
Security Part 1: Auditing Operating Systems and Networks

The woman's old password had 4 letters in common with her new password and they were the same length. The manager hinted that the new password kept 4 letters the same and was the same length, so the passwords were likely "month" and "mouth". The document then discusses auditing operating systems and networks, including controlling access privileges, password controls, protecting against malicious programs, implementing system audit trails, and auditing networks to prevent unauthorized access.

Uploaded by

Vina Vicente

Chapter 3

Security Part 1: Auditing Operating Systems and Networks
• A woman worked at a high security institution.
• One day she went to work and tried to log-in to her computer.
• Her password was denied.
• She recalled that the password changes monthly for security
reasons.
• She asked her manager what her password was.
• The manager said: “the new password is different, but if you pay
attention, you will be able to figure out the new one.”
• “Your new password has the same amount of letters as the old
one; and four of the letters are the same.”
• The woman was able to log-in without any problems.
• What were the old and new passwords?
Auditing Operating Systems
• Operating System is the computer’s control program. It allows
users and their applications to share and access common computer
resources.

• Operating System Objectives


1. It translates high-level languages into the machine-level language
that the computer can execute.
2. It allocates computer resources to users, workgroups, and
applications.
3. Operating system manages the tasks of job scheduling and
multiprogramming.
• To perform these tasks consistently and reliably, the operating
system must achieve five fundamental control objectives:

1. The operating system must protect itself from users.


2. The operating system must protect users from each other.
3. The operating system must protect users from themselves.
4. The operating system must be protected from itself.
5. The operating system must be protected from its environment.
Operating System Security
Operating system security involves policies, procedures, and controls that determine
who can access the operating system, which resources they can use, and what actions they
can take.
The log-on procedure is the OS’s first line of defense against unauthorized access. If the
log-on attempt is successful, the OS creates an access token that contains key information
about the user.
An access control list is assigned to each IT resource and controls access to that
resource.
The central system administrator usually determines who is granted access to specific
resources and maintains the access control list. In distributed systems, however, end users
may control (own) resources. Resource owners in this setting may be granted
discretionary access privileges, which allow them to grant access privileges to other
users.
Threats to OS Integrity
Intentional threats to the operating system are most commonly attempts to illegally access data or
violate user privacy for financial gain.
1. Privileged personnel who abuse their authority.
2. Individuals, both internal and external to the organization, who browse the operating system to
identify and exploit security flaws.
3. Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive
programs into the operating system.

Operating System Controls and Audit Tests


1. Controlling Access Privileges
- Privileges should, therefore, be carefully administered and closely monitored for
compliance with organizational policy and principles of internal control.
Audit Objectives Relating to Access Privileges
- Verify that access privileges are granted in a manner that is consistent with the need
to separate incompatible functions and is in accordance with the organization’s policy.
Audit Procedures Relating to Access Privileges
- Performance of certain tests of controls.
2. Password Control
- A password is a secret code the user enters to gain access to systems, applications, data
files, or a network server.
- The most common method of password control is the reusable password. The user
defines the password to the system once and then reuses it to gain future access. The quality
of the security that a reusable password provides depends on the quality of the password
itself. To improve access control, management should require that passwords be changed
regularly and disallow weak passwords.
- The one-time password was designed to overcome the aforementioned problems.
Under this approach, the user’s password changes continuously. This technology employs a
credit card–sized smart card that contains a microprocessor programmed with an algorithm
that generates, and electronically displays, a new and unique password every 60 seconds.
Audit Objectives Relating to Passwords
- The auditor’s objective here is to ensure that the organization has an adequate and
effective password policy for controlling access to the operating system.
Audit Procedures Relating to Passwords
- Performance of certain tests of controls.
3. Controlling Against Malicious and Destructive Programs
- Malicious and destructive programs are responsible for millions of dollars of corporate
losses annually. The losses are measured in terms of data corruption and destruction,
degraded computer performance, hardware destruction, violations of privacy, and the
personnel time devoted to repairing the damage. This class of programs includes viruses,
worms, logic bombs, back doors, and Trojan horses.

Audit Objective Relating to Viruses and Other Destructive Programs


- The key to computer virus control is prevention through strict adherence to organizational
policies and procedures that guard against virus infection. The auditor’s objective is to verify
that effective management policies and procedures are in place to prevent the introduction
and spread of destructive programs, including viruses, worms, back doors, logic bombs, and
Trojan horses.

Audit Procedures Relating to Viruses and Other Destructive Programs


- Performance of certain tests of controls.
System Audit Trail Controls
System audit trails are logs that record activity at the system, application, and
user level. Operating systems allow management to select the level of auditing to be
recorded in the log.

Keystroke Monitoring
Keystroke monitoring involves recording both the user’s keystrokes and the
system’s responses. This form of log may be used after the fact to reconstruct the
details of an event or as a real-time control to prevent unauthorized intrusion.
Keystroke monitoring is the computer equivalent of a telephone wiretap.
Whereas some situations may justify this level of surveillance, keystroke monitoring
may also be regarded as a violation of privacy. Before implementing this type of
control, management and auditors should consider the possible legal, ethical, and
behavioral implications.

Event Monitoring
Event monitoring summarizes key activities related to system resources. Event
logs typically record the IDs of all users accessing the system; the time and duration
of a user’s session; programs that were executed during a session; and the files,
databases, printers, and other resources accessed.
Setting Audit Trail Objectives
Audit trails can be used to support security objectives in three ways: (1) detecting unauthorized access to the
system, (2) facilitating the reconstruction of events, and (3) promoting personal accountability.
Detecting Unauthorized Access.
Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time
detection is to protect the system from outsiders attempting to breach system controls. A real-time audit trail
can also be used to report changes in system performance that may indicate infestation by a virus or worm.

Reconstructing Events.
Audit trail analysis can be used to reconstruct the steps that led to events such as system failures, or security
violations by individuals. Knowledge of the conditions that existed at the time of a system failure can be used
to assign responsibility and to avoid similar situations in the future.

Personal Accountability.
Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive
control that can influence behavior. A system audit log can also serve as a detective control to assign personal
accountability for actions taken such as abuse of authority. For example, consider an accounts receivable clerk
with authority to access customer records. The audit log may disclose that the clerk has been printing an
inordinate number of records, which may indicate that the clerk is selling customer information in violation of
the company’s privacy policy.
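The accounts receivable clerk scenario above, as an added example that is not part of the original slides: it scans an event log for users whose print activity is far above that of their peers and rebuilds one user's timeline. The log line format, user names and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from statistics import median

# Assumed event-log layout: timestamp, user ID, terminal, action, resource.
LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) terminal=(?P<term>\S+) "
    r"action=(?P<action>\S+) resource=(?P<res>\S+)"
)


def parse(lines):
    """Return one dict per well-formed event line; skip anything else."""
    events = []
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def heavy_printers(events, factor=3.0, floor=10):
    """Users whose PRINT count exceeds both `floor` and factor x the peer median."""
    counts = Counter(e["user"] for e in events if e["action"] == "PRINT")
    if not counts:
        return {}
    limit = max(floor, factor * median(counts.values()))
    return {user: n for user, n in counts.items() if n > limit}


def timeline(events, user):
    """Reconstruct one user's activity in time order (ISO timestamps sort as text)."""
    return sorted((e["ts"], e["action"], e["res"]) for e in events if e["user"] == user)


def sample_log():
    """Constructed log: four clerks, one of whom prints 48 customer records."""
    lines = ["2024-03-04T08:55:10 user=clerk_a terminal=T12 action=LOGON resource=-"]
    for user, n in (("clerk_a", 4), ("clerk_b", 6), ("clerk_c", 48), ("clerk_d", 5)):
        for i in range(n):
            lines.append(
                f"2024-03-04T09:{i:02d}:00 user={user} terminal=T12 "
                f"action=PRINT resource=customer/{1000 + i}"
            )
    lines.append("corrupted line without fields")
    return lines


if __name__ == "__main__":
    events = parse(sample_log())
    for user, n in heavy_printers(events).items():
        print(f"{user}: {n} records printed; first events:")
        for row in timeline(events, user)[:3]:
            print("  ", *row)
```

Comparing each user with the peer median, rather than with a fixed number alone, keeps the check meaningful when normal print volume differs between departments.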
4. Implementing a System Audit Trail
- The information contained in audit logs is useful to accountants in measuring the potential
damage and financial loss associated with application errors, abuse of authority, or unauthorized
access by outside intruders. Audit logs, however, can generate data in overwhelming detail.
Important information can easily get lost among the superfluous details of daily operation. Thus,
poorly designed logs can actually be dysfunctional.
- Protecting exposures with the potential for material financial loss should drive management’s
decision as to which users, applications, or operations to monitor, and how much detail to log. As
with all controls, the benefits of audit logs must be balanced against the costs of implementing them.

Audit Objectives Relating to System Audit Trails


- The auditor’s objective is to ensure that the established system audit trail is adequate for
preventing and detecting abuses, reconstructing key events that precede systems failures, and
planning resource allocation.

Audit Procedures Relating to System Audit Trails


- Performance of certain tests of controls.
AUDITING NETWORKS

Reliance on networks for business communications poses concern about unauthorized
access to confidential information. As LANs become the platform for mission-critical
applications and data, proprietary information, customer data, and financial records are at
risk. Organizations connected to their customers and business partners via the Internet are
particularly exposed. Without adequate protection, firms open their doors to computer
hackers, vandals, thieves, and industrial spies both internally and from around the world.

The paradox of networking is that networks exist to provide user access to shared resources,
yet the most important objective of any network is to control such access. Organization
management constantly seeks balance between increased access and the associated business
risks.
Intranet Risks
Intranets consist of small LANs and large WANs that may contain thousands of individual
nodes. Intranets are used to connect employees within a single building, between buildings
on the same physical campus, and between geographically dispersed locations. Typical
intranet activities include e-mail routing, transaction processing between business units,
and linking to the outside Internet.

Unauthorized and illegal employee activities internally spawn intranet threats. Their
motives for doing harm may be vengeance against the company, the challenge of breaking
into unauthorized files, or to profit from selling trade secrets or embezzling assets.

The threat from employees (both current and former) is significant because of their intimate
knowledge of system controls and/or the lack of controls. Discharged employees, or those
who leave under contentious circumstance, raise particular concerns. Trade secrets,
operations data, accounting data, and confidential information to which the employee has
access are at greatest risk.
Interception of Network Messages
The individual nodes on most intranets are connected to a shared channel across which
travel user IDs, passwords, confidential e-mails, and financial data files. The unauthorized interception
of this information by a node on the network is called sniffing. The exposure is even greater when the
intranet is connected to the Internet. Network administrators routinely use commercially available
sniffer software to analyze network traffic and to detect bottlenecks. Sniffer software, however, can also
be downloaded from the Internet. In the hands of a computer criminal, sniffer software can be used to
intercept and view data sent across a shared intranet channel.
Access to Corporate Databases
Intranets connected to central corporate databases increase the risk that an employee will view,
corrupt, change, or copy data. Social Security numbers, customer listings, credit card information,
recipes, formulas, and design specifications may be downloaded and sold. Outsiders have bribed
employees, who have access privileges to financial accounts, to electronically write off an account
receivable or erase an outstanding tax bill.
Privileged Employees
We know from Chapter 1 that an organization’s internal controls are typically aimed at lower-level
employees. According to the CSI study, however, middle managers, who often possess access privileges
that allow them to override controls, are most often prosecuted for insider crimes. Information systems
employees within the organization are another group empowered with override privileges that may
permit access to mission-critical data.
Reluctance to Prosecute.

A factor that contributes to computer crime is many organizations’ reluctance to
prosecute the criminals. Many computer criminals are repeat offenders. Performing
background checks on prospective employees can significantly reduce an
organization’s hiring risk and avoid criminal acts. In the past, employee
backgrounding was difficult to achieve because former employers, fearing legal action,
were reluctant to disclose negative information to prospective employers. A no
comment policy prevailed. The relatively new legal doctrine of negligent hiring
liability is changing this. This doctrine effectively requires employers to check into an
employee’s background.
Internet Risks
• IP Spoofing – Masquerading to gain unauthorized access to a Web
server or to perpetrate fraud without revealing one’s identity
• Denial of Service Attack – an assault on a Web server to prevent it
from servicing legitimate users
• Equipment Failure – Failure from any of the three network
topologies
▫ Communication Lines
▫ Hardware Components
▫ Software
Denial of Service Attacks
• SYN Flood Attack – For a short background, a connecting server
(our network) sends an initiating SYN code to a receiving server
(any website, e.g. the SLU Student Portal), which acknowledges the
request with a SYN-ACK packet; the connecting host machine then
completes the connection by responding with an ACK packet
• Preventing the host machine from acknowledging the SYN-ACK
code leaves the connection incomplete until the server times out.
Third persons flood the server with such requests, preventing any
other user from getting a response. A firewall is a useful
countermeasure.
• Smurf Attacks – Exploiting Ping which is used to test network
congestion.
• Smurf attacks are composed of 3 parties (Perpetrator, intermediary,
Victim)
• A ping message is sent that carries a forged IP address (via IP spoofing)
rather than that of the actual source computer. The intermediary receives
the ping message and relays it to the other networks connected to it.
• Each network connected to the intermediary responds to the ping and
returns the response to the victim’s IP address, which was forged as the
source, causing a server time-out.
• Distributed Denial of Service Attacks – employing a bot to launch
a DOS attack.
• DDOS used for holding a firm hostage, preventing it from
processing online transactions
• DDOS involves large numbers of intermediaries as well as internet
relay chat (IRC) coming from multiple sources around the net
▫ IRC – allows people around the world to communicate in real-time,
tends to have poor security
Controlling Risks from Subversive Threats
• Firewalls – A mechanism that insulates the intranet from
intruders.
• All traffic must pass through the firewall
• Only authorized traffic may pass through it
• It must be immune from penetration from inside and outside of
the organization
• May be implemented in a LAN
• Network-level Firewalls – Efficient, low-security; Consists of a
screening router that examines both source and destination
addresses attached to packets
• Application-level Firewalls – higher level of customizable network
security, adding overhead to connectivity. These are configured to
run security applications (proxies) that permit routine services.
Controlling Denial of Service Attacks
• Smurf Attacks – Program a firewall to block an attacker.
• SYN Flooding – Program firewalls to block outbound message
packets that contain invalid internal IP addresses; purchase security
software for targeted sites that scans for half-open connections
• DDOS Attacks – Invest in intrusion prevention systems that
employ deep packet inspection to determine when an attack is in
progress
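One way to implement the scan for half-open connections mentioned under SYN flooding, added here and not taken from the slides or from any product: it counts `SYN-RECV` sockets in connection-table lines shaped like `ss -tan` output. The sample table, the addresses (documentation ranges) and both thresholds are constructed assumptions.

```python
from collections import Counter


def half_open_report(table_lines, port, total_limit=100, per_source_limit=20):
    """Summarise half-open (SYN-RECV) sockets on one listening port.

    Expected columns: State Recv-Q Send-Q Local:Port Peer:Port.
    """
    sources = Counter()
    for line in table_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header, established sessions, malformed rows
        local, peer = fields[3], fields[4]
        if local.rpartition(":")[2] != str(port):
            continue
        sources[peer.rpartition(":")[0]] += 1

    total = sum(sources.values())
    noisy = {ip: n for ip, n in sources.items() if n >= per_source_limit}
    return {
        "half_open": total,
        "distinct_sources": len(sources),
        "noisy_sources": noisy,
        # Spoofed floods spread over many source addresses, so the total
        # matters as much as any single source's count.
        "alert": total >= total_limit or bool(noisy),
    }


def sample_table():
    """Constructed table: 3 established sessions and 120 half-open ones."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    lines += [f"ESTAB 0 0 192.0.2.10:443 203.0.113.{i}:5{i:04d}" for i in (5, 6, 7)]
    lines += [
        f"SYN-RECV 0 0 192.0.2.10:443 198.51.100.{i}:40{i:03d}"
        for i in range(1, 121)
    ]
    return lines


if __name__ == "__main__":
    print(half_open_report(sample_table(), port=443))
```

In the sample no single source crosses the per-source limit, yet the alert fires on the total, which is the pattern a flood with forged source addresses produces.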
Controlling Risks from Subversive Threats
• Encryption – Conversion of data into a secret code for storage in
database and transmission over networks
• Private Key Encryption
▫ Advanced Encryption Standard (AES) – a 128-bit encryption technique
that has become a US government standard; the key is known only to
the sender and receiver of a message
▫ Triple-DES Encryption – uses three layers of encryption to protect a
message
• Public Key Encryption – Uses 2 different keys: A private key kept
in secret, and a public key that is published
• The sender of a message uses the receiver’s public key to encrypt a
file
• The receiver uses the private key to decrypt the file
• This lessens the need to share a single key among them, reducing
the chances of the encryption getting leaked
• E.g. Blockchain systems used for Cryptocurrencies
• Digital Signatures – an electronic authentication that cannot be forged,
ensuring the security and safe condition of the file transmitted
• Digital signatures work through a one-way hash algorithm: the sender
computes a digest of the file that is unique to that file and encrypts the
digest with the sender’s private key. The receiver decrypts the signature
with the sender’s public key and recomputes the digest from the file
received. If the two digests differ in any way, the verification fails
• Digital Certificates – an electronic authentication process that ensures
both safety and legitimacy of the source. This is done by actually
involving a 3rd party to affirm the ownership of a public key
Public Key Infrastructure
• Constitutes the policies and procedures for administering public
key encryption
• Consists of:
1. Certification authority- issues and revokes digital certificates
2. Registration authority- verifies the identity of certificate applicants
3. Certification repository- publicly accessible database
Message Sequence Numbering
• A sequence number is inserted in each message, so any attempt to
delete a message, change the order of messages, or duplicate a message
will be apparent at the receiving end.
Message Transaction Log
• Records the user ID, the time of access, and the terminal location
or telephone number from which the access originated
Request-Response Technique
• A control message from the sender and a response from the
receiver are sent at periodic, synchronized intervals.

Call-Back Devices
• Requires the dial-in user to enter a password and be identified.
Audit Objectives Relating to Subversive Threats
• Verify the security and integrity of financial transactions by
determining that network controls:
1. Can prevent and detect illegal access both internally and from the
Internet
2. Will render useless any data that a perpetrator successfully
captures
3. Are sufficient to preserve the integrity and physical security of data
connected to the network.
Audit Procedures Relating to Subversive Threats
1. Review the adequacy of the firewall in achieving the proper
balance between control and convenience
▫ Criteria for assessing firewall effectiveness
a. Flexibility
b. Proxy services
c. Filtering
d. Segregation of systems
e. Audit tools
f. Probe for weaknesses
2. Verify that an intrusion prevention system with deep packet
inspection is in place for organizations that are vulnerable
3. Review security procedures governing the administration of data
encryption keys
4. Verify the encryption process by transmitting a test message and
examining the contents at various points along the channel
5. Review the message transaction logs to verify that all messages
were received in their proper sequence
6. Test the operation of the call-back feature by placing an
unauthorized call from outside the installation
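Audit procedure 5, together with the message sequence numbering and message transaction log controls described earlier, as an added example that is not part of the original slides: it walks a transaction log in arrival order and reports missing, duplicated and out-of-order sequence numbers, plus entries from origins that are not on an approved list. The record layout, sample entries and approved-origin list are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    seq: int        # sequence number the sender inserted in the message
    user_id: str
    accessed: str   # time of access
    origin: str     # terminal location or telephone number


def audit_sequence(entries, first_seq=1):
    """Compare sequence numbers, in arrival order, with the expected run."""
    seen, duplicates, out_of_order = set(), [], []
    highest = first_seq - 1
    for e in entries:
        if e.seq in seen:
            duplicates.append(e)        # same message delivered twice
        elif e.seq < highest:
            out_of_order.append(e)      # arrived after a later message
        seen.add(e.seq)
        highest = max(highest, e.seq)
    missing = [n for n in range(first_seq, highest + 1) if n not in seen]
    return {"missing": missing, "duplicates": duplicates, "out_of_order": out_of_order}


def unknown_origins(entries, approved):
    """Origins recorded in the log that are not on the approved list."""
    return sorted({e.origin for e in entries} - set(approved))


def sample_log():
    """Constructed log: 3 arrives late, 5 is repeated, 6 and 7 never arrive."""
    rows = [
        (1, "u17", "09:00:01", "T-04"),
        (2, "u17", "09:00:09", "T-04"),
        (4, "u22", "09:01:30", "T-09"),
        (3, "u17", "09:01:31", "T-04"),
        (5, "u22", "09:02:02", "T-09"),
        (5, "u22", "09:02:03", "T-09"),
        (8, "u99", "09:03:40", "555-0142"),
    ]
    return [LogEntry(*r) for r in rows]


if __name__ == "__main__":
    log = sample_log()
    result = audit_sequence(log)
    print("missing:", result["missing"])
    print("duplicates:", [e.seq for e in result["duplicates"]])
    print("out of order:", [e.seq for e in result["out_of_order"]])
    print("unknown origins:", unknown_origins(log, {"T-04", "T-09"}))
```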
Controlling Risks from Equipment Failure
• Line Errors
• Two techniques used to detect and correct errors:
a. Echo Check
b. Parity Check
Audit Objectives Relating to Equipment Failure
• To verify the integrity of the electronic commerce transactions by
determining that controls are in place to detect and correct
message loss due to equipment failure

Audit Procedures Relating to Equipment Failure
• Select a sample of messages from the transaction log and examine
them for garbled content caused by line noise.
AUDITING ELECTRONIC DATA INTERCHANGE (EDI)
• What is EDI?
EDI is the intercompany exchange of computer-processible
business information in standard format.
To coordinate sales and production operations and to maintain an
uninterrupted flow of raw materials, many organizations enter into a
trading partner agreement with their suppliers and customers. This
agreement is the foundation for a fully automated business process
called Electronic data interchange (EDI).
Important Features of EDI:
• EDI is an inter-organization endeavor.
• The information systems of the trading partners automatically
process the transaction.
• Transaction information is transmitted in a standardized format.
▫ This allows firms with different internal systems to exchange
information and do business. Because EDI documents must be
processed by computers rather than humans, a standard format must
be used so that the computer will be able to read and understand the
documents. A standard format describes what each piece of
information is and in what format (e.g., integer, decimal, mmddyy).
Overview of EDI
This figure shows a direct private
communications link between
two companies. Many
companies, however, choose to
use a third-party value added
network (VAN) to connect to
their trading partners.
No EDI vs. With EDI
Value Added Network and EDI
This figure illustrates a third-party VAN.
The originating company transmits its
EDI messages to the network rather
than directly to the trading partner’s
computer. The network directs each
EDI transmission to its destination
and deposits the message in the
appropriate electronic mailbox. The
messages stay in the mailboxes until
the receiving companies’ systems
retrieve them. VANs can also provide
an important degree of control over
EDI transactions.
EDI Standards

Key to EDI success is the use of a standard format for messaging
between dissimilar systems. Over the years, both in the United
States and internationally, a number of formats have been proposed.
▫ The standard in the United States is the American National
Standards Institute (ANSI) X.12 format
▫ The standard used internationally is the EDI for administration,
commerce, and transport (EDIFACT) format.
X.12 format
The X-12 electronic envelope contains the
electronic address of the receiver,
communications
protocols, and control information. A
functional group is a collection of
transaction sets (electronic documents) for
a particular business application, such as a
group of sales invoices or purchase orders.
The transaction set is composed of data
segments and data elements.
Conventional Source Document
This figure relates these terms to a
conventional document. Each data
segment is an information category on
the document, such as part number,
unit price, or vendor name. The data
elements are specific items of data
related to a segment.
Benefits of EDI
• Data keying. EDI reduces or even eliminates the need for data entry.
• Error reduction. Firms using EDI see reductions in data keying errors,
human interpretation and classification errors, and filing (lost document)
errors.
• Reduction of paper. The use of electronic envelopes and documents
drastically reduces the paper forms in the system.
• Postage. Mailed documents are replaced with much cheaper data
transmissions.
• Automated procedures. EDI automates manual activities associated with
purchasing, sales order processing, cash disbursements, and cash receipts.
• Inventory reduction. By ordering directly as needed from vendors, EDI
reduces the lag time that promotes inventory accumulation.
Financial EDI
• Electronic Fund Transfer (EFT) - an EDI among financial
institutions in which money is transferred from one account to
another. Some examples of EFTs include electronic wire transfers;
automatic teller machine (ATM) transactions; direct deposit of
payroll; business-to-business payments; and federal, state, and
local tax payments.
• EFT for cash disbursement and receipts processing is MORE
complicated than using EDI for purchasing and selling activities.
EFT Transactions Between Trading Partners
EDI Controls
• Authorization and Validation Control
1. Some VANs have the capability of validating passwords and user ID codes
for the vendor by matching these against valid customer file.
2. Before being converted, the translation software can validate the trading
partner’s ID and password against a validation file in firm’s database.
3. Before processing, the trading partner’s application software references the
valid customer and vendor files to validate the transaction.
• Access Control – trading partner agreement, establish valid customer
and vendor files.
• Audit Trail Control – maintain a control log, which records the transaction
flow through each phase of the EDI system.
EDI System Using Transaction Control Log for Audit Trail
Audit Objectives Relating to EDI:
1. All EDI transactions are authorized and validated.
2. No unauthorized organizations gain access to database records.
3. Authorized trading partners have access only to approved data.
4. Adequate controls are in place.
Audit Procedures Relating to EDI
• Test of Authorization and Validation Controls
1. Review agreements w/ VAN facility.
2. Examine the organization’s valid trading partner file.
• Test of Access Controls
1. Determine that access to valid vendor and customer file is limited to
authorized employees only.
2. Review the trading agreement to determine degree of access of a trading
partner.
3. Simulate access by a sample of trading partners and attempt to violate
access privileges.
• Audit Trail Controls
1. Verify the EDI System.
2. Verify key data values were recorded correctly at each point.
Auditing PC-Based Accounting Systems
PC Accounting Systems Module
PC Systems Risks and Controls
• Operating System Weaknesses
• Weak Access Control
• Inadequate Segregation of Duties
• Multilevel Password Control
• Risk of Theft
• Weak Backup Procedures
• Risk of Virus Infection
Audit Objectives Associated w/ PC Security
• Verify Controls are in place.
• Verify adequate supervision and operating procedures exist.
• Verify backup procedures.
• Verify system selection and acquisition procedures.
• Verify that the system is free from virus and adequately protected.
Audit Procedures Associated w/ PC Security
• Observe if PCs are physically anchored.
• Verify from organizational charts, job descriptions and
observation.
• Confirm reports of processed transactions and updated accounts.
• Determine the multilevel password control if appropriate.
• If removable hard drives are used, verify if they are removed and
stored in a secure location when not in use.
• Verify that backup procedures are being followed.
• Verify if their commercial software packages were purchased from
reputable vendors and are legal copies.
• Review the Organization’s Policy for using antiviral software
which may include:
1. Antiviral Software installed on all computers
2. All upgrades to vendor software
3. All public-domain software
4. Current Versions of antiviral software
Decode this Text!
• NbhjhjohDQBubzpohmbibu
