
Hall Chapter 16

Controlling the Operating System


Operating System
- the computer's control program
- allows users and their applications to share and access common computer
  resources
- if the OS's integrity is compromised, controls within individual accounting
  applications may also be circumvented or neutralized
- common to all users --- the larger the computer facility, the greater the scale
  of potential damage
- performs 3 main tasks:
  o translates high-level languages into machine-level language
    - compilers and interpreters are the language translator modules of the OS
    - high-level languages: COBOL, C++, BASIC, SQL
  o allocates computer resources to users, workgroups and applications
  o manages the tasks of job scheduling and multiprogramming
    - multiple applications may try to access resources at a given time
    - schedules job processing according to job priorities and balances the
      use of resources among the competing applications
    - applications (jobs) are submitted to the system in 3 ways:
      1. directly by the system operator
      2. from various batch-job queues
      3. via telecommunications links from remote workstations
- 5 fundamental control objectives:
  o protect itself from users (the OS must not be tampered with)
  o protect users from each other (users must not tamper with one another)
  o protect users from themselves (accidental corruption)
  o protect itself from itself (accidental corruption, domino effect)
  o protect itself from the environment (power failures or other disasters)
- Security involves policies, procedures and controls that determine who can
  access the OS, which resources they can access and what actions they can take
  o Log-on procedure
    - the OS's first line of defense against unauthorized access
    - in a dialog box the user ID and password are requested; the input is
      compared to a database of valid users; if they match, the log-on attempt
      is authenticated
    - if they do not match, a message is returned to the user that does not
      indicate what caused the failure
    - the user should be allowed to re-enter log-on information after a failed
      attempt, usually no more than 5 tries, and be locked out afterwards
  o Access token
    - created after a successful log-on attempt
    - contains key information about the user (user ID, password, user group
      and privileges)
    - this information is used to approve all actions the user attempts
      during a session
  o Access control list
    - assigned to each resource
    - controls access to system resources
    - contains information that defines the access privileges for all valid
      users of the resource
    - when a user attempts access, the system compares the ID and privileges
      contained in the access token against the access control list; if they
      match, access is granted
  o Discretionary access privilege
    - in a centralized system a central system administrator determines who
      is granted access to specific resources and maintains the access
      control list --- in a distributed system, end users may control resources
    - allows end users (the owners of a resource) to grant access privileges
      to other users
    - must be closely supervised to prevent security breaches from its
      liberal use
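
The token/ACL check and the discretionary grant described above, as an added example (not code from Hall's text); the user database, group names and resource names are constructed, and the two-layer rule (the token must carry the privilege and the ACL must list the user or group) is our reading of the notes:

```python
"""Access token checked against an access control list, plus discretionary grants."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Created after a successful log-on; carries what the user may do this session."""
    user_id: str
    group: str
    privileges: frozenset  # e.g. {"read", "write"}


@dataclass
class Resource:
    name: str
    owner: str
    # ACL: principal ("alice" or "group:audit") -> set of allowed actions
    acl: dict = field(default_factory=dict)


class OperatingSystem:
    def __init__(self):
        # constructed user database: user ID -> (group, session privileges)
        self.users = {
            "alice": ("payroll", {"read", "write"}),
            "bob": ("audit", {"read"}),
        }
        self.resources = {}

    def log_on(self, user_id):
        """Token creation after log-on (password checking is omitted here)."""
        group, privs = self.users[user_id]
        return AccessToken(user_id, group, frozenset(privs))

    def check_access(self, token, resource_name, action):
        """Grant only if the token carries the action AND the ACL lists it."""
        res = self.resources[resource_name]
        if action not in token.privileges:
            return False
        allowed = (res.acl.get(token.user_id, set())
                   | res.acl.get("group:" + token.group, set()))
        return action in allowed

    def grant(self, token, resource_name, grantee, action):
        """Discretionary access: only the resource owner may extend its ACL."""
        res = self.resources[resource_name]
        if token.user_id != res.owner:
            raise PermissionError(f"{token.user_id} does not own {resource_name}")
        res.acl.setdefault(grantee, set()).add(action)


def build_demo():
    """Constructed set-up: alice owns the payroll file; auditors may read it."""
    system = OperatingSystem()
    system.resources["payroll.dat"] = Resource(
        "payroll.dat", owner="alice",
        acl={"alice": {"read", "write"}, "group:audit": {"read"}})
    return system
```

Note that granting bob "write" on the ACL still does not let him write: his access token was issued with read-only session privileges, which is why the notes say discretionary grants must be supervised rather than relied on as the only control.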
- Threats to OS integrity
  o hindrances in achieving the control objectives
  o accidental threats: system failure
  o intentional threats: attempts to illegally access data or violate
  o destructive programs with no apparent gain --- a growing threat
  o exposure comes from 3 sources:
    - privileged personnel who abuse their authority (system administrators
      and systems programmers need unlimited access to the OS)
    - individuals (internal and external) who browse the OS to identify and
      exploit security flaws
    - individuals who intentionally or accidentally insert computer viruses or
      other forms of destructive programs into the OS
- Operating System Controls and Tests of Controls (the design and assessment of
  these controls are SOX compliance issues)
  o Access privileges (controlling access privileges): user access privileges
    are assigned to individuals and to entire workgroups authorized to use the
    system; privileges determine who has access and also what types of action
    can be taken
    - management should be concerned that individuals aren't granted
      privileges that are incompatible with their assigned duties
    - the way access privileges are assigned influences system security
    - Audit objective: verify that all access privileges are granted in a
      manner that is consistent with the need to separate incompatible
      functions and is in accordance with the organization's policy
    - Audit procedures:
      - review policies for separating incompatible functions and ensure they
        promote reasonable security
      - review the privileges of a selection of user groups and individuals to
        determine if their access rights are appropriate for their job
        descriptions and positions
      - review personnel records to determine whether privileged employees
        undergo an adequately intensive security clearance check in
        compliance with company policy
      - review employee records to determine whether users have formally
        acknowledged their responsibility to maintain confidentiality of
        company data
      - review users' permitted log-on times, which should be reasonable for
        the tasks assigned
  o Password control
    - password: a secret code the user enters to gain access to systems,
      applications, data files or a network server
    - password procedures can result in end-user behavior that circumvents
      security when imposed on non-security-minded users:
      - forgetting the password
      - failing to change the password on a frequent basis
      - post-it syndrome --- written down for others to see
      - simplistic passwords
    - Reusable password
      - most common
      - the user defines the password to the system once and then reuses it
        to gain future access
      - the quality of security depends on the quality of the password
      - passwords that are more difficult to crack are harder to remember
      - management should require passwords to be changed frequently and
        should disallow weak passwords; there is software for this task
    - One-time password
      - the user's password changes continuously
      - employs a credit-card-sized smart card that contains a microprocessor
        programmed with an algorithm that generates and electronically
        displays a new and unique password every 60 seconds; the card works in
        conjunction with special authentication software located on a
        mainframe or network server computer; users' cards are synchronized to
        the authentication software so that at any point in time both the
        smart card and the network software are generating the same password
        for the same user
      - usage: to access the network, the user enters the PIN and the current
        password displayed on the card; the password can be used only one time
      - challenge/response approach: the user attempts to log on; the network
        authentication software issues a 6-character code (challenge) that
        the card can either scan optically or that the user enters into the
        card via a built-in keypad; the card's internal algorithm generates a
        one-time password (response) that the user enters through the
        keyboard of the remote terminal; the firewall recognizes the current
        password and access is granted
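
Both one-time password modes from the notes, as an added example (not Hall's code and not any vendor's card algorithm): a stand-in card and an authentication server share a constructed secret; in time-synchronized mode both derive the same 6-digit password from the 60-second clock step, in challenge/response mode from the 6-character challenge. The HMAC-SHA256 derivation, the PIN handling and the one-step clock drift allowance are our assumptions.

```python
"""Time-synchronized and challenge/response one-time passwords (toy model)."""
import hashlib
import hmac
import secrets

STEP_SECONDS = 60        # the card shows a new password every 60 seconds
PASSWORD_DIGITS = 6
CHALLENGE_LENGTH = 6     # the notes describe a 6-character challenge


def _derive(secret, material):
    """Shared card/server algorithm: HMAC of the step or challenge -> 6 digits."""
    mac = hmac.new(secret, material, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** PASSWORD_DIGITS)
    return f"{value:0{PASSWORD_DIGITS}d}"


def card_display(secret, now):
    """Time-synchronized mode: the password the card shows at time `now`."""
    step = int(now) // STEP_SECONDS
    return _derive(secret, b"time:" + step.to_bytes(8, "big"))


def card_response(secret, challenge):
    """Challenge/response mode: the card turns the challenge into a response."""
    return _derive(secret, b"challenge:" + challenge.encode("ascii"))


class AuthServer:
    def __init__(self):
        self._cards = {}      # user -> card secret (synchronized at enrolment)
        self._pins = {}       # user -> PIN (constructed; a real server would hash it)
        self._consumed = set()  # (user, step) passwords already accepted: one use only
        self._pending = {}    # user -> outstanding challenge

    def enroll(self, user, pin, secret):
        self._cards[user] = secret
        self._pins[user] = pin

    def verify_time_sync(self, user, pin, typed, now, drift_steps=1):
        """Accept PIN + current card password; allow one step of clock drift."""
        if user not in self._cards or self._pins[user] != pin:
            return False
        step = int(now) // STEP_SECONDS
        for s in range(step - drift_steps, step + drift_steps + 1):
            expected = _derive(self._cards[user], b"time:" + s.to_bytes(8, "big"))
            if hmac.compare_digest(expected, typed):
                if (user, s) in self._consumed:
                    return False          # replay of a password already used
                self._consumed.add((user, s))
                return True
        return False

    def issue_challenge(self, user, challenge=None):
        """Send a 6-character code; a fixed one may be passed in for testing."""
        if challenge is None:
            challenge = secrets.token_hex(CHALLENGE_LENGTH // 2).upper()
        self._pending[user] = challenge
        return challenge

    def verify_response(self, user, typed):
        challenge = self._pending.pop(user, None)   # each challenge answers once
        if challenge is None or user not in self._cards:
            return False
        return hmac.compare_digest(card_response(self._cards[user], challenge), typed)
```

The server never stores or transmits the password itself; it recomputes it from the shared secret, which is what lets card and software "generate the same password for the same user" and why a password captured in transit is useless a minute later.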
    - Audit objective: ensure the organization has an adequate and effective
      password policy for controlling access to the OS
    - Audit procedures: review or verify the following:
      - all users have passwords
      - new users know how to use passwords and their importance
      - passwords are changed regularly
      - the password file, so that weak passwords are identified and disallowed
      - the password file is encrypted and the encryption key is secured
      - adequacy of password standards: length, expiration interval, etc.
      - account lockout policy: procedures determine how many log-on attempts
        are allowed before an account is locked and the duration of the lockout
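
The log-on procedure and password controls from the notes in one place, as an added example (not code from Hall's text): a generic failure message whatever the cause, lockout after 5 failed tries, and checks against length and expiration standards. The user names, the 15-minute lockout, the 90-day expiry, the disallowed-password list and the salted PBKDF2 storage are our assumptions.

```python
"""Log-on with uniform failure messages, lockout and password-standard checks."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 5                 # the notes: usually no more than 5 tries
LOCKOUT_SECONDS = 15 * 60        # constructed lockout duration
MIN_LENGTH = 8                   # constructed length standard
EXPIRY_DAYS = 90                 # constructed expiration interval
GENERIC_FAILURE = "Log-on failed"  # never says whether ID, password or lock caused it
WEAK_LIST = {"password", "welcome1", "letmein", "12345678"}  # constructed


def password_problems(password):
    """Return the standards a proposed password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_LIST:
        problems.append("appears on the disallowed list")
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        problems.append("must mix letters and digits")
    return problems


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: float          # when the password was last set
    failures: int = 0
    locked_until: float = 0.0


class LogonService:
    def __init__(self):
        self.accounts = {}

    def create_user(self, user, password, now):
        problems = password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), now)

    def password_expired(self, user, now):
        return now - self.accounts[user].changed_at > EXPIRY_DAYS * 86400

    def log_on(self, user, password, now):
        """Return (authenticated, message); the message is identical for every failure."""
        acct = self.accounts.get(user)
        if acct is None:
            return False, GENERIC_FAILURE
        if now < acct.locked_until:
            return False, GENERIC_FAILURE
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failures = 0
            return True, "authenticated"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return False, GENERIC_FAILURE
```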
  o Virus control (controlling against malicious and destructive programs)
    - destructive programs: viruses, worms, logic bombs, back doors,
      Trojan horses
    - threats from such programs can be substantially reduced through
      technology controls and administrative procedures
    - some precautionary steps:
      - buy original, factory-sealed packaged software from reputable vendors
      - issue a policy regarding unauthorized or illegal (bootleg) software
      - examine upgrades before implementing them (check for viruses)
      - inspect all public-domain software before using it (check for viruses)
      - establish procedures for making changes to production programs
      - establish an educational program to raise awareness of the threat
      - new applications should be tested first on a stand-alone computer
      - routinely make backup copies of key files
      - limit users to read and execute rights only
      - require protocols that explicitly invoke the OS's log-on procedures to
        bypass Trojan horses (which may present a fake log-on procedure)
      - use antiviral software (vaccines) to check applications and OS
        programs for the presence of a virus and remove them; most vaccines
        run in the background on the host computer and automatically test all
        files that are uploaded to the host --- vaccines only work against
        known viruses, so keep them updated
    - the key is prevention
    - Audit objective: verify that effective management policies and
      procedures are in place to prevent the introduction and spread of
      destructive programs
    - Audit procedures:
      - see if operations personnel are knowledgeable about computer viruses
        and know of their risks --- through interviews
      - verify that new software is tested on a stand-alone computer first
        before implementing it on the host or network server
      - verify that the current version of antiviral software is installed
        and that upgrades are regularly downloaded
  o System audit trail controls
    - system audit trail: logs that record activity at the system, application
      and user level; the OS allows management to choose the level of auditing
      to be recorded in the log (useful information vs. irrelevant facts)
    - two types: detailed logs of individual keystrokes and event-oriented logs
    - keystroke monitoring records both the user's keystrokes and the system's
      responses to prevent unauthorized intrusion; like a telephone wiretap;
      may be regarded as an invasion of privacy
    - event monitoring summarizes key activities related to system resources;
      records user IDs, time and duration of session, programs executed and
      resources accessed
    - setting audit trail objectives:
      - detect unauthorized access to the system
      - facilitate reconstruction of events
      - promote personal accountability, because users know they are monitored
    - implementation: cost-benefit analysis; know what to store in the logs
    - Audit objective: ensure the system audit trail is adequate for
      preventing and detecting abuses, reconstructing key events and planning
      resource allocation
    - Audit procedures:
      - verify that the audit trail was activated according to company policy
      - an audit log viewer allows the auditor to scan the log for unusual
        activities
      - select a sample of security violation cases and evaluate their
        dispositions to assess the effectiveness of the security group
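
An event-oriented audit log scanned for unusual activity, as an added example (not from Hall's text): the constructed log lines carry the event-monitoring fields the notes list (user ID, session times, program executed, resource accessed), and the three review rules (log-on outside a user's permitted hours, repeated failed log-ons, access to a resource not on the user's list) are ours, chosen to match the earlier audit procedure on permitted log-on times.

```python
"""Reviewing an event-oriented system audit trail for unusual activity."""
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, event type, key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:59:12 LOGON user=alice result=SUCCESS terminal=T12
2024-03-04T09:02:40 EXEC user=alice program=GLPOST resource=GL.MASTER
2024-03-04T17:45:01 LOGOFF user=alice duration=31450
2024-03-04T23:12:09 LOGON user=bob result=SUCCESS terminal=T07
2024-03-04T23:13:30 EXEC user=bob program=PAYRUN resource=PAYROLL.MASTER
2024-03-05T02:00:00 LOGON user=svc_backup result=SUCCESS terminal=CONSOLE
2024-03-05T07:10:02 LOGON user=carol result=FAILURE terminal=T03
2024-03-05T07:10:20 LOGON user=carol result=FAILURE terminal=T03
2024-03-05T07:10:41 LOGON user=carol result=FAILURE terminal=T03
2024-03-05T07:11:05 LOGON user=carol result=FAILURE terminal=T03
"""

# Constructed policy tables the auditor would take from HR / access records.
PERMITTED_HOURS = {"alice": (8, 18), "bob": (8, 18), "svc_backup": (0, 24)}
PERMITTED_RESOURCES = {"alice": {"GL.MASTER"}, "bob": {"AR.MASTER"}}
FAILED_LOGON_THRESHOLD = 3


def parse_line(line):
    """One log line -> dict with 'time', 'event' and the key=value fields."""
    timestamp, event, *fields = line.split()
    record = {"time": datetime.fromisoformat(timestamp), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def review(log_text):
    """Return the list of findings an audit log viewer would flag."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec.get("user")
        if rec["event"] == "LOGON":
            if rec.get("result") == "FAILURE":
                failures[user] += 1
                continue
            hours = PERMITTED_HOURS.get(user)
            if hours and not (hours[0] <= rec["time"].hour < hours[1]):
                findings.append(
                    f"{user}: log-on at {rec['time']:%H:%M} outside permitted "
                    f"hours {hours[0]:02d}-{hours[1]:02d}")
        elif rec["event"] == "EXEC":
            if rec["resource"] not in PERMITTED_RESOURCES.get(user, set()):
                findings.append(
                    f"{user}: program {rec['program']} accessed {rec['resource']}, "
                    f"not on the user's resource list")
    for user, count in failures.items():
        if count >= FAILED_LOGON_THRESHOLD:
            findings.append(f"{user}: {count} failed log-on attempts")
    return findings
```

Each finding is the kind of item the auditor would sample for its disposition: bob's late-night session and his access to the payroll master are two separate questions, and carol's string of failures may be a forgotten password or a guessing attempt.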

Controlling Database Management Systems

Controls:
1. Access Controls: designed to prevent unauthorized individuals from viewing,
   retrieving, corrupting or destroying the entity's data
   a. User view (subschema): a subset of the total database that defines the
      user's data domain and restricts his access to the database accordingly;
      the responsibility of the DBA; access privileges should match needs;
      does not define task privileges
   b. Database authorization table: contains rules that limit the actions a
      user can take
   c. User-defined procedures: allow the user to create a personal security
      program or routine to provide more positive user identification than a
      password can (like additional questions only the user can answer)
   d. Data encryption: use of an algorithm to scramble selected data so it is
      unreadable
   e. Biometric devices: measure personal characteristics; the ultimate
      authenticator; appropriate when a very limited number of people may
      access highly sensitive data
   f. Audit objective: verify that authorized users' privileges are limited to
      the resources needed to accomplish their tasks and that unauthorized
      users are denied access
   g. Audit procedures
      i. Verify that the DBA is solely responsible for creating authority
         tables and designing user views; evidence of compliance can come from:
         1. reviewing company policy and job descriptions
         2. examining programmer authority tables for access privileges to
            data definition language (DDL) commands
         3. interviewing programmer and DBA personnel
      ii. Verify that the user access privileges stored in the authority table
          are consistent with the user's organizational function (use sampling)
      iii. Cost-benefit analysis regarding biometric controls
      iv. Verify that sensitive data are well encrypted (print a hard copy to see)
2. Backup Controls: ensure that in the event of data loss due to unauthorized
   access, equipment failure or physical disaster, the organization can
   recover files and databases
   a. Database backup: make a periodic backup of the entire database;
      automatic; at least once a day; the backup is stored in a secure remote
      area
   b. Transaction log (journal): provides an audit trail for all processed
      transactions; only a list of transactions; changes made to the database
      are recorded on a separate database change log
   c. Checkpoint feature: suspends all data processing while the system
      reconciles the transaction log and the database change log against the
      database; the system is in a quiet state here; checkpoints occur
      automatically several times an hour; after a failure, the checkpoint
      minimizes the processes to be repeated
   d. Recovery module: uses the logs and backup files to restart the system
      after a failure
   e. Audit objective: verify that backup controls are adequate to facilitate
      recovery of lost, destroyed or corrupted data
   f. Audit procedures
      i. Verify from system documentation that production databases are copied
         at regular intervals (several times an hour)
      ii. Verify through documentation and observation that backup copies of
          the database are stored off-site to support disaster recovery
          procedures
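
The four backup controls working together, as an added example (not code from Hall's text): a toy in-memory database keeps a transaction log (journal), a separate database change log of before/after values, a periodic full backup and a checkpoint that reconciles the logs against the live data; the recovery module restarts from the newest snapshot and redoes only the changes logged after it. Account names and amounts are constructed.

```python
"""Backup, transaction log, database change log, checkpoint and recovery (toy)."""
import copy


class Database:
    def __init__(self):
        self.data = {}                # live records: account -> balance
        self.transaction_log = []     # journal: (seq, description) per processed transaction
        self.change_log = []          # (seq, key, old_value, new_value) per change
        self.backup = (0, {})         # (seq, snapshot) from the last full backup
        self.checkpoint = (0, {})     # (seq, snapshot) from the last checkpoint
        self.seq = 0

    def post(self, description, key, delta):
        """Process one transaction: journal it and record the change it made."""
        self.seq += 1
        old = self.data.get(key, 0)
        new = old + delta
        self.data[key] = new
        self.transaction_log.append((self.seq, description))
        self.change_log.append((self.seq, key, old, new))
        return self.seq

    def take_backup(self):
        """Periodic full copy of the database (stored off-site in practice)."""
        self.backup = (self.seq, copy.deepcopy(self.data))

    def _replay(self, base):
        """Apply every logged change newer than `base` to a copy of its snapshot."""
        base_seq, snapshot = base
        state = copy.deepcopy(snapshot)
        for seq, key, _old, new in self.change_log:
            if seq > base_seq:
                state[key] = new
        return state

    def take_checkpoint(self):
        """Quiet state: reconcile both logs against the database, then snapshot."""
        if len(self.transaction_log) != len(self.change_log):
            raise RuntimeError("journal and change log are out of step")
        if self._replay(self.checkpoint) != self.data:
            raise RuntimeError("logs and database disagree; investigate before checkpointing")
        self.checkpoint = (self.seq, copy.deepcopy(self.data))

    def simulate_failure(self):
        """Constructed failure: the live data is lost."""
        self.data = None

    def recover(self):
        """Recovery module: newest snapshot plus redo of later changes."""
        base = max(self.backup, self.checkpoint, key=lambda b: b[0])
        self.data = self._replay(base)
        return base[0], self.data
```

The recovery returns which sequence number it restarted from; the closer the last checkpoint is to the failure, the fewer changes have to be redone, which is the point the notes make about checkpoints minimizing the processing repeated after a failure.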
Controlling Networks
- Network Topologies: consist of various configurations of:
  o communications lines (fiber optics, microwaves, coaxial cable,
    twisted-pair wires)
  o hardware components (modems, servers, multiplexers, front-end processors)
  o software (protocols and network control systems)
- General Risks
  o subversive threats
  o equipment failure
- Controlling Subversive Threats
  o Firewall
    - a system that enforces access control between two networks
    - to accomplish this:
      - all traffic between the outside network and the organization's
        intranet must pass through the firewall
      - only authorized traffic between the organization and the outside is
        allowed to pass
      - the firewall must be immune to penetration from the outside and the
        inside
    - can be used to authenticate an outside user of the network, verify his
      level of access authority and then direct the user to the program, data
      or service requested
    - can be used to insulate portions of the organization's intranet from
      internal access
    - Network-level firewalls
      - efficient but low-security access control
      - consist of a screening router that examines the source and
        destination addresses attached to incoming message packets
      - accept or deny access requests based on programmed filtering rules
      - direct incoming calls to the correct internal receiving node
      - insecure: designed to facilitate the free flow of information and not
        to restrict it
      - do not explicitly authenticate outside users
    - Application-level firewalls
      - a higher level of customizable network security
      - add overhead to connectivity
      - configured to run proxies (security applications) that permit routine
        services (like email)
      - can perform sophisticated functions such as authentication of tasks
      - provide comprehensive transmission logging and auditing tools for
        reporting unauthorized activity
    - Dual-homed system
      - has two firewall interfaces: one screens incoming requests from the
        internet; the other provides access to the organization's intranet
      - direct communication to the internet is disabled
      - the two networks are fully isolated
      - proxy applications that impose separate log-on procedures perform all
        access
    - convenience vs. security trade-off --- acceptable risk
  o Controlling Denial of Service Attacks
    - forms of DoS: clog internet ports with fraudulently generated messages
    - SYN flood attacks
      o use IP spoofing to disguise the source
      o the attack may be coming from a single disguised site; the host
        computer views it as coming from all over the internet
      o two actions to defeat it:
        - program firewalls to block outbound message packets that contain
          invalid internal IP addresses; this will prevent attackers from
          hiding their locations from the targeted site and would assure
          management of potential intermediary hosts that no undetected
          attacks could be launched from their sites; it won't prevent attacks
          from internet sites that refuse to screen outgoing transmissions
        - security software scans for half-open connections: it looks for SYN
          packets that have not been followed by an ACK packet
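
The network-level firewall's screening rules and the two SYN-flood defenses above, as an added example (not Hall's code): a screening router that checks source and destination addresses against ordered filtering rules, an egress rule that drops outbound packets whose source is not a valid internal address, and a scan of a packet trace for half-open connections (SYN never followed by the client's ACK). The intranet range, rule table, packet dicts and threshold are constructed.

```python
"""Screening-router filtering, egress anti-spoofing and half-open connection scan."""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed intranet range

# Inbound filtering rules, first match wins:
# (source network, destination host/network, destination port or None, action)
INBOUND_RULES = [
    ("0.0.0.0/0", "10.0.1.10", 443, "accept"),   # public web server
    ("0.0.0.0/0", "10.0.1.25", 25, "accept"),    # mail relay
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),    # everything else
]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt):
    """Decide 'accept'/'deny' for a packet dict with dir, src, dst and dport."""
    if pkt["dir"] == "out":
        # egress rule: an outbound packet must carry a valid internal source,
        # so this site cannot be used to launch spoofed floods at others
        return "accept" if is_internal(pkt["src"]) else "deny"
    if is_internal(pkt["src"]):
        # an inbound packet claiming an internal source address is spoofed
        return "deny"
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for src_net, dst_net, port, action in INBOUND_RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (port is None or port == pkt["dport"])):
            return action
    return "deny"


def half_open_sources(packets, threshold=3):
    """Sources with at least `threshold` SYNs not followed by their ACK."""
    pending = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "SYN":
            pending[key] = p["src"]
        elif p["flags"] == "ACK":
            pending.pop(key, None)      # handshake completed
    counts = Counter(pending.values())
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed trace: one completed handshake and three half-open connections.
SAMPLE_PACKETS = [
    {"dir": "in", "src": "198.51.100.7", "sport": 50001, "dst": "10.0.1.10", "dport": 443, "flags": "SYN"},
    {"dir": "in", "src": "198.51.100.7", "sport": 50001, "dst": "10.0.1.10", "dport": 443, "flags": "ACK"},
    {"dir": "in", "src": "203.0.113.5", "sport": 40001, "dst": "10.0.1.10", "dport": 443, "flags": "SYN"},
    {"dir": "in", "src": "203.0.113.5", "sport": 40002, "dst": "10.0.1.10", "dport": 443, "flags": "SYN"},
    {"dir": "in", "src": "203.0.113.5", "sport": 40003, "dst": "10.0.1.10", "dport": 443, "flags": "SYN"},
]
```

As the notes say, the address-only rules authenticate nobody: the web rule accepts any source, which is why the half-open scan is needed as a second, behaviour-based control.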
    - Smurf attacks
      o the target organization can program its firewall to ignore all
        communication from the attacking site, once the attacker's IP address
        is determined
    - Distributed denial of service attacks (DDoS)
      o the most difficult to counter
      o messages come from thousands of zombie sites distributed across the
        internet; one can't block transmissions from so many different
        locations
      o intrusion prevention systems (IPS) that employ deep packet inspection
        (DPI) determine when an attack is in progress
      o IPS
        - works inline with the firewall at the perimeter of the network to
          act as a filter that removes malicious packets from the flow before
          they can affect servers and networks
        - may be used behind the firewall to protect specific network segments
          and servers
        - can be employed to protect an organization from becoming part of a
          botnet by inspecting outbound packets and blocking malicious traffic
          before it reaches the internet
      o DPI
        - uses a variety of analytical and statistical techniques to evaluate
          the contents of message packets
        - searches the individual packets for protocol noncompliance and
          employs predefined criteria to decide if a packet can proceed to its
          destination
        - can identify and classify malicious packets based on a database of
          known attack signatures; malicious packets are blocked and redirected
          to the security team
        - in contrast, normal packet inspection checks only the header portion
          of the packet to determine its destination
  o Encryption
    - conversion of data into a secret code for storage in databases and
      transmission over networks
    - the sender uses an encryption algorithm to convert cleartext into
      ciphertext; the process is reversed by the receiver
    - the encryption algorithm uses a key --- a binary number from 56 to 128
      bits in length (usually); the more bits, the stronger the encryption
      method; nothing less than 128 bits is considered truly secure
    - Private key encryption
      o Advanced Encryption Standard (AES): a 128-bit encryption technique;
        uses a single key known by sender and receiver; the cleartext goes
        through the encryption algorithm using the key to produce ciphertext,
        which is transmitted over the communication channel and deciphered
        using the same key
      o Triple-DES encryption: an enhancement to the data encryption standard
        (DES)
        - very secure but very slow
        - EEE3 uses 3 different keys to encrypt the message 3 times
        - EDE3: 1 key to encrypt; 1 key to decode it, which garbles it (the
          decoding key is not the same as the encoding key); 1 key to encrypt
          the garbled message
      o problem: the more people who need to know the key, the greater the
        chance of it falling into the wrong hands
    - Public key encryption
      o uses 2 different keys: an encoder and a decoder
      o each recipient has a private key (kept secret) and a public key
        (published)
      o the sender uses the receiver's public key to encrypt the message; the
        receiver uses his private key to decrypt --- no need to share the
        private key
      o Rivest-Shamir-Adleman (RSA): a highly secure public key cryptography
        method; computationally intensive and much slower than standard DES
      o Digital envelope: use of DES and RSA; the cleartext is encrypted using
        DES; the DES private key needed to decrypt it is encrypted using RSA
        and transmitted along with the message; the receiver decodes the DES
        key and then the message
    - Digital Signature
      o electronic authentication that can't be forged
      o ensures the message was not tampered with after the signature was
        applied
      o the sender uses a one-way hashing algorithm to calculate a digest of
        the text message; the digest is encrypted using the sender's private
        key to produce the digital signature; the message and the digital
        signature are encrypted using the receiver's public key and
        transmitted; the receiver decrypts both using the receiver's private
        key; the receiver uses the sender's public key to decrypt the digital
        signature and see the digest; the receiver recalculates the digest
        from the cleartext and the two values should match if authentic
      o digest: a mathematical value calculated from the text content
    - Digital Certificate
      o issued by a certification authority (CA), a trusted 3rd party
      o used in conjunction with a public key encryption system to
        authenticate the sender of a message
      o the process of certification depends on the level of certification
        desired
      o involves establishing one's identity with formal documents and proving
        one's ownership of the public key
      o is transmitted with the encrypted message to authenticate the sender
      o the receiver decrypts the sender's public key attached to the message
        using the CA's public key; the sender's public key is then used to
        decrypt the message
    - Message sequence numbering: a sequence number is inserted in each message
    - Message transaction log: records incoming and outgoing messages,
      attempted and failed access, user ID, time of access and the terminal
      location or telephone number from which access originated
    - Request-response technique: a control message from the sender and a
      response from the receiver are sent at periodic, synchronized intervals;
      the timing of the messages should follow a random pattern, to detect
      whether the communication channel was interrupted
    - Call-back devices: require the dial-in user to enter a password and be
      identified; the device breaks the connection to perform user
      authentication; if authorized, the call-back device dials the caller's
      number to establish a new connection
    - Audit objectives: verify the security and integrity of financial
      transactions by determining that network controls can prevent and detect
      illegal access internally and externally, will render useless any data
      the perpetrator successfully captures and are sufficient to preserve the
      integrity and physical security of data connected to the network
    - Audit procedures
      - review the adequacy of the firewall; assessment of effectiveness:
        o flexibility
        o proxy services
        o filtering
        o segregation of systems: systems that don't require public access
          should be segregated from the internet
        o audit tools
        o probe for weaknesses
      - verify that an IPS with DPI is in place for organizations that are
        vulnerable to DDoS (like financial institutions)
      - review security procedures governing administration of data encryption
      - verify the encryption process by transmitting a test message and
        examining the contents at various points along the channel between
        sending and receiving locations
      - review the message transaction logs to verify that all messages were
        received in their proper sequence
      - test the operation of the call-back feature by placing an unauthorized
        call from outside the installation
- Controlling Risks from Equipment Failure
  o Line errors
    - the most common cause of data loss in data communication
    - a message's bit structure can be corrupted through noise on
      communication lines
    - noise is made up of random signals that can interfere with the message
      signal when they reach a certain level
    - random signals may be caused by electric motors, atmospheric conditions,
      faulty wiring, defective components or noise spilling over from an
      adjacent communication channel
    - Echo check: the receiver returns the message to the sender; the sender
      compares the returned message with a stored copy of the original; the
      presence of a discrepancy indicates a transmission error and the message
      is retransmitted
      - its use reduces throughput over communications channels by one-half
      - using full-duplex channels (which allow both parties to transmit and
        receive simultaneously) can increase throughput
    - Parity check: incorporates a parity bit (an extra bit) into the
      structure of a bit string when it is created or transmitted; can be
      vertical and/or horizontal
      - vertical parity adds a parity bit to each character in the message
        when the characters are originally coded and stored in magnetic form
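
Vertical parity and the echo check applied to a constructed message with constructed line noise, as an added example (not from Hall's text); even parity on 7-bit ASCII characters is our choice of convention, and the example goes one step past the notes by showing the case a parity bit cannot catch (two flipped bits in one character), which the echo check still detects.

```python
"""Vertical (per-character) parity and echo check against line noise."""


def encode_with_parity(text):
    """7-bit ASCII characters -> 8-bit frames with an even parity bit appended."""
    frames = []
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError("7-bit ASCII only")
        parity = bin(code).count("1") % 2     # 1 if the data bits have an odd number of ones
        frames.append((code << 1) | parity)   # total ones in the frame is now even
    return frames


def parity_errors(frames):
    """Receiver's check: indices of frames whose ones count is no longer even."""
    return [i for i, frame in enumerate(frames) if bin(frame).count("1") % 2 == 1]


def decode(frames):
    """Strip the parity bit and rebuild the text (no error correction)."""
    return "".join(chr(frame >> 1) for frame in frames)


def inject_noise(frames, flips):
    """Constructed line noise: flips maps frame index -> list of bit positions."""
    noisy = list(frames)
    for index, bits in flips.items():
        for bit in bits:
            noisy[index] ^= 1 << bit
    return noisy


def echo_check(sent, echoed):
    """Sender compares the echoed copy with its stored original."""
    return sent == echoed


def transmit(text, flips):
    """Run one transmission through noise and return what each control reports."""
    sent = encode_with_parity(text)
    received = inject_noise(sent, flips)
    return {
        "parity_errors": parity_errors(received),
        "echo_ok": echo_check(sent, received),
        "decoded": decode(received),
    }
```

The parity check costs one extra bit per character and works at the receiver alone, while the echo check halves throughput but catches any change, which is the trade-off the notes set out.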
  o Audit objective: verify the integrity of e-commerce transactions by
    determining that controls are in place to detect and correct message loss
    due to equipment failure
  o Audit procedures
    - see if messages have garbled contents that line noise causes (sampling)
    - verify that corrupted messages were successfully retransmitted

Electronic Data Interchange (EDI) Controls
- EDI concept: links two trading partners; A's purchases system automatically
  creates and sends an electronic purchase order to its EDI translation
  software; the translation software converts the PO from internal format to
  standard format; communications software adds the protocols to the message
  to prepare it for transmission over the communication channel; transmission
  (direct connection, or indirect connection through a value-added network or
  VAN); B reverses the process
- there is an absence of human intervention here
- uses computer-to-computer communications technologies to automate B2B
  purchases
- Transaction Authorization and Validation: may be tested at 3 points
  o VANs can validate passwords and user ID codes for the vendor by matching
    them against a valid customer file
  o translation software can validate the trading partner's ID and password
    against a validation file in the firm's database
  o the trading partner's application software references the valid customer
    and vendor files to validate the transaction
- Access Control
  o EDI trading partners must permit a degree of access to private data files
    that would be forbidden in a traditional environment
  o the trading partner agreement will determine the degree of access control
    in place
  o the company must establish valid vendor and customer files to combat
    unauthorized access
  o authority tables can be established
- EDI Audit Trail
  o maintain a control log that records the transaction's flow through each
    phase of the EDI system; it can be reconciled
- Audit Objectives: determine that:
  1. all EDI transactions are authorized, validated and in compliance with the
     trading partner agreement
  2. no unauthorized organizations gain access to database records
  3. authorized trading partners have access only to approved data
  4. adequate controls are in place to ensure a complete audit trail of all EDI
     transactions
- Audit Procedures
  o identification codes should be verified before transactions are processed;
    done by:
    - reviewing agreements with the VAN facility
    - reviewing trading partner files, which must be accurate and complete
  o verify limited access to vendor and customer files: limited to authorized
    passwords; tables and data must be encrypted
  o verify limited access of vendors to database records: table privileges
    should match the privileges in the trading agreement
  o test EDI controls by simulation (sampling): attempt access, violate
    privileges
  o verify that EDI produces a transaction log that tracks transactions
    through all stages of processing; review a sample of transactions to
    determine if they were recorded correctly

Appendix
Malicious and Destructive programs
1. Virus
   a. a program that attaches itself to a legitimate program to penetrate the
      OS and destroy application programs, data files and the OS
   b. can spread first before perpetrating its destructive acts
   c. can be modified to replicate itself first before it destroys
   d. personal computers are a major source of virus penetration; viruses
      usually attach themselves to the following types:
      i. .EXE or .COM
      ii. .OVL (overlay)
      iii. boot sector of a disk
      iv. device driver programs
2. Worm: virtually burrows into the computer's memory and replicates itself
   into areas of idle memory; systematically occupies idle memory until memory
   is exhausted and the system fails
3. Logic bomb: triggered by a predetermined event like a date or other events
4. Back door (trap door): allows unauthorized access to the system without
   going through the normal log-on procedure (front door); programmers who
   developed the system and want unauthorized access can program it in a way
   that their own password or the users' can be used to access it
5. Trojan horse: captures IDs and passwords from users (mimics the log-on
   procedure) and stores them in a secret file; the author uses it to
   masquerade as you

In a DoS attack, the sender sends hundreds of messages, receives the SYN/ACK
packet, but does not respond with an ACK packet. This leaves the receiver with
clogged transmission ports, and legitimate messages cannot be received.
