Professional Documents
Culture Documents
Chapter 3-Auditing Operating Systems and Networks-Orginal
Chapter 3-Auditing Operating Systems and Networks-Orginal
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Learning Objectives
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Operating System Control Objectives
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Operating Systems Security
o Log-On Procedure:
o First line of defense against unauthorized access consisting of
user IDs and passwords.
o Access Token:
o Contains key information about the user which is used to approve
actions attempted during the session.
o Access Control List:
o Assigned to each IT resource and used to control access to the
resource.
o Discretionary Access Privileges:
o Allows user to grant access to another user.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Threats to Operating System
Integrity
o Accidental threats include hardware failures and errors in user
applications.
o Intentional threats are often attempts to illegally access data
or
violate privacy for financial gain.
o Growing threat is destructive programs with no apparent
gain, which come from three sources:
o Privileged personnel who abuse their authority.
o Individuals who browse the operating system to identify and
exploit
security flaws.
o Individuals who insert viruses or other destructive programs into
© 2016 Cengagethe operating
Learning®. May not be scanned,system,
copied or duplicatedeither intentionally
or posted to a publicly or orunintentionally.
accessible website, in whole in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Operating Systems Controls
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Password Controls
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Controlling Against
Malicious & Destructive
Programs
o Organizations can reduce threats:
o Purchase software from reputable vendors in original packages.
o Policy pertaining to unauthorized or illegal software.
o Examine upgrades and public-domain software for viruses before
implementation and use.
o Implement procedures for changing programs.
o Educate users regarding threats.
o Test all applications before implementation.
o Make frequent backups and limit users to read and execute rights only
whenever possible.
o Require protocols to bypass Trojan horses and use antiviral software.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Operating System Controls
o System audit trails are logs that record activity at the system,
application and use level.
o Two types of audit logs:
o Keystroke monitoring involves recording user’s keystrokes and
the system’s response.
o Event monitoring summarizes key activities related to system
resources.
o Audit trails can be used to: detect unauthorized access,
reconstruct events and promote personal accountability.
o Benefits must be balanced against costs.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Operating System Controls
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Intranet Risks
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Three Common Types of DOS
Attacks
o SYN Flood: When the three-way handshake needed to
establish an Internet connection occurs, the final
acknowledgement is not sent by the DOS attacker, thereby
tying-up the receiving server while it waits.
o Smurf: DOS attacker uses numerous intermediary computers
to flood the target computer with test messages, “pings”
causing network congestion.
o Distributed Denial of Service:– May take the form of Smurf
or SYN attacks, but distinguished by the vast number of
zombie computers hijacked to launch the attacks.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
SMURF
Attack
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Distributed Denial of Service
Attack
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Controlling Risks from Subversive
Threats
o Firewalls prevent unauthorized access to or from a private
network. To accomplish this:
o All traffic between the outside network and organization’s intranet must
pass through the firewall.
o Only authorized traffic is allowed to pass through the firewall which must
be immune to all penetration.
o Network-level firewalls provide efficient, low security control.
o Screening router examines source and destination addresses attached
to incoming message packets but does not explicitly authenticate
outside users.
o Application-level firewalls provide higher, customizable network
security, but add overhead cost.
o Trade-off between convenience and security.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Dual-Homed Firewall
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Controlling DOS
Attacks
o Smurf attacks: Organizations can program firewalls to
ignore identified attacking site.
o SYN flood attacks have two tactics:
o Get Internet hosts to use firewalls that block invalid IP addresses.
o Use security software to scan for half-open connections.
o To counteract DDos attacks organizations use intrusion
prevention systems (IPS) that employ deep packet inspection
(DPI).
o Works as a filter that removes malicious packets from the flow before
they can affect servers and networks.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Encryption
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Public Key Encryption
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Digital Signatures &
Certificate
o Digital signature is electronic authentication that cannot
be forged.
o Sender uses a one-way hashing algorithm to calculate a digest of
the text message which is encrypted to produce the digital signature.
o Verifying the sender’s identity requires a digital certificate
which is issued by a trusted third party called a certification
authority (CA).
o Public key encryption is central to digital authentication making
public key management an important internal control issue.
o Public key infrastructure (PKI) constitutes policies and procedures
for administering this activity.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Digital Signature
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Other Subversive Threat
Controls
o Message sequence numbering inserts a sequence number
in each message to prevent attempts to delete, change or
duplicate a message.
o Message transaction log records all attempted accesses
with user ID, time of access and location.
o Request-response technique sends control messages
and responses randomly making it difficult for an intruder to
circumvent.
o Call-back device requires a dial-in user to enter and
password and be identified.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Operating Systems Controls
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Vertical Parity Bit
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Auditing Electronic Data
Interchange (EDI)
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Overview of EDI
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Value-added Network and EDI
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Auditing Electronic Data
Interchange (EDI)
o Electronic funds transfer (EFT) processing more complicated than
EDI for purchasing and selling.
o Converting remittance information to electronic form can result in very
large records.
o Both customer and supplier must establish EDI transactions are
valid and authorized.
o Some VANs have the capability of validating passwords and user ID
codes for the vendor.
o Before conversion, translation software can validate trading
partner’s
IDs and passwords.
o Before processing, trading partner’s application software reference
valid files to validate transaction.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
EFT Transactions Between
Trading Partners
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Auditing Electronic Data Interchange
(EDI)
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
EFT System Using Transaction
Control Log for Audi Trail
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Auditing Procedures for EDI
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
PC Accounting System Modules
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
PC Systems Risks and Controls
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Audit Objectives Associated with PC
Security
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Internet & Intranet
Technologies and
Malicious & Destructive
Programs
APPENDIX
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Internet Technologies
o Packet switching:
o Messages divided into small packets where each packet of the
message may take a different routes.
o Virtual private network (VPN) is a private network within a public
network.
o Extranet is a password controlled network for private users.
o World Wide Web (WWW) is an Internet facility that links users
locally and globally.
o Web pages are maintained at Web sites which are computer
servers that support HTTP.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Message Packet Switching
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Internet
Addresses
o E-mail addresses:
o Format is USERNAME@DOMAIN NAME
o URL address:
o Defines the path to a facility or file on the Web.
o Subdirectories can be several levels deep.
o IP address:
o Every computer node and host attached to the Internet must have
a unique Internet protocol (IP) address.
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Protocols
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Internet Protocols
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Bridges and Gateways Linking
LANs & WANs
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Star Topology
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Star Network
Kansas
City Central Data
POS
POS Dallas
Tulsa
Local Data
Local Data
POS
POS
POS
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Hierarchical Topology
Corporate Production
Level Planning System
Production
Regional Regional
Level Scheduling Sales System
System
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Ring Topology
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Ring Topology
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Bus Topology
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Client-Server Topology
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Client-Server Topology
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Network Control
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Pooling Method of Controlling
Data Collisions
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Token-Passing Approach to
Controlling Data Collisions
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Carrier Sensing
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.
Malicious & Destructive Programs
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a
license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom
use.