
CHAPTER 3:

Security part 1:
auditing operating systems and networks
CSI4601851
Fundamentals of IS Audit
Even Semester 2013/2014
Faculty of Computer Science
Universitas Indonesia
Learning Objectives
Be able to identify the principal threats to the operating
system and the control techniques used to minimize the
possibility of actual exposures.
Be familiar with the principal risks associated with
commerce conducted over intranets and the Internet and
understand the control techniques used to reduce these
risks.
Be familiar with the risks associated with personal
computing systems.
Recognize the unique exposures that arise in connection
with electronic data interchange (EDI) and understand
how these exposures can be reduced (reading
assignment)
Operating Systems
Perform three main tasks:
translates high-level languages into machine-level language
allocates computer resources to user applications
manages the tasks of job scheduling and
multiprogramming
Requirements for Effective Operating Systems Performance
OS must protect itself from users
OS must protect users from each other
OS must protect users from themselves
OS must be protected from itself
OS must be protected from its environment
Such as power failures and other disasters
Operating Systems Security
Log-On Procedure
first line of defense: user IDs and passwords
If a login fails, do not reveal whether the ID or the password caused
the failure
After more than five failed attempts, lock the system
Access Token
contains key information (ID, password, group, privilege) about the
user
Access Control List
defines access privileges of users
Discretionary Access Control
allows user to grant access to another user
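The log-on procedure described above, written out as an added example (not code from the slides or from any real operating system): one generic failure message whatever the cause, a failure counter that locks the account after more than five bad attempts, and an event-oriented audit trail of every attempt. The user and password values are constructed.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5           # slides: lock after more than five failed attempts
GENERIC_FAILURE = "Login failed"  # same text whether the ID, the password or a lock caused it

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, so the password file never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class LoginService:
    """Hypothetical log-on procedure; not the API of any real OS."""

    def __init__(self):
        self.users = {}      # user ID -> record with salt, hash, failure counter, lock flag
        self.audit_log = []  # event-oriented audit trail: (outcome, user ID, reason)

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": hash_password(password, salt),
                               "failed": 0, "locked": False}

    def login(self, user_id: str, password: str):
        """Return (success, message); the message never reveals which check failed."""
        record = self.users.get(user_id)
        if record is None:
            # Unknown ID: still run the slow hash so response time does not reveal it
            hash_password(password, b"\x00" * 16)
            self.audit_log.append(("FAIL", user_id, "unknown user"))
            return False, GENERIC_FAILURE
        if record["locked"]:
            self.audit_log.append(("FAIL", user_id, "account locked"))
            return False, GENERIC_FAILURE
        if hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
            record["failed"] = 0               # a good login resets the counter
            self.audit_log.append(("OK", user_id, "login"))
            return True, "Welcome"
        record["failed"] += 1
        reason = "bad password"
        if record["failed"] > MAX_FAILED_ATTEMPTS:
            record["locked"] = True
            reason = "bad password; account locked"
        self.audit_log.append(("FAIL", user_id, reason))
        return False, GENERIC_FAILURE

    def is_locked(self, user_id: str) -> bool:
        return self.users[user_id]["locked"]
```

The audit trail is what lets an auditor later count failed attempts per user, the check the "System Audit Trail Controls" slides call for.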
Operating System Controls and Audit Tests
Controlling Access Privileges
Password Control
Controlling Against Malicious and Destructive Programs
System Audit Trail Controls
Controlling Access Privileges
Audit objectives relating to access privileges
verify that access privileges are granted in a manner that is consistent
with the need to separate incompatible functions and in accordance with
the organization's policy
Audit procedures relating to access privileges
Review the organization's policies for separating incompatible functions
Review the privileges of a selection of user groups and individuals to
determine if their access rights are appropriate for their job descriptions
and positions
Review personnel records to determine whether privileged employees
undergo an adequately intensive security clearance check in compliance
with company policy
Review employee records to determine whether users have formally
acknowledged their responsibility to maintain the confidentiality of
company data
Review the users' permitted log-on times
Password Control
Common forms of contra-security behavior include:
Forgetting passwords and being locked out of the system.
Failing to change passwords on a frequent basis.
The Post-it syndrome, whereby passwords are written down and
displayed for others to see.
Simplistic passwords that a computer criminal easily anticipates.
Password Control
Reusable Passwords
User defines the password to the system once and then reuses it to
gain future access.
Quality depends on the password itself
Management actions:
require passwords be changed regularly and disallow weak passwords
use extensive databases of known weak passwords to validate the new
password and disallow weak ones
One-Time Passwords
the user's password changes continuously
Common implementation:
PIN + randomly generated password
An additional device with a display (such as a mobile phone) is usually
needed to generate the one-time password

Password Control
Audit objectives
to ensure organization has an adequate and effective password policy
for controlling access to the OS
Audit procedure
Verify that all users are required to have passwords.
Verify that new users are instructed in the use of passwords and the
importance of password control.
Review password control procedures to ensure that passwords are
changed regularly.
Review the password file to determine that weak passwords are identified
and disallowed.
Verify that the password file is encrypted and that the encryption key is
properly secured.
Assess the adequacy of password standards such as length and expiration
interval.
Review the account lockout policy and procedures.
Controlling Against Malicious and Destructive Programs
Corporate losses: data corruption and destruction, degraded
computer performance, hardware destruction, violations of privacy,
and the personnel time devoted to repairing the damage.
Example of malicious & destructive programs: viruses, worms,
logic bombs, back doors, and Trojan horses
Threats can be reduced through a combination of technology controls
and administrative procedures:
Purchase software only from reputable vendors, in factory-sealed
packages.
Issue an entity-wide policy pertaining to the use of unauthorized
software or illegal (bootleg) copies of copyrighted software.
Examine all upgrades to vendor software for viruses before they
are implemented.
Inspect all public-domain software for virus infection before use.
Controlling Against Malicious and Destructive Programs
Threats can be reduced through a combination of
technology controls and administrative procedures (cont.):
Establish entity-wide procedures for making changes to production
programs.
Establish an educational program to raise user awareness
Install all new applications on a stand-alone computer and
thoroughly test them with antiviral software prior to implementing
them on the mainframe or LAN
Routinely make backup copies of key files
Limit users to read and execute rights only
Require protocols that explicitly invoke the operating system's log-on
procedure to bypass Trojan horses
Use antiviral software (also called vaccines) to examine application
and operating system programs
Controlling Against Malicious and Destructive Programs
Audit objectives
verify that effective management policies and procedures are in
place to prevent the introduction and spread of destructive
programs, including viruses, worms, back doors, logic bombs, and
Trojan horses
Audit procedures
Determine that operations personnel have been educated
Verify that new software is tested on workstations prior to being
implemented on the host or network server.
Verify that the antiviral software in use is always the current,
up-to-date version
System Audit Trail Controls
System audit trails are logs that record activity at the
system, application, and user level
Audit trails typically consist of two types of audit logs:
Detailed logs of individual keystrokes
recording both the user's keystrokes and the system's responses
Event-oriented logs
summarize key activities related to system resources
Event logs record: IDs of all users accessing the system; the time and duration
of a user's session; programs that were executed during a session; and
the files, databases, printers, and other resources accessed
System Audit Trail Controls
Audit trails support security objectives in:
detecting unauthorized access to the system,
facilitating the reconstruction of events, and
promoting personal accountability.
Information contained in audit logs is useful to
accountants in measuring the potential damage and
financial loss associated with application errors, abuse of
authority, or unauthorized access by outside intruders.


System Audit Trail Controls
Audit objectives
ensure that the audit trail system is adequate for preventing and detecting
abuses, reconstructing key events that precede system failures, and
planning resource allocation
Audit procedures
verify that the audit trail in the OS has been activated according to
organization policy
use general-purpose data extraction tools to access archived
log files and search for conditions such as: unauthorized or terminated
users; periods of inactivity; etc.
select a sample of security violation cases and evaluate their
disposition to assess the effectiveness of the security group
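The log-file search in the audit procedure above, as an added example that is not part of the slides: an event-oriented log in a constructed format (timestamp, user, event, resource) is scanned for users not on the authorized list, for users whose termination date has passed but who still appear in the log, and for sessions with a gap of inactivity longer than a threshold. The user IDs, dates and the 30-minute threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed event log (not real data): "<ISO time> user=<id> event=<type> resource=<name>"
SAMPLE_LOG = """\
2014-03-10T08:00:00 user=andi event=LOGIN resource=-
2014-03-10T08:05:00 user=andi event=EXEC resource=payroll.exe
2014-03-10T08:06:00 user=andi event=READ resource=salary.db
2014-03-10T09:40:00 user=andi event=READ resource=salary.db
2014-03-10T09:41:00 user=andi event=LOGOUT resource=-
2014-03-10T10:00:00 user=rudi event=LOGIN resource=-
2014-03-10T10:01:00 user=rudi event=READ resource=customers.db
2014-03-10T11:00:00 user=guest42 event=LOGIN resource=-
"""

# rudi left the company but his account was never removed from the authorized list:
# exactly the "terminated user" condition the audit procedure looks for
TERMINATED = {"rudi": datetime(2014, 2, 28)}   # user ID -> termination date (assumed)
AUTHORIZED = {"andi", "rudi", "siti"}          # current OS user list (assumed)
INACTIVITY = timedelta(minutes=30)             # idle gap within a session worth flagging

def parse_line(line: str) -> dict:
    """Split one log line into its fields and parse the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec

def scan_audit_trail(text, terminated=TERMINATED, authorized=AUTHORIZED, inactivity=INACTIVITY):
    """Return findings as (condition, user, time) tuples, in log order."""
    findings = []
    last_seen = {}  # user -> time of previous event in the current session (None after LOGOUT)
    for line in text.splitlines():
        rec = parse_line(line)
        user, t = rec["user"], rec["time"]
        if user not in authorized:
            findings.append(("UNAUTHORIZED_USER", user, t))
        elif user in terminated and t >= terminated[user]:
            findings.append(("TERMINATED_USER", user, t))
        prev = last_seen.get(user)
        # A long gap between two events of the same session is a period of inactivity;
        # the gap before a fresh LOGIN is time between sessions, not inactivity
        if prev is not None and rec["event"] != "LOGIN" and t - prev > inactivity:
            findings.append(("INACTIVITY", user, t))
        last_seen[user] = None if rec["event"] == "LOGOUT" else t
    return findings
```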
Internet and Intranet Risks
The communications component is a unique aspect of
computer networks:
different than processing (applications) or data storage
(databases)
Network topologies are configurations of:
communications lines (twisted-pair wires, coaxial cable,
microwaves, fiber optics)
hardware components (modems, multiplexers, servers, front-end
processors)
software (protocols, network control systems)
Intranet Risks
Interception of network messages
Sniffing confidential data such as passwords, confidential e-mails,
and financial data files
Access to corporate databases
Central database increases the risk that an employee will view,
corrupt, change, or copy data such as customer listings, credit card
information, recipes, formulas, and design specifications
Privileged employees
middle managers, who often possess access privileges that allow
them to override controls, are most often prosecuted for insider
crimes
Reluctance to prosecute
fear of negative publicity
Internet Risks to Businesses
IP spoofing: masquerading to gain access to a Web
server and/or to perpetrate an unlawful act without
revealing one's identity
Denial of service (DOS) attacks: assaulting a Web
server to prevent it from servicing users
particularly devastating to business entities that cannot
receive and process business transactions
Other malicious programs: viruses, worms, logic
bombs, and Trojan horses pose a threat to both
Internet and Intranet users
Three Common Types of DOS Attacks
SYN flood: when the three-way handshake needed
to establish an Internet connection occurs, the final
acknowledgement is not sent by the DOS attacker,
thereby tying up the receiving server while it waits.
Smurf: the DOS attacker uses numerous
intermediary computers to flood the target computer
with test messages (pings).
Distributed DOS (DDOS): can take the form of
Smurf or SYN attacks, but is distinguished by the vast
number of zombie computers hijacked to launch
the attacks.

In a SYN flood DOS attack, the sender sends hundreds of messages,
receives the SYN/ACK packet, but does not respond with an
ACK packet. This leaves the receiver with clogged
transmission ports, and legitimate messages cannot be
received.

Figure: SYN flood DOS attack. Sender and receiver; step 1: SYN messages; step 2: SYN/ACK; step 3: ACK packet
Figure: Smurf attack
Figure: Distributed denial of service attack
Risks from Equipment Failure
Include:
Disrupting, destroying, or corrupting
transmissions between senders and
receivers
Loss of databases and programs stored on
network servers
Controlling Risks from Subversive Threats
Firewalls
a system that enforces access control between two
networks
Only authorized traffic between the organization and the
outside is allowed to pass through the firewall
Types:
Network-level firewalls: screening router that examines the source
and destination addresses
Application-level firewalls: run security applications called proxies
Figure: Dual-homed firewall
Controlling Risks from Subversive Threats
Controlling DOS Attacks
Controlling for three common forms of DOS attacks:
Smurf attacks: organizations can program firewalls to
ignore an attacking site once it is identified
SYN flood attacks: two tactics to defeat this DOS attack
Get Internet hosts to use firewalls that block invalid IP addresses
Use security software that scans for half-open connections
DDOS attacks: many organizations use intrusion
prevention systems (IPS) that employ deep packet
inspection (DPI)
An IPS works with a firewall filter that removes malicious packets
from the flow before they can affect servers and networks
DPI searches for protocol non-compliance and employs
predefined criteria to decide whether a packet can proceed to its
destination
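The "scan for half-open connections" tactic above, as an added example (not from the slides and not the logic of any named product): a socket table in netstat-like form is parsed and the connections stuck in SYN_RECV are counted per local service and per remote address, raising an alert when either count reaches a threshold. The addresses, states and thresholds are constructed; because a real SYN flood usually spoofs its source addresses, the per-service count is the more reliable signal and the per-source count mainly helps when an attacking site can be identified and ignored at the firewall.

```python
from collections import Counter

# Constructed socket-table lines in netstat style (documentation address ranges, not a capture):
# proto recv-q send-q local remote state
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.9:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 192.0.2.20:51000 ESTABLISHED
tcp 0 0 10.0.0.5:443 192.0.2.21:51001 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.7:40005 SYN_RECV
"""

HALF_OPEN = "SYN_RECV"   # server sent SYN/ACK and is still waiting for the final ACK

def parse_sockets(text):
    """Return (local endpoint, remote IP, state) for every line of the table."""
    rows = []
    for line in text.splitlines():
        _proto, _rq, _sq, local, remote, state = line.split()
        remote_ip = remote.rsplit(":", 1)[0]   # drop the ephemeral client port
        rows.append((local, remote_ip, state))
    return rows

def half_open_counts(text):
    """Number of half-open connections per local service and per remote address."""
    rows = parse_sockets(text)
    by_service = Counter(local for local, _, state in rows if state == HALF_OPEN)
    by_source = Counter(rip for _, rip, state in rows if state == HALF_OPEN)
    return by_service, by_source

def half_open_report(text, per_service=3, per_source=3):
    """Alerts as (scope, key, count) when a threshold is reached (thresholds are assumed)."""
    by_service, by_source = half_open_counts(text)
    alerts = [("SERVICE", svc, n) for svc, n in by_service.items() if n >= per_service]
    alerts += [("SOURCE", src, n) for src, n in by_source.items() if n >= per_source]
    return alerts
```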


Controlling Risks from Subversive Threats
Encryption
The conversion of data into a secret code for storage
and transmission
Encryption algorithms use keys
Typically 56 to 128 bits in length
The more bits in the key, the stronger the encryption method.
Two general approaches to encryption are private key
and public key encryption.
Private key encryption
Advanced Encryption Standard (AES) uses a single key known to both
the sender and the receiver of the message
Triple Data Encryption Standard (Triple DES) uses three keys
Techniques: EEE3 and EDE3
Public key encryption
uses two different keys: one for encoding messages and the other for
decoding them
each recipient has a private key that is kept secret and a public key that
is published

Controlling Risks from Subversive Threats
Digital signature: an electronic authentication technique to
ensure that
the transmitted message originated with the authorized sender
the message was not tampered with after the signature was applied
Digital certificate: like an electronic identification card,
used with a public key encryption system
Verifies the authenticity of the message sender
Figure: EEE3 and EDE3 techniques
Figure: Public key encryption
Figure: Digital signature
Controlling Risks from Subversive Threats
Message sequence numbering: a sequence number is
used to detect missing messages
Message transaction log: a listing of all incoming and
outgoing messages, used to detect the efforts of hackers
Request-response technique: a control message
from the sender and a response from the receiver are
sent at periodic, synchronized intervals.
The timing of the messages should follow a random pattern that
will be difficult for the intruder to determine and circumvent
Call-back devices: the receiver calls the sender back at a
pre-authorized phone number before the transmission is
completed
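Message sequence numbering checked against a message transaction log, as an added example that is not part of the slides: for each direction the logged sequence numbers are compared with the expected run and the numbers that are missing (lost messages), duplicated (retransmissions or replays) and out of order are reported. The log entries are constructed.

```python
# Constructed message transaction log kept at one site: (sequence number, direction, payload)
TRANSACTION_LOG = [
    (1, "IN", "PO-1001"), (1, "OUT", "ACK-1001"),
    (2, "IN", "PO-1002"), (2, "OUT", "ACK-1002"),
    (4, "IN", "PO-1004"),            # incoming message 3 never arrived
    (2, "IN", "PO-1002"),            # a message already received appears again (replay)
    (6, "IN", "PO-1006"),
    (5, "IN", "PO-1005"),            # arrived after 6
    (4, "OUT", "ACK-1004"),          # outgoing message 3 was never sent
]

def check_sequence(log, first=1):
    """Per direction, compare logged sequence numbers with the run first, first+1, ...
    Returns {direction: {"missing": [...], "duplicates": [...], "out_of_order": [...]}}."""
    state = {}
    for seq, direction, _payload in log:
        st = state.setdefault(direction, {"seen": set(), "duplicates": [],
                                          "out_of_order": [], "highest": first - 1})
        if seq in st["seen"]:
            st["duplicates"].append(seq)      # same number twice in one direction
            continue
        st["seen"].add(seq)
        if seq < st["highest"]:
            st["out_of_order"].append(seq)    # a lower number logged after a higher one
        st["highest"] = max(st["highest"], seq)
    report = {}
    for direction, st in state.items():
        # Every number up to the highest one seen should have been logged exactly once
        missing = [s for s in range(first, st["highest"] + 1) if s not in st["seen"]]
        report[direction] = {"missing": missing, "duplicates": st["duplicates"],
                             "out_of_order": st["out_of_order"]}
    return report
```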
Controlling Risks from Subversive Threats
Audit objectives: to verify the security and integrity of financial transactions by
determining that network controls
can prevent and detect illegal access both internally and from the Internet
will render useless any data that a perpetrator successfully captures
are sufficient to preserve the integrity and physical security of data connected to the
network
Audit procedures
(1) Review the adequacy of the firewall in balancing control and convenience.
Flexibility. The firewall should be flexible enough to accommodate new services.
Proxy services. Adequate proxy applications should be in place to provide explicit user
authentication to sensitive services, applications, and data.
Filtering. The firewall should specify which services the user is permitted to access.
Segregation of systems. Systems that do not require public access should be segregated
from the Internet.
Audit tools. The firewall should provide a thorough set of audit and logging tools that identify
and record suspicious activity.
Probe for weaknesses. Periodically probe the firewall for weaknesses just as an
Internet hacker would do.
Controlling Risks from Subversive Threats
Audit procedures
(2) Verify that an intrusion prevention system (IPS) is in place for
organizations that are vulnerable to DDOS attacks, such as financial
institutions.
(3) Review security procedures governing the administration of
data encryption keys.
(4) Verify the encryption process by transmitting a test message
and examining the contents at various points along the channel
between the sending and receiving locations.
(5) Review the message transaction logs to verify that all messages
were received in their proper sequence.
(6) Test the operation of the call-back feature by placing an
unauthorized call from outside the installation.
Controlling Risks from Equipment Failure
The most common problem in data communications is data loss due
to line error
Controls:
Echo Check -- the receiver returns the message to the sender
Parity Check -- incorporates an extra bit (the parity bit) into the
structure of a bit string when it is created or transmitted
Audit objectives
verify the integrity of the transactions by determining that controls
are in place to detect and correct message loss due to equipment
failure.
Audit procedures
select a sample of messages from the transaction log and examine
them for garbled content caused by line noise
verify that all corrupted messages were successfully retransmitted
Figure: Vertical and horizontal parity using odd parity
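The vertical and horizontal parity check of the figure above, worked through as an added example (not code from the slides): each character becomes a row of seven data bits plus a horizontal parity bit chosen so the row has an odd number of 1s, and a final check row holds the vertical parity bit of every column. A single corrupted bit then fails exactly one row check and one column check, so the receiver can locate and correct it, not just detect it. The 7-bit width and the sample text are assumptions.

```python
def odd_parity_bit(bits):
    """The bit that makes the number of 1s in bits, plus itself, odd."""
    return 0 if sum(bits) % 2 == 1 else 1

def encode_block(data: bytes, width: int = 7):
    """Rows of `width` data bits + horizontal parity bit, then a vertical-parity check row."""
    rows = []
    for b in data:
        assert b < 2 ** width, "character does not fit in the data width"
        bits = [(b >> i) & 1 for i in range(width - 1, -1, -1)]   # most significant bit first
        rows.append(bits + [odd_parity_bit(bits)])
    check_row = [odd_parity_bit([r[c] for r in rows]) for c in range(width + 1)]
    return rows + [check_row]

def decode_block(block, width: int = 7) -> bytes:
    """Recover the characters from the data rows, ignoring the parity column and check row."""
    return bytes(int("".join(map(str, r[:width])), 2) for r in block[:-1])

def find_errors(block):
    """Indices of data rows and of columns whose parity is no longer odd.
    Only data rows carry a row parity bit, so the check row is not tested row-wise."""
    data_rows, ncols = block[:-1], len(block[0])
    bad_rows = [i for i, r in enumerate(data_rows) if sum(r) % 2 == 0]
    bad_cols = [c for c in range(ncols) if sum(r[c] for r in block) % 2 == 0]
    return bad_rows, bad_cols

def correct_single_bit(block):
    """Flip the one bit at the intersection of the failing row and column.
    Returns (block, None) if clean, (block, (row, col)) if corrected, else 'uncorrectable'."""
    bad_rows, bad_cols = find_errors(block)
    if not bad_rows and not bad_cols:
        return block, None
    if len(bad_cols) == 1 and len(bad_rows) <= 1:
        # A failing column with no failing data row means the error is in the check row itself
        r = bad_rows[0] if bad_rows else len(block) - 1
        block[r][bad_cols[0]] ^= 1
        return block, (r, bad_cols[0])
    return block, "uncorrectable"   # two or more bad bits: detected, but not locatable
```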
PC Systems Risks and Controls
OS weaknesses
minimal security for data files and programs
data stored on microcomputers that are shared by multiple users
are exposed to unauthorized access, manipulation, and destruction
Weak access control
Logon procedures are usually active only when the computer is
booted from the hard drive
What about booting from a CD-ROM?
Inadequate segregation of duties
Computers are shared among end users
Operator may also act as developer

PC Systems Risks and Controls
Risk of Theft
PCs and laptops are easy to steal
Policy for managing sensitive data
Weak backup procedures
Disk failure is the primary cause of data loss in PC environments
End users should back up their own PCs, but most of them lack the
experience
Risk of virus infection
ensure that effective antivirus software is installed on the PCs and
kept up-to-date
Multilevel password control
When computers are shared among employees
each employee is required to enter a password to access his or her
applications and data.

Audit Objectives
Verify that controls are in place to protect data, programs, and
computers from unauthorized access, manipulation, destruction, and
theft.
Verify that adequate supervision and operating procedures exist to
compensate for lack of segregation between the duties of users,
programmers, and operators.
Verify that backup procedures are in place to prevent data and
program loss due to system failures, errors, and so on.
Verify that systems selection and acquisition procedures produce
applications that are high quality, and protected from unauthorized
changes.
Verify that the system is free from viruses and adequately protected to
minimize the risk of becoming infected with a virus or similar object.
Audit Procedures
Observe PCs are physically anchored to reduce the opportunity of theft.
Verify from organizational charts, job descriptions, and observation that
programmers of accounting systems do not also operate those systems.
Determine that multilevel password control is used to limit access to data and
applications and that the access authority granted is consistent with the
employees' job descriptions.
If removable or external hard drives are used, the auditor should verify that
the drives are removed and stored in a secure location when not in use.
Select a sample of backup files and verify that backup procedures are being
followed.
Select a sample of PCs and verify that their commercial software packages
were purchased from reputable vendors and are legal copies.
Review the organization's policy for using antiviral software
