OS weakness

translates high level languages, COBOL,

C++, SQL, etc into machine language

weak access control

inadequate segregation of duties

allocates computer resources to users,

workgroups, applications

multilevel password control

main tasks

risk of theft
risk of viruses
verify that control are in place to
protecteverything

directly by system operator

manages tasks of job schedulling and

multiprogramming

weak backup procedures

from various batch-job queues

through telecomm links from remote workstations

OS Objectives

auditing PC-based accounting systems

PC systems risks and control

must protect itself from users

must protect users from each other

verify that adequate supervision and

operating procedures exist

objectives

verify that backups are in place

must protect users from themselves

must be protected from itself

audit objectives

must be protected from its environtment

verify that systems selection are high

quality and protected

log on procedure

verify that system is free from viruses

audit procedures

access token

first line of defense against unathorized access

contain key information about user ID,

password, user group, previleges
granted

EDI standard
reduces the need for data entry

OS Security

data keying

access control list

error reduction

contain information that defines the

access priveleges for all valid users of
the resource

paperless
postage

discretionary access priveleges

benefits of EDI

automatic

grant access priveleges to other users

priveleges personnel who abuse their authority

inventory reduction
financial EDI
EDI controls

threats to OS integrity

access control
all EDI transactions are authorized,
validated, in compliance with trading
partner agreement

individuals who browse the operating

system to identify and exploit security
flaws
individuals who intentionally/accidentally
insert viruses or other form of
destructive programs
carefully administered and closely
monitored for compliance with
organizational policiy and principles of
internal control

no authorized org gain access to

database record
authorized trading partner have access
only to approved data

audit objectives

adequate controls are in place to ensure

a complete audit trail of all EDI
transactions

auditing electronic data

interchange (EDI)
audit objectives

verify that access privileges are granted

in a manner that is consistent with the
need to separate incompatible functions
and accordance with organization's
policy

review agreements with VAN faicility to

validate transactions

recincile terms of trading agreement

with trading pratner's access privilege

audit procedures

audit procedures

review personnel records

test of access controls

simulate access by a simple trading

partner and attempt to violate access
privileges
verify that EDI produces a transaction
log that tracks transactions through all
stages of processing

review employee records

access to corporate databases

privilege employee

reusable password
intranet risk

one time passw ord

Security part 1: auditing

operating systems and
network

SYN flood attack

perpetrator
smurf -> ping

examples

auditing operating systems

IP Spoofing

audit objectives

internet risk

distributed denial of service (DDos)

network-level firewall
application-level firewall

deep packet inspection (DPI)

change regularly and disallow weak password

changes continously

ensure that the organization has an

adequate and effective password policy
for controlling access to OS

review password control procedures

risk from equipment failure
audit procedures

software
screening router

defines the password to the system once

and then reuses it to gain future access

verify that new users are intructed in

the use of password and the importance
of passw ord control

passw ord control

comm lines
hardware

revies password file

triple DES encryption

Rivest-Shamir-Adleman (RSA)

verify password file is encrypted and secured

firewall

assess the adequacy of password

standard such as length and expiration
interval

OS control and audit test

controlling denial of service attacks

private key encryption

review account lockout policy and procedures

audit objectives

encryption

public key encryption

control against malicious and destructive programs

digital certificate

audit procedures

message sequence numbering

message transaction log
call-back devices

sufficient to preserve the integrity and

physical security if data connected to
the network

detailed logs of individual keystrokes

controlling risk from subversive threats

types
audit objectives

event-oriented logs

recording both user's keystrokes and

system's responses

summarizes key activities related to

system resources
record ID all users accessing the system
detecting unauthorized access to the systems

flexibility
filtering

verify that new software is tedsted on

standalone workstations before
implemented on network server

auditing network

setting audit trail objectives

controlling network

proxy service
segregation of systems

facilitating the reconstruction of events

promoting personal accountability
implementing a system audit trail

review the adequacy of firewall

ensure that the established system audit

trail is adequate for preventing and
detecting abuses

systems audit trail controls

audit tools
probe for weakness
verify IPS with DPI is in place

audit objectives

audit procedures

veriffy that the audit trail has been

activated according to organization
policy

verify encryption process by transmitting code test

review message transaction log to verify
all message were received
audit procedures

test operation of call back

echo check
parity check
verify the integrity of electronic
commerce transactions by determining
that controls are in place todetect and
correct message loss

audit objectives

verify that all corrupted message were

successfully retransmitted

use general purpose data extraction

tools for accessing archieved log files to
search for defined condition
select a sample of security violation
cases and evaluate their disposition to
assess the effectiveness

line errors

controlling risk from equipment failure

select a sample message from

transaction log
examine for garbled content caused by line noise

reconstructing key events that precede

systems failures
planning resource allocation

review security procedures governing

the administration of data encryption
keys

receiver returning message to sender

determine that operations personnel

have been educated about viruses and
aware of the risk

verify that current version of antivirus is

installed and upgrade regularly

request-response technique

render useless any data that a

perpetrator successfully captures

after how many failed log-on

verify that effective management

policies and procedures are in place to
prevent the introduction and spread of
destructive programs

through interviews

digital signature

prevent and detect illegal access both

internally and from the internet

ensure change regularly

determine that weak password are

identified and disallowed

conversion of data into secret code for

storage database and transmission over
network
advance encryption standard (AES)

determine whether users have formally

acknowledged their responsibility to
maintain the confidentially of company
data

verify that all users are required to have password

denial of service attack

victim

determine whether privileges undergo

an adequately intensive security
clearance check w ith policy

review the users permitted log on time

test of audit trail controls

interception of network messages

intermediary

determine their access rights are

appropriate for their job descriptions and
position

revies the previleges of a selection of

user groups and individual

controlling acess privileges

determine that access to the valid

vendor or customer file is limited

intrusion prevention systems (IPS)

ensure that they promote reasonable security

test of authorization and validation controls

examine the organization's valid partner

file for accuracy and completeness

zombie / bot

separating incompatible functions

review organization policies

ensure the information is valid,

complete, and correct

audit procedures

Security part 1. auditing operating systems and network.mmap - 07/10/2014 - Mindjet