Chapter 3

Security Part I: Auditing Operating Systems and Networks

Review Questions
1. What are the five control objectives of an operating system?
Response:
a. The operating system must protect itself from users.
b. The operating system must protect users from each other.
c. The operating system must protect users from themselves.
d. The operating system must be protected from itself.
e. The operating system must be protected from its environment.
2. What are the three main tasks the operating system performs?
Response:
a. Translates high-level languages into the machine-level language the computer
can execute.
b. Allocates computer resources to users.
c. Manages the tasks of job scheduling and multiprogramming.
3. What is the purpose of an access control list?
Response: An access control list is assigned to each computer resource such as
directories, files, programs, and printers. These lists contain information that defines the
access privileges for all valid users of the resource. When a user attempts to access a
resource, the system compares his or her ID and privileges contained in the access token
with those contained in the access control list. If there is a match, the user is granted
access.
4. What are the four techniques that a virus could use to infect a system?
Response: The virus program can attach itself to
a. an .EXE or .COM file,
b. an OVL (overlay) program file,
c. the boot sector of a disk, or
d. a device driver program.
5. What is an access token?
Response: At login, the operating system creates an access token that contains
key information about the user, including user ID, password, user group, and privileges
granted to the user. The information in the access token is used to approve all actions
attempted by the user during the session.
6. Explain discretionary access privileges.
Response: In distributed systems, end users may control (own) resources.
Resource owners in this setting may be granted discretionary access control, which
allows them to grant access privileges to other users. For example, the controller, who is
the owner of the general ledger, may grant read-only privileges to a manager in the

budgeting department. The accounts payable manager, however, may be granted both
read and write permissions to the ledger. Any attempt the budgeting manager makes to
add, delete, or change the general ledger will be denied. Discretionary access control
needs to be closely supervised to prevent security breaches resulting from too liberal use.
7. What is event monitoring?
Response: Event monitoring is an audit log that summarizes key activities related
to users, applications, and system resources. Event logs typically record the IDs of all
users accessing the system; the time and duration of a users session; programs that were
executed during a session; and the files, databases, printers, and other resources accessed.
8. What is keystroke monitoring?
Response: Keystroke monitoring is the computer equivalent of a telephone
wiretap. It is a log that records both the users keystrokes and the systems responses to
them. This form of log may be used after the fact to reconstruct the details of an event or
as a real-time control to monitor or prevent unauthorized intrusion.
9. What is a vaccine and what are its limitations?
Response: Avaccine anti-virus program detects and removes viruses from the
infected programs or data files. Most antiviral programs run in the background on the
host computer and automatically test all files that are uploaded to the host. Its limitation
is that it works only on known viruses and versions of the virus.
10. What are the risks from subversive threats?
Response: The risks from subversive threats include: a computer criminal
intercepting a message transmitted between the sender and the receiver, a computer
hacker gaining unauthorized access to the organizations network, and a denial-of-service
attack from a remote location of the Internet.
11. What are the risks from equipment failure?
Response: The risks from equipment failure include the fact that they can cause
transmissions between senders and receivers can be disrupted, destroyed, or corrupted.
Equipment failure can also result in the loss of databases and programs stored on the
network server.
12. What is a firewall?
Response:
A firewall is a system that enforces access control between two networks. Firewalls can
be used to authenticate an outside user of the network, verify his or her level of access
authority, and then direct the user to the program, data, or service requested. In addition
to insulating the organizations network from external networks, firewalls can also be
used to insulate portions of the organizations intranet from internal access.
13. Distinguish between network-level and application-level firewalls.
Response: A network-level firewall accepts or denies access requests based on
filtering rules, and then directs the incoming calls to the correct internal receiving node.

Network-level firewalls are insecure because they are designed to facilitate the free flow
of information rather than restrict it. A network level firewall does not explicitly
authenticate outside users.
An application-level firewalls provide a higher level of customizable network
security, but they add overhead to connectivity. These systems are configured to run
security applications called proxies that permit routine services such as e-mail to pass
through the firewall, but can perform sophisticated functions such as user authentication
for specific tasks. Application-level firewalls also provide comprehensive transmission
logging and auditing tools for reporting unauthorized activity.
14. What are the most common forms of contra-security behavior?
Response:
Forgetting passwords and being locked out of the system.
Failing to change passwords on a frequent basis.
The Post-it syndrome, whereby passwords are written down and displayed for
others to see.
Simplistic passwords that a computer criminal easily anticipates.
15. What can be done to defeat a DDos attack?
Response: As a countermeasure to DDos attacks, many organizations have
invested in intrusion prevention systems (IPS) that employ deep packet inspection (DPI)
to determine when an attack is in progress. DPI uses a variety of analytical and statistical
techniques to evaluate the contents of message packets. It searches the individual packets
for protocol noncompliance and employs predefined criteria to decide if a packet can
proceed to its destination. This is in contrast to the normal packet inspection that simply
checks the header portion of a packet to determine its destination. By going deeper and
examining the payload or body of the packet, DPI can identify and classify malicious
packets based on a database of known attack signatures. Once classified as malicious, the
packet can
16. How does public key encryption work?
Response:
Public key encryption uses two different keys: one for encoding messages and the other
for decoding them. Each recipient has a private key that is kept secret and a public key
that is published. The sender of a message uses the receivers public key to encrypt the
message. The receiver then uses his or her private key to decode the
message. Users never need to share their private keys to decrypt messages, thus reducing
the likelihood that they fall into the hands of a criminal.
17. What is a digital envelope?
Response: DES and RSA encryption are used together in what is called a digital
envelope. The actual message is encrypted using DES to provide the fastest decoding.
The DES private key needed to decrypt the message is encrypted using RSA and
transmitted along with the message. The receiver first decodes the DESK key, which is
then used to decode the message.

18. What is a digital signature?

Response: A digital signature is an electronic authentication that cannot be
forged. It ensures that the message or document transmitted originated with the
authorized sender and that it was not tampered with after the signature was applied. The
digital signature is derived from the computed digest of the document that has been
encrypted with the senders private key.
19. Categorize each of the following as either an equipment failure control or an
unauthorized access control:
Response:
a. message authentication: unauthorized access control
b. parity check: equipment failure control
c. call-back device: unauthorized access control
d. echo check: equipment failure control
e. line error: equipment failure control
f. data encryption: unauthorized access control
g. request response technique: unauthorized access control
20. What is DPI?
Response: DPI (deep packet inspection) is a technique that searches individual
network packets for protocol non-compliance to decide if a packet can proceed to its
destination. DPI can identify and classify malicious packets based on a database of
known attack signatures.
21. At what three points in an electronic data interchange transaction and
validation process can authorization and validation be accomplished?
Response:
a. At the VAN level: The vendor logon is validated by comparing vendor
passwords and IDs against a valid master file.
b. Before being converted: The translation software validates the trading
partners password and ID against a valid master file.
c. Before processing: the trading partners application software references the
valid customer and vendor files to validate the transaction.
22. What is packet switching?
Response:
The Internet employs communications technologies based on packet switching, whereby
messages are divided into small packets for transmission. Individual packets of the same
message may take different routes to their destinations. Each packet contains address and
sequencing codes so they can be reassembled into the original complete message at the
receiving end. The choice of transmission path is determined according to criteria that
achieve optimum utilization of the long-distance lines, including the degree of traffic
congestion on the line, the
shortest path between the end points

23. What is a VPN?

Response: A virtual private network (VPN) is a private network that exists within
a public network. VPNs are private from the clients perspective, but
physically share backbone trunks with other users. Maintaining security and privacy in
this setting, however, requires encryption and authentication controls.
24. Name three types of addresses used on the Internet?
Response: The Internet uses three types of addresses for communications:
a. e-mail addresses,
b. Web site (URL) addresses, and
c. the addresses of individual computers attached to a network (IP addresses).
25. Describe the elements of an e-mail address.
Response: The format for an e-mail address is
USER_NAME@DOMAIN_NAME. There are no spaces between any of the letters. A
domain name is an organizations unique name combined with a top-level domain name,
i.e. com, edu, etc.
26. Networks would be inoperable without protocols. Explain their importance and
what functions they perform.
Response: Network protocols are the rules and standards governing the design of
hardware and software that permit users of networks manufactured by different vendors
to communicate and share data. Without protocols, data transmission between two
incompatible systems would be impossible. Protocols facilitate the physical connection
between the network devices. Protocols also synchronize the transfer of data between
physical devices. They provide a basis for error checking and measuring network
performance. They promote compatibility among network devices. Lastly, they promote
network designs that are flexible, expandable, and cost-effective.
27. What is the purpose of the TCP portion of TCP/IP?
Response: Transfer Control Protocol (TCP) ensures that the total number of bytes
transmitted is equal to the total number of bytes received.
28. What does the HTTP do?
Response: Hypertext Transfer Protocol (HTTP) controls Web browsers that
access the Web. When the user clicks on a link to a Web page, a connection is
established, the Web page is displayed, then the connection is broken.
29. How do HTTP and HTTP-NG differ?
Response: HTTP-NG is the new generation of the Hypertext Transfer Protocol.
It is an enhanced version of the HTTP protocol that maintains the simplicity of HTTP
while adding important features such as security and authentication.
30. What is a digital certificate? How is it different from a digital signature?
Response: A digital certificate is used to verify the senders identity. It is issued
by a trusted third party called a certification authority (CA). A digital certificate is used

in conjunction with a public key encryption system to authenticate the sender of a

message. The process for certification varies depending on the level of certification
desired. A digital signature proves that the message received was indeed sent by the
sender, and was not tampered with during transmission. However, it does not prove that
the sender is who he or she claims to be. The sender could be an impersonator. The
digital certificate proves the identity of the sender.
31. What is a certification authority, and what are the implications for the
accounting profession?
Response: A certification authority is an independent and trusted third party
empowered with responsibility to vouch for the identity of organizations and individuals
engaging in Internet commerce. The question then becomes, who vouches for the CA?
How does one know that the CA who awarded a seal of authenticity to an individual is
itself reputable and was meticulous in establishing his or her identity? These questions
hold specific implication for the accounting profession. Since they enjoy a high degree
of public confidence, public accounting firms are natural candidates for certification
authorities.
Discussion Questions
1. Why is human behavior considered one of the biggest potential threats to
operating system integrity?
Response: Unfortunately, some computer hackers enjoy the challenge of creating
devices, such as viruses and logic bombs, to damage systems. They gain nothing of
monetary or financial value; they just enjoy knowing they accomplished their goal of
penetrating and affecting an operating system.

2. Why would a systems programmer create a back door if he or she has access to the
program in his or her day-to-day tasks?
Response: A back door is created so that the programmer may gain future access
to the program without needing a user password (in other words after the programmer no
longer has a valid password). The backdoor may be used legitimately to gain easy access
to perform maintenance or it may be used by a programmer who has no legitimate reason
to be accessing the system in that manner or at all.
3. Discuss the issues that need to be considered before implementing keystroke
monitoring.
Response: Keystroke monitoring is the computer equivalent of a telephone
wiretap. Whereas some situations may justify this level of surveillance, keystroke
monitoring may also be regarded as a violation of privacy. Before implementing this type
of control, management and auditors should consider the possible legal, ethical, and
behavioral implications.
4. Explain how an access token and an access control list are used to approve or deny
access.
Response: When a log-on attempt is successful, the operating system creates an
access token that contains key information about the user, including user ID, password,
user group, and privileges granted to the user. The information in the access token is used
to approve all actions the user attempts during the session.
An access control list is assigned to each IT resource (computer directory, data file,
program, or printer), which controls access to the resources. These lists contain
information that defines the access privileges for all valid users of the resource. When a
user attempts to access a resource, the system compares his or her ID and privileges
contained in the access token with those contained in the access control list. If there is a
match, the user is granted access.
5. Explain how a Trojan horse may be used to penetrate a system.
Response:
A Trojan horse is a program whose purpose is to capture IDs and passwords from
unsuspecting users. These programs are designed to mimic the normal log-on procedures
of the operating system. When the user enters his or her ID and password, the Trojan
horse stores a copy of them in a secret file. At some later date, the author of the Trojan
horse uses these IDs and passwords to access the system and masquerade as an
authorized user.
6. Discuss six ways in which threats from destructive programs can be substantially
reduced through a combination of technology controls and administrative procedures.
Response: The following examples controls and procedure that can reduce the
threat from destructive programs:
i. Purchase software only from reputable vendors and accept only those products
that are in their original, factory-sealed packages.

ii. Issue an entity-wide policy pertaining to the use of unauthorized software or

illegal (bootleg) copies of copyrighted software.
iii. Examine all upgrades to vendor software for viruses before they are
implemented.
iv. Inspect all public-domain software for virus infection before using.
v. Establish entity-wide procedures for making changes to production programs.
vi. Establish an educational program to raise user awareness regarding threats
from viruses and malicious programs.
vii. Install all new applications on a standalone computer and thoroughly test
them with antiviral software prior to implementing them on the mainframe or LAN
server.
vii. Routinely make backup copies of key files stored on mainframes, servers,
and workstations.
ix. Wherever possible, limit users to read and execute rights only.
x. Require protocols that explicitly invoke the operating systems logon
procedures in order to bypass Trojan horses. Some operating systems allow the user to
directly invoke the operating system logon procedure by entering a key sequence such as
CTRL + ALT + DEL. The user then knows that the logon procedure on the screen is
legitimate.
xi. Use antiviral software (also called vaccines) to examine application and
operating system programs for the presence of a virus and remove them from the affected
program.
7. Explain the three ways in which audit trails can be used to support security objectives.
Response: Audit trails can be used to support security objectives in three ways:
i. detecting unauthorized access to the system,
ii. reconstructing events, and
iii. promoting personal accountability.
DETECTING UNAUTHORIZED ACCESS. Detecting unauthorized access can occur in
real time or after the fact. The primary objective of real-time detection is to protect the
system from outsiders who are attempting to breach system controls. After-the-fact
detection logs can be stored electronically and reviewed periodically or as needed. When
properly designed, they can be used to determine if unauthorized access was
accomplished, or attempted and failed.
RECONSTRUCTING EVENTS. Audit analysis can be used to reconstruct the steps that
led to events such as system failures, security violations by individuals, or application
processing errors. Knowledge of the conditions that existed at the time of a system failure
can be used to assign responsibility and to avoid similar situations in the future.

PERSONAL ACCOUNTABILITY. Audit trails can be used to monitor user activity at the
lowest level of detail. This capability is a preventive control that can be used to influence
behavior. Individuals are less likely to violate an organizations security policy if they
know that their actions are recorded in an audit log. An audit log can also serve as a
detective control to assign personal accountability for actions taken. Serious errors and
the abuse of authority are of particular concern.

8. Explain how poorly designed audit trail logs can actually be dysfunctional.
Response: Audit logs can generate data in overwhelming detail. Important
information can easily get lost among the superfluous details of daily operation.
Protecting exposures with the potential for material financial loss should drive
managements decision as to which users, applications, or operations to monitor, and how
much detail to log. As with all controls, the benefits of audit logs must be balanced
against the costs of implementing them.
9. Many authorities believe that the employer does not prosecute 90 percent of all
computer fraud acts. What do you think accounts for this lack of prosecution?
Discuss the importance of the establishment of a formal policy for taking
disciplinary (or legal) action against security violations.
Response: A common belief by management of publicly traded firms is that the
public will perceive fraudulent acts that have taken place as a sign of control weaknesses.
The management teams may prefer to handle the computer fraud by dismissal of the
employee rather than have the stockholders and analysts lose faith in the internal control
procedures of the firm. Unfortunately, this type of behavior by employers sends the
wrong message to potential perpetrators. The message from top management needs to be
clear regarding fraudulent acts-they will not be tolerated and any acts will be prosecuted.
The message means absolutely nothing if the firm does not back up this policy with
actions if such crimes are committed.
10. How can passwords actually circumvent security? What actions can be taken to
minimize this?
Response: Users may share their passwords, write-down their passwords, or use
easily guessed passwords. Protection against these security breaches includes software
that allows only smart passwords and one-time passwords used in conjunction with smart
cards.
11. Explain how the one-time password approach works.
Response: Under this approach, the users password changes continuously. To
access the operating system, the user must provide both a secret reusable personal
identification number (PIN) and the current one-time only password for that point in
time. One technology employs a credit-card-sized device (smart card) that contains a
microprocessor programmed with an algorithm that generates, and visually displays, a
new and unique password every 60 seconds. The card works in conjunction with special
authentication software located on a mainframe host or network server computer. At any
point in time both the smart card and the network software are generating the same
password for the same user. To access the network, the user enters the PIN followed by
the current password displayed on the card. The password can be used one time only.
12. Explain how smurf attacks and SYN flood attacks can be controlled.

Response: In the case of a smurf attack, the targeted organization can program their
firewall to ignore all communication from the attacking site, once the attackers IP address
is determined. In the case of SYN Flood, two things can be done:
i. Internet hosts can program their firewalls to block outbound message packets that
contain invalid internal IP addresses.
ii. Security software can scan for half-open connections that have not been followed
by an ACK packet. The clogged ports can then be restored to allow legitimate
connections to use them.
13. Discuss the risks from equipment failure and how they can be controlled.
Response:
Risks: Transmissions between senders and receivers can be disrupted, destroyed,
or corrupted by equipment failures in the communications system. Equipment failure can
also result in the loss of databases and programs stored on the network server. The most
common problem in data communications is data loss due to line error. The bit structure
of the message can be corrupted through noise on the communications lines. Noise is
comprised of random signals that can interfere with the message signal when they reach a
certain level.
Controls:
i. Echo Check. The echo check involves the receiver of the message returning the
message to the sender. The sender compares the returned message with a stored copy of
the original. If there is a discrepancy between the returned message and the original,
suggesting a transmission error, the message is retransmitted.
ii. Parity Check. The parity check incorporates an extra bit (the parity bit) into the
structure of a bit string when it is created or transmitted. The value of the parity bit (1 or
0) is determined by the bit value of the character being transmitted. Parity can be both
vertical and horizontal (longitudinal). When the message is received, the parity is
checked again. A discrepancy in the parity bit value that is recalculated at the receiving
end indicates that a bit value in the character was changed during transmission.
iii. Network Backup. Data backup in networks is accomplished in several
different ways depending on the networks complexity.

14. Does every organization that has a LAN have need a firewall?
Response: Firewalls can provide protection against unauthorized access by both
internal and external intruders depending on the type of firewall. An organization with a
LAN with NO connections to ANY external networks may be safe without firewalls, but
some sort of network security is necessary for multiple users.
15. Describe three ways in which IPS can be used to protect against DDos attacks.
Response:
i. IPS can work inline with a firewall at the perimeter of the network to act as a
filer that removes malicious packets from the flow before they can affect servers and
networks.
ii. IPS may be used behind the firewall to protect specific network segments and
servers.
iii. IPS can be employed to protect an organization from becoming part of a
botnet by inspecting outbound packets and blocking malicious traffic before it reaches the
Internet.
16. What problem is common to all private key encryption techniques?
Response: The more individuals who need to know the private key, the greater
the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or
she can intercept and decipher coded messages.

17. What is RSA encryption?

Response: RSA (Rivest-Shamir-Adleman) is a highly secure public key
cryptography method. This method is, however, computationally intensive and much
slower than standard DES encryption. Sometimes, both DES and RSA are used together
in what is called a digital envelope. The actual message is encrypted using DES to
provide the fastest decoding. The DES private key needed to decrypt the message is
encrypted using RSA and transmitted along with the message. The receiver first decodes
the DES key, which is then used to decode the message.
18. Explain the triple-DES encryption techniques known as EEE3 and EDE3.
Response: EEE3 uses three different keys to encrypt the message three times.
EDE3 uses one key to encrypt the message. A second key is used to decode it. The
resulting message is garbled because the key used for decoding is different from the one
that encrypted it. Finally, a third key is used to encrypt the garbled message. The use of
multiple keys greatly reduces the chances of breaking the cipher. Triple DES encryption
is thought to be very secure and is used by major banks to transmit transactions.
Unfortunately, it is also very slow.
19. Distinguish between a digital signature and a digital certificate.
Response: A digital signature is electronic authentication that cannot be forged. It
ensures that the message or document transmitted originated with the authorized sender
and that it was not tampered with after the signature was applied. The digital signature is
a derived from the computed digest of the document that has been encrypted with the
senders private key. This process proves that the message received was indeed sent by
the sender and was not tampered with during transmission. However, it does not prove
that the sender is who he or she claims to be. The sender could be an impersonator.
A digital certificate, which is issued by a trusted third-party called a certification
authority (CA). is used to verify the senders identity. A digital certificate is used in
conjunction with a public key encryption system to authenticate the sender of a message.
The process for certification varies depending on the level of certification desired. It
involves establishing ones identity with formal documents such as a drivers license,
notarization, and fingerprints and proving ones ownership of the public key. After
verifying the owners identity the CA creates the certification, which is the owners
public key and other data that has been digitally signed by the CA.
20. Describe a digest within the context of a digital signature.
Response: A digest is a mathematical value calculated from the text content of a
message. The sender uses a one-way hashing algorithm to calculate a digest of the text
message. The digest is then encrypted using the senders private key to produce the
digital signature.

21. What is a digital envelope?

Response: Sometimes DES and RSA are used together to create a digital
envelope that is both more secure and faster than using RSA encryption alone. The actual
message is encrypted using DES to provide the fastest decoding. The DES private key
needed to decrypt the message is encrypted using RSA and transmitted along with the
message. The receiver first decodes the DES key, which is then used to decode the
message.
22. Why is inadequate segregation of duties a problem in the personal computer
environment?
Response: An employee may have access to multiple applications that process
incompatible transactions. For example, a single individual may be responsible for
entering all transaction data, including sales orders, cash receipts, invoices, and
disbursements. This degree of authority would be similar, in a manual system, to
assigning accounts receivable, accounts payable, cash receipts, cash disbursement, and
general ledger responsibility to the same person. The exposure is compounded when the
operator is also responsible for the development (programming) of the applications that
he or she runs.
23. Why is the request-response technique important? Discuss the reasons an
intruder may wish to prevent or delay the receipt of a message.
Response: This method is important in order to prevent intruders from preventing
or delaying messages. An intruder might intercept data such as credit card numbers and
expiration dates or bank debit cards and personal identification numbers in order to use
this data to commit crimes. Another possibility is that sales orders could be intercepted
and destroyed in a malicious attempt to sever customer-supplier relations.
24. Discuss how the widespread use of laptop and notebook computers is making
data encryption standards more easily penetrable.
Response: Business travelers with laptop and notebook computers are just
beginning to realize how carefully they should safeguard their computers while traveling
on subways, planes, cars, and staying in hotels. Theft of these computers is becoming a
serious problem. These computers are being stolen just as often for the information
contained on the hard drives as they are for the resale values. Unfortunately, these stolen
computers often have the DES keys contained on floppy diskettes, which are stored in the
carrying cases. The carrying cases are usually also stolen, or the encryption keys may be
on the hard drive. Thus, the thief gains access to the key and can decode messages.
25. Discuss the unique control problems EDI creates.

Response: One problem is ensuring that transactions are authorized and valid.
Both the customer and supplier must establish that the transaction being processed is with
a valid trading partner and is an authorized transaction. Another problem is that, in most
situations, the trading partners must agree to give their trading partner access to files,
which previously were entirely internal documents, such as inventory files. Prior to EDI,
firms did not exchange inventory file data. Thus, the accuracy of these files AT ALL
TIMES is crucial. Further, these files should not be allowed to be altered, in any fashion,
by the trading partners computer. Only the organizations application programs should be
allowed to process inventory records.
26. In and EDI system, only the customer needs to verify that the order being
placed is from a valid supplier and not vice versa. Do you agree with this
statement? Why or why not?
Response: No. The supplier needs to verify that the purchaser is a valid purchaser
and has authorization to scan the inventory file.
27. Discuss how EDI creates an environment in which sensitive information, such as
inventory amounts and price data, is no longer private. What potential dangers
exist if the proper controls are not in place? Give an example.
Response: In an EDI environment, the selling firm opens up previously
considered private files, such as inventory and in some cases the master production
schedule, to the customers order system so that the inventory status can be checked. If
the proper controls are not in place, a perpetrator could alter these records so that
inventory is shown to be lower than it actually is, and the organization could lose orders
as the customer contacts another vendor. If this situation went undetected for a length of
time, the organization could have such a decline in sales and loss in customer base that it
could be forced out of business.
28. What purpose do protocols serve?
Response: Protocols serve network functions in several ways.
First, they facilitate the physical connection between the network devices. Through
protocols, devices are able to identify themselves to other devices as legitimate network
entities, and thus initiate (or terminate) a communications session.
Second, protocols synchronize the transfer of data between physical devices. This
involves defining the rules for initiating a message, determining the data transfer rate
between devices, and acknowledging message receipt.
Third, protocols provide a basis for error checking and measuring network performance.
This is done by comparing measured results against expectations. For example,
performance measures pertaining to storage device access times, data transmission rates,
and modulation frequencies are critical to controlling the networks function. The
identification and correction of errors thus depends on protocol standards that define
acceptable performance.
Fourth, protocols promote compatibility among network devices. To successfully transmit
and receive data, the various devices involved in a particular session must conform to a

mutually acceptable mode of operation, such as synchronous or asynchronous and duplex

or half-duplex. Without protocols to provide such conformity, messages sent between
devices will be distorted and garbled.
Finally, protocols promote network designs that are flexible, expandable, and costeffective. Users are free to change and enhance their systems by selecting from the best
offerings of a variety of vendors. Manufacturers must, of course, construct these products
in accordance with established protocols.
29. Explain the purpose of the two elements of TCP/IP.
Response: The TCP portion of the TCP/IP protocol supports the transport
function of the OSI model. This ensures that the total number of data bytes transmitted
was received. The IP component provides the routing mechanism. Every server and
computer in a TCP/IP network requires an IP address, which is either permanently
assigned or dynamically assigned at startup. The IP part of the TCP/IP protocol supports
the network layer of the OSI model. It contains a network address and is used to route
messages to different networks. IP receives message packets from the transport protocol
and delivers them to the data link layer.
30. Distinguish between the FTP and TELNET protocols.
Response: FTP (File Transfer Protocol) is used to transfer text files, programs,
spreadsheets, and databases across the Internet. TELNET is a terminal emulation protocol
used on TCP/IP-based networks. It allows users to run programs and review data from a
remote terminal or computer. Telnet is an inherent part of the TCP/IP communications
protocol. While both protocols deal with data transfer, FTP is useful for downloading
entire files from the Internet; TELNET is useful for perusing a file of data as if the user
were actually at the remote site.
31. Distinguish between a network-level firewall and an application-level firewall.
Response: Network-level firewalls provide efficient but low-security access
control. This type of firewall consists of a screening router that examines the source and
destination addresses that are attached to incoming message packets. The firewall accepts
or denies access requests based on filtering rules that have been programmed into it. The
firewall directs incoming calls to the correct internal receiving node. Network-level
firewalls are insecure because they are designed to facilitate the free flow of information
rather than restrict it. This method does not explicitly authenticate outside users.
Application-level firewalls provide a higher level of customizable network security, but
they add overhead to connectivity. These systems are configured to run security
applications called proxies that permit routine services such as e-mail to pass through the
firewall, but can perform sophisticated functions such as user authentication for specific
tasks. Application-level firewalls also provide comprehensive transmission logging and
auditing tools for reporting unauthorized activity.
32. What is a certification authority, and what are the implications for the
accounting profession?
Response: A certification authority is an independent and trusted third party
empowered with responsibility to vouch for the identity of organizations and individuals
engaging in Internet commerce. The question then becomes, who vouches for the CA?

How does one know that the CA who awarded a seal of authenticity to an individual is
itself reputable and was meticulous in establishing his or her identity? These questions
hold specific implication for the accounting profession. Since they enjoy a high degree
of public confidence, public accounting firms are natural candidates for certification
authorities.

33. Discuss the key aspects of the following five seal-granting

organizations: BBB, TRUSTe, Veri-Sign, Inc., ICSA, and
AICPA/CICA WebTrust.
Response:
Better Business Bureau. The Better Business Bureau (BBB) is a non-profit
organization that has been promoting ethical business practices through self-regulation
since 1912. BBB has extended its mission to the Internet through a wholly owned
subsidiary called BBBOnline, Inc. To qualify for the BBBOnline seal an organization
must:
Become a member of BBB.
Provide information about the companys ownership, management, address, and
phone number. This is verified by a physical visit to the companys premises.
Be in business for at least one year.
Promptly respond to customer complaints.
Agree to binding arbitration for unresolved disputes with customers.
The assurance provided by BBBOnline relates primarily to concerns about business
policies, ethical advertising, and consumer privacy. BBBOnline does not verify controls
over transaction-processing integrity and data-security issues.
TRUSTe. Founded in 1996, TRUSTe is a non-profit organization dedicated to improving
consumer privacy practices among Internet businesses and Web sites. To qualify to
display the TRUSTe seal the organization must:
Agree to follow TRUSTe privacy policies and disclosure standards.
Post a privacy statement on the Web site disclosing the type of information being
collected, the purpose for collecting information, and with whom it is shared.
Promptly respond to customer complaints.
Agree to site-compliance reviews by TRUSTe or an independent third party.
TRUSTe addresses consumer privacy concerns exclusively and provides a mechanism for
posting consumer complaints against its members. If a member-organization is found to
be out of compliance with TRUSTe standards, its right to display the trust seal may be
revoked.
Veri-Sign, Inc. Veri-Sign, Inc. was established as a for-profit organization in 1995. VeriSign, Inc. provides assurance regarding the security of transmitted data. The organization
does not verify security of stored data or address concerns related to business policies,
business processes, or privacy. Its mission is to provide digital certificate solutions that
enable trusted commerce and communications. Its products allow customers to transmit
encrypted data and verify the source and destination of transmissions. Veri-Sign, Inc.
issues three classes of certificates to individuals, businesses, and organizations. To qualify
for class-three certification the individual, business, or organization must provide a thirdparty confirmation of name, address, telephone number, and Web site domain name.
ICSA. The International Computer Security Association (ICSA) established its Web
Certification Program in 1996. ICSA certification addresses data security and privacy
concerns. It does not deal with concerns about business policy and business processes.

Organizations that qualify to display the ICSA seal have undergone an extensive review
of firewall security from outside hackers. Organizations must be recertified on an annual
basis and undergo at least two surprise checks each year.
AICPA/CICA WebTrust. The AICPA and CICA established the WebTrust program in
1997. To display the AICPA/CICA WebTrust seal the organization must undergo an
examination according to the AICPAs Standards for Attestation Engagements, No. 1, by
a specially Web-certified CPA or CA. The examination focuses on the areas of business
practices (policies), transaction integrity (business process), and information protection
(data security). The seal must be renewed every 90 days.
32. Differentiate between a LAN and a WAN. Do you have either or both at your
university or college?

Response: The primary difference between LANs and WANs is the geographic
area coverage. LANs are typically confined to a single room, floor, or building. WANs
are used to connect various LANs and computing centers that are geographically
dispersed across distances that range from less than a mile to transcontinental.
Multiple-Choice Questions
1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

Problems
1. Operating System and Network Control
Required: Describe a well-controlled system in terms of access controls for a
major insurance company that equips each salesperson with a laptop.
Response: The company needs to make sure that the following items are included
in its system design:
Data encryption techniques for the sending of sensitive data from one file to another over
the LAN.
Access controls for files on the home computer.
Access controls for data on hard drives of the personal computers.
Back-up policy and procedures for data on the home computer and the PCs.
Virus Protection for the home computer and for the PCs.
2. Operation System Controls
Required:

a. What internal control problems do you find?

Response: There are a few security control problems within MMs operating
system. First, access control is a problem because there is not secure protection from
unauthorized users. Also, there is a problem with malicious and destructive programs.
Controls that combine technology and administrative procedures need to be implemented.
There also is a lack of audit trail controls, which are needed for proper accounting
records.
b. How can MM improve internal controls?
Response: In order to improve the security issues in part A, MM should
implement more controls. MM system security needs to make sure access privileges are
assigned only to legitimate users. Reusable passwords should be implemented especially
amongst the managers in MM in order to protect against an unauthorized user.
Additionally, controls to protect against malicious programs consist of purchasing
software from only reputable vendors, inspecting all public software for viruses prior to
use, and establishing MM entity-wide procedures for software and programs. Also,
backup files should be made of servers, mainframes and workstations. Antiviral software
should be purchased and a set of protocols should occur at system log-on to avoid Trojan
horses. Finally, audit trail controls can be improved with detailed logs of individual key
strokes and an event-oriented log. These improvements can help Mr. Rollerball find out
about an individual users session who is a suspect to possible tampering with the
computer system.
3. Internal Control and Fraud
Required: What control technique(s) discussed in this chapter could you use to
help detect this type of fraud?
Response: If the company uses a call back device, Charles Harts home phone
should not be on the approved phone list. Since Charles is an hourly worker, he should
not be expected to take work home with him. Further, a transaction log listing time of
data input and user ID would be informative to Charles boss. If Charles has not been
approved for overtime during the past month, and Charles supervisor notices that Charles
has entered some transactions into the system late in the evening, then Charles
supervisor should investigate these actions. A message transaction, which contains a log
of users on the system by login time, would also be useful.
4. Internal Control and Fraud
Required: a. What weaknesses in the organizations control structure must have
existed to permit this type of embezzlement?

Response: The control over output documents (i.e. the MRP, inventory ordering
system, billing, sales order, accounts payable, and the operating manuals) was very weak.
These documents should not be discarded in a manner in which they can be retrieved and
read by anyone. Inadequate operating system controls were in place that allowed a Trojan
horse program to retrieve user IDs and passwords. Management reports reflecting new
vendors, new suppliers, and new systems personnel IDs were either not being prepared
or not being carefully reviewed. Inadequate reports reflecting changes to the transaction
log were being kept or the changes in them would have been noticed.
Required: b. What specific control techniques and procedures could have helped
prevent or detect this fraud?
Response: All documentation manuals should be shredded or placed into an
incinerator. An operating system should have controls to protect it against breaches such
as the Trojan horse programming technique. Reports reflecting any additions to vendors
or suppliers should be carefully reviewed by management for accuracy. A periodic list of
all systems personnel and their passwords should be printed and reviewed. A sign-off
procedure for verification of these reports would send a strong message to the managers
that these reports should be carefully reviewed. The numbering of transactions on the
transaction log, such as sales orders and purchase orders should be implemented so that
transactions cannot be deleted without the occurrence of a gap in the sequence.
5. Input Controls and Networking
Required:
a. Identify and explain the data security and integrity problems that can occur.
b. For each problem identified, describe a control procedure that could be
employed to minimize or eliminate the problem.

Problem Identification and Explanation

Control Procedure and Explanation

Establish access privileges based on need

Unauthorized access to the reporting system

Implement Passwords and password

management procedures
Encrypt password file
Establish system audit trail
Employ antiviral software

Unauthorized access to report database

Establish database authority table based on

need
Assign user views based on need
Establish user-defined procedures
Encrypt financial data in the database

Unauthorized intrusion to system and data

from the internet, including denial of service
attack

Implement an application-level firewall

Encrypt financial data in the database
Use digital signatures
Implement security software to identify open
connections that indicate a SYN flood
Use message sequence numbering
Use security techniques such as requestresponse and call-back

Transmitted data received at corporate

headquarters from the reporting units may be
corrupted by line errors or other hardware
failure.

They system should have built-in controls

including echo check and parity check to
correct line errors.

6. Preventive Controls
Required: For each scenario, discuss the possible damages that can occur.
Suggest a preventive control.
Responses:
a.
The intruder can then withdraw money from the ATM cardholder accounts. (This
actually happened in California; the intruder was a systems consultant who had helped to
set up the communication system.) Digital encoding of data with the algorithm being
changed periodically, especially after the systems consultants have completed their jobs,
and the system is in use.
b.
Noise on the line may be causing line errors, which can result in data loss. Echo
checks and parity checks can help to detect and correct such errors.
c.
If data is being lost, echo checks and parity checks should also help; however, the
problem may be that an intruder is intercepting messages and tampering with them.
Message sequence numbering will help to determine if messages are being lost, and if
they are perhaps a request-response technique should be implemented that makes it
difficult for intruders to circumvent.
d.
If messages are being delayed, an important customer order or other information
could be missed. As in item c, message sequence numbering and request-response
techniques should be used.
e.
Messages altered by intruders can have a very negative impact on customersupplier relations if orders are being altered. In this case, data encryption is necessary to
prevent the intruder from reading and modifying the data. Also, a message sequence
numbering technique is necessary to make sure the message is not deleted.
7. Operating System Exposures and Controls
Required: For each scenario, discuss the potential consequences and give a
prevention technique.
Responses:
a.
A potential consequence is that hardware could be damaged if the sprinklers are
not strategically placed. Data losses could be incurred as well due to damaged storage
tapes. A corporate policy should be in place and strictly enforced banning food and drink
from this area. In case the alarms are set off, a water sprinkler system is not appropriate
due to the damage it can cause to a computer. The automatic fire extinguishing systems
should dispense an appropriate type of suppressant, such as carbon dioxide. Another
alternative is to have a warning sound that the automatic fire extinguishing system is
going to activate in a certain amount of time (maybe 5 seconds) if an override button is
not pushed. In the case of a fire, this will allow the systems personnel time to protect
themselves from the suppressant, which will be sprayed.

b.
The exposure in this situation is that user IDs and passwords residing in main
memory will be dumped and used to gain unauthorized access to the system. One method
would be to configure the operating system so that in the case of a failure, the contents of
main memory is to be dumped to a disk file only. Further, a password, or maybe a
combination of passwords, should be necessary to retrieve the data from the disk.
c.
Employees that have been terminated should also have their passwords expired
immediately. The network should require a password to log on.
d.
The potential exposure is that data and/or application programs may ultimately
be lost if the virus is not caught before it causes damage. Antivirus software should be
placed onto the network server to prevent any files from being uploaded before they are
checked for viruses. Also, an antiviral program should examine the network server to
detect any viruses.
e.
Upon Murrays announcement that he is leaving, his passwords should be
expired immediately. Further, since he has had access to all other users passwords, a
message should immediately be sent to all users requiring them to change their passwords
immediately or have the account expire. The account will have to be re-established with a
new password if the user does not change his/her password within the time period, maybe
24 hours. During this 24-hour period, all log on attempts with old passwords should fail;
the only action which should be allowed is the changing of the old passwords.

8. Encryption
Required: Determine the key used to produce the coded message and decode it.
Response: Key = +3, Decoded message:
LETS DO JULIUS ON MONDAY MARCH 15
DRESS: TOGA CASUAL (Bring Your Own Dagger)
9. Security and Control Assessment
Required: Based on BBCs plans for the implementation of a new computer
system, describe the potential risks and needed controls. Classify these according to the
relevant areas of the COSO framework.
Response: The potential risks in BBC new computer-based information system are as
follows:
Security
BBC should hold a training seminar since most employees will be using the computer
system. The purpose of the seminar is to educate users on the policies and procedures of
the system and to inform them about viruses and measures they can take to prevent
infection.
Virus updates should be performed on a daily basis by the systems administrator rather
than on a weekly basis.
If a password is entered incorrectly three times, the system should automatically reject
any further entries, this is a security measure that prevents someone from attempting to
gain unauthorized access to another users account. If this situation arises, the system
should make note of the date and time in case this information is ever needed in an
investigation.
Passwords should be changed at least twice a year. The more often passwords are
changed the more secure the system will be. Furthermore, software should be installed
that rejects weak passwords.
Event monitoring should be used for purposes of a systems audit trail. The system will
record the user name and then all information regarding the tasks performed during the
period that they are logged on.
An upper level manger should also have access to the transaction log. This will prevent
the systems administrator from potentially trying to hide his own fraudulent actions
involving the computer system.
To prevent against physical damage in the case of fire, a water sprinkler system is not
appropriate due to the damage it can cause to a computer. The automatic fire
extinguishing systems should dispense an appropriate type of suppressant, such as carbon
dioxide.
Systems Development

Employees should not be allowed to purchase and install software on company computers
even if it is for work related reasons. All software should be purchased from single
company to ensure reliability and compatibility.
Program Changes
The newly hired systems administrator should not be involved in the initial computer
programming since they will be updating the system when needed. This person would
have the knowledge of how to hide illegal changes.
All systems changes should be carefully documented and filed. This serves as a control
and can help somebody see exactly what was done if a problem with the change occurs.
10. Encryption
Response: Answers will vary among the class. This is a fun assignment that
results in interesting coding schemes.
Problems 1114 will result in varying answers.