Security part 1: auditing operating systems and networks

Auditing operating systems

OS objectives
- Main tasks of the operating system
  - translates high-level languages (COBOL, C++, SQL, etc.) into machine language through its compilers and interpreters
  - allocates computer resources to users, workgroups, and applications
  - manages the tasks of job scheduling and multiprogramming; jobs reach the OS
    - directly from the system operator
    - from various batch-job queues
    - through telecommunication links from remote workstations
- Security objectives: the operating system
  - must protect itself from users
  - must protect users from each other
  - must protect users from themselves
  - must be protected from itself
  - must be protected from its environment

OS security
- Log-on procedure: the first line of defense against unauthorized access
- Access token: created at log-on; contains key information about the user, such as user ID, password, user group, and the privileges granted
- Access control list: contains the information that defines the access privileges for all valid users of a resource
- Discretionary access privileges: allow a user to grant access privileges to other users

Threats to OS integrity
- privileged personnel who abuse their authority
- individuals who browse the operating system to identify and exploit security flaws
- individuals who intentionally or accidentally insert viruses or other forms of destructive programs

OS controls and audit tests

Controlling access privileges
- Access privileges must be carefully administered and closely monitored for compliance with organizational policy and the principles of internal control
- Audit objective
  - verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and in accordance with the organization's policy
- Audit procedures
  - review the organization's policies for separating incompatible functions and ensure that they promote reasonable security
  - review the privileges of a selection of user groups and individuals to determine that their access rights are appropriate for their job descriptions and positions
  - review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with policy
  - review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data
  - review the users' permitted log-on times
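The following is an added example (not code from the original mind map) of how the access-token, access-control-list and discretionary-privilege concepts above fit together, and of how an auditor might script the "separate incompatible functions" review. The users, groups, resource, and the list of incompatible function pairs are constructed for illustration; the rule that only a resource's owner may grant discretionary privileges is an assumed policy.

```python
"""Access token / ACL evaluation and a separation-of-duties review.

Added example for the access-privilege controls above; it is not code from the
original mind map. The users, groups, resources and the list of incompatible
function pairs are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Issued at log-on: who the user is, which group, which privileges."""
    user_id: str
    group: str
    privileges: frozenset


@dataclass
class Resource:
    """A protected object with its access control list.

    acl maps a principal (a user ID or a group name) to the operations
    that principal may perform on the resource.
    """
    name: str
    owner: str
    acl: dict = field(default_factory=dict)

    def permits(self, token: AccessToken, op: str) -> bool:
        """Check the token's user entry first, then its group entry."""
        return any(op in self.acl.get(p, set()) for p in (token.user_id, token.group))

    def grant(self, granter: AccessToken, grantee: str, ops: set) -> None:
        """Discretionary access privilege: the owner may extend rights to others.

        Assumed policy for this example: only the resource owner may grant.
        """
        if granter.user_id != self.owner:
            raise PermissionError(f"{granter.user_id} does not own {self.name}")
        self.acl.setdefault(grantee, set()).update(ops)


# Function pairs that policy treats as incompatible for one person (constructed).
INCOMPATIBLE_FUNCTIONS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_transaction", "authorize_transaction"}),
]


def sod_violations(tokens):
    """Review each user's privileges; report users holding an incompatible pair."""
    findings = []
    for token in tokens:
        for pair in INCOMPATIBLE_FUNCTIONS:
            if pair <= token.privileges:
                findings.append((token.user_id, tuple(sorted(pair))))
    return findings


# Constructed sample data: three users and one resource.
ALICE = AccessToken("alice", "accounts_payable",
                    frozenset({"create_vendor", "approve_payment", "read_vendor_file"}))
BOB = AccessToken("bob", "internal_audit", frozenset({"read_vendor_file"}))
CAROL = AccessToken("carol", "accounts_payable", frozenset({"enter_transaction"}))

VENDOR_FILE = Resource(
    name="vendor_file",
    owner="alice",
    acl={"accounts_payable": {"read", "write"}, "internal_audit": {"read"}},
)


def review():
    """Run the checks an auditor would script against this data."""
    return {
        "alice_can_write": VENDOR_FILE.permits(ALICE, "write"),
        "bob_can_write": VENDOR_FILE.permits(BOB, "write"),
        "bob_can_read": VENDOR_FILE.permits(BOB, "read"),
        "sod": sod_violations([ALICE, BOB, CAROL]),
    }


if __name__ == "__main__":
    print(review())
```

The separation-of-duties finding (alice can both create a vendor and approve a payment) is exactly the kind of privilege combination the review of user groups and individuals is meant to surface; the ACL check shows why the auditor also needs the group memberships, since bob's read access comes from his group rather than from a user entry.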

Password control
- Reusable password: the user defines the password to the system once and then reuses it to gain future access
- One-time password: changes continuously
- Audit objective
  - ensure that the organization has an adequate and effective password policy for controlling access to the operating system
- Audit procedures
  - verify that all users are required to have passwords
  - verify that new users are instructed in the use of passwords and the importance of password control
  - review password control procedures to ensure that passwords are changed regularly and that weak passwords are identified and disallowed
  - review the password file to verify that it is encrypted and secured
  - assess the adequacy of password standards such as length and expiration interval
  - review the account lockout policy and procedures (after how many failed log-on attempts is the account locked)
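As an added example (not code from the original mind map), the script below implements the password standards the audit procedures above ask about: a minimum length, a disallowed-weak-password check, an expiration interval, and an account lockout after a number of failed log-ons. The policy values (12 characters, 90 days, 5 failures), the short common-password list, the review date, and the sample accounts are all constructed for illustration.

```python
"""Password-standard checks and an account-lockout tracker.

Added example for the password-control audit procedures above; not code from
the original mind map. The policy values, the small weak-password list and the
sample accounts are constructed for illustration.
"""
import re
from datetime import date, timedelta

POLICY = {"min_length": 12, "max_age_days": 90, "lockout_threshold": 5}
REVIEW_DATE = date(2014, 10, 7)   # constructed "today" for the review

# A real deployment would use a large breached-password list; this is a stub.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}


def weak_password_reasons(password: str, policy=POLICY) -> list:
    """Return the reasons a password should be disallowed (empty list = acceptable)."""
    reasons = []
    if len(password) < policy["min_length"]:
        reasons.append("shorter than %d characters" % policy["min_length"])
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def password_expired(last_changed: date, today: date, policy=POLICY) -> bool:
    """Expiration-interval check: true when the password is older than policy allows."""
    return today - last_changed > timedelta(days=policy["max_age_days"])


class LockoutTracker:
    """Counts consecutive failed log-ons per user and locks the account at the threshold."""

    def __init__(self, threshold: int = POLICY["lockout_threshold"]):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one log-on attempt; return 'locked', 'denied' or 'granted'."""
        if user in self.locked:
            return "locked"          # even a correct password is refused once locked
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.threshold:
                self.locked.add(user)
                return "locked"
            return "denied"
        self.failures[user] = 0      # a success resets the counter
        return "granted"


def review_accounts(accounts, today: date = REVIEW_DATE, policy=POLICY):
    """Audit an account list: flag missing, weak and expired passwords."""
    findings = []
    for acct in accounts:
        if acct["password"] is None:
            findings.append((acct["user"], "no password set"))
            continue
        for reason in weak_password_reasons(acct["password"], policy):
            findings.append((acct["user"], reason))
        if password_expired(acct["last_changed"], today, policy):
            findings.append((acct["user"], "password expired"))
    return findings


# Constructed sample accounts (plaintext only because this is a demonstration;
# a real password file must be encrypted, as the audit procedure requires).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "password": "Tr0ub4dor&3-sunlight", "last_changed": date(2014, 9, 1)},
    {"user": "bob", "password": "password1", "last_changed": date(2014, 1, 15)},
    {"user": "carol", "password": None, "last_changed": date(2014, 6, 1)},
]

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```

Running the review reports nothing for alice, four findings for bob (too short, on the common list, too few character classes, expired), and a missing password for carol; the lockout tracker shows the behaviour the "after how many failed log-ons" question is probing, including that a correct password no longer helps once the threshold has been reached.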

Controls against malicious and destructive programs
- Audit objective
  - verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs
- Audit procedures
  - through interviews, determine that operations personnel have been educated about viruses and are aware of the risk
  - verify that new software is tested on standalone workstations before it is implemented on the network server
  - verify that the current version of antivirus software is installed and upgraded regularly

System audit trail controls
- Types of audit trail
  - detailed logs of individual keystrokes: record both the user's keystrokes and the system's responses
  - event-oriented logs: summarize key activities related to system resources and record the IDs of all users accessing the system
- Setting audit trail objectives
  - detecting unauthorized access to the system
  - facilitating the reconstruction of events (reconstructing the key events that precede system failures; planning resource allocation)
  - promoting personal accountability
- Implementing a system audit trail
- Audit objective
  - ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing the key events that precede system failures, and planning resource allocation
- Audit procedures
  - verify that the audit trail has been activated according to organizational policy
  - use general-purpose data extraction tools to access archived log files and search for defined conditions
  - select a sample of security violation cases and evaluate their disposition to assess the effectiveness
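The audit procedure of searching archived logs for defined conditions is easiest to see on an event-oriented log. The block below is an added example (not code from the original mind map) that parses a constructed log extract and applies three conditions an auditor would typically define: successful log-ons outside the user's permitted log-on times, a success that follows a run of failures, and access attempts the access control list denied. The log format, the permitted-hours policy, and every log line are constructed.

```python
"""Event-oriented log review for the audit-trail procedures above.

Added example, not code from the original mind map. The log format
(key=value fields after a timestamp), the permitted log-on windows and the log
lines themselves are constructed for illustration.
"""
from datetime import datetime, time

# Constructed event-oriented log extract (chronological).
LOG_LINES = """\
2014-10-07 02:01:11 user=carol event=LOGON result=FAILURE src=192.0.2.77
2014-10-07 02:01:19 user=carol event=LOGON result=FAILURE src=192.0.2.77
2014-10-07 02:01:27 user=carol event=LOGON result=FAILURE src=192.0.2.77
2014-10-07 02:01:36 user=carol event=LOGON result=FAILURE src=192.0.2.77
2014-10-07 02:01:44 user=carol event=LOGON result=SUCCESS src=192.0.2.77
2014-10-07 08:15:02 user=alice event=LOGON result=SUCCESS src=10.0.0.21
2014-10-07 08:16:40 user=alice event=ACCESS object=payroll.db result=SUCCESS src=10.0.0.21
2014-10-07 23:41:10 user=bob event=LOGON result=SUCCESS src=10.0.0.35
2014-10-07 23:42:05 user=bob event=ACCESS object=payroll.db result=DENIED src=10.0.0.35
"""

# Permitted log-on window per user (assumed policy: office hours only).
PERMITTED_HOURS = {
    "alice": (time(8), time(18)),
    "bob": (time(8), time(18)),
    "carol": (time(8), time(18)),
}


def parse(line: str) -> dict:
    """Turn one log line into a dict, with the timestamp as a datetime under 'ts'."""
    stamp, rest = line[:19], line[20:]
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return event


def load(text: str) -> list:
    """Parse the extract and order it by time (archived logs are not always sorted)."""
    return sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])


def off_hours_logons(events, windows=PERMITTED_HOURS):
    """Successful log-ons outside the user's permitted window."""
    hits = []
    for e in events:
        if e["event"] == "LOGON" and e["result"] == "SUCCESS":
            start, end = windows.get(e["user"], (time(0), time(23, 59, 59)))
            if not start <= e["ts"].time() < end:
                hits.append((e["user"], e["ts"].strftime("%Y-%m-%d %H:%M:%S")))
    return hits


def failures_then_success(events, threshold=3):
    """Users whose log-on succeeded right after `threshold` or more consecutive failures."""
    streak, hits = {}, []
    for e in events:
        if e["event"] != "LOGON":
            continue
        u = e["user"]
        if e["result"] == "FAILURE":
            streak[u] = streak.get(u, 0) + 1
        else:
            if streak.get(u, 0) >= threshold:
                hits.append((u, streak[u]))
            streak[u] = 0
    return hits


def denied_object_access(events):
    """Attempts to reach a resource that the access control list refused."""
    return [(e["user"], e["object"]) for e in events
            if e["event"] == "ACCESS" and e["result"] == "DENIED"]


def review(text: str = LOG_LINES) -> dict:
    """Apply the defined conditions to a log extract."""
    events = load(text)
    return {
        "off_hours": off_hours_logons(events),
        "brute_force": failures_then_success(events),
        "denied": denied_object_access(events),
    }


if __name__ == "__main__":
    print(review())
```

Each finding is a security violation case of the kind the last audit procedure samples; the reviewer would then follow its disposition (was carol's account investigated, was bob's off-hours session explained) rather than stop at the detection.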

Auditing networks

Intranet risks
- interception of network messages
- access to corporate databases
- privileged employees

Internet risks
- IP spoofing: forging the source address of a packet
- denial of service (DoS) attack: a perpetrator overwhelms a victim
  - examples
    - SYN flood attack
    - smurf attack: ping (ICMP echo) requests sent to a broadcast address with the victim's spoofed source address, so the victim is flooded with replies
    - distributed denial of service (DDoS): the perpetrator controls intermediaries (zombies/bots) that attack the victim
- risk from equipment failure: hardware, software, communication lines

Controlling networks
- Firewall
  - network-level firewall (screening router)
  - application-level firewall (proxy service)
- Controlling denial of service attacks
  - intrusion prevention systems (IPS) with deep packet inspection (DPI)
- Encryption: conversion of data into a secret code for storage in databases and transmission over networks; it renders useless any data that a perpetrator successfully captures
  - private key encryption: triple DES, advanced encryption standard (AES)
  - public key encryption: Rivest-Shamir-Adleman (RSA)
  - digital signature
  - digital certificate
- Message sequence numbering
- Message transaction log
- Request-response technique
- Call-back devices

Controlling risk from subversive threats
- Audit objectives
  - prevent and detect illegal access both internally and from the internet
  - render useless any data that a perpetrator successfully captures
  - verify that controls are sufficient to preserve the integrity and physical security of data connected to the network
- Audit procedures
  - review the adequacy of the firewall: flexibility, proxy services, filtering, segregation of systems, audit tools, probe for weaknesses
  - verify that an IPS with DPI is in place
  - review the security procedures governing the administration of data encryption keys
  - verify the encryption process by transmitting a test message
  - review the message transaction log to verify that all messages were received
  - test the operation of the call-back feature
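To make the encryption controls above concrete, the block below is an added example (not code from the original mind map) of public key encryption and a digital signature using textbook RSA: the public key encrypts so that captured ciphertext is useless without the private key, and the private key signs a message digest that anyone holding the public key can verify. The key is built from two well-known primes (2**31-1 and 2**61-1) so the output is deterministic; that 92-bit modulus, the absence of padding, and the sample messages are teaching assumptions only and offer no real security.

```python
"""Public-key encryption and a digital signature with textbook RSA.

Added example for the encryption controls above; it is not code from the
original mind map. The primes are fixed, well-known values chosen so the demo
is deterministic; the resulting key is far too small for real use.
"""
import hashlib

E = 65537   # common public exponent; coprime to phi for the primes used below


def make_keypair(p: int, q: int, e: int = E):
    """Textbook RSA key generation: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key, private key


def encrypt(message: int, public_key) -> int:
    """Anyone with the public key can encrypt; the message must be below n."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message too large for this modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Only the private key holder can recover the plaintext."""
    n, d = private_key
    return pow(ciphertext, d, n)


def digest(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    """Digital signature: the sender applies its private key to the digest."""
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """The receiver recomputes the digest and compares it with the opened signature."""
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


def bytes_to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def int_to_bytes(i: int) -> bytes:
    return i.to_bytes((i.bit_length() + 7) // 8, "big")


# Deterministic demo key from two Mersenne primes (assumption for the example).
PUBLIC, PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)


def demo() -> dict:
    msg = b"PAY 100"                                  # 56 bits, below the 92-bit modulus
    captured = encrypt(bytes_to_int(msg), PUBLIC)     # what an eavesdropper would see
    sig = sign(b"ship order 1001", PRIVATE)
    return {
        "captured_ciphertext_differs": captured != bytes_to_int(msg),
        "round_trip": int_to_bytes(decrypt(captured, PRIVATE)) == msg,
        "signature_valid": verify(b"ship order 1001", sig, PUBLIC),
        "tampered_detected": not verify(b"ship order 1O01", sig, PUBLIC),
    }


if __name__ == "__main__":
    print(demo())
```

The "administration of data encryption keys" procedure maps onto the private half of the pair: whoever holds PRIVATE can decrypt every captured message and forge every signature, so key custody, not the algorithm, is what the auditor reviews. A digital certificate (the next item on the map) is what binds PUBLIC to an identity so the receiver knows whose signature it is verifying.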

Controlling risk from equipment failure
- Line errors: garbled content caused by line noise
- Controls
  - echo check: the receiver returns the message to the sender, who compares it with the original
  - parity check
- Audit objective
  - verify the integrity of electronic commerce transactions by determining that controls are in place to detect and correct message loss
- Audit procedures
  - select a sample of messages from the transaction log and examine them for garbled content caused by line noise
  - verify that all corrupted messages were successfully retransmitted
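The controls in the two sections above (message sequence numbering, the message transaction log, the request-response technique, the echo check and the parity check) work together on one link. The block below is an added example, not code from the original mind map, that simulates a sender and receiver exchanging four numbered frames while the line drops one and corrupts another; the frame layout, the sample messages and the injected faults are constructed for illustration.

```python
"""Line-error and message-loss controls on a simulated link.

Added example for the message controls above (sequence numbering, parity
check, echo check, request-response); not code from the original mind map.
The frame layout, the sample messages and the injected faults are constructed.
"""
from dataclasses import dataclass


def parity_bit(data: bytes) -> int:
    """Even parity over all bits: 1 if the number of set bits is odd, else 0."""
    return sum(bin(b).count("1") for b in data) & 1


@dataclass
class Frame:
    seq: int          # message sequence number assigned by the sender
    payload: bytes
    parity: int       # even-parity bit over the payload


class Sender:
    def __init__(self):
        self.next_seq = 1
        self.log = {}     # message transaction log: seq -> payload sent

    def send(self, payload: bytes) -> Frame:
        frame = Frame(self.next_seq, payload, parity_bit(payload))
        self.log[frame.seq] = payload
        self.next_seq += 1
        return frame

    def check_echo(self, seq: int, echoed: bytes) -> bool:
        """Echo check: compare what the receiver echoed with what was sent."""
        return self.log.get(seq) == echoed


class Receiver:
    def __init__(self):
        self.expected_seq = 1
        self.findings = []   # what the receiver would log for the auditor

    def receive(self, frame: Frame):
        """Validate a frame; return (accepted, echo).

        Request-response pattern: the echo is the payload returned to the
        sender so it can run the echo check.
        """
        if frame.seq < self.expected_seq:
            self.findings.append(("duplicate_or_replay", frame.seq))
            return False, None
        if frame.seq > self.expected_seq:                 # gap in the sequence numbers
            for missing in range(self.expected_seq, frame.seq):
                self.findings.append(("missing", missing))
            self.expected_seq = frame.seq
        if parity_bit(frame.payload) != frame.parity:     # line noise flipped a bit
            self.findings.append(("parity_error", frame.seq))
            return False, None                            # frame must be retransmitted
        self.expected_seq = frame.seq + 1
        return True, frame.payload


def line_noise(frame: Frame, bit: int) -> Frame:
    """Simulate line noise by flipping one payload bit (parity bit untouched)."""
    data = bytearray(frame.payload)
    data[bit // 8] ^= 1 << (bit % 8)
    return Frame(frame.seq, bytes(data), frame.parity)


def run_exchange():
    """Send four messages; the line drops the second and corrupts the third."""
    sender, receiver = Sender(), Receiver()
    frames = [sender.send(m) for m in (b"PO 1001", b"PO 1002", b"PO 1003", b"PO 1004")]
    in_transit = [frames[0], line_noise(frames[2], 5), frames[3]]   # frames[1] is lost
    results = []
    for f in in_transit:
        accepted, echo = receiver.receive(f)
        echo_ok = sender.check_echo(f.seq, echo) if accepted else False
        results.append((f.seq, accepted, echo_ok))
    return results, receiver.findings


if __name__ == "__main__":
    print(run_exchange())
```

The receiver's findings list is the evidence the two audit procedures rely on: sequence numbers 2 and 3 are reported missing (2 was never received, 3 failed the parity check), so the transaction log on both sides shows exactly which messages must be retransmitted and lets the auditor confirm later that they were. A single parity bit detects any odd number of flipped bits but not an even number, which is why it is paired with the echo check rather than used alone.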

Auditing electronic data interchange (EDI)

EDI standard
- Benefits of EDI
  - data keying: reduces the need for data entry
  - error reduction
  - inventory reduction
  - paperless: saves postage
  - automatic processing
  - financial EDI

EDI controls
- access control
- transaction authorization and validation
- audit trail

Audit objectives
- all EDI transactions are authorized, validated, and in compliance with the trading partner agreement
- no unauthorized organization gains access to database records
- authorized trading partners have access only to approved data
- adequate controls are in place to ensure a complete audit trail of all EDI transactions

Audit procedures
- Tests of authorization and validation controls
  - review agreements with the VAN facility to validate transactions
  - examine the organization's valid partner file for accuracy and completeness
- Tests of access controls
  - determine that access to the valid vendor or customer file is limited
  - reconcile the terms of the trading agreement with the trading partner's access privileges
  - simulate access by a sample trading partner and attempt to violate access privileges
- Tests of audit trail controls
  - verify that the EDI system produces a transaction log that tracks transactions through all stages of processing
  - ensure that the information is valid, complete, and correct
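The EDI tests above (examine the valid partner file, simulate a trading partner trying to exceed its privileges, verify a log that tracks each transaction through every stage) can be exercised against a small gateway model. The block below is an added example, not code from the original mind map; the valid partner file, the VAN mailbox identifiers, the X12-style document codes (850 purchase order, 810 invoice, 997 acknowledgement) and the simulated submissions are all constructed for illustration.

```python
"""EDI access control, transaction validation and an audit-trail check.

Added example for the EDI audit objectives and procedures above; not code from
the original mind map. The partner file, mailbox IDs, document codes and the
simulated submissions are constructed for illustration.
"""
STAGES = ("received", "validated", "translated", "posted")

# Valid partner file: which trading partners exist and what their trading
# partner agreement approves (constructed).
VALID_PARTNER_FILE = {
    "ACME": {"approved_docs": {"850", "810"}, "van_mailbox": "VAN-0001"},
    "GLOBEX": {"approved_docs": {"850"}, "van_mailbox": "VAN-0002"},
}


class EDIGateway:
    def __init__(self, partner_file):
        self.partners = partner_file
        self.log = []   # transaction log: (ref, partner, doc_type, stage, detail)

    def _log(self, ref, partner, doc_type, stage, detail=""):
        self.log.append((ref, partner, doc_type, stage, detail))

    def submit(self, partner, doc_type, ref, mailbox, fail_at=None):
        """Run one inbound document through every stage, logging each step.

        fail_at simulates a processing failure after the named stage so the
        audit-trail check has an incomplete transaction to find.
        """
        self._log(ref, partner, doc_type, "received", mailbox)
        agreement = self.partners.get(partner)
        if agreement is None:                            # unknown organization
            self._log(ref, partner, doc_type, "rejected", "partner not in valid partner file")
            return False
        if agreement["van_mailbox"] != mailbox:          # origin must match the agreement
            self._log(ref, partner, doc_type, "rejected", "mailbox does not match agreement")
            return False
        if doc_type not in agreement["approved_docs"]:   # only approved data
            self._log(ref, partner, doc_type, "rejected", "document type not in agreement")
            return False
        for stage in STAGES[1:]:
            self._log(ref, partner, doc_type, stage)
            if stage == fail_at:
                return False
        return True

    def audit_trail(self, ref):
        """Reconstruct the stages one transaction passed through."""
        return [entry[3] for entry in self.log if entry[0] == ref]

    def incomplete(self):
        """Refs neither posted nor explicitly rejected: exceptions for the auditor."""
        last = {}
        for ref, _, _, stage, _ in self.log:
            last[ref] = stage
        return sorted(ref for ref, stage in last.items() if stage not in ("posted", "rejected"))

    def rejections(self):
        return [(ref, detail) for ref, _, _, stage, detail in self.log if stage == "rejected"]


def run_simulation():
    """Simulate trading partners, including attempts to violate access privileges."""
    gw = EDIGateway(VALID_PARTNER_FILE)
    gw.submit("ACME", "850", "T1", "VAN-0001")                         # authorized, completes
    gw.submit("ACME", "997", "T2", "VAN-0001")                         # document not approved
    gw.submit("INITECH", "850", "T3", "VAN-0009")                      # not a trading partner
    gw.submit("GLOBEX", "850", "T4", "VAN-0001")                       # claims GLOBEX, wrong mailbox
    gw.submit("GLOBEX", "850", "T5", "VAN-0002", fail_at="translated")  # stalls mid-processing
    return gw


if __name__ == "__main__":
    gw = run_simulation()
    print(gw.audit_trail("T1"), gw.incomplete(), gw.rejections())
```

Transactions T2, T3 and T4 are the simulated access violations; each is refused with a reason recorded in the log, which is what lets the auditor reconcile the trading agreement against what the partner actually got. T5 is the case the audit-trail test exists for: it was received and validated but never posted, so it appears only because every stage is logged.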

Auditing PC-based accounting systems

PC systems risks and controls
- OS weakness
- weak access control
- inadequate segregation of duties
- multilevel password control
- risk of theft
- risk of viruses
- weak backup procedures

Audit objectives
- verify that controls are in place to protect everything: data, programs, and the computers themselves
- verify that adequate supervision and operating procedures exist
- verify that backups are in place
- verify that systems selection is of high quality and protected
- verify that the system is free from viruses

Security part 1. auditing operating systems and network.mmap - 07/10/2014 - Mindjet