SlideShare a Scribd company logo

Chapter 3 security part i auditing operating systems and networks

Download as PPTX, PDF
T
Tommy Zul Hidayat

Auditing OS and Networks

Technology
1 of 63
Chapter 3: Security Part I: Auditing Operating Systems and Networks IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 16/01/2017 0
Learning Objectives • Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures. • Be familiar with the principal risks associated with commerce conducted over intranets and the Internet and understand the control techniques used to reduce these risks. • Be familiar with the risks associated with personal computing systems. • Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced. 16/01/2017 1
Operating System Control Objectives • Protect itself against tampering by users. • Protect users from accessing, destroying, or corrupting another user’s programs or data. • Safeguard users’ application modules from destroying or corrupting other modules. • Safeguard its own modules from destroying or corrupting other modules. • Protect itself from its environment including power failures and other disasters. 16/01/2017 2
Operating Systems Security • Log-On Procedure: • First line of defense against unauthorized access consisting of user IDs and passwords. • Access Token: • Contains key information about the user which is used to approve actions attempted during the session. • Access Control List: • Assigned to each IT resource and used to control access to the resource. • Discretionary Access Privileges: • Allows user to grant access to another user. 16/01/2017 3
Threats to Operating System Integrity • Accidental threats include hardware failures and errors in user applications. • Intentional threats are often attempts to illegally access data or violate privacy for financial gain. • Growing threat is destructive programs with no apparent gain, which come from three sources: • Privileged personnel who abuse their authority. • Individuals who browse the operating system to identify and exploit security flaws. • Individuals who insert viruses or other destructive programs into the operating system, either intentionally or unintentionally. 16/01/2017 4
Operating Systems Controls • Access Privileges - Audit Objectives: • Verify that access privileges are consistent with separation of incompatible functions and organization policies. • Access Privileges - Audit Procedures: • Review policies for separating incompatible functions. • Review a sample of user privileges, especially access to data and programs. • Review security clearance checks of privileged employees. • Determine if users have formally acknowledged their responsibility to maintain data confidentiality. • Review users’ permitted log-on times. 16/01/2017 5
Password Controls • A password is a secret code user enters to gain access to system or data. • Common contra-security behaviors: • Forgetting passwords or failing to regularly change them. • Post-it-syndrome which puts passwords on display. • Simplistic passwords that are easy for criminals to anticipate. • Most commonly passwords are reusable. • Management should require changes and disallow weak ones. • One-time passwords are automatically generated constantly by the system when user enters a PIN. 16/01/2017 6
Operating Systems Controls • Password Control - Audit objectives: • Ensure adequacy and effectiveness of password policies for controlling access to the operating system. • Password Control - Audit procedures: • Verify passwords are required for all users and that new users are instructed in their use and importance. • Ensure controls requiring passwords to be changed regularly. • Review password file for weak passwords. • Verify encryption of the password file. • Assess the adequacy of password standards. • Review account lockout policies and procedures. 16/01/2017 7
Controlling Against Malicious & Destructive Programs • Organizations can reduce threats: • Purchase software from reputable vendors in original packages. • Policy pertaining to unauthorized or illegal software. • Examine upgrades and public-domain software for viruses before implementation and use. • Implement procedures for changing programs. • Educate users regarding threats. • Test all applications before implementation. • Make frequent backups and limit users to read and execute rights only whenever possible. • Require protocols to bypass Trojan horses and use antiviral software. 16/01/2017 8
Operating System Controls • Viruses & Destructive Programs - Audit objectives: • Verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses. • Viruses & Destructive Programs - Audit procedures: • Interviews to determine that operations personnel have been properly educated and are aware of risks. • Verify new software is tested on standalone workstations before being implemented. • Verify that antiviral software is current and that upgrades are frequency downloaded. 16/01/2017 9
System Audit Trail Controls • System audit trails are logs that record activity at the system, application and use level. • Two types of audit logs: • Keystroke monitoring involves recording user’s keystrokes and the system’s response. • Event monitoring summarizes key activities related to system resources. • Audit trails can be used to: detect unauthorized access, reconstruct events and promote personal accountability. • Benefits must be balanced against costs. 16/01/2017 10
Operating System Controls • System Audit Trails- Audit objectives: • Ensure established system audit trail is adequate for preventing and detecting abuses, reconstructing key events and planning resource allocation. • System Audit Trails- Audit procedures: • Verify audit trail has been activated per company policy. • Use data extraction tools to search for defined conditions such as: unauthorized users; periods of inactivity; periods of activity including log-on and log-off times; failed log-on attempts; and specific access. • Sample security violation cases and evaluate their disposition to assess security group effectiveness. 16/01/2017 11
Intranet Risks • Intercepting network messages: • Sniffing: Interception of user IDs, passwords, confidential e-mails, and financial data files. • Accessing corporate databases: • Connections to central databases increase risk data will be accessible to employees. • Privileged employees: • Overrides may allow unauthorized access critical data. • Organizations reluctance to prosecute. • Negligent hiring liability requires employers to check employee backgrounds. Courts holding employers responsible for employee criminal acts that could have been prevented with background check. 16/01/2017 12
Internet Risks • IP spoofing is masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity. • Denial of service (DOS) attack is an assault on a Web server to prevent it from servicing users. • Particularly devastating to business entities that cannot receive and process business transactions. • Motivation may be to punish an organization for a grievance or may be done for financial gain. • Network topologies are subject to risks from equipment failure which can cause corruption or loss. 16/01/2017 13
Three Common Types of DOS Attacks • SYN Flood: When the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying-up the receiving server while it waits. • Smurf: DOS attacker uses numerous intermediary computers to flood the target computer with test messages, “pings” causing network congestion. • Distributed Denial of Service:– May take the form of Smurf or SYN attacks, but distinguished by the vast number of zombie computers hijacked to launch the attacks. 16/01/2017 14
SMURF Attack 15
Distributed Denial of Service Attack 16
Controlling Risks from Subversive Threats • Firewalls prevent unauthorized access to or from a private network. To accomplish this: • All traffic between the outside network and organization’s intranet must pass through the firewall. • Only authorized traffic is allowed to pass through the firewall which must be immune to all penetration. • Network-level firewalls provide efficient, low security control. • Screening router examines source and destination addresses attached to incoming message packets but does not explicitly authenticate outside users. • Application-level firewalls provide higher, customizable network security, but add overhead cost. • Trade-off between convenience and security. 17
Dual-Homed Firewall 18
Controlling DOS Attacks • Smurf attacks: Organizations can program firewalls to ignore identified attacking site. • SYN flood attacks have two tactics: • Get Internet hosts to use firewalls that block invalid IP addresses. • Use security software to scan for half-open connections. • To counteract DDos attacks organizations use intrusion prevention systems (IPS) that employ deep packet inspection (DPI). • Works as a filter that removes malicious packets from the flow before they can affect servers and networks. 19
Encryption • Conversion of data into a secret code for storage and transmission. • Sender uses an encryption algorithm to convert the original cleartext message into a coded ciphertext which is decoded at receiving end. • Earliest is the Caesar cipher method. • Two fundamental components: • Key is a mathematical value sender selects. • Algorithm is procedure of shifting letters in cleartext message number of positions key value indicates. • Private key and public key encryption are two commonly used methods. 16/01/2017 20
EE3 and ED3 Encryption 21
Public Key Encryption 22
Digital Signatures & Certificate • Digital signature is electronic authentication that cannot be forged. • Sender uses a one-way hashing algorithm to calculate a digest of the text message which is encrypted to produce the digital signature. • Verifying the sender’s identity requires a digital certificate which is issued by a trusted third party called a certification authority (CA). • Public key encryption is central to digital authentication making public key management an important internal control issue. • Public key infrastructure (PKI) constitutes policies and procedures for administering this activity. 16/01/2017 23
Digital Signature 24
Other Subversive Threat Controls • Message sequence numbering inserts a sequence number in each message to prevent attempts to delete, change or duplicate a message. • Message transaction log records all attempted accesses with user ID, time of access and location. • Request-response technique sends control messages and responses randomly making it difficult for an intruder to circumvent. • Call-back device requires a dial-in user to enter and password and be identified. 16/01/2017 25
Operating Systems Controls • Subversive Threats- Audit objectives: • Verify security and integrity of financial transactions. • Determine network controls (1) can prevent and detect illegal access; (2) will render captured data useless; and (3) are sufficient to preserve integrity and security of data. • Subversive Threats - Audit procedures: • Review adequacy of firewall: flexibility, proxy services, filtering, segregation of systems; audit tools; weaknesses. • Verify IPS with DPI for organizations vulnerable to DDoS. • Review security procedures and message transaction logs. • Verify encryption process and test operation of the call-back feature. 16/01/2017 26
Controlling Risks from Equipment Failure • Line errors are losses from communications noise. • Techniques to detect and correct data errors: • Echo check - receiver returns the message to the sender. • Parity check - extra bit is added onto each byte of data similar to check digits. • Audit objective is to verify integrity of transactions by determining controls are in place to detect and correct message loss. • Audit procedures include examining a sample of messages for garbled content and verifying all corrupted messages were retransmitted. 16/01/2017 27
Vertical Parity Bit 28
Auditing Electronic Data Interchange (EDI) • EDI is the intercompany exchange of computer-processible business information in standard format. • Key to success is use of standard format for messaging between dissimilar systems. • Benefit of EDI: • Reduces or eliminates need for data entry. • Reduction of errors and paper forms. • Mailed documents replaced with cheaper transmissions. • Automated manual procedures and inventory reduction. 16/01/2017 29
Overview of EDI 30
Value-added Network and EDI 31
Auditing Electronic Data Interchange (EDI) • Electronic funds transfer (EFT) processing more complicated than EDI for purchasing and selling. • Converting remittance information to electronic form can result in very large records. • Both customer and supplier must establish EDI transactions are valid and authorized. • Some VANs have the capability of validating passwords and user ID codes for the vendor. • Before conversion, translation software can validate trading partner’s IDs and passwords. • Before processing, trading partner’s application software reference valid files to validate transaction. 32
EFT Transactions Between Trading Partners 33
Auditing Electronic Data Interchange (EDI) • Absence of source documents in EDI eliminates traditional audit trail and restricts audit tests. • Audit objectives relating to EDI are to determine: • Transactions are authorized, validated, and in compliance with the trading partner agreement. • No unauthorized organizations can gain access to database. • Authorized trading partners have access only to approved data. • Adequate controls are in place to ensure a complete audit trail. 34
EFT System Using Transaction Control Log for Audi Trail 35
Auditing Procedures for EDI • Tests of Authorization and Validation Controls: • Review agreements with VAN to validate transactions. • Review trading partner files for accuracy and completeness. • Tests of Access Controls: • Verify limited access to vendor and customer files. • Verify limited access of vendors to database. • Test EDI controls by attempting to violate access privileges. • Tests of Audit Trail Controls: • Verify existence of transaction logs. • Review a sample of transactions to verify key data values were recorded correctly. 36
PC Accounting System Modules 37
PC Systems Risks and Controls • Operating System Weaknesses: • PCs provide only minimal security for data files and programs. • Once computer criminal gains access to user’s PC, little to prevent stealing or manipulation of the data. • Weak access control. • Inadequate segregation of duties. • Multilevel password control used to restrict employees sharing computers. • Risk of theft and virus infection. • Weak backup procedures. 38
Audit Objectives Associated with PC Security • Auditor should verify: • Controls in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft. • Adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators. • Backup procedures are in place to prevent data and program loss due to system failures, errors and so on. • Systems selection and acquisition procedures produce applications that are high quality, and protected from unauthorized changes. • System virus free and adequately protected to minimize the risk of becoming infected with a virus or similar object. 39
Audit Procedures Associated with PC Security • Observe PCs are physically anchored. • Verify segregation of duties and/or adequate supervision. • Confirm reports are prepared, distributed, and reconciled by appropriate management at regular and timely intervals. • Determine multilevel password control as needed. • Verify drives are removed and stored appropriately. • Verify backup procedures are appropriate. • Verify software purchases and selection and acquisition procedures. • Review policy for using antiviral software. 40
Internet & Intranet Technologies and Malicious & Destructive Programs Appendix 16/01/2017 41
Internet Technologies • Packet switching: • Messages divided into small packets where each packet of the message may take a different routes. • Virtual private network (VPN) is a private network within a public network. • Extranet is a password controlled network for private users. • World Wide Web (WWW) is an Internet facility that links users locally and globally. • Web pages are maintained at Web sites which are computer servers that support HTTP. 42
Message Packet Switching 43
Internet Addresses • E-mail addresses: • Format is USERNAME@DOMAIN NAME • URL address: • Defines the path to a facility or file on the Web. • Subdirectories can be several levels deep. • IP address: • Every computer node and host attached to the Internet must have a unique Internet protocol (IP) address. 44
Protocols • Rules and standards governing design of hardware and software that permit network users to communicate and share data. • Functions include: • Facilitate physical connection between the network devices. • Synchronize transfer of data between physical devices. • Provide basis for error checking and measuring network performance. • Promote compatibility among network devices. • Promote network designs that are flexible, expandable, and cost-effective. 45
Internet Protocols • Transfer Control Protocol/Internet Protocol (TCP/IP) permits communication between Internet sites. • File Transfer Protocol (FTP) used to transfer files across the Internet. • Simple Network Mail Protocol (SNMP) transmits e-mail messages. • Secure Sockets Layer (SSL) and Secure Electronic Transmission (SET) are encryption schemes. • Network News Transfer Protocol used to connect to Usenet groups on the Internet. • HTTP and HTTP-NG control Web browsers. • HTML is the document format used to produce Web pages. 16/01/2017 46
Intranet Technologies • A network topology is the physical arrangement of network components. • Networks are classified as LANs or WANs: • Local area networks (LANs) can cover several miles and connect hundreds of users. • Networks that exceed geographic limitations of LANs are wide area networks (WANs). • The physical connection of workstations to the LAN is achieved through a network interface card (NIC). • A server is used to store the network operating system, application programs, and data to be shared. 16/01/2017 47
LAN with File and Print Servers 16/01/2017 48
Bridges and Gateways Linking LANs & WANs 16/01/2017 49
Star Topology • A network of IPUs with a large central computer (the host). • Host computer has direct connections to smaller computers, typically desktop or laptop PCs. • Popular for mainframe computing. • All communications must go through the host computer, except for local computing. 16/01/2017 50
Local Data Local Data Local Data Local Data Central Data POS POS POS POS POS Topeka St. Louis Kansas City Dallas Tulsa Star Network 16/01/2017 51
Hierarchical Topology • A host computer is connected to several levels of subordinate smaller computers in a master-slave relationship. 16/01/2017 52 Production Planning System Production Scheduling System Regional Sales System Warehouse System Warehouse System Production System Production System Sales Processing System Sales Processing System Sales Processing System Corporate Level Regional Level Local Level
Ring Topology • Configuration eliminates the central site. • All nodes in this configuration are of equal status (peers). • Responsibility for managing communications is distributed among the nodes. • Common resources that are shared by all nodes can be centralized and managed by a file server that is also a node. 16/01/2017 53
Ring Topology 16/01/2017 54
Bus Topology • Most popular LAN topology. 16/01/2017 55
Client-Server Topology • Configuration distributes the processing between the user’s (client’s) computer and the central file server. • Both types of computers are part of the network, but each is assigned functions that it best performs. • This approach reduces data communications traffic, thus reducing queues and increasing response time. 16/01/2017 56
Client-Server Topology 16/01/2017 57
Network Control oPurpose of network control is to: o Establish communications sessions. o Manage the flow of data across the network. o Detect and resolve data collisions between nodes. o Detect line failure of signal degeneration errors oTwo or more signals transmitted simultaneously will result in data collision which destroys messages. o Polling most popular technique for establishing a communication session in WANs. o Token passing involves transmitting special signal around the network. Only the node processing the token is allowed to transmit data. 16/01/2017 58
Pooling Method of Controlling Data Collisions 16/01/2017 59
Token-Passing Approach to Controlling Data Collisions 16/01/2017 60
Carrier Sensing • A random access technique that detects collisions when they occur. • Technique is used with bus topology. • Node wishing to transmit listens to determine if line is in use. If it is, it waits a pre-specified time to transmit. • Collisions occur when nodes hear no transmissions, and then simultaneously transmit. • Data collides and nodes instructed to hang up and try again. • Ethernet is the best-know LAN using this standard. 16/01/2017 61
Malicious & Destructive Programs • Virus is a program that attaches itself to a legitimate program to penetrate the operating system and destroy programs, files and the operating system itself. • Worm is used interchangeably with virus. • Logic bomb is a destructive program triggered by some predetermined event or date. • Back door (or trap door) is a software program that allows unauthorized access to a system. • Trojan horse program purpose is to capture IDs and passwords. 16/01/2017 62

Recommended

Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsjayussuryawan
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsjayussuryawan
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksjayussuryawan
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controlTommy Zul Hidayat
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsTommy Zul Hidayat
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controljayussuryawan
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Vhena Pilongo
 

Recommended

Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsjayussuryawan
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsjayussuryawan
 
Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksjayussuryawan
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controlTommy Zul Hidayat
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsTommy Zul Hidayat
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
Chapter 1 auditing and internal control
Chapter 1 auditing and internal controlChapter 1 auditing and internal control
Chapter 1 auditing and internal controljayussuryawan
 
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...
Chapter 6: Transaction Processing and Financial Reporting Systems Overview (C...Vhena Pilongo
 
Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Habib Ullah Qamar
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspectiveermin08
 
James hall ch 3
James hall ch 3James hall ch 3
James hall ch 3David Julian
 
Chapter 7
Chapter 7Chapter 7
Chapter 7Seth Nurul
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Magnolia Raz
 
Lecture 16 internal control - james a. hall book chapter 3
Lecture 16 internal control - james a. hall book chapter 3Lecture 16 internal control - james a. hall book chapter 3
Lecture 16 internal control - james a. hall book chapter 3Habib Ullah Qamar
 
Chapter 7.audit 2docx
Chapter 7.audit 2docxChapter 7.audit 2docx
Chapter 7.audit 2docxESHETIE MEKONENE AMARE
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approachkzoe1996
 
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptxOliviaCelestine
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkAziz Fataliyev, Internal Audit Practitioner
 
James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4David Julian
 
James hall ch 1
James hall ch 1James hall ch 1
James hall ch 1David Julian
 
Auditing in a computer environment copy
Auditing in a computer environment copyAuditing in a computer environment copy
Auditing in a computer environment copySaleh Rashid
 
09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaanMulyadi Yusuf
 
James hall ch 2
James hall ch 2James hall ch 2
James hall ch 2David Julian
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit Sreekanth Narendran
 
Integrated Test Facility
Integrated Test FacilityIntegrated Test Facility
Integrated Test Facilitykzoe1996
 
Chapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportChapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportJamesChaves3
 
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...Lecture 22 expenditure cycle part ii - payroll processing accounting informa...
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...Habib Ullah Qamar
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)Osareme Erhomosele
 
FBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareFBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareDavid Sweigert
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacysoftware-engineering-book
 

More Related Content

What's hot

Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Habib Ullah Qamar
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspectiveermin08
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Magnolia Raz
 
Lecture 16 internal control - james a. hall book chapter 3
Lecture 16 internal control - james a. hall book chapter 3Lecture 16 internal control - james a. hall book chapter 3
Lecture 16 internal control - james a. hall book chapter 3Habib Ullah Qamar
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approachkzoe1996
 
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptxOliviaCelestine
 
Auditing in a computer environment copy
Auditing in a computer environment copyAuditing in a computer environment copy
Auditing in a computer environment copySaleh Rashid
 
09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaanMulyadi Yusuf
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit Sreekanth Narendran
 
Integrated Test Facility
Integrated Test FacilityIntegrated Test Facility
Integrated Test Facilitykzoe1996
 
Chapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportChapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportJamesChaves3
 
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...Lecture 22 expenditure cycle part ii - payroll processing accounting informa...
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...Habib Ullah Qamar
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)Osareme Erhomosele
 

What's hot (20)

Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3Lecture 17 sas framework internal control - james a. hall book chapter 3
Lecture 17 sas framework internal control - james a. hall book chapter 3
 
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's PerspectiveChapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspective
 
James hall ch 3
James hall ch 3James hall ch 3
James hall ch 3
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.
 
Lecture 16 internal control - james a. hall book chapter 3
Lecture 16 internal control - james a. hall book chapter 3Lecture 16 internal control - james a. hall book chapter 3
Lecture 16 internal control - james a. hall book chapter 3
 
Chapter 7.audit 2docx
Chapter 7.audit 2docxChapter 7.audit 2docx
Chapter 7.audit 2docx
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approach
 
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
521974482-AUDITING-and-ASSURANCE-Specialized-Industries-1.pptx
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
 
James hall ch 4
James hall ch 4James hall ch 4
James hall ch 4
 
James hall ch 1
James hall ch 1James hall ch 1
James hall ch 1
 
Auditing in a computer environment copy
Auditing in a computer environment copyAuditing in a computer environment copy
Auditing in a computer environment copy
 
09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan
 
James hall ch 2
James hall ch 2James hall ch 2
James hall ch 2
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
 
Integrated Test Facility
Integrated Test FacilityIntegrated Test Facility
Integrated Test Facility
 
Chapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-reportChapter 12-fraud-and-error-report
Chapter 12-fraud-and-error-report
 
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...Lecture 22 expenditure cycle part ii - payroll processing accounting informa...
Lecture 22 expenditure cycle part ii - payroll processing accounting informa...
 
General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)General Ledger and Financial Reporting System (GLFRS)
General Ledger and Financial Reporting System (GLFRS)
 

Similar to Chapter 3 security part i auditing operating systems and networks

FBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareFBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareDavid Sweigert
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacysoftware-engineering-book
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7limsh
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptxdotco
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power pointbodo-con
 
Chapter 13
Chapter 13Chapter 13
Chapter 13bodo-con
 
attack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptxattack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptxJenetSilence
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Knoldus Inc.
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).pptGooglePay16
 
System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxrahulkumarcscsf21
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Penentration testing
Penentration testingPenentration testing
Penentration testingtahreemsaleem
 
What is penetration testing
What is penetration testingWhat is penetration testing
What is penetration testingsakshisoni076
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Week-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptxWeek-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptxyasirkhokhar7
 

Similar to Chapter 3 security part i auditing operating systems and networks (20)

FBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from RansomwareFBI Memo on How to Protect Yourself from Ransomware
FBI Memo on How to Protect Yourself from Ransomware
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power point
 
Chapter 13
Chapter 13Chapter 13
Chapter 13
 
attack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptxattack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptx
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Security (IM).ppt
Security (IM).pptSecurity (IM).ppt
Security (IM).ppt
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptx
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Penentration testing
Penentration testingPenentration testing
Penentration testing
 
What is penetration testing
What is penetration testingWhat is penetration testing
What is penetration testing
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Week-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptxWeek-09-10-11-12 Fundamentals of Cybersecurity.pptx
Week-09-10-11-12 Fundamentals of Cybersecurity.pptx
 
Application security
Application securityApplication security
Application security
 

Recently uploaded

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 

Recently uploaded (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Chapter 3 security part i auditing operating systems and networks

  • 1. Chapter 3: Security Part I: Auditing Operating Systems and Networks IT Auditing, Hall, 4e © 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use. 16/01/2017 0
  • 2. Learning Objectives • Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures. • Be familiar with the principal risks associated with commerce conducted over intranets and the Internet and understand the control techniques used to reduce these risks. • Be familiar with the risks associated with personal computing systems. • Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced. 16/01/2017 1
  • 3. Operating System Control Objectives • Protect itself against tampering by users. • Protect users from accessing, destroying, or corrupting another user’s programs or data. • Safeguard users’ application modules from destroying or corrupting other modules. • Safeguard its own modules from destroying or corrupting other modules. • Protect itself from its environment including power failures and other disasters. 16/01/2017 2
  • 4. Operating Systems Security • Log-On Procedure: • First line of defense against unauthorized access consisting of user IDs and passwords. • Access Token: • Contains key information about the user which is used to approve actions attempted during the session. • Access Control List: • Assigned to each IT resource and used to control access to the resource. • Discretionary Access Privileges: • Allows user to grant access to another user. 16/01/2017 3
  • 5. Threats to Operating System Integrity • Accidental threats include hardware failures and errors in user applications. • Intentional threats are often attempts to illegally access data or violate privacy for financial gain. • Growing threat is destructive programs with no apparent gain, which come from three sources: • Privileged personnel who abuse their authority. • Individuals who browse the operating system to identify and exploit security flaws. • Individuals who insert viruses or other destructive programs into the operating system, either intentionally or unintentionally. 16/01/2017 4
  • 6. Operating Systems Controls • Access Privileges - Audit Objectives: • Verify that access privileges are consistent with separation of incompatible functions and organization policies. • Access Privileges - Audit Procedures: • Review policies for separating incompatible functions. • Review a sample of user privileges, especially access to data and programs. • Review security clearance checks of privileged employees. • Determine if users have formally acknowledged their responsibility to maintain data confidentiality. • Review users’ permitted log-on times. 16/01/2017 5
  • 7. Password Controls • A password is a secret code user enters to gain access to system or data. • Common contra-security behaviors: • Forgetting passwords or failing to regularly change them. • Post-it-syndrome which puts passwords on display. • Simplistic passwords that are easy for criminals to anticipate. • Most commonly passwords are reusable. • Management should require changes and disallow weak ones. • One-time passwords are automatically generated constantly by the system when user enters a PIN. 16/01/2017 6
  • 8. Operating Systems Controls • Password Control - Audit objectives: • Ensure adequacy and effectiveness of password policies for controlling access to the operating system. • Password Control - Audit procedures: • Verify passwords are required for all users and that new users are instructed in their use and importance. • Ensure controls requiring passwords to be changed regularly. • Review password file for weak passwords. • Verify encryption of the password file. • Assess the adequacy of password standards. • Review account lockout policies and procedures. 16/01/2017 7
  • 9. Controlling Against Malicious & Destructive Programs • Organizations can reduce threats: • Purchase software from reputable vendors in original packages. • Policy pertaining to unauthorized or illegal software. • Examine upgrades and public-domain software for viruses before implementation and use. • Implement procedures for changing programs. • Educate users regarding threats. • Test all applications before implementation. • Make frequent backups and limit users to read and execute rights only whenever possible. • Require protocols to bypass Trojan horses and use antiviral software. 16/01/2017 8
  • 10. Operating System Controls • Viruses & Destructive Programs - Audit objectives: • Verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses. • Viruses & Destructive Programs - Audit procedures: • Interviews to determine that operations personnel have been properly educated and are aware of risks. • Verify new software is tested on standalone workstations before being implemented. • Verify that antiviral software is current and that upgrades are frequency downloaded. 16/01/2017 9
  • 11. System Audit Trail Controls • System audit trails are logs that record activity at the system, application and use level. • Two types of audit logs: • Keystroke monitoring involves recording user’s keystrokes and the system’s response. • Event monitoring summarizes key activities related to system resources. • Audit trails can be used to: detect unauthorized access, reconstruct events and promote personal accountability. • Benefits must be balanced against costs. 16/01/2017 10
  • 12. Operating System Controls • System Audit Trails- Audit objectives: • Ensure established system audit trail is adequate for preventing and detecting abuses, reconstructing key events and planning resource allocation. • System Audit Trails- Audit procedures: • Verify audit trail has been activated per company policy. • Use data extraction tools to search for defined conditions such as: unauthorized users; periods of inactivity; periods of activity including log-on and log-off times; failed log-on attempts; and specific access. • Sample security violation cases and evaluate their disposition to assess security group effectiveness. 16/01/2017 11
  • 13. Intranet Risks • Intercepting network messages: • Sniffing: Interception of user IDs, passwords, confidential e-mails, and financial data files. • Accessing corporate databases: • Connections to central databases increase risk data will be accessible to employees. • Privileged employees: • Overrides may allow unauthorized access critical data. • Organizations reluctance to prosecute. • Negligent hiring liability requires employers to check employee backgrounds. Courts holding employers responsible for employee criminal acts that could have been prevented with background check. 16/01/2017 12
  • 14. Internet Risks • IP spoofing is masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity. • Denial of service (DOS) attack is an assault on a Web server to prevent it from servicing users. • Particularly devastating to business entities that cannot receive and process business transactions. • Motivation may be to punish an organization for a grievance or may be done for financial gain. • Network topologies are subject to risks from equipment failure which can cause corruption or loss. 16/01/2017 13
  • 15. Three Common Types of DOS Attacks • SYN Flood: When the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying-up the receiving server while it waits. • Smurf: DOS attacker uses numerous intermediary computers to flood the target computer with test messages, “pings” causing network congestion. • Distributed Denial of Service:– May take the form of Smurf or SYN attacks, but distinguished by the vast number of zombie computers hijacked to launch the attacks. 16/01/2017 14
  • 17. Distributed Denial of Service Attack 16
  • 18. Controlling Risks from Subversive Threats • Firewalls prevent unauthorized access to or from a private network. To accomplish this: • All traffic between the outside network and organization’s intranet must pass through the firewall. • Only authorized traffic is allowed to pass through the firewall which must be immune to all penetration. • Network-level firewalls provide efficient, low security control. • Screening router examines source and destination addresses attached to incoming message packets but does not explicitly authenticate outside users. • Application-level firewalls provide higher, customizable network security, but add overhead cost. • Trade-off between convenience and security. 17
  • 20. Controlling DOS Attacks • Smurf attacks: Organizations can program firewalls to ignore identified attacking site. • SYN flood attacks have two tactics: • Get Internet hosts to use firewalls that block invalid IP addresses. • Use security software to scan for half-open connections. • To counteract DDos attacks organizations use intrusion prevention systems (IPS) that employ deep packet inspection (DPI). • Works as a filter that removes malicious packets from the flow before they can affect servers and networks. 19
  • 21. Encryption • Conversion of data into a secret code for storage and transmission. • Sender uses an encryption algorithm to convert the original cleartext message into a coded ciphertext which is decoded at receiving end. • Earliest is the Caesar cipher method. • Two fundamental components: • Key is a mathematical value sender selects. • Algorithm is procedure of shifting letters in cleartext message number of positions key value indicates. • Private key and public key encryption are two commonly used methods. 16/01/2017 20
  • 22. EE3 and ED3 Encryption 21
  • 24. Digital Signatures & Certificate • Digital signature is electronic authentication that cannot be forged. • Sender uses a one-way hashing algorithm to calculate a digest of the text message which is encrypted to produce the digital signature. • Verifying the sender’s identity requires a digital certificate which is issued by a trusted third party called a certification authority (CA). • Public key encryption is central to digital authentication making public key management an important internal control issue. • Public key infrastructure (PKI) constitutes policies and procedures for administering this activity. 16/01/2017 23
  • 26. Other Subversive Threat Controls • Message sequence numbering inserts a sequence number in each message to prevent attempts to delete, change or duplicate a message. • Message transaction log records all attempted accesses with user ID, time of access and location. • Request-response technique sends control messages and responses randomly making it difficult for an intruder to circumvent. • Call-back device requires a dial-in user to enter and password and be identified. 16/01/2017 25
  • 27. Operating Systems Controls • Subversive Threats- Audit objectives: • Verify security and integrity of financial transactions. • Determine network controls (1) can prevent and detect illegal access; (2) will render captured data useless; and (3) are sufficient to preserve integrity and security of data. • Subversive Threats - Audit procedures: • Review adequacy of firewall: flexibility, proxy services, filtering, segregation of systems; audit tools; weaknesses. • Verify IPS with DPI for organizations vulnerable to DDoS. • Review security procedures and message transaction logs. • Verify encryption process and test operation of the call-back feature. 16/01/2017 26
  • 28. Controlling Risks from Equipment Failure • Line errors are losses from communications noise. • Techniques to detect and correct data errors: • Echo check - receiver returns the message to the sender. • Parity check - extra bit is added onto each byte of data similar to check digits. • Audit objective is to verify integrity of transactions by determining controls are in place to detect and correct message loss. • Audit procedures include examining a sample of messages for garbled content and verifying all corrupted messages were retransmitted. 16/01/2017 27
  • 30. Auditing Electronic Data Interchange (EDI) • EDI is the intercompany exchange of computer-processible business information in standard format. • Key to success is use of standard format for messaging between dissimilar systems. • Benefit of EDI: • Reduces or eliminates need for data entry. • Reduction of errors and paper forms. • Mailed documents replaced with cheaper transmissions. • Automated manual procedures and inventory reduction. 16/01/2017 29
  • 33. Auditing Electronic Data Interchange (EDI) • Electronic funds transfer (EFT) processing more complicated than EDI for purchasing and selling. • Converting remittance information to electronic form can result in very large records. • Both customer and supplier must establish EDI transactions are valid and authorized. • Some VANs have the capability of validating passwords and user ID codes for the vendor. • Before conversion, translation software can validate trading partner’s IDs and passwords. • Before processing, trading partner’s application software reference valid files to validate transaction. 32
  • 34. EFT Transactions Between Trading Partners 33
  • 35. Auditing Electronic Data Interchange (EDI) • Absence of source documents in EDI eliminates traditional audit trail and restricts audit tests. • Audit objectives relating to EDI are to determine: • Transactions are authorized, validated, and in compliance with the trading partner agreement. • No unauthorized organizations can gain access to database. • Authorized trading partners have access only to approved data. • Adequate controls are in place to ensure a complete audit trail. 34
  • 36. EFT System Using Transaction Control Log for Audi Trail 35
  • 37. Auditing Procedures for EDI • Tests of Authorization and Validation Controls: • Review agreements with VAN to validate transactions. • Review trading partner files for accuracy and completeness. • Tests of Access Controls: • Verify limited access to vendor and customer files. • Verify limited access of vendors to database. • Test EDI controls by attempting to violate access privileges. • Tests of Audit Trail Controls: • Verify existence of transaction logs. • Review a sample of transactions to verify key data values were recorded correctly. 36
  • 38. PC Accounting System Modules 37
  • 39. PC Systems Risks and Controls • Operating System Weaknesses: • PCs provide only minimal security for data files and programs. • Once computer criminal gains access to user’s PC, little to prevent stealing or manipulation of the data. • Weak access control. • Inadequate segregation of duties. • Multilevel password control used to restrict employees sharing computers. • Risk of theft and virus infection. • Weak backup procedures. 38
  • 40. Audit Objectives Associated with PC Security • Auditor should verify: • Controls in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft. • Adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators. • Backup procedures are in place to prevent data and program loss due to system failures, errors and so on. • Systems selection and acquisition procedures produce applications that are high quality, and protected from unauthorized changes. • System virus free and adequately protected to minimize the risk of becoming infected with a virus or similar object. 39
  • 41. Audit Procedures Associated with PC Security • Observe PCs are physically anchored. • Verify segregation of duties and/or adequate supervision. • Confirm reports are prepared, distributed, and reconciled by appropriate management at regular and timely intervals. • Determine multilevel password control as needed. • Verify drives are removed and stored appropriately. • Verify backup procedures are appropriate. • Verify software purchases and selection and acquisition procedures. • Review policy for using antiviral software. 40
  • 42. Internet & Intranet Technologies and Malicious & Destructive Programs Appendix 16/01/2017 41
  • 43. Internet Technologies • Packet switching: • Messages divided into small packets where each packet of the message may take a different routes. • Virtual private network (VPN) is a private network within a public network. • Extranet is a password controlled network for private users. • World Wide Web (WWW) is an Internet facility that links users locally and globally. • Web pages are maintained at Web sites which are computer servers that support HTTP. 42
  • 45. Internet Addresses • E-mail addresses: • Format is USERNAME@DOMAIN NAME • URL address: • Defines the path to a facility or file on the Web. • Subdirectories can be several levels deep. • IP address: • Every computer node and host attached to the Internet must have a unique Internet protocol (IP) address. 44
  • 46. Protocols • Rules and standards governing design of hardware and software that permit network users to communicate and share data. • Functions include: • Facilitate physical connection between the network devices. • Synchronize transfer of data between physical devices. • Provide basis for error checking and measuring network performance. • Promote compatibility among network devices. • Promote network designs that are flexible, expandable, and cost-effective. 45
  • 47. Internet Protocols • Transfer Control Protocol/Internet Protocol (TCP/IP) permits communication between Internet sites. • File Transfer Protocol (FTP) used to transfer files across the Internet. • Simple Network Mail Protocol (SNMP) transmits e-mail messages. • Secure Sockets Layer (SSL) and Secure Electronic Transmission (SET) are encryption schemes. • Network News Transfer Protocol used to connect to Usenet groups on the Internet. • HTTP and HTTP-NG control Web browsers. • HTML is the document format used to produce Web pages. 16/01/2017 46
  • 48. Intranet Technologies • A network topology is the physical arrangement of network components. • Networks are classified as LANs or WANs: • Local area networks (LANs) can cover several miles and connect hundreds of users. • Networks that exceed geographic limitations of LANs are wide area networks (WANs). • The physical connection of workstations to the LAN is achieved through a network interface card (NIC). • A server is used to store the network operating system, application programs, and data to be shared. 16/01/2017 47
  • 49. LAN with File and Print Servers 16/01/2017 48
  • 50. Bridges and Gateways Linking LANs & WANs 16/01/2017 49
  • 51. Star Topology • A network of IPUs with a large central computer (the host). • Host computer has direct connections to smaller computers, typically desktop or laptop PCs. • Popular for mainframe computing. • All communications must go through the host computer, except for local computing. 16/01/2017 50
  • 52. Local Data Local Data Local Data Local Data Central Data POS POS POS POS POS Topeka St. Louis Kansas City Dallas Tulsa Star Network 16/01/2017 51
  • 53. Hierarchical Topology • A host computer is connected to several levels of subordinate smaller computers in a master-slave relationship. 16/01/2017 52 Production Planning System Production Scheduling System Regional Sales System Warehouse System Warehouse System Production System Production System Sales Processing System Sales Processing System Sales Processing System Corporate Level Regional Level Local Level
  • 54. Ring Topology • Configuration eliminates the central site. • All nodes in this configuration are of equal status (peers). • Responsibility for managing communications is distributed among the nodes. • Common resources that are shared by all nodes can be centralized and managed by a file server that is also a node. 16/01/2017 53
  • 56. Bus Topology • Most popular LAN topology. 16/01/2017 55
  • 57. Client-Server Topology • Configuration distributes the processing between the user’s (client’s) computer and the central file server. • Both types of computers are part of the network, but each is assigned functions that it best performs. • This approach reduces data communications traffic, thus reducing queues and increasing response time. 16/01/2017 56
  • 59. Network Control oPurpose of network control is to: o Establish communications sessions. o Manage the flow of data across the network. o Detect and resolve data collisions between nodes. o Detect line failure of signal degeneration errors oTwo or more signals transmitted simultaneously will result in data collision which destroys messages. o Polling most popular technique for establishing a communication session in WANs. o Token passing involves transmitting special signal around the network. Only the node processing the token is allowed to transmit data. 16/01/2017 58
  • 60. Pooling Method of Controlling Data Collisions 16/01/2017 59
  • 61. Token-Passing Approach to Controlling Data Collisions 16/01/2017 60
  • 62. Carrier Sensing • A random access technique that detects collisions when they occur. • Technique is used with bus topology. • Node wishing to transmit listens to determine if line is in use. If it is, it waits a pre-specified time to transmit. • Collisions occur when nodes hear no transmissions, and then simultaneously transmit. • Data collides and nodes instructed to hang up and try again. • Ethernet is the best-know LAN using this standard. 16/01/2017 61
  • 63. Malicious & Destructive Programs • Virus is a program that attaches itself to a legitimate program to penetrate the operating system and destroy programs, files and the operating system itself. • Worm is used interchangeably with virus. • Logic bomb is a destructive program triggered by some predetermined event or date. • Back door (or trap door) is a software program that allows unauthorized access to a system. • Trojan horse program purpose is to capture IDs and passwords. 16/01/2017 62