THE BYTELINE
Official Publication of the Kettle Moraine Chapter of ISACA
March 2000

This Month's Meeting: Using ACL to Detect Fraud in Your Organization

Many Internal Audit departments have experienced increased occurrences of fraud within their organizations. In many cases, these frauds can be exposed, or corroborating evidence obtained, by analyzing transactional data using Computer Assisted Audit Techniques (CAATs) with tools such as ACL. This presentation will explore some of the common applications of CAATs that can be used to detect fraud within your organization. The presentation will focus on demonstrating actual audit techniques that have been used to identify fraud in the past. We will also discuss common approaches to computer data acquisition and analysis, as well as explore some of the problems many users have experienced with using ACL in the past.

Our presentation will be given by Larry F. Maher. Larry is Manager of Arthur Andersen Computer Risk Management in Milwaukee, Wisconsin. Larry has over four years of experience with Arthur Andersen in financial audit and Computer Risk Management services. His experience includes ERP reviews, network security reviews, general controls reviews, developing Computer-Assisted Audit Techniques (CAATs) as well as financial statement assurance. He is also actively involved with developing and teaching training for computer-related topics such as office automation tools, on-line resources and ACL to the firm's financial auditors. Larry has assisted various Internal Audit departments with the implementation of ACL. These projects involved helping clients develop ACL auditing techniques to assist the Internal Audit function with improving the quality and efficiency of their audit approach. He has been involved on a number of engagements where he has assisted Internal Audit departments with developing CAATs using ACL for fraud detection and general audit purposes.

Larry is a Certified Public Accountant (CPA) and a Certified Information Systems Auditor (CISA) and has a Bachelor's degree in Accounting and Finance from UW-Madison. Larry is also a member of the Information Systems Audit and Control Association.

- submitted by Clint Laskowski, (414) 283-3705

Meeting Details

When: Wednesday, Mar. 8
  2:30PM Registration
  3:00PM Session
  4:00PM Cookie Break
  5:00PM Session Ends
  5:05PM Social Hour - Bar

Where: Country Inn Hotel, 2810 Golf Road, Pewaukee, Wisconsin

Cost: $15 Chapter Members; $20 Nonmembers

For Reservations Contact: Roger Naegeli, CISA, MGIC Investment Corp., P.O. Box 488, Milwaukee, WI 53201, (414) 347-2689, E-mail: roger_naegeli@mgic.com

When registering, indicate your name, company name, and member/nonmember status. Reservations must be received by 12:00PM Monday, March 5. No cancellations will be accepted after the reservation deadline. No shows will be billed!

KETTLE MORAINE CHAPTER OF ISACA, CHARTERED 1981
Find us on the Web at: http://www.execpc.com/~isaca-km

BOARD OF DIRECTORS '99-'00
President: John Ley, CISA, (414) 636-7665, Case Corporation
Vice President: Carol Pokrandt, (414) 347-2345, Audit Force
Treasurer: Brian Hogeland, (414) 283-3933, Arthur Andersen LLP
Secretary: Tim McWilliams, (608) 664-8884, Telephone Data Systems
Publications Director: Roger Naegeli, CISA, (414) 347-2689, MGIC Investment Corp.
Membership Director: Clint Laskowski, (414) 283-3705, Arthur Andersen LLP
Program Director: Randall Augsburger, (414) 223-7149, Ernst & Young LLP
Seminar Director: Michael Lisenby, (414) 283-3130, Arthur Andersen LLP
Arrangements Director: Roger Naegeli, (414) 347-2689, MGIC Investment Corporation
CISA Director: Kathy Porth, (414) 347-2345, Audit Force
Past President: Mary Luebke, (414) 274-8106, Ernst & Young LLP
Newsletter Editor: Roger Naegeli, CISA, MGIC Investment Corporation, P.O. Box 488, Milwaukee, WI 53201, (414) 347-2689, Fax (414) 347-6696, e-mail: Roger_Naegeli@mgic.com

ISACA BOARD MEETING, January 18, 2000

Attendees: John Ley, Tim McWilliams, Dan Buckley, Kathy Porter, Carol Pokrandt, and Roger Naegeli.

1. The Board approved the nominations of two chapter members to fill the vacant Seminar Director and Treasurer positions on the Board. Mike Lisenby will be the Seminar Director and Brian Hogeland will be the Treasurer for the Board.

2. Final preparations for the April 11th and 12th seminar on Control and Security over Electronic Commerce were discussed. Most of the seminar preparations have been completed; however, the mailings to promote the seminar and finalizing the meeting arrangements still need to be completed. It was expected that these arrangements would be completed in the next two weeks.

3. Tim reported that the responsibilities for the Treasurer position have been updated to include tax return responsibilities. Tim will assume responsibility for maintaining the electronic files of the Board positions.

4. Roger agreed to assume the monthly meeting arrangements responsibilities for the remainder of the chapter year. The March meeting topic will be on ACL.

5. Roger reported that he has completed the reconciliation of the e-mail distribution list and the membership list. Twenty-three names were added to the e-mail distribution list. Roger also reported that he hopes to have a secured version of the membership binder on the web page by the end of January. At the February Board meeting, Board members will discuss the sections of the web page that should be open to everyone and the sections that should be open only to chapter members.

6. Roger reported that he submitted four newsletters as entries into the ISACA newsletter contest.

7. John agreed to contact Dan Buckley, past Seminar Director, to arrange turnover of the speaker gifts.

8. John agreed to follow up with Brian Treinen to find out more information about previous donations the chapter made to the ISACF, initiate the turnover of the Treasury information, and arrange turnover of any remaining chapter audio and video equipment.

9. The next Board meeting will be held on February 14th from 4:00 to 5:00.

- submitted by Tim McWilliams, 608-664-8884

The ISACA KETTLE MORAINE CHAPTER Presents
CONTROL & SECURITY OF ELECTRONIC COMMERCE
April 11 and 12, 2000
presented by: GORDON SMITH, PRESIDENT, CANAUDIT

During this two-day seminar, you will explore the components of Electronic Commerce (including EDI) and the new risks created by the electronic marketplace. You will learn new controls, including how to secure financial transactions and confidential information. Each participant will receive a copy of the Canaudit risk/control tables and COSO compliant checklists.

Electronic Commerce encompasses more than ordering goods on the Internet. Electronic ordering, while still in its infancy, is rapidly replacing trips to the shopping malls. Payment is easy: just use your cash or credit card or, for additional security, an electronic token. Additional services include applying for a mortgage, purchasing and financing a car, along with downloading new software. Yes, Electronic Commerce is here. However, with it comes an entirely new set of control issues. All the paper records are gone, replaced by databases that store massive amounts of customer information. The potential for electronic fraud abounds! It is our job as auditors to ensure that strong controls are built into electronic applications, and this seminar will show you how to do it. This seminar is intended for all auditors; there are no prerequisites.

SEMINAR OUTLINE

I. INTRODUCTION
· What is Electronic Commerce?
· Business Globalization
· Customer Interaction
· EDI - Useful But Primitive
· Electronic Funds Transfer
· Electronic Commerce vs EDI/EFT
· The Electronic Warehouse
· Internet, Education, Voice Response, Network Connections
· Push Pull Technology, Fraud, Security, Encryption
· Applications & Operating System Controls
· Firewalls, Routers, and Penetration Testing

II. LEGAL ISSUES RELATED TO ELECTRONIC COMMERCE
· Contract Law
· In The Courtroom
· Legal Agreements
· Trading Partner Agreements
· Agreements with Value Added Networks (VAN)
· Risk/Control Tables, Checklists

III. INFORMATION SECURITY OF ELECTRONIC COMMERCE
· Overview of Information Security
· Threats to Electronic Commerce
· Cryptography and Encryption
· Key Management and Transfer Techniques
· Digital Signatures
· Risk/Control Tables, Checklists

IV. CERTIFICATES AND NON-REPUDIATION
· Certificates and Certificate Authorities
· Non-Repudiation
· Risk/Control Tables, Checklists

V. OPERATING SYSTEM SECURITY
· Identify Server Security Requirements by Platform: UNIX/AIX, Windows NT, Novell NetWare
· Security Requirements: Client and User Security; File, Data and Share Security
· Risk/Control Tables, Checklists

VI. AUDITING SALES AND INVOICING
· Overview of Sales and Invoicing
· The Audit Guide: Purpose of the Guide; Flowcharts/Process Analysis; Anticipated Controls; Risk Analysis; Fraud Potential Assessment; Checklists/Risk Tables; Cash Flow Potential Items; Audit Software Tests

VII. AUDITING PROCUREMENT - A/P
· Overview of Procurement and A/P
· The Audit Guide

VIII. AUDITING DEMAND DEPOSIT ACCOUNTING
· Overview of DDA
· The Audit Guide

IX. APPENDIX A & B
· Internet Security Handbook
· Computer Security Incident Response

Instructor Profile: Gordon E. Smith

Gordon Smith, President of Canaudit Inc., is a highly energetic and enthusiastic speaker who makes audit topics interesting and exciting. His motivating style and dynamic delivery techniques capture the interest of the audience, opening their minds and inspiring them to accept new methodologies and techniques. His innovative audit techniques and ability to translate complicated technology into simple English make Mr. Smith one of the most popular speakers on the audit lecture circuit. With 21 years of audit experience, Mr. Smith continues to audit complex technology and business applications. He specializes in networks, information security, operating systems and client/server environments. Mr. Smith is a practicing auditor with a strong business sense, capable of tying critical audit findings to the key objectives of the organization. Gordon has also been the keynote speaker at several international conferences and is a "regular" at both the CACS and the ISACA International Conferences.

Schedule: April 11 and 12, 2000
Registration: 7:30-8:00 AM
Seminar: 8:00-5:00 PM
Location: Sheraton Hotel, 375 South Moorland Road, Brookfield, Wisconsin 53187, (262) 786-1100
Directions: I-94, exit Moorland Road north
Seminar Price: $395 (includes continental breakfasts, lunches, refreshments and course materials)
Continuing Education: This seminar is approved for 16 CPE hours
For additional information: contact Michael Lisenby at (414) 283-3130 or via e-mail at michael.j.lisenby@us.arthurandersen.com

ISACA KETTLE MORAINE CHAPTER - REGISTRATION FORM

Please enroll me in: CONTROL & SECURITY OF ELECTRONIC COMMERCE, April 11 and 12, 2000

Name: _______________________________________
Title: ________________________________________
Company: ____________________________________
Address: _____________________________________
City/State/Zip: _________________________________

Make checks payable to: ISACA-KM
Detach and mail, along with check, to: Michael Lisenby, Arthur Andersen LLP, 100 East Wisconsin Ave., Milwaukee WI 53202

Security Experts Aid Universities To Mitigate DoS Incidents
by Rutrell Yasin

As investigators track down the vandals responsible for the denial-of-service (DoS) attacks on Yahoo.com, Amazon.com and others, the trail has led to university computers, which have been electronically broken into and used as launching pads for attacks. Efforts continued this week to help universities shore up security with stronger password protection and secure communications.

Four vendors, led by the SANS Institute, a think tank that specializes in security, next week will announce they are teaming up to provide free encryption software for U.S. universities to prevent intruders from hacking into university networks.

Meanwhile, security experts this week issued a warning about a 32-bit Intel-based version of a distributed DoS tool called W32/Trinoo that can be delivered via e-mail, much like the Melissa virus or Back Orifice 2000 trojan horse. The emergence of W32/Trinoo vastly increases the number of machines that can become slaves, or launching pads, in a distributed DoS attack, given the ubiquity of the Wintel platform. Previously, the distributed DoS tools were available for Unix and Linux machines. Antivirus vendors are updating software to detect the rogue tool.

Theft of passwords and accounts at universities has led to break-ins at e-commerce and government sites, including Department of Defense research facilities, according to security experts. Often a hacker will break into one machine by exploiting a known vulnerability and install a sniffer to detect passwords traversing the network in clear text, said Steve Acheson, a program manager with the SANS Institute.

As a result, the SANS Institute has teamed up with RSA Security, SSH Communications Security, MIT and MindBright Technologies to provide free secure universal logins for every student, faculty and staff member to use on servers and home PCs.

Universities are more susceptible to break-ins because of their open nature, security experts said. "Universities by nature are open," said Fred Kost, a product manager at Recourse Technologies, a supplier of intrusion-prevention software. "The problem is they have a large number of users coming and going as students enter and graduate from school," he said.

Recourse experts have been working with the FBI to trace the origins of the attacks and during that investigation discovered that hackers might have been able to exploit vulnerabilities in a file-sharing program called WU-FTP, which is commonly used by universities. While the SANS initiative won't plug any WU-FTP security holes, it will provide stronger authentication to block a hacker from stealing passwords, Acheson said.

SSH's Secure Shell secure login program will protect confidential data across university networks. The program authenticates users at both ends of a connection to prevent identity spoofing. Agent technology lets users log in to multiple systems with a single sign-on. The software also provides encryption algorithms such as RSA to secure terminal connections, file transfers and tunneling of e-mail traffic. SANS will provide initial support for the Secure Shell 1.0 product. SSH will provide the migration path to the most recent version, SSH Secure Shell 2.1.

The effort is the culmination of eight months of work by technical experts at 13 leading universities, including the University of North Carolina, Georgia Tech University, Carnegie Mellon University, University of Wisconsin and University of California at Berkeley.

Copyright 2000 CMP Media Inc., a service of Internet Week. Reprinted with permission as an educational service. Visit their web site at http://www.internetwk.com

The views and opinions contained in this newsletter are solely those of its authors, and do not necessarily represent or reflect the views or opinions of the Kettle Moraine Chapter of ISACA. In the event you have any questions concerning this newsletter, you may wish to contact the article's author directly.

Event Calendar

ISACA Kettle Moraine Chapter
September 8, 1999: Computer Forensics (Thomas Varney, Ernst & Young LLP)
October 13, 1999: The "Ugly Side of eCommerce" (Dan Quealy, Ernst & Young LLP)
November 10, 1999: eCommerce: What's an auditor to do? (Dan Quealy, Ernst & Young LLP)
December 8, 1999: Security for the Internet - Public Key Infrastructure (Mel Mickey, Case Corporation)
January 12, 2000: How Can Audit Impact An ERP Implementation (Scott Redlinger, Ernst & Young LLP)
February 9, 2000: (No meeting scheduled)
March 8, 2000: Using ACL to Detect Fraud in Your Organization (Larry F. Maher, Arthur Andersen LLP)
April 11 & 12, 2000: Control & Security of Electronic Commerce Seminar (Gordon Smith, CANAUDIT)
May 10, 2000: (To Be Announced)
September 13, 2000: (To Be Announced)

2000 ISACA Dates
March 7-11, 2000: IS Audit & Control Training Week, Philadelphia, Pennsylvania
May 7-11, 2000: North America CACS Conference, Dallas, Texas
June 10, 2000: CISA Exam, Various Locations
July 16-19, 2000: The International Conference, Lake Buena Vista, Florida
July 17-21, 2000: IS Audit & Control Training Week, Orlando, Florida
August 21-23, 2000: Network Security Conference, Las Vegas, Nevada

inside ...
This Month's Meeting ............. Page 1
Board Minutes ........................ Page 2
April's Seminar ....................... Page 3-4
DoS Incidents ......................... Page 5

THE BYTELINE
Kettle Moraine Chapter, ISACA
Roger Naegeli, Editor
c/o MGIC Investment Corp.
P.O. Box 488
Milwaukee, WI 53201