AUDITING OPERATING SYSTEMS AND NETWORKS

AUDITING OPERATING SYSTEMS

What Is An Operating System (O/S)?
The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
Examples of O/S: Google Chromium O/S, Linux, Microsoft Windows.
An operating system (OS) is software that manages computer hardware and software resources and provides common services for computer programs. The operating system is an essential component of the system software in a computer system. Application programs usually require an operating system to function.

Three Main Tasks Of Operating Systems
translates high-level languages into machine-level language
allocates computer resources to user applications
manages the tasks of job scheduling and multiprogramming

Requirements For Effective O/S Performance
Five fundamental control objectives of the O/S. The operating system must:
Protect itself from users
Protect users from each other
Protect users from themselves
Be protected against itself
Be protected from its environment

Operating Systems Controls
Access privileges
Password control
Malicious or destructive programs
System audit trail

Access Privileges
Audit objective: Verify that access privileges are consistent with separation of incompatible functions and organization policies.
Audit procedures: Review or verify...
policies for separating incompatible functions
a sample of user privileges, especially access to data and programs
security clearance checks of privileged employees
formal acknowledgements to maintain confidentiality of data
users' log-on times

Password Control
Audit objective: Ensure adequacy and effectiveness of password policies for controlling access to the operating system.
Audit procedures: Review or verify...
passwords required for all users
password instructions for new users
passwords changed regularly
password file for weak passwords
encryption of password file
password standards
account lockout policies

Malicious or Destructive Programs
Audit objective: Verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses.
Audit procedures: Review or verify...
training of operations personnel concerning destructive programs
testing of new software prior to being implemented
currency of antiviral software and frequency of upgrades

A COMPUTER VIRUS is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected".

A COMPUTER WORM is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer.

A TROJAN HORSE, or Trojan, in computing is generally a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm.

Operating Systems Security
Log-On Procedure
Access Token
Access Control List
Discretionary Access Control

Threats to O/S Integrity
Accidental threats
Intentional threats

System Audit Trail Controls
Audit objective: Ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede systems failures, and planning resource allocation.
Audit procedures: Review or verify...
how long audit trails have been in place
archived log files for key indicators
monitoring and reporting of security violations

Audit trails can be used to support security objectives in three ways:
(1) detecting unauthorized access to the system,
(2) facilitating the reconstruction of events,
(3) promoting personal accountability

Two types of audit logs:
Keystroke monitoring
Event monitoring

Controlling Risks
Firewalls
Deep packet inspection
Encryption
Digital signature / digital certificate
Message control techniques

Firewalls
Firewalls provide security by channeling all network connections through a control gateway.
Network level firewalls
Application level firewalls
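As an added illustration of the event-monitoring audit log and the "monitoring and reporting of security violations" procedure above (this code is not from the original page), the script below runs three checks over a constructed sample event log: repeated failed log-ons, log-ons and data access outside normal hours (the "users' log-on times" check under Access Privileges), and any log-on by a privileged account. The log format, the failure threshold, the working-hours window and the privileged account list are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log (not from the page): timestamp, user, event, detail.
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice LOGON_OK console
2024-03-04T09:02:31 bob LOGON_FAIL bad_password
2024-03-04T09:02:40 bob LOGON_FAIL bad_password
2024-03-04T09:02:52 bob LOGON_FAIL bad_password
2024-03-04T09:03:09 bob LOGON_OK console
2024-03-04T10:15:00 root LOGON_OK console
2024-03-04T23:41:05 carol LOGON_OK remote
2024-03-04T23:42:17 carol FILE_READ payroll.dat
"""

FAIL_THRESHOLD = 3          # assumed: failed attempts before the user is reported
WORK_HOURS = range(7, 20)   # assumed: 07:00-19:59 is the normal log-on window
PRIVILEGED = {"root"}       # assumed: accounts whose every log-on is reported

def parse(log_text):
    """Turn each non-empty log line into (timestamp, user, event, detail)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, detail = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), user, event, detail))
    return events

def find_violations(log_text):
    """Return a sorted list of (user, reason) findings for the auditor to follow up."""
    findings, failures = set(), defaultdict(int)
    for ts, user, event, detail in parse(log_text):
        if event == "LOGON_FAIL":
            failures[user] += 1
            if failures[user] == FAIL_THRESHOLD:
                findings.add((user, "repeated failed log-ons"))
        elif event == "LOGON_OK":
            failures[user] = 0                      # a success resets the counter
            if ts.hour not in WORK_HOURS:
                findings.add((user, "log-on outside normal hours"))
            if user in PRIVILEGED:
                findings.add((user, "privileged account log-on"))
        elif event == "FILE_READ" and ts.hour not in WORK_HOURS:
            findings.add((user, "data access outside normal hours"))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in find_violations(SAMPLE_LOG):
        print(f"{user}: {reason}")
```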

AUDITING NETWORKS

Terminologies
An INTRANET is a private network that is contained within an enterprise. It may consist of many interlinked local area networks and also use leased lines in the wide area network.
The INTERNET is a global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to link several billion devices worldwide.

Intranet Risks
Intercepting network messages ~ sniffing
Accessing corporate databases
Privileged employees
Reluctance to prosecute
IP spoofing
Denial of service (DOS) attacks
Other malicious programs

Three Common Types of DOS Attacks
SYN Flood
Smurf
Distributed DOS (DDOS)

Controlling DOS Attacks
Controlling for three common forms of DOS attacks:
Smurf attacks
SYN flood attacks
DDoS attacks

Encryption
A computer program transforms a clear message into a coded (cipher) text form using an algorithm.
The conversion of data into a secret code for storage and transmission.
The sender uses an encryption algorithm to convert the original cleartext message into a coded ciphertext.
The receiver decodes / decrypts the ciphertext back into cleartext.
Encryption algorithms use keys
~ Typically 56 to 128 bits in length
~ The more bits in the key the stronger the encryption method.
Two general approaches to encryption are private key and public key encryption.

Digital Signature / Certificate
Digital signature
Digital certificate

Message Control Techniques
Message sequence numbering
Message transaction log
Request-response technique
Call-back devices
Audit Procedures – SUBVERSIVE THREATS
Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.
Review data encryption security procedures
Verify encryption by testing
Review message transaction logs
Test procedures for preventing unauthorized calls

Benefits of EDI
Reduction or elimination of data entry
Reduction of errors
Reduction of paper
Reduction of paper processing and postage
Reduction of inventories (via JIT systems)

Equipment Failure
Line errors are data errors from communications noise.
Two techniques to detect and correct such data errors are:
1. echo check
2. parity checks
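Added example (not from the page) showing both line-error techniques above on a constructed message: an even-parity bit appended to each character, a parity check at the receiver, and an echo check in which the sender compares the echoed copy with what it sent. It also shows the limitation an auditor should know when reviewing these controls: a double-bit error in one character passes the parity check but is caught by the echo check. The noise model and the even-parity convention are assumptions.

```python
def add_parity(char_code):
    """Append an even-parity bit to a 7-bit character code, giving an 8-bit word."""
    data = char_code & 0x7F
    parity_bit = bin(data).count("1") % 2      # 1 if the data has an odd number of ones
    return (data << 1) | parity_bit

def parity_ok(word):
    """A received 8-bit word passes if its total number of one bits is even."""
    return bin(word & 0xFF).count("1") % 2 == 0

def encode(text):
    return [add_parity(ord(ch)) for ch in text]

def decode(words):
    return "".join(chr(w >> 1) for w in words)

def parity_check(received):
    """Return positions of words whose parity bit does not match their data.
    A flip of two bits in the same word keeps parity even and goes undetected."""
    return [i for i, w in enumerate(received) if not parity_ok(w)]

def echo_check(sent, echoed):
    """The receiver echoes the message back; the sender compares it with what it sent.
    Returns positions that differ, or every position if the lengths disagree."""
    if len(sent) != len(echoed):
        return list(range(max(len(sent), len(echoed))))
    return [i for i, (a, b) in enumerate(zip(sent, echoed)) if a != b]

def apply_line_noise(words, position, bitmask):
    """Constructed noise model: XOR one word with a mask (one set bit = single-bit error)."""
    noisy = list(words)
    noisy[position] ^= bitmask
    return noisy

def needs_retransmission(sent, received):
    """Union of both checks: positions the receiver should ask to have resent."""
    return sorted(set(parity_check(received)) | set(echo_check(sent, received)))

if __name__ == "__main__":
    msg = encode("PAY 100")
    single = apply_line_noise(msg, 4, 0b00000010)   # one bit flipped in the 5th word
    double = apply_line_noise(msg, 4, 0b00000110)   # two bits flipped in the 5th word
    print("parity, single flip:", parity_check(single))    # [4]
    print("parity, double flip:", parity_check(double))    # [] (missed)
    print("echo,   double flip:", echo_check(msg, double))  # [4]
```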

Audit Procedures – Equipment Failure
Using a sample of messages from the transaction log:
examine them for garbled contents caused by line noise
verify that all corrupted messages were successfully retransmitted

AUDITING ELECTRONIC DATA INTERCHANGE (EDI)

WHAT IS EDI?
EDI (electronic data interchange) uses computer-to-computer communications technologies to automate B2B purchases. (B2B -> business-to-business or e-biz)
- EDI is an inter-organization endeavor.
- The information systems of the trading partners automatically process the transaction.
- Transaction information is transmitted in a standardized format.
EDI (Electronic Data Interchange) is the transfer of data from one computer system to another by standardized message formatting, without the need for human intervention. EDI permits multiple companies -- possibly in different countries -- to exchange documents electronically.

Audit Objectives - EDI
Transactions are authorized, validated, and in compliance with the trading partner agreement.
No unauthorized organizations can gain access to database.
Authorized trading partners have access only to approved data.
Adequate controls are in place to ensure a complete audit trail.

Audit Procedures - EDI
Tests of Authorization and Validation Controls
~ Review procedures for verifying trading partner identification codes
~ Review agreements with VAN
~ Review trading partner files
Tests of Access Controls
~ Verify limited access to vendor and customer files
~ Verify limited access of vendors to database
~ Test EDI controls by simulation
Tests of Audit Trail Controls
~ Verify existence of transaction logs
~ Review a sample of transactions

AUDITING PC-BASED ACCOUNTING SYSTEMS

PERSONAL COMPUTER SYSTEMS
PC operating systems
PC systems risks & controls
In general:
1. Relatively simple to operate and program
2. Controlled and operated by end users
3. Interactive data processing vs. batch
4. Commercial applications vs. custom
5. Often used to access data on mainframe or network
6. Allows users to develop their own applications
Operating Systems:
1. Are located on the PC (decentralized)
2. O/S family dictates applications (e.g., Windows)

Controls
- Risk assessment
- Inherent weaknesses
- Weak access control
- Inadequate segregation of duties
- Multilevel password control – multifaceted access control
Risk of data loss
- Easy for multiple users to access data
- End user can steal, destroy, manipulate
- Inadequate backup procedures
- Local backups on appropriate medium
- Dual hard drives on PC
- External/removable hard drive on PC

IC PERSONAL COMPUTER SYSTEMS
Risk associated with virus infection
- Policy of obtaining software
- Policy for use of anti-virus software
- Verify no unauthorized software on PCs
Risk of improper SDLC procedures
- Use of commercial software
- Formal software selection procedures

Audit objectives – PC systems
Verify controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft
Verify that adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators
Verify that backup procedures are in place to prevent data and program loss due to system failures, errors
Verify that systems selection and acquisition procedures produce applications that are high quality, and protected from unauthorized changes
Verify the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object

Audit procedures – PC systems
Verify that microcomputers and their files are physically controlled
Verify from organizational charts, job descriptions, and observation that the programmers of applications performing financially significant functions do not also operate those systems.
Confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
Determine that multilevel password control or multifaceted access control is used to limit access to data and applications, where applicable.
Verify that the drives are removed and stored in a secure location when not in use, where applicable.
Verify that backup procedures are being followed.
Verify that application source code is physically secured (such as in a locked safe) and that only the compiled version is stored on the microcomputer.
Review systems selection and acquisition controls
Review virus control techniques
