Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009


Page 1: Title slide

Advanced Accounting Information Systems
Day 23
Operating Systems Security
October 16, 2009

Page 2: Announcements

– Quiz 5
– Assignment 4 – due today
• Task as IT auditor is to identify potential problems new owner may encounter with Threadchic
– Midterm
• In class – systems documentation, SQL queries
• Out of class – four essay questions, you pick the two to write on, maximum of two double-spaced pages per essay question
– Covers systems development, IT auditing, internal controls

Page 3: Objectives – Operating Systems Security

Understand the core components of operating systems
Understand the common implementations of the main operating system components as well as the associated risk and control considerations
Apply security principles and concepts to effectively secure operating systems

Page 4: Blaster Worm

Remote procedure call
– Core operating system component implemented in the Windows family of products
• Allows a computer to invoke and execute programs from remote computers
• Present on every Windows computer and has highest level of privileges
July 16, 2003 announcement of critical vulnerability that allowed attackers to send specially crafted malformed messages and thereby run any code of their choice on a computer with no restrictions
– Attackers could then
• Install any software on a machine
• Capture keystrokes to get passwords
• Impersonate users
• Read or delete any emails

Page 5: Blaster Worm

Department of Homeland Security issued high-profile alerts but many businesses and end users did not install patch
August 11, 2003, MSBlaster worm was released in the wild
– Within 204 hours, over 330,000 computers were infected
– Resulted in denial of service for Windows users as infected computers frequently rebooted
– Caused CSX Transportation Corporation to stop trains causing serious delays for commuter rail service near Washington DC
– Caused Air Canada to delay flights
– Forced Maryland’s motor vehicle agency to close for a day
– Kicked Swedish Internet users offline
– Contributed to the major power blackout on the East Coast

Page 6: Goal of Chapter

For each environment – operating systems, applications, databases, telecommunication networks, data networks, and Web systems, we look at the risks that affect these environments and learn about controls to mitigate the risks

Breach in one environment may affect other environments given that these environments depend on each other

Most important environment that needs to be secured – operating system

Page 7: Common Operating Systems

Every command entered on a computer is managed and processed by the operating system
– All data files, applications, and databases reside on the operating system
Operating system – house that contains various safes (applications and databases) – if someone breaks into the house, they can just pick up the safe and run, no matter how strong the security lock is on the safe
– Thus compromise of operating system almost always leads to compromise of its contents including various applications and databases

Page 8: Operating Systems

Operating system – software that controls the operation of a computer and directs the processing of programs by assigning storage space in memory and controlling input and output functions
Interface between end user and various applications
Must also manage the hardware present in the computer
API – application programming interface
Rainbow series books
– Orange book – trusted computer system evaluation criteria – seven classes – see table 7.1

Page 9: Orange Book summary chart

Division D – minimum security
– D – systems that aren’t rated higher
Division C – discretionary protection
– C1 – discretionary security protection
– C2 – controlled access protection
Division B
Division A
– A – verified design

Page 10: Common Operating Systems

Windows
Linux
z/OS
NetWare

Page 11: Common Risks and Controls – Authentication

Passwords
Risks
Controls
Other authentication technologies

Page 12: Common Risks and Controls – Authorization

Permissions
Risks
Controls

Page 13: Common Risks and Controls – Trust Relationships

Why establish trust?
– Data exchange between two systems without requiring user intervention to first authenticate and authorize the transaction
– User movement across multiple systems without having to re-authenticate
Risks
Controls

Page 14: Common Risks and Controls – Job Scheduling

Risks
Controls

Page 15: Common Risks and Controls – File Systems

Local File Systems
Remote File Systems
File and Directory Permissions
Risks
Controls

Page 16: Common Risks and Controls – Software Updates

Risks
Controls

Page 17: Assurance Considerations

Number of workstations and servers on system
Number of different operating systems used
Criticality of the computers or data stored on the system
Types of tools available for collection and analysis of data detailing the security controls

Page 18: Vocabulary Review

Access control list
Active directory
Application programming interface
Authentication
Authorization
Baseline
Biometrics
Brute-force attacks
Common internet file system (CIFS)
Dictionary attacks
File system
Jobs
Malware
NetWare directory service (NDS)
Network file system (NFS)

Page 19: Vocabulary Review

One-time password (OTP)
One-way hash algorithms
Operating system
Password file
Password hash
Permissions
Piggybacking
Root
Salt
Samba
Secure shell (SSH)
Server message block (SMB)
Shadow file
Smart card
Tripwire
Trust relationship
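The password-storage terms on these two vocabulary slides (password file, password hash, one-way hash algorithms, salt, shadow file, dictionary attacks) in working form, as an added example that is not part of the original slides: a simplified shadow-style record format (constructed here, not any real operating system's), a verify routine, and an audit check that flags unsalted legacy entries, which are the ones a precomputed dictionary can be matched against if the file is stolen.

```python
"""Shadow-file style password storage: one-way hash plus per-user salt (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000  # work factor: makes each guess against a stolen file expensive

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record '$pbkdf2$<iters>$<salt hex>$<hash hex>' (constructed format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the one-way hash with the stored salt and compare in constant time."""
    fields = record.split("$")
    if len(fields) != 5 or fields[1] != "pbkdf2":
        return False
    _, _, iters, salt_hex, digest_hex = fields
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def shadow_lines(accounts: Dict[str, str]) -> List[str]:
    """Build 'user:record' lines in the spirit of a shadow file (simplified)."""
    return [f"{user}:{hash_password(pw)}" for user, pw in accounts.items()]

def audit_shadow(lines: List[str]) -> List[str]:
    """Control check: list accounts whose stored hash is not in the salted scheme."""
    weak = []
    for line in lines:
        user, _, record = line.partition(":")
        if not record.startswith("$pbkdf2$"):
            weak.append(user)  # unsalted or empty: a precomputed dictionary applies
    return weak

if __name__ == "__main__":
    # Constructed sample data: two users happened to choose the same password.
    lines = shadow_lines({"alice": "Winter2009", "bob": "Winter2009"})
    alice, bob = (line.split(":", 1)[1] for line in lines)
    print("same password, different records:", alice != bob)
    print("alice verifies:", verify_password("Winter2009", alice))
    legacy = "carol:" + hashlib.sha256(b"Winter2009").hexdigest()  # unsalted legacy
    print("audit flags:", audit_shadow(lines + [legacy]))
```

Because the salt differs per account, two users with the same password get different records, so one precomputed table cannot be matched against the whole file.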

Page 20: Questions for Monday

Identify common risks to application security and suggest at least one control to mitigate each risk