
6 - SECURITY PART I - AUDITING OPERATING SYSTEMS AND NETWORKS 2019

SECURITY PART I:
AUDITING OPERATING
SYSTEMS AND NETWORKS
Focus of the Chapter
 Sarbanes-Oxley compliance regarding the
security and control of operating systems,
communication networks, electronic data
interchange, and PC-based accounting
systems
Lesson Objectives
After studying this chapter, you should:
 Be able to identify the principal threats to the operating
system and the control techniques used to minimize the
possibility of actual exposures.
 Be familiar with the principal risks associated with commerce
conducted over intranets and the Internet and understand the
control techniques used to reduce these risks.
 Be familiar with the risks associated with personal computing
systems.
 Recognize the unique exposures that arise in connection with
electronic data interchange (EDI) and understand how these
exposures can be reduced.
AUDITING OPERATING SYSTEMS
What is an Operating System (O/S)?
 An operating system (sometimes abbreviated as
"OS") is the program that, after being initially
loaded into the computer by a boot program,
manages all the other programs in a computer.
 The other programs are called applications or
application programs.
 The application programs make use of the
operating system by making requests for services
through a defined application program
interface (API). In addition, users can interact
directly with the operating system through a user
interface such as a command language or a
graphical user interface (GUI).
http://learningoperatingsystem.blogspot.com/2015/09/operating-systems-definition-and.html
What is an Operating System (O/S)?
The operating system is the computer’s
control program. It allows users and their
applications to share and access common
computer resources, such as processors,
main memory, databases, and printers.
Examples of O/S: Google Chromium O/S,
Linux, Microsoft Windows
What is an Operating System (O/S)?
An operating system (OS) is
software that manages computer
hardware and software resources
and provides common services for
computer programs.
https://en.wikipedia.org/wiki/Operating_system
The operating system is an essential
component of the system software
in a computer system. Application
programs usually require an
operating system to function.
Three Main Tasks Of Operating Systems
 loads programs and executes their machine code (the
translation of high-level languages into machine code is
done by compilers and interpreters, which are themselves
programs running on the O/S, not by the O/S itself)
 allocates computer resources to user
applications
 manages the tasks of job scheduling and
multiprogramming
Specific Tasks Of Operating Systems
 In a multitasking operating system where multiple programs
can be running at the same time, the operating system
determines which applications should run in what order and
how much time should be allowed for each application before
giving another application a turn.
 It manages the sharing of internal memory among multiple
applications.
 It handles input and output to and from attached hardware
devices, such as hard disks, printers, and dial-up ports.
 It sends messages to each application or interactive user (or to
a system operator) about the status of operation and any errors
that may have occurred.
 It can offload the management of what are called batch jobs
(for example, printing) so that the initiating application is freed
from this work.
 On computers that can provide parallel processing, an operating
system can manage how to divide the program so that it runs
on more than one processor at a time.
Req’ts For Effective O/S Performance
Five fundamental control objectives of the O/S
The operating system must:
 Protect itself from users. Protect against tampering
by users
 Protect users from each other. Prevent users from
tampering with the programs of other users
 Protect users from themselves. Safeguard users’
applications from accidental corruption
 Be protected against itself. Safeguard its own
programs from accidental corruption
 Be protected from its environment. Protect itself
from power failures and other disasters
Operating Systems Security
 Log-On Procedure
~ first line of defense – user IDs and passwords
 Access Token
~ contains key information about the user
 Access Control List
~ defines access privileges of users
 Discretionary Access Control
~ allows user to grant access to another user
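The four mechanisms above fit together in one small model: the log-on procedure issues an access token, every access is decided against the object's ACL using the identity in that token, and discretionary access control lets the owner of an object extend its ACL. The block below is an added example, not code from the slides or from Hall's textbook; the user names, the resource, the permissions and the (toy, clear-text) password table are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed user database for the example: user -> (password, groups).
# Passwords sit here in clear only because this is a toy; a real password
# file stores salted hashes (see the password-control slides).
USERS = {
    "alice": ("correct horse", {"accounting"}),
    "bob": ("battery staple", {"sales"}),
}


@dataclass(frozen=True)
class AccessToken:
    """Issued at log-on; carries the identity the O/S uses for every later check."""
    user: str
    groups: frozenset


def log_on(user: str, password: str) -> Optional[AccessToken]:
    """Log-on procedure: only a valid user ID / password pair yields a token."""
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return AccessToken(user, frozenset(entry[1]))


@dataclass
class Resource:
    owner: str
    # Access control list: principal ('alice' or 'group:accounting') -> permissions
    acl: dict = field(default_factory=dict)

    def permits(self, token: AccessToken, perm: str) -> bool:
        principals = {token.user} | {f"group:{g}" for g in token.groups}
        return any(perm in self.acl.get(p, set()) for p in principals)

    def grant(self, token: AccessToken, to: str, perm: str) -> None:
        """Discretionary access control: only the owner may extend the ACL."""
        if token.user != self.owner:
            raise PermissionError(f"{token.user} does not own this resource")
        self.acl.setdefault(to, set()).add(perm)


def demo() -> dict:
    ledger = Resource(owner="alice",
                      acl={"alice": {"read", "write"}, "group:accounting": {"read"}})
    alice = log_on("alice", "correct horse")
    bob = log_on("bob", "battery staple")
    bad_logon = log_on("bob", "wrong password") is None
    bob_read_before = ledger.permits(bob, "read")    # users protected from each other
    ledger.grant(alice, "bob", "read")               # the owner decides to share
    bob_read_after = ledger.permits(bob, "read")
    try:
        ledger.grant(bob, "bob", "write")            # a non-owner cannot self-grant
        escalated = True
    except PermissionError:
        escalated = False
    return {"bad_logon": bad_logon, "bob_read_before": bob_read_before,
            "bob_read_after": bob_read_after, "escalated": escalated,
            "bob_write": ledger.permits(bob, "write")}
```

The audit point is the `grant` method: discretionary control means the data owner, not the security administrator, decides who else may read the data, which is why the access-privilege review later in the chapter samples actual ACLs rather than only the written policy.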
Threats to O/S Integrity
 Accidental threats
~ Hardware failure; errors in user application
program
 Intentional threats
~ Attempt to access user data
~ Destructive programs
Operating Systems Controls
 Access privileges
 Password control
 Malicious or destructive programs
 System audit trail
Access Privileges
Audit objective: Verify that access privileges are
consistent with separation of incompatible functions and
organization policies
Audit procedures: Review or verify…
 policies for separating incompatible functions
 a sample of user privileges, especially access to data
and programs
 security clearance checks of privileged employees
 formal acknowledgements to maintain confidentiality
of data
 users’ log-on times
Password Control
Audit objective: Ensure adequacy and effectiveness
of password policies for controlling access to the
operating system
Audit procedures: Review or verify…
 passwords required for all users
 password instructions for new users
 passwords changed regularly
 password file for weak passwords
 encryption of password file
 password standards
 account lockout policies
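Several of the checks in this list can be run directly against the password file rather than from interviews. The script below is an added example, not part of the slides or of Hall's textbook: it audits a constructed file in the layout of Unix `/etc/shadow` (`name:hash:lastchange:min:max:warn:inactive:expire:reserved`, with `lastchange` in days since 1970-01-01) for accounts with no password, weak hash algorithms, passwords older than the policy allows, and passwords that never expire. The policy values, the audit date and the file contents are assumptions. Whether individual hashes are guessable is not decided here; that needs a password-cracking tool run against the file with the auditor's permission.

```python
from datetime import date

# Constructed policy: maximum age and the hash formats still considered acceptable
# ($5$ sha256crypt, $6$ sha512crypt, $7$ scrypt, $y$ yescrypt, $2b$ bcrypt).
POLICY = {"max_age_days": 90,
          "acceptable_hash_prefixes": ("$5$", "$6$", "$7$", "$y$", "$2b$")}
TODAY_DAYS = (date(2019, 6, 1) - date(1970, 1, 1)).days   # constructed audit date

# Constructed sample file; the hash strings are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstu:17900:0:90:7:::
alice:$6$saltsalt$vwxyzabcdefghijklmnop:18000:0:90:7:::
bob:$1$saltsalt$qrstuvwxyzabc:17000:0:99999:7:::
svc_backup::17800:0:90:7:::
daemon:*:17000:0:99999:7:::
carol:$6$saltsalt$zzzzzzzzzzzzzzzzzzzzz:18040:0::7:::
"""


def audit_shadow(text: str, today: int = TODAY_DAYS, policy: dict = POLICY) -> dict:
    """Return {account: [findings]} for every account that breaks the policy."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_hash, last_change, max_age = fields[0], fields[1], fields[2], fields[4]
        issues = []
        if pw_hash == "":
            issues.append("empty password field: log-on needs no credential")
        elif pw_hash.startswith(("!", "*")):
            continue                      # locked or no-login account: nothing to rate
        elif not pw_hash.startswith(policy["acceptable_hash_prefixes"]):
            issues.append("weak hash algorithm (DES or MD5-crypt): fast offline cracking")
        if last_change:
            age = today - int(last_change)
            if age > policy["max_age_days"]:
                issues.append(f"password is {age} days old, policy maximum is "
                              f"{policy['max_age_days']}")
        if max_age in ("", "99999"):
            issues.append("no maximum age set: password never expires")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_shadow(SAMPLE_SHADOW).items():
        for issue in issues:
            print(f"{account}: {issue}")
```

Lockout policy is not visible in this file; on Linux it lives in the PAM configuration (for example the `pam_faillock` module), and on Windows in the account lockout settings of the security policy, so that item is checked separately.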
Windows Startup / Login
One Time Password (OTP)
Malicious or Destructive Programs
Audit objective: Verify effectiveness of procedures
to protect against programs such as viruses, worms,
back doors, logic bombs, and Trojan horses
Audit procedures: Review or verify…
 training of operations personnel concerning
destructive programs
 testing of new software prior to being implemented
 currency of antiviral software and frequency of
upgrades
A COMPUTER VIRUS is a malware program that, when executed,
replicates by inserting copies of itself (possibly modified) into
other computer programs, data files, or the boot sector of the
hard drive; when this replication succeeds, the affected areas are
then said to be "infected”.
ClamWin antivirus software
running in Wine on Ubuntu Linux
https://en.wikipedia.org/wiki/Computer_virus
A COMPUTER WORM is a standalone malware computer program that
replicates itself in order to spread to other computers. Often, it uses a
computer network to spread itself, relying on security failures on the target
computer to access it.
Unlike a computer virus, it does not need to attach itself to an existing
program. Worms almost always cause at least some harm to the network, even
if only by consuming bandwidth, whereas viruses almost always corrupt or
modify files on a targeted computer
Hex dump of the Blaster worm,
showing a message left for
Microsoft CEO Bill Gates by the
worm's programmer.
https://en.wikipedia.org/wiki/Computer_worm
A TROJAN HORSE, or Trojan, in computing is generally a non-self-replicating
type of malware program containing malicious code that, when executed,
carries out actions determined by the nature of the Trojan, typically causing
loss or theft of data, and possible system harm. The term is derived from the
Ancient Greek story of the large wooden horse used to trick defenders of Troy
into taking warriors concealed in the horse into their city in ancient Anatolia.
A Trojan often acts as a backdoor,
contacting a controller which can
then have unauthorized access to
the affected computer
https://en.wikipedia.org/wiki/Trojan_horse_(computing)
System Audit Trail Controls
Audit objective: Ensure that the established system
audit trail is adequate for preventing and detecting
abuses, reconstructing key events that precede systems
failures, and planning resource allocation.
Audit procedures: Review or verify…
 how long audit trails have been in place
 archived log files for key indicators
 monitoring and reporting of security violations
Audit trails can be used to support security
objectives in three ways:
(1)detecting unauthorized access to the
system,
(2)facilitating the reconstruction of events,
(3)promoting personal accountability
Two types of audit logs:
 Keystroke monitoring
 Event monitoring
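The three uses of an audit trail above are easier to see against real-looking records than in the abstract. The block below is an added example, not from the slides or from Hall's textbook: it parses a constructed, syslog-style authentication log (the host name, addresses, timestamps and commands are all made up, and the year is an assumption because syslog lines carry none), detects a password-guessing sequence that ends in a successful log-on, reconstructs everything attributable to that account in time order, and so gives the auditor both the detection and the accountability the slide describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log (event monitoring, not keystroke monitoring).
SAMPLE_LOG = """\
Jun 01 08:02:11 acct01 sshd[2001]: Accepted password for alice from 10.0.0.7 port 51001 ssh2
Jun 01 22:14:02 acct01 sshd[2107]: Failed password for admin from 203.0.113.9 port 40110 ssh2
Jun 01 22:14:05 acct01 sshd[2107]: Failed password for admin from 203.0.113.9 port 40111 ssh2
Jun 01 22:14:09 acct01 sshd[2107]: Failed password for admin from 203.0.113.9 port 40112 ssh2
Jun 01 22:14:13 acct01 sshd[2107]: Failed password for admin from 203.0.113.9 port 40113 ssh2
Jun 01 22:14:20 acct01 sshd[2110]: Accepted password for admin from 203.0.113.9 port 40114 ssh2
Jun 01 22:15:01 acct01 sudo: admin : COMMAND=/usr/bin/cp /data/ledger.db /tmp/l.db
Jun 02 09:30:44 acct01 sshd[2300]: Failed password for bob from 10.0.0.8 port 51200 ssh2
Jun 02 09:30:52 acct01 sshd[2300]: Accepted password for bob from 10.0.0.8 port 51201 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH = re.compile(r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")
YEAR = 2019   # assumption: syslog timestamps omit the year


def parse(text: str) -> list:
    """Turn raw lines into records with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def detect_bruteforce(events: list, threshold: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> list:
    """Detecting unauthorized access: >= threshold failures for the same
    (user, source) inside `window`, followed by a success, is the signature
    of a guessed password."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        a = AUTH.search(ev["msg"])
        if not a:
            continue
        key = (a["user"], a["src"])
        if a["result"] == "Failed":
            failures[key].append(ev["ts"])
        else:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": key[0], "src": key[1],
                               "failures": len(recent), "at": ev["ts"]})
            failures[key].clear()
    return alerts


def reconstruct(events: list, user: str) -> list:
    """Reconstruction and accountability: every action attributable to `user`,
    in time order, including what was done after the log-on."""
    pattern = re.compile(rf"\b{re.escape(user)}\b")
    return [(ev["ts"].strftime("%b %d %H:%M:%S"), ev["msg"])
            for ev in events if pattern.search(ev["msg"])]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_bruteforce(evs):
        print(f"ALERT {alert['user']} from {alert['src']}: "
              f"{alert['failures']} failures then success at {alert['at']}")
        for ts, msg in reconstruct(evs, alert["user"]):
            print(f"  {ts}  {msg}")
```

The thresholds are assumptions; in practice they are set from the lockout policy reviewed earlier (a lockout threshold of five means four failures followed by a success deserves a look, since the guesser stayed just under the limit).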
AUDITING NETWORKS
Terminologies
 An INTRANET is a private network that is
contained within an enterprise. It may consist of
many interlinked local area networks and also
use leased lines in the wide area network.
 The INTERNET is a global system of
interconnected computer networks that use the
standard Internet protocol suite (TCP/IP) to link
several billion devices worldwide.
SOURCE: https://en.wikipedia.org/
Intranet Risks
 Intercepting network messages
~ sniffing: interception of user IDs, passwords,
confidential e-mails, and financial data files
 Accessing corporate databases
~ connections to central databases increase the risk
that data will be accessible by employees
 Privileged employees
~ override privileges may allow unauthorized access
to mission-critical data
 Reluctance to prosecute
~ fear of negative publicity leads to such reluctance
but encourages criminal behavior
Internet Risks
 IP spoofing: masquerading to gain access to a Web
server and/or to perpetrate an unlawful act without
revealing one’s identity
 Denial of service (DOS) attacks: assaulting a Web
server to prevent it from servicing users; particularly
devastating to business entities that cannot receive
and process business transactions
 Other malicious programs: viruses, worms, logic
bombs, and Trojan horses pose a threat to both
Internet and Intranet users
Three Common Types of DOS Attacks
 SYN Flood – the attacker starts the three-way handshake
needed to establish a TCP connection over and over but never
sends the final acknowledgement, so the receiving server
holds each half-open connection in its backlog while it waits
and runs out of room for legitimate connections.
 Smurf – the attacker sends "ping" (ICMP echo) requests to the
broadcast address of numerous intermediary networks with the
target's address forged as the source, so every host on those
networks floods the target with replies.
 Distributed DOS (DDOS) – can take the form of Smurf or SYN
attacks, but is distinguished by the vast number of "zombie"
computers hijacked to launch the attacks.
[Figure: SYN flood. Step 1: the sender transmits SYN messages to the receiver. Step 2: the receiver answers each with SYN/ACK. Step 3: the ACK packet that should complete the handshake is never sent.]
In a Denial of Service (DOS) Attack – SYN Flood, the sender sends
hundreds of SYN messages, receives the SYN/ACK packet for each, but
never responds with the ACK packet. This leaves the receiver's
connection backlog full of half-open connections, and legitimate
connection requests cannot be accepted.
SMURF Attack
Ping Test
Distributed Denial of Service Attack
Controlling Risks
 Firewalls
 Deep packet inspection
 Encryption
 Digital signature / digital certificate
 Message control techniques
Firewalls
Firewalls provide security by channeling all
network connections through a control gateway.
 Network level firewalls
~ Low cost and low security access control
~ Do not explicitly authenticate outside users; decisions are
based only on packet headers (addresses, ports, protocol)
~ Filter junk or improperly routed messages
~ Can be bypassed by an attacker who forges a trusted source
address or tunnels through a permitted port
 Application level firewalls
~ Customizable network security, but expensive
~ Sophisticated functions such as logging or user
authentication
Windows Firewall
Dual-Homed Firewall
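A network-level firewall is a first-match rule list over packet headers, which is both what makes it cheap and why it cannot authenticate anyone. The block below is an added example, not from the slides or from Hall's textbook: a minimal packet filter with a constructed rule set and constructed addresses (`eth0` is assumed to be the Internet-facing interface, `eth1` the internal one). It shows the IP-spoofing risk listed under Internet Risks: a packet arriving from the Internet with a forged internal source address is accepted by a rule meant for insiders, until an anti-spoofing rule on the external interface is placed ahead of it.

```python
import ipaddress


def rule(action, iface="*", proto="*", src="0.0.0.0/0", dst="0.0.0.0/0", dport="*"):
    """One filter rule; '*' means any. Addresses are CIDR networks."""
    return {"action": action, "iface": iface, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": dport}


def matches(r: dict, pkt: dict) -> bool:
    return (r["iface"] in ("*", pkt["iface"])
            and r["proto"] in ("*", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["dport"] in ("*", pkt["dport"]))


def filter_packet(rules: list, pkt: dict) -> str:
    """First matching rule decides; nothing matching is dropped (default deny)."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "DROP"


INTERNAL = "10.0.0.0/8"                      # constructed internal address space

# Rule set as many sites first write it: insiders may reach the database,
# anyone may reach the public web server, everything else is dropped.
NAIVE_RULES = [
    rule("ACCEPT", proto="tcp", src=INTERNAL, dst="10.0.5.20/32", dport=1433),
    rule("ACCEPT", proto="tcp", dst="10.0.5.10/32", dport=443),
    rule("DROP"),
]

# Hardened: an internal source address can never legitimately arrive on the
# external interface, so drop it there before any ACCEPT rule is consulted.
HARDENED_RULES = [rule("DROP", iface="eth0", src=INTERNAL)] + NAIVE_RULES

# Constructed packets (header fields only; the filter never sees a user name).
SPOOFED = {"iface": "eth0", "proto": "tcp", "src": "10.0.1.7", "dst": "10.0.5.20", "dport": 1433}
GENUINE = {"iface": "eth1", "proto": "tcp", "src": "10.0.1.7", "dst": "10.0.5.20", "dport": 1433}
OUTSIDER = {"iface": "eth0", "proto": "tcp", "src": "203.0.113.9", "dst": "10.0.5.20", "dport": 1433}
WEB = {"iface": "eth0", "proto": "tcp", "src": "203.0.113.9", "dst": "10.0.5.10", "dport": 443}


if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("outsider", OUTSIDER), ("web", WEB)]:
        print(f"{name:8} naive={filter_packet(NAIVE_RULES, pkt):6} "
              f"hardened={filter_packet(HARDENED_RULES, pkt)}")
```

When reviewing a firewall for "probing for weaknesses" later in the chapter, this is the kind of rule ordering to look for: any ACCEPT keyed on an internal source range that is not preceded by an anti-spoofing DROP on the external interface.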
Encryption
Computer program transforms a clear message
into a coded (cipher) text form using an algorithm.
[Figure: Simplified encryption]
Encryption (cont.)
 The conversion of data into a secret code for storage and
transmission
 The sender uses an encryption algorithm to convert the original
cleartext message into a coded ciphertext.
 The receiver decodes / decrypts the ciphertext back into cleartext.
 Encryption algorithms use keys
~ Older ciphers such as DES used 56-bit keys, which can now be
found by brute force; current symmetric ciphers such as AES use
128- or 256-bit keys (public-key algorithms such as RSA need much
longer keys, 2048 bits or more, for comparable strength)
~ For a given algorithm, the more bits in the key the more work a
brute-force search needs; a longer key does not repair a weak
algorithm or a poorly protected key
 Two general approaches to encryption are private key (symmetric)
and public key (asymmetric) encryption.
Controlling DOS Attacks
Controlling for three common forms of DOS attacks:
 Smurf attacks – organizations can program firewalls to ignore an
attacking site, once identified, and routers can be configured not
to forward packets addressed to a broadcast address, which removes
the amplifier the attack depends on
 SYN flood attacks – two tactics to defeat this DOS attack
~ Get Internet hosts to use firewalls that block packets with
invalid (forged, private or otherwise unroutable) source addresses
~ Use security software that scans for half-open connections and
drops them; most operating systems also offer SYN cookies, which
avoid storing state for a connection until the final ACK arrives
 DDoS attacks – many organizations use Intrusion Prevention
Systems (IPS) that employ deep packet inspection (DPI)
~ IPS works with a firewall filter that removes malicious packets
from the flow before they can affect servers and networks
~ DPI searches for protocol non-compliance and employs
predefined criteria to decide if a packet can proceed to its
destination
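Both SYN-flood tactics above can be checked from the server's own connection table: count half-open connections and look at where they claim to come from. The block below is an added example, not from the slides or from Hall's textbook, covering the SYN flood description earlier and the controls just listed. It parses a constructed table in the layout printed by `ss -tan` / `netstat -tan` (State, Recv-Q, Send-Q, local address, peer address); the backlog size, the per-source limit and the idea that the server is Internet-facing are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed connection table; addresses and ports are made up.
SAMPLE_TABLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
ESTAB      0      0      198.51.100.5:443    203.0.113.40:52211
SYN-RECV   0      0      198.51.100.5:443    203.0.113.77:1025
SYN-RECV   0      0      198.51.100.5:443    203.0.113.77:1026
SYN-RECV   0      0      198.51.100.5:443    203.0.113.77:1027
SYN-RECV   0      0      198.51.100.5:443    10.1.2.3:4000
SYN-RECV   0      0      198.51.100.5:443    10.1.2.3:4001
SYN-RECV   0      0      198.51.100.5:443    192.168.9.9:4002
SYN-RECV   0      0      198.51.100.5:443    127.0.0.1:4003
ESTAB      0      0      198.51.100.5:443    203.0.113.41:52300
"""

# Source ranges that cannot legitimately reach an Internet-facing server
# (private, loopback, link-local, multicast, reserved): a peer address in one
# of these has been forged.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_table(text: str) -> list:
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        state, _recvq, _sendq, local, peer = line.split()
        peer_ip, _, peer_port = peer.rpartition(":")
        rows.append({"state": state, "local": local,
                     "peer_ip": peer_ip, "peer_port": peer_port})
    return rows


def is_bogus_internet_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def scan_half_open(rows: list, backlog: int = 128, per_source_limit: int = 2) -> dict:
    """Half-open (SYN-RECV) connections: how many, how much of the backlog they
    consume, which sources exceed a per-source limit, and which are forged."""
    half_open = [r for r in rows if r["state"] == "SYN-RECV"]
    by_source = Counter(r["peer_ip"] for r in half_open)
    return {
        "half_open": len(half_open),
        "backlog_fraction": len(half_open) / backlog,
        "flooding_sources": sorted(ip for ip, n in by_source.items() if n > per_source_limit),
        "spoofed_sources": sorted(ip for ip in by_source if is_bogus_internet_source(ip)),
        "established": sum(r["state"] == "ESTAB" for r in rows),
    }


if __name__ == "__main__":
    report = scan_half_open(parse_table(SAMPLE_TABLE))
    print(f"{report['half_open']} half-open of backlog 128 "
          f"({report['backlog_fraction']:.0%}), {report['established']} established")
    print("flooding:", report["flooding_sources"])
    print("spoofed: ", report["spoofed_sources"])
```

On a live Linux host the same figures come from `ss -tan state syn-recv`, and whether SYN cookies are enabled is read from `sysctl net.ipv4.tcp_syncookies`.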
Digital Signature / Certificate
 Digital signature – electronic authentication
technique to ensure that…
~ transmitted message originated with the
authorized sender
~ message was not tampered with after the
signature was applied
 Digital certificate – like an electronic
identification card used with a public key
encryption system
~ Binds the sender's public key to the sender's identity,
signed by a trusted certification authority (CA), so the
receiver can verify the authenticity of the message sender
Digital Signature
Security Alert - Digital Certificate
Message Control Techniques
 Message sequence numbering – sequence number
used to detect missing messages
 Message transaction log – listing of all incoming and
outgoing messages to detect the efforts of hackers
 Request-response technique – random control
messages are sent from the sender to ensure messages
are received
 Call-back devices – receiver calls the sender back at a
pre-authorized phone number before transmission is
completed
Audit Procedures – SUBVERSIVE THREATS
 Review firewall effectiveness in terms of
flexibility, proxy services, filtering, segregation
of systems, audit tools, and probing for
weaknesses.
 Review data encryption security procedures
 Verify encryption by testing
 Review message transaction logs
 Test procedures for preventing unauthorized
calls
Equipment Failure
Line errors are data errors from communications
noise.
Two techniques to detect and correct such data
errors are:
 echo check - the receiver returns the
message to the sender
 parity checks - an extra bit is added onto
each byte of data similar to check digits
Vertical and Horizontal Parity using Odd Parity
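The vertical-and-horizontal scheme in the figure above can be worked through in a few lines: every byte gets a parity bit making its count of ones odd (vertical parity), and a final parity byte makes each bit position across the block odd as well (horizontal, or longitudinal, parity). A single flipped bit then fails one row check and one column check, and their intersection locates it, so the receiver can correct it without a retransmission; two flips in the same row pass the row check and can only be detected, not located. The block is an added example, not from the slides or from Hall's textbook; the data is constructed. Parity is an equipment-failure control only: an attacker who changes data recomputes the parity bits too, which is what the message-integrity controls earlier in the chapter are for.

```python
def odd_parity_bit(value: int, width: int = 8) -> int:
    """The bit that makes the total number of ones (value plus bit) odd."""
    ones = bin(value & ((1 << width) - 1)).count("1")
    return 0 if ones % 2 == 1 else 1


def encode(data: bytes):
    """Rows of (byte, vertical parity bit) plus a trailer (parity byte, its own bit)."""
    rows = [(b, odd_parity_bit(b)) for b in data]
    lrc = 0
    for bit in range(8):
        ones = sum((b >> bit) & 1 for b in data)
        if ones % 2 == 0:                 # make every column odd as well
            lrc |= 1 << bit
    return rows, (lrc, odd_parity_bit(lrc))


def check(rows, trailer):
    """Return (ok, bad_row, bad_bit). A located single-bit error gives its
    row and bit; an error that is detected but not locatable gives (False, None, None)."""
    all_rows = list(rows) + [trailer]
    bad_rows = [i for i, (b, p) in enumerate(all_rows) if odd_parity_bit(b) != p]
    bad_bits = [bit for bit in range(8)
                if sum((b >> bit) & 1 for b, _ in all_rows) % 2 == 0]
    if not bad_rows and not bad_bits:
        return True, None, None
    if len(bad_rows) == 1 and len(bad_bits) == 1:
        return False, bad_rows[0], bad_bits[0]
    return False, None, None


def correct(rows, trailer) -> bytes:
    """Recover the data, fixing a single located bit; raise if only detection is possible."""
    ok, row, bit = check(rows, trailer)
    if ok:
        return bytes(b for b, _ in rows)
    if row is None:
        raise ValueError("error detected but cannot be located: retransmit")
    fixed = [b for b, _ in rows]
    if row < len(rows):                   # a flip in the trailer leaves the data intact
        fixed[row] ^= 1 << bit
    return bytes(fixed)


if __name__ == "__main__":
    rows, trailer = encode(b"AUDIT")              # constructed data
    damaged = list(rows)
    b, p = damaged[2]
    damaged[2] = (b ^ 0x10, p)                    # line noise flips bit 4 of the third byte
    print(check(damaged, trailer), correct(damaged, trailer))
```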
Audit Procedures – Equipment Failure
Using a sample of messages from the
transaction log:
 examine them for garbled contents caused
by line noise
 verify that all corrupted messages were
successfully retransmitted
AUDITING EDI
WHAT IS EDI?
 EDI (electronic data interchange) uses
computer-to-computer communications
technologies to automate B2B purchases.
(B2B -> business-to-business or e-biz)
~ EDI is an inter-organization endeavor.
~ The information systems of the trading partners
automatically process the transaction.
~ Transaction information is transmitted in a
standardized format.
What is EDI? (cont.)
 EDI (Electronic Data Interchange) is the
transfer of data from one computer system to
another by standardized message formatting,
without the need for human intervention. EDI
permits multiple companies -- possibly in different
countries -- to exchange documents electronically.
EDI System
Manual vs. EDI Method
Benefits of EDI
 Reduction or elimination of data entry
 Reduction of errors
 Reduction of paper
 Reduction of paper processing and postage
 Reduction of inventories (via JIT systems)
EDI Risks & Control
 Authorization
~ RISK: authorization is automated, with no human
intervention
~ CONTROL: use of passwords and value added networks (VAN)
to ensure a valid trading partner
 Access
~ RISK: trading partners need to access each other's files
~ CONTROL: software to specify what can be accessed and at
what level
 Audit Trail
~ RISK: paperless and transparent (automatic) transactions
~ CONTROL: control log records the transaction's flow through
each phase of the transaction processing
EDI System using Transaction Control Log for Audit Trail
Audit Objectives - EDI
 Transactions are authorized, validated, and
in compliance with the trading partner
agreement.
 No unauthorized organizations can gain
access to database
 Authorized trading partners have access
only to approved data.
 Adequate controls are in place to ensure a
complete audit trail.
Audit Procedures - EDI
 Tests of Authorization and Validation Controls
~ Review procedures for verifying trading partner
identification codes
~ Review agreements with VAN
~ Review trading partner files
 Tests of Access Controls
~ Verify limited access to vendor and customer files
~ Verify limited access of vendors to database
~ Test EDI controls by simulation
 Tests of Audit Trail Controls
~ Verify existence of transaction logs
~ Review a sample of transactions
AUDITING PC-BASED
ACCOUNTING SYSTEMS
PERSONAL COMPUTER SYSTEMS
 PC operating systems
 PC systems risks & controls
~ In general:
o Relatively simple to operate and program
o Controlled and operated by end users
o Interactive data processing vs. batch
o Commercial applications vs. custom
o Often used to access data on mainframe or network
o Allows users to develop their own applications
~ Operating Systems:
o Are located on the PC (decentralized)
o O/S family dictates applications (e.g., Windows)
PERSONAL COMPUTER SYSTEMS (CONT.)
 Controls
~ Risk assessment
~ Inherent weaknesses: weak access control and inadequate
segregation of duties
~ Multilevel password control – multifaceted access control
 Risk of physical loss
~ Laptops, etc. can "walk off"
 Risk of data loss
~ Easy for multiple users to access data
~ End user can steal, destroy, manipulate
~ Inadequate backup procedures; mitigations are local backups
on an appropriate medium, dual hard drives on the PC, or an
external/removable hard drive on the PC
PC Accounting System Modules
PERSONAL COMPUTER SYSTEMS (CONT.)
 Risk associated with virus infection
~ Policy of obtaining software
~ Policy for use of anti-virus software
~ Verify no unauthorized software on PCs
 Risk of improper SDLC procedures
~ Use of commercial software
~ Formal software selection procedures
Audit objectives – PC systems
 Verify controls are in place to protect data, programs, and computers
from unauthorized access, manipulation, destruction, and theft
 Verify that adequate supervision and operating procedures exist to
compensate for lack of segregation between the duties of users,
programmers, and operators
 Verify that backup procedures are in place to prevent data and
program loss due to system failures, errors
 Verify that systems selection and acquisition procedures produce
applications that are high quality, and protected from unauthorized
changes
 Verify the system is free from viruses and adequately protected to
minimize the risk of becoming infected with a virus or similar object
Audit procedures – PC systems
 Verify that microcomputers and their files are physically
controlled
 Verify from organizational charts, job descriptions, and
observation that the programmers of applications
performing financially significant functions do not also
operate those systems.
 Confirm that reports of processed transactions, listings of
updated accounts, and control totals are prepared,
distributed, and reconciled by appropriate management
at regular and timely intervals.
Audit procedures – PC systems (CONT.)
 Determine that multilevel password control or multifaceted
access control is used to limit access to data and
applications, where applicable.
 Verify that the drives are removed and stored in a secure
location when not in use, where applicable.
 Verify that backup procedures are being followed.
 Verify that application source code is physically secured
(such as in a locked safe) and that only the compiled
version is stored on the microcomputer.
 Review systems selection and acquisition controls
 Review virus control techniques.
Reference
Hall, J. A. (2011). Information Technology
Auditing and Assurance. Singapore:
Cengage Learning Asia Pte Ltd.