Computer Operating Systems


Auditor’s Guide to
IT Auditing
by Richard Cascarino
Part V: Protection of Information Assets
• Information assets security management
• Logical IT security
• Application of IT security
• Physical IT security
Information Assets Security Management
• Includes:
– Physical security
– Personnel security
– Data security
– Application software security
– Systems software security
– Telecommunications security
– Computer operations security
– Vital records retention
– IS insurance
– Outside contract services
– Disaster-recovery plans
– Computer crime and fraud
Security Myths
• Computer security is a technical problem
• Security breakdowns only happen to other firms
• The major threat is the data processing staff
• The major threat is outsiders
• Only a computer wizard can perpetrate a computer fraud
• Computer security is physical security
• It is not my problem
Management Concerns (1)
• Accounting, financial, and operating records may
be falsified
• Unauthorized employees may access confidential
data
• Authorized employees may prove to be risk
agents
• Employees may sell confidential data to
competitors or others
• Computer facilities, hardware, and software may
be subject to damage by disgruntled employees
• Unauthorized outsiders may attempt to break in
Management Concerns (2)
• Data integrity could be undermined by
inadequacies in security
• Computer software that is insecure, obsolete, or inappropriate will cost the
organization its competitive edge
• Business viability could be jeopardized in a
disaster situation
• Insurance coverage on IT equipment may be
inadequate
• Self-insurance may be too risky and/or too expensive
Management Concerns (3)
• Gap between computer technology and computer
security is widening
• Erroneous management decisions based on
altered or manipulated data may occur
• Data inadequacies and transaction-processing
delays may disrupt business activities
• Data-processing departments’ security goals and
objectives may not be compatible with the
organization’s information security goals and
objectives resulting in inefficiencies and
ineffective security
A Business Problem
• Implementation is the responsibility of IT management and user
management
• Audit is responsible for examining the technical implementation
– Achievement of business control objectives
– On a continuous basis
• Integrity
• Confidentiality
• Availability
Integrity
• Fundamental basis for trust in computer
systems
– Information remains unchanged except where
intended and authorized
• Physically
• Logically
Confidentiality
• Impact of a breach ranges from:
– Minor embarrassment
– Minor inconvenience
• To:
– Major losses
– Terrorist opportunities
Availability
• Minor level:
– ATM offline
– Web site unavailable
• Corporate level:
– Extended unavailability
– Inability to service customers
– Threat to ongoing survival
Risk Analysis
• Assessing the impact of losses or damage to
the assets in question
• Identification of vulnerabilities
• Identification of sources of threat
• Selection of the appropriate control
techniques
• Assessment of the residual risk after the
control techniques have been applied
Control Techniques
• Workstation security
• Communications security
• Encryption
• Message authentication
• Standard business controls
– Segregation of duties
– Appropriate supervision
Data Integrity
• Ensuring data has not been:
– Changed
– Added
– Erased
• Without detection
– Use of message authentication codes (MACs)
– Double public-key encryption (sender signs with its private key, then
encrypts for the recipient's public key)
– Steganography
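An added example (not from the book or the slides) of the message authentication code control named above: one HMAC-SHA256 tag is computed over a batch of transaction records, and the verifier can then tell whether anything was changed, added, or erased. The key is what makes this work; an unkeyed hash could simply be recomputed by whoever altered the data. The record batch and the key are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample batch of transaction records (not from the page).
RECORDS = [
    b"TXN-0001|2024-01-05|ACCT-17|+1500.00",
    b"TXN-0002|2024-01-06|ACCT-17|-200.00",
    b"TXN-0003|2024-01-06|ACCT-42|+75.25",
]


def mac_records(key: bytes, records) -> bytes:
    """Compute one HMAC-SHA256 tag over an ordered batch of records.

    The record count and each record's length are fed in as 4-byte prefixes so
    that adding, erasing, reordering or re-splitting records changes the MAC
    input, not only edits to bytes inside a record.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(len(records).to_bytes(4, "big"))
    for record in records:
        h.update(len(record).to_bytes(4, "big"))
        h.update(record)
    return h.digest()


def verify_records(key: bytes, records, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(mac_records(key, records), tag)


def tamper_demo(key: bytes) -> dict:
    """Return whether the tag still verifies for the intact batch and for each tampered one."""
    tag = mac_records(key, RECORDS)
    changed = RECORDS[:1] + [b"TXN-0002|2024-01-06|ACCT-17|-2000.00"] + RECORDS[2:]
    added = RECORDS + [b"TXN-0004|2024-01-07|ACCT-99|+9999.00"]
    erased = RECORDS[:2]
    return {
        "intact": verify_records(key, RECORDS, tag),
        "changed": verify_records(key, changed, tag),
        "added": verify_records(key, added, tag),
        "erased": verify_records(key, erased, tag),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # must stay secret; anyone holding it can re-tag altered data
    print(tamper_demo(key))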
Information Security Policy
• Spelling out in detail:
• Information an important asset and must be protected
as such
• Organization will comply with all applicable laws and
regulations
• Access to information granted to individuals as
required to perform their business function
• Confidentiality of information will be maintained
• Information must be appropriately protected
• Information will be available as and when required
• Appropriate control structures will be implemented
Logical IT Security
• Computer operating systems
• Tailoring the operating system
• Auditing the operating system
• Security packages
• User authentication
• Bypass mechanisms
• Security testing methodologies
Computer Operating Systems (1)
• Mainframe operating systems
– Handling batch processing, transaction
processing, and timesharing
• Server operating systems
– Serving multiple users at once over a network
facilitating the sharing of hardware and software
resources
• Multiprocessor operating systems
– Also known as parallel computers or multicomputers, these are
variations on the server operating systems
Computer Operating Systems (2)
• PC operating systems
– Intended to provide an easy interface for one
single user
• Embedded operating systems
– Designed for palmtop computers and personal
digital assistants (PDAs) as well as controlling
single devices such as mobile telephones or
microwave ovens
• Smart card operating systems
– Primitive operating systems normally handling
one single function
Tailoring the Operating System (1)
• Tailored by parameter selection
– Only authorized personnel should be capable of
changing operating parameters and such
changes should be independently scrutinized by
a knowledgeable third party.
– Powerful utilities that run under the control of the
operating system should be accessed by a
limited number of individuals because these can,
in some cases, bypass other security features of
the operating system or even amend the
operating system itself directly.
Tailoring the Operating System (2)
– Critical directories should have access restricted
in a similar manner.
– Default users and accounts should either be
removed or have their passwords changed
immediately upon installation.
– Certain rights can be granted to individuals that
go well beyond the normal scope of user rights
and can affect internal functionality of the
operating system. Once again, the number of
users with these rights should be limited.
Tailoring the Operating System (3)
– Appropriate log files should be created and
retained to record security events and these log
files must be scrutinized on a regular basis.
– Share permissions granting users and programs access to remote
volumes or servers should be restricted on a need-to-have basis.
– Trust relationships between domains should be
minimized to as low a level as possible taking into
consideration the practicalities of trusts required.
Tailoring the Operating System (4)
– System integrity should be monitored on an
ongoing and frequent basis using appropriate
software to verify that system configuration
parameters, ownerships, permissions, and
application software have not been changed
maliciously or accidentally.
– Firewalls should be in place to ensure that only
authorized accesses are permitted and user
access outward is controlled.
– Antivirus and malware protection should be
utilized to protect the operating system itself
against malicious damage.
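An added example, not from the book, of the system integrity monitoring described above: a baseline of content hashes, permission bits, owner and size is taken for every file under a directory, and a later snapshot is compared against it so that changed content, altered permissions (a setuid bit appearing, for instance), new files and deleted files are each reported. The directory tree and the tampering are constructed inside a temporary directory for the illustration; a real deployment would keep the baseline somewhere the monitored host cannot rewrite it.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Hash and record ownership/permission metadata for every regular file under root."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid/sticky
            "uid": st.st_uid,
            "size": st.st_size,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose content or metadata differ, plus files that appeared or vanished."""
    findings = {"modified": [], "added": [], "removed": []}
    for name, meta in current.items():
        if name not in baseline:
            findings["added"].append(name)
        elif meta != baseline[name]:
            changed = sorted(k for k in meta if meta[k] != baseline[name][k])
            findings["modified"].append((name, changed))
    findings["removed"] = sorted(set(baseline) - set(current))
    return findings


def demo() -> dict:
    """Build a throwaway tree, baseline it, tamper with it, and return what the comparison sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        tool = root / "bin" / "tool"
        tool.write_bytes(b"v1")
        tool.chmod(0o755)
        (root / "etc" / "config").write_bytes(b"debug=0\n")
        (root / "etc" / "old.conf").write_bytes(b"x")
        baseline = snapshot(root)

        # Constructed tampering: new binary content plus a setuid bit, a new file, a deleted file.
        tool.write_bytes(b"v1-trojan")
        tool.chmod(0o4755)
        (root / "etc" / "new.conf").write_bytes(b"y")
        (root / "etc" / "old.conf").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())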
Auditing the Operating System
• Checking:
– Password rules
– Password history
– Password aging
– Login time restrictions
– Login station restrictions
– Event logging parameters
– Operating-system-access control
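An added example, not from the book, of what checking password rules, password aging and default accounts looks like against a Unix-style host. The script reads a /etc/login.defs fragment and /etc/shadow rows and compares them with an organisational policy. The configuration lines, the policy values, the list of default accounts and the "today" value (days since the epoch, as /etc/shadow counts them) are all constructed assumptions for the illustration.

```python
import re

# Constructed sample data (not from the page): a /etc/login.defs fragment and /etc/shadow rows.
LOGIN_DEFS = """\
# password ageing controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

SHADOW = """\
root:$6$abc$hash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$salt$hash:19750:1:90:7:::
bob:!$6$salt$hash:19500:1:90:7:::
svc-backup:$6$salt$hash:19000:0:99999:7:::
"""

# Assumed organisational policy and assumed vendor/default account names for this example.
POLICY = {"PASS_MAX_DAYS": 90, "PASS_MIN_DAYS": 1, "PASS_MIN_LEN": 12, "PASS_WARN_AGE": 7}
DEFAULT_ACCOUNTS = {"guest", "svc-backup"}


def parse_login_defs(text: str) -> dict:
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"^(\w+)\s+(\S+)$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_login_defs(text: str) -> list:
    """Compare the system-wide aging and length settings against policy."""
    values = parse_login_defs(text)
    findings = []
    for key, required in POLICY.items():
        if key not in values:
            findings.append(f"{key} not set")
            continue
        actual = int(values[key])
        if key == "PASS_MAX_DAYS" and actual > required:
            findings.append(f"{key}={actual} exceeds policy {required}")
        elif key != "PASS_MAX_DAYS" and actual < required:
            findings.append(f"{key}={actual} below policy {required}")
    return findings


def check_shadow(text: str, today_days: int) -> dict:
    """Per-account checks; only accounts with findings are returned."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue
        name, pw_hash, lastchg, min_days, max_days = fields[:5]
        locked = pw_hash.startswith(("!", "*"))   # locked or no-login accounts need no aging
        issues = []
        if pw_hash == "":
            issues.append("no-password")
        if name in DEFAULT_ACCOUNTS and not locked:
            issues.append("default-account-enabled")
        if not locked:
            if int(max_days or 99999) >= 99999:
                issues.append("never-expires")
            if lastchg and today_days - int(lastchg) > POLICY["PASS_MAX_DAYS"]:
                issues.append("stale-password")
            if int(min_days or 0) < POLICY["PASS_MIN_DAYS"]:
                issues.append("min-days-too-low")   # lets a user cycle back to an old password
        if issues:
            findings[name] = issues
    return findings


def audit(shadow_text: str = SHADOW, login_defs_text: str = LOGIN_DEFS, today_days: int = 19800) -> dict:
    return {"login_defs": check_login_defs(login_defs_text), "accounts": check_shadow(shadow_text, today_days)}


if __name__ == "__main__":
    print(audit())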
Security Packages
• RACF
– IBM
• User profile detailing what resources the user can
access
• User password (hidden)
• User attributes and authorities
• Group option to protect all new data sets
• Connect profiles
• Group profiles
RACF User Attributes
• Special
• Auditor
• Operations
• CLAUTH
• GRPACC
• ADSP
• REVOKE
Auditing RACF
• Identify RACF-protected resources
• Record administration procedures
• Identify which resources are protected
• Analyze resource profiles
• Evaluate adequacy of security and test
• Identify who can control the security
Security Packages
• ACF2
– Computer Associates
– Multiple modes of operation
– Quiet Mode. Disables ACF2 data set rules only
– Log Mode. Permits access but records the fact
– Warn Mode. Issues warning but allows access
– Abort Mode. Logs, issues messages, bars
access (default)
– Rule Mode. Individual access rules are defined
User Privileges
• Account
• Security
• Audit
• Consult
• Leader
Security Packages
• Top Secret
– Computer Associates
• Multiple modes of operation
– Dormant mode
– Warn mode
– Implement mode
– Fail mode
User Authentication
• Fundamental control underlying segregation of duties
• Authentication by:
– Something the user knows
– Something the user has
– Something the user is (biometrics)
Passwords and PINs
• Must be:
– Hard to guess
– Easy to remember
– Well guarded
– Frequently changed
Authentication Devices
• Smartcards
• Microchip cards
• Laser cards
• Operate in challenge and response mode
• Used to establish interactive sessions
• Multiple recurrent verification
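An added example, not from the book, of the challenge and response mode named above, with both sides of the exchange: the host issues a fresh random challenge, the token answers with an HMAC over it using a secret that never leaves the device, and the host accepts each challenge once only, so a captured response cannot be replayed. The same exchange can be repeated during a session, which is the recurrent verification the slide mentions. The enrolment store, secrets and user name are constructed for the illustration; real tokens use a vendor-specific algorithm rather than this HMAC-SHA256 stand-in.

```python
import hashlib
import hmac
import secrets


class Token:
    """Device side (smartcard or hardware token). Holds the secret and only ever emits responses."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Host side. Issues fresh random challenges and accepts each one exactly once."""

    def __init__(self, enrolled: dict):
        self._enrolled = enrolled      # user -> token secret (assumed enrolment store)
        self._outstanding = {}         # user -> challenge awaiting its response

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(user, None)   # consumed whether or not it matches
        secret = self._enrolled.get(user)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_session() -> dict:
    """Genuine login, a replayed response, a token without the right secret, and re-verification."""
    alice_secret = secrets.token_bytes(32)
    host = Verifier({"alice": alice_secret})
    token = Token(alice_secret)
    forged_token = Token(secrets.token_bytes(32))

    c1 = host.issue_challenge("alice")
    r1 = token.respond(c1)
    genuine = host.verify("alice", r1)

    # An eavesdropper replays the captured response: the challenge was consumed, so it fails.
    replay = host.verify("alice", r1)

    # A device without the enrolled secret cannot answer a fresh challenge.
    c2 = host.issue_challenge("alice")
    wrong_key = host.verify("alice", forged_token.respond(c2))

    # Recurrent verification: the host re-challenges mid-session as often as it wants.
    c3 = host.issue_challenge("alice")
    recheck = host.verify("alice", token.respond(c3))

    return {"genuine": genuine, "replay": replay, "wrong_key": wrong_key, "recheck": recheck}


if __name__ == "__main__":
    print(run_session())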
Biometrics
• Fingerprint scanning
• Voice recognition
• Optical scanning
• Holographic recognition
• Signature recognition
• Password entry rhythm
Bypass Mechanisms
• Trapdoors
• Back doors
• Software loopholes deliberately left in
systems
• Permit entry in an unauthorized manner
Security Testing Methodologies
• Open Source Security Testing Methodology
Manual (OSSTMM)
• National Institute of Standards and
Technology (NIST) 800-115
• Information Systems Security Assessment
Framework (ISSAF)
• Open Web Application Security Project
(OWASP)
Application of IT Security
• Communications and network security
• Network protection
• Hardening the operating environment
• Client-server and other environments
• Firewalls and other protection resources
• Intrusion-detection systems
Communications and Network Security
• Security failure risks:
– Loss of reputation
– Loss of confidentiality
– Loss of information integrity
– User authentication failure
– System unavailability
• Risk evaluation
• Design of system of internal controls
Network Protection (1)
• Use of Trust Zones
– Network areas containing sensitive systems with
all accesses directly controlled
• Unauthorized access in such an area could be highly
detrimental
• Would be seen as hostile zones
– Network areas containing information resources
open to the public
• Still require user identification and authentication
• Would be seen as untrusted zones
Network Protection (2)
– Network areas containing information resources
open to a restricted number of authorized outside
users
• Users identified and authenticated
• Would be seen as semitrusted zones
– Network areas with no outside access containing systems that require
full access by internal users and systems
• Users can be validated and controlled directly under the authority of
the organization
• Would normally be seen as trusted zones
Network Audit
• Auditor will seek to ensure:
– Physical security of the network
– Use of data encryption and digital certificates
– Appropriate monitoring
– Access control lists within the routers
– Use of appropriate firewalls
Hardening the Operating Environment (1)
• Removing unneeded functionality and services
• Activating selected security capabilities
• Ensuring service packs and software patches are applied promptly
• Renaming or disabling default system
accounts and passwords
• Access granted on a need-to-have or least
privilege basis
Hardening the Operating Environment (2)
• Activation of antivirus and malware protection
software
• Ensuring definitions are up to date
• Ongoing scrutiny of system log files
• Retention of log files for appropriate periods
• Restriction of access to log files
Client-server
• Architecture where functionality and
processing split
– Client WorkStation / Database server
• Physically and logically separated
• Distributed nature may increase system vulnerability, particularly in
the network component
– Use of single logins (single sign-on)
– Convenient for users, but one compromised credential opens every
connected system
Firewalls etc.
• Mechanism for implementing and enforcing
security policies
• Filtering insecure services
• Blocking the unauthorized outsiders
• Control access in both directions
• Not always the most appropriate control
• May require restructuring
• May be bypassed accidentally or deliberately
Digital Signatures
• A mathematical summary (hash) of the information, encrypted with the
signer's private key
• Verified by decrypting it with the signer's public key and comparing the
result with a freshly computed hash of the received information
• Anyone holding the public key can verify
• Only the holder of the private key (the authorized signatory) can produce
it
Digital Certificates
• Electronic verification
– Issued and digitally signed by the Certification
Authority (CA)
– Utilizes Public Key Infrastructures (PKIs)
– Prospective subscriber registers the public key and requests a
certificate
– Certificates generated and issued to the
subscriber
– Positively identifies the authenticity of the
transmitter
Intrusion-Detection Systems
• Modern systems combine signature matching with anomaly detection
• Capable of detecting:
– Break-ins
– Penetrations
– Abnormal activities
– Deviant behavior
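An added example, not from the book, of the anomaly detection the slide refers to, run over constructed sshd-style log lines. A week of quiet activity is turned into a per-user profile (mean and standard deviation of daily login attempts, and the set of source addresses seen), and the day under review is then flagged where a user's volume or source departs from that profile. The log format, host names, users and addresses are all constructed; the "+1" in the threshold is a design choice to stop a zero-variance baseline from firing on a single extra login.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def constructed_baseline():
    """One quiet week (constructed, not real logs): alice logs in twice a day, bob once."""
    lines = []
    for day in range(1, 8):
        for i in range(2):
            lines.append(f"2024-03-{day:02d}T09:1{i}:00 host1 sshd[101{i}]: Accepted password for alice from 10.0.0.5 port 5{i}000 ssh2")
        lines.append(f"2024-03-{day:02d}T10:30:00 host1 sshd[1100]: Accepted password for bob from 10.0.0.7 port 53000 ssh2")
    return lines


def constructed_observation():
    """The day under review: alice as usual; bob hammered from a new address, then accepted."""
    lines = [
        "2024-03-08T09:10:00 host1 sshd[2010]: Accepted password for alice from 10.0.0.5 port 50000 ssh2",
        "2024-03-08T09:11:00 host1 sshd[2011]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    ]
    for i in range(9):
        lines.append(f"2024-03-08T02:0{i}:00 host1 sshd[22{i:02d}]: Failed password for bob from 203.0.113.9 port 4{i}000 ssh2")
    lines.append("2024-03-08T02:10:00 host1 sshd[2299]: Accepted password for bob from 203.0.113.9 port 49000 ssh2")
    return lines


def build_profile(lines):
    """Per user: mean/std of daily attempts and the set of source addresses seen."""
    per_day = defaultdict(Counter)
    sources = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        per_day[ev["user"]][ev["ts"][:10]] += 1
        sources[ev["user"]].add(ev["ip"])
    return {
        user: {"mean": mean(days.values()), "std": pstdev(days.values()), "sources": sources[user]}
        for user, days in per_day.items()
    }


def detect(profile, lines):
    """Flag users whose daily attempt count or source address departs from their profile."""
    findings = set()
    per_day = defaultdict(Counter)
    for ev in filter(None, map(parse, lines)):
        user, ip = ev["user"], ev["ip"]
        per_day[user][ev["ts"][:10]] += 1
        if user not in profile:
            findings.add((user, "unknown-user", ip))
        elif ip not in profile[user]["sources"]:
            findings.add((user, "new-source", ip))
    for user, days in per_day.items():
        if user not in profile:
            continue
        p = profile[user]
        threshold = p["mean"] + 3 * p["std"] + 1   # +1: a zero-variance baseline must not fire on one extra login
        for day, count in days.items():
            if count > threshold:
                findings.add((user, "volume", f"{day}:{count}>{threshold:.1f}"))
    return sorted(findings)


if __name__ == "__main__":
    profile = build_profile(constructed_baseline())
    for finding in detect(profile, constructed_observation()):
        print(finding)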
Physical IT Security
• Physical threats:
• Physical damage and destruction
– From minor to catastrophic
– Accidental or with malicious intent
– Insiders or outsiders
• Theft of equipment
• Loss of data confidentiality
– From DVDs to thumb drives
Physical Access Control
• Risks of natural events
• Risks from manmade problems
• Broadly categorized:
– Physical damage and destruction
– Theft of equipment
– Loss of data confidentiality
Control Mechanisms
• Physical access control
• Identification of risk areas
• Adequate perimeter protection
• Locks on doors
• Formal ID card system
• Physical access restrictions
• Motion detectors
• Use of scrap shredders
• Destruction of outdated storage media
• Removal of sensitive media when equipment is sent for repair
• Use of scanners and de-gaussers
Environmental Controls
• Securing the environment against fire
– Required for fire:
• Heat
• Fuel source
• Oxygen
– Commonly caused by power problems
– Ideally preventative controls
– Otherwise rapid detection and ability to extinguish
• Beware of the extinguisher causing more
damage than the fire
Other Environmental Controls
• Loss of power
– Uninterruptible power supplies
– Constant voltage chokes
– Standby generators
• Inadequate temperature and humidity control
– Appropriate air conditioning
• Building collapse
– Proper design and construction of buildings
– Contingency plans
Implementing the Controls
• Coexist with logical security controls
• Control surrounding the efficiency and
effectiveness of information processing
• The more control the more resources
consumed
• Some controls required by legislation