Auditing in CIS Enviroment

ANDAYA, Queenie
CABALTICA, Ednalyn
CARIÑO, Pamela
PACNA, Kriza
PASCUAL, Engel
WIGAN, Krizel Faye

Security Part 1:
Auditing Operating
Systems and Networks
Security Part 1: Auditing
Operating Systems and
Networks

• Auditing Operating
Systems
• Auditing Networks
• Auditing EDI
• Auditing PC-Based
Accounting System
Operating System Threats to System
Objectives Integrity

Operating System
Operating System
Controls and
Security
Audit Test
Operating Systems
–It is the computer’s control program.
–It allows users and their applications to share
and access common resources, such as
processors, main memory, databases, and
printers.
–The larger the computer facility, the greater
the scale of potential damage.
Operating System: Tasks
• Translates high level languages into the machine-level
language
• Allocates computer resources to users, workgroups, and
applications
• Manages the tasks of job scheduling and multiprogramming.
Jobs are submitted to the system in three ways:
1. Directly by the system operator
2. From various batch-job queues
3. Through telecommunication links from remote workstations
Operating System Objectives
1. The OS must protect itself from users.
2. The OS must protect users from each other.
3. The OS must protect users from themselves.
4. The OS must be protected from itself.
5. The OS must be protected from its environment.
Operating System Security
– It involves policies, procedures, and controls that
determine who can access the operating system, which
resources they can use, and what actions they can take.
– Its components include: log-on procedure, access token,
access control list, and discretionary access privileges.
Operating System Security:
Components
1. Log-on Procedure
– First line of defense against unauthorized access
Operating System Security:
Components
• Access Token
– Contains key information about the user that is used to
approve all actions the user attempts during the session
Operating System Security:
Components
• Access Control List
– It is assigned to each IT resource (computer directory,
data file, program, or printer), which controls access to
the resources.
– It contain information that defines the access privileges
for all valid users of the resource.
Operating System Security:
Components
• Discretionary Access Privileges
– These are granted to resource owners and these allows
them to grant access privileges to other users.
Threats to Operating System Integrity
• Accidental Threats
– These refer to situations in which damage or data loss
occurs as a results of an insider with no malicious intent.
Threats to Operating System Integrity
• Intentional Threats
– These refer to attempts to illegally access data or
violate user privacy for financial gain.
– These exposures come from three sources:
1. Privileged personnel who abuse their authority.
2. Individuals, both internal and external to the
organization, who browse the OS to identify and
exploit security flaws.
3. Individuals who intentionally insert computer viruses
or other forms of destructive programs into the OS.
Operating System Controls and Audit
Tests
• Controlling Privileges
– Management should ensure that individuals are not
granted privileges that are incompatible with their
assigned duties.

oAudit Objective Relating to Access Privileges

– Verify that access privileges are granted in a manner
that is consistent with the need to separate
incompatible functions and is in accordance with the
organization’s policy.
Operating System Controls and Audit
Tests
o Audit Process Relating to Access Privileges
1. Review the organization’s policies for separating incompatible
functions and ensure that they promote reasonable security.
2. Review the privileges of a selection of user groups and
individuals to determine if their access rights are appropriate for
their job descriptions and positions.
3. Verify that individuals are granted access to data and programs
based on their need to know.
4. Review personnel records to determine whether privileged
employees undergo an adequately intensive security clearance
check in compliance with company policy.
5. Review employee records too determine whether users have
formally acknowledged their responsibility to maintain the
confidentiality of company data
Operating System Controls and Audit
Tests
• Password Control
– A password is a secret code the user enters to gain
access to systems, applications, data files, or a network
server.

oUsing Passwords: Issues

– Forgetting passwords and being locked out of the system
– Failing to change passwords on a frequent basis
– Post-it syndrome
– The use of simple passwords
Operating System Controls and Audit
Tests
oPassword: Types
 Reusable Passwords
– The user defines the password to the system once
and then reuses it to gain future access.
 One-time Passwords
– The user’s password changes continuously
oAudit Objectives Relating to Password
– Ensure that the organization has an adequate and
efficient password policy for controlling access to the
OS.
Operating System Controls and Audit
Tests
o Audit Process Relating to Passwords
1. Verify that all users are required to have passwords
2. Verify that new users are instructed in the use of passwords and
the importance of password control.
3. Review password control procedures to ensure that passwords
are changed regularly
4. Review the password file to determine that weak passwords are
identified and disallowed.
5. Verify that the password file is encrypted and that the
encryption key is properly secured.
6. Assess the adequacy of password standards such as length and
expiration interval.
7. Review the account lockout policy and procedures.
Operating System Controls and Audit
Tests
• Controlling Against Malicious and Destructive Programs
– Malicious and destructive programs include viruses,
worms, logic bombs, back doors, and Trojan horses.
Operating System Controls and Audit
Tests
o Technology Controls and Administrative Procedures
– Purchase software only from reputable vendors
– Issue an entity-wide policy regarding the use of unauthorized software or illegal
copies of copyrighted software
– Examine all upgrades for viruses
– Inspect all public-domain software for viruses before using
– Establish entity-wide procedures for making changes to production programs
– Establish an educational program to raise user awareness regarding threats
– Install all new apps on a stand-alone computer
– Routinely make backup copies
– Limit users to read and execute rights only
– Require protocols that explicitly invoke the operating system’s log-on
procedures to bypass Trojan horses
– Use antiviral software
Operating System Controls and Audit
Tests
o Audit Objectives Relating to Viruses and Other Destructive Programs
– Verify that effective management policies and procedures are in
place to prevent the introduction and spread of destructive
programs, including viruses, worms, back doors, logic bombs,
and Trojan horses.
o Audit Procedures Relating to Viruses and Other Destructive
Programs
– Determine that operations personnel have been educated
about computer viruses and are aware of the risky computing
practices that can introduce and spread viruses
– Verify that new software is tested on standalone workstations
– Verify that the current version of antiviral software is installed on
the server and that upgrades are regularly downloaded
Operating System Controls and Audit
Tests
• System Audit Trail Controls
– System audit trails are logs that record the activity at
the system, application, and user-level.
oAudit Logs: Types
 Keystroke Monitoring
– Involves recording both the user’s keystrokes and
system’s responses
– Equivalent of a telephone wiretap
 Event Monitoring
– Summarizes key activities related to system resources
Operating System Controls and Audit
Tests
o Setting Audit Trail Objectives
 Detecting Unauthorized Access
– Protect the system from outsiders attempting to breach system
controls
 Reconstructing Events
– Audit trail analysis can be used to reconstruct the steps that led to events
such as system failures, or security violations by individuals
 Personal Accountability
– Audit trails can be used to monitor user activity
– A system audit log can also serve as a detective control to assign
personal accountability for actions taken such as abuse of authority
Operating System Controls and Audit
Tests
oAudit Objectives Relating to System Audit Trails
– Ensure that the established system audit trail is adequate for
preventing and detecting abuses, reconstructing key
events that precede system failures and planning resource
allocation.
o Audit Procedures Relating to System Audit Trails
– Verify that the audit trail has been activated accdg to
organization policy
– Search for defined conditions such as: unauthorized or
terminated user; periods of inactivity; activity by user, workgroup,
or department; log-on and log-off times; failed log-on attempts;
and access to specific files or applications
– Select a sample of security violation cases and evaluate their
disposition to assess the effectiveness of the security group