
Chapter 3: Security Part 1

Operating Systems and Networks


Auditing Operating Systems

• The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
Operating System Objectives

• The operating system performs three main tasks.
• First, it translates high-level languages such as COBOL, C++, BASIC, and SQL into the machine-level language that the computer can execute.
• Second, the operating system allocates computer resources to users, workgroups, and applications.
• Third, the operating system manages the tasks of job scheduling and multiprogramming.
• Jobs are submitted to the system in three ways:
  1. Directly by the system operator
  2. From various batch-job queues, and
  3. Through telecommunications links from remote workstations
Operating System Security

• Involves policies, procedures, and controls that determine who can access the operating system.
• Log-on procedures: a formal log-on procedure is the operating system's first line of defense against unauthorized access.
• Access token: if the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user ID, password, and the privileges granted to the user.
• Access control list: an access control list is assigned to each IT resource and controls access to that resource.
• Discretionary access privileges: the central system administrator usually determines who is granted access to specific resources and maintains the access control list.
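The log-on procedure, access token, access control list and discretionary granting described above, as an added example that is not part of the original slides. The user store, passwords, resource name and the rule that only the owner or an "admin" privilege holder may change an ACL are all constructed assumptions for this illustration; the token deliberately carries the user ID and privileges but not the password.

```python
"""Log-on, access token and access control list (added example, constructed data)."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _hash(salt: str, password: str) -> str:
    # Plain SHA-256 keeps the example short; a real store uses a slow password hash.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store: user ID -> (salt, password hash, privileges).
USERS = {
    "alice": ("salt-a", _hash("salt-a", "s3cret-a"), frozenset({"operator"})),
    "bob":   ("salt-b", _hash("salt-b", "s3cret-b"), frozenset()),
}


@dataclass(frozen=True)
class AccessToken:
    """Created only after a successful log-on; carries the user ID and the
    privileges granted to the user. The password is not copied into it."""
    user_id: str
    privileges: frozenset


def log_on(user_id: str, password: str):
    """Formal log-on procedure: returns an AccessToken on success, else None."""
    entry = USERS.get(user_id)
    if entry is None:
        return None
    salt, stored_hash, privileges = entry
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(stored_hash, _hash(salt, password)):
        return None
    return AccessToken(user_id, privileges)


@dataclass
class Resource:
    """An IT resource with its own access control list (user ID -> rights)."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)

    def grant(self, granter: AccessToken, user_id: str, rights: set) -> None:
        """Discretionary access privilege (assumed rule): only the resource
        owner, or a holder of the 'admin' privilege, may extend this ACL."""
        if granter.user_id != self.owner and "admin" not in granter.privileges:
            raise PermissionError(f"{granter.user_id} may not change the ACL of {self.name}")
        self.acl.setdefault(user_id, set()).update(rights)


def check_access(token: AccessToken, resource: Resource, right: str) -> bool:
    """Every access to the resource is mediated by its ACL; absent entry means no right."""
    return right in resource.acl.get(token.user_id, set())


if __name__ == "__main__":
    alice = log_on("alice", "s3cret-a")
    payroll = Resource("payroll.db", owner="alice")
    payroll.grant(alice, "bob", {"read"})
    bob = log_on("bob", "s3cret-b")
    print(check_access(bob, payroll, "read"), check_access(bob, payroll, "write"))
```

A failed log-on yields no token at all, so nothing downstream can be called for that user; a granted right is checked on every access rather than once at log-on, which is what makes revoking an ACL entry effective immediately.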
Threats to Operating System Integrity

• Operating system control objectives may not be achieved because of flaws in the operating system that are exploited either accidentally or intentionally.
Operating System Controls and Audit Tests

• If operating system integrity is compromised, controls within individual accounting applications that impact financial reporting may also be compromised.
• Controlling access privileges
  - Audit procedures relating to access privileges
• Password controls
  - Audit objectives relating to passwords
• Controlling against malicious and destructive programs
  - Audit objectives relating to viruses
  - Audit procedures relating to viruses
• System audit trail controls
  - Keystroke monitoring
  - Event monitoring
• Setting audit trail objectives
  - Detecting unauthorized access
  - Reconstructing events
  - Personal accountability
• Implementing a system audit trail
  - Audit objectives relating to system audit trails
  - Audit procedures relating to system audit trails
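The three audit trail objectives listed above (detecting unauthorized access, reconstructing events, personal accountability) applied to an event log, as an added example that is not from the original slides. The log lines, their field layout (timestamp, user, terminal, event, outcome, object), the user names, the record ID and the threshold of three failed log-ons in five minutes are all constructed assumptions.

```python
"""System audit trail queries (added example over constructed log lines)."""
from collections import deque
from datetime import datetime, timedelta

# Constructed event-monitoring trail: timestamp user terminal event outcome object
AUDIT_TRAIL = """\
2024-03-01T08:00:01 alice TERM07 LOGON success -
2024-03-01T08:05:12 alice TERM07 UPDATE success AR-1042
2024-03-01T08:06:40 alice TERM07 LOGOFF success -
2024-03-01T22:14:03 bob TERM12 LOGON failure -
2024-03-01T22:14:20 bob TERM12 LOGON failure -
2024-03-01T22:14:41 bob TERM12 LOGON failure -
2024-03-01T22:15:02 bob TERM12 LOGON success -
2024-03-01T22:16:30 bob TERM12 UPDATE success AR-1042
2024-03-01T22:17:05 bob TERM12 LOGOFF success -
"""


def parse_trail(text: str) -> list:
    """Turn the raw trail into dicts with a real datetime for sorting."""
    events = []
    for line in text.splitlines():
        ts, user, terminal, event, outcome, obj = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "terminal": terminal, "event": event,
                       "outcome": outcome, "object": obj})
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Detecting unauthorized access: report each user whose failed LOGONs
    reach `threshold` inside a sliding time window (assumed policy)."""
    recent = {}      # user -> times of failures still inside the window
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event"] != "LOGON" or e["outcome"] != "failure":
            continue
        q = recent.setdefault(e["user"], deque())
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:          # fire once, when the threshold is first reached
            alerts.append((e["user"], e["terminal"], q[0].isoformat()))
    return alerts


def reconstruct_record_history(events, record_id):
    """Reconstructing events: every touch of one record in time order, with the
    user and terminal responsible, which is also the personal-accountability view."""
    return [(e["time"].isoformat(), e["user"], e["terminal"], e["event"])
            for e in sorted(events, key=lambda e: e["time"])
            if e["object"] == record_id]


def off_hours_changes(events, start_hour=7, end_hour=19):
    """Successful UPDATEs outside assumed business hours, a query an auditor
    would run to pick out changes that need follow-up with the named user."""
    return [(e["user"], e["object"]) for e in events
            if e["event"] == "UPDATE" and e["outcome"] == "success"
            and not start_hour <= e["time"].hour < end_hour]


if __name__ == "__main__":
    ev = parse_trail(AUDIT_TRAIL)
    print(failed_logon_bursts(ev))
    print(reconstruct_record_history(ev, "AR-1042"))
    print(off_hours_changes(ev))
```

Note that the burst detector and the record history answer different audit questions from the same trail: the first flags the repeated failures before bob's eventual success, the second shows that AR-1042 was changed twice and by whom, which is the accountability evidence an auditor needs when such a change is questioned.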
Auditing Networks

• Reliance on networks for business communications poses concern about unauthorized access to confidential information.
Intranet Risks and Internet Risks

• Intranet risks: intranets consist of small LANs and large WANs that may contain thousands of individual nodes.
  - Interception of network messages
  - Access to corporate databases
  - Privileged employees
• Internet risks: this section looks at three of the more significant business risks associated with Internet commerce.
  - IP spoofing
  - Denial of service attacks
    1. SYN flood attack
    2. Smurf attack
    3. Distributed denial of service
    4. Motivation behind DoS attacks
Controlling Networks

• In the following section, we examine various control techniques employed to mitigate the risks outlined in the previous section.
Controlling Risks from Subversive Threats

• Firewalls: organizations connected to the Internet or other public networks often implement an electronic firewall to insulate their intranet from outside intruders. A firewall is a system that enforces access control between two networks. To accomplish this, two types are used:
  - Network-level firewalls
  - Application-level firewalls
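A network-level firewall of the kind just described, reduced to its core, a first-match rule base with default deny, as an added example that is not part of the original slides. The intranet range 10.0.0.0/8, the web server address 10.0.1.10, the rule set and the packets are constructed assumptions; the example also shows why rule order matters, since the anti-spoofing rule (which addresses the IP spoofing risk named earlier) only works when it sits above the rule that admits outside traffic.

```python
"""Network-level packet filter (added example, constructed rule base)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    direction: str    # "in" (arriving from the public network) or "out" (leaving the intranet)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str        # "tcp", "udp" or "any"
    dport: tuple      # inclusive destination-port range


def rule(action, direction, src, dst, proto="any", dport=(0, 65535)):
    return Rule(action, direction, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), proto, dport)


# Constructed rule base: intranet 10.0.0.0/8, one public HTTPS server at 10.0.1.10.
# Rules are evaluated top to bottom and the first match decides; no match means deny.
RULES = [
    # Anti-spoofing: a packet arriving from outside must never claim an intranet source.
    rule("deny", "in", "10.0.0.0/8", "0.0.0.0/0"),
    # Outside users may reach only the web server, and only on HTTPS.
    rule("allow", "in", "0.0.0.0/0", "10.0.1.10/32", "tcp", (443, 443)),
    # Intranet hosts may browse the Internet over HTTP and HTTPS.
    rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", "tcp", (80, 80)),
    rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", "tcp", (443, 443)),
]


def filter_packet(rules, direction, src, dst, proto, dport) -> str:
    """Return 'allow' or 'deny' for one packet header; unmatched packets are denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.direction == direction and s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return "deny"


if __name__ == "__main__":
    print(filter_packet(RULES, "in", "203.0.113.5", "10.0.1.10", "tcp", 443))   # allow
    print(filter_packet(RULES, "in", "10.0.5.5", "10.0.1.10", "tcp", 443))      # deny (spoofed)
    print(filter_packet(RULES, "out", "10.0.2.3", "198.51.100.7", "udp", 53))   # deny (no rule)
```

When auditing a firewall rule base, reviewing the order is as important as reviewing the individual rules: with the first two rules swapped, the same spoofed packet is admitted by the HTTPS allow rule before the deny rule is ever consulted.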

• Controlling denial of service attacks: a previous section described three common forms of denial of service attacks: SYN flood, smurf, and distributed denial of service (DDoS) attacks.
Encryption

• Encryption is the conversion of data into a secret code for storage in databases and transmission over networks.
• Digital signatures: electronic authentication that cannot be forged.
• Digital certificate: the aforementioned process proves that the message received was not tampered with during transmission.
• Message sequence numbering
• Message transaction log
• Request-response technique
• Call-back devices
• Audit objectives relating to subversive threats
• Audit procedures relating to subversive threats
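Message sequence numbering, the message transaction log and tamper detection working together, as an added example that is not part of the original slides. The shared key, the message format and the three transfers are constructed; the authentication tag is an HMAC rather than a public-key digital signature (the standard library has no signature primitive), which gives the same tamper-detection property for this demonstration but not the non-repudiation a true signature provides.

```python
"""Sequence-numbered, authenticated messages with a transaction log (added example)."""
import hashlib
import hmac
import json


class Sender:
    """Numbers every message consecutively and appends an authentication tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: dict) -> str:
        self.seq += 1
        body = json.dumps({"seq": self.seq, "payload": payload}, sort_keys=True)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "|" + tag


class Receiver:
    """Checks the tag, then the sequence number, and logs every message seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 1
        self.log = []        # message transaction log: (status, sequence number or None)

    def receive(self, message: str) -> str:
        body, _, tag = message.rpartition("|")
        good = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, good):
            self.log.append(("tampered", None))      # altered in transit or forged
            return "tampered"
        seq = json.loads(body)["seq"]
        if seq < self.expected:
            status = "replay"        # already processed: a duplicate or replayed message
        elif seq > self.expected:
            status = "gap"           # one or more messages lost or deleted in transit
            self.expected = seq + 1
        else:
            status = "ok"
            self.expected += 1
        self.log.append((status, seq))
        return status


if __name__ == "__main__":
    key = b"constructed-shared-key"
    s, r = Sender(key), Receiver(key)
    m1 = s.send({"amount": 100, "to": "ACME"})
    m2 = s.send({"amount": 250, "to": "ACME"})
    print(r.receive(m1), r.receive(m1), r.receive(m2.replace('"amount": 250', '"amount": 950')))
```

The order of the checks matters: the tag is verified before the sequence number is even parsed, so an attacker cannot disturb the receiver's sequence state with a message they could not authenticate, and every outcome, including rejections, lands in the log that the audit procedures for subversive threats would later examine.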
Controlling Risks from Equipment Failure

• Line errors: the most common problem in data communications is data loss due to line errors.
• Echo check: involves the receiver of the message returning the message to the sender.
• Parity check: incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted.
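The two line-error controls just listed, parity check and echo check, as an added example that is not part of the original slides; the bit strings and the simulated line faults are constructed. The example also shows the known limit of a single parity bit: two flipped bits cancel out and pass the check.

```python
"""Parity check and echo check (added example, constructed bit strings)."""


def parity_bit(bits: str, even: bool = True) -> str:
    """The extra bit that makes the total count of 1s even (or odd, if even=False)."""
    ones = bits.count("1")
    return "0" if (ones % 2 == 0) == even else "1"


def add_parity(bits: str, even: bool = True) -> str:
    """Frame as created or transmitted: data bits followed by the parity bit."""
    return bits + parity_bit(bits, even)


def check_parity(frame: str, even: bool = True) -> bool:
    """True when the received frame (data + parity bit) still has the agreed parity."""
    return (frame.count("1") % 2 == 0) == even


def flip(frame: str, positions) -> str:
    """Simulate line errors by inverting the bits at the given positions."""
    out = list(frame)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)


def echo_check(sent: str, channel) -> bool:
    """Echo check: the receiver returns what it received and the sender compares
    the echo with the original. `channel` models the line in each direction."""
    received = channel(sent)
    echoed = channel(received)
    return echoed == sent


if __name__ == "__main__":
    frame = add_parity("1011001")                       # four 1s, so parity bit 0
    print(frame, check_parity(frame))                   # 10110010 True
    print(check_parity(flip(frame, [2])))               # one bit flipped: False
    print(check_parity(flip(frame, [2, 5])))            # two bits flipped: True (undetected)
    print(echo_check(frame, lambda f: "0" + f[1:]))     # line forces bit 0 low: False
```

A single parity bit catches any odd number of flipped bits and misses any even number, which is why it is adequate for the occasional line error the slides describe but not for burst errors; the echo check costs a full round trip per message but detects any change that survives to the echo.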
Auditing Electronic Data Interchange (EDI)

• EDI is the intercompany exchange of computer-processible business information in standard format.
• EDI standards: the key to EDI success is the use of a standard format for messaging between dissimilar systems.
• Benefits of EDI: EDI has made considerable inroads in a number of industries, including automotive, groceries, retail, health care, and electronics.
• Financial EDI: using electronic funds transfer (EFT) for cash disbursements and cash receipts is more complicated than using EDI for purchasing and selling activities.
• EDI controls: the absence of human intervention in the EDI process presents a unique twist to traditional control problems, including ensuring that transactions are authorized and valid, preventing unauthorized access to data files, and maintaining an audit trail of transactions.
• Access controls: to function smoothly, EDI trading partners must permit a degree of access to private data files that would be forbidden in a traditional environment.
• EDI audit trail: the absence of source documents in EDI transactions eliminates the traditional audit trail and restricts the ability of accountants to verify the validity, completeness, timing, and accuracy of transactions.
Auditing PC-Based Accounting Systems and PC-System Risks and Controls

• The software market offers hundreds of PC-based accounting systems.
• As previously discussed, the computer operating system and network control techniques in mainframe and distributed environments provide effective system security.
• Operating system weaknesses
• Weak access control
• Inadequate segregation of duties
• Multilevel password control
• Risks of theft
• Weak backup procedures
• Risks of virus infection
• Audit objectives associated with PC security
• Audit procedures associated with PC security
The discussion then turned to EDI

• where firms are faced with a variety of exposures that arise in connection with an environment void of human intermediaries to authorize or review transactions. Controls in an EDI environment are achieved primarily through programmed procedures to authorize transactions, limit access to data files, and ensure that the transactions the system processes are valid.

Three of the most serious exposures are:
1. The lack of properly segregated duties,
2. PC operating systems that do not have the sophistication of mainframes and expose data to unauthorized access, and
3. Computer failures and inadequate backup procedures that rely too heavily on human intervention and thus threaten the security of accounting records.
