PART I
AUDITING OPERATING SYSTEMS AND NETWORKS
Lesson Objectives
After studying this chapter, you should:
Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures.
Be familiar with the principal risks associated with commerce conducted over intranets and the Internet and understand the control techniques used to reduce these risks.
Be familiar with the risks associated with personal computing systems.
Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced.
https://en.wikipedia.org/wiki/Operating_system
Access Token
~ contains key information about the user
Intentional threats
~ Attempt to access user data
~ Destructive programs
Access privileges
Password control
Malicious or destructive programs
System audit trail
Access Privileges
Audit objective: Verify that access privileges are consistent with separation of incompatible functions and organization policies
Audit procedures: Review or verify
policies for separating incompatible functions
a sample of user privileges, especially access to data and programs
security clearance checks of privileged employees
formal acknowledgements to maintain confidentiality of data
users' log-on times
Password Control
Audit objective: Ensure adequacy and effectiveness of password policies for controlling access to the operating system
Audit procedures: Review or verify
passwords required for all users
password instructions for new users
passwords changed regularly
password file for weak passwords
encryption of password file
password standards
account lockout policies
https://en.wikipedia.org/wiki/Computer_virus
https://en.wikipedia.org/wiki/Trojan_horse_(computing)
AUDITING NETWORKS
Terminologies
An INTRANET is a private network that is contained within an enterprise. It may consist of many interlinked local area networks and also use leased lines in the wide area network.
The INTERNET is a global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to link several billion devices worldwide.
SOURCE: https://en.wikipedia.org/
Intranet Risks
Intercepting network messages
Privileged employees
Reluctance to prosecute
Internet Risks
IP spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity
Denial of service (DoS) attacks: assaulting a Web server to prevent it from servicing users; particularly devastating to business entities that cannot receive and process business transactions
[Figure: Sender and receiver exchange - Step 1: SYN messages; Step 2: SYN/ACK]
[Figure: SMURF attack]
[Figure: Ping test]
Controlling Risks
Firewalls
Deep packet inspection
Encryption
Digital signature / digital certificate
Message control techniques
Firewalls
Firewalls provide security by channeling all network connections through a control gateway.
Network level firewalls
Windows Firewall
Dual-Homed Firewall
Encryption
Computer program transforms a clear message into a coded (cipher) text form using an algorithm.
[Figure: Simplified encryption]
Encryption (cont.)
The conversion of data into a secret code for storage and transmission
The sender uses an encryption algorithm to convert the original cleartext message into a coded ciphertext.
The receiver decodes / decrypts the ciphertext back into cleartext.
Encryption algorithms use keys
~ Typically 56 to 128 bits in length
~ The more bits in the key, the stronger the encryption method.
Digital Signature
Equipment Failure
Line errors are data errors from communications noise.
Two techniques to detect and correct such data errors are:
echo check - the receiver returns the message to the sender
parity checks - an extra bit is added onto each byte of data, similar to check digits
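As an added illustration (not from the slides), the two techniques above in Python on constructed sample bytes: an even-parity bit per byte and a sender-side echo check. It also shows the limitation a reviewer should know: an even number of flipped bits in one byte passes the parity check, while the echo check still catches the altered byte.

```python
# Added example, not from the slides: even parity per byte and an echo
# check, the two line-error techniques named above, on constructed data.

def add_parity(data: bytes) -> list[int]:
    """Frame each byte as 9 bits: the byte shifted left, plus one parity bit
    chosen so the total number of 1 bits in the frame is even."""
    frames = []
    for b in data:
        ones = bin(b).count("1")
        parity = ones % 2          # 1 if the byte has an odd number of 1s
        frames.append((b << 1) | parity)
    return frames

def check_parity(frames: list[int]) -> list[int]:
    """Return positions of frames whose 1-bit count is not even,
    i.e. frames the receiver should reject as corrupted."""
    return [i for i, f in enumerate(frames) if bin(f).count("1") % 2 != 0]

def strip_parity(frames: list[int]) -> bytes:
    """Drop the parity bit and recover the original bytes."""
    return bytes(f >> 1 for f in frames)

def flip_bits(frame: int, *positions: int) -> int:
    """Simulate line noise by inverting the given bit positions (0-8)."""
    for p in positions:
        frame ^= 1 << p
    return frame

def echo_check(sent: bytes, echoed: bytes) -> bool:
    """Sender-side echo check: the copy the receiver returns must match
    what was sent, bit for bit."""
    return sent == echoed

def demo() -> dict:
    # Constructed sample data; the bytes themselves are arbitrary.
    frames = add_parity(b"EDI")
    one_flip = [flip_bits(frames[0], 3)] + frames[1:]
    # Caveat: two flipped bits in the same byte keep the count even and slip
    # past the parity check; the echo check still sees a changed byte.
    two_flips = [flip_bits(frames[0], 3, 5)] + frames[1:]
    return {
        "clean": check_parity(frames),                        # []
        "one_flip": check_parity(one_flip),                   # [0]
        "two_flips_parity": check_parity(two_flips),          # [] (missed)
        "two_flips_echo": echo_check(b"EDI", strip_parity(two_flips)),  # False
    }

if __name__ == "__main__":
    print(demo())
```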
WHAT IS EDI?
EDI (electronic data interchange) uses computer-to-computer communications technologies to automate B2B purchases.
(B2B -> business-to-business or e-biz)
~ EDI is an inter-organization endeavor.
~ The information systems of the trading partners automatically process the transaction.
~ Transaction information is transmitted in a standardized format.
[Figure: EDI system]
Benefits of EDI
[Figure: Benefits of EDI - reductions in several areas; paperless and transparent (automatic) transactions]
CONTROL
use of passwords and value added networks (VAN) to ensure valid partner
software to specify what can be accessed and at what level
control log records the transaction's flow through each phase of the transaction processing
[Figure: EDI system using transaction control log for audit trail]
AUDITING PC-BASED ACCOUNTING SYSTEMS
~ Operating Systems:
o Are located on the PC (decentralized)
o O/S family dictates applications (e.g., Windows)
Risk assessment
Inherent weaknesses
Weak access control
Inadequate segregation of duties
Multilevel password control / multifaceted access control