Ch03-Security Part 1. Auditing Operating Systems and Networks


Transcript of Ch03-Security Part 1. Auditing Operating Systems and Networks

  • 5/21/2018 Ch03-Security Part 1. Auditing Operating Systems and Networks

    CHAPTER 3: Security part 1: auditing operating systems and networks

    CSI4601851 Dasar-Dasar Audit SI, Even Semester 2013/2014
    Fakultas Ilmu Komputer, Universitas Indonesia

  • Learning Objectives

    Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures.

    Be familiar with the principal risks associated with commerce conducted over intranets and the Internet, and understand the control techniques used to reduce these risks.

    Be familiar with the risks associated with personal computing systems.

    Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced (reading assignment).

  • Operating Systems

    Perform three main tasks:
      translates high-level languages into the machine-level language
      allocates computer resources to user applications
      manages the tasks of job scheduling and multiprogramming

  • Requirements for Effective Operating Systems Performance

    OS must protect itself from users
    OS must protect users from each other
    OS must protect users from themselves
    OS must be protected from itself
    OS must be protected from its environment, such as power failures and other disasters

  • Operating Systems Security

    Log-On Procedure: the first line of defense; user IDs and passwords.
      If the login fails, do not reveal whether the ID or the password caused the failure.
      After more than five failed attempts, lock the system.

    Access Token: contains key information (ID, password, group, privilege) about the user

    Access Control List: defines the access privileges of users

    Discretionary Access Control: allows a user to grant access to another user

  • Operating System Controls and Audit Tests

    Controlling Access Privileges
    Password Control
    Controlling Against Malicious and Destructive Programs
    System Audit Trail Controls

  • Controlling Access Privileges

    Audit objectives relating to access privileges
      verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy

    Audit procedures relating to access privileges
      Review the organization's policies for separating incompatible functions
      Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions
      Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy
      Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data
      Review the users' permitted log-on times

  • Password Control

    Common forms of contra-security behavior include:
      Forgetting passwords and being locked out of the system.
      Failing to change passwords on a frequent basis.
      The Post-it syndrome, whereby passwords are written down and displayed for others to see.
      Simplistic passwords that a computer criminal easily anticipates.

  • Password Control

    Reusable Passwords
      The user defines the password to the system once and then reuses it to gain future access.
      Quality depends on the password itself.
      Management actions: require passwords to be changed regularly and disallow weak passwords; use extensive databases of known weak passwords to validate each new password and disallow weak ones.

    One-Time Passwords
      The user's password changes continuously.
      Common implementation: PIN + randomly generated password.
      An additional device (with a display, such as a mobile phone) is usually needed to generate the one-time password.
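    The log-on controls from the Operating Systems Security slide (a failure message that does not say whether the ID or the password was wrong, lockout after more than five failed attempts) together with the weak-password database check from this slide, worked as an added Python example; this is not code from the slides. The weak-password list, the 8-character minimum and the account names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "extensive database of known weak passwords"
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}
MIN_LENGTH = 8        # assumed password standard (the slides name length, not a value)
MAX_FAILURES = 5      # lock once the failure count exceeds this ("more than five")
GENERIC_FAILURE = "Login failed."   # never says whether the ID or the password was wrong


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LogonProcedure:
    def __init__(self):
        self.accounts = {}   # user ID -> {"salt", "hash", "failures", "locked"}

    def set_password(self, user_id, password):
        """Create or reset a reusable password, refusing known-weak or short ones."""
        if password.lower() in WEAK_PASSWORDS or len(password) < MIN_LENGTH:
            return False
        salt = os.urandom(16)
        self.accounts[user_id] = {"salt": salt, "hash": _hash(password, salt),
                                  "failures": 0, "locked": False}
        return True

    def login(self, user_id, password):
        """Return (success, message). The failure message is identical for an unknown
        ID, a wrong password and a locked account, so nothing leaks to the caller."""
        acct = self.accounts.get(user_id)
        if acct is None:
            _hash(password, b"\x00" * 16)   # do the same work as a real check (timing)
            return False, GENERIC_FAILURE
        if acct["locked"]:
            return False, GENERIC_FAILURE
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return True, "Welcome."
        acct["failures"] += 1
        if acct["failures"] > MAX_FAILURES:
            acct["locked"] = True             # lockout: an administrator must reset
        return False, GENERIC_FAILURE

    def is_locked(self, user_id):
        return self.accounts[user_id]["locked"]
```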

  • Password Control

    Audit objectives
      to ensure the organization has an adequate and effective password policy for controlling access to the OS

    Audit procedures
      Verify that all users are required to have passwords.
      Verify that new users are instructed in the use of passwords and the importance of password control.
      Review password control procedures to ensure that passwords are changed regularly.
      Review the password file to determine that weak passwords are identified and disallowed.
      Verify that the password file is encrypted and that the encryption key is properly secured.
      Assess the adequacy of password standards such as length and expiration interval.
      Review the account lockout policy and procedures.

  • Controlling Against Malicious and Destructive Programs

    Corporate losses: data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage.

    Examples of malicious and destructive programs: viruses, worms, logic bombs, back doors, and Trojan horses.

    Threats can be reduced through a combination of technology controls and administrative procedures:
      Purchase software only from reputable vendors, in factory-sealed packages.
      Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.
      Examine all upgrades to vendor software for viruses before they are implemented.
      Inspect all public-domain software for virus infection before using it.

  • Controlling Against Malicious and Destructive Programs

    Threats can be reduced through a combination of technology controls and administrative procedures (cont.):
      Establish entity-wide procedures for making changes to production programs.
      Establish an educational program to raise user awareness.
      Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or LAN.
      Routinely make backup copies of key files.
      Limit users to read and execute rights only.
      Require protocols that explicitly invoke the operating system's log-on procedures to bypass Trojan horses.
      Use antiviral software (also called vaccines) to examine application and operating system programs.

  • Controlling Against Malicious and Destructive Programs

    Audit objectives
      verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses

    Audit procedures
      Determine that operations personnel have been educated.
      Verify that new software is tested on workstations prior to being implemented on the host or network server.
      Verify that the current version of antiviral software is always up-to-date.

  • System Audit Trail Controls

    System audit trails are logs that record activity at the system, application, and user level.

    Audit trails typically consist of two types of audit logs:
      Detailed logs of individual keystrokes, recording both the user's keystrokes and the system's responses
      Event-oriented logs, which summarize key activities related to system resources

    Event logs record: the IDs of all users accessing the system; the time and duration of a user's session; the programs that were executed during a session; and the files, databases, printers, and other resources accessed.

  • System Audit Trail Controls

    Audit trails support security objectives in:
      detecting unauthorized access to the system,
      facilitating the reconstruction of events, and
      promoting personal accountability.

    Information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.

  • System Audit Trail Controls

    Audit objectives
      ensure that the audit trail system is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation

    Audit procedures
      verify that the audit trail in the OS has been activated according to organization policy
      use general-purpose data extraction tools for accessing archived log files to search for conditions such as: unauthorized or terminated users; periods of inactivity; etc.
      select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group
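    The archived-log search from the audit procedures above, worked as an added Python example that is not part of the slides: it scans a constructed event-oriented log for activity by terminated users, log-ons outside the permitted log-on times (the Controlling Access Privileges slide) and dormant accounts. The log lines, the terminated-user list, the permitted window and the 30-day inactivity threshold are all constructed for the example.

```python
from datetime import datetime, time, timedelta

# Constructed event-oriented audit log (not real data): timestamp, user ID, event, resource
EVENT_LOG = """\
2014-01-15T09:00:00,mchan,LOGON,-
2014-01-15T12:00:00,mchan,LOGOFF,-
2014-03-03T08:55:12,jdoe,LOGON,-
2014-03-03T09:02:40,jdoe,EXEC,PAYROLL.EXE
2014-03-03T09:10:05,jdoe,OPEN,DB:PAYROLL
2014-03-03T17:40:00,jdoe,LOGOFF,-
2014-03-04T22:15:31,asmith,LOGON,-
2014-03-04T22:16:02,asmith,OPEN,DB:CUSTOMERS
2014-03-04T23:58:44,asmith,LOGOFF,-
2014-03-06T10:03:09,rlee,LOGON,-
2014-03-06T10:04:01,rlee,OPEN,DB:GL
2014-03-06T10:30:00,rlee,LOGOFF,-
"""

TERMINATED_USERS = {"rlee"}                  # constructed: from HR termination records
PERMITTED_HOURS = (time(7, 0), time(19, 0))  # constructed: permitted log-on window
INACTIVITY_DAYS = 30                          # constructed: dormant-account threshold


def parse_log(text):
    """Turn the CSV-like log into (timestamp, user, event, resource) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, resource = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event, resource))
    return events


def find_exceptions(events, terminated, hours, inactivity_days):
    """Return audit exceptions as (category, user, detail) tuples."""
    findings = []
    start, end = hours
    last_seen = {}
    log_end = max(ts for ts, _, _, _ in events)
    for ts, user, event, resource in events:
        last_seen[user] = max(last_seen.get(user, ts), ts)
        if user in terminated:
            findings.append(("terminated_user_activity", user, f"{event} {resource} at {ts}"))
        if event == "LOGON" and not (start <= ts.time() <= end):
            findings.append(("logon_outside_permitted_hours", user, ts.isoformat()))
    # An account with no activity for longer than the threshold before the end of the
    # log window is dormant and should be questioned (left enabled? still needed?).
    for user, ts in last_seen.items():
        if log_end - ts > timedelta(days=inactivity_days):
            findings.append(("inactive_account", user, f"last activity {ts.date()}"))
    return findings


if __name__ == "__main__":
    for category, user, detail in find_exceptions(
            parse_log(EVENT_LOG), TERMINATED_USERS, PERMITTED_HOURS, INACTIVITY_DAYS):
        print(f"{category:32} {user:8} {detail}")
```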

  • Internet and Intranet Risks

    The communications component is a unique aspect of computer networks: different from processing (applications) or data storage (databases).

    Network topologies: configurations of:
      communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
      hardware components (modems, multiplexers, servers, front-end processors)
      software (protocols, network control systems)

  • Intranet Risks

    Interception of network messages
      Sniffing confidential data such as passwords, confidential e-mails, and financial data files

    Access to corporate databases
      A central database increases the risk that an employee will view, corrupt, change, or copy data such as customer listings, credit card information, recipes, formulas, and design specifications

    Privileged employees
      Middle managers, who often possess access privileges that allow them to override controls, are most often prosecuted for insider crimes

    Reluctance to prosecute
      Fear of negative publicity

  • Internet Risks to Businesses

    IP spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity

    Denial of service (DOS) attacks: assaulting a Web server to prevent it from servicing users
      particularly devastating to business entities that cannot receive and process business transactions

    Other malicious programs: viruses, worms, logic bombs, and Trojan horses pose a threat to both Internet and Intranet users

  • Three Common Types of DOS Attacks

    SYN Flood: when the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits.

    Smurf: the DOS attacker uses numerous intermediary computers to flood the target computer with test messages (pings).

    Distributed DOS (DDOS): can take the form of Smurf or SYN attacks, but is distinguished by the vast number of zombie computers hijacked to launch the attacks.

  • SYN Flood DOS Attack

    In a DOS attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.

    [Figure: SYN FLOOD DOS ATTACK, between Sender and Receiver. Step 1: SYN messages. Step 2: SYN/ACK. Step 3: ACK packet.]

  • SMURF Attack

    [Figure: SMURF Attack]

  • Distributed Denial of Service Attack

    [Figure: Distributed Denial of Service Attack]

  • Risks from Equipment Failure Include:

    Disrupting, destroying, or corrupting transmissions between senders and receivers
    Loss of databases and programs stored on network servers

  • Controlling Risks from Subversive Threats

    Firewalls
      a system that enforces access control between two networks
      Only authorized traffic between the organization and the outside is allowed to pass through the firewall

    Types:
      Network-level firewalls: a screening router that examines the source and destination addresses
      Application-level firewalls: run security applications called proxies

  • Dual-Homed Firewall

    [Figure: Dual-Homed Firewall]

  • Controlling Risks from Subversive Threats: Controlling DOS Attacks

    Controlling for three common forms of DOS attacks:

    Smurf attacks: organizations can program firewalls to ignore an attacking site, once identified

    SYN flood attacks: two tactics to defeat this DOS attack
      Get Internet hosts to use firewalls that block invalid IP addresses
      Use security software that scans for half-open connections

    DDOS attacks: many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI)
      IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks
      DPI searches for protocol non-compliance and employs predefined criteria to decide if a packet can proceed to its destination
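    The two SYN-flood tactics above (block invalid source IP addresses; scan for half-open connections), worked as an added Python example that is not from the slides. It reads a constructed netstat-style connection table for a web server; the listen backlog of 128 and the 50% warning threshold are assumptions, and documentation ranges such as 198.51.100.0/24 stand in for ordinary public addresses.

```python
import ipaddress
from collections import Counter

# Constructed "netstat -ant"-style connection table (not real output): two legitimate
# sessions, one source holding 60 half-open (SYN_RECV) connections, and half-open
# entries from source addresses that cannot validly originate on the Internet.
CONN_TABLE = [
    "tcp 0 0 10.0.0.5:443 203.0.113.7:51112 ESTABLISHED",
    "tcp 0 0 10.0.0.5:443 203.0.113.8:51200 ESTABLISHED",
]
CONN_TABLE += [f"tcp 0 0 10.0.0.5:443 198.51.100.9:{40000 + i} SYN_RECV" for i in range(60)]
CONN_TABLE += [f"tcp 0 0 10.0.0.5:443 0.0.0.0:{5000 + i} SYN_RECV" for i in range(10)]
CONN_TABLE += [f"tcp 0 0 10.0.0.5:443 240.1.2.{i}:4444 SYN_RECV" for i in range(1, 6)]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_invalid_internet_source(ip_text):
    """True for addresses that can never legitimately be the source of an Internet
    connection (unspecified, loopback, multicast, reserved, link-local, RFC 1918).
    Documentation ranges are deliberately not flagged so the constructed sample can
    use them as stand-ins for ordinary public addresses."""
    a = ipaddress.ip_address(ip_text)
    return (a.is_unspecified or a.is_loopback or a.is_multicast or a.is_reserved
            or a.is_link_local or any(a in net for net in RFC1918))


def analyse_half_open(lines, backlog=128, warn_ratio=0.5):
    """Count SYN_RECV entries per remote source and judge whether the listen
    backlog (assumed 128 here) is filling the way a SYN flood fills it."""
    half_open = Counter()
    invalid = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[5] != "SYN_RECV":
            continue
        src_ip = parts[4].rsplit(":", 1)[0]
        half_open[src_ip] += 1
        if is_invalid_internet_source(src_ip):
            invalid[src_ip] += 1
    total = sum(half_open.values())
    return {
        "total_half_open": total,
        "backlog_fill": total / backlog,
        "flood_suspected": total / backlog >= warn_ratio,
        "top_sources": half_open.most_common(3),
        "invalid_sources": dict(invalid),   # candidates for the firewall's block list
    }


if __name__ == "__main__":
    report = analyse_half_open(CONN_TABLE)
    print(f"half-open: {report['total_half_open']} ({report['backlog_fill']:.0%} of backlog)")
    print("flood suspected:", report["flood_suspected"])
    print("top sources:", report["top_sources"])
    print("invalid sources to drop at the firewall:", report["invalid_sources"])
```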

  • Controlling Risks from Subversive Threats

    Encryption: the conversion of data into a secret code for storage and transmission

    Encryption algorithms use keys, typically 56 to 128 bits in length.
    The more bits in the key, the stronger the encryption method.

  • Controlling Risks from Subversive Threats

    Two general approaches to encryption are private key and public key encryption.

    Private key encryption
      Advanced Encryption Standard (AES): uses a single key known to both the sender and the receiver of the message
      Triple Data Encryption Standard (Triple DES): uses three keys
        Techniques: EEE3 & EDE3

    Public key encryption
      uses two different keys: one for encoding messages and the other for decoding them
      each recipient has a private key that is kept secret and a public key that is published

  • Controlling Risks from Subversive Threats

    Digital signature: an electronic authentication technique to ensure that
      the transmitted message originated with the authorized sender
      the message was not tampered with after the signature was applied

    Digital certificate: like an electronic identification card, used with a public key encryption system
      Verifies the authenticity of the message sender

  • EEE3 & EDE3 Technique

    [Figure: EEE3 & EDE3 Technique]

  • Public Key Encryption

    [Figure: Public Key Encryption]

  • Digital Signature

    [Figure: Digital Signature]

  • Controlling Risks from Subversive Threats

    Message sequence numbering: a sequence number used to detect missing messages

    Message transaction log: a listing of all incoming and outgoing messages, used to detect the efforts of hackers

    Request-response technique: a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals. The timing of the messages should follow a random pattern that will be difficult for the intruder to determine and circumvent.

    Call-back devices: the receiver calls the sender back at a pre-authorized phone number before transmission is completed
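    Message sequence numbering and the transaction-log review (audit procedure 5 on a later slide: verify that all messages were received in their proper sequence), worked as an added Python example that is not from the slides. It checks a constructed transaction log per counterparty and direction for missing, duplicated and out-of-order sequence numbers; the log format and the counterparty names are constructed.

```python
from collections import defaultdict

# Constructed message transaction log (not real data): direction, counterparty, seq, message ID
TRANSACTION_LOG = """\
IN,BANK-A,1001,PAY-0001
IN,BANK-A,1002,PAY-0002
IN,BANK-A,1004,PAY-0004
IN,BANK-A,1003,PAY-0003
IN,BANK-A,1004,PAY-0004
OUT,BANK-A,501,ACK-0001
OUT,BANK-A,502,ACK-0002
OUT,BANK-A,505,ACK-0005
IN,BANK-B,1,ORD-0001
IN,BANK-B,2,ORD-0002
IN,BANK-B,3,ORD-0003
"""


def parse_log(text):
    """Turn the CSV-like log into (direction, party, seq, message_id) tuples."""
    rows = []
    for line in text.strip().splitlines():
        direction, party, seq, msg_id = line.split(",")
        rows.append((direction, party, int(seq), msg_id))
    return rows


def check_sequences(rows):
    """Per (counterparty, direction) stream, report sequence numbers that are
    missing (a gap), duplicated (a possible replay) or out of order (arrived
    after a higher number). A stream is clean only if all three lists are empty."""
    streams = defaultdict(list)
    for direction, party, seq, msg_id in rows:
        streams[(party, direction)].append((seq, msg_id))
    report = {}
    for key, msgs in streams.items():
        seen, dups, out_of_order = set(), [], []
        highest = None
        for seq, _ in msgs:
            if seq in seen:
                dups.append(seq)
                continue
            if highest is not None and seq < highest:
                out_of_order.append(seq)
            seen.add(seq)
            highest = seq if highest is None else max(highest, seq)
        missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
        report[key] = {"missing": missing, "duplicates": dups,
                       "out_of_order": out_of_order,
                       "clean": not (missing or dups or out_of_order)}
    return report


if __name__ == "__main__":
    for (party, direction), result in check_sequences(parse_log(TRANSACTION_LOG)).items():
        print(party, direction, result)
```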

  • Controlling Risks from Subversive Threats

    Audit objectives: to verify the security and integrity of financial transactions by determining that network controls
      can prevent and detect illegal access both internally and from the Internet
      will render useless any data that a perpetrator successfully captures
      are sufficient to preserve the integrity and physical security of data connected to the network

    Audit procedures
      (1) Review the adequacy of the firewall in balancing control and convenience.
        Flexibility. The firewall should be flexible enough to accommodate new services.
        Proxy services. Adequate proxy applications should be in place to provide explicit user authentication to sensitive services, applications, and data.
        Filtering. The firewall should specify which services the user is permitted to access.
        Segregation of systems. Systems that do not require public access should be segregated from the Internet.
        Audit tools. The firewall should provide a thorough set of audit and logging tools that identify and record suspicious activity.
        Probe for weaknesses. Periodically probe the firewall for weaknesses just as a computer Internet hacker would do.

  • Controlling Risks from Subversive Threats

    Audit procedures
      (2) Verify that an intrusion prevention system (IPS) is in place for organizations that are vulnerable to DDOS attacks, such as financial institutions.
      (3) Review security procedures governing the administration of data encryption keys.
      (4) Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.
      (5) Review the message transaction logs to verify that all messages were received in their proper sequence.
      (6) Test the operation of the call-back feature by placing an unauthorized call from outside the installation.

  • Controlling Risks from Equipment Failure

    The most common problem in data communications is data loss due to line error.

    Controls:
      Echo Check: the receiver returns the message to the sender
      Parity Check: incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted

    Audit objectives
      verify the integrity of the transactions by determining that controls are in place to detect and correct message loss due to equipment failure.

    Audit procedures
      select a sample of messages from the transaction log and examine them for garbled content caused by line noise
      verify that all corrupted messages were successfully retransmitted

  • Vertical and Horizontal Parity using Odd Parity

    [Figure: Vertical and Horizontal Parity using Odd Parity]
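    The parity check from the previous slide and the vertical/horizontal odd-parity figure above, worked as an added Python example that is not from the slides: each 7-bit character gets a horizontal odd-parity bit, a final row carries column-wise odd parity, and the receiver locates a single flipped bit at the intersection of the failing row and column. The "AUDIT" sample block is constructed.

```python
def odd_parity_bit(bits):
    """Return the bit that makes the total number of 1s in `bits` odd."""
    return 0 if sum(bits) % 2 == 1 else 1


def encode_block(codes):
    """codes: 7-bit character codes. Each row is 7 data bits (MSB first) plus a
    horizontal odd-parity bit; a final row holds the vertical (column-wise) odd
    parity over all eight columns, as in the slide's figure."""
    rows = []
    for c in codes:
        bits = [(c >> i) & 1 for i in range(6, -1, -1)]
        rows.append(bits + [odd_parity_bit(bits)])
    vertical = [odd_parity_bit([r[col] for r in rows]) for col in range(8)]
    return rows + [vertical]


def check_block(block):
    """Receiver side: return (bad_rows, bad_cols) whose odd parity no longer holds.
    Row parity is checked on the character rows; column parity over the whole block."""
    data_rows = block[:-1]
    bad_rows = [i for i, r in enumerate(data_rows) if sum(r) % 2 == 0]
    bad_cols = [c for c in range(8) if sum(r[c] for r in block) % 2 == 0]
    return bad_rows, bad_cols


def locate_and_correct(block):
    """A single flipped bit fails exactly one row and one column, so it can be
    corrected at their intersection. An even number of flips in one row passes
    the horizontal check and is caught only by the vertical parity: detected,
    but not correctable."""
    bad_rows, bad_cols = check_block(block)
    if not bad_rows and not bad_cols:
        return "clean", block
    fixed = [r[:] for r in block]
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        fixed[bad_rows[0]][bad_cols[0]] ^= 1
        return "corrected", fixed
    if not bad_rows and len(bad_cols) == 1:          # the flip hit the vertical parity row
        fixed[-1][bad_cols[0]] ^= 1
        return "corrected", fixed
    return "uncorrectable", block


def decode_block(block):
    """Recover the character codes from the seven data bits of each character row."""
    return [int("".join(map(str, r[:7])), 2) for r in block[:-1]]


if __name__ == "__main__":
    original = encode_block([ord(ch) for ch in "AUDIT"])    # constructed sample block
    for row in original:
        print("".join(map(str, row)))
    damaged = [r[:] for r in original]
    damaged[2][3] ^= 1                                      # line noise flips one bit
    status, repaired = locate_and_correct(damaged)
    print(status, "".join(chr(c) for c in decode_block(repaired)))
```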

  • PC Systems Risks and Controls

    OS weaknesses
      minimal security for data files and programs
      data stored on microcomputers that are shared by multiple users are exposed to unauthorized access, manipulation, and destruction

    Weak access control
      The logon procedure is usually active only when the computer is booted from the hard drive
      How about booting from CD-ROM?

    Inadequate segregation of duties
      Computers are shared among end users
      The operator may also act as developer

  • PC Systems Risks and Controls

    Risk of theft
      PCs and laptops are easy to steal
      Policy for managing sensitive data

    Weak backup procedures
      Disk failure is the primary cause of data loss in PC environments
      End users should back up their own PCs, but they mostly lack the experience

    Risk of virus infection
      Ensure that effective antivirus software is installed on the PCs and kept up-to-date

    Multilevel password control
      When computers are shared among employees, each employee is required to enter a password to access his or her applications and data.

  • Audit Objectives

    Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
    Verify that adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators.
    Verify that backup procedures are in place to prevent data and program loss due to system failures, errors, and so on.
    Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
    Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object.

  • Audit Procedures

    Observe that PCs are physically anchored to reduce the opportunity for theft.
    Verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems.
    Determine that multilevel password control is used to limit access to data and applications, and that the access authority granted is consistent with the employees' job descriptions.
    If removable or external hard drives are used, the auditor should verify that the drives are removed and stored in a secure location when not in use.
    Select a sample of backup files and verify that backup procedures are being followed.
    Select a sample of PCs and verify that their commercial software packages were purchased from reputable vendors and are legal copies.
    Review the organization's policy for using antiviral software.