Ch03-Security Part 1. Auditing Operating Systems and Networks
February 1, 2017 | Author: Alfin Abdullah | Category: N/A
CHAPTER 3: Security Part 1: Auditing Operating Systems and Networks
CSI4601851 Fundamentals of IS Audit (Dasar-Dasar Audit SI), Even Semester 2013/2014
Faculty of Computer Science, Universitas Indonesia
Learning Objectives
• Be able to identify the principal threats to the operating system and the control techniques used to minimize the possibility of actual exposures.
• Be familiar with the principal risks associated with commerce conducted over intranets and the Internet, and understand the control techniques used to reduce these risks.
• Be familiar with the risks associated with personal computing systems.
• Recognize the unique exposures that arise in connection with electronic data interchange (EDI) and understand how these exposures can be reduced (reading assignment).
Operating Systems
• Perform three main tasks:
  • translate high-level languages into machine-level language
  • allocate computer resources to user applications
  • manage the tasks of job scheduling and multiprogramming
Requirements for Effective Operating System Performance
• OS must protect itself from users
• OS must protect users from each other
• OS must protect users from themselves
• OS must be protected from itself
• OS must be protected from its environment
  • such as power failures and other disasters
Operating System Security
• Log-On Procedure
  • first line of defense: user IDs and passwords
  • If the log-on fails, do not reveal whether the ID or the password caused the failure
  • After more than five failed attempts, lock the system
• Access Token
  • contains key information (ID, password, group, privileges) about the user
• Access Control List
  • defines the access privileges of users
• Discretionary Access Control
  • allows a user to grant access to another user
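An added example (not from the slides) of the log-on controls just listed: one generic failure message whatever the cause, and lockout after more than five failed attempts, interpreted here as locking the account. Salted PBKDF2 password hashing and the 100,000-iteration count are assumptions of this example, not part of the lecture.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_FAILED_ATTEMPTS = 5              # slide: lock after more than five failed attempts
GENERIC_FAILURE = "Log-on failed"    # slide: never reveal whether the ID or the password was wrong
DUMMY_SALT = b"\x00" * 16            # used so unknown IDs cost the same time as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the password file never holds clear-text passwords (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class LogonProcedure:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def logon(self, user_id: str, password: str) -> Tuple[bool, str]:
        account = self.accounts.get(user_id)
        if account is None:
            # Unknown ID: hash anyway so the response time does not reveal that the
            # ID does not exist, then return the same generic message as a bad password.
            hash_password(password, DUMMY_SALT)
            return False, GENERIC_FAILURE
        if account.locked:
            return False, GENERIC_FAILURE    # a locked account fails even with the right password
        if hmac.compare_digest(account.pw_hash, hash_password(password, account.salt)):
            account.failed_attempts = 0      # a successful log-on resets the counter
            return True, "Log-on successful"
        account.failed_attempts += 1
        if account.failed_attempts > MAX_FAILED_ATTEMPTS:
            account.locked = True            # the sixth failure locks the account until an administrator unlocks it
        return False, GENERIC_FAILURE
```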
Operating System Controls and Audit Tests
• Controlling Access Privileges
• Password Control
• Controlling Against Malicious and Destructive Programs
• System Audit Trail Controls
Controlling Access Privileges
• Audit objectives relating to access privileges
  • verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization’s policy
• Audit procedures relating to access privileges
  • Review the organization’s policies for separating incompatible functions
  • Review the privileges of a selection of user groups and individuals to determine whether their access rights are appropriate for their job descriptions and positions
  • Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy
  • Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data
  • Review the users’ permitted log-on times
Password Control
• Common forms of contra-security behavior include:
  • Forgetting passwords and being locked out of the system
  • Failing to change passwords on a frequent basis
  • The Post-it syndrome, whereby passwords are written down and displayed for others to see
  • Simplistic passwords that a computer criminal easily anticipates
Password Control
• Reusable Passwords
  • The user defines the password to the system once and then reuses it to gain future access
  • Quality depends on the password itself
  • Management actions:
    • require that passwords be changed regularly and disallow weak passwords
    • use extensive databases of known weak passwords to validate each new password and disallow weak ones
• One-Time Passwords
  • the user’s password changes continuously
  • Common implementation: PIN + randomly generated password
  • An additional device with a display (such as a mobile phone) is usually needed to generate the one-time password
Password Control
• Audit objectives
  • to ensure the organization has an adequate and effective password policy for controlling access to the OS
• Audit procedures
  • Verify that all users are required to have passwords.
  • Verify that new users are instructed in the use of passwords and the importance of password control.
  • Review password control procedures to ensure that passwords are changed regularly.
  • Review the password file to determine that weak passwords are identified and disallowed.
  • Verify that the password file is encrypted and that the encryption key is properly secured.
  • Assess the adequacy of password standards such as length and expiration interval.
  • Review the account lockout policy and procedures.
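An added example (not part of the lecture material) that serves both the management actions for reusable passwords on the previous slide and the audit procedures on this one: a new password is screened against a known-weak list and a length standard, and a constructed password file is then reviewed for expired passwords and for hashes that match known-weak entries. The weak-password list, the 12-character minimum, the 90-day expiration interval and the record layout are assumed values.

```python
import hashlib
from datetime import date
from typing import Dict, List, Tuple

# Constructed stand-in for the "extensive database of known weak passwords"; real lists hold millions.
KNOWN_WEAK = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12       # password standard: minimum length (assumed policy value)
MAX_AGE_DAYS = 90     # password standard: expiration interval (assumed policy value)


def validate_new_password(user_id: str, password: str) -> Tuple[bool, str]:
    """Screen a password at change time; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than the %d-character minimum" % MIN_LENGTH
    if password.lower() in KNOWN_WEAK:
        return False, "appears in the known-weak-password database"
    if user_id.lower() in password.lower():
        return False, "contains the user ID"
    return True, "accepted"


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_record(user_id: str, password: str, last_changed: str, salt: bytes = b"constructed-salt") -> Dict:
    """Build one constructed password-file entry; only the salted hash is stored, never the password."""
    return {"user_id": user_id, "salt": salt, "hash": pw_hash(password, salt),
            "last_changed": date.fromisoformat(last_changed)}


def audit_password_file(records: List[Dict], today: str) -> List[str]:
    """Auditor's review of the password file: flag expired passwords, and find weak ones by
    hashing each known-weak candidate with the user's salt and comparing to the stored hash."""
    today_d = date.fromisoformat(today)
    findings = []
    for rec in records:
        age = (today_d - rec["last_changed"]).days
        if age > MAX_AGE_DAYS:
            findings.append("%s: password %d days old, exceeds %d-day expiration"
                            % (rec["user_id"], age, MAX_AGE_DAYS))
        if any(pw_hash(weak, rec["salt"]) == rec["hash"] for weak in KNOWN_WEAK):
            findings.append("%s: password matches a known-weak entry" % rec["user_id"])
    return findings
```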
Controlling Against Malicious and Destructive Programs
• Corporate losses: data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage
• Examples of malicious and destructive programs: viruses, worms, logic bombs, back doors, and Trojan horses
• Threats can be reduced through a combination of technology controls and administrative procedures:
  • Purchase software only from reputable vendors, in factory-sealed packages.
  • Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.
  • Examine all upgrades to vendor software for viruses before they are implemented.
  • Inspect all public-domain software for virus infection before using it.
Controlling Against Malicious and Destructive Programs
• Threats can be reduced through a combination of technology controls and administrative procedures (cont.):
  • Establish entity-wide procedures for making changes to production programs.
  • Establish an educational program to raise user awareness.
  • Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or LAN.
  • Routinely make backup copies of key files.
  • Limit users to read and execute rights only.
  • Require protocols that explicitly invoke the operating system’s log-on procedures to bypass Trojan horses.
  • Use antiviral software (also called vaccines) to examine application and operating system programs.
Controlling Against Malicious and Destructive Programs
• Audit objectives
  • verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses
• Audit procedures
  • Determine that operations personnel have been educated.
  • Verify that new software is tested on workstations prior to being implemented on the host or network server.
  • Verify that the current version of antiviral software is always up-to-date.
System Audit Trail Controls
• System audit trails are logs that record activity at the system, application, and user level
• Audit trails typically consist of two types of audit logs:
  • Detailed logs of individual keystrokes
    • record both the user’s keystrokes and the system’s responses
  • Event-oriented logs
    • summarize key activities related to system resources
    • Event logs record: the IDs of all users accessing the system; the time and duration of a user’s session; programs that were executed during a session; and the files, databases, printers, and other resources accessed
System Audit Trail Controls
• Audit trails support security objectives in:
  • detecting unauthorized access to the system,
  • facilitating the reconstruction of events, and
  • promoting personal accountability.
• Information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.
System Audit Trail Controls
• Audit objectives
  • ensure that the audit trail system is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation
• Audit procedures
  • verify that the audit trail in the OS has been activated according to organization policy
  • use general-purpose data extraction tools for accessing archived log files to search for conditions such as: unauthorized or terminated users; periods of inactivity; etc.
  • select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group
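An added example (not from the slides) of the data-extraction procedure above: a constructed event-oriented log is parsed and searched for log-ons by terminated or unauthorized users, log-ons outside the permitted log-on times, and periods of inactivity within a session. The log format, the user lists and the policy thresholds are assumptions of the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

AUTHORIZED_USERS = {"alice", "bob", "carol"}     # from the access control list (assumed)
TERMINATED_USERS = {"carol"}                     # from HR records (assumed: left before 2014-03-04)
PERMITTED_HOURS = range(7, 19)                   # permitted log-on times 07:00-18:59 (assumed policy)
INACTIVITY_LIMIT = timedelta(hours=2)            # in-session gap the auditor wants flagged (assumed)
LINE_RE = re.compile(r"^(\S+) (LOGON|LOGOFF|EXEC|ACCESS) (\S+)(?: (\S+))?$")

# Constructed event-oriented audit log (not from any real system): timestamp, event, user, object.
AUDIT_LOG = """\
2014-03-03T08:59:10 LOGON alice
2014-03-03T09:05:00 EXEC alice payroll.exe
2014-03-03T09:07:30 ACCESS alice /data/salaries.db
2014-03-03T12:40:00 ACCESS alice /data/ledger.db
2014-03-03T12:45:00 LOGOFF alice
2014-03-03T22:15:00 LOGON bob
2014-03-03T22:20:00 LOGOFF bob
2014-03-04T10:00:00 LOGON carol
2014-03-04T10:02:00 LOGOFF carol
"""

def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines that do not fit the expected format
        ts, kind, user, obj = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "user": user, "obj": obj})
    return events

def review_audit_trail(events: List[Dict]) -> List[str]:
    """Data-extraction pass for the conditions named on the slide: unauthorized or
    terminated users, log-ons outside permitted times, and periods of inactivity."""
    findings: List[str] = []
    last_seen: Dict[str, datetime] = {}       # last event per user with an open session
    for ev in events:
        user, ts, when = ev["user"], ev["ts"], ev["ts"].isoformat()
        if ev["kind"] == "LOGON":
            if user in TERMINATED_USERS:
                findings.append("%s: log-on by terminated user at %s" % (user, when))
            elif user not in AUTHORIZED_USERS:
                findings.append("%s: log-on by unauthorized user at %s" % (user, when))
            if ts.hour not in PERMITTED_HOURS:
                findings.append("%s: log-on outside permitted hours at %s" % (user, when))
            last_seen[user] = ts
            continue
        prev = last_seen.get(user)
        if prev is not None and ts - prev > INACTIVITY_LIMIT:
            findings.append("%s: %s of inactivity before %s" % (user, ts - prev, when))
        if ev["kind"] == "LOGOFF":
            last_seen.pop(user, None)         # session closed
        else:
            last_seen[user] = ts
    return findings
```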
Internet and Intranet Risks
• The communications component is a unique aspect of computer networks:
  • different from processing (applications) or data storage (databases)
• Network topologies are configurations of:
  • communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
  • hardware components (modems, multiplexers, servers, front-end processors)
  • software (protocols, network control systems)
Intranet Risks
• Interception of network messages
  • Sniffing confidential data such as passwords, confidential e-mails, and financial data files
• Access to corporate databases
  • A central database increases the risk that an employee will view, corrupt, change, or copy data such as customer listings, credit card information, recipes, formulas, and design specifications
• Privileged employees
  • middle managers, who often possess access privileges that allow them to override controls, are most often prosecuted for insider crimes
• Reluctance to prosecute
  • fear of negative publicity
Internet Risks to Businesses
• IP spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity
• Denial of service (DOS) attacks: assaulting a Web server to prevent it from servicing users
  • particularly devastating to business entities that cannot receive and process business transactions
• Other malicious programs: viruses, worms, logic bombs, and Trojan horses pose a threat to both Internet and intranet users
Three Common Types of DOS Attacks
• SYN Flood: when the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits.
• Smurf: the DOS attacker uses numerous intermediary computers to flood the target computer with test messages ("pings").
• Distributed DOS (DDOS): can take the form of Smurf or SYN attacks, but is distinguished by the vast number of "zombie" computers hijacked to launch the attacks.
SYN Flood DOS Attack (figure)
• Step 1: the sender sends a SYN message to the receiver
• Step 2: the receiver replies with SYN/ACK
• Step 3: the sender completes the handshake with an ACK packet
• In a DOS attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
Smurf Attack (figure)
Distributed Denial of Service Attack (figure)
Risks from Equipment Failure
• Include:
  • Disrupting, destroying, or corrupting transmissions between senders and receivers
  • Loss of databases and programs stored on network servers
Controlling Risks from Subversive Threats: Firewalls
• a system that enforces access control between two networks
• Only authorized traffic between the organization and the outside is allowed to pass through the firewall
• Types:
  • Network-level firewalls: a screening router that examines the source and destination addresses
  • Application-level firewalls: run security applications called proxies
Dual-Homed Firewall (figure)
Controlling Risks from Subversive Threats: Controlling DOS Attacks
• Controls for the three common forms of DOS attack:
  • Smurf attacks: organizations can program firewalls to ignore an attacking site, once identified
  • SYN flood attacks: two tactics to defeat this DOS attack
    • Get Internet hosts to use firewalls that block invalid IP addresses
    • Use security software that scans for half-open connections
  • DDOS attacks: many organizations use Intrusion Prevention Systems (IPS) that employ deep packet inspection (DPI)
    • IPS works with a firewall filter that removes malicious packets from the flow before they can affect servers and networks
    • DPI searches for protocol non-compliance and employs predefined criteria to decide whether a packet can proceed to its destination
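An added example (not from the slides) of the two SYN-flood tactics above: a firewall-style check that drops packets whose source address cannot legitimately arrive from the Internet, and a scan of a netstat-style connection table that counts half-open (SYN_RECV) connections per listening port. The internal address block, the per-port threshold and the connection table are constructed for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Address block the organization itself uses (constructed, from the documentation range);
# a packet arriving from the Internet with one of these source addresses is spoofed.
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
HALF_OPEN_LIMIT = 100   # assumed threshold of half-open connections per listening port


def is_invalid_source(src: str) -> bool:
    """Tactic 1: should an Internet-facing firewall drop a packet with this source address?
    Private, loopback, link-local, multicast, reserved, unspecified and internal sources
    cannot legitimately arrive from outside."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True                              # unparsable address: drop
    return (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified or addr in INTERNAL_NET)


def count_half_open(conn_table: str) -> Dict[int, int]:
    """Tactic 2: count half-open (SYN_RECV) connections per local port in a
    netstat-style table with columns: proto recv-q send-q local remote state."""
    counts = Counter()
    for line in conn_table.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "tcp" or cols[5] != "SYN_RECV":
            continue
        counts[int(cols[3].rsplit(":", 1)[1])] += 1
    return dict(counts)


def syn_flood_suspected(conn_table: str) -> List[Tuple[int, int]]:
    """Ports whose half-open count exceeds the limit, as sorted (port, count) pairs."""
    return sorted((p, n) for p, n in count_half_open(conn_table).items() if n > HALF_OPEN_LIMIT)


# Constructed connection table: 150 half-open on port 80, 2 on port 443, 3 established.
CONN_TABLE = "\n".join(
    ["tcp 0 0 203.0.113.10:80 198.51.100.%d:%d SYN_RECV" % (i % 250 + 1, 40000 + i) for i in range(150)]
    + ["tcp 0 0 203.0.113.10:443 198.51.100.7:%d SYN_RECV" % (51230 + i) for i in range(2)]
    + ["tcp 0 0 203.0.113.10:80 198.51.100.9:%d ESTABLISHED" % (60000 + i) for i in range(3)]
)
```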
Controlling Risks from Subversive Threats: Encryption
• The conversion of data into a secret code for storage and transmission
• Encryption algorithms use keys
  • Typically 56 to 128 bits in length
  • The more bits in the key, the stronger the encryption method.
Controlling Risks from Subversive Threats
• Two general approaches to encryption are private key and public key encryption.
• Private key encryption
  • Advanced Encryption Standard (AES) uses a single key known to both the sender and the receiver of the message
  • Triple Data Encryption Standard (DES) uses three keys
    • Techniques: EEE3 and EDE3
• Public key encryption
  • uses two different keys: one for encoding messages and the other for decoding them
  • each recipient has a private key that is kept secret and a public key that is published
Controlling Risks from Subversive Threats
• Digital signature: an electronic authentication technique to ensure that…
  • the transmitted message originated with the authorized sender
  • the message was not tampered with after the signature was applied
• Digital certificate: like an electronic identification card used with a public key encryption system
  • Verifies the authenticity of the message sender
EEE3 & EDE3 Technique (figure)
Public Key Encryption (figure)
Digital Signature (figure)
Controlling Risks from Subversive Threats
• Message sequence numbering: a sequence number used to detect missing messages
• Message transaction log: a listing of all incoming and outgoing messages, used to detect the efforts of hackers
• Request-response technique: a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals.
  • The timing of the messages should follow a random pattern that will be difficult for an intruder to determine and circumvent
• Call-back devices: the receiver calls the sender back at a pre-authorized phone number before transmission is completed
Controlling Risks from Subversive Threats
• Audit objectives: to verify the security and integrity of financial transactions by determining that network controls
  • can prevent and detect illegal access both internally and from the Internet
  • will render useless any data that a perpetrator successfully captures
  • are sufficient to preserve the integrity and physical security of data connected to the network
• Audit procedures
  • (1) Review the adequacy of the firewall in balancing control and convenience.
    • Flexibility. The firewall should be flexible enough to accommodate new services.
    • Proxy services. Adequate proxy applications should be in place to provide explicit user authentication to sensitive services, applications, and data.
    • Filtering. The firewall should specify which services the user is permitted to access.
    • Segregation of systems. Systems that do not require public access should be segregated from the Internet.
    • Audit tools. The firewall should provide a thorough set of audit and logging tools that identify and record suspicious activity.
    • Probe for weaknesses. Periodically probe the firewall for weaknesses just as a computer Internet hacker would do.
Controlling Risks from Subversive Threats
• Audit procedures (cont.)
  • (2) Verify that an intrusion prevention system (IPS) is in place for organizations that are vulnerable to DDOS attacks, such as financial institutions.
  • (3) Review security procedures governing the administration of data encryption keys.
  • (4) Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.
  • (5) Review the message transaction logs to verify that all messages were received in their proper sequence.
  • (6) Test the operation of the call-back feature by placing an unauthorized call from outside the installation.
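An added example (not part of the slides) that serves both the message sequence numbering control and audit procedure (5) above: a constructed message transaction log is walked per direction and peer, and every missing, out-of-order or duplicated sequence number is reported for the auditor to follow up. The log format is an assumption of the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed message transaction log: direction, per-channel sequence number, peer, timestamp.
TRANSACTION_LOG = """\
IN  seq=1001 peer=bank-A 2014-03-05T09:00:01
OUT seq=2001 peer=bank-A 2014-03-05T09:00:02
IN  seq=1002 peer=bank-A 2014-03-05T09:00:05
IN  seq=1004 peer=bank-A 2014-03-05T09:00:09
IN  seq=1003 peer=bank-A 2014-03-05T09:00:12
IN  seq=1004 peer=bank-A 2014-03-05T09:00:15
OUT seq=2002 peer=bank-A 2014-03-05T09:00:20
IN  seq=5001 peer=bank-B 2014-03-05T09:01:00
IN  seq=5003 peer=bank-B 2014-03-05T09:01:04
"""

LINE_RE = re.compile(r"^(IN|OUT)\s+seq=(\d+)\s+peer=(\S+)\s+(\S+)$")


def review_sequence_numbers(log_text: str) -> List[str]:
    """Walk each (direction, peer) stream in log order. A gap is reported when the first
    number past it arrives; a late message that fills the gap is then reported as out of
    order, and a number seen twice as a duplicate (a possible replay)."""
    findings: List[str] = []
    expected: Dict[Tuple[str, str], int] = {}   # next sequence number expected per stream
    seen: Dict[Tuple[str, str], Set[int]] = {}  # numbers already accepted per stream
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # ignore lines that are not message records
        direction, seq, peer, ts = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        stream = (direction, peer)
        if stream not in expected:                # first record establishes the starting number
            expected[stream], seen[stream] = seq, set()
        nxt = expected[stream]
        if seq in seen[stream]:
            findings.append("%s %s: duplicate seq %d at %s (possible replay)" % (direction, peer, seq, ts))
            continue
        if seq > nxt:
            for missing in range(nxt, seq):
                findings.append("%s %s: seq %d missing before %s" % (direction, peer, missing, ts))
        elif seq < nxt:
            findings.append("%s %s: seq %d arrived out of order at %s" % (direction, peer, seq, ts))
        seen[stream].add(seq)
        expected[stream] = max(nxt, seq + 1)
    return findings
```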
Controlling Risks from Equipment Failure
• The most common problem in data communications is data loss due to line error
• Controls:
  • Echo check: the receiver returns the message to the sender
  • Parity check: incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted
• Audit objectives
  • verify the integrity of the transactions by determining that controls are in place to detect and correct message loss due to equipment failure.
• Audit procedures
  • select a sample of messages from the transaction log and examine them for garbled content caused by line noise
  • verify that all corrupted messages were successfully retransmitted
Vertical and Horizontal Parity using Odd Parity (figure)
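An added example (not from the slides) working through vertical and horizontal parity with odd parity, the scheme the figure above illustrates: each 7-bit character row gets a horizontal parity bit, a vertical parity row is added over every column, and the check locates a single flipped bit at the intersection of the failing row and column. It also covers the cases the figure does not: an error in the parity row itself, and multiple errors, which are detected but cannot be located.

```python
from typing import List, Optional, Tuple

DATA_BITS = 7   # 7-bit ASCII characters; each row carries one extra horizontal parity bit


def odd_parity_bit(bits: List[int]) -> int:
    """Parity bit that makes the number of 1s in the bits plus the parity bit odd."""
    return 0 if sum(bits) % 2 == 1 else 1


def encode_block(text: str) -> List[List[int]]:
    """One row per character (7 data bits, MSB first, plus horizontal parity), followed
    by a vertical parity row with one bit for every column, parity column included."""
    rows = []
    for ch in text:
        data = [(ord(ch) >> i) & 1 for i in range(DATA_BITS - 1, -1, -1)]
        rows.append(data + [odd_parity_bit(data)])
    vertical = [odd_parity_bit([row[c] for row in rows]) for c in range(DATA_BITS + 1)]
    return rows + [vertical]


def check_block(block: List[List[int]]) -> Tuple[bool, Optional[int], Optional[int]]:
    """Recheck odd parity on every character row and every column; returns (ok, row, col).
    A single flipped bit fails exactly one row and one column and is located at their
    intersection. The vertical parity row is not itself checked horizontally, because with
    odd parity its own row parity is only consistent for some block sizes."""
    bad_rows = [r for r, row in enumerate(block[:-1]) if sum(row) % 2 == 0]
    bad_cols = [c for c in range(len(block[0])) if sum(row[c] for row in block) % 2 == 0]
    if not bad_rows and not bad_cols:
        return True, None, None
    if len(bad_cols) == 1 and len(bad_rows) <= 1:
        # No failing character row means the flipped bit sits in the vertical parity row.
        row = bad_rows[0] if bad_rows else len(block) - 1
        return False, row, bad_cols[0]
    return False, None, None   # two or more errors: detected, but not locatable


def flip_bit(block: List[List[int]], r: int, c: int) -> List[List[int]]:
    """Copy of the block with one bit inverted, simulating a line error in transmission."""
    damaged = [row[:] for row in block]
    damaged[r][c] ^= 1
    return damaged


def decode_block(block: List[List[int]]) -> str:
    """Recover the text from the data bits of the character rows."""
    return "".join(chr(int("".join(map(str, row[:DATA_BITS])), 2)) for row in block[:-1])
```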
PC Systems Risks and Controls
• OS weaknesses
  • minimal security for data files and programs
  • data stored on microcomputers that are shared by multiple users are exposed to unauthorized access, manipulation, and destruction
• Weak access control
  • The log-on procedure is usually active only when the computer is booted from the hard drive
  • What about booting from CD-ROM?
• Inadequate segregation of duties
  • Computers are shared among end users
  • The operator may also act as developer
PC Systems Risks and Controls
• Risk of theft
  • PCs and laptops are easy to steal
  • Policy for managing sensitive data
• Weak backup procedures
  • disk failure is the primary cause of data loss in PC environments
  • End users should back up their own PCs, but most lack the experience
• Risk of virus infection
  • ensure that effective antivirus software is installed on the PCs and kept up-to-date
• Multilevel password control
  • When computers are shared among employees
  • each employee is required to enter a password to access his or her applications and data.
Audit Objectives
• Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
• Verify that adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators.
• Verify that backup procedures are in place to prevent data and program loss due to system failures, errors, and so on.
• Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
• Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object.
Audit Procedures
• Observe that PCs are physically anchored to reduce the opportunity for theft.
• Verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems.
• Determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employees’ job descriptions.
• If removable or external hard drives are used, the auditor should verify that the drives are removed and stored in a secure location when not in use.
• Select a sample of backup files and verify that backup procedures are being followed.
• Select a sample of PCs and verify that their commercial software packages were purchased from reputable vendors and are legal copies.
• Review the organization’s policy for using antiviral software.