SECURITY PART I: AUDITING OPERATING SYSTEMS AND NETWORKS

Focus of the Chapter
Sarbanes-Oxley compliance regarding the security and control of operating systems, communication networks, electronic data interchange (EDI), and PC-based accounting systems.

Lesson Objectives
After studying this chapter, you should:
~ Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures.
~ Be familiar with the principal risks associated with commerce conducted over intranets and the Internet, and understand the control techniques used to reduce these risks.
~ Be familiar with the risks associated with personal computing systems.
~ Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced.

AUDITING OPERATING SYSTEMS

What is an Operating System (O/S)?
An operating system (sometimes abbreviated as "OS") is the program that, after being initially loaded into the computer by a boot program, manages all the other programs in a computer. The other programs are called applications or application programs. The application programs make use of the operating system by making requests for services through a defined application program interface (API). In addition, users can interact directly with the operating system through a user interface such as a command language or a graphical user interface (GUI).
Source: http://learningoperatingsystem.blogspot.com/2015/09/operating-systems-definition-and.html

The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
Examples of O/S: Google Chromium O/S, Linux, Microsoft Windows

An operating system (OS) is software that manages computer hardware and software resources and provides common services for computer programs. The operating system is an essential component of the system software in a computer system. Application programs usually require an operating system to function.
Source: https://en.wikipedia.org/wiki/Operating_system

Three Main Tasks of Operating Systems
~ Translates high-level languages into machine-level language
~ Allocates computer resources to user applications
~ Manages the tasks of job scheduling and multiprogramming

Specific Tasks of Operating Systems
~ In a multitasking operating system, where multiple programs can be running at the same time, the operating system determines which applications should run in what order and how much time should be allowed for each application before giving another application a turn.
~ It manages the sharing of internal memory among multiple applications.
~ It handles input and output to and from attached hardware devices, such as hard disks, printers, and dial-up ports.
~ It sends messages to each application or interactive user (or to a system operator) about the status of operation and any errors that may have occurred.
~ It can offload the management of batch jobs (for example, printing) so that the initiating application is freed from this work.
~ On computers that can provide parallel processing, an operating system can manage how to divide the program so that it runs on more than one processor at a time.

Requirements for Effective O/S Performance
Five fundamental control objectives of the O/S. The operating system must:
~ Protect itself from users: protect against tampering by users.
~ Protect users from each other: prevent users from tampering with the programs of other users.
~ Protect users from themselves: safeguard users' applications from accidental corruption.
~ Be protected against itself: safeguard its own programs from accidental corruption.
~ Be protected from its environment.
  o Protect itself from power failures and other disasters.

Operating Systems Security
~ Log-on procedure: the first line of defense; user IDs and passwords
~ Access token: contains key information about the user
~ Access control list: defines the access privileges of users
~ Discretionary access control: allows a user to grant access to another user

Threats to O/S Integrity
~ Accidental threats: hardware failure; errors in user application programs
~ Intentional threats: attempts to access user data; destructive programs

Operating Systems Controls
~ Access privileges
~ Password control
~ Malicious or destructive programs
~ System audit trail

Access Privileges
Audit objective: verify that access privileges are consistent with the separation of incompatible functions and with organization policies.
Audit procedures: review or verify...
~ policies for separating incompatible functions
~ a sample of user privileges, especially access to data and programs
~ security clearance checks of privileged employees
~ formal acknowledgements to maintain confidentiality of data
~ users' log-on times

Password Control
Audit objective: ensure the adequacy and effectiveness of password policies for controlling access to the operating system.
Audit procedures: review or verify...
~ passwords required for all users
~ password instructions for new users
~ passwords changed regularly
~ password file for weak passwords
~ encryption of the password file
~ password standards
~ account lockout policies
[Figures: Windows startup / login screen; one-time password (OTP)]

Malicious or Destructive Programs
Audit objective: verify the effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses.
Audit procedures: review or verify...
~ training of operations personnel concerning destructive programs
~ testing of new software prior to implementation
~ currency of antiviral software and frequency of upgrades

A COMPUTER VIRUS is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected".
[Figure: ClamWin antivirus software running in Wine on Ubuntu Linux]
Source: https://en.wikipedia.org/wiki/Computer_virus

A COMPUTER WORM is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
[Figure: Hex dump of the Blaster worm, showing a message left for Microsoft CEO Bill Gates by the worm's programmer]
Source: https://en.wikipedia.org/wiki/Computer_worm

A TROJAN HORSE, or Trojan, in computing is generally a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the Ancient Greek story of the large wooden horse used to trick the defenders of Troy into taking warriors concealed in the horse into their city in ancient Anatolia. A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.
Source: https://en.wikipedia.org/wiki/Trojan_horse_(computing)

System Audit Trail Controls
Audit objective: ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation.
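The access-privilege procedure above asks the auditor to review users' log-on times, and the audit trail objective asks for a trail that detects abuses and lets key events be reconstructed. As an added example (not from the lecture or from Hall's textbook), the following Python reviews a constructed event-monitoring log for three indicators an auditor would look for: bursts of failed log-ons, successful log-ons outside permitted hours, and uses of an override privilege. The log line format, the account names and addresses, and the permitted-hours window are all assumptions made up for this example.

```python
"""Added example (not from the lecture or Hall's textbook): reviewing an
operating-system event log for the security violations an audit trail is
meant to surface -- repeated failed log-ons, log-ons outside permitted
hours, and use of override privileges.  Log format and records are
constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of an event-monitoring log (one event per line).
SAMPLE_LOG = """\
2024-03-04 08:02:11 LOGON_SUCCESS user=acct01 src=10.0.1.14
2024-03-04 08:05:40 LOGON_FAILURE user=acct02 src=10.0.1.20
2024-03-04 08:05:52 LOGON_FAILURE user=acct02 src=10.0.1.20
2024-03-04 08:06:03 LOGON_FAILURE user=acct02 src=10.0.1.20
2024-03-04 08:06:15 LOGON_FAILURE user=acct02 src=10.0.1.20
2024-03-04 08:06:30 LOGON_SUCCESS user=acct02 src=10.0.1.20
2024-03-04 23:41:09 LOGON_SUCCESS user=acct03 src=10.0.1.33
2024-03-04 23:42:50 PRIV_OVERRIDE user=acct03 src=10.0.1.33 object=GL_MASTER
2024-03-05 09:15:22 LOGON_SUCCESS user=acct01 src=10.0.1.14
"""


def parse_log(text):
    """Turn each log line into a dict with a datetime, an event kind and
    the key=value fields that follow."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, kind, *fields = line.split()
        event = {"time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                 "kind": kind}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def failed_logon_bursts(events, threshold=3, window_seconds=300):
    """Users with at least `threshold` LOGON_FAILURE events inside any
    sliding window of `window_seconds`.  Returns {user: worst_count}."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGON_FAILURE":
            failures[e["user"]].append(e["time"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[user] = worst
    return flagged


def off_hours_logons(events, start_hour=7, end_hour=19):
    """Successful log-ons outside the permitted window [start_hour, end_hour).
    The window itself is an assumption for this example."""
    return [(e["user"], e["time"].isoformat()) for e in events
            if e["kind"] == "LOGON_SUCCESS"
            and not (start_hour <= e["time"].hour < end_hour)]


def override_uses(events):
    """Every use of an override privilege, with the object it touched."""
    return [(e["user"], e.get("object", "?"))
            for e in events if e["kind"] == "PRIV_OVERRIDE"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(failed_logon_bursts(evs))   # {'acct02': 4}
    print(off_hours_logons(evs))      # [('acct03', '2024-03-04T23:41:09')]
    print(override_uses(evs))         # [('acct03', 'GL_MASTER')]
```

Each finding maps back to a review item in the slides: the burst of failures followed by a success is what an account lockout policy should have interrupted, the late-night log-on is what reviewing log-on times is meant to catch, and the override record is the trail that a privileged employee's access to mission-critical data leaves behind. Which of these is an actual violation is an auditor's judgement; the log only has to be complete enough to reconstruct the sequence.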
Audit procedures: review or verify...
~ how long audit trails have been in place
~ archived log files for key indicators
~ monitoring and reporting of security violations

Audit trails can be used to support security objectives in three ways:
(1) detecting unauthorized access to the system,
(2) facilitating the reconstruction of events, and
(3) promoting personal accountability.

Two types of audit logs:
~ Keystroke monitoring
~ Event monitoring

AUDITING NETWORKS

Terminologies
An INTRANET is a private network that is contained within an enterprise. It may consist of many interlinked local area networks and also use leased lines in the wide area network.
The INTERNET is a global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to link several billion devices worldwide.
Source: https://en.wikipedia.org/

Intranet Risks
~ Intercepting network messages (sniffing): interception of user IDs, passwords, confidential e-mails, and financial data files
~ Accessing corporate databases: connections to central databases increase the risk that data will be accessible by employees
~ Privileged employees: override privileges may allow unauthorized access to mission-critical data
~ Reluctance to prosecute: fear of negative publicity leads to such reluctance, but it encourages criminal behavior

Internet Risks
~ IP spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity
~ Denial of service (DOS) attacks: assaulting a Web server to prevent it from servicing users; particularly devastating to business entities that cannot receive and process business transactions
~ Other malicious programs: viruses, worms, logic bombs, and Trojan horses pose a threat to both Internet and intranet users

Three Common Types of DOS Attacks
~ SYN flood: when the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits.
~ Smurf: the DOS attacker uses numerous intermediary computers to flood the target computer with test messages ("pings").
~ Distributed DOS (DDOS): can take the form of Smurf or SYN attacks, but is distinguished by the vast number of "zombie" computers hijacked to launch the attacks.

[Figure: the three-way handshake between sender and receiver. Step 1: SYN message; Step 2: SYN/ACK; Step 3: ACK packet]
In a SYN flood denial of service (DOS) attack, the sender sends hundreds of messages, receives the SYN/ACK packets, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
[Figures: Smurf attack (ping test); distributed denial of service attack]

Controlling Risks
~ Firewalls
~ Deep packet inspection
~ Encryption
~ Digital signature / digital certificate
~ Message control techniques

Firewalls
Firewalls provide security by channeling all network connections through a control gateway.
Network-level firewalls
~ Low cost and low security access control
~ Do not explicitly authenticate outside users
~ Filter junk or improperly routed messages
~ Experienced hackers can easily penetrate the system
Application-level firewalls
~ Customizable network security, but expensive
~ Sophisticated functions such as logging or user authentication
[Figures: Windows Firewall; dual-homed firewall]

Encryption
A computer program transforms a clear message into a coded (cipher) text form using an algorithm.
[Figure: simplified encryption]
Encryption is the conversion of data into a secret code for storage and transmission.
~ The sender uses an encryption algorithm to convert the original cleartext message into a coded ciphertext.
~ The receiver decodes/decrypts the ciphertext back into cleartext.
~ Encryption algorithms use keys, typically 56 to 128 bits in length; the more bits in the key, the stronger the encryption method.
~ Two general approaches to encryption are private key and public key encryption.
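The SYN flood described above leaves the receiving server holding connections for which step 3 of the handshake never arrived, and one of the chapter's countermeasures is software that scans for exactly those half-open connections. As an added example (not from the lecture or from Hall's textbook), the Python below scans a constructed, netstat-style connection table for half-open entries and reports two things: sources with many half-open connections, and the share of half-open entries on a service port, which is the check that still fires when the half-open connections come from a vast number of spoofed or zombie addresses and no single source crosses a per-source threshold. The table layout, addresses and thresholds are assumptions for this example; SYN_RECV is the state Linux netstat shows for a server-side connection still waiting for the final ACK.

```python
"""Added example (not from the lecture or Hall's textbook): scanning a TCP
connection table for half-open (SYN_RECV) connections, the symptom a SYN
flood leaves on the receiving server.  Table rows are constructed."""
from collections import Counter

# Constructed connection table: proto recv-q send-q local remote state
SAMPLE_TABLE = """\
tcp 0 0 192.0.2.10:443 198.51.100.7:40011 SYN_RECV
tcp 0 0 192.0.2.10:443 198.51.100.7:40012 SYN_RECV
tcp 0 0 192.0.2.10:443 198.51.100.7:40013 SYN_RECV
tcp 0 0 192.0.2.10:443 198.51.100.7:40014 SYN_RECV
tcp 0 0 192.0.2.10:443 198.51.100.7:40015 SYN_RECV
tcp 0 0 192.0.2.10:443 203.0.113.25:51820 ESTABLISHED
tcp 0 0 192.0.2.10:443 203.0.113.40:51901 SYN_RECV
tcp 0 0 192.0.2.10:443 203.0.113.41:52230 ESTABLISHED
tcp 0 0 192.0.2.10:22 203.0.113.9:60011 ESTABLISHED
"""

# Handshake step 2 (SYN/ACK) was sent, step 3 (ACK) never arrived.
HALF_OPEN_STATE = "SYN_RECV"


def parse_table(text):
    """Parse netstat-style rows into dicts; malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, _, _, local, remote, state = parts
        remote_ip, _, _ = remote.rpartition(":")
        _, _, local_port = local.rpartition(":")
        rows.append({"proto": proto, "local_port": int(local_port),
                     "remote_ip": remote_ip, "state": state})
    return rows


def half_open_by_source(rows):
    """How many half-open connections each remote address is holding."""
    return Counter(r["remote_ip"] for r in rows if r["state"] == HALF_OPEN_STATE)


def half_open_ratio(rows, local_port):
    """Fraction of connections on a local service port that are half-open."""
    port_rows = [r for r in rows if r["local_port"] == local_port]
    if not port_rows:
        return 0.0
    half = sum(1 for r in port_rows if r["state"] == HALF_OPEN_STATE)
    return half / len(port_rows)


def syn_flood_suspects(rows, per_source_threshold=4, local_port=443):
    """Sources at or above the per-source threshold, plus the port-wide
    half-open ratio that catches a distributed flood from many sources.
    Thresholds are assumptions for this example."""
    counts = half_open_by_source(rows)
    sources = sorted(ip for ip, n in counts.items() if n >= per_source_threshold)
    return {"sources": sources,
            "port_ratio": round(half_open_ratio(rows, local_port), 2)}


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print(syn_flood_suspects(table))
    # {'sources': ['198.51.100.7'], 'port_ratio': 0.75}
```

The per-source count is what a firewall rule to ignore an attacking site would be built on, once the address is known; the port-wide ratio is the signal to watch when the chapter's DDOS case applies and the handshake attempts arrive from hijacked zombie machines, because then every individual source may stay under the per-source threshold while the service port is still saturated with half-open entries.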
Controlling DOS Attacks
Controlling for the three common forms of DOS attacks:
~ Smurf attacks: organizations can program firewalls to ignore an attacking site, once identified.
~ SYN flood attacks: two tactics to defeat this DOS attack
  o Get Internet hosts to use firewalls that block invalid IP addresses
  o Use security software that scans for half-open connections
~ DDOS attacks: many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI)
  o An IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks
  o DPI searches for protocol non-compliance and employs predefined criteria to decide whether a packet can proceed to its destination

Digital Signature / Certificate
~ Digital signature: an electronic authentication technique to ensure that...
  o the transmitted message originated with the authorized sender
  o the message was not tampered with after the signature was applied
~ Digital certificate: like an electronic identification card used with a public key encryption system
  o verifies the authenticity of the message sender
[Figures: digital signature; browser security alert for a digital certificate]

Message Control Techniques
~ Message sequence numbering: a sequence number is used to detect missing messages
~ Message transaction log: a listing of all incoming and outgoing messages, used to detect the efforts of hackers
~ Request-response technique: random control messages are sent from the sender to ensure messages are received
~ Call-back devices: the receiver calls the sender back at a pre-authorized phone number before transmission is completed

Audit Procedures – Subversive Threats
~ Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.
~ Review data encryption security procedures.
~ Verify encryption by testing.
~ Review message transaction logs.
~ Test procedures for preventing unauthorized calls.

Equipment Failure
Line errors are data errors caused by communications noise. Two techniques to detect and correct such data errors are:
~ Echo check: the receiver returns the message to the sender
~ Parity checks: an extra bit is added onto each byte of data, similar to check digits
[Figure: vertical and horizontal parity using odd parity]

Audit Procedures – Equipment Failure
Using a sample of messages from the transaction log:
~ examine them for garbled contents caused by line noise
~ verify that all corrupted messages were successfully retransmitted

AUDITING EDI

What is EDI?
EDI (electronic data interchange) uses computer-to-computer communications technologies to automate B2B (business-to-business, or e-business) purchases.
~ EDI is an inter-organization endeavor.
~ The information systems of the trading partners automatically process the transaction.
~ Transaction information is transmitted in a standardized format.
EDI is the transfer of data from one computer system to another by standardized message formatting, without the need for human intervention. EDI permits multiple companies, possibly in different countries, to exchange documents electronically.
[Figure: EDI system, manual vs. EDI method]

Benefits of EDI
~ Reduction or elimination of data entry
~ Reduction of errors
~ Reduction of paper
~ Reduction of paper processing and postage
~ Reduction of inventories (via JIT systems)

EDI Risks & Controls
~ Authorization
  o Risk: automated, with an absence of human intervention
  o Control: use of passwords and value-added networks (VANs) to ensure a valid partner
~ Access
  o Risk: need to access the EDI partner's files
  o Control: software to specify what can be accessed and at what level
~ Audit trail
  o Risk: paperless and transparent (automatic) transactions
  o Control: a control log records the transaction's flow through each phase of transaction processing
[Figure: EDI system using a transaction control log for the audit trail]

Audit Objectives – EDI
~ Transactions are authorized, validated, and in compliance with the trading partner agreement.
~ No unauthorized organizations can gain access to the database.
~ Authorized trading partners have access only to approved data.
~ Adequate controls are in place to ensure a complete audit trail.

Audit Procedures – EDI
Tests of authorization and validation controls
~ Review procedures for verifying trading partner identification codes
~ Review agreements with the VAN
~ Review trading partner files
Tests of access controls
~ Verify limited access to vendor and customer files
~ Verify limited access of vendors to the database
~ Test EDI controls by simulation
Tests of audit trail controls
~ Verify the existence of transaction logs
~ Review a sample of transactions

AUDITING PC-BASED ACCOUNTING SYSTEMS

Personal Computer Systems
PC operating systems; PC systems risks and controls
~ In general:
  o Relatively simple to operate and program
  o Controlled and operated by end users
  o Interactive data processing vs. batch
  o Commercial applications vs. custom
  o Often used to access data on a mainframe or network
  o Allow users to develop their own applications
~ Operating systems:
  o Are located on the PC (decentralized)
  o The O/S family dictates the applications (e.g., Windows)

Personal Computer Systems – Controls
~ Risk assessment
~ Inherent weaknesses
~ Weak access control
~ Inadequate segregation of duties
~ Multilevel password control / multifaceted access control
Risk of physical loss
~ Laptops, etc. can "walk off"
Risk of data loss
~ Easy for multiple users to access data
~ End user can steal, destroy, or manipulate data
~ Inadequate backup procedures
~ Local backups on an appropriate medium
~ Dual hard drives on the PC
~ External/removable hard drive on the PC
[Figure: PC accounting system modules]
Risk associated with virus infection
~ Policy for obtaining software
~ Policy for use of anti-virus software
~ Verify no unauthorized software on PCs
Risk of improper SDLC procedures
~ Use of commercial software
~ Formal software selection procedures

Audit Objectives – PC Systems
~ Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
~ Verify that adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators.
~ Verify that backup procedures are in place to prevent data and program loss due to system failures and errors.
~ Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
~ Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object.

Audit Procedures – PC Systems
~ Verify that microcomputers and their files are physically controlled.
~ Verify from organizational charts, job descriptions, and observation that the programmers of applications performing financially significant functions do not also operate those systems.
~ Confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
~ Determine that multilevel password control or multifaceted access control is used to limit access to data and applications, where applicable.
~ Verify that the drives are removed and stored in a secure location when not in use, where applicable.
~ Verify that backup procedures are being followed.
~ Verify that application source code is physically secured (such as in a locked safe) and that only the compiled version is stored on the microcomputer.
~ Review systems selection and acquisition controls.
~ Review virus control techniques.

Reference
Hall, J. A. (2011). Information Technology Auditing and Assurance. Singapore: Cengage Learning Asia Pte Ltd.
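Returning to the line-error controls under Equipment Failure: the vertical and horizontal parity figure there is the most concrete algorithm in the chapter, so it is worth seeing worked through. As an added example (not from the lecture or from Hall's textbook), the Python below encodes a block of characters with odd parity per character (the vertical check) and odd parity per bit column across the block (the horizontal check), detects a bit flipped by line noise, locates it at the intersection of the failing row and column, and reports a multi-bit error as one that needs retransmission. The block layout, one parity bit per character plus one parity row per block, is the usual textbook scheme and is assumed here.

```python
"""Added example (not from the lecture or Hall's textbook): vertical and
horizontal odd parity over a block of characters, detecting a single
line-noise bit error and locating it by the row/column where both checks
fail.  Block layout (8 data bits + 1 parity bit per character, one parity
row per block) is assumed."""


def odd_parity_bit(bits):
    """Parity bit that makes the total number of 1s (bits + parity) odd."""
    return 0 if sum(bits) % 2 == 1 else 1


def encode_block(data: bytes):
    """Each row: 8 data bits followed by the vertical (per-character) parity
    bit.  A final row holds the horizontal parity bit of each of the 9
    columns, computed over the character rows."""
    rows = []
    for byte in data:
        bits = [(byte >> (7 - i)) & 1 for i in range(8)]
        rows.append(bits + [odd_parity_bit(bits)])
    columns = list(zip(*rows))
    rows.append([odd_parity_bit(col) for col in columns])
    return rows


def check_block(rows):
    """Vertical check: every character row (all but the last) must contain an
    odd number of 1s.  Horizontal check: every column, including the parity
    row, must contain an odd number of 1s.  Returns (bad_rows, bad_cols)."""
    bad_rows = [i for i, row in enumerate(rows[:-1]) if sum(row) % 2 == 0]
    bad_cols = [j for j, col in enumerate(zip(*rows)) if sum(col) % 2 == 0]
    return bad_rows, bad_cols


def correct_single_error(rows):
    """Single error: exactly one row and one column fail, so flip their
    crossing.  A failing column with no failing row means the error sits in
    the parity row itself.  Anything else cannot be located and needs
    retransmission (the control the audit procedure above checks for)."""
    bad_rows, bad_cols = check_block(rows)
    if not bad_rows and not bad_cols:
        return "clean", None
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        r, c = bad_rows[0], bad_cols[0]
        rows[r][c] ^= 1
        return "corrected", (r, c)
    if not bad_rows and len(bad_cols) == 1:
        r, c = len(rows) - 1, bad_cols[0]
        rows[r][c] ^= 1
        return "corrected", (r, c)
    return "uncorrectable", None


def decode_block(rows):
    """Recover the data bytes from the 8 data bits of each character row."""
    data = bytearray()
    for row in rows[:-1]:
        data.append(int("".join(str(b) for b in row[:8]), 2))
    return bytes(data)


def flip_bit(rows, r, c):
    """Simulate line noise flipping one bit of the block in transit."""
    rows[r][c] ^= 1
    return rows


if __name__ == "__main__":
    block = encode_block(b"AUDIT")
    flip_bit(block, 1, 3)                 # noise hits row 1, column 3
    print(check_block(block))             # ([1], [3])
    print(correct_single_error(block))    # ('corrected', (1, 3))
    print(decode_block(block))            # b'AUDIT'
```

Two flipped bits in the same character row cancel out in that row's vertical parity, so only the horizontal check sees them and the block comes back as uncorrectable, which is why the audit procedure asks the auditor to verify that corrupted messages were in fact retransmitted rather than trusting correction alone. Parity is a control against line noise only: anyone who can alter a message deliberately can recompute its parity bits, so detecting tampering is the job of the digital signature described earlier, not of parity.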