Identifying Computer Systems
advertisement
Final Exam Review
IS Audit (ISMT 350)
Time & Venue: 7 Dec 2006, 10:30 to 11:50 am
Note: You will be allowed one A4 sized sheet of paper as a “
Cheat Sheet” for your reference during the IST300S Final Exam.
You can fill out both sides, and there are no limits on handwriting,
font, or techniques for the information you place on the page. No
other materials will be allowed during the exam
Classes of Things
You have Learned
Concepts: Things you need to know These include:
Theories and frameworks
Facts
‘
Activities and Tasks: Things an auditor needs to
do
Tools: Used to make audit decisioms
Logical Structure of the Course
With Readings from the Text
IS Auditing
IS Components
Ch. 1&2
Controls over IS
Assets
Ch. 7 & 8
Encryption
Ch. 11
Current and
Future Issues in
IS Auditing
Audit Components
Ch 3&4
Procedural
Controls
Ch. 9
Audit Standards
and Procedures
Ch. 10
Forensics and
Fraud Audits
Ch. 12
Prac·ti·cum (prăk-tĭ-kəm) noun
Lessons in a specialized field of study designed to give
students supervised practical application of previously studied
theory
Student Competence
Case Study
1
Evaluating IT Benefits and Risks
Jacksonville Jaguars
2
The Job of the Staff Auditor
A Day in the Life of Brent Dorsey
3
Recognizing Fraud
The Anonymous Caller
4
Evaluating a Prospective Audit Client
Ocean Manufacturing
5
Inherent Risk and Control Risk
Comptronix Corporation
6
Evaluating the Internal Control Environment
Easy Clean
7
Fraud Risk and the Internal Control Environment
Cendant Corporation
8
IT-based vs. Manual Accounting Systems
St James Clothiers
9
Materiality / Tolerable Misstatement
Dell Computer
10
Analytical Procedures as Substantive Tests
Burlington Bees
11
Information Systems and Audit Evidence
Henrico Retail
IS Audit Programs
Chapter 2
What is IS Auditing?
Why is it Important?
What is the Industry Structure?
Attestation and Assurance
Transactions
External Real
World Entities
and Events that
Create and
Destroy Value
Internal
Operations
of the Firm
The Physical World
Transactions
Corporate Law
Substantive T
ts
Analytical Tes
Audit Report /
Opinion
Accounting
Systems
The Parallel (Logical)
World of Accounting
Ledgers:
Databases
Auditing
Journal Entries
Reports:
Statistics
Tests of Transactions
Audit
Program
tation
Attes
Auditing
ests
'Owned' Assets
and Liabilities
Audit Objectives
Reporting Risks
(External Audit)
Control Process Risks
(Internal & External
Audits)
Asset Loss Risks
(Internal Audits)
Transaction Flows
Business Application
Systems
Operating Systems
(including DBMS, network
and other special systems)
Hardware Platform
Physical and Logical
Security Environment
How Auditors
Should Visualize
Computer Systems
The IS Auditor’s Challenge
Corporate Accounting is in a constant state of flux
Because of advances in Information Technology applied to
Accounting
Information that is needed for an Audit is often hidden from
easy access by auditors
Making computer knowledge an important prerequisite for
auditing
IS (and also just Information) assets are increasingly
the main proportion of wealth held by corporations
The Challenge to Auditing Presented
by Computers
Transaction flows are less visible
Fraud is easier
Computers do exactly what you tell them
Audit samples require computer knowledge and access
Transaction flows are much larger (good for the company, bad for the
auditor)
Audits grow bigger and bigger from year to year
To err is human
But, to really screw up you need a computer
And there is more pressure to eat hours
Environmental, physical and logical security problems grow
exponentially
Externally originated viruses and hacking
are the major source of risk
(10 years ago it was employees)
The Challenge to Auditing Presented
by The Internet
Transaction flows are External
External copies of transactions on many Internet nodes
External Service Providers for accounting systems
require giving control to outsiders with different incentives
Audit samples may be impossible to obtain
Because they require access to 3rd party databases
Transaction flows are intermingled between companies
Environmental, physical and logical security problems grow exponentially
Externally originated viruses and hacking
are the major source of risk
(10 years ago it was employees)
Practicum:
A Day in the Life of Brent Dorsey
A Staff Auditors’ Professional Pressure
Understand some of the pressures faced by young
professionals in the workplace
Generate and evaluate alternative courses of action
to resolve a difficult workplace issue
Understand more fully the implications of "eating
time" and "premature sign-off"
More fully appreciate the need to balance
professional and personal demands
Ideas, not Things, have Value
16
600
14
500
Asset Intensity
(Fixed Assets / Sales)
12
400
10
300
8
200
6
100
4
2
0
0
-100
Rank order by increasing return
5-yr Shareholder Return %
… and these ideas are tracked in the computer
How Accounting has had to Change
Because of Business Automation
Material
Labor
Capital
30%
50%
Knowledge
Integrator
Knowledge
Integrator
20%
Knowledge
Integrator
Manufacturing
Value Added
110%
Material
Consumer
Knowledge Base (uncertain
claims, contributions and
property rights)
Labor
Capital
5%
5%
80%
10%
Knowledge
Integrator
Manufacturing
Value Added
%
ed
ish ct 20
n
i
F du
g
Pro
rin
u
t
ns
fac
nu icatio
a
M ecif
Sp
Consumer
110%
Flowcharting Accounting
Systems
Each
bubble is associated with a person or entity
that is responsible for that process
The same individuals with:
Managerial Control
Accountability
Responsibility for the process
Should all be responsible for the same bubble
Flowcharting Accounting Systems
A data flow diagram
Data Flow Diagram
Notations
Flowcharting Accounting Systems
A process transforms
incoming data flow into
outgoing data flow.
Flowcharting Accounting Systems
Datastores are repositories
of data in the system.
They are sometimes also
referred to as databases or
files.
Flowcharting Accounting Systems
Dataflows are pipelines
through which transactions
(packets of information)
flow.
Label the arrows with the
name of the data that
moves through it.
Flowcharting Accounting Systems
External entities are entities
outside the firm, with which the
accounting system
communicates
E.g., vendors, customers,
advertisers, etc.
External entities are sources
and destinations of the
transaction input and output
Flowcharting Accounting Systems
The Context diagram lists
all of the external
relationships
Flowcharting Accounting
Systems …Levels
Context
DFD levels
known as Level 0) data flow diagram. It only
contains one process node (process 0) that
generalizes the function of the entire system in
relationship to external entities.
The first level DFD shows the main processes
within the system.
Each of these processes can be broken into
further processes until you reach the level at
which individual actions on transaction flows
take place
If you use SmartDraw Drawing Nested DFDs in SmartDrawYou can easily
nest data flow diagrams in SmartDraw. Draw the high-level diagrams first,
then select the process you want to expand, go to the Tools menu, and
select Insert Hyperlink. Link the selected process notation to another
SmartDraw diagram or a web page.
The Datastore
The Datastore is used to
represent Ledgers, Journals
Or more often in the current
world
Their computer
implemented counterpart
Since almost no one keeps
physical records
Flowcharting Accounting
Systems …Lower Level with Multiple
Processes
Data Flow Diagram Layers
Draw data flow diagrams in
several nested layers.
A single process node on a
high level diagram can be
expanded to show a more
detailed data flow diagram
Practicum:
Jacksonville Jaguars
Assurance Services for the Electronic Payments
System of a privately held company
Identify benefits, costs and risks to businesses from
implementing information technologies
Determine how CPAs can provide assurance about
processes designed to reduce risks created when new IT
systems are introduced
Understand ways CPAs can identify new assurance
services opportunities (i.e., new areas for revenue
generation)
Identifying Computer
Systems
Chapter 1
1.
2.
3.
4.
Identifying what you are going to audit
The Computer Asset Inventory
Identification of Transactions, and Risk Levels
Audit programs for high risk transactions
Audit Program
Audit programs are checklists of the various tests (audit
procedures) that auditors must perform within the scope of their
audits to determine whether key controls intended to mitigate
significant risks are functioning as designed.
Objective
To determine the adequacy of the controls over the particular
accounting processes covered by the audit program
This is fundamentally what the assurance and attestation
aspects of the audit are expected to achieve
during the ‘tests of transactions’ or
mid-year or
internal control tests
The objective
The reason for an audit is to write an opinion:
Saying stock price is fairly stated (external)
Control processes are effective (internal & external)
Assets are not at risk of theft or damage (internal)
We only need to identify computer systems where one
of more of these objectives is affected
Benefits
The use of audit programs is fairly standard for audit firms,
and is considered good business practice. List three (3)
benefits to the audit firm of using an audit program
The improve resource planning (where to spend money and
employ people on an audit)
They promote consistency from year to year when personnel and
situations of an audit change
Prior years’ programs are the basis for the current year’s audit
procedures
Anything else that seems reasonable
Control assessment
Information systems audit programs should assess
the adequacy of controls in four (4) areas.
1.
2.
3.
4.
Environmental controls
Physical security controls
Logical security controls
IS operating controls
Computer Assets
Central Processing Unit
Peripheral Processor
(Video, Bus, Etc.)
Memory
RAM / ROM
Network Devices
Optical &
Magnetic Media
Operating Systems
Specialized
O/S
Network O/S
Utilities
Database O/S
Applications
Programming Languages,
Utilities and Services
Tools & Environments
The main categories of Computer
Applications, and their relative importance
Information
Technology
Market
Operations & Accounting
Search & Storage
Tools
Embedded
Communications
Total
Annual
Expenditures
($US billion)
Employees
(thousand)
Major Suppliers
500
2000
US, India
1000
5000
US
300
300
US, Germany
1500
700
US, Japan, Korea, Greater China
700
2000
4,000
10,000
US, Germany, Japan, Greater China
GWP ~$45 trillion (Pop: 6 billion)
US GDP ~$10 trillion (Pop: 300 million)
The Risk Assessment Database
Asset (Ex 2.1)
Risk Assessment (Ex. 2.2 with improvements)
Asset Value
($000,000 to
Owner)*
Transaction Flow
Description
Total Annual Transaction
Value Flow managed by
Asset($000,000)*
Cost of
single
occurrence
($)
Probability of
Occurrence (# per
Year)
Primary OS
Owner
Applicati
on
Win XP
Receiving
Dock
A/P
0.002
RM Received from
Vendor
23
Theft
Win XP
Receiving
Dock
A/P
0.002
RM Received from
Vendor
23
Obsolescence
and spoilage
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
*Whether you list depends on
Audit Materiality
Risk Description
Expected
Loss
100
100
10000
35
350
12250
Materiality
Materiality represents the maximum, combined, financial statement
misstatement or omission that could occur before influencing the decisions of
reasonable individuals relying on the financial statements.
The magnitude and nature of financial statement misstatements or omissions
will not have the same influence on all financial statement users.
The specific amounts established for each financial statement element must be
determined by considering the primary users as well as qualitative factors.
For example, a 5 percent misstatement with current assets may be more relevant for a creditor
than a stockholder, whereas a 5 percent misstatement with net income before income taxes
may be more relevant for a stockholder than a creditor. Therefore, the primary consideration
when determining materiality is the expected users of the financial statements.
For example, if the client is close to violating the minimum current ratio requirement for a loan
agreement, a smaller planning materiality amount should be used for current assets and
liabilities.
Conversely, if the client is substantially above the minimum current ratio requirement for a loan
agreement, it would be reasonable to use a higher planning materiality amount for current
assets and current liabilities.
Planning materiality should be based on the smallest amount established from
relevant materiality bases to provide reasonable assurance that the financial
statements, taken as a whole, are not materially misstated for any user.
Tolerable misstatement
This is essentially materiality for individual financial statement
accounts. The amount established for individual accounts is
referred to as "tolerable misstatement."
Tolerable misstatement represents the amount an individual
financial statement account can differ from its true amount
without affecting the fair presentation of the financial
statements taken as a whole.
Establishment of tolerable misstatement for individual
accounts enables the auditor to design and execute an audit
strategy for each audit cycle.
Tolerable misstatement should be established for all balance
sheet accounts (except "retained earnings" because it is the
residual account).
Practicum:
Dell Computer
This is the case that required you to come up with
hard numbers for materiality!
Determine planning materiality for an audit client
Allocate planning materiality to financial statement
elements
Provide support for your materiality decisions
IS Security
Chapter 3
What is Security?
Security involves:
Proper security
the protection of a person, property or organization from attack.
Knowing the types of possible attacks,
being aware of the motivations for attacks and your relationship to those
motives.
makes it difficult to attack,
threatens counter-measures, or
make a pre-emptive attack on a source of threat.
IS Security is a collection of investments and procedures that:
Protect information stored on computers
Protect Hardware and Software assets
From theft or vandalism by 3rd parties
What is a Lock & Key?
Lock is a security system
The key is its password
Keys used to be worn visibly around the neck
Newer Technology
As a sign of authority (similar to employee
badges today)
Badges and electronic keys
Biometrics (M-28 fingerprint lock at right)
Remote controls (Lexus keys)
‘Keys’ are just another Security Policy
Effective security policy
Security policy defines the organization’s attitude to Assets, and
announces internally and externally which assets are mission critical
Effective information security policies
Which is to be protected from unauthorized access, vandalism and destruction
by 3rd parties
Will turn staff into participants in the company’s security
The process of developing these policies will help to define a company’s
assets
An effective security policy also protects people.
Anyone who makes decisions or takes action in a situation where
information is a risk incurs personal risk as well.
A security policy allows people to take necessary actions without
fear of reprisal.
Security policy compels the safeguarding of information,
while it eliminates, or at least reduces, personal liability for
employees.
IP
There are four types of Intellectual Property (IP) that are
protected by law
Copyright
Patent
Trade secret
Trademark
Two aspects of the use of IP are covered by intellectual
property laws
Right of publicity
Privacy
Almost All Security Controls use the Lock & Key paradigm.
Authorization system = Who gets a Key (And Why?)
Password, etc. = Key
Encryption algorithms, SSL, etc. = Lock
Entry into Computer Crime
This flowchart describes the
points at which Control
Processes may be created
to stop criminals
Controls may:
Personal
Background
Motives
Learning
S kills to
Commit
Crime
Un-premeditated
Prevent access to the asset
Detect asset access
Correct the problems or
losses after an illicit access
Remember that criminals
specialize in one type of
crime
Premeditated
Choose
"Best"
Option
Decision / Action Matrix
Commit Crime
Reaction to
Chance
Event
Select Asset
Don't Select
• Face Penalties
• Enjoy Rewards
N/A
Don't Commit
• Too Hard
• M onitored
• Unfamilar
• Not enough value
Bringing a computer
crime to court
Step
Potential Terminal Outcome
Crime committed
Reported
Investigation
Arrest
Booking
Preliminary appearance in court
Bail or detention
Adjudication
Arraignment
Trial
Sentencing
Sentencing
Sentencing
Not detected
Not investigated
Unsolved
Released without prosecution
Released without prosecution
Charges dropped or dismissed
Arbitration, Settled "Out of Court"
Charge dismissed
Acquitted
Appeal
Probation
Prison
Practicum:
The Anonymous Caller
Recognizing It's a Fraud and Evaluating What to Do
How would you politely and ethically handle a ‘dodgy’ request
for help
Appreciate real-world pressures for meeting financial
expectations
Distinguish financial statement fraud from aggressive
accounting
Identify alternative actions when confronted with suspected
financial statement fraud
Develop arguments to resist or prevent inappropriate
accounting techniques
Utility Computing and IS
Service Organizations
Chapter 4
Old and New
Service Organizations like EDS
Are in the business of running IS shops
Only the transactions are handled by the client
They are being replaced by Utility Computing
Which is an outgrowth of software vending business
models
Particularly those of Oracle, SAP and Salesforce.com
Why do firms choose Utility
computing?
Utility computing offers greater flexibility in the creation of computing
environments when they are needed.
It opens up usage-based pricing and reduces users' use of capital.
Utility Computing allows an organization to have the ability to
harness latent computing power and resources, regardless of
application or other physical or organizational boundaries.
It allows an organization to virtually repurpose operating systems,
application mix, processing power, and storage to the immediate needs
of the corporation, to meet new demand or to rapidly create computing
environments for projects.
Pervasiveness of Utility
Computing
Recent moves like
Oracle's acquisition of Siebel,
And The growing popularity of software-as-a-service vendors like
Salesforce.com
are indicators that the software industry is tilting toward an on-demand
future
Still, on-demand services are likely to account for less than 10 percent
of business application use through 2010 (Gartner)
The reason why
the on-demand model is not suitable for complex business uses like logistics
support and order handling
nor for large complex companies requiring business process support
But the "complexity constraint bar" will rise over time since on-demand
vendors can add functionality easily
Consequences: Control of Data
and Programs
Copies of data outside the organization
Accounting transactions (fraud, loss, alteration)
Personnel and customer records (privacy, theft)
Operation of programs may be less well understood
since there are no in-house experts
This may lead to more audit exceptions
The Risk Assessment Database
Asset (Ex 2.1)
Risk Assessment (Ex. 2.2 with improvements)
Asset Value
($000,000 to
Owner)*
Transaction Flow
Description
Total Annual Transaction
Value Flow managed by
Asset($000,000)*
Cost of
single
occurrence
($)
Probability of
Occurrence (# per
Year)
Primary OS
Owner
Applicati
on
Win XP
Receiving
Dock
A/P
0.002
RM Received from
Vendor
23
Theft
Win XP
Receiving
Dock
A/P
0.002
RM Received from
Vendor
23
Obsolescence
and spoilage
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
Etc
*Whether you list depends on
Audit Materiality
Risk Description
Expected
Loss
100
100
10000
35
350
12250
Practicum:
Ocean Manufacturing
Deciding whether to accept a new client
Understand the types of information relevant to
evaluating a prospective audit client
List some of the steps an auditor should take in
deciding whether to accept a prospective client
Identify and evaluate factors important in the
decision to accept or reject a prospective client
Understand the process of making and justifying a
recommendation regarding client acceptance
Physical Security
Logical Security
Chapter 7
Chapter 8
Security Policy
Information
Manager
Environmental
Competitive
Internal Financial
Internal
Non-financial
Action
Inputs
Plan
Organize
Actuate
Control
Manpow er
Money
Machines
Methods
Materials
Information System
Information Systems
Information System
Information System
Outputs
Objectives
Quantity
Quality
Cost
Time
Profitability
Efficiency
Grow th
Survival
Strategy Policy
Strategy defines the way that Top Management
achieves corporate objectives
Policy is a written set of procedures, guidelines and
rules
Designed to accomplish a subset of strategic tasks
By a particular subgroup of employees
Effective security policy
An effective security policy also protects people.
Anyone who makes decisions or takes action in a situation where
information is a risk incurs personal risk as well.
A security policy allows people to take necessary actions without
fear of reprisal.
Security policy compels the safeguarding of information,
while it eliminates, or at least reduces, personal liability for
employees.
Effective information security
policy
Information security policy defines the organization’s attitude to
information, and
announces internally and externally that information is an asset
Which is to be protected from unauthorized access, modification,
disclosure, and destruction
Effective information security policies
Will turn staff into participants in the company’s security
The process of developing these policies will help to define a
company’s information assets
Why Do You Need Security Policy?
A security policy should Protect people and information
Set the rules for expected behavior by users, system
administrators, management, and security personnel
Authorize security personnel to monitor, probe, and investigate
Define and authorize the consequences of violation
The Three Elements of Policy
Implementation
Standards – Standards specify the use of specific technologies in a
uniform way. The example the book gives is the standardization of
operating procedures
Guidelines – Similar to standards but are recommended actions
Procedures – These are the detailed steps that must be performed
for any tasks.
Steps to Creation of IS Security Policy
Policy Development Lifecycle
5.
Senior management buy-in
Determine a compliance grace period
Determine resource involvement .
Review existing policy
Determine research materials (Internet, SANS, white papers, books…)
6.
Interview parties {Responsible, Accountable, Controlling} assets
1.
2.
3.
4.
1.
2.
3.
4.
7.
8.
9.
10.
11.
12.
Define your objectives
Control the interview
Sum up and confirm
Post-interview review
Review with additional stakeholders
Ensure policy is reflected in “awareness” strategies
Review and update
Gap Analysis
Develop communication strategy
Publish
What’s in a Policy Document
Governing Policy
Should cover
Address information security policy at a general level
define significant concepts
describe why they are important, and
detail what your company’s stand is on them
Governing policy will be read by managers and by technical
custodians
Level of detail: governing policy should address the “what” in
terms of security policy.
Governing Policy Outline
might typically include
1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
Technical Policies
Used by technical custodians as they carry out their
security responsibilities for the system they work
with.
Are more detailed than the governing policy and will
be system or issue specific, e.g., AS-400 or physical
security.
Technical Policy Outline
might typically include
1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
User Policies
Cover IS security policy that end-users should ever have to know about,
comply with, and implement.
Most of these will address the management of
transaction flows and
databases associated with applications
Some of these policy statements may overlap with the technical policy
Grouping all end-user policy together means that users will only have to
go to one place and read one document in order to learn everything
they need to do to ensure compliance with company security
User Policy Outline
might typically include
1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output
Practicum:
Comptronix Corporation
Identifying Inherent Risk and Control Risk
Factors
* Understand how managers can fraudulently
manipulate financial statements
* Recognize key inherent risk factors that increase
the potential for financial reporting fraud
* Recognize key control risk factors that increase the
potential for financial reporting fraud
* Understand the importance of effective corporate
governance for overseeing top executives
IS Operations
Chapter 9
What are ‘Operations’
Development and Test
Production
Outsourcing and Utility Computing
Also, two sides to one system
Business Operations
All the tangible physical things that go on in a corporation
Computer Operations
Transactions
Business Operations
External Real
World Entities
and Events that
Create and
Destroy Value
Internal
Operations
of the Firm
Transactions
'Owned' Assets
and Liabilities
Corporate Law
g
osting Postin
ent / P nt /
urem easurme
Meas
M
Audit
Program
Internal Control Review
Over Operations
The Parallel (Logical)
World of Computer Operations
Internal Control
Memo
Computer
Systems
Ledgers:
Databases
Journal Entries
Reports:
Statistics
Business &
Computer
Operations
Transactions
External Real
World Entities
and Events that
Create and
Destroy Value
Internal
Operations
of the Firm
The Physical World
Transactions
Corporate Law
Substantive T
ts
Analytical Tes
Audit Report /
Opinion
Tests of Transactions
Audit
Program
tation
Attes
Auditing
ests
'Owned' Assets
and Liabilities
Accounting
Systems
The Parallel (Logical)
World of Accounting
Ledgers:
Databases
Journal Entries
Reports:
Statistics
Look Familiar?
Computer Operations
Only a subset of business operations are computerized (automated)
Computers do the following well:
All other Business Operations require human intervention
Even computer operations require human intervention at some level
High-speed arithmetic operations
Storage and search of massive quantities of data
Standardization of repetitive procedures
E.g., turning the computer on and off
In both business and computer operations
Human interventions demand the most auditing
Automation & Operations Objectives
Operations should be about following predetermined procedures
The appeal rests largely on the ability to reduce or alter the role of
people in the process
The intent is to take people out of the loop entirely,
Or to increase the likelihood that people will do what they are
supposed to do, and that they do it accurately
People are flexible and clever
We sometimes don’t want to take people out of the loop on a lot of
systems
The problem is when a lot of things break at the same time.
There’ll probably be a few things that are hard to fix, a cascade of effects
Fully automated (computerized) procedures
Can be audited once with a small data set
And these results can be considered to hold over time
Operations Objectives
What to look for in an audit
Production jobs are completed in time
Output (information) are distributed on time
Backup and recovery procedures are adequate
(requires risk analysis)
Maintenance procedures adequately protect
computer hardware and software
Logs are kept of all changes to HW & SW
Backup and Recovery Objectives
Best Practices
Determination of appropriate recovery and resumption objectives for
activities in support of critical markets.
Core organizations should develop the capacity to recover and resume activities within
the business day on which the disruption occurs.
The overall goal is to resume operations within two hours
Maintenance of sufficient geographic dispersion of resources to meet
recovery and resumption objectives.
back-up sites should not rely on the same infrastructure components used by the
primary site, and
back-up operations should not be impaired by a wide-scale evacuation or
inaccessibility of staff that services the primary site
Routine use or testing of recovery and resumption arrangements.
Testing should not only cover back-up facilities of the firm,
but connections with the markets,
third party service providers
and customers
Connectivity, functionality and volume capacity should be covered.
How Does Backup & Recovery
Fit into your Risk Assessment Framework?
Your Toolkit:
Computer Inventory, Risk Assessment Matrix, Dataflow Diagrams and
Systems Components Hierarchy
Asset (Ex 2.1)
Risk Assessment (Ex. 2.2 with improvements)
Asset Value
($000,000 to
Owner)*
Transaction Flow
Description
Total Annual Transaction
Value Flow managed by
Asset($000,000)*
Primary OS
Owner
Applicati
on
Win XP
Receiving
Dock
A/P
0.002
RM Received from
Vendor
23
Theft
Win XP
Receiving
Dock
A/P
0.002
RM Received from
Vendor
23
Obsolescence
and spoilage
Audit Objectives
Reporting Risks
(External Audit)
Control Process Risks
(Internal & External
Audits)
Transaction Flows
Business Application
Systems
Operating Systems
(including DBMS, network
and other special systems)
Hardware Platform
Physical and Logical
Security Environment
Asset Loss Risks
(Internal Audits)
Risk Description
Cost of
single
occurrence
($)
Probability of
Occurrence (# per
Year)
Expected
Loss
100
100
10000
35
350
12250
Prioritizing Backup & Recovery
Tasks
Find the critical transactions (High value; High
volume)
Identify the critical applications for processing these
transactions
Identify the critical personnel
including those you may not have hired or defined jobs for
Who are essential to processing these transactions
Practicum:
Easy Clean
Evaluation of Internal Control Environment
Evaluate a new audit client's control environment.
Provide an initial evaluation of certain components
of the client's control environment
Appreciate the judgment involved in evaluating the
overall internal control environment based on
interview data
Provide support for your internal control
assessments
Controls Self Assessment
Chapter 10
What is ‘Control Self-Assessment’?
DEFINITION
Control Self-assessment (CSA) is a leading edge process
in which auditors
facilitate a group of staff members
with the objective of identifying opportunities for internal control enhancement
Management integrity, honesty, trust
Willingness of employees to circumvent controls
Employee morale
The tone and ethics of a firm are set by top management
pertaining to critical operating areas designated by management
Originally a way of measuring ‘soft controls' which traditional
auditing found difficult to measure, e.g.
who have expertise in a specific process,
And this is a way of eliciting these
It’s become especially important post Sarbanes-Oxley
Why is CSA Important?
Without commitment to good internal control
Internal control systems (preventive, detective and corrective)
And inherent honest and ethical behavior of employees throughout
the organization
Would quickly become the single most expensive part of the firm’s
accounting systems
Internal and external audits would become prohibitively expensive
Financial statements would lose their value to outside investors
Causing stock price to fall
Bank borrowing interest rates to rise
And firm operations to cease being competitive
This happened in some of Arthur Andersen’s clients
Where financial statements came to be known as:
Andersen’s Fairy Tales
COSO Framework
COSO (Committee of Sponsoring Organizations of
the Treadway Commission)
Founded in aftermath of the 1977 Lockheed Scandal
Internal Control was supposed to insure:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COCO Framework
CoCo (Criteria of Control Board)
Founded by Canadian Institute of Chartered Accountants
The world’s premier group in setting internal auditing
standards
Internal Control was supposed to insure:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations & internal
policies
Cadbury Framework
Committee of the Financial Aspects of Corporate Governance
of the Institute of Chartered Accountants in England and
Wales (Cadbury Committee … you can see why they adopted
the latter name)
Contemporaneous with CoCo
Internal Control was supposed to insure:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Safeguarding of assets against unauthorized use of disposition
Maintenance of proper accounting records and the reliability of
financial information used with in the business or for publication
COBIT Framework
COBIT (Control Objectives for Information and Related
Technology)
Contemporaneous with CoCo and Cadbury
Internal Control was supposed to insure:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Safeguarding of assets against unauthorized use of disposition
Maintenance of proper accounting records and the reliability of
financial information used with in the business or for publication
An important difference as COBIT was directed specifically
towards Information Technology
SAC / eSAC Framework
SAC (Systems Auditability and Control report)
Originally published in 1977, but updated in 1991-4
contemporaneous with CoCo and Cadbury
Internal Control insure the same things as CoCo and Cadbury
But provide an extensive module-based framework
Audit & control Environment
IT in Auditing
Managing computer resources
Managing Information and Developing System
Business Systems
End user and Departmental Computing
Telecommunications Security
Contingency Planning
Emerging tech
An important difference as SAC / eSAC was directed specifically
towards Information Technology, and provides more detailed
direction for IT audits
SASs 55, 78 & 94
Extensions to the COSO Framework that are essentially
summarized in SAS 94 (2001)
Specific IT related Internal Control risks are targeted:
Reliance on IT that is inaccurately processing data
Unauthorized access to data, destruction, inaccurate recording, privacy
breach
Unauthorized changes to systems
Failure to make needed changes to systems
Inappropriate manual intervention
Potential loss of data
SAS 94 also emphasizes the importance of specialized IT
Auditing skills (important for this class)
Prisoner's dilemma
Two suspects A, B are arrested by the police.
The police have insufficient evidence for a conviction, and having separated both
prisoners, visit each of them and offer the same deal:
If one testifies for the prosecution (turns King's Evidence) against the other and the other
remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes
free.
If both stay silent, the police can only give both prisoners 6 months for a minor charge.
If both betray each other, they receive a 2-year sentence each.
This can be summarized:
Prisoner A Stays Silent
Prisoner A Betrays
Prisoner B
Stays Silent Bother Serve 6 months
Prisoner B serves ten years;
Prisoner A goes free
Prisoner B
Betrays
Both serve two years
Prisoner A serves ten years;
Prisoner B goes free
The Dilemma
Each prisoner has two options:
to cooperate with his accomplice and stay quiet,
or to betray his accomplice and give evidence.
The outcome of each choice depends on the choice of the accomplice.
However, neither prisoner knows the choice of his accomplice.
The optimal solution would be for both prisoners to cooperate with each other,
as this would reduce the total jail time served by the group to one year total.
Any other decision would be worse for the two prisoners considered together.
However by each following their individual interests, the two prisoners each
receive a lengthy sentence
The optimal multiperiod prisoner’s dilemma strategy is called ‘Tit-for-Tat’
Cooperate by default
If your opponent defects, you defect the next time, and then go back to cooperating if
they opponent cooperates on that next play
Be nice, but disciplined (tough love)
Prisoner's dilemma
(Corporate Setting)
Two officers of the corporation – the CEO and the Comptroller are arrested for Financial
Reporting fraud
The police have insufficient evidence for a conviction (they didn’t take my course) and
having separated both prisoners, visit each of them and offer the same deal:
If one testifies for the prosecution against the other and the other remains silent, the silent
accomplice receives the full 10-year sentence and the betrayer goes free.
If both stay silent, the police can only give both prisoners 6 months for a minor charge.
If both betray each other, they receive a 2-year sentence each.
This can be summarized:
Comptroller Cooperates
Comptroller Betrays
CEO Cooperates
-.5,-.5
0,-10
CEO Betrays
-10,0
-2,-2
The Deal (another view)
Or stated differently
Here is how the deal will look to the CEO and the
Comptroller
Comptroller Cooperates
Comptroller Betrays
CEO Cooperates
Win-win
Win much – lose much
CEO Betrays
Lose much – win much
Lose - lose
The Deal
Or stated differently
Here is how the deal will look to the CEO and the
Comptroller
Comptroller Cooperates
Comptroller Betrays
CEO Cooperates
Cooperation, 6 months each
Comptroller Temptation to Defect
payoff of zero years
CEO Betrays
CEO Temptation to Defect payoff
of zero years
Sucker’s Payoff (two years each)
Why Ethics are Important!
The prisoner's dilemma is a type of non-zero-sum game
it is assumed that each individual player ("prisoner") is trying to maximize his own
advantage, without concern for the well-being of the other players.
In Econo-speak: The Nash equilibrium for this type of game does not lead to
Pareto optimums (jointly optimum solutions)
Each side has an individual incentive to cheat even after promising to
cooperate. This is the heart of the dilemma.
In the iterated prisoner's dilemma the game is played repeatedly.
Thus each player has an opportunity to "punish" the other player for previous noncooperative play.
Cooperation may then arise as an equilibrium outcome.
The incentive to cheat may then be overcome by the threat of punishment, leading to
the possibility of a superior, cooperative outcome.
As the number of iterations approach infinity, the Nash equilibrium tends
to the Pareto Optimum, because when you face eternity the threat of
grudges is a grave one indeed
Practicum:
Cendant Corporation
Evaluating Risk of Financial Statement Fraud and Assessing
the Control Environment
Describe the auditor's responsibility for considering a client's internal
controls
Describe the auditor's responsibility to detect material
misstatements due to fraud
Identify red flags present during the audits of CUC International,
Inc.'s financial statements, which suggest weaknesses in the
company's control environment (CUC was the predecessor
company to Cendant Corporation)
Identify red flags present during the audits of CUC's financial
statements suggesting a higher likelihood of financial statement
fraud
Identify management assertions violated as a result of the
misstatements included in CUC's 1995 through 1997 financial
statements (prior to its merger with HFS, Inc.)
Identify audit procedures that could have been performed to detect
misstatements that occurred
Encryption and Cryptography
Chapter 11
Goal of Encryption
To reasonable ensure the
Confidentiality
Integrity and
Authenticity
Of electronic storage and transmission of data
System components:
Encryption
Hashing
Digital Signatures
Uses of Encryption
The most obvious application of a public key encryption system is
confidentiality
Public-key digital signature algorithms can be used for sender
authentication
a message which a sender encrypts using the recipient's public key
can only be decrypted by the recipient's paired private key
For instance, a user can encrypt a message with his own private key and
send it
If another user can successfully decrypt it using the corresponding public
key, this provides assurance that the first user (and no other) sent it
These characteristics are useful for many other applications
digital cash,
password-authenticated key agreement,
multi-party key agreement
Types of Encryption
Public key cryptography is a form of cryptography which generally allows users to
communicate securely without having prior access to a shared secret key, by using a pair
of cryptographic keys, designated as public key and private key, which are related
mathematically.
The term asymmetric key cryptography is a synonym for public key cryptography.
In public key cryptography, the private key is generally kept secret, while the public key
may be widely distributed. In a sense, one key "locks" a lock; while the other is required to
unlock it. It should not be possible to deduce the private key of a pair given the public key.
There are many forms of public key cryptography, including:
public key encryption — keeping a message secret from anyone that does not possess a
specific private key.
public key digital signature — allowing anyone to verify that a message was created with
a specific private key.
key agreement — generally, allowing two parties that may not initially share a secret key
to agree on one.
Typically, public key techniques are much more computationally intensive than purely
symmetric algorithms, but the judicious use of these techniques enables a wide variety of
applications.
Applying the Keys
Asymmetric or Public Key Encryption
Privacy: Single Key Encryption
Encryption: scramble a message rendering it
readable only to the intended recipient
Single-key encryption:
Sender supplies a "key" to encrypt the message
Receiver uses the same key to decrypt it. At least
that's how it works
e.g., Federal Data Encryption Standard (DES)
Not usable over insecure channels (if you have a
secure channel for exchanging keys, why do you
need cryptography in the first place?)
Public Key Encryption
Two related complementary keys
a publicly revealed key and
a secret key (called a private key)
Each key unlocks the code that the other key
makes.
Anyone can use a recipient's public key to
encrypt a message to that person
That recipient uses her own corresponding
secret key to decrypt that message
Digital Signature
Sender's secret key can be used to encrypt a
message, thereby "signing" it.
This creates a digital signature
which the recipient can check by using the sender's
public key to decrypt it.
Proving that the sender was the true originator of the
message
Proving that the message has not been subsequently
altered by anyone else
Forgery of a signed message is infeasible
The sender cannot later disavow his signature.
These two processes can be combined
Asymmetric or Public Key Encryption
PGP (Pretty Good Privacy)
What is PGP?
Pretty Good Privacy (PGP) is strong encryption software that
enables you to protect your email and files by scrambling
them so others cannot read them.
It also allows you to digitally "sign" your messages in a way
that allows others to verify that a message was actually sent
by you. PGP is available in freeware and commercial versions
all over the world.
PGP was first released in 1991 as a DOS program that
earned a reputation for being difficult.
In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP
5.x included plugins for several popular email programs.
http://www.pgp.com/
Hashing
Uses one way ‘hash-function’ (i.e., you can’t determine the
original message from the MAC)
And a block of data called the ‘message digest’
When both
Are processed through a one-way hash function
The resulting block of data is called
Electronic message, and
Cryptographic key
a message authentication code (MAC)
If it doesn’t match the message, discard the transmission
Two common one-way hash functions are:
Message Digest 5 (MD-5)
Secure Hash Algorithm 1 (SHA-1)
‘Keys’ are just another Security
Policy
A security policy
establishes what must be done to protect information stored on computers
Keys are physical manifestations of “Authorization”
Issuance and control of keys are just part of the authorization scheme.
Security policy defines the organization’s attitude to Assets, and
Effective information security policies
announces internally and externally which assets are mission critical
Which is to be protected from unauthorized access, vandalism and destruction by
3rd parties
Will turn staff into participants in the company’s security
The process of developing these policies will help to define a company’s assets
Anyone who makes decisions or takes action in a situation where information is
a risk incurs personal risk as well.
A security policy allows people to take necessary actions without fear of reprisal.
Security policy compels the safeguarding of information,
while it eliminates, or at least reduces, personal liability for employees.
Who can revoke a key?
Obviously, a malicious (or erroneously) revocation of some (or
all!) of the keys in the system will most likely be a systemwide failure
It is impossible to arrange things so that this can not happen
(if keys can be revoked at all)
Because the principal having authority to revoke keys is very
powerful,
the mechanisms used to control it should involve as many
participants as possible to guard against malicious attacks,
while at the same time as few as possible to ensure that a key
can be revoked without delay
How to distribute a new key
After a key has been revoked, a new key must be distributed in
some pre-determined manner.
Assume that Carol's key has been revoked.
Until a new key has been disseminated, Carol is effectively silenced.
No one will be able to send her data without violating system security,
and data coming from her will be discarded for the same reason.
Or, in other words, the part of the system controlled by Carol is
disconnected and so unavailable.
The need for security was deemed higher than the need for availability in
this design.
One could lump together the authority to create new keys (and
certify them) with the authority to revoke keys,
but there is no need to do so.
In fact, for reasons of security, this likely a bad idea.
How to spread the revocation
The notification that a key has been revoked and should not
be used again must be spread to all those that potentially hold
the key, and as rapidly as possible.
There are two means of spreading information (e.g., a key
revocation here) in a distributed system:
either the information is pushed to users from a central point(s),
or it is pulled from a central point(s) to end users.
Pushing the information is the simplest solution in that a message
is sent to all participants. However, there is no way of knowing
that all participants actually receive the message, and, pushing is
not very securable nor very reliable.
The alternative to pushing is pulling. In this setup, all keys are
included within a certificate that requires the one using them to
verify that the key is valid.
Recovery from a leaked key
If loss of secrecy and/or authenticity is a systemwide failure, a strategy for recovery must be in
place.
This strategy will determine who has authority to
revoke the key,
how to spread the revocation,
also how to deal with all messages encrypted with the key
since the leak is recognized
This recovery procedure can be extremely
complicated, and while it is in progress the system
might be very vulnerable to Denial of Service attacks
Practicum:
St James Clothiers
Evaluation of Manual & IT-Based Sales Accounting
System Risks
Recognize risks in a manual-based accounting sales
system
Explain how an information technology-based
accounting system can reduce manual system risks
Identify new risks potentially arising from the use of an
information technology (IT)-based accounting system
Recognize issues associated with the process of
converting from a manual to an IT-based accounting
system
Prepare a formal business memorandum
Forensics and Ethics
Chapter 12
Why ‘Computer’ Crime?
‘Because that's where the money is‘ (c. 2005)
Money is no longer held in physical form
How much money is being handled daily by
computer exchange systems in 2005?
Foreign exchange $2 trillion daily
Derivatives markets $5 trillion daily
Outstanding derivatives positions $200 trillion
NYSE daily activity $1.6 trillion daily
Types of Computer Crime:
Business as a Victim
Employee Thefts
Payroll Fraud
Fraudulent Billing Schemes
Fraud Committed by outsiders
Management Thefts
Corporate Thefts
Business as a Vehicle
Organized Crime
Money laundering
Theft from Minority Shareholders
Other Stock Market Fraud
Bankruptcy Fraud
Crime’s new venue
The Internet (With an estimated 1 billion people ) is now in a golden age of criminal
invention.
Even encryption, supposedly a defensive measure, has become a tool for extortion
It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business
models.
witness the weird new crime of breaking into a computer, encrypting its contents, and then
demanding a payoff to supply a password to the victim's own data.
The crime's so new, it doesn't even have a name yet.
All the classic scams and rackets that city sharpies push on rubes can be digitized
once there were a few relatively uncomplicated viruses, now there are torrents of fastevolving, multifaceted viruses.
Where once there was just small-time credit-card fraud, now there is international credit-card
racketeering.
Computer-network password theft has turned into sophisticated ID fraud that robs patrons of
banks and online auction sites.
Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion
pieces a day worldwide last May, according to the e-mail security firm IronPort)
Then there are the newer electronic crimes, proliferating so fast that even experts have
trouble keeping up with the jargon. Phishing. Spear phishing. Pharming. DDOS. DDOS
protection rackets. Spyware. Scumware. Web site defacement. Botnets. Keylogging.
Hotspots for Internet crime
Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan,
Latvia, Malaysia, North Korea, Romania, Russia, and the
United States are major centers for organized hacking
Why are certain areas hotspots?
Places where there's a significant amount of activity usually have
a technically advanced population and a large population of
computer users.
You also have a poor economy, so you have people with the
technical skills to do good work, but they can't find a job that will
provide for them,
so they may have to resort to doing things that are against the
law
These hotspots (other than the United States and Japan) also
tend to be countries where laws and law enforcement lag
hackers will find the weakest link, the country with no laws
Denial-of-service (DoS attack)
A "denial-of-service" attack is characterized by an explicit
attempt by attackers to prevent legitimate users of a service
from using that service. Examples include
1.
2.
3.
4.
attempts to "flood" a network, thereby preventing legitimate
network traffic
attempts to disrupt connections between two machines, thereby
preventing access to a service
attempts to prevent a particular individual from accessing a
service
attempts to disrupt service to a specific system or person
Details are at
http://www.cert.org/tech_tips/denial_of_service.html
Zombies
Zombies do a lot of the heavy lifting
malware-infected computers that an online puppet master controls
Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet"
attempt to carry out the high-tech money grab.
Botnets are popular because of their increasing sophistication and multiple uses.
versatile zombie armies pull in cash for their controllers in a variety of ways.
Sending spam (a big money-maker)is one common use.
Zombie networks can also steal personal information for purposes of identity theft.
When botnets are used to launch a DDoS attack,
the ringleader instructs each zombie computer to send a flood of data to a particular Web site.
By itself, the data from a single PC can't hurt a site.
But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed
and cut off from the Internet.
E.g., MyDoom had a rather unsophisticated means of controlling host machines.
Once it insinuated itself into an unprotected PC,
anyone who knew a not-so-secret five-digit code could commandeer the computer for any
desired purpose
As a result, MyDoom-compromised computers were very popular with online criminals for a
while
Botnets
Malware turned an average of 172,009 previously healthy
computers into zombies every day during May 2005
As processing power improves and broadband Internet
connections become more widespread, zombie computers will
be able to send more spam or hit Web sites harder
CipherTrust, an e-mail security company that tracks botnets
and botnets will become more powerful.
Also, the ability to shuffle funds
including ransom payments
anonymously through convoluted Internet paths using human
mules (in much the same way as in the drug trade) and online
payment services
means that criminals can revisit old approaches.
Cops and Robbers
Some botnets consist of phalanxes of from 15,000 to 50,000 zombie PCs
that are controlled by groups of people dispersed around the world
Christopher Painter, deputy chief of the Computer Crime
section of the U.S. Department of Justice.
Most perpetrators are adults who execute extremely sophisticated assaults.
"They don't brag, and they cover their tracks very well," (Painter)
One notorious cybergang, called Shadowcrew, reportedly had 4000
members scattered across the United States, Brazil, Spain, and Russia.
Objectives
Money is these cybergangs' primary
motivation
The asking price for temporary use of an army of
20,000 zombie PCs today is $2000 to $3000,
according to a June posting on SpecialHam.com,
an electronic forum for hackers
Marshaling their armies of zombie PCs, online
extortionists may threaten to crash a company's
Web site unless they are paid off.
Hackers are not shy about asking for $20,000 to
$30,000 from companies.
Payoffs
Companies know it's far cheaper to pay the hackers
than to get knocked offline and lose hundreds of
thousands of dollars in lost business
Many extortionists go unreported because businesses are
unwilling to volunteer evidence of their coercion to law
enforcement officials,
corporations don't want to admit to their customers,
stockholders, and business partners their networks were
ever vulnerable to an attack.
only about 20 percent of computer intrusions are ever
reported to law enforcement agencies.
The US Secret Service receives between 10 and 15
inquiries per week from businesses owners who believe
they may be the target of a cyberattack.
2004 survey conducted by the Computer Security
Institute
Client-side Targets
About 60 percent of new vulnerabilities now affect client-side
applications
In 2005, unwanted network traffic targeting Symantec Veritas
BackupExec
like Web browsers and media players
And those vulnerabilities are drawing all the wrong sorts of
attention
rocketed to 500,000 instances within days of an announced
security hole in the product,
up from a previous maximum of about 50,000 instances.
Microsoft Office, Internet Explorer, Firefox, and AOL Instant
Messenger also suffered from serious reported vulnerabilities,
as did RealPlayer and iTunes
Focus of Client-side Attacks
Attackers now target
backup and recovery programs,
as well as "the antivirus and other security tools that
most organizations think are keeping them safe
SANS Top 20 report for 2005 on the most critical Internet
vulnerabilities
The shift toward finding and exploiting vulnerabilities
in programs represents a major change from past
years,
when Windows and other operating systems and Internet
services like Web and e-mail servers were the preferred
targets.
Phishing
California has passed an antiphishing law,
Phishing victims are typically sent fraudulent e-mail designed to trick
them into revealing personal information, like bank account numbers,
user names, and passwords.
the Anti-Phishing Act of 2005
With the passage of the Anti-Phishing Act of 2005, California joins such
states as Texas, New Mexico, and Arizona, all of which adopted
antiphishing legislation earlier this year.
Under the Anti-Phishing Act, these victims may seek to recover either
the cost of the damages they have suffered or $500,000, whichever is
greater; government prosecutors can also seek penalties of up to $2500
per phishing violation.
Phishing attacks have been on the rise. Research firm Gartner
estimates that 73 million U.S. Internet users received phishing emails during the 12 months ended May 2005, up 28 percent from the
previous year.
Malware
The mischief-making hacker of the 1990s gives way to the
determined high-tech thief of the 21st century
The 2005 E-Crime Watch survey of security and law enforcement
estimated an average loss of $506,670 per organization due to
malware
It's gotten so bad that the U.S. Secret Service and Carnegie
Mellon University's Computer Emergency Response Team
(CERT)
last year stopped publishing the number of computer crime
incidents, saying:
"Given the widespread use of automated attack tools, attacks
against Internet-connected systems have become so
commonplace that counts of the number of incidents reported
provide little information with regard to assessing the scope and
impact of attacks."
How to Build a Legal Case:
Inference Network Analysis
Legal cases are proved through inferences.
These inferences, built in chains, must lead logically from
point A to point B
He strength (or weakness) of these inferences determines the
strength of the legal case
Evidence
Inference
Proof
Chain of Inferences
Suppose we want to link the defendant
(and ex-football player and aspiring
movie star) to the murder of his ex-wife
Initially the evidence is weak (dotted
line)
The defendant and victim were divorced,
and that may have been motive for the
murder, but that is a weak case
murder
Defendent
Glove
DNA
Victim
murder
Defendant
Ownership
Glove
Unique
DNA
Victim
murder
Defendent
Victim
Defendant
DNA
Glove
Ownership
DNA
Unique
Victim
Analytical and Automated Fraud
Auditing Approaches
Looks at the general (qualitative) factors of a company.
Based on tangible and measurable factors (quantitative).
Used in conjunction with tests of transactions and substantive
tests
Analytical techniques provide an important, macro-level,
detective control over fraud and misstatement in financial
statements
Goals
Such an analysis has for objective to assess the firm's:
performance, for the management to improve it,
solvency, so as for a bank or a supplier to grant a credit,
potential value to decide an investment or divestment. Then it is called
fundamental analysis and is linked to business valuation and stock
valuation
How to: Analytical Techniques
Compare financial ratios (of solvency, profitability, growth...)
Those ratios are calculated by dividing a (group of) account
balance(s),
between several periods (the last 5 years for example)
and between similar firms.
taken from the balance sheet and / or
the income statement,
by another,
for example :
Net profit / equity = return on equity
Gross profit / balance sheet total = return on assets
Stock price / earnings per share = P/E-ratio
Where to find the data
Company websites
almost every public company has a website or investor relations department.
For the most current quarterly or annual report you might want to check in these
places first.
http://www.gm.com/company/investor_information/stockholder_info/
Securities and Exchange Commission (SEC) - The information posted in the
"EDGAR" database includes the annual report (known as the 10-K), quarterly
report (10-Q), and a myriad of other forms that contain every type of financial
data.
http://www.edgar-online.com/products/edgarpro.aspx
Hoovers.com - another source for company analysis (some of the data requires
a subscription)
http://www.hoovers.com/free/
Fraud Detection Using Digital
Analysis
A growing area of fraud prevention and detection involves the
examination of patterns in data – i.e., Digital Analysis
The rationale is that unexpected patterns can be symptoms of
fraud. A simple example of the application of this technique is
a search for duplicate transactions, such as identical invoice
or vendor numbers for the same amount.
A simple digital analysis technique is to search for invoices
with even dollar amounts, such as $200.00 or $5,000.00.
The existence of particular even amounts may be a symptom of
fraud and should be examined.
Ratio Analysis
Another useful fraud detection technique is the calculation of data analysis
ratios for key numeric fields.
Like financial ratios that give indications of the financial health of a company,
data analysis ratios report on the fraud health by identifying possible symptoms
of fraud.
Three commonly employed ratios are:
* the ratio of the highest value to the lowest value (max/min);
* the ratio of the highest value to the second highest value (max/max2); and
* the ratio of the current year to the previous year.
For example, auditors concerned about prices customers were being charged
for products could calculate the ratio of the maximum sales price to the
minimum sales price for each product.
If the ratio is close to 1.0, they can be sure that there is little variance between the
highest and lowest prices charged to customers.
However, if the ratio is large this could indicate that a customer was being charged too
much or too little for the product.
Benford's Law
Benford's Law, developed by Frank Benford in the 1920s, predicts the
occurrence of digits in data. Benford's Law concludes that the first digit in a
large population of transactions (10,000 plus) will most often be a 1. Less
frequently will the first digit be a 2; even less frequently a 3.
An analysis of the frequency distribution of the first or second digits can detect
abnormal patterns in the data and may identify possible fraud. An even more
focused test can be used to examine the frequency distribution of the first two
digits (FTD). The formula for the expected frequencies is:
Expected FTD Frequency = log(1+1/FTD)
Therefore, the expected frequency of 13 is log(1+1/13). The expected
frequencies range from 0.041 for 10, to 0.004 for 99.
Some audit software programs can be used to determine the frequency
distribution for first digits, first two digits, and second digits.
Note: not all data will have distributions as predicted by Benford's Law. Sometimes there is valid
rationale for certain numbers occurring more frequently than expected. For example, if a
company sends a large amount of correspondence via courier, and the cost is a standard rate
($6.12) for sending a package of under one pound, then the first digit (6) or the first two digits
(61) may occur more often than predicted by Benford's Law.
Practicum:
Burlington Bees
Using Analytical Procedures as Substantive
Tests
OBJECTIVES
Use analytical procedures to develop expectations for
revenue accounts
Recognize factors that lead to precise expectations of
account balances
Appreciate the degree of professional judgment involved in
evaluating differences between expected and reported
account balances
Understand the audit planning implications of using
analytical procedures as substantive tests of account
balances
New Challenges from the Internet:
Privacy, Piracy, Viruses
Course Wrap-up
Password Cracking
Password cracking is the process of recovering secret
passwords from data that has been stored in or transmitted by
a computer system, typically, by repeatedly verifying guesses
for the password
The purpose of password cracking might be to help a user
recover a forgotten password (though installing an entirely
new password is less of a security risk), to gain unauthorized
access to a system, or as a preventive measure by the
system administrator to check for easily crackable passwords.
Guessing
Not surprisingly, many users choose weak passwords, usually one related to
themselves in some way. It may be:
blank
the word 'password'
the user's name or login name
the name of their significant other or another relative
their birthplace or date of birth
a pet's name
automobile licence plate number
and so on,
Some users even neglect to change the default password that came with their
account on the computer system.
And some administrators neglect to change default account passwords provided by
the operating system vendor or hardware supplier.
A famous example is the use of FieldService as a user name with Guest as the
password. If not changed at system configuration time, anyone familiar with
such systems will have 'cracked' an important password, and such service
accounts often have higher access privileges than a normal user account.
The determined cracker can easily develop a computer program that accepts
personal information about the user being attacked and generates common
variations for passwords suggested by that information.
Dictionary attack
A dictionary attack also exploits the tendency of people to choose weak
passwords,
Password cracking programs usually come equipped with "dictionaries", or word
lists, with thousands or even millions of entries of several kinds, including:
The cracking program encrypts each word in the dictionary, and
words in various languages
names of people
places
commonly used passwords
simple modifications of each word, and
checks whether any match an encrypted password.
This is feasible because the attack can be automated and, on inexpensive modern
computers, several thousand possibilities can be tried per second
Guessing, combined with dictionary attacks, have been repeatedly and
consistently demonstrated for several decades to be sufficient to crack
perhaps as many as 50% of all account passwords on production systems.
Brute force attack
Try every possible password up to some size,
This is known as a brute force attack.
As the number of possible passwords increases rapidly as the length of the password
increases, this method is unlikely to be successful unless the password is relatively
small
How small is too small?
A common current recommendation is 8 or more randomly chosen characters
combining letters, numbers, and special (punctuation, etc) characters
Systems which limit passwords to numeric characters only, or upper case only, or,
generally, which exclude possible password character choices make such attacks
easier.
Using longer passwords in such cases (if possible on a particular system) can
compensate for a limited allowable character set.
The real threat may be likely to be from smart brute-force techniques
that exploit knowledge about how people tend to choose passwords.
Most commonly used hashes can be implemented using specialized hardware,
allowing faster attacks. Large numbers of computers can be harnessed in parallel,
each trying a separate portion of the search space. Unused overnight and weekend
time on office computers can also be used for this purpose.
Precomputation
Precomputation involves hashing each word in the dictionary
or any search space of candidate passwords
and storing the <plaintext, ciphertext> pairs in a way that enables
lookup on the ciphertext field
This way, when a new encrypted password or is obtained, password
recovery is instantaneous
There exist advanced precomputation methods that are even more
effective.
By applying a time-memory tradeoff, a middle ground can be reached
a search space of size N can be turned into an encrypted database of
size O(N2/3) in which searching for an encrypted password takes time
O(N2/3).
The theory has recently been refined into a practical technique, and
the online implementation at http://passcracking.com/ achieves
impressive results on 8 character alphanumeric MD5 hashes.
Salting (a remedy)
The benefits of precomputation and memoization
can be nullified by randomizing the hashing process
This is known as salting
When the user sets a password,
Since the salt is different for each user,
a short string called the salt is suffixed to the password before
encrypting it;
the salt is stored along with the encrypted password so that it can
be used during verification
the attacker can no longer use a single encrypted version of each
candidate password.
If the salt is long enough, the attacker must repeat the
encryption of every guess for each user,
and this can only be done after obtaining the encrypted password
record for that user.
Programs for password cracking
John the Ripper
John the Ripper is password cracking software. Initially developed
for the UNIX operating system,
It currently runs on fifteen different platforms.
It is one of the most popular password testing/breaking programs as it
combines a number of password crackers into one package, autodetects,
and includes a customisable cracker.
The encrypted password formats which it can be run against include
various DES formats, MD4, MD5, Kerberos AFS, and Windows LM hash.
Additional modules have extended its ability to include passwords stored
in LDAP, MySQL and others.
John is designed to discover weak passwords from the encrypted
information in system files. It operates by taking text strings (usually
from a file containing words found in a dictionary), encrypting it in
the same format as the password being examined, and comparing
the output to the encrypted string. It also offers a brute force mode.
Programs for password cracking
L0phtCrack
L0phtCrack is a password auditing and recovery
application (now called LC5),
originally produced by L0pht Heavy Industries (later
produced by @stake and now by Symantec, which
acquired @stake in 2004)
It is used to test password strength and to recover
lost Microsoft Windows passwords,
by using dictionary, brute-force, and hybrid attacks.
It is one of the crackers' tools of choice
Practicum:
Henrico Retail
Understanding the IT Accounting System and
Identifying Audit Evidence for Retail Sales
Outline the audit trail for processing retail sales transactions
Develop audit plans for gathering evidence to test the
existence and valuation of retail sales
Recognize when audit evidence must be gathered
electronically if a traditional paper trail is absent
Identifying audit trails in preparation for flowcharting
accounting cycle processing required for writing an
audit program
