
Identifying Threats

As was alluded to in the section on threats, both threat-sources and threats must be identified.

Threats should include the threat-source to ensure accurate assessment. Some common threat-sources include:

- Natural Threats: floods, earthquakes, hurricanes
- Human Threats: threats caused by human beings, including both unintentional (inadvertent data entry) and deliberate actions (network-based attacks, virus infection, unauthorized access)
- Environmental Threats: power failure, pollution, chemicals, water damage

Individuals who understand the organization, industry or type of system (or better yet all three) are key in identifying threats. Once the general list of threats has been compiled, review it with those most knowledgeable about the system, organization or industry to gain a list of threats that applies to the system. It is valuable to compile a list of threats that are present across the organization and use this list as the basis for all risk management activities. As a major consideration of risk management is to ensure consistency and repeatability, an organizational threat list is invaluable.

Threat-Source Identification

The goal of this step is to identify the potential threat-sources and compile a threat statement listing potential threat-sources that are applicable to the IT system being evaluated.

A threat-source is defined as any circumstance or event with the potential to cause harm to an IT system. The common threat-sources can be natural, human, or environmental. In assessing threat-sources, it is important to consider all potential threat-sources that could cause harm to an IT system and its processing environment. For example, although the threat statement for an IT system located in a desert may not include natural flood because of the low likelihood of such an event occurring, environmental threats such as a bursting pipe can quickly flood a computer room and cause damage to an organization's IT assets and resources. Humans can be threat-sources through intentional acts, such as deliberate attacks by malicious persons or disgruntled employees, or unintentional acts, such as negligence and errors. A deliberate attack can be either (1) a malicious attempt to gain unauthorized access to an IT system (e.g., via password guessing) in order to compromise system and data integrity, availability, or confidentiality or (2) a benign, but nonetheless purposeful, attempt to circumvent system security. One example of the latter type of deliberate attack is a programmer writing a Trojan horse program to bypass system security in order to get the job done.

Motivation and Threat Actions

Motivation and the resources for carrying out an attack make humans potentially dangerous threat-sources. The table below presents an overview of many of today's common human threats, their possible motivations, and the methods or threat actions by which they might carry out an attack. This information will be useful to organizations studying their human threat environments and customizing their human threat statements. In addition, reviews of the history of system break-ins; security violation reports; incident reports; and interviews with the system administrators, help desk personnel, and user community during information gathering will help identify human threat-sources that have the potential to harm an IT system and its data and that may be a concern where a vulnerability exists.

Threat: Bot-network operators
Description: Bot-network operators are hackers; however, instead of breaking into systems for the challenge or bragging rights, they take over multiple systems in order to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these operators' networks are sometimes made available in underground markets (e.g., purchasing a denial-of-service attack, servers to relay spam, or phishing attacks, etc.).

Threat: Criminal groups
Description: Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups are using spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent.

Threat: Hackers
Description: Hackers break into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.

Threat: Insiders
Description: The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes outsourcing vendors as well as employees who accidentally introduce malware into systems.

Threat: Phishers
Description: Individuals, or small groups, who execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware/malware to accomplish their objectives.

Threat: Spammers
Description: Individuals or organizations who distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service).

Threat: Spyware/malware authors
Description: Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster.

Threats to Accounting Information Systems


Threats to accounting information systems come from a variety of sources. If ignored, they can destroy the relevance and reliability of financial information, leading to poor decisions by various stakeholders. At the point of data collection, it is important to establish security controls that ensure that transaction or event data are valid, complete, and free from material errors. Masquerading (pretending to be an authorized user) and piggybacking (tapping into telecommunications lines) are examples of hacker activities that can seriously impact valid data collection. Threats to accounting information systems can also occur during the data processing phase. Creating illegal programs, accessing or deleting files, destroying or corrupting a program's logic through viruses, or altering a program's logic to cause the application to process data incorrectly all represent threats. Threats to database management might include unauthorized access that allows altering, deleting, corrupting, destroying, or stealing data. The failure to maintain backup files or other retrieval techniques represents a potentially devastating loss of data. Threats to the information generation and reporting phase must also be considered. For example, the theft, misdirection, or misuse of computer output could damage the competitiveness or reputation of the organization. Advances in information technology and increased use of the Internet require that management, accountants, auditors, and academicians become more knowledgeable and conversant in the design, operation, and control of accounting information systems.

Security Threats to Internet Commerce and Technology

The growth of the Internet has been fueled by its potential for conducting business. The Internet has removed physical barriers to commerce, tapping previously uneconomical markets. The power of the Internet to facilitate business can be severely offset by users' concern over security. The website problems occasionally experienced by major e-commerce providers such as Yahoo, eBay, E-Trade, and Amazon.com have provided evidence of some of the risks of Internet-based attacks. The use of Internet technologies has substantially increased the vulnerability of information systems. One of the fastest-growing threats on the Internet is the theft of sensitive financial data. Failure to include basic information security unwittingly creates significant business and professional risks. For example, without effective security, a hacker may be able to access user passwords, providing entree to an array of system capabilities and information. Such breaches can have serious legal consequences. Or, trade secrets may be uncovered and disseminated, diminishing competitive advantage and profits. Inadequate information security increases the opportunity for manipulation, falsification, or alteration of accounting records. Unauthorized or inappropriate access to the accounting information system, or the failure to establish and maintain separation of duties as part of a system of internal control, may make it difficult to ensure that valid and accurate transactions are recorded, processed, and reported. There are a number of threats to accounting information systems, especially for those systems used in conjunction with the Internet. These threats represent challenges to management, accountants, auditors, and academicians.

Management must ask important questions and be able to rely on the answers with confidence:

- Did assets, liabilities, and other elements shown on financial statements actually exist?
- Did recorded transactions included in the financial statements actually occur?
- Did the financial statements include all transactions and accounts that should be presented?
- Were accounts included in the financial statements at appropriate values?
- Are the assets shown on the balance sheet rights of the company?
- Are the liabilities shown on the balance sheet obligations of the company?
- Are elements of financial statements appropriately classified and disclosed?

Implications for Accountants and Auditors

Accountants, as users, managers, designers, and evaluators of information systems, should be knowledgeable of security threats and appropriate control techniques in order to protect their own information systems and to advise businesses about security risks. A company's use of information technology and the security of the accounting information system affect the company's internal control over financial reporting. System processes and system-generated entries for valid transactions and events are an integral part of financial reporting. Since the advent of computer systems that capture, verify, store, and report the data used in financial reports, new security issues involving technology have developed.

Although SOX prohibits auditors from offering information system design and implementation services to audit clients, SOX mandates that every independent audit report include an auditor attestation report relating to the internal control assessments made by management. Specific notation of any significant defects or material noncompliance must be included in that report. In addition, the New York Stock Exchange now requires all listed companies to maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal control.

Vulnerabilities are classified according to the asset class they relate to:

hardware
- susceptibility to humidity
- susceptibility to dust
- susceptibility to soiling
- susceptibility to unprotected storage

software
- insufficient testing
- lack of audit trail

network
- unprotected communication lines
- insecure network architecture

personnel
- inadequate recruiting process
- inadequate security awareness

site
- area subject to flood
- unreliable power source

organizational
- lack of regular audits
- lack of continuity plans

Causes

- Complexity: Large, complex systems increase the probability of flaws and unintended access points.
- Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.
- Connectivity: More physical connections, privileges, ports, protocols, and services, and the time each of those is accessible, increase vulnerability.
- Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
- Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as "default permit" grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
- Internet website browsing: Some Internet websites may contain harmful spyware or adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third-party individuals.
- Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.
- Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as buffer overflow, SQL injection or other non-validated input flaws).
- Not learning from past mistakes: for example, most vulnerabilities discovered in IPv4 protocol software were rediscovered in the new IPv6 implementations.
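The "unchecked user input" cause above, shown on a constructed accounting ledger as an added example (not code from the original page): the same voucher lookup written with string formatting and with a bound parameter, run on a legitimate owner name and on a crafted one. The table, owner names and amounts are invented; Python's built-in sqlite3 stands in for the accounting database.

```python
import sqlite3

# Constructed sample ledger standing in for the accounting records the text
# describes; voucher ids, owners and amounts are invented for this example.
LEDGER_ROWS = [
    ("V-1001", "alice", 1200.00),
    ("V-1002", "bob", 340.50),
    ("V-1003", "alice", 99.99),
]


def build_ledger():
    """Create an in-memory ledger table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vouchers (voucher_id TEXT, owner TEXT, amount REAL)")
    conn.executemany("INSERT INTO vouchers VALUES (?, ?, ?)", LEDGER_ROWS)
    return conn


def vouchers_unchecked(conn, owner):
    """Vulnerable form: the caller's input is pasted into the SQL text, so a
    crafted value rewrites the WHERE clause instead of being compared."""
    sql = f"SELECT voucher_id FROM vouchers WHERE owner = '{owner}' ORDER BY voucher_id"
    return [row[0] for row in conn.execute(sql)]


def vouchers_parameterized(conn, owner):
    """Hardened form: the input travels as a bound parameter and can only be
    matched against the owner column, never interpreted as SQL."""
    sql = "SELECT voucher_id FROM vouchers WHERE owner = ? ORDER BY voucher_id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both versions on the same input; return (unchecked, parameterized)."""
    conn = build_ledger()
    try:
        return vouchers_unchecked(conn, owner), vouchers_parameterized(conn, owner)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate owner name behaves identically in both versions.
    print(compare("bob"))
    # Crafted input: the unchecked query's condition collapses to always-true
    # and every voucher, including other users', is returned; the bound
    # version treats the whole string as a (non-existent) owner name.
    print(compare("x' OR '1'='1"))
```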

Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human; so humans should be considered in their different roles as asset, threat, and information resource. Social engineering is an increasing security concern.

Vulnerabilities

Vulnerabilities are weaknesses or holes in information resources and processes which allow the potential for unauthorized or unintentional change or manipulation of resources which impact the confidentiality, integrity, and availability of these resources.

Points of Vulnerabilities Identified


The system they are using for maintenance of accounts is Tally ERP 9. It is protected by the passwords of different users and its server is kept at SIU. The authorized users are allowed to change the data entered in the ERP for a period of eight days. The systems are protected by antivirus and firewall software. The auditing firm is Sharad Shah & Company, which conducts audits once a year for 3 days. The ERP system is accessible to all registered users with authorized passwords.

Information entered in the ERP system consists of purchase orders, expenses for infrastructure/events, vouchers, salaries of faculty and staff members, student fees etc. There is a backup facility provided in the ERP system. The salary is transferred to the salary accounts of the faculty and other employees every month. The accounts are maintained in the Bank of Maharashtra.

Common Exploits and Attacks in computerized accounting

Exploit: Null or Default Passwords
Description: Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, though some services that run on Linux can contain default administrator passwords (though Red Hat Enterprise Linux 5 does not ship with them).
Notes: Common in many legacy operating systems, especially OSes that bundle services (such as UNIX and Windows). Administrators sometimes create privileged user accounts in a rush and leave the password null, a perfect entry point for malicious users who discover the account.

Exploit: Eavesdropping
Description: Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.
Notes: This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers. Remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN. Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised.
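An administrator's check for the null-password entry point described above, added here as an example and not taken from the page or from Red Hat's documentation: it reads passwd- and shadow-format lines and reports every account whose password field is empty, covering both modern systems (empty field in shadow) and legacy ones that still keep the hash in passwd's second field. The account names, UIDs and hash strings are constructed placeholders.

```python
# Constructed /etc/passwd and /etc/shadow style lines for this example; the
# hash strings are invented placeholders, not real credentials.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup_oper:x:1001:1001::/home/backup_oper:/bin/bash
tally_svc:x:1002:1002::/srv/tally:/bin/bash
legacyadm::0:0:legacy admin:/root:/bin/sh
auditor:x:1003:1003::/home/auditor:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$placeholder$notarealhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
backup_oper::19700:0:99999:7:::
tally_svc:!:19700:0:99999:7:::
auditor:$6$placeholder2$alsonotreal:19700:0:99999:7:::
"""


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def audit_null_passwords(passwd_text, shadow_text):
    """Return (user, uid, where) for every account that can log in with no
    password at all. 'where' names the file holding the empty field: the
    shadow file on modern systems, or passwd itself on legacy systems that
    still keep the hash in passwd's second field."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    findings = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 3:
            continue  # malformed line, not an account entry
        user, pw_field, uid = fields[0], fields[1], int(fields[2])
        if pw_field == "":
            findings.append((user, uid, "passwd"))
        elif pw_field == "x" and shadow.get(user) == "":
            findings.append((user, uid, "shadow"))
        # '*' and '!'-prefixed fields are locked accounts; any other value is
        # a hash, which this check does not try to compare against vendor
        # defaults (that needs the vendor's list).
    # UID 0 (administrative) accounts sort first, then by UID.
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for user, uid, where in audit_null_passwords(SAMPLE_PASSWD, SAMPLE_SHADOW):
        flag = " (UID 0: administrative)" if uid == 0 else ""
        print(f"{user}: empty password field in {where}{flag}")
```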

Exploit: Service Vulnerabilities
Description: An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network.
Notes: HTTP-based services such as CGI are vulnerable to remote command execution and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders it unavailable to other users. Services sometimes can have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where attackers crash a service using arbitrary values that fill the memory buffer of an application, giving the attacker an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker. Administrators should make sure that services do not run as the root user, and should stay vigilant of patches and errata updates for applications from vendors or security organizations such as CERT and CVE.

Exploit: Application Vulnerabilities
Description: Attackers find faults in desktop and workstation applications (such as email clients) and execute arbitrary code, implant trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.
Notes: Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments. Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments.

Exploit: Denial of Service (DoS) Attacks
Description: Attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.
Notes: The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as zombies, or redirected broadcast nodes. Source packets are usually forged (as well as rebroadcasted), making investigation as to the true source of the attack difficult. Advances in ingress filtering (IETF rfc2267) using iptables and Network IDSes such as snort assist administrators in tracking down and preventing distributed DoS attacks.
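The ingress-filtering idea the DoS row cites (RFC 2267: a border router accepts from a downstream network only packets whose source lies in that network's prefix, and never accepts its own or private source addresses from upstream), modelled in Python as an added example rather than the page's iptables rules. The interfaces, prefixes and packet records are constructed for the example using documentation address space.

```python
import ipaddress

# Constructed topology for this example (documentation prefixes, not real
# networks): eth1 faces the downstream network 192.0.2.0/24, eth0 faces the
# upstream Internet.
DOWNSTREAM_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
}

# Sources that must never arrive from upstream on eth0: our own prefix (a
# packet claiming to be "from us" but arriving from the Internet is forged)
# plus private, loopback and unspecified space.
UPSTREAM_BOGONS = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Constructed packet records: (ingress interface, source IP, destination IP).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "198.51.100.5"),   # legitimate downstream host
    ("eth1", "203.0.113.9", "198.51.100.5"),  # forged source leaving downstream
    ("eth0", "203.0.113.9", "192.0.2.10"),    # ordinary Internet traffic
    ("eth0", "192.0.2.77", "192.0.2.10"),     # our own prefix arriving from upstream
    ("eth0", "10.1.2.3", "192.0.2.10"),       # private source from upstream
]


def ingress_verdict(iface, src):
    """Return (accept, reason) for one packet under RFC 2267 style rules."""
    addr = ipaddress.ip_address(src)
    prefixes = DOWNSTREAM_PREFIXES.get(iface)
    if prefixes is not None:
        # Downstream-facing interface: only the delegated prefix may appear.
        if any(addr in net for net in prefixes):
            return True, "source inside downstream prefix"
        return False, "source outside downstream prefix (forged)"
    # Upstream-facing interface: reject sources that cannot legitimately
    # originate on the Internet side.
    for net in UPSTREAM_BOGONS:
        if addr in net:
            return False, f"source in {net} cannot arrive from upstream"
    return True, "upstream source plausible"


def dropped_packets(packets):
    """Apply the verdict to each record; return the dropped ones with reasons."""
    dropped = []
    for iface, src, _dst in packets:
        accept, reason = ingress_verdict(iface, src)
        if not accept:
            dropped.append((iface, src, reason))
    return dropped


if __name__ == "__main__":
    for iface, src, reason in dropped_packets(SAMPLE_PACKETS):
        print(f"drop {src} on {iface}: {reason}")
```

The filter only blocks forged sources at the edge where the true origin is known; it does not stop a flood whose source addresses are genuine, which is why the row pairs it with network IDS monitoring.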
