Ch03-Security Part 1. Auditing Operating Systems and Networks
-
5/21/2018 Ch03-Security Part 1. Auditing Operating Systems and Networks
1/42
CHAPTER 3: Security part 1:
auditing operating systems and networks
CSI4601851
Dasar-Dasar Audit SI (Fundamentals of IS Audit), Even Semester 2013/2014
Faculty of Computer Science
Universitas Indonesia
Learning Objectives
Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures.
Be familiar with the principal risks associated with commerce conducted over intranets and the Internet and understand the control techniques used to reduce these risks.
Be familiar with the risks associated with personal computing systems.
Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced (reading assignment).
Operating Systems
Perform three main tasks:
translates high-level languages into the machine-level language
allocates computer resources to user applications
manages the tasks of job scheduling and multiprogramming
Requirements for Effective Operating Systems Performance
OS must protect itself from users
OS must protect users from each other
OS must protect users from themselves
OS must be protected from itself
OS must be protected from its environment
Such as power failures and other disasters
Operating Systems Security
Log-On Procedure: first line of defense, based on user IDs and passwords.
If log-on fails, do not reveal whether the ID or the password caused the failure
For more than five failed attempts, lock the system
Access Token: contains key information (ID, password, group, privileges) about the user
Access Control List: defines the access privileges of users
Discretionary Access Control: allows a user to grant access to another user
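The log-on rules on this slide, worked through as an added example (this is not code from the lecture or its textbook). It applies the two rules stated above: a failure message that does not reveal whether the ID or the password was wrong, and a lockout once more than five failures have accumulated (applied to the account, an assumption, since the slide says "lock the system"). On success it issues an access token carrying the user's ID, group and privileges; the token here deliberately omits the password, which the slide lists but which a token has no reason to carry. User names, groups and passwords are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5              # slide rule: lock after more than five failures
FAILURE_MESSAGE = "Log-on failed"    # identical for an unknown ID and a wrong password
LOCKED_MESSAGE = "Account locked; contact the security administrator"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the stored credential is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    group: str
    privileges: tuple
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccessToken:
    """The slide's access token: ID, group and privileges of the authenticated
    user (the password is deliberately not carried in the token)."""
    user_id: str
    group: str
    privileges: tuple


class LogOnProcedure:
    def __init__(self):
        self.accounts = {}

    def add_user(self, user_id, password, group, privileges):
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt),
                                         group, tuple(privileges))

    def attempt(self, user_id, password):
        """Return (token, message); token is None when log-on is refused."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # An unknown ID gets the same answer as a wrong password, so the
            # response cannot be used to discover which IDs exist.
            return None, FAILURE_MESSAGE
        if acct.locked:
            return None, LOCKED_MESSAGE
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return AccessToken(acct.user_id, acct.group, acct.privileges), "OK"
        acct.failed_attempts += 1
        if acct.failed_attempts > MAX_FAILED_ATTEMPTS:
            acct.locked = True        # sixth failure: locked until an administrator resets it
            return None, LOCKED_MESSAGE
        return None, FAILURE_MESSAGE
```

The counter is reset only by a successful log-on, and the locked state is not cleared by the procedure itself; an auditor reviewing the lockout policy (a later slide) would expect a documented reset path rather than automatic unlocking.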
Operating System Controls and Audit Tests
Controlling Access Privileges
Password Control
Controlling Against Malicious and Destructive Programs
System Audit Trail Controls
Controlling Access Privileges
Audit objectives relating to access privileges
verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy
Audit procedures relating to access privileges
Review the organization's policies for separating incompatible functions
Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions
Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy
Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data
Review the users' permitted log-on times
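An added example (not from the lecture) of how the privilege review above can be run as a script once the auditor has extracted the granted privileges: it tests each user's rights against the functions of their position and against a policy table of incompatible function pairs. The policy table, position list and user records are constructed for illustration.

```python
from itertools import combinations

# Constructed organization policy: pairs of functions one person must not hold.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"develop_program", "operate_production"}),
}

# Constructed job descriptions: functions each position is entitled to.
POSITIONS = {
    "ap_clerk": {"create_vendor", "enter_journal"},
    "ap_manager": {"approve_payment", "approve_journal"},
    "developer": {"develop_program"},
    "operator": {"operate_production"},
}

# Constructed extract of privileges actually granted in the system.
USERS = {
    "alice": {"position": "ap_clerk", "granted": {"create_vendor", "enter_journal"}},
    "bob": {"position": "ap_clerk", "granted": {"create_vendor", "approve_payment"}},
    "carol": {"position": "developer", "granted": {"develop_program", "operate_production"}},
    "dave": {"position": "operator", "granted": {"operate_production"}},
}


def review_privileges(users=USERS, positions=POSITIONS, incompatible=INCOMPATIBLE):
    """Return audit findings as (user, finding_type, detail) tuples."""
    findings = []
    for user, rec in sorted(users.items()):
        granted = rec["granted"]
        allowed = positions.get(rec["position"], set())
        # Test 1: rights that go beyond the user's job description.
        for extra in sorted(granted - allowed):
            findings.append((user, "beyond_job_description", extra))
        # Test 2: incompatible functions concentrated in one person.
        for a, b in combinations(sorted(granted), 2):
            if frozenset({a, b}) in incompatible:
                findings.append((user, "incompatible_functions", f"{a}+{b}"))
    return findings
```

The two tests are kept separate because they fail for different reasons: an excess right is a provisioning error, while an incompatible pair may be fully "authorized" by two separate approvals and still violate the separation policy.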
Password Control
Common forms of contra-security behavior include:
Forgetting passwords and being locked out of the system.
Failing to change passwords on a frequent basis.
The Post-it syndrome, whereby passwords are written down and displayed for others to see.
Simplistic passwords that a computer criminal easily anticipates.
Password Control
Reusable Passwords
User defines the password to the system once and then reuses it to gain future access.
Quality depends on the password itself
Management actions: require that passwords be changed regularly and disallow weak passwords
use extensive databases of known weak passwords to validate the new password and disallow weak ones
One-Time Passwords
the user's password changes continuously
Common implementation: PIN + randomly generated password
An additional device (with a display, such as a mobile phone) is usually needed to generate the one-time password
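Both password controls on this slide as an added example (not code from the lecture). For reusable passwords, validate_reusable_password() applies a length rule and a known-weak-password list, normalizing the candidate first so that trivial variations of a listed password are still caught. For one-time passwords, the slide does not name an algorithm; hotp() assumes HOTP (RFC 4226), a common way for a device to generate the code, and verify_one_time_password() checks the PIN + code combination and advances the counter so a code cannot be reused. The weak-password list, device secret and PIN are constructed.

```python
import hashlib
import hmac
import struct

MIN_LENGTH = 12
# Stand-in for the "extensive database of known weak passwords"; a real
# deployment loads a list of millions of breached passwords.
KNOWN_WEAK = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}
DEVICE_SECRET = b"12345678901234567890"   # constructed; the RFC 4226 test secret


def validate_reusable_password(candidate):
    """Return (accepted, reason) for a password a user wants to set."""
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Lower-case and strip trailing digits/punctuation so "Password1234"
    # is still caught by the list entry "password".
    normalized = candidate.lower().rstrip("0123456789!")
    if candidate.lower() in KNOWN_WEAK or normalized in KNOWN_WEAK:
        return False, "matches a known weak password"
    return True, "accepted"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_one_time_password(submitted, pin, secret, counter, window=3):
    """Check a 'PIN + code' submission against the server-side counter.
    Returns the new counter on success, None otherwise. The small look-ahead
    window tolerates codes the user generated on the device but never sent."""
    if not hmac.compare_digest(submitted[:len(pin)], pin):
        return None
    code = submitted[len(pin):]
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1            # code consumed: the counter moves past it
    return None
```

Returning the new counter rather than a bare True is what makes the password "one-time": the server stores that value, so a captured code is rejected on any later attempt.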
Password Control
Audit objectives
to ensure the organization has an adequate and effective password policy for controlling access to the OS
Audit procedures
Verify that all users are required to have passwords.
Verify that new users are instructed in the use of passwords and the importance of password control.
Review password control procedures to ensure that passwords are changed regularly.
Review the password file to determine that weak passwords are identified and disallowed.
Verify that the password file is encrypted and that the encryption key is properly secured.
Assess the adequacy of password standards such as length and expiration interval.
Review the account lockout policy and procedures.
Controlling Against Malicious and Destructive Programs
Corporate losses: data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage.
Examples of malicious & destructive programs: viruses, worms, logic bombs, back doors, and Trojan horses
Threats can be reduced through a combination of technology controls and administrative procedures:
Purchase software only from reputable vendors, in factory-sealed packages.
Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.
Examine all upgrades to vendor software for viruses before they are implemented.
Inspect all public-domain software for virus infection before using it.
Controlling Against Malicious and Destructive Programs
Threats can be reduced through a combination of technology controls and administrative procedures (cont):
Establish entity-wide procedures for making changes to production programs.
Establish an educational program to raise user awareness
Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or LAN
Routinely make backup copies of key files
Limit users to read and execute rights only
Require protocols that explicitly invoke the operating system's log-on procedures to bypass Trojan horses
Use antiviral software (also called vaccines) to examine application and operating system programs
Controlling Against Malicious and Destructive Programs
Audit objectives
verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses
Audit procedures
Determine that operations personnel have been educated
Verify that new software is tested on workstations prior to being implemented on the host or network server.
Verify that the current version of antiviral software is always up-to-date
System Audit Trail Controls
System audit trails are logs that record activity at the system, application, and user level
Audit trails typically consist of two types of audit logs:
Detailed logs of individual keystrokes, recording both the user's keystrokes and the system's responses
Event-oriented logs, which summarize key activities related to system resources
Event logs record: IDs of all users accessing the system; the time and duration of a user's session; programs that were executed during a session; and the files, databases, printers, and other resources accessed
System Audit Trail Controls
Audit trails support security objectives in:
detecting unauthorized access to the system,
facilitating the reconstruction of events, and
promoting personal accountability.
Information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.
System Audit Trail Controls
Audit objectives
ensure that the audit trail system is adequate for preventing & detecting abuses, reconstructing key events that precede system failures, & planning resource allocation
Audit procedures
verify that the audit trail in the OS has been activated according to organization policy
use general-purpose data extraction tools for accessing archived log files to search for conditions: unauthorized or terminated users; periods of inactivity; etc.
select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group
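The "data extraction" audit procedure above, as an added example (not from the lecture), run over a constructed event-oriented log of the kind the earlier slide describes (user IDs, session times, programs and files accessed). It reconstructs sessions from LOGON/LOGOFF events and searches for the conditions the slide names: sessions of users who are not authorized or who have been terminated, and sessions that stayed open through a long period of inactivity. The log format, user lists and inactivity threshold are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed event log: timestamp, user ID, event, resource.
EVENT_LOG = """\
2014-03-03T08:01:10 alice LOGON -
2014-03-03T08:02:15 alice EXEC payroll.exe
2014-03-03T08:05:40 alice FILE emp_master.dat
2014-03-03T09:10:00 alice LOGOFF -
2014-03-03T12:30:05 mallory LOGON -
2014-03-03T12:31:00 mallory FILE customer_list.dat
2014-03-03T12:35:00 mallory LOGOFF -
2014-03-03T22:00:00 bob LOGON -
2014-03-04T06:45:00 bob FILE gl_ledger.dat
2014-03-04T06:50:00 bob LOGOFF -
"""
AUTHORIZED = {"alice", "bob", "carol"}   # from the current user list
TERMINATED = {"bob"}                     # from HR: bob has left but the account still works
INACTIVITY_LIMIT = timedelta(hours=2)


def parse_log(text):
    for line in text.splitlines():
        ts, user, event, resource = line.split()
        yield datetime.fromisoformat(ts), user, event, resource


def sessions(events):
    """Group events into (user, start, end, events) sessions by LOGON/LOGOFF."""
    open_sessions, result = {}, []
    for ts, user, event, resource in events:
        if event == "LOGON":
            open_sessions[user] = [ts, [(ts, event, resource)]]
        elif user in open_sessions:
            open_sessions[user][1].append((ts, event, resource))
            if event == "LOGOFF":
                start, evs = open_sessions.pop(user)
                result.append((user, start, ts, evs))
    return result


def search_log(text=EVENT_LOG, authorized=AUTHORIZED, terminated=TERMINATED):
    """Return findings as (user, condition, detail) tuples for the auditor."""
    findings = []
    for user, start, end, evs in sessions(parse_log(text)):
        if user not in authorized:
            findings.append((user, "unauthorized_user", start.isoformat()))
        if user in terminated:
            findings.append((user, "terminated_user", start.isoformat()))
        # Longest gap between consecutive events inside one session.
        gaps = [later[0] - earlier[0] for earlier, later in zip(evs, evs[1:])]
        if gaps and max(gaps) > INACTIVITY_LIMIT:
            findings.append((user, "period_of_inactivity", str(max(gaps))))
    return findings
```

The terminated-user check is only as good as the HR list it is compared against, which is why the slide's procedure starts from records outside the system being audited; a session that spans an overnight gap is worth a look even when the user is legitimate, since an unattended logged-on terminal is a classic way access privileges leak.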
Internet and Intranet Risks
The communications component is a unique aspect of computer networks:
different than processing (applications) or data storage (databases)
Network topologies: configurations of:
communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
hardware components (modems, multiplexers, servers, front-end processors)
software (protocols, network control systems)
Intranet Risks
Interception of network messages
Sniffing confidential data such as passwords, confidential e-mails, and financial data files
Access to corporate databases
A central database increases the risk that an employee will view, corrupt, change, or copy data such as customer listings, credit card information, recipes, formulas, and design specifications
Privileged employees
middle managers, who often possess access privileges that allow them to override controls, are most often prosecuted for insider crimes
Reluctance to prosecute
fear of negative publicity
Internet Risks to Businesses
IP spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity
Denial of service (DOS) attacks: assaulting a Web server to prevent it from servicing users
particularly devastating to business entities that cannot receive and process business transactions
Other malicious programs: viruses, worms, logic bombs, and Trojan horses pose a threat to both Internet and Intranet users
Three Common Types of DOS Attacks
SYN Flood: when the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits.
Smurf: the DOS attacker uses numerous intermediary computers to flood the target computer with test messages (pings).
Distributed DOS (DDOS): can take the form of Smurf or SYN attacks, but is distinguished by the vast number of zombie computers hijacked to launch the attacks.
In a DOS attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
SYN FLOOD DOS ATTACK (figure: Sender and Receiver)
Step 1: SYN messages
Step 2: SYN/ACK
Step 3: ACK packet
SMURF Attack
Distributed Denial of Service Attack
Risks from Equipment Failure Include:
Disrupting, destroying, or corrupting transmissions between senders and receivers
Loss of databases and programs stored on network servers
Controlling Risks from Subversive Threats
Firewalls
a system that enforces access control between two networks
Only authorized traffic between the organization and the outside is allowed to pass through the firewall
Types:
Network-level firewalls: screening router that examines the source and destination addresses
Application-level firewalls: run security applications called proxies
Dual-Homed Firewall
Controlling Risks from Subversive Threats: Controlling DOS Attacks
Controlling for three common forms of DOS attacks:
Smurf attacks: organizations can program firewalls to ignore an attacking site, once identified
SYN flood attacks: two tactics to defeat this DOS attack
Get Internet hosts to use firewalls that block invalid IP addresses
Use security software that scans for half-open connections
DDoS attacks: many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI)
IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks
DPI searches for protocol non-compliance and employs predefined criteria to decide if a packet can proceed to its destination
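The "scan for half-open connections" tactic above, as an added example (not from the lecture), applied to a constructed snapshot of a server's TCP connection table in the style of netstat output. Connections sitting in SYN_RECV are the half-open ones a SYN flood leaves behind; the report counts them per source and in total, and lists the sources a firewall rule could then be set to ignore, the same "ignore an attacking site once identified" response the slide gives for Smurf. The thresholds and addresses are assumptions.

```python
from collections import Counter

# Constructed connection-table snapshot: proto, local, remote, state.
CONNECTION_TABLE = """\
tcp 10.0.0.5:80 198.51.100.7:40001 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:40002 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:40003 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:40004 SYN_RECV
tcp 10.0.0.5:80 203.0.113.9:51000 ESTABLISHED
tcp 10.0.0.5:80 203.0.113.9:51001 SYN_RECV
tcp 10.0.0.5:443 192.0.2.44:60010 ESTABLISHED
"""
HALF_OPEN_PER_SOURCE_LIMIT = 3   # more than this from one source is reported
HALF_OPEN_TOTAL_LIMIT = 4        # more than this in total means backlog pressure


def half_open_by_source(table=CONNECTION_TABLE):
    """Count SYN_RECV (half-open) TCP connections per remote IP address."""
    counts = Counter()
    for line in table.splitlines():
        proto, local, remote, state = line.split()
        if proto == "tcp" and state == "SYN_RECV":
            counts[remote.rsplit(":", 1)[0]] += 1   # drop the port, keep the host
    return counts


def syn_flood_report(table=CONNECTION_TABLE):
    """Summarize half-open load and name sources exceeding the per-source limit."""
    counts = half_open_by_source(table)
    total = sum(counts.values())
    return {
        "total_half_open": total,
        "backlog_pressure": total > HALF_OPEN_TOTAL_LIMIT,
        "sources_to_block": sorted(ip for ip, n in counts.items()
                                   if n > HALF_OPEN_PER_SOURCE_LIMIT),
    }
```

Per-source counting only identifies a flood whose packets carry a real source address. When the sources are spoofed, the half-open total still rises but no single address stands out, which is why the slide pairs this scan with its other tactic, firewalls that block invalid IP addresses at the edge.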
Controlling Risks from Subversive Threats
Encryption: the conversion of data into a secret code for storage and transmission
Encryption algorithms use keys, typically 56 to 128 bits in length
The more bits in the key, the stronger the encryption method.
Controlling Risks from Subversive Threats
Two general approaches to encryption are private key and public key encryption.
Private key encryption
Advanced Encryption Standard (AES), uses a single key known to both the sender and the receiver of the message
Triple Data Encryption Standard (DES), uses three keys
Techniques: EEE3 & EDE3
Public key encryption
uses two different keys: one for encoding messages and the other for decoding them
each recipient has a private key that is kept secret and a public key that is published
Controlling Risks from Subversive Threats
Digital signature: electronic authentication technique to ensure that
the transmitted message originated with the authorized sender
the message was not tampered with after the signature was applied
Digital certificate: like an electronic identification card, used with a public key encryption system
Verifies the authenticity of the message sender
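The digital signature described above, worked through as an added example (not from the lecture or its textbook) using textbook RSA on deliberately small constructed primes so every step is visible. It shows both properties the slide lists: a signature verifies only against the public key that matches the signer's private key, and any change to the message after signing makes verification fail. The primes, exponent and message are constructed; real signatures use keys of thousands of bits and a padding scheme, both omitted from this toy.

```python
import hashlib

# Constructed toy key pair. P and Q are small primes, far too small for real
# use, chosen so that the arithmetic can be followed by hand.
P, Q = 1000003, 1000033
N = P * Q                       # modulus, part of both keys
PHI = (P - 1) * (Q - 1)
E = 17                          # public exponent
D = pow(E, -1, PHI)             # private exponent: E * D == 1 (mod PHI)
PUBLIC_KEY = (N, E)             # published, like the public half on the slide
PRIVATE_KEY = (N, D)            # kept secret by the sender


def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce the hash into the key's range.
    Signing the digest rather than the message ties the signature to every byte."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sender applies the private key to the digest."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone holding the public key can check; only the private key can sign."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)
```

The digital certificate on the slide answers the question this code leaves open: how the receiver knows that PUBLIC_KEY really belongs to the claimed sender rather than to someone who published a key in their name.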
EEE3 & EDE3 Technique
Public Key Encryption
Digital Signature
Controlling Risks from Subversive Threats
Message sequence numbering: a sequence number used to detect missing messages
Message transaction log: a listing of all incoming and outgoing messages to detect the efforts of hackers
Request-response technique: a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals. The timing of the messages should follow a random pattern that will be difficult for the intruder to determine and circumvent
Call-back devices: the receiver calls the sender back at a pre-authorized phone number before transmission is completed
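Message sequence numbering and the transaction log from this slide, as an added example (not from the lecture) of the receiving side. Every incoming message is recorded in the log whether or not it is in order, and the sequence check reports gaps (messages that never arrived), repeats (the same number seen twice, as a replay or retransmission would produce) and late arrivals that fill a gap reported earlier. The message stream is constructed.

```python
# Constructed incoming stream of (sequence number, message body).
INCOMING = [(1, "ORDER 1001"), (2, "ORDER 1002"), (4, "ORDER 1004"),
            (5, "ORDER 1005"), (4, "ORDER 1004"), (3, "ORDER 1003"),
            (7, "ORDER 1007")]


def check_sequence(messages, expected_start=1):
    """Return (log, missing, duplicates, late) for a stream of (seq, body).

    log        every message as received, the transaction log of the slide
    missing    sequence numbers never seen (lost or intercepted messages)
    duplicates numbers received more than once (possible replay)
    late       numbers that arrived after being reported missing
    """
    log, seen = [], set()
    missing, duplicates, late = [], [], []
    expected = expected_start
    for seq, body in messages:
        log.append((seq, body))
        if seq in seen:
            duplicates.append(seq)
            continue
        if seq > expected:
            missing.extend(range(expected, seq))   # a gap before this message
            expected = seq + 1
        elif seq == expected:
            expected += 1
        else:
            late.append(seq)                       # fills a gap reported earlier
            if seq in missing:
                missing.remove(seq)
        seen.add(seq)
    return log, missing, duplicates, late
```

A number that is still missing when the session ends is what audit procedure (5) on a later slide looks for in the transaction logs; a duplicate is the more interesting finding for the "efforts of hackers" wording, because a genuine retransmission and a replayed capture look the same until the log is compared with the sender's.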
Controlling Risks from Subversive Threats
Audit objectives: to verify the security and integrity of financial transactions by determining that network controls
can prevent and detect illegal access both internally and from the Internet
will render useless any data that a perpetrator successfully captures
are sufficient to preserve the integrity and physical security of data connected to the network
Audit procedures
(1) Review the adequacy of the firewall in balancing control and convenience.
Flexibility. The firewall should be flexible enough to accommodate new services.
Proxy services. Adequate proxy applications should be in place to provide explicit user authentication to sensitive services, applications, and data.
Filtering. The firewall should specify which services the user is permitted to access.
Segregation of systems. Systems that do not require public access should be segregated from the Internet.
Audit tools. The firewall should provide a thorough set of audit and logging tools that identify and record suspicious activity.
Probe for weaknesses. Periodically probe the firewall for weaknesses just as a computer Internet hacker would do.
Controlling Risks from Subversive Threats
Audit procedures
(2) Verify that an intrusion prevention system (IPS) is in place for organizations that are vulnerable to DDoS attacks, such as financial institutions.
(3) Review security procedures governing the administration of data encryption keys.
(4) Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.
(5) Review the message transaction logs to verify that all messages were received in their proper sequence.
(6) Test the operation of the call-back feature by placing an unauthorized call from outside the installation.
Controlling Risks from Equipment Failure
The most common problem in data communications is data loss due to line error
Controls:
Echo Check: the receiver returns the message to the sender
Parity Check: incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted
Audit objectives
verify the integrity of the transactions by determining that controls are in place to detect and correct message loss due to equipment failure.
Audit procedures
select a sample of messages from the transaction log and examine them for garbled content caused by line noise
verify that all corrupted messages were successfully retransmitted
Vertical and Horizontal Parity using Odd Parity
PC Systems Risks and Controls
OS weaknesses
minimal security for data files and programs
data stored on microcomputers that are shared by multiple users are exposed to unauthorized access, manipulation, and destruction
Weak access control
Log-on procedures are usually active only when the computer is booted from the hard drive
How about booting from CD-ROM?
Inadequate segregation of duties
Computers are shared among end users
Operator may also act as developer
PC Systems Risks and Controls
Risk of Theft
PCs and laptops are easy to steal
Policy for managing sensitive data
Weak backup procedures
disk failure is the primary cause of data loss in PC environments
End users should back up their own PC, but mostly they lack experience
Risk of virus infection
ensure that effective antivirus software is installed on the PCs and kept up-to-date
Multilevel password control
When computers are shared among employees
each employee is required to enter a password to access his or her applications and data.
Audit Objectives
Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
Verify that adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators.
Verify that backup procedures are in place to prevent data and program loss due to system failures, errors, and so on.
Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object.
Audit Procedures
Observe that PCs are physically anchored to reduce the opportunity for theft.
Verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems.
Determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employees' job descriptions.
If removable or external hard drives are used, the auditor should verify that the drives are removed and stored in a secure location when not in use.
Select a sample of backup files and verify that backup procedures are being followed.
Select a sample of PCs and verify that their commercial software packages were purchased from reputable vendors and are legal copies.
Review the organization's policy for using antiviral software