
AUDITING IT ENVIRONMENT

TOPIC 4 (PART III)

TOPIC CONTENTS

1 Auditing the computer centre


2 Auditing the Disaster Recovery Planning (DRP)
3 Auditing operating system
4 Auditing networks
5 Auditing Electronic Data Interchange (EDI)
TOPIC OUTCOMES

1 Understand the controls required to ensure the security of an organisation’s computer centre.
2 Understand the key elements of disaster recovery planning.
3 Identify principal threats to the operating system and control techniques used to minimise the risk of exposures.
4 Be familiar with the primary risks associated with business transactions conducted over intranets and the internet, plus control techniques to reduce these risks.
5 Recognise the operational features and risks associated with EDI.

OPERATING SYSTEM
• https://www.youtube.com/watch?feature=player_embedded&v=pTdSs8kQqSA

WHAT IS OPERATING SYSTEM?
• An interface between the user and the hardware and enables the
interaction of a computer’s hardware and software.
• A software which performs all the basic tasks like file management,
memory management, storage management, process
management, handling input and output, and controlling peripheral
devices such as disk drives and printers.

What is Operating System?

Program that controls execution of application programs and acts as intermediary between a user of a computer and the computer hardware.

Must have an operating system to run other programs and applications.

All computers and computer-like devices have operating systems, including your laptop, tablet, desktop, smartphone, smart watch and router.

FUNCTIONS OF OS
1. provide security
2. memory management
3. device management
4. file management
5. error detection and handling

OPERATING SYSTEM SECURITY

In any organisation, there must be steps or measures taken to protect the OS from threats, viruses, worms, malware or remote hacker intrusions.

This is called operating system security.

Policies, procedures and controls that determine who can access the operating system.
OPERATING SYSTEM SECURITY
• Secure operating systems consist of four (4) security components:
• Log-on control procedure
• Access token
• Access control list
• Discretionary access privileges

OPERATING SYSTEM SECURITY: LOG-ON PROCEDURE

First line of defense against unauthorized access.

When user initiates the process, dialog box appears requesting user’s ID and password.

The system compares ID and password to a database of valid users.

If the system:
• Finds a match, then the log-on attempt is authenticated.
• Finds the password or ID is entered incorrectly, the log-on attempt fails, and a message is returned to the user.
• The message should not reveal whether the password or the ID caused the failure.
• The system should allow the user to re-enter the log-on information.
• After a specified number of attempts (<5) the system should lock out the user from the system.
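
The log-on procedure above, sketched in Python as an added example (not part of the original slides). The class name, the three-attempt limit (the slide only requires fewer than five) and the salted PBKDF2 password storage are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed policy value; the slide only requires fewer than 5
GENERIC_ERROR = "Log-on failed: invalid user ID or password."
LOCKED = "Account locked. Contact the system administrator."

def _hash(password, salt):
    # Assumption: passwords are stored as salted PBKDF2 hashes, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LogonController:
    def __init__(self):
        self._users = {}     # user ID -> (salt, password hash)
        self._failures = {}  # user ID -> consecutive failed attempts
        self._dummy_salt = os.urandom(16)

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash(password, salt))

    def is_locked(self, user_id):
        return self._failures.get(user_id, 0) >= MAX_ATTEMPTS

    def log_on(self, user_id, password):
        """Return (authenticated, message shown to the user)."""
        if self.is_locked(user_id):
            return False, LOCKED
        # Unknown IDs go through the same hashing and counting as known ones,
        # so neither the message nor the lockout reveals which field was wrong.
        salt, stored = self._users.get(user_id, (self._dummy_salt, b""))
        supplied = _hash(password, salt)
        if user_id in self._users and hmac.compare_digest(supplied, stored):
            self._failures.pop(user_id, None)  # success resets the counter
            return True, "Log-on successful."
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        return False, GENERIC_ERROR
```
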

LOG ON CONTROL PROCEDURE
OPERATING SYSTEM SECURITY: ACCESS TOKEN, ACCESS CONTROL LIST
• Access token
  • Log on → successful → OS creates an access token (contains information about the user e.g. user id, password)
• Access control list (ACL)
  • Tells operating system which permission/access rights each user has to a particular system object, such as a file directory or individual file.
OPERATING SYSTEM SECURITY: DISCRETIONARY ACCESS PRIVILEGES
• Each resource/file has an identified owner (person who creates the resource is the owner)
• The owner of the resource decides at his discretion to allow other users to access the resource.
THREATS TO OPERATING SYSTEM INTEGRITY

ACCIDENTAL THREATS
• HARDWARE FAILURES
• ERRORS IN USER APPS

INTENTIONAL THREATS
• PERSONNEL ABUSE OF POWER
• INDIVIDUALS
• PERSON INSERTS VIRUS
ERRORS IN USER APPLICATIONS

Steps Taken to Reduce Threats
• To ensure secured operating system, must have controls on:
  • Access privileges
  • Password
  • Malicious and Destructive Program
  • System audit trail

Access Privileges Control

Must be carefully administered and closely monitored to make sure no violation on segregation of duties.

E.g., a cash receipts clerk who is granted the right to access must not make changes to the accounts receivable file.

AUDIT OBJECTIVES AND PROCEDURES
• To verify/ensure access privileges granted promote segregation
of functions.
• Audit procedures include:-
• Review organisation's policy for separating incompatible
functions
• Review access rights/permission granted to employees to
determine the permission is appropriate for job descriptions.
• Review personnel records to determine privileged employees
undergo intensive security clearance.
• Review employee records on confidentiality of data.
• Review the user’s permitted log on times
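
One way to carry out the access-rights review above over an exported access control list, as an added Python example (not part of the original slides). The user IDs, role names, file names and the incompatible-rights pair are constructed assumptions based on the cash receipts clerk example.

```python
# Rights each job description is meant to have (constructed sample data).
JOB_DESCRIPTION_RIGHTS = {
    "cash_receipts_clerk": {("cash_receipts", "read"), ("cash_receipts", "write"),
                            ("accounts_receivable", "read")},
    "ar_clerk": {("accounts_receivable", "read"), ("accounts_receivable", "write")},
}

# Pairs of rights that one person must not hold together (incompatible functions).
INCOMPATIBLE = [(("cash_receipts", "write"), ("accounts_receivable", "write"))]

# Constructed ACL export: (user, role, system object, right).
ACL = [
    ("u1001", "cash_receipts_clerk", "cash_receipts", "write"),
    ("u1001", "cash_receipts_clerk", "accounts_receivable", "read"),
    ("u1002", "cash_receipts_clerk", "cash_receipts", "write"),
    ("u1002", "cash_receipts_clerk", "accounts_receivable", "write"),
    ("u1003", "ar_clerk", "accounts_receivable", "write"),
]

def review_access(acl, allowed, incompatible):
    """Return findings as (user, finding type, detail) tuples."""
    findings = []
    held = {}  # user -> set of (object, right) actually granted
    for user, role, obj, right in acl:
        held.setdefault(user, set()).add((obj, right))
        # Right granted in the system but absent from the job description.
        if (obj, right) not in allowed.get(role, set()):
            findings.append((user, "excess_right", f"{right} on {obj}"))
    for user, rights in sorted(held.items()):
        # One user holding both halves of an incompatible pair.
        for a, b in incompatible:
            if a in rights and b in rights:
                detail = f"{a[1]} {a[0]} + {b[1]} {b[0]}"
                findings.append((user, "sod_conflict", detail))
    return findings

if __name__ == "__main__":
    for finding in review_access(ACL, JOB_DESCRIPTION_RIGHTS, INCOMPATIBLE):
        print(finding)
```
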
PASSWORD CONTROL
• Most common forms of contra-security behaviour:
  • Forgetting passwords
  • Failing to change passwords on a frequent basis
  • Post-it syndrome
  • Passwords that are too simple
• Methods to control passwords:
  • Reusable password
    • To improve access control, management should require that passwords be changed regularly and disallow weak passwords.
    • Software is available that automatically scans password files and notifies users that their passwords have expired and need to be changed.
  • One-time password
    • Alternative to reusable password.
• Audit objective: To ensure that the organisation has an adequate and effective password policy to control access to the operating system.

AUDIT OBJECTIVES AND PROCEDURES

To ensure organisation has an adequate and effective password policy for controlling access to the operating system.

Audit procedures include:
• Inquire client on requirements to have password.
• Inquire client on policy of password control.
• Review the account lockout policy and procedures (auditor should determine how many failed log-on attempts are allowed before the account is locked and duration of the lockout).

Malicious and Destructive Programs Controls

Responsible for millions of dollars of corporate losses.

Losses in terms of:
• data corruption and destruction
• degraded computer performance
• hardware destruction
• violations of privacy
• time to repair the damage.

TYPES OF MALICIOUS AND DESTRUCTIVE PROGRAMS
• Virus
• Worm
• Logic bomb
• Trap door/back door
• Trojan horse

Types of Malicious & Destructive Programs
• Virus
  • Attached to legitimate program to penetrate operating system.
  • Destroy application programs, data files, and the operating system itself.
  • Mechanisms for spreading viruses include e-mail attachments, downloading of public-domain programs from the Internet, and using illegal bootleg software.

Types of Malicious & Destructive Programs
• Worm
  • Operates independently (does not depend on host program).
  • Can replicate itself from one computer to another without being activated by users.

Types of Malicious & Destructive Programs
• Logic bomb
  • A destructive program that starts running on a computer when some predetermined event triggers it.
  • A date (such as Friday the 13th, April Fool’s Day, or the 4th of July) is often the logic bomb’s trigger.

Types of Malicious & Destructive Programs
• Back door/trap door
  • Software program that allows unauthorized access to a system without going through the normal (front door) log-on procedure.
• Trojan horse
  • Program whose purpose is to capture IDs and passwords from unsuspecting users.
  • Disguised as legitimate software.

HOW TO CONTROL THREATS AGAINST MALICIOUS & DESTRUCTIVE PROGRAMS?
1. Purchase software only from reputable vendors.
2. Accept only those products that are in their original, factory-sealed packages.
3. Issue policy on using unauthorized software or illegal (bootleg) software.
4. Use antiviral software (also called vaccines).

SYSTEM AUDIT TRAIL CONTROLS

In computer and network contexts, an audit trail is a time-stamped record of significant activities on a system.

Recorded events include user logins and logouts to the system, as well as what commands were issued by the user to the system while logged in.

An audit trail keeps track of who did what, to what, and when they did it, as well as who tried to do something but was unsuccessful.

Useful for tracing unauthorized users and uses.
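
A review of such an audit trail, as an added Python example (not part of the original slides): it lists who tried to do something but was unsuccessful, and flags a successful log-on that follows a burst of failed attempts. The record layout, the sample records and the thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit-trail records; the field layout is an assumption.
SAMPLE_TRAIL = """\
2024-03-04T08:58:01 user=u1001 event=logon result=success
2024-03-04T09:02:10 user=u1002 event=logon result=fail
2024-03-04T09:02:25 user=u1002 event=logon result=fail
2024-03-04T09:02:41 user=u1002 event=logon result=fail
2024-03-04T09:03:05 user=u1002 event=logon result=success
2024-03-04T09:10:30 user=u1001 event=write:accounts_receivable result=denied
2024-03-04T17:01:00 user=u1001 event=logoff result=success
"""

def parse(line):
    """Split one record into a dict with a parsed 'time' field."""
    stamp, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.fromisoformat(stamp)
    return rec

def review_trail(text, max_fails=3, window=timedelta(minutes=5)):
    """Return (denied actions, log-ons that followed a burst of failures)."""
    denied, suspicious, recent_fails = [], [], {}
    for rec in map(parse, filter(None, text.splitlines())):
        user = rec["user"]
        if rec["result"] == "denied":
            # Who tried to do something but was unsuccessful.
            denied.append((user, rec["event"], rec["time"].isoformat()))
        if rec["event"] != "logon":
            continue
        # Keep only this user's failures that fall inside the time window.
        fails = [t for t in recent_fails.get(user, [])
                 if rec["time"] - t <= window]
        if rec["result"] == "fail":
            fails.append(rec["time"])
        else:
            if len(fails) >= max_fails:
                suspicious.append((user, rec["time"].isoformat()))
            fails = []  # a successful log-on resets the count
        recent_fails[user] = fails
    return denied, suspicious

if __name__ == "__main__":
    print(review_trail(SAMPLE_TRAIL))
```
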
