SlideShare a Scribd company logo

Chapter 7

Download as PPTX, PDF
S
Seth Nurul

Accounting information system

Internet
1 of 56
CHAPTER 7 IT CONTROLS PART II : SECURITY AND ACCESS
PRESENT BY : NURULHIDAYAH MOHD NOOR 62288112187 SARAH MOHAMAD 62288112274 NUR ATIQAH MOHD NASARUDDIN 62288112181 NUR SABRINA AB RAHIM 62288112270 NURUL IZZATY ROZLAN 62288112292
LEARNING OBJECTIVES • Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures. • Be familiar with the principal risks associated with electronic commerce conducted over intranets and the Internet and understand the control techniques used to reduce these risks. • Be familiar with the risks to database integrity and the controls used to mitigate them. • Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced.
Operating System What is Operating System ? - Is the computer’s control program. - Allows users and their applications to share and access common computer resources, such as processors, main memory, databases and printers.
Operating System Perform three main tasks: – translates high-level languages into the machine-level language. – allocates computer resources to user applications. – manages the tasks of job scheduling and multiprogramming.
Operating System Requirements for Effective Operating Systems Performance ; • Protect against tampering by users • Prevent users from tampering with the programs of other users • Safeguard users’ applications from accidental corruption • Safeguard its own programs from accidental corruption • Protect itself from power failures and other disasters
Operating System - Because the operating system is common to all users, the larger the computer facility, the greater the scale of potential damage. - Therefore, OPERATING SYSTEM SECURITY becomes an important issue.
Operating System Security - Involves policies, procedures and controls that determine ; -who can access the OS, -which resources (files, programs, printers) they can access -what actions they can take - The following security components are found in secure operating systems: -Log On Procedure -Access Token -Access Control List -Discretionary Access Privilege
L O G O N P R O C E D U R E
• The OS’s first line of defense against unauthorized access. • Presented with a dialog box requesting the user’s ID and password. • The system compares the ID and password to a database of valid users. • If the system finds a match, then the log on attempt is authenticated, h/ever if the password or ID is entered incorrectly, the log on attempt fails and a message is returned to the user. • After a specified number of attempts, the system should lock out the user from the system. L O G O N P R O C E D U R E
A C C E S S T O K E N
• If the log on attempt is successful, the OS creates an ccess token that contains key information about the user (including user ID, password, user group, and privileges granted to the user). • The information in the access token is used to approve all actions the user attempts during the session. A C C E S S T O K E N
A C C E S S C O N T R O L L I S T
• An access control list assigned to each resource controls access to system resources such as directories, files, programs, and printers. • These lists contain information that defines the access privileges for all valid users of the resource. • When a user attempts to access a resource, the system compares the user ID and privileges contained in the access token with those contained in the access control list, if there is a match, the user is granted access. A C C E S S C O N T R O L L I S T
D I S C R E T I O N A R Y A C C E S S P R I V I L E G E
• The central system administrator usually determines who is granted access to specific resources and maintains the access control list. • Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users. • The use of discretionary access control needs to be closely supervised to prevent security breaches because its liberal use D I S C R E T I O N A R Y A C C E S S P R I V I L E G E
Threats to OS Control Accidentally Hardware failures -Cause the OS crash Errors in user application programs -Operating system cannot interpret and cause OS failures Whole segments of memory to be dumped to disks and printers -Resulting in the unintentional disclosure of confidential info Intentionally Privileged personnel who abuse their authority -Systems administrators and systems programmers may use their authority to access user’s programs and data files Individuals both internal and external in the organization -browse the OS to identify and exploit security flaws. Individuals who intentionally/ accidentally -insert computer viruses to destruct programs into the OS
OS Controls Access Privileges • Audit objectives: verify that access privileges are consistent with separation of incompatible functions and organization policies • Audit procedures: review or verify.. – policies for separating incompatible functions – a sample of user privileges, especially access to data and programs – security clearance checks of privileged employees – formal acknowledgements to maintain confidentiality of data – users’ log-on times
OS Controls Password Control • Audit objectives: ensure adequacy and effectiveness of password policies for controlling access to the operating system • Audit procedures: review or verify.. – passwords required for all users – password instructions for new users – passwords changed regularly – password file for weak passwords – encryption of password file – password standards – account lockout policies
OS Controls Malicious & Destructive Programs • Audit objectives: verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses • Audit procedures: review or verify… – training of operations personnel concerning destructive programs – testing of new software prior to being implemented – currency of antiviral software and frequency of upgrades
OS Controls Audit Trail Controls • Audit objectives: used to (1) detect unauthorized access, (2) facilitate event reconstruction, and/or (3) promote accountability • Audit procedures: review or verify… – how long audit trails have been in place – archived log files for key indicators – monitoring and reporting of security violations
Database Management Controls Two category : A . Access Control - design to prevent unauthorized individual to view, corrupting and destroying company’s data B. Backup Control - to ensure that the data that loss due to unauthorized access or equipment failure, the company can recover its file and database.
Access Controls • User views a subset of the total database that defines the user’s data domain and restrict his or her access to the accordingly • Database authorization table allows greater authority to be specified Each user is granted certain privileges that are coded in the authority table
Subschema Restricting Access to Database
Database Authorization Table
• User-defined procedures  Allow user to create a personal security program or routine to create more positive identification than a password can.  For example, addition to password, the security procedure asks a series of personal question. • Data encryption  encoding algorithms to scramble selected data, thus making it unreadable to an intruder browsing the database • Biometric devices  Measure various personal characteristic such as fingerprints, retina prints, or signature characteristics  Users characteristic will be digitized and stored permanently in database security file. Access Controls (Cont’)
Access Controls (Cont’) Audit Objectives For Testing Access Controls (1) those authorized to use databases are limited to data needed to perform their duties and (2) unauthorized individuals are denied access to data
Access Controls (Cont’) Audit procedures for testing Access Controls 1. Responsibility for Authority Tables & Sub-schemas  Should verify that database administration personnel responsibility for creating authority tables and designing user views.  Evidence of compliance: i. Reviewing company policy and job description ii. Examining programmer authority table for access privileges to data definition language (DLL) commands iii. through personal interviews with programmers and database administration personnel.
Audit procedures for testing Access Controls 2. Appropriate Access Authority  Select a sample of user and verify that their access privileges stored in an authority table are consistent with their organizational function. 3. Use or Feasibility of Biometric Controls  Evaluate the cost and benefits of biometric controls. 4. Use of Encryption Control  Verify that sensitive data, such as passwords are properly encrypted. Access Controls (Cont’)
• Database backup Backup Controls  Makes an automatic periodic backup of entire data.  Should be performed at least once a day.  Then be stored in a secure remote area. • Transaction log (journal)  list of transactions that provides an audit trail of all processed transaction. • Checkpoint features  Suspends all data during system reconciliation and database change log against the data base. • Recovery module  Uses the log and backup files to restarts the system after a failure
Backup Controls (Cont’) • Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted data • Audit procedures: 1. to verify that production databases are copied at regular intervals 2. to verify through documentation that backup copies of the database are stored off site to support disaster recovery procedures
Control Network A. Controlling risk from subversive treats i. Firewall ii. Controlling denial of service iii. Encryption iv. Digital signature v. Digital certificate vi. Massage sequence numbering vii. Massage transaction log viii. Request response technique ix. Call back devices
Control Network B. Controlling risk from equipment failure • Line errors i. Echo check ii. Parity check
A. Controlling risk for Subversive Threats i. Firewalls provide security by channeling all network connections through a control gateway. • Network level firewalls – Low cost and low security access control – Do not explicitly authenticate outside users – Filter junk or improperly routed messages – Experienced hackers can easily penetrate the system • Application level firewalls – Customizable network security, but expensive – Sophisticated functions such as logging or user authentication
Dual-Homed Firewall
A. Controlling risk for Subversive Threats (Cont’) ii. Denial-of-service (DOS) attacks – Security software searches for connections which have been half-open for a period of time. iii. Encryption – The conversion of data into secret code for storage in database and transmission over networks. – Two general approaches to encryption are private key and public key encryption.
SYN Flood DOS Attack 38 Sender Receiver Step 1: SYN messages Step 2: SYN/ACK Step 3: ACK packet code In a DOS Attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not response with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
Controlling DOS Attacks • Controlling for three common forms of DOS attacks: i. Smurf attacks — organizations can program firewalls to ignore an attacking site, once identified ii. SYN flood attacks — two tactics to defeat this DOS attack • Get Internet hosts to use firewalls that block invalid IP addresses • Use security software that scan for half-open connections iii. DDos attacks – many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI) • IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks • DPI searches for protocol non-compliance and employs predefined criteria to decide if a packet can proceed to its destination
• The conversion of data into a secret code for storage and transmission • The sender uses an encryption algorithm to convert the original cleartext message into a coded ciphertext. • The receiver decodes / decrypts the ciphertext back into cleartext. • Encryption algorithms use keys – Typically 56 to 128 bits in length – The more bits in the key the stronger the encryption method. • Two general approaches to encryption are private key and public key encryption. Encryption
Private Key Encryption • Advance encryption standard (AES) – A 128 bit encryption technique – A US government standard for private key encryption – Uses a single key known to both sender and receiver • Triple Data Encryption Standard (DES ) – Considerable improvement over single encryption techniques – Two forms of triple-DES encryption are EEE3 and EDE3 – EEE3 uses three different keys to encrypt the message three times. – EDE3—one key encrypts, but two keys are required for decoding • All private key techniques have a common problem – The more individuals who need to know the key, the greater the probability of it falling into the wrong hands. – The solution to this problem is public key encryption.
The Advanced Encryption Standard Technique
A. Controlling risk for Subversive Threats (Cont’) iv. Digital signature – electronic authentication technique to ensure that… – transmitted message originated with the authorized sender – message was not tampered with after the signature was applied v. Digital certificate – like an electronic identification card used with a public key encryption system – Verifies the authenticity of the message sender
Digital Signature Digital Certificate
A. Controlling risk for Subversive Threats (Cont’) vi. Message sequence numbering – sequence number used to detect missing messages vi. Message transaction log – listing of all incoming and outgoing messages to detect the efforts of hackers vi. Request-response technique – random control messages are sent from the sender to ensure messages are received vi. Call-back devices – receiver calls the sender back at a pre-authorized phone number before transmission is completed
Auditing Procedures for Subversive Threats • Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses. • Review data encryption security procedures • Verify encryption by testing • Review message transaction logs • Test procedures for preventing unauthorized calls
B. Controlling Risk from Equipment Failure Line errors are data errors from communications noise. • Two techniques to detect and correct such data errors are: i. echo check - the receiver returns the message to the sender ii. parity checks - an extra bit is added onto each byte of data similar to check digits
Vertical and Horizontal Parity using Odd Parity 48 Figure 16-8
Auditing Procedures for Equipment Failure • Using a sample of messages from the transaction log: – examine them for garbled contents caused by line noise – verify that all corrupted messages were successfully retransmitted
Electronic Data Interchange  Electronic data interchange (EDI) uses computer-to-computer communications technologies to automate B2B purchases.  EDI system that link two trading partners which the customer (Company A) and Vendor (Company B) without human intervention. Figure 16-9 Audit objectives: 1. Transactions are authorized, validated, and in compliance with the trading partner agreement. 2. No unauthorized organizations can gain access to database 3. Authorized trading partners have access only to approved data. 4. Adequate controls are in place to ensure a complete audit trail.
51 EDI System Figure 16-9
EDI Risks and Control • Transaction Authorization and Validation – automated and absence of human intervention – Both customer and vendor must establish that the transaction is to a valid trading partner and is authorized. – Control : use of passwords and value added networks (VAN) to ensure valid partner • Access Control – need to access EDI partner’s files – For example, it may permit customer’s system to access the vendor’s inventory files to determine if inventories are available. – Control: software to specify what can be accessed and at what level • Audit trail – paperless and transparent (automatic) transactions – Control: Maintain control log, which records the transactions flow through each phase of EDI system.
53 EDI System using Transaction Control Log for Audit Trail Figure 16-10
Auditing Procedures for EDI • Tests of Authorization and Validation Controls – Review procedures for verifying trading partner identification codes are verify before transaction are processed. – Review agreements with VAN facility to validate transaction and ensure information is complete and correct. – Review trading partner files for accuracy and completeness • Tests of Access Controls – Verify limited access to vendor and customer files to limited authorized employees only – Verify limited access of vendors to database – Test EDI controls by simulation by a sample of trading partners and attempt to violate access privileges. • Tests of Audit Trail Controls – Verify existence of transaction logs – Review a sample of transactions and tracing the process which auditor verify that key data were recorded correctly at each point.
Q & A
Chapter 7

Recommended

Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksjayussuryawan
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts Sophos
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measuresDnyaneshwar Beedkar
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsjayussuryawan
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...David Menken
 
3 Most Common Threats Of Information Security
3 Most Common Threats Of Information Security3 Most Common Threats Of Information Security
3 Most Common Threats Of Information SecurityAna Meskovska
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
ICT and end user security awareness slides
ICT and end user security awareness slidesICT and end user security awareness slides
ICT and end user security awareness slidesjubke
 

Recommended

Chapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksChapter 3 security part i auditing operating systems and networks
Chapter 3 security part i auditing operating systems and networksjayussuryawan
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts Sophos
 
Security threats and safety measures
Security threats and safety measuresSecurity threats and safety measures
Security threats and safety measuresDnyaneshwar Beedkar
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsjayussuryawan
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...David Menken
 
3 Most Common Threats Of Information Security
3 Most Common Threats Of Information Security3 Most Common Threats Of Information Security
3 Most Common Threats Of Information SecurityAna Meskovska
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
ICT and end user security awareness slides
ICT and end user security awareness slidesICT and end user security awareness slides
ICT and end user security awareness slidesjubke
 
New Hire Information Security Awareness
New Hire Information Security AwarenessNew Hire Information Security Awareness
New Hire Information Security Awarenesshubbargf
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - NotesKranthi
 
Protection and security
Protection and securityProtection and security
Protection and securitymbadhi
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Managementn|u - The Open Security Community
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementMaganathin Veeraragaloo
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information SecurityKen Holmes
 
Computer security
Computer securityComputer security
Computer securityAyesha Arshad
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness TrainingDenis kisina
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer securityArzath Areeff
 
Introduction to Data Protection and Information Security
Introduction to Data Protection and Information SecurityIntroduction to Data Protection and Information Security
Introduction to Data Protection and Information SecurityJisc Scotland
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit ViewPLN9 Security Services Pvt. Ltd.
 
SECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.pptSECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.pptDimpyJindal4
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
system Security
system Security system Security
system Security Gaurav Mishra
 
Database auditing models
Database auditing models Database auditing models
Database auditing models ERSHUBHAM TIWARI
 
Operating System Security
Operating System SecurityOperating System Security
Operating System SecurityRamesh Upadhaya
 
computer forensics
computer forensicscomputer forensics
computer forensicsshivi123456
 
NIST SP 800-83 Malware Prevention
NIST SP 800-83 Malware PreventionNIST SP 800-83 Malware Prevention
NIST SP 800-83 Malware PreventionDavid Sweigert
 
System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxrahulkumarcscsf21
 
Chapter Last.ppt
Chapter Last.pptChapter Last.ppt
Chapter Last.pptmiki304759
 

More Related Content

What's hot

New Hire Information Security Awareness
New Hire Information Security AwarenessNew Hire Information Security Awareness
New Hire Information Security Awarenesshubbargf
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - NotesKranthi
 
Protection and security
Protection and securityProtection and security
Protection and securitymbadhi
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information SecurityKen Holmes
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness TrainingDenis kisina
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer securityArzath Areeff
 
Introduction to Data Protection and Information Security
Introduction to Data Protection and Information SecurityIntroduction to Data Protection and Information Security
Introduction to Data Protection and Information SecurityJisc Scotland
 
SECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.pptSECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.pptDimpyJindal4
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
Operating System Security
Operating System SecurityOperating System Security
Operating System SecurityRamesh Upadhaya
 
computer forensics
computer forensicscomputer forensics
computer forensicsshivi123456
 
NIST SP 800-83 Malware Prevention
NIST SP 800-83 Malware PreventionNIST SP 800-83 Malware Prevention
NIST SP 800-83 Malware PreventionDavid Sweigert
 

What's hot (20)

New Hire Information Security Awareness
New Hire Information Security AwarenessNew Hire Information Security Awareness
New Hire Information Security Awareness
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - Notes
 
Protection and security
Protection and securityProtection and security
Protection and security
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information Security
 
Computer security
Computer securityComputer security
Computer security
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer security
 
Introduction to Data Protection and Information Security
Introduction to Data Protection and Information SecurityIntroduction to Data Protection and Information Security
Introduction to Data Protection and Information Security
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit View
 
SECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.pptSECURITY PROTOCOLS.ppt
SECURITY PROTOCOLS.ppt
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
 
system Security
system Security system Security
system Security
 
Database auditing models
Database auditing models Database auditing models
Database auditing models
 
Operating System Security
Operating System SecurityOperating System Security
Operating System Security
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
NIST SP 800-83 Malware Prevention
NIST SP 800-83 Malware PreventionNIST SP 800-83 Malware Prevention
NIST SP 800-83 Malware Prevention
 

Similar to Chapter 7

System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxrahulkumarcscsf21
 
Chapter Last.ppt
Chapter Last.pptChapter Last.ppt
Chapter Last.pptmiki304759
 
Joe Buonomo-ASQ Presentation
Joe Buonomo-ASQ PresentationJoe Buonomo-ASQ Presentation
Joe Buonomo-ASQ PresentationJoe Buonomo
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptxdotco
 
Effects of IT on internal controls
Effects of IT on internal controlsEffects of IT on internal controls
Effects of IT on internal controlsLou Foja
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptxams1ams11
 
Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security PresentationWajahat Rajab
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7limsh
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control FundamentalsSetiya Nugroho
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system securityG Prachi
 

Similar to Chapter 7 (20)

System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptx
 
Chapter Last.ppt
Chapter Last.pptChapter Last.ppt
Chapter Last.ppt
 
Joe Buonomo-ASQ Presentation
Joe Buonomo-ASQ PresentationJoe Buonomo-ASQ Presentation
Joe Buonomo-ASQ Presentation
 
4_5949547032388570388.ppt
4_5949547032388570388.ppt4_5949547032388570388.ppt
4_5949547032388570388.ppt
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
Address book
Address bookAddress book
Address book
 
Effects of IT on internal controls
Effects of IT on internal controlsEffects of IT on internal controls
Effects of IT on internal controls
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptx
 
auditing-190520092523.pdf
auditing-190520092523.pdfauditing-190520092523.pdf
auditing-190520092523.pdf
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptx
 
Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security Presentation
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control Fundamentals
 
A075434624
A075434624A075434624
A075434624
 
Os unit i
Os unit iOs unit i
Os unit i
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system security
 

Recently uploaded

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Sareena Khatun
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...kumargunjan9515
 
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...Sareena Khatun
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxjeykeydeveloper
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 

Recently uploaded (20)

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
 
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsx
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 

Chapter 7

  • 1. CHAPTER 7 IT CONTROLS PART II : SECURITY AND ACCESS
  • 2. PRESENT BY : NURULHIDAYAH MOHD NOOR 62288112187 SARAH MOHAMAD 62288112274 NUR ATIQAH MOHD NASARUDDIN 62288112181 NUR SABRINA AB RAHIM 62288112270 NURUL IZZATY ROZLAN 62288112292
  • 3. LEARNING OBJECTIVES • Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures. • Be familiar with the principal risks associated with electronic commerce conducted over intranets and the Internet and understand the control techniques used to reduce these risks. • Be familiar with the risks to database integrity and the controls used to mitigate them. • Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced.
  • 4. Operating System What is Operating System ? - Is the computer’s control program. - Allows users and their applications to share and access common computer resources, such as processors, main memory, databases and printers.
  • 5. Operating System Perform three main tasks: – translates high-level languages into the machine-level language. – allocates computer resources to user applications. – manages the tasks of job scheduling and multiprogramming.
  • 6. Operating System Requirements for Effective Operating Systems Performance ; • Protect against tampering by users • Prevent users from tampering with the programs of other users • Safeguard users’ applications from accidental corruption • Safeguard its own programs from accidental corruption • Protect itself from power failures and other disasters
  • 7. Operating System - Because the operating system is common to all users, the larger the computer facility, the greater the scale of potential damage. - Therefore, OPERATING SYSTEM SECURITY becomes an important issue.
  • 8. Operating System Security - Involves policies, procedures and controls that determine ; -who can access the OS, -which resources (files, programs, printers) they can access -what actions they can take - The following security components are found in secure operating systems: -Log On Procedure -Access Token -Access Control List -Discretionary Access Privilege
  • 9. L O G O N P R O C E D U R E
  • 10. • The OS’s first line of defense against unauthorized access. • Presented with a dialog box requesting the user’s ID and password. • The system compares the ID and password to a database of valid users. • If the system finds a match, then the log on attempt is authenticated, h/ever if the password or ID is entered incorrectly, the log on attempt fails and a message is returned to the user. • After a specified number of attempts, the system should lock out the user from the system. L O G O N P R O C E D U R E
  • 11. A C C E S S T O K E N
  • 12. • If the log on attempt is successful, the OS creates an ccess token that contains key information about the user (including user ID, password, user group, and privileges granted to the user). • The information in the access token is used to approve all actions the user attempts during the session. A C C E S S T O K E N
  • 13. A C C E S S C O N T R O L L I S T
  • 14.
  • 15. • An access control list assigned to each resource controls access to system resources such as directories, files, programs, and printers. • These lists contain information that defines the access privileges for all valid users of the resource. • When a user attempts to access a resource, the system compares the user ID and privileges contained in the access token with those contained in the access control list, if there is a match, the user is granted access. A C C E S S C O N T R O L L I S T
  • 16. D I S C R E T I O N A R Y A C C E S S P R I V I L E G E
  • 17. • The central system administrator usually determines who is granted access to specific resources and maintains the access control list. • Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users. • The use of discretionary access control needs to be closely supervised to prevent security breaches because its liberal use D I S C R E T I O N A R Y A C C E S S P R I V I L E G E
  • 18. Threats to OS Control Accidentally Hardware failures -Cause the OS crash Errors in user application programs -Operating system cannot interpret and cause OS failures Whole segments of memory to be dumped to disks and printers -Resulting in the unintentional disclosure of confidential info Intentionally Privileged personnel who abuse their authority -Systems administrators and systems programmers may use their authority to access user’s programs and data files Individuals both internal and external in the organization -browse the OS to identify and exploit security flaws. Individuals who intentionally/ accidentally -insert computer viruses to destruct programs into the OS
  • 19. OS Controls Access Privileges • Audit objectives: verify that access privileges are consistent with separation of incompatible functions and organization policies • Audit procedures: review or verify.. – policies for separating incompatible functions – a sample of user privileges, especially access to data and programs – security clearance checks of privileged employees – formal acknowledgements to maintain confidentiality of data – users’ log-on times
  • 20. OS Controls Password Control • Audit objectives: ensure adequacy and effectiveness of password policies for controlling access to the operating system • Audit procedures: review or verify.. – passwords required for all users – password instructions for new users – passwords changed regularly – password file for weak passwords – encryption of password file – password standards – account lockout policies
  • 21. OS Controls Malicious & Destructive Programs • Audit objectives: verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses • Audit procedures: review or verify… – training of operations personnel concerning destructive programs – testing of new software prior to being implemented – currency of antiviral software and frequency of upgrades
  • 22. OS Controls Audit Trail Controls • Audit objectives: used to (1) detect unauthorized access, (2) facilitate event reconstruction, and/or (3) promote accountability • Audit procedures: review or verify… – how long audit trails have been in place – archived log files for key indicators – monitoring and reporting of security violations
  • 23. Database Management Controls Two category : A . Access Control - design to prevent unauthorized individual to view, corrupting and destroying company’s data B. Backup Control - to ensure that the data that loss due to unauthorized access or equipment failure, the company can recover its file and database.
  • 24. Access Controls • User views a subset of the total database that defines the user’s data domain and restrict his or her access to the accordingly • Database authorization table allows greater authority to be specified Each user is granted certain privileges that are coded in the authority table
  • 27. • User-defined procedures  Allow user to create a personal security program or routine to create more positive identification than a password can.  For example, addition to password, the security procedure asks a series of personal question. • Data encryption  encoding algorithms to scramble selected data, thus making it unreadable to an intruder browsing the database • Biometric devices  Measure various personal characteristic such as fingerprints, retina prints, or signature characteristics  Users characteristic will be digitized and stored permanently in database security file. Access Controls (Cont’)
  • 28. Access Controls (Cont’) Audit Objectives For Testing Access Controls (1) those authorized to use databases are limited to data needed to perform their duties and (2) unauthorized individuals are denied access to data
  • 29. Access Controls (Cont’) Audit procedures for testing Access Controls 1. Responsibility for Authority Tables & Sub-schemas  Should verify that database administration personnel responsibility for creating authority tables and designing user views.  Evidence of compliance: i. Reviewing company policy and job description ii. Examining programmer authority table for access privileges to data definition language (DLL) commands iii. through personal interviews with programmers and database administration personnel.
  • 30. Audit procedures for testing Access Controls 2. Appropriate Access Authority  Select a sample of user and verify that their access privileges stored in an authority table are consistent with their organizational function. 3. Use or Feasibility of Biometric Controls  Evaluate the cost and benefits of biometric controls. 4. Use of Encryption Control  Verify that sensitive data, such as passwords are properly encrypted. Access Controls (Cont’)
  • 31. • Database backup Backup Controls  Makes an automatic periodic backup of entire data.  Should be performed at least once a day.  Then be stored in a secure remote area. • Transaction log (journal)  list of transactions that provides an audit trail of all processed transaction. • Checkpoint features  Suspends all data during system reconciliation and database change log against the data base. • Recovery module  Uses the log and backup files to restarts the system after a failure
  • 32. Backup Controls (Cont’) • Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted data • Audit procedures: 1. to verify that production databases are copied at regular intervals 2. to verify through documentation that backup copies of the database are stored off site to support disaster recovery procedures
  • 33. Control Network A. Controlling risk from subversive treats i. Firewall ii. Controlling denial of service iii. Encryption iv. Digital signature v. Digital certificate vi. Massage sequence numbering vii. Massage transaction log viii. Request response technique ix. Call back devices
  • 34. Control Network B. Controlling risk from equipment failure • Line errors i. Echo check ii. Parity check
  • 35. A. Controlling risk for Subversive Threats i. Firewalls provide security by channeling all network connections through a control gateway. • Network level firewalls – Low cost and low security access control – Do not explicitly authenticate outside users – Filter junk or improperly routed messages – Experienced hackers can easily penetrate the system • Application level firewalls – Customizable network security, but expensive – Sophisticated functions such as logging or user authentication
  • 37. A. Controlling risk for Subversive Threats (Cont’) ii. Denial-of-service (DOS) attacks – Security software searches for connections which have been half-open for a period of time. iii. Encryption – The conversion of data into secret code for storage in database and transmission over networks. – Two general approaches to encryption are private key and public key encryption.
  • 38. SYN Flood DOS Attack 38 Sender Receiver Step 1: SYN messages Step 2: SYN/ACK Step 3: ACK packet code In a DOS Attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not response with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
  • 39. Controlling DOS Attacks • Controlling for three common forms of DOS attacks: i. Smurf attacks — organizations can program firewalls to ignore an attacking site, once identified ii. SYN flood attacks — two tactics to defeat this DOS attack • Get Internet hosts to use firewalls that block invalid IP addresses • Use security software that scan for half-open connections iii. DDos attacks – many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI) • IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks • DPI searches for protocol non-compliance and employs predefined criteria to decide if a packet can proceed to its destination
  • 40. • The conversion of data into a secret code for storage and transmission • The sender uses an encryption algorithm to convert the original cleartext message into a coded ciphertext. • The receiver decodes / decrypts the ciphertext back into cleartext. • Encryption algorithms use keys – Typically 56 to 128 bits in length – The more bits in the key the stronger the encryption method. • Two general approaches to encryption are private key and public key encryption. Encryption
  • 41. Private Key Encryption • Advance encryption standard (AES) – A 128 bit encryption technique – A US government standard for private key encryption – Uses a single key known to both sender and receiver • Triple Data Encryption Standard (DES ) – Considerable improvement over single encryption techniques – Two forms of triple-DES encryption are EEE3 and EDE3 – EEE3 uses three different keys to encrypt the message three times. – EDE3—one key encrypts, but two keys are required for decoding • All private key techniques have a common problem – The more individuals who need to know the key, the greater the probability of it falling into the wrong hands. – The solution to this problem is public key encryption.
  • 42. The Advanced Encryption Standard Technique
  • 43. A. Controlling risk for Subversive Threats (Cont’) iv. Digital signature – electronic authentication technique to ensure that… – transmitted message originated with the authorized sender – message was not tampered with after the signature was applied v. Digital certificate – like an electronic identification card used with a public key encryption system – Verifies the authenticity of the message sender
  • 45. A. Controlling risk for Subversive Threats (Cont’) vi. Message sequence numbering – sequence number used to detect missing messages vi. Message transaction log – listing of all incoming and outgoing messages to detect the efforts of hackers vi. Request-response technique – random control messages are sent from the sender to ensure messages are received vi. Call-back devices – receiver calls the sender back at a pre-authorized phone number before transmission is completed
  • 46. Auditing Procedures for Subversive Threats • Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses. • Review data encryption security procedures • Verify encryption by testing • Review message transaction logs • Test procedures for preventing unauthorized calls
  • 47. B. Controlling Risk from Equipment Failure Line errors are data errors from communications noise. • Two techniques to detect and correct such data errors are: i. echo check - the receiver returns the message to the sender ii. parity checks - an extra bit is added onto each byte of data similar to check digits
  • 48. Vertical and Horizontal Parity using Odd Parity 48 Figure 16-8
  • 49. Auditing Procedures for Equipment Failure • Using a sample of messages from the transaction log: – examine them for garbled contents caused by line noise – verify that all corrupted messages were successfully retransmitted
  • 50. Electronic Data Interchange  Electronic data interchange (EDI) uses computer-to-computer communications technologies to automate B2B purchases.  EDI system that link two trading partners which the customer (Company A) and Vendor (Company B) without human intervention. Figure 16-9 Audit objectives: 1. Transactions are authorized, validated, and in compliance with the trading partner agreement. 2. No unauthorized organizations can gain access to database 3. Authorized trading partners have access only to approved data. 4. Adequate controls are in place to ensure a complete audit trail.
  • 51. 51 EDI System Figure 16-9
  • 52. EDI Risks and Control • Transaction Authorization and Validation – automated and absence of human intervention – Both customer and vendor must establish that the transaction is to a valid trading partner and is authorized. – Control : use of passwords and value added networks (VAN) to ensure valid partner • Access Control – need to access EDI partner’s files – For example, it may permit customer’s system to access the vendor’s inventory files to determine if inventories are available. – Control: software to specify what can be accessed and at what level • Audit trail – paperless and transparent (automatic) transactions – Control: Maintain control log, which records the transactions flow through each phase of EDI system.
  • 53. 53 EDI System using Transaction Control Log for Audit Trail Figure 16-10
  • 54. Auditing Procedures for EDI • Tests of Authorization and Validation Controls – Review procedures for verifying trading partner identification codes are verify before transaction are processed. – Review agreements with VAN facility to validate transaction and ensure information is complete and correct. – Review trading partner files for accuracy and completeness • Tests of Access Controls – Verify limited access to vendor and customer files to limited authorized employees only – Verify limited access of vendors to database – Test EDI controls by simulation by a sample of trading partners and attempt to violate access privileges. • Tests of Audit Trail Controls – Verify existence of transaction logs – Review a sample of transactions and tracing the process which auditor verify that key data were recorded correctly at each point.
  • 55. Q & A