
Chapter 3: Security Part I: Auditing Operating Systems and Networks
IT Auditing, Hall, 4e

© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Learning Objectives

o Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures.
o Be familiar with the principal risks associated with commerce conducted over intranets and the Internet, and understand the control techniques used to reduce these risks.
o Be familiar with the risks associated with personal computing systems.
o Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced.

Business Continuity Plan and Disaster Recovery Planning

o A disaster recovery plan (DRP) is a statement of all actions to be taken before, during and after any type of disaster. Four common features:
o Identify critical applications:
  o Short-term survival requires restoration of cash-flow-generating functions.
  o Applications supporting those functions should be identified and prioritized in the restoration plan.
  o The task of identifying critical items and prioritizing applications requires active participation of user departments, accountants and auditors.

Disaster Recovery Planning

o Create a disaster recovery team:
  o Team members should be experts in their areas and have assigned tasks.
o Provide second-site backup:
  o A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster.
o Specify backup and off-site storage procedures:
  o All data files, applications, documentation and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location.

DRP Audit Procedures

o To verify the DRP is a realistic solution, the following tests may be performed:
  o Evaluate adequacy of backup site arrangements.
  o Review the list of critical applications for completeness.
  o Verify copies of critical applications and operating systems are stored off-site.
  o Verify critical data files are backed up in accordance with the DRP.
  o Verify that the types and quantities of items specified in the DRP exist in a secure location.
  o Verify disaster recovery team members are current employees and aware of their assigned responsibilities.

Operating Systems Security

o Log-On Procedure:
  o First line of defense against unauthorized access, consisting of user IDs and passwords.
o Access Token:
  o Contains key information about the user, which is used to approve actions attempted during the session.
o Access Control List:
  o Assigned to each IT resource and used to control access to the resource.
o Discretionary Access Privileges:
  o Allow a user to grant access to another user.

Threats to Operating System Integrity

o Accidental threats include hardware failures and errors in user applications.
o Intentional threats are often attempts to illegally access data or violate privacy for financial gain.
o A growing threat is destructive programs with no apparent gain, which come from three sources:
  o Privileged personnel who abuse their authority.
  o Individuals who browse the operating system to identify and exploit security flaws.
  o Individuals who insert viruses or other destructive programs into the operating system, either intentionally or unintentionally.

Operating Systems Controls

o Access Privileges - Audit Objectives:
  o Verify that access privileges are consistent with separation of incompatible functions and organization policies.
o Access Privileges - Audit Procedures:
  o Review policies for separating incompatible functions.
  o Review a sample of user privileges, especially access to data and programs.
  o Review security clearance checks of privileged employees.
  o Determine if users have formally acknowledged their responsibility to maintain data confidentiality.
  o Review users' permitted log-on times.

Password Controls

o A password is a secret code the user enters to gain access to a system or data.
o Common contra-security behaviors:
  o Forgetting passwords or failing to change them regularly.
  o "Post-it syndrome", which puts passwords on display.
  o Simplistic passwords that are easy for criminals to anticipate.
o Most commonly, passwords are reusable.
o Management should require changes and disallow weak ones.
o One-time passwords are generated automatically and continuously by the system when the user enters a PIN.

Operating Systems Controls

o Password Control - Audit Objectives:
  o Ensure adequacy and effectiveness of password policies for controlling access to the operating system.
o Password Control - Audit Procedures:
  o Verify passwords are required for all users and that new users are instructed in their use and importance.
  o Ensure controls exist requiring passwords to be changed regularly.
  o Review the password file for weak passwords.
  o Verify encryption of the password file.
  o Assess the adequacy of password standards.
  o Review account lockout policies and procedures.
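As an added example (not from the textbook), the following Python script applies several of the password audit procedures above to a constructed, shadow-style password file: it flags accounts with no password, passwords protected by a weak hash algorithm (the practical form of "encryption of the password file"), passwords that never expire or have not been changed within the policy period, and accounts with lockout disabled. The record layout, the sample users, and the policy thresholds are all assumptions made for the demonstration.

```python
"""Password-policy audit over constructed shadow-style records.

Added example, not textbook code. Assumed record layout (one account per line):
    user:hash:last_change_day:max_age_days:lock_after_failures
last_change_day counts days from a fixed epoch, the way /etc/shadow stores
days since 1970-01-01; an empty hash field means no password is set.
"""
from typing import NamedTuple

# Constructed sample file; the audit below treats day 19700 as "today".
SAMPLE_RECORDS = """\
alice:$6$salt$hashedvalue:19650:90:5
bob::19600:90:5
carol:$1$salt$md5hash:19400:0:5
dave:$6$salt$hashedvalue:19690:90:0
erin:$6$salt$hashedvalue:19680:90:5
"""

# Assumed password standard: rotate within 90 days, lockout required,
# and only SHA-256/SHA-512 crypt or yescrypt hashes count as adequate.
POLICY = {
    "max_age_days": 90,
    "require_lockout": True,
    "strong_prefixes": ("$5$", "$6$", "$y$"),
}


class Finding(NamedTuple):
    user: str
    issue: str


def audit_password_file(text, today, policy=POLICY):
    """Return a list of Finding records, one per policy violation found."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw_hash, last_change, max_age, lock_after = line.split(":")
        last_change, max_age, lock_after = int(last_change), int(max_age), int(lock_after)

        # "Verify passwords are required for all users"
        if pw_hash == "":
            findings.append(Finding(user, "no password set"))
        # "Verify encryption of the password file": weak or legacy hash scheme
        elif not pw_hash.startswith(policy["strong_prefixes"]):
            findings.append(Finding(user, "weak hash algorithm"))

        # "Ensure controls exist requiring passwords to be changed regularly"
        if max_age == 0 or max_age > policy["max_age_days"]:
            findings.append(Finding(user, "password never expires or expiry exceeds policy"))
        age = today - last_change
        if age > policy["max_age_days"]:
            findings.append(Finding(user, f"password not changed for {age} days"))

        # "Review account lockout policies"
        if policy["require_lockout"] and lock_after == 0:
            findings.append(Finding(user, "account lockout disabled"))
    return findings


def users_without_findings(text, today, policy=POLICY):
    """Accounts that passed every check, for the auditor's clean list."""
    flagged = {f.user for f in audit_password_file(text, today, policy)}
    all_users = {line.split(":")[0] for line in text.splitlines() if line.strip()}
    return sorted(all_users - flagged)


if __name__ == "__main__":
    for finding in audit_password_file(SAMPLE_RECORDS, today=19700):
        print(f"{finding.user:8} {finding.issue}")
    print("clean:", users_without_findings(SAMPLE_RECORDS, today=19700))
```

The script only inspects metadata (hash scheme, age, lockout setting); it never attempts to guess passwords, which keeps the audit evidence reproducible and the auditor out of the business of recovering credentials.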

Controlling Against Malicious & Destructive Programs

o Organizations can reduce threats by the following:
  o Purchase software from reputable vendors in original packages.
  o Establish a policy pertaining to unauthorized or illegal software.
  o Examine upgrades and public-domain software for viruses before implementation and use.
  o Implement procedures for changing programs.
  o Educate users regarding threats.
  o Test all applications before implementation.
  o Make frequent backups and limit users to read and execute rights only whenever possible.
  o Require protocols that bypass Trojan horses, and use antiviral software.

Operating System Controls

o Viruses & Destructive Programs - Audit Objectives:
  o Verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses.
o Viruses & Destructive Programs - Audit Procedures:
  o Conduct interviews to determine that operations personnel have been properly educated and are aware of risks.
  o Verify new software is tested on standalone workstations before being implemented.
  o Verify that antiviral software is current and that upgrades are frequently downloaded.

System Audit Trail Controls

o System audit trails are logs that record activity at the system, application and user level.
o Two types of audit logs:
  o Keystroke monitoring involves recording the user's keystrokes and the system's response.
  o Event monitoring summarizes key activities related to system resources.
o Audit trails can be used to detect unauthorized access, reconstruct events and promote personal accountability.
o Benefits must be balanced against costs.

Operating System Controls

o System Audit Trails - Audit Objectives:
  o Ensure the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events and planning resource allocation.
o System Audit Trails - Audit Procedures:
  o Verify the audit trail has been activated per company policy.
  o Use data extraction tools to search for defined conditions such as: unauthorized users; periods of inactivity; periods of activity, including log-on and log-off times; failed log-on attempts; and specific access.
  o Sample security violation cases and evaluate their disposition to assess security group effectiveness.
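The "data extraction tools" step above, and the earlier procedure of reviewing users' permitted log-on times, can be shown concretely. The Python below is an added example, not from the textbook: it parses a constructed event log and answers the questions the slide lists (failed log-on attempts, log-on and log-off times and session lengths, log-ons outside permitted hours, users not on the approved list, and specific access to a sensitive object). The log line layout, the approved user list, the permitted-hours window, and every event are assumptions made for the demonstration.

```python
"""Audit-trail search over a constructed event log.

Added example, not textbook code. Assumed line layout:
    YYYY-MM-DD HH:MM:SS ACTION RESULT key=value key=value ...
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (assumption: one event per line, chronological).
SAMPLE_LOG = """\
2016-03-01 08:02:11 LOGON OK user=alice src=10.1.1.20
2016-03-01 08:03:40 LOGON FAIL user=bob src=10.1.1.21
2016-03-01 08:03:55 LOGON FAIL user=bob src=10.1.1.21
2016-03-01 08:04:10 LOGON FAIL user=bob src=10.1.1.21
2016-03-01 08:04:30 LOGON OK user=bob src=10.1.1.21
2016-03-01 17:30:00 LOGOFF OK user=alice src=10.1.1.20
2016-03-01 23:45:12 LOGON OK user=carol src=10.1.1.22
2016-03-02 00:20:05 LOGOFF OK user=carol src=10.1.1.22
2016-03-02 03:10:00 LOGON OK user=guest src=192.168.9.9
2016-03-02 03:12:00 FILE READ user=guest src=192.168.9.9 obj=/finance/payroll.xlsx
"""

APPROVED_USERS = {"alice", "bob", "carol"}   # assumed authorized-user register
PERMITTED_HOURS = (7, 19)                    # log-on allowed 07:00 up to, not including, 19:00


def parse_events(text):
    """Turn raw lines into dicts with a datetime and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, result, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                       "action": action, "result": result, **attrs})
    return events


def failed_logons(events, threshold=3):
    """Users with at least `threshold` failed log-on attempts."""
    counts = Counter(e["user"] for e in events
                     if e["action"] == "LOGON" and e["result"] == "FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def logons_outside_hours(events, window=PERMITTED_HOURS):
    """Successful log-ons whose hour falls outside the permitted window."""
    start, end = window
    return [(e["user"], e["ts"]) for e in events
            if e["action"] == "LOGON" and e["result"] == "OK"
            and not (start <= e["ts"].hour < end)]


def unauthorized_users(events, approved=APPROVED_USERS):
    """Identities appearing in the log that are not in the approved register."""
    return sorted({e["user"] for e in events} - approved)


def session_durations(events):
    """Pair each LOGON OK with the next LOGOFF for the same user.

    Returns (durations in minutes per user, users whose session never closed).
    """
    open_sessions, durations = {}, defaultdict(list)
    for e in events:
        if e["action"] == "LOGON" and e["result"] == "OK":
            open_sessions[e["user"]] = e["ts"]
        elif e["action"] == "LOGOFF" and e["user"] in open_sessions:
            started = open_sessions.pop(e["user"])
            durations[e["user"]].append((e["ts"] - started).total_seconds() / 60)
    return dict(durations), sorted(open_sessions)


def object_access(events, obj_prefix):
    """'Specific access': who touched objects under a given path prefix."""
    return [(e["user"], e["obj"]) for e in events
            if e["action"] == "FILE" and e.get("obj", "").startswith(obj_prefix)]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("repeated failures:", failed_logons(ev))
    print("outside hours:", logons_outside_hours(ev))
    print("not on register:", unauthorized_users(ev))
    print("sessions:", session_durations(ev))
    print("finance access:", object_access(ev, "/finance"))
```

Each function answers one of the slide's search conditions, so the auditor can cite the exact query used for each finding; sessions that never close (log-on without log-off) are returned separately because they are themselves worth following up.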

Technical and Administrative Controls

Network security is the protection of the network perimeter, as well as the segmentation of the internal corporate network. Oftentimes, management devotes resources to protecting its network from outsiders but fails to properly segment its internal network based on risks. Much like logical access control, network resources and segments should only be made available to those who require them. An example of this would be segmenting the Research and Development network from the rest of the organisation due to the sensitive nature of the information that is handled in such an environment.

Network security defences include:

o Firewalls
o Intrusion detection systems
o Intrusion prevention systems
o Network access controls
o Routers
What is a Server?

File Server

o A file server is a server that contains files which are made accessible to other clients on the network. A file server has the sole responsibility for storing and managing a set of files, which are made accessible to other computers. These files are shared among clients in the network by allowing access without having to physically transfer the accessed files to their local systems.

Print Server

o A print server is a server which has a dedicated printer connected to it which is accessible by other clients through it on the same network. Other clients on the network can print work to this printer through this print server.

Web Server

o A web server is a server equipped with HTTP (Hypertext Transfer Protocol) that serves web pages in response to requests submitted by clients. For example, if you type www.ismellgood.com/homepage in your browser as a client, you are in effect requesting a web page stored on a server with a domain named ismellgood.com, called a homepage. In response to your request, the respective web server locates the homepage page in its system and displays it to you. If you erroneously type www.ismellgood.com/homewage, the server will return an error message saying "web page not found!" Well, that's familiar!

Application Server

o An application server stores and manages all applications between an organization's users and its databases or backend business applications. If you've visited a bank to withdraw money, then you've accessed the bank's application server through the services of the attending teller. The teller's machine, through the banking application, accesses the bank's application server to retrieve your bank account details and facilitate your transaction.

LAN with File and Print Servers
Network Security

Firewalls are network hardware and software that block unauthorised or unverified access to computer systems and network assets. These tools survey incoming and outgoing transmissions and decide what type of traffic to permit onto an organisation's internal network based on factors such as origination or destination address, content of the message, protocol being used to transmit the message, and other filtering methods.

Controlling Risks from Subversive Threats

o Firewalls prevent unauthorized access to or from a private network. To accomplish this:
  o All traffic between the outside network and the organization's intranet must pass through the firewall.
  o Only authorized traffic is allowed to pass through the firewall, which must itself be immune to penetration.
o Network-level firewalls provide efficient but low-security control.
  o A screening router examines the source and destination addresses attached to incoming message packets but does not explicitly authenticate outside users.
o Application-level firewalls provide higher, customizable network security, but add overhead cost.
o There is a trade-off between convenience and security.
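To make the screening-router point concrete, here is an added Python example (not from the textbook) of a network-level packet filter: rules are matched top to bottom on direction, protocol, source and destination network and destination port, the first match wins, and anything unmatched is denied. Note what it does not look at: nothing in the decision identifies a user, which is exactly the limitation the slide describes. The rule table, the intranet range, and the sample packets are assumptions made for the demonstration; the `overly_broad_rules` check is a small audit helper an auditor might run over a real rule base.

```python
"""Screening-router style packet filter with first-match, default-deny semantics.

Added example, not textbook code. Rule table and packets are constructed.
"""
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")   # assumed private address range

# Constructed rule table: (direction, protocol, src_net, dst_net, dst_port, action).
# Evaluated top to bottom; a port of None matches any port.
RULES = [
    ("in",  "tcp", "0.0.0.0/0",  "10.0.5.10/32", 443,  "permit"),  # public web server only
    ("in",  "tcp", "0.0.0.0/0",  "10.0.0.0/8",   None, "deny"),    # nothing else inbound
    ("out", "tcp", "10.0.0.0/8", "0.0.0.0/0",    443,  "permit"),  # staff HTTPS browsing
    ("out", "tcp", "10.0.0.0/8", "0.0.0.0/0",    25,   "permit"),  # outbound mail relay
]


def filter_packet(pkt, rules=RULES):
    """Decide (action, matched_rule) for one packet.

    pkt is (direction, protocol, src_ip, dst_ip, dst_port). matched_rule is the
    rule index, "anti-spoof" for the ingress check, or None for the default deny.
    """
    direction, proto, src, dst, dport = pkt
    src_ip, dst_ip = ip_address(src), ip_address(dst)

    # Ingress filtering: a packet arriving from outside cannot legitimately carry
    # an intranet source address, so drop it before consulting the rule table.
    if direction == "in" and src_ip in INTRANET:
        return ("deny", "anti-spoof")

    for index, (r_dir, r_proto, r_src, r_dst, r_port, action) in enumerate(rules):
        if r_dir != direction or r_proto != proto:
            continue
        if src_ip not in ip_network(r_src) or dst_ip not in ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return (action, index)          # first match wins
    return ("deny", None)               # default deny: nothing matched


def overly_broad_rules(rules):
    """Audit helper: indices of permit rules that match any source, any
    destination and any port. Such rules defeat the purpose of the filter."""
    return [i for i, (_, _, r_src, r_dst, r_port, action) in enumerate(rules)
            if action == "permit" and r_port is None
            and ip_network(r_src).prefixlen == 0 and ip_network(r_dst).prefixlen == 0]


if __name__ == "__main__":
    # Constructed packets: outside client to the web server, then an unexpected port.
    for pkt in [("in", "tcp", "203.0.113.7", "10.0.5.10", 443),
                ("in", "tcp", "203.0.113.7", "10.0.5.10", 22),
                ("out", "udp", "10.0.1.5", "198.51.100.2", 53)]:
        print(pkt, "->", filter_packet(pkt))
```

Because the decision depends only on header fields, a permitted rule admits any outside host that sends matching packets; authenticating who is behind those packets is the job of the application-level firewall or proxy the next bullet describes, at the cost of the extra processing it mentions.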
Network Security

An intrusion detection system (IDS) is a device or software application that monitors an organisation's inbound and outbound network activity and identifies any suspicious patterns of activity that may indicate a network or system attack or security policy violations. An IDS alerts administrators when someone or something is trying to compromise the information system through malicious activities or security policy violations. These systems are designed to supplement firewalls and other forms of network security by detecting malicious activity coming across the monitored entity's network or system activities. They act much like a motion sensor would, detecting individuals who have bypassed perimeter security.

Technical and Administrative Controls

Encryption is one of the most effective methods of protecting networks and communications against attacks. Encryption is the process whereby information is taken and scrambled so that it is unreadable by anyone who does not have the encryption code. The decision to use encryption should be made in light of the risks and after a cost-benefit analysis. There are, however, drawbacks to encryption, including the cost of the encryption device, the cost of the administration, and the inherent delays incurred by the extra steps required for processing.

Technical and Administrative Controls

Patch Management. Every week, new vulnerabilities are discovered in operating systems and applications, and attackers exploit these vulnerabilities to gain access to systems. To protect against such exposures, system administrators should install patches as soon as they become available. Proper patch management can prevent worms and older exploits from succeeding.


Application security encompasses controls implemented to prevent exceptions to the security policy of an application and its underlying systems through flaws in design, development, or deployment. Controls built into the application reduce the likelihood that it will be manipulated to access, steal, modify, or delete data.

Technical and Administrative Controls

Some of the best practices for ensuring segregation of duties within the information systems department and between information systems and business unit personnel include:

o System users should not have direct access to programme source code.
o Computer operators should not perform computer programming.
o Development staff should not have access to production data.
o Development staff should not access system-level technology or database management systems.
o End users should not have access to production data.
o End users or system operators should not have direct access to programme source code.
o Programmers should not be server administrators or database administrators.
o IT departments should be segregated from information user departments.

Technical and Administrative Controls

o Development staff should not have access to production data, unless specifically authorized by the functional data owner to repair a limited number of records.
o Development staff should not access system-level technology or database management systems.
o End users should not have access to production data except through the features and functions of the administrative applications; in particular, they should not have the ability to bypass or circumvent the applications' validation and audit procedures.
o Functional users should not access or modify application code.
o Systems programmers should not access application code.
o Accounts should be approved by the data steward and subsequently created by a separate, independent system security administrator.
o Access to system logs and system audits should be limited to the system security analysts, and all such access should be reviewed by IT management.
o Access to firewalls and other network security systems should be limited to the network security analysts, and all such access should be reviewed by IT management.
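The segregation-of-duties practices on these two slides, and the earlier audit procedure of verifying that access privileges are consistent with the separation of incompatible functions, reduce to a mechanical check: take the roles each account actually holds and look for pairs the policy says one person may not combine. The Python below is an added example, not from the textbook; the incompatible pairs encode the practices listed above (developer vs. production data, DBA or server administration; operator vs. programmer; end user vs. source code or production data; systems programmer vs. application code; data steward vs. security administrator), while the role names, the user assignments, and the documented exception are assumptions made for the demonstration.

```python
"""Separation-of-duties conflict check over a constructed role assignment list.

Added example, not textbook code. The incompatible pairs follow the slides'
best practices; role names, users and the exception record are assumptions.
"""
from itertools import combinations

# Role pairs the slides say one person should not hold together.
INCOMPATIBLE = {
    frozenset({"developer", "production_data_access"}),
    frozenset({"developer", "dba"}),
    frozenset({"developer", "server_admin"}),
    frozenset({"developer", "system_software"}),
    frozenset({"computer_operator", "programmer"}),
    frozenset({"end_user", "source_code_access"}),
    frozenset({"end_user", "production_data_access"}),
    frozenset({"systems_programmer", "application_code"}),
    frozenset({"data_steward", "security_admin"}),   # approves vs. creates accounts
}

# Constructed assignments: user -> roles actually granted in the system.
ASSIGNMENTS = {
    "alice": {"developer", "test_env_access"},
    "bob":   {"developer", "dba"},
    "carol": {"computer_operator", "programmer"},
    "dave":  {"end_user"},
    "erin":  {"data_steward", "security_admin"},
    "frank": {"developer", "production_data_access"},
}

# Documented exceptions: the slides allow a developer limited production access
# when the functional data owner authorizes it. Constructed record for frank.
AUTHORIZED_EXCEPTIONS = {
    ("frank", frozenset({"developer", "production_data_access"})),
}


def find_conflicts(assignments, incompatible=INCOMPATIBLE, exceptions=AUTHORIZED_EXCEPTIONS):
    """Return (user, (role_a, role_b)) for every incompatible pair a user holds
    that is not covered by a documented exception, sorted by user."""
    conflicts = []
    for user, roles in sorted(assignments.items()):
        for pair in combinations(sorted(roles), 2):
            key = frozenset(pair)
            if key in incompatible and (user, key) not in exceptions:
                conflicts.append((user, tuple(sorted(key))))
    return conflicts


def exceptions_in_use(assignments, exceptions=AUTHORIZED_EXCEPTIONS):
    """Exceptions that still apply to a live assignment; each one is evidence
    the auditor should re-examine (is the authorization current and limited?)."""
    return sorted((user, tuple(sorted(pair))) for user, pair in exceptions
                  if pair <= assignments.get(user, set()))


if __name__ == "__main__":
    for user, pair in find_conflicts(ASSIGNMENTS):
        print(f"CONFLICT {user}: {pair[0]} + {pair[1]}")
    print("exceptions to review:", exceptions_in_use(ASSIGNMENTS))
```

Running the check against the real identity store (rather than against the HR org chart) is what turns the best-practice list into audit evidence: it tests the privileges that exist, not the ones policy intended.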

Auditing Procedures for EDI

o Tests of Authorization and Validation Controls:
  o Review agreements with the VAN to validate transactions.
  o Review trading partner files for accuracy and completeness.
o Tests of Access Controls:
  o Verify limited access to vendor and customer files.
  o Verify limited access of vendors to the database.
  o Test EDI controls by attempting to violate access privileges.
o Tests of Audit Trail Controls:
  o Verify existence of transaction logs.
  o Review a sample of transactions to verify key data values were recorded correctly.

Audit Objectives Associated with PC Security

o The auditor should verify:
  o Controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
  o Adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators.
  o Backup procedures are in place to prevent data and program loss due to system failures, errors and so on.
  o Systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
  o The system is virus free and adequately protected to minimize the risk of becoming infected with a virus or similar object.
Audit Procedures Associated with PC Security

o Observe that PCs are physically anchored.
o Verify segregation of duties and/or adequate supervision.
o Confirm reports are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
o Determine multilevel password control as needed.
o Verify drives are removed and stored appropriately.
o Verify backup procedures are appropriate.
o Verify software purchases and selection and acquisition procedures.
o Review policy for using antiviral software.
