CHAP 3 Auditing Operating Systems

Course Accounting Ethics
Institution University of Utah

AUDITING OPERATING SYSTEMS

The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers. Because the operating system is common to all users, the larger the computer facility, the greater the scale of potential damage. Thus, with an ever-expanding user community sharing more and more computer resources, operating system security becomes an important internal control issue.

OPERATING SYSTEM

The operating system performs three main tasks:
1. Translates high-level languages into machine-level language (see Chapter 5)
2. Allocates computer resources to user applications
3. Manages the tasks of job scheduling and multiprogramming

OPERATING SYSTEM OBJECTIVES
1. The OS must protect itself from users
2. The OS must protect users from each other
3. The OS must protect users from themselves
4. The OS must be protected from itself
5. The OS must be protected from its environment, such as power failures and other disasters

OPERATING SYSTEM SECURITY

Operating system security involves the policies, procedures and controls that determine who can access the operating system. Four security components are found in secure operating systems:

1. Log-On Procedure
   - It prompts the user with a dialog box.
   - First line of defense: user IDs and passwords.
   - If the log-in fails, do not reveal whether the ID or the password caused the failure.
   - After more than five failed attempts, lock the system.

2. Access Token
   - Created when the log-on attempt is successful.
   - Contains key information (ID, password, group, privileges) about the user.

3. Access Control List
   - Defines the access privileges of users.
   - Connected to the access token: the access token indicates that your log-in succeeded, so when a user attempts to access a resource, the system compares your key information against the access control list. If there is a match, the user is granted access.

4. Discretionary Access Control
   - Allows a user to grant access to another user.
   - To picture it, this is like our Google Docs: when we share a document, as the owner we can grant access either to edit or to view.
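The four components above fit together as one small model: the log-on procedure either locks the account or issues a token, the token is what the access control list is checked against, and the owner of a resource may extend rights at their discretion. The following is example code added to these notes (not from the source or from any real operating system); the user names, passwords, resource path and the lock-out constant are constructed for the illustration, and the "more than five failed attempts" rule is taken from the text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5            # lock the account after more than five failures
GENERIC_FAILURE = "log-on failed"  # same message whether the ID or the password was wrong


def _hash_password(password, salt):
    # Salted, slow hash: the account store never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    group: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccessToken:
    """Issued only after a successful log-on; carries the user's key information."""
    user_id: str
    group: str
    privileges: tuple


class OperatingSystem:
    def __init__(self):
        self.accounts = {}
        # Access control list: resource -> {user_id or "group:<name>" -> set of rights}
        self.acl = {}

    def add_user(self, user_id, password, group):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, _hash_password(password, salt), group)

    def log_on(self, user_id, password):
        """1. Log-on procedure: uniform failure message, lock-out after too many failures."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return None, GENERIC_FAILURE
        if acct.locked:
            return None, "account locked"
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts > MAX_FAILED_ATTEMPTS:
                acct.locked = True
            return None, GENERIC_FAILURE
        acct.failed_attempts = 0
        # 2. Access token: built from the account record, not from anything the user typed.
        privileges = ("user", "admin") if acct.group == "admins" else ("user",)
        return AccessToken(user_id, acct.group, privileges), "ok"

    def create_resource(self, owner_token, resource):
        self.acl[resource] = {owner_token.user_id: {"owner", "read", "write"}}

    def check_access(self, token, resource, right):
        """3. Access control list: the token's identity and group are compared with the ACL."""
        entries = self.acl.get(resource, {})
        if right in entries.get(token.user_id, set()):
            return True
        return right in entries.get("group:" + token.group, set())

    def grant(self, owner_token, resource, grantee, right):
        """4. Discretionary access control: only the owner may share the resource."""
        if "owner" not in self.acl.get(resource, {}).get(owner_token.user_id, set()):
            return False
        self.acl[resource].setdefault(grantee, set()).add(right)
        return True


def demo():
    """Constructed scenario: alice owns a ledger file and shares read access with bob."""
    system = OperatingSystem()
    system.add_user("alice", "correct horse battery", "accounting")
    system.add_user("bob", "Tr0ub4dor&3", "accounting")
    alice, _ = system.log_on("alice", "correct horse battery")
    bob, _ = system.log_on("bob", "Tr0ub4dor&3")
    system.create_resource(alice, "/ledger/2024.xlsx")
    before = system.check_access(bob, "/ledger/2024.xlsx", "read")
    system.grant(alice, "/ledger/2024.xlsx", "bob", "read")
    after_read = system.check_access(bob, "/ledger/2024.xlsx", "read")
    after_write = system.check_access(bob, "/ledger/2024.xlsx", "write")
    return before, after_read, after_write
```

Two details matter for the audit objectives later in the chapter: the failure message is identical for an unknown ID and a wrong password, and the token's group and privileges come from the stored account, so a user cannot claim a group at log-on time.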

Threats To Operating System Integrity
- Accidental threats include hardware failures that cause the operating system to crash. Errors in user application programs, which the operating system cannot interpret, also cause operating system failures. Accidental system failures may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information.
- Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain. However, a growing threat is destructive programs from which there is no apparent gain.

Operating System Controls and Audit Tests

If operating system integrity is compromised, controls within individual accounting applications that impact financial reporting may also be compromised. This section presents a variety of control techniques for preserving operating system integrity and describes the associated tests that auditors may conduct.

1. Controlling Access Privileges
- User access privileges are assigned to individuals and to entire workgroups authorized to use the system.
- Audit objectives relating to access privileges: verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.
- Audit procedures relating to access privileges:
  - Ensure separation of incompatible functions
  - Review privileges of a selection of user groups
  - Verify users are granted access based on needs
  - Review security clearance checks
  - Review employee records regarding confidentiality

2. Password Control

A PASSWORD is a secret code the user enters to gain access to systems, applications, data files, or a network server. Common forms of contra-security behavior include:
- Forgetting passwords and being locked out of the system.
- Failing to change passwords on a frequent basis.
- The Post-it syndrome, whereby passwords are written down and displayed for others to see.
- Simplistic passwords that a computer criminal easily anticipates.

Reusable Passwords
- The user defines the password to the system once and then reuses it to gain future access.
- Quality depends on the password itself: passwords that contain random letters and digits are more difficult to crack, but are also more difficult for the user to remember.
- To improve access control, management can:
  - require that passwords be changed regularly and disallow weak passwords
  - use extensive databases of known weak passwords to validate each new password and disallow weak ones



One-Time Passwords
- The user's password changes continuously.
- This technology employs a credit card-sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds.
- Common implementation: PIN + randomly generated password.
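How a token and a server can agree on a password that changes every 60 seconds without the token ever transmitting its secret: both sides hold the same seed and derive the code from the current time step with a keyed hash. The following is an added example for these notes, not code from the source or from any token vendor. It uses the standard HOTP/TOTP construction (an HMAC truncated to six digits); the 60-second step follows the text, while the seed, PIN, timestamps and the one-step drift window are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the notes describe a new password every 60 seconds
DIGITS = 6
WINDOW = 1          # accept one step of clock drift either way


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Time-based variant: the counter is the number of 60-second steps elapsed.
    The token displays this; the server recomputes it from its own clock."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(secret: bytes, expected_pin: str, submitted: str, unix_time: int) -> bool:
    """Server side of the 'PIN + generated password' scheme.
    The user types the PIN followed by the displayed code; both must match, and the
    code is accepted from the current step or one adjacent step to tolerate drift."""
    pin, code = submitted[:len(expected_pin)], submitted[len(expected_pin):]
    if len(code) != DIGITS or not hmac.compare_digest(pin, expected_pin):
        return False
    step = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-WINDOW, WINDOW + 1))


def demo():
    """Constructed seed and PIN; the same seed is stored in the token and on the server."""
    seed = b"12345678901234567890"
    pin = "4321"
    now = 1_700_000_000
    displayed = totp(seed, now)                     # what the card shows this minute
    return verify(seed, pin, pin + displayed, now)  # True: PIN and current code accepted
```

Because the code is derived from the time step, a password captured this minute is useless a step or two later, which is the property the notes describe; the drift window is a trade-off between usability and how long a captured code stays valid.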



Audit objectives
- Ensure the organization has an adequate and effective password policy for controlling access to the OS.

Audit procedures
- Verify all users have a password
- Verify new users are taught the importance of password control
- Ensure passwords are changed regularly
- Look for weak passwords in the password file
- Verify the password file is encrypted
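Several of the audit procedures just listed can be run mechanically over the password file: every account must have a credential, no credential may be stored in the clear, no password may be older than policy allows, and none may match a known-weak list. The following is an added example for these notes (not from the source or from any real system). The record format (user:method$salt$digest:days_since_change), the sample accounts and the short weak-password list are all constructed for the illustration; a real audit would use a much larger list and the system's own hash format.

```python
import hashlib

MAX_PASSWORD_AGE_DAYS = 90
KNOWN_WEAK = ["password", "123456", "qwerty", "letmein", "welcome1"]


def _digest(method, salt, password):
    # "plain" models an unencrypted password file; "sha256" a salted hash.
    if method == "plain":
        return password
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(user, password, days_since_change, method="sha256", salt="s4lt"):
    """Build one constructed password-file line; password=None means no password set."""
    if password is None:
        return f"{user}::{days_since_change}"
    return f"{user}:{method}${salt}${_digest(method, salt, password)}:{days_since_change}"


# Constructed sample password file with one clean account per problem type.
SAMPLE_PASSWORD_FILE = "\n".join([
    make_record("alice", "Ledger!Close-2024", 12),
    make_record("bob", "123456", 140),                    # weak and not changed in time
    make_record("carol", None, 0),                        # no password at all
    make_record("dave", "letmein", 30, method="plain"),   # stored unencrypted
    make_record("erin", "N0rth-Wind*Audit", 45, salt="x9"),
])


def audit_password_file(text, weak_list=KNOWN_WEAK, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return (user, finding) pairs for each audit procedure the file fails."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, cred, days = line.split(":")
        if cred == "":
            findings.append((user, "no password set"))
            continue
        method, salt, digest = cred.split("$")
        if method == "plain":
            findings.append((user, "password stored unencrypted"))
        if int(days) > max_age:
            findings.append((user, f"password not changed for {days} days"))
        # Weak-password check: hash each known-weak candidate with the record's own
        # salt and compare, so the auditor never needs the cleartext password.
        for guess in weak_list:
            if _digest(method, salt, guess) == digest:
                findings.append((user, "weak password (matches known-weak list)"))
                break
    return findings
```

The check recovers weak passwords only by hashing candidates with each record's salt, which is exactly what an attacker with a copy of the file would do; that is why "verify the password file is encrypted" and "look for weak passwords" belong together in the procedure list.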



3. Controlling Against Malicious and Destructive Programs
- Malicious and destructive programs are responsible for corporate losses: data corruption and destruction, degraded computer performance, hardware destruction, and violations of privacy.
- Examples of malicious and destructive programs: viruses, worms, logic bombs, back doors, and Trojan horses.



Threats can be reduced through a combination of technology controls and administrative procedures:
- Purchase software only from reputable vendors, in factory-sealed packages.
- Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.
- Examine all upgrades to vendor software for viruses before they are implemented.
- Inspect all public-domain software for virus infection before using it.
- Establish entity-wide procedures for making changes to production programs.
- Establish an educational program to raise user awareness.
- Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or LAN (local area network).
- Routinely make backup copies of key files.
- Limit users to read and execute rights only.
- Require protocols that explicitly invoke the operating system's log-on procedures to bypass Trojan horses.
- Use antiviral software (also called vaccines) to examine application and operating system programs.

Audit objectives
- Verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.

Audit procedures
- Interview operations personnel to determine that they have been educated about computer viruses and are aware of risky computer practices
- Verify that new software is tested on standalone workstations
- Verify that current versions of antiviral software are installed

4. System Audit Trail Controls
- System audit trails are logs that record activity at the system, application, and user level.
- Audit trails typically consist of two types of audit logs:
  - Keystroke monitoring involves recording the user's keystrokes and the system's response. Keystroke monitoring is the computer equivalent of a telephone wire tap, a form of surveillance, and it can violate privacy.
  - Event monitoring summarizes key activities related to system resources.

Setting audit trail objectives. Audit trails can be used for:
- Detecting unauthorized access to the system: the aim is to protect the system from outsiders attempting to breach system controls.
- Facilitating the reconstruction of events: the audit trail can be used to reconstruct the steps that led to events such as system failures or security violations by individuals.
- Promoting personal accountability: audit trails can be used to monitor user activity at the lowest level of detail. Individuals are less likely to violate an organization's security policy when they know that their actions are recorded in an audit log.

Implementing a system audit trail
- Information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.

Audit objectives
- Ensure that the audit trail system is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation.

Audit procedures
- Verify that the audit trail has been activated according to organization policy
- Review the audit log viewer
- Select a sample of security violation cases and evaluate their disposition
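The three audit trail objectives above (detecting unauthorized access, reconstructing events, promoting accountability) correspond to three different queries over the same event-monitoring log. The following is an added example for these notes, not code from the source or from any log product. The pipe-delimited log format, the user names, terminals and file paths are constructed sample data; the failed-log-on threshold reuses the "more than five attempts" rule from the log-on procedure.

```python
from collections import Counter, defaultdict

FAILED_LOGON_THRESHOLD = 5   # same rule as the log-on procedure's lock-out

# Constructed event log: timestamp | user | terminal | event | target
SAMPLE_LOG = """\
2024-03-04 08:01:12|alice|TTY3|LOGON_OK|-
2024-03-04 08:02:40|alice|TTY3|FILE_READ|/ledger/2024.xlsx
2024-03-04 08:15:03|mallory|TTY9|LOGON_FAIL|-
2024-03-04 08:15:09|mallory|TTY9|LOGON_FAIL|-
2024-03-04 08:15:14|mallory|TTY9|LOGON_FAIL|-
2024-03-04 08:15:20|mallory|TTY9|LOGON_FAIL|-
2024-03-04 08:15:27|mallory|TTY9|LOGON_FAIL|-
2024-03-04 08:15:33|mallory|TTY9|LOGON_FAIL|-
2024-03-04 08:30:00|bob|TTY4|LOGON_OK|-
2024-03-04 08:31:10|bob|TTY4|PRIV_CHANGE|/etc/payroll.conf
2024-03-04 08:31:55|bob|TTY4|FILE_WRITE|/ledger/2024.xlsx
2024-03-04 08:33:02|bob|TTY4|LOGOFF|-
"""


def parse_log(text):
    """Turn the raw log into a list of event records, keeping their original order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, event, target = line.split("|")
        events.append({"ts": ts, "user": user, "terminal": terminal,
                       "event": event, "target": target})
    return events


def detect_unauthorized_access(events, threshold=FAILED_LOGON_THRESHOLD):
    """Objective 1: IDs with more failed log-ons than the lock-out rule allows."""
    failures = Counter(e["user"] for e in events if e["event"] == "LOGON_FAIL")
    return {user: n for user, n in failures.items() if n > threshold}


def reconstruct_session(events, user):
    """Objective 2: replay, in order, everything one user did from log-on to log-off."""
    return [(e["ts"], e["event"], e["target"]) for e in events if e["user"] == user]


def accountability_report(events, sensitive=frozenset({"PRIV_CHANGE", "FILE_WRITE"})):
    """Objective 3: attribute each sensitive action to the individual who performed it."""
    report = defaultdict(list)
    for e in events:
        if e["event"] in sensitive:
            report[e["user"]].append((e["event"], e["target"]))
    return dict(report)
```

The "select a sample of security violation cases and evaluate their disposition" procedure starts from the first query's output: each flagged ID is a case whose follow-up (lock-out, investigation, closure) the auditor then traces.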

____________________________________________________________________________________

AUDITING NETWORKS
- Reliance on networks for business communications poses concern about UNAUTHORIZED ACCESS to confidential information. Organizations connected to their customers and business partners via the internet are particularly exposed, so without adequate protection, firms open their doors to computer hackers, thieves, and industrial spies.

Intranet Risks
- INTRANET RISKS are posed by dishonest employees who have the technical knowledge and position to perpetrate frauds.
- Difference: an intranet connects a limited number of computers owned by private entities; it is a private network, and only the limited number of users predefined by the organization have access to the information on the intranet.
1. Interception of network messages
   - Sniffing confidential data such as passwords, confidential emails, and financial data files
2. Access to corporate databases
   - Intranets connected to a central database increase the risk that an employee will view, corrupt, change, or copy data such as customer listings, credit card information, recipes, formulas, and design specifications
3. Privileged employees
   - Middle managers, who often possess access privileges that allow them to override controls, are most often prosecuted for insider crimes
4. Reluctance to prosecute
   - Many organizations are reluctant to prosecute the criminal for fear of negative publicity

Internet Risks to Businesses
- INTERNET RISKS threaten both consumer and business entities.
- Difference: the internet connects different computer networks simultaneously; it is a public network, and anyone can have access to the information available on the internet.
- IP spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity.
  - Modifies the IP address of a message packet.
  - For example, a hacker may spoof a manufacturing firm with a false sales order that appears to come from a legitimate customer. If the spoof goes undetected, the manufacturer will incur the cost of producing and delivering a product that was never ordered.
- Denial of service (DOS) attacks: assaulting a Web server to prevent it from servicing users; particularly devastating to business entities that cannot receive and process business transactions.
- Other malicious programs: viruses, worms, logic bombs, and Trojan horses pose a threat to both Internet and Intranet users.

Three Common Types of DOS Attacks

- SYN Flood: When the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits.

  Consider a scenario with two machines making a connection: machine one, in this case the attacker, and machine two, in this case the victim. There is an initial handshake between these machines. In that handshake the first machine sends a synchronize request, referred to as SYN. The second machine then acknowledges that by sending a synchronize-acknowledgment response, referred to as SYN-ACK. All going well, the first machine will then come back and send an acknowledgment, an ACK response. This is the 3-way handshake; the two machines have now established a connection. In a SYN flood attack it starts the same way: machine one sends the SYN, machine two sends the SYN-ACK, and then nothing; it just waits and nothing actually happens. Machine two, the target, sits there waiting for a response from machine one, but it never gets one. Machine two does not know whether it is just network latency, since it could take a while for that response to come back. The problem is that the connection on the target machine is left open until it decides that there is never going to be a response.

- Smurf: The DOS attacker uses numerous intermediary computers to flood the target computer with test messages ("pings"), causing network congestion.

  FIGURE 3.1 Smurf attack (figure labels: perpetrator, intermediary, victim, firewall). It involves three parties: the perpetrator, the intermediary and the victim. It is a DOS attack that commonly shuts down a computer system completely. The attacker creates lots of ICMP packets (pings) with a spoofed IP: the intended victim's IP address is used as the source IP, and those packets are broadcast in a computer network using an IP broadcast address. As a result, most devices on the network respond by sending replies to the victim's IP address. If the number of devices in the network is very large and most of them send a reply, the victim machine is flooded with network traffic. This can slow down the victim's computer to such an extent that it results in a denial of service.

- Distributed Denial of Service: May take the form of Smurf or SYN attacks, but is distinguished by the vast number of zombie computers hijacked to launch the attacks.

  FIGURE 3.2 Distributed Denial of Service attack. In a DDoS attack, a perpetrator intentionally floods the system, such as a server, website or other network resource, with fake traffic. By overwhelming the system, the activity causes the system to deny access even to legitimate users. The attack begins when the hacker identifies and exploits a vulnerability in one master system and, through that master, gains control over other vulnerable systems by introducing malware or bypassing authentication controls. A host of an infected system is referred to as a bot, and the attacker controls the network of bots, or botnet, through a command and control server. There can be tens, hundreds, or thousands of bots in the botnet. The attacker then uses its bot army to invade the target domain and knock it offline. There can be network-centric attacks that consume bandwidth, protocol attacks that target network and transport layer protocols, and application layer attacks that overload application services or databases. It is near impossible to prevent a DDoS attack, but victims can minimize the impact of an attack through security assessments to identify vulnerabilities as well as network security controls.

Note: IP stands for "Internet Protocol," the set of rules governing the format of data sent via the internet or a local network. Pings are often used for troubleshooting.

Motivation behind DOS attacks
- For financial gain.
- DDoS attacks are relatively easy to execute and can have a devastating effect on the victim.

Risks from Equipment Failure include:
- Disrupting, destroying, or corrupting transmissions between senders and receivers
- Loss of databases and programs stored on network servers

____________________________________________________________________________________

CONTROLLING NETWORKS

We examine various control techniques employed to mitigate the risks outlined in the previous section.

Controlling Risks from Subversive Threats

Firewalls
- A system that enforces access control between two networks.
- Only authorized traffic between the organization and the outside is allowed to pass through the firewall.
- PURPOSE OF A FIREWALL? It is used to authenticate an outside user of the network, verify his/her level of access authority, and then direct the user to the suitable program, data, or service.
- Types:
  - Network-level firewalls: a screening router that examines the source and destination addresses
  - Application-level firewalls: run security applications called proxies

Controlling DOS Attacks
- Controls for the three common forms of DOS attacks:
  - Smurf attacks: organizations can program firewalls to ignore an attacking site, once identified
  - SYN flood attacks: two tactics to defeat this DOS attack
    - Get Internet hosts to use firewalls that block invalid IP addresses
    - Use security software that scans for half-open connections
  - DDoS attacks: many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI)
    - IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks
    - DPI searches for protocol non-compliance and employs predefined criteria to decide if a packet can proceed to its destination
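Two of the controls above are detection checks that can be shown concretely: "scan for half-open connections" (the SYN flood countermeasure) and identifying the site to ignore in a Smurf attack, which on the victim's side shows up as many distinct hosts sending ping replies to one address. The following is an added example for these notes, not code from the source or from any IPS or firewall product. The connection-table and ICMP record formats, the addresses and the thresholds are constructed sample data; production thresholds would be far higher and derived from a baseline.

```python
from collections import Counter

HALF_OPEN_THRESHOLD = 3     # per listening socket; constructed, real values are much larger
ICMP_REPLY_THRESHOLD = 4    # distinct replying hosts converging on one destination

# Constructed connection table in the style of a trimmed netstat/ss listing:
# state, local address:port, remote address:port
SAMPLE_CONNECTIONS = """\
ESTABLISHED 10.0.0.5:443 198.51.100.7:51022
SYN_RECV    10.0.0.5:443 203.0.113.10:40001
SYN_RECV    10.0.0.5:443 203.0.113.11:40002
SYN_RECV    10.0.0.5:443 203.0.113.12:40003
SYN_RECV    10.0.0.5:443 203.0.113.13:40004
ESTABLISHED 10.0.0.5:22  198.51.100.9:52000
SYN_RECV    10.0.0.5:22  198.51.100.9:52001
"""

# Constructed ICMP records as a capture summary would list them: type, source, destination
SAMPLE_ICMP = """\
echo-reply 192.168.1.10 10.0.0.5
echo-reply 192.168.1.11 10.0.0.5
echo-reply 192.168.1.12 10.0.0.5
echo-reply 192.168.1.13 10.0.0.5
echo-reply 192.168.1.14 10.0.0.5
echo-reply 192.168.1.20 10.0.0.9
echo-request 10.0.0.9 192.168.1.20
"""


def half_open_by_port(table, threshold=HALF_OPEN_THRESHOLD):
    """SYN flood indicator: connections stuck after the SYN-ACK (state SYN_RECV),
    counted per listening socket. Returns only the sockets above the threshold."""
    counts = Counter()
    for line in table.splitlines():
        if not line.strip():
            continue
        state, local, remote = line.split()
        if state == "SYN_RECV":
            counts[local] += 1
    return {local: n for local, n in counts.items() if n > threshold}


def icmp_reply_convergence(records, threshold=ICMP_REPLY_THRESHOLD):
    """Smurf indicator: many distinct hosts answering pings toward the same destination,
    which is what the victim sees when its address was used as the spoofed source."""
    repliers = {}
    for line in records.splitlines():
        if not line.strip():
            continue
        kind, src, dst = line.split()
        if kind == "echo-reply":
            repliers.setdefault(dst, set()).add(src)
    return {dst: len(hosts) for dst, hosts in repliers.items() if len(hosts) >= threshold}
```

The port 22 entry shows why the check counts rather than alerts on any half-open connection: a single SYN_RECV is normal latency, and the flood is the accumulation. Likewise one stray echo reply to 10.0.0.9 is noise; the five distinct repliers to 10.0.0.5 are the pattern to act on.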

WHY DO THEY NEED TO HAVE A HIGH LEVEL OF FIREWALL SECURITY USING A DUAL-HOMED SYSTEM?
- A dual-homed system has a two-faced firewall: one face screens incoming requests from the internet; the other provides access to the organization's intranet. Direct communication to the internet is disabled and the two networks are fully isolated. Proxy applications that impose separate log-on procedures perform all access.

Encryption
- The conversion of data into a secret code for storage and transmission.
- Two fundamental components:
  - Key: a mathematical value the sender selects.
  - Algorithm: the procedure of shifting letters in the cleartext message the number of positions the key value indicates.

Two general approaches to encryption are private key and public key encryption.
- Private key encryption
  - Advanced Encryption Standard (AES) uses a single key known to both the sender and the receiver of the message. To encode a message, the sender provides the encryption algorithm with the key, which is used to produce a ciphertext message. The message enters the communication channel and is transmitted to the receiver's location, where it is stored. The receiver decodes the message with a decryption program that uses the same key the sender employs.
  - Triple Data Encryption Standard (Triple DES) provides considerably improved security over most single encryption techniques. It uses three keys; techniques: EEE3 and EDE3.
- Public key encryption
  - Uses two different keys: one for encoding messages and the other for decoding them.
  - Each recipient has a private key that is kept secret and a public key that is published.
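The "key and algorithm" description above (a key giving the number of positions, an algorithm that shifts cleartext letters by that number, and the same key used by the receiver to decode) is a shift cipher, and the EEE3/EDE3 patterns of Triple DES are simply three applications of one cipher with three keys. The following is an added example for these notes, not code from the source. It implements the shift cipher the notes describe and composes it in the EDE3 and EEE3 patterns to show the structure; the shift cipher stands in for DES here and is not secure, and AES or Triple DES themselves need a cryptographic library. The sample messages and keys are constructed.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(cleartext: str, key: int) -> str:
    """Algorithm from the notes: move each letter forward `key` positions (mod 26).
    Characters outside the alphabet pass through unchanged."""
    out = []
    for ch in cleartext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Private-key decoding: the receiver applies the same key in the reverse direction."""
    return shift_encrypt(ciphertext, -key)


def ede3_encrypt(cleartext: str, k1: int, k2: int, k3: int) -> str:
    """EDE3 pattern: E_k3(D_k2(E_k1(m))), the arrangement Triple DES uses."""
    return shift_encrypt(shift_decrypt(shift_encrypt(cleartext, k1), k2), k3)


def ede3_decrypt(ciphertext: str, k1: int, k2: int, k3: int) -> str:
    """Undo EDE3 in reverse order: D_k1(E_k2(D_k3(c)))."""
    return shift_decrypt(shift_encrypt(shift_decrypt(ciphertext, k3), k2), k1)


def eee3_encrypt(cleartext: str, k1: int, k2: int, k3: int) -> str:
    """EEE3 pattern: three encryptions in a row."""
    return shift_encrypt(shift_encrypt(shift_encrypt(cleartext, k1), k2), k3)


def effective_single_key(k1: int, k2: int, k3: int, mode: str = "EDE3") -> int:
    """Caveat: for a shift cipher, three keys collapse to one equivalent shift, so
    tripling adds no strength. Triple DES gains strength only because DES does not
    compose this way (two DES keys do not reduce to a third)."""
    if mode == "EDE3":
        return (k1 - k2 + k3) % 26
    return (k1 + k2 + k3) % 26
```

Running the EDE3 composition on a message and comparing it with a single shift by `effective_single_key(k1, k2, k3)` shows the two outputs are identical; that equality is the reason the notes can say Triple DES improves on single DES while the same trick would do nothing for a shift cipher.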

Controlling Risks from Subversive Threats
- Digital signature: an electronic authentication technique to ensure that a transmitted message originated with the authorized sender.
- Digital certificate: like an electronic identification card used with a public key encryption system.
- Message sequence numbering inserts a sequence number in each message to prevent attempts to delete, change or duplicate a message.
- Message transaction log records all attempted accesses with user ID, time of access and location.
- Request-response technique sends control messages and responses randomly, making it difficult for an intruder to circumv...
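Message sequence numbering works because the receiver keeps track of the next number it expects: a deleted message appears as a gap, a duplicated message as a number already seen, and a changed message is caught by an authentication tag computed over the sequence number and the body together. The following is an added example for these notes, not code from the source. The tag is an HMAC, a shared-key message authentication code used here in place of the public-key digital signature the notes mention; the key, the payment messages and the tampered stream are constructed sample data.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"   # assumption: sender and receiver share this key


def tag(seq: int, body: str, key: bytes = SHARED_KEY) -> str:
    """Authentication tag over sequence number and body, so neither can be altered alone."""
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()


def make_message(seq: int, body: str) -> dict:
    """Sender side: number the message and attach its tag."""
    return {"seq": seq, "body": body, "tag": tag(seq, body)}


def receive_stream(messages, key: bytes = SHARED_KEY):
    """Receiver side. Returns (accepted bodies, findings); findings name the
    deletions (gaps), duplicates (repeats) and changes (tag mismatches) detected."""
    expected = 1
    accepted, findings = [], []
    for m in messages:
        if not hmac.compare_digest(tag(m["seq"], m["body"], key), m["tag"]):
            findings.append((m["seq"], "changed: authentication tag mismatch"))
            continue
        if m["seq"] < expected:
            findings.append((m["seq"], "duplicate: sequence number already seen"))
            continue
        if m["seq"] > expected:
            findings.append((m["seq"], f"gap: messages {expected}..{m['seq'] - 1} missing"))
        accepted.append(m["body"])
        expected = m["seq"] + 1
    return accepted, findings


def demo_stream():
    """Constructed transit faults: message 2 deleted, message 3 replayed, message 4 altered."""
    bodies = ["PAY 100 TO ACME", "PAY 250 TO BETA", "PAY 75 TO GAMMA", "PAY 900 TO DELTA"]
    sent = [make_message(i, b) for i, b in enumerate(bodies, start=1)]
    altered = dict(sent[3])
    altered["body"] = "PAY 9000 TO DELTA"       # body changed, tag left as sent
    stream = [sent[0], sent[2], sent[2], altered]
    return receive_stream(stream)
```

Each finding carries the sequence number, which is what the message transaction log described above would record alongside the user ID, time and location, giving the auditor the case list to follow up.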

