Auditing OS and Network

Upload: ahmad-badrus-salam

Post on 27-Feb-2018


7/25/2019 Auditing Os and Network

AUDITING OS AND NETWORK

Chapter 3


The operating system is the computer's control program.

It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.


Operating System Objectives


OS Security

Operating system security involves policies, procedures, and controls that determine who can access the operating system, which resources (files, programs, printers) they can use, and what actions they can take.


Log-On Procedure


Access Control List


Threats to Operating System Integrity

Threats arise accidentally or intentionally.

Accidental threats include hardware failures that cause the operating system to crash.

Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.


Operating System Controls and Audit Tests

Controlling Access Privileges

The auditor's objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.


Audit Procedures Relating to Access Privileges

Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.

Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions.


Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.

Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.

Review the users' permitted log-on times.
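As an added illustration (not part of the slides), the privilege review described above can be scripted: each sampled account's functions are compared against a segregation-of-duties matrix and against the access expected for the holder's position. The users, positions and incompatible-function pairs are constructed sample data.

```python
# Added example (not from the slides): review a sample of user privileges
# against an incompatible-function (segregation of duties) matrix and
# against the access profile expected for each job description.
# All users, positions and functions below are constructed sample data.

# Pairs of functions that one person must not hold together (assumed policy).
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"develop_program", "operate_production"}),
}

# Functions a position is expected to have according to its job description.
JOB_PROFILE = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "enter_invoice"},
    "gl_accountant": {"enter_journal"},
    "controller": {"post_journal"},
    "programmer": {"develop_program"},
}

# Constructed sample of user accounts: position and the functions their groups grant.
USERS = {
    "alice": ("ap_clerk", {"create_vendor", "enter_invoice"}),
    "bob": ("ap_manager", {"approve_payment", "create_vendor"}),
    "carol": ("gl_accountant", {"enter_journal", "post_journal"}),
    "dave": ("programmer", {"develop_program", "operate_production"}),
}

def sod_conflicts(functions):
    """Return the incompatible pairs present in one user's set of functions."""
    return sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= functions)

def review_privileges(users, profiles):
    """Return per-user findings: SoD conflicts and rights beyond the job profile."""
    findings = {}
    for user, (position, functions) in users.items():
        excess = sorted(functions - profiles.get(position, set()))
        conflicts = sod_conflicts(functions)
        if excess or conflicts:
            findings[user] = {"position": position, "excess": excess, "sod_conflicts": conflicts}
    return findings

if __name__ == "__main__":
    for user, finding in review_privileges(USERS, JOB_PROFILE).items():
        print(user, finding)
```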


Password Control

A password is a secret code the user enters to gain access to systems, applications, data files, or a network server.

Reusable password: the user defines the password to the system once and then reuses it to gain future access.


One-time password: the user's password changes continuously.

The auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.


Audit Procedures Relating to Passwords

Verify that all users are required to have passwords.

Verify that new users are instructed in the use of passwords and the importance of password control.

Review password control procedures to ensure that passwords are changed regularly.


Review the password file to determine that weak passwords are identified and disallowed.

Verify that the password file is encrypted and that the encryption key is properly secured.

Assess the adequacy of password standards such as length and expiration interval.

Review the account lockout policy and procedures.
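As an added example (not from the slides), the password tests above can be expressed as checks of the effective policy against a standard and of a sample of account records against that standard: every account must require a password, the minimum length and expiration interval must meet the standard, lockout must be enabled, and no sampled password may be older than the interval. The standard, policy values and account records are constructed.

```python
# Added example (not from the slides): audit a password policy and a sample
# of account records against password standards. Policy values, accounts
# and the standard itself are constructed for this illustration.
from datetime import date

# Standards assumed for this illustration.
STANDARD = {"min_length": 12, "max_age_days": 90, "lockout_threshold": 5}

# Effective policy as read from the system (constructed sample, deliberately weak).
POLICY = {"min_length": 8, "max_age_days": 180, "lockout_threshold": 0}

# Sample of accounts: whether a password is required, and date of last change.
ACCOUNTS = [
    {"user": "alice", "password_required": True, "last_changed": date(2019, 6, 1)},
    {"user": "svc_backup", "password_required": False, "last_changed": None},
    {"user": "bob", "password_required": True, "last_changed": date(2018, 11, 15)},
]

def policy_findings(policy, standard):
    """Return the policy settings that fall short of the standard."""
    findings = []
    if policy["min_length"] < standard["min_length"]:
        findings.append(f"minimum length {policy['min_length']} < {standard['min_length']}")
    if policy["max_age_days"] > standard["max_age_days"]:
        findings.append(f"expiration interval {policy['max_age_days']} days > {standard['max_age_days']}")
    # A threshold of 0 means lockout is disabled on this (constructed) system.
    if policy["lockout_threshold"] == 0 or policy["lockout_threshold"] > standard["lockout_threshold"]:
        findings.append("account lockout disabled or threshold above standard")
    return findings

def account_findings(accounts, standard, today):
    """Return accounts that need no password or whose password exceeds the expiration interval."""
    findings = {}
    for acct in accounts:
        if not acct["password_required"]:
            findings[acct["user"]] = "no password required"
        elif (today - acct["last_changed"]).days > standard["max_age_days"]:
            findings[acct["user"]] = "password not changed within expiration interval"
    return findings

if __name__ == "__main__":
    print(policy_findings(POLICY, STANDARD))
    print(account_findings(ACCOUNTS, STANDARD, date(2019, 7, 25)))
```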


Controlling Against Malicious and Destructive Programs

The losses are measured in terms of data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage.

This class of programs includes viruses, worms, logic bombs, backdoors, and Trojan horses.


Audit Objective Relating to Viruses and Other Destructive Programs

The auditor's objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.


Audit Procedures Relating to Viruses and Other Destructive Programs

Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.

Verify that new software is tested on standalone workstations prior to being implemented on the host or network server.

Verify that the current version of antiviral software is installed on the server and that upgrades are regularly downloaded to workstations.


System Audit Trail Controls

Audit trails are logs that record activity at the system, application, and user level.

There are two types of audit logs: (1) detailed logs of individual keystrokes and (2) event-oriented logs.


Keystroke monitoring involves recording both the user's keystrokes and the system's responses.

Event monitoring summarizes key activities related to system resources.


Audit trails can be used to support security objectives in three ways:

(1) detecting unauthorized access to the system,

(2) facilitating the reconstruction of events, and

(3) promoting personal accountability.


The auditor's objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede systems failures, and planning resource allocation.


Audit Procedures Relating to System Audit Trails

Most operating systems provide some form of audit manager function to specify the events that are to be audited.

Many operating systems provide an audit log viewer that allows the auditor to scan the log for unusual activity.

The organization's security group has responsibility for monitoring and reporting security violations.
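As an added example (not from the slides), the following script scans a small event-oriented audit log for the three uses named above: it flags unauthorized-access indicators (a burst of failed logons followed by a success, and access denied to a resource), reconstructs one account's sequence of events, and attributes every event to an account. The log lines, field names and the failure threshold are constructed for this illustration.

```python
# Added example (not from the slides): scan an event-oriented audit log for the
# three uses named above: unauthorized-access indicators (a burst of failed
# logons followed by success, access denied to a resource), reconstruction of
# one account's event sequence, and attribution of each event to an account.
# The log lines and the failure threshold are constructed for this illustration.

LOG = """\
2019-07-25T08:01:02 user=alice event=LOGON result=SUCCESS
2019-07-25T08:05:10 user=alice event=FILE_READ object=payroll.dat result=SUCCESS
2019-07-25T22:10:01 user=bob event=LOGON result=FAILURE
2019-07-25T22:10:09 user=bob event=LOGON result=FAILURE
2019-07-25T22:10:15 user=bob event=LOGON result=FAILURE
2019-07-25T22:10:22 user=bob event=LOGON result=SUCCESS
2019-07-25T22:11:40 user=bob event=FILE_WRITE object=payroll.dat result=DENIED
"""

FAILED_LOGON_THRESHOLD = 3   # assumed: this many failures before a success is suspicious

def parse_log(text):
    """Return one dict per line: the timestamp under 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        ts, _, fields = line.partition(" ")
        if not fields:
            continue   # skip blank or malformed lines
        ev = {"ts": ts}
        ev.update(kv.split("=", 1) for kv in fields.split())
        events.append(ev)
    return events

def unauthorized_access(events):
    """Return (user, reason) findings for failure bursts ending in success and denied access."""
    findings, failures = [], {}
    for ev in events:
        user = ev["user"]
        if ev["event"] == "LOGON" and ev["result"] == "FAILURE":
            failures[user] = failures.get(user, 0) + 1
        elif ev["event"] == "LOGON":
            if failures.get(user, 0) >= FAILED_LOGON_THRESHOLD:
                findings.append((user, f"logon succeeded after {failures[user]} failures"))
            failures[user] = 0
        elif ev["result"] == "DENIED":
            findings.append((user, f"{ev['event']} denied on {ev.get('object', '?')}"))
    return findings

def reconstruct(events, user):
    """Return the chronological (timestamp, event, result) trail for one account."""
    trail = [ev for ev in events if ev["user"] == user]
    return [(ev["ts"], ev["event"], ev["result"]) for ev in sorted(trail, key=lambda e: e["ts"])]
```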


AUDITING NETWORKS


Intranet Risks

Intranets consist of small LANs and large WANs that may contain thousands of individual nodes.

Interception of Network Messages

Access to Corporate Databases

Privileged Employees


Internet Risks

IP Spoofing


Controlling Networks

Firewalls: a system that enforces access control between two networks.

Encryption: the conversion of data into a secret code for storage in databases and transmission over networks. The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext). At the receiving end, the ciphertext is decoded (decrypted) back into cleartext.


Digital Signatures: electronic authentication that cannot be forged.

Digital Certificate: issued by a trusted third party called a certification authority (CA).


Controlling Risks from Equipment Failure

Line Errors

The auditor's objective is to verify the integrity of the electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure.


AUDITING ELECTRONIC DATA INTERCHANGE (EDI)

A general definition of EDI is: the intercompany exchange of computer-processible business information in standard format.

Key to EDI success is the use of a standard format for messaging between dissimilar systems.


Several important features of EDI


Benefits of EDI

Data keying. EDI reduces or even eliminates the need for data entry.

Error reduction. Firms using EDI see reductions in data keying errors, human interpretation and classification errors, and filing (lost document) errors.

Reduction of paper. The use of electronic envelopes and documents drastically reduces the paper forms in the system.


Postage. Mailed documents are replaced with much cheaper data transmissions.

Automated procedures. EDI automates manual activities associated with purchasing, sales order processing, cash disbursements, and cash receipts.

Inventory reduction. By ordering directly as needed from vendors, EDI reduces the lag time that promotes inventory accumulation.


EDI Controls

Some VANs have the capability of validating passwords and user ID codes for the vendor by matching these against a valid customer file. The VAN rejects any unauthorized trading partner transactions before they reach the vendor's system.

Before being converted, the translation software can validate the trading partner's ID and password against a validation file in the firm's database.

Before processing, the trading partner's application software references the valid customer and vendor files to validate the transaction.


EDI Audit Trail

One technique for restoring the audit trail is to maintain a control log, which records the transactions.
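As an added example (not from the slides), the validation control and the control log described above can be shown together: each inbound transaction's trading-partner ID and password are checked against a valid customer file (passwords stored as salted hashes), the document type is checked against what the trading partner agreement allows, and every accept or reject decision is written to a control log so the trail of transactions can be restored. The partner file, secrets, document types and transactions are constructed.

```python
# Added example (not from the slides): the VAN / translation-software control
# described above, validating each inbound EDI transaction's trading-partner ID
# and password against a valid customer file before it reaches the application,
# and writing every decision to a control log so the audit trail can be
# reconstructed. Partner file, secrets and transactions are constructed.
import hashlib
import hmac

def _hash(pw, salt):
    """Salted hash so the valid customer file never holds cleartext passwords."""
    return hashlib.sha256(salt.encode() + pw.encode()).hexdigest()

# Valid customer file: partner ID -> salt, password hash, approved document types.
VALID_CUSTOMERS = {
    "ACME01": {"salt": "s1", "pw_hash": _hash("acme-secret", "s1"), "docs": {"850", "860"}},
    "GLOBEX": {"salt": "s2", "pw_hash": _hash("globex-secret", "s2"), "docs": {"850"}},
}

CONTROL_LOG = []   # in-memory stand-in for the control log file

def validate_transaction(txn, customers, log):
    """Accept a transaction only if partner ID, password and document type are authorized."""
    partner = customers.get(txn["partner_id"])
    if partner is None:
        verdict = "REJECT: unknown trading partner"
    elif not hmac.compare_digest(partner["pw_hash"], _hash(txn["password"], partner["salt"])):
        verdict = "REJECT: bad password"
    elif txn["doc_type"] not in partner["docs"]:
        verdict = "REJECT: document type not in trading partner agreement"
    else:
        verdict = "ACCEPT"
    # Every transaction is logged, accepted or not, so the trail is complete.
    log.append({"ctrl_no": txn["ctrl_no"], "partner": txn["partner_id"], "doc": txn["doc_type"], "verdict": verdict})
    return verdict == "ACCEPT"

# Constructed inbound transactions (control number, partner, password, document type).
TRANSACTIONS = [
    {"ctrl_no": "000000101", "partner_id": "ACME01", "password": "acme-secret", "doc_type": "850"},
    {"ctrl_no": "000000102", "partner_id": "GLOBEX", "password": "globex-secret", "doc_type": "860"},
    {"ctrl_no": "000000103", "partner_id": "INITECH", "password": "x", "doc_type": "850"},
    {"ctrl_no": "000000104", "partner_id": "ACME01", "password": "wrong", "doc_type": "850"},
]

def process_all(txns, customers, log):
    """Return the control numbers accepted; every transaction is logged regardless."""
    return [t["ctrl_no"] for t in txns if validate_transaction(t, customers, log)]

if __name__ == "__main__":
    print(process_all(TRANSACTIONS, VALID_CUSTOMERS, CONTROL_LOG))
    for entry in CONTROL_LOG:
        print(entry)
```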


The auditor's objectives are to determine that

(1) all EDI transactions are authorized, validated, and in compliance with the trading partner agreement;

(2) no unauthorized organizations gain access to database records;

(3) authorized trading partners have access only to approved data; and

(4) adequate controls are in place to ensure a complete audit trail of all EDI transactions.


Audit Procedures Relating to EDI

Tests of Authorization and Validation Controls

Tests of Access Controls

Tests of Audit Trail Controls


AUDITING PC-BASED ACCOUNTING SYSTEMS

PC applications tend to be general-purpose systems that serve a wide range of needs. This allows software vendors to mass-produce low-cost and error-free standard products.

PC accounting systems are popular with smaller firms, which use them to automate and replace manual systems and thus become more efficient and competitive.

Most PC systems are modular in design.


PC Systems Risks and Controls

Operating System Weaknesses

Weak Access Control

Inadequate Segregation of Duties

Multilevel Password Control

Risk of Theft

Weak Backup Procedures

Risk of Virus Infection


Audit Objectives Associated with PC Security

Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.

Verify that adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators.

Verify that backup procedures are in place to prevent data and program loss due to system failures, errors, and so on.

Verify that systems selection and acquisition procedures produce applications that are high quality and protected from unauthorized changes.

Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object.


Audit Procedures Associated with PC Security

The auditor should observe that PCs are physically anchored to reduce the opportunity of theft.

The auditor should verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems.


The auditor should confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.

Where appropriate, the auditor should determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employees' job descriptions.


If removable or external hard drives are used, the auditor should verify that the drives are removed and stored in a secure location when not in use.

By selecting a sample of backup files, the auditor can verify that backup procedures are being followed. By comparing data values and dates on the backup disks to production files, the auditor can assess the frequency and adequacy of backup procedures.
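As an added example (not from the slides), the backup test above can be automated for a sample of files: each sampled backup is compared with its production copy by content digest and by file date, so a missing copy, a backup older than the expected interval while production has changed, and a recent backup whose data nevertheless differs are each reported separately. The directories, files and backup interval are constructed in a temporary directory.

```python
# Added example (not from the slides): test a sample of backup files against
# production by comparing content digests and file dates, reporting backups that
# are missing, stale (older than the assumed backup interval) or whose data
# differs. The directories, files and interval are constructed in a temp dir.
import hashlib
import os
import tempfile
import time

MAX_BACKUP_AGE_DAYS = 1   # assumed backup interval: daily

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_backups(production_dir, backup_dir, sample, now=None):
    """Return {filename: finding} for sampled files whose backup is missing, stale or different."""
    now = time.time() if now is None else now
    findings = {}
    for name in sample:
        prod, bak = os.path.join(production_dir, name), os.path.join(backup_dir, name)
        if not os.path.exists(bak):
            findings[name] = "no backup copy"
        elif digest(prod) != digest(bak):
            age_days = (now - os.path.getmtime(bak)) / 86400
            if age_days > MAX_BACKUP_AGE_DAYS:
                findings[name] = f"stale backup: {age_days:.0f} days old, production has changed"
            else:
                findings[name] = "backup data differs from production"
    return findings

def build_sample_dirs():
    """Create constructed production and backup trees; return (prod_dir, backup_dir)."""
    root = tempfile.mkdtemp()
    prod, bak = os.path.join(root, "prod"), os.path.join(root, "backup")
    os.makedirs(prod)
    os.makedirs(bak)
    now = time.time()
    # name: (production content, backup content or None, backup age in days)
    files = {"gl.dat": (b"journal v2", b"journal v1", 3), "ar.dat": (b"ar", b"ar", 0), "ap.dat": (b"ap", None, 0)}
    for name, (pdata, bdata, age) in files.items():
        with open(os.path.join(prod, name), "wb") as f:
            f.write(pdata)
        if bdata is not None:
            bpath = os.path.join(bak, name)
            with open(bpath, "wb") as f:
                f.write(bdata)
            os.utime(bpath, (now - age * 86400, now - age * 86400))
    return prod, bak
```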


By selecting a sample of PCs, the auditor should verify that their commercial software packages were purchased from reputable vendors and are legal copies.

The auditor should review the organization's policy for using antiviral software.