ch 03 solution manual information technology auditing 2nd ed james hall - edp auditing class -...


Upload: sjifa-aulia

Post on 26-Dec-2015


DESCRIPTION

This contains solution manual for information technology auditing 2nd edition of james hall.


Page 1: Ch 03 Solution Manual Information Technology Auditing 2nd Ed James Hall - EDP Auditing Class - Jakarta State University - Chairul Anwar

Chapter 3: Security Part I: Auditing Operating Systems and Networks

Review Questions

1. What are the five control objectives of an operating system?

Response:

a. The operating system must protect itself from users.

b. The operating system must protect users from each other.

c. The operating system must protect users from themselves.

d. The operating system must be protected from itself.

e. The operating system must be protected from its environment.

2. What are the three main tasks the operating system performs?

Response:

a. Translates high-level languages into the machine-level language the computer can execute.

b. Allocates computer resources to users.

c. Manages the tasks of job scheduling and multiprogramming.

3. What is the purpose of an access control list?

Response: An access control list is assigned to each computer resource such as directories, files, programs, and printers. These lists contain information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.

4. What are the four techniques that a virus could use to infect a system?

Response: The virus program can attach itself to

a. an .EXE or .COM file,

b. an OVL (overlay) program file,

c. the boot sector of a disk, or

d. a device driver program.

5. What is an access token?

Response: At login, the operating system creates an access token that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The information in the access token is used to approve all actions attempted by the user during the session.

6. Explain discretionary access privileges.

Response: In distributed systems, end users may control (own) resources. Resource owners in this setting may be granted discretionary access control, which allows them to grant access privileges to other users. For example, the controller, who is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting department. The accounts payable manager, however, may be granted both read and write permissions to the ledger. Any attempt the budgeting manager makes to add, delete, or change the general ledger will be denied. Discretionary access control needs to be closely supervised to prevent security breaches resulting from too liberal use.

7. What is event monitoring?

Response: Event monitoring is an audit log that summarizes key activities related to users, applications, and system resources. Event logs typically record the IDs of all users accessing the system; the time and duration of a user’s session; programs that were executed during a session; and the files, databases, printers, and other resources accessed.

8. What is keystroke monitoring?

Response: Keystroke monitoring is the computer equivalent of a telephone wiretap. It is a log that records both the user’s keystrokes and the system’s responses to them. This form of log may be used after the fact to reconstruct the details of an event or as a real-time control to monitor or prevent unauthorized intrusion.

9. What is a vaccine and what are its limitations?

Response: A vaccine anti-virus program detects and removes viruses from the infected programs or data files. Most antiviral programs run in the background on the host computer and automatically test all files that are uploaded to the host. Its limitation is that it works only on known viruses and versions of the virus.

10. What are the risks from subversive threats?

Response: The risks from subversive threats include: a computer criminal intercepting a message transmitted between the sender and the receiver, a computer hacker gaining unauthorized access to the organization’s network, and a denial-of-service attack from a remote location on the Internet.

11. What are the risks from equipment failure?

Response: The risks from equipment failure include the fact that transmissions between senders and receivers can be disrupted, destroyed, or corrupted. Equipment failure can also result in the loss of databases and programs stored on the network server.

12. What is a firewall?

Response: A firewall is a system that enforces access control between two networks. Firewalls can be used to authenticate an outside user of the network, verify his or her level of access authority, and then direct the user to the program, data, or service requested. In addition to insulating the organization’s network from external networks, firewalls can also be used to insulate portions of the organization’s intranet from internal access.

13. Distinguish between network-level and application-level firewalls.

Response: A network-level firewall accepts or denies access requests based on filtering rules, and then directs the incoming calls to the correct internal receiving node. Network-level firewalls are insecure because they are designed to facilitate the free flow of information rather than restrict it. A network-level firewall does not explicitly authenticate outside users.

Application-level firewalls provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks. Application-level firewalls also provide comprehensive transmission logging and auditing tools for reporting unauthorized activity.

14. What are the most common forms of contra-security behavior?

Response:

Forgetting passwords and being locked out of the system.

Failing to change passwords on a frequent basis.

The Post-it syndrome, whereby passwords are written down and displayed for others to see.

Simplistic passwords that a computer criminal easily anticipates.

15. What can be done to defeat a DDoS attack?

Response: As a countermeasure to DDoS attacks, many organizations have invested in intrusion prevention systems (IPS) that employ deep packet inspection (DPI) to determine when an attack is in progress. DPI uses a variety of analytical and statistical techniques to evaluate the contents of message packets. It searches the individual packets for protocol noncompliance and employs predefined criteria to decide if a packet can proceed to its destination. This is in contrast to the normal packet inspection that simply checks the header portion of a packet to determine its destination. By going deeper and examining the payload or body of the packet, DPI can identify and classify malicious packets based on a database of known attack signatures. Once classified as malicious, the packet can

16. How does public key encryption work?

Response: Public key encryption uses two different keys: one for encoding messages and the other for decoding them. Each recipient has a private key that is kept secret and a public key that is published. The sender of a message uses the receiver’s public key to encrypt the message. The receiver then uses his or her private key to decode the message. Users never need to share their private keys to decrypt messages, thus reducing the likelihood that they fall into the hands of a criminal.

17. What is a digital envelope?

Response: DES and RSA encryption are used together in what is called a digital envelope. The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.


18. What is a digital signature?

Response: A digital signature is an electronic authentication that cannot be forged. It ensures that the message or document transmitted originated with the authorized sender and that it was not tampered with after the signature was applied. The digital signature is derived from the computed digest of the document that has been encrypted with the sender’s private key.

19. Categorize each of the following as either an equipment failure control or an unauthorized access control:

Response:

a. message authentication: unauthorized access control

b. parity check: equipment failure control

c. call-back device: unauthorized access control

d. echo check: equipment failure control

e. line error: equipment failure control

f. data encryption: unauthorized access control

g. request response technique: unauthorized access control

20. What is DPI?

Response: DPI (deep packet inspection) is a technique that searches individual network packets for protocol non-compliance to decide if a packet can proceed to its destination. DPI can identify and classify malicious packets based on a database of known attack signatures.

21. At what three points in an electronic data interchange transaction and validation process can authorization and validation be accomplished?

Response:

a. At the VAN level: The vendor logon is validated by comparing vendor passwords and IDs against a valid master file.

b. Before being converted: The translation software validates the trading partner’s password and ID against a valid master file.

c. Before processing: The trading partner’s application software references the valid customer and vendor files to validate the transaction.

22. What is packet switching?

Response: The Internet employs communications technologies based on packet switching, whereby messages are divided into small packets for transmission. Individual packets of the same message may take different routes to their destinations. Each packet contains address and sequencing codes so they can be reassembled into the original complete message at the receiving end. The choice of transmission path is determined according to criteria that achieve optimum utilization of the long-distance lines, including the degree of traffic congestion on the line, the shortest path between the end points


23. What is a VPN?

Response: A virtual private network (VPN) is a private network that exists within a public network. VPNs are private from the client’s perspective, but physically share backbone trunks with other users. Maintaining security and privacy in this setting, however, requires encryption and authentication controls.

24. Name three types of addresses used on the Internet.

Response: The Internet uses three types of addresses for communications:

a. e-mail addresses,

b. Web site (URL) addresses, and

c. the addresses of individual computers attached to a network (IP addresses).

25. Describe the elements of an e-mail address.

Response: The format for an e-mail address is USER_NAME@DOMAIN_NAME. There are no spaces between any of the letters. A domain name is an organization’s unique name combined with a top-level domain name, i.e. “com”, “edu”, etc.

26. Networks would be inoperable without protocols. Explain their importance and what functions they perform.

Response: Network protocols are the rules and standards governing the design of hardware and software that permit users of networks manufactured by different vendors to communicate and share data. Without protocols, data transmission between two incompatible systems would be impossible. Protocols facilitate the physical connection between the network devices. Protocols also synchronize the transfer of data between physical devices. They provide a basis for error checking and measuring network performance. They promote compatibility among network devices. Lastly, they promote network designs that are flexible, expandable, and cost-effective.

27. What is the purpose of the TCP portion of TCP/IP?

Response: Transfer Control Protocol (TCP) ensures that the total number of bytes transmitted is equal to the total number of bytes received.

28. What does the HTTP do?

Response: Hypertext Transfer Protocol (HTTP) controls Web browsers that access the Web. When the user clicks on a link to a Web page, a connection is established, the Web page is displayed, then the connection is broken.

29. How do HTTP and HTTP-NG differ?

Response: HTTP-NG is the new generation of the Hypertext Transfer Protocol. It is an enhanced version of the HTTP protocol that maintains the simplicity of HTTP while adding important features such as security and authentication.

30. What is a digital certificate? How is it different from a digital signature?

Response: A digital certificate is used to verify the sender’s identity. It is issued by a trusted third party called a certification authority (CA). A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message. The process for certification varies depending on the level of certification desired. A digital signature proves that the message received was indeed sent by the sender, and was not tampered with during transmission. However, it does not prove that the sender is who he or she claims to be. The sender could be an impersonator. The digital certificate proves the identity of the sender.

31. What is a certification authority, and what are the implications for the accounting profession?

Response: A certification authority is an independent and trusted third party empowered with responsibility to vouch for the identity of organizations and individuals engaging in Internet commerce. The question then becomes, who vouches for the CA? How does one know that the CA who awarded a seal of authenticity to an individual is itself reputable and was meticulous in establishing his or her identity? These questions hold specific implication for the accounting profession. Since they enjoy a high degree of public confidence, public accounting firms are natural candidates for certification authorities.

Discussion Questions

1. Why is human behavior considered one of the biggest potential threats to operating system integrity?

Response: Unfortunately, some computer hackers enjoy the challenge of creating devices, such as viruses and logic bombs, to damage systems. They gain nothing of monetary or financial value; they just enjoy knowing they accomplished their goal of penetrating and affecting an operating system.


2. Why would a systems programmer create a back door if he or she has access to the program in his or her day-to-day tasks?

Response: A back door is created so that the programmer may gain future access to the program without needing a user password (in other words after the programmer no longer has a valid password). The backdoor may be used legitimately to gain easy access to perform maintenance or it may be used by a programmer who has no legitimate reason to be accessing the system in that manner or at all.

3. Discuss the issues that need to be considered before implementing keystroke monitoring.

Response: Keystroke monitoring is the computer equivalent of a telephone wiretap. Whereas some situations may justify this level of surveillance, keystroke monitoring may also be regarded as a violation of privacy. Before implementing this type of control, management and auditors should consider the possible legal, ethical, and behavioral implications.

4. Explain how an access token and an access control list are used to approve or deny access.

Response: When a log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The information in the access token is used to approve all actions the user attempts during the session.

An access control list is assigned to each IT resource (computer directory, data file, program, or printer), which controls access to the resources. These lists contain information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.
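The token-versus-ACL comparison described in Review Questions 3, 5 and 6 and in this answer, written out as a small Python model. This is an added illustration, not code from the solution manual or the textbook: the user names, groups and the general-ledger resource are constructed, and the grant rule (only the owner may extend privileges) is the discretionary access control of Review Question 6. Every decision is also written to a list that stands in for the event log of Review Question 7.

```python
from dataclasses import dataclass, field

# Added illustration (not code from the solution manual): an access token
# built at logon, an access control list attached to a resource, and the
# comparison the operating system makes on each access attempt.


@dataclass(frozen=True)
class AccessToken:
    user_id: str
    group: str
    privileges: frozenset  # actions this user holds system-wide, e.g. {"read", "write"}


@dataclass
class AccessControlList:
    resource: str
    owner: str
    entries: dict = field(default_factory=dict)  # principal (user or group) -> allowed actions

    def grant(self, grantor: AccessToken, principal: str, actions) -> None:
        """Discretionary access control: only the resource owner may hand out privileges."""
        if grantor.user_id != self.owner:
            raise PermissionError(f"{grantor.user_id} does not own {self.resource}")
        self.entries[principal] = frozenset(actions)


ACCESS_LOG = []  # event-monitoring record of every access decision


def check_access(token: AccessToken, acl: AccessControlList, action: str) -> bool:
    """Compare the ID and privileges in the token with the ACL; grant only on a match."""
    if token.user_id == acl.owner:
        allowed = token.privileges  # the owner keeps full rights to its own resource
    else:
        # An ACL entry may name the user directly or the user's group.
        allowed = acl.entries.get(token.user_id) or acl.entries.get(token.group) or frozenset()
    granted = action in allowed and action in token.privileges
    ACCESS_LOG.append((token.user_id, acl.resource, action, "granted" if granted else "denied"))
    return granted


def demo():
    # Constructed users: the controller owns the ledger, two managers want access.
    controller = AccessToken("controller", "finance", frozenset({"read", "write"}))
    budget_mgr = AccessToken("budget_mgr", "budgeting", frozenset({"read", "write"}))
    ap_mgr = AccessToken("ap_mgr", "payables", frozenset({"read", "write"}))

    ledger = AccessControlList("general_ledger", owner="controller")
    ledger.grant(controller, "budget_mgr", {"read"})         # read-only for budgeting
    ledger.grant(controller, "ap_mgr", {"read", "write"})    # read and write for payables

    results = {
        "budget_read": check_access(budget_mgr, ledger, "read"),
        "budget_write": check_access(budget_mgr, ledger, "write"),
        "ap_write": check_access(ap_mgr, ledger, "write"),
    }
    # A non-owner trying to extend its own privileges is refused outright.
    try:
        ledger.grant(budget_mgr, "budget_mgr", {"write"})
        results["self_grant"] = True
    except PermissionError:
        results["self_grant"] = False
    return results


if __name__ == "__main__":
    print(demo())
    for entry in ACCESS_LOG:
        print(entry)
```

The budgeting manager holds "write" in the token but not in the ledger's ACL entry, so the write is denied even though the token alone would allow it; both sides of the comparison must agree, which is the point of the answer above.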

5. Explain how a Trojan horse may be used to penetrate a system.

Response:

A Trojan horse is a program whose purpose is to capture IDs and passwords from unsuspecting users. These programs are designed to mimic the normal log-on procedures of the operating system. When the user enters his or her ID and password, the Trojan horse stores a copy of them in a secret file. At some later date, the author of the Trojan horse uses these IDs and passwords to access the system and masquerade as an authorized user.

6. Discuss six ways in which threats from destructive programs can be substantially reduced through a combination of technology controls and administrative procedures.

Response: The following are examples of controls and procedures that can reduce the threat from destructive programs:

i. Purchase software only from reputable vendors and accept only those products that are in their original, factory-sealed packages.


ii. Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.

iii. Examine all upgrades to vendor software for viruses before they are implemented.

iv. Inspect all public-domain software for virus infection before using.

v. Establish entity-wide procedures for making changes to production programs.

vi. Establish an educational program to raise user awareness regarding threats from viruses and malicious programs.

vii. Install all new applications on a standalone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or LAN server.

viii. Routinely make backup copies of key files stored on mainframes, servers, and workstations.

ix. Wherever possible, limit users to read and execute rights only.

x. Require protocols that explicitly invoke the operating system’s logon procedures in order to bypass Trojan horses. Some operating systems allow the user to directly invoke the operating system logon procedure by entering a key sequence such as CTRL + ALT + DEL. The user then knows that the logon procedure on the screen is legitimate.

xi. Use antiviral software (also called vaccines) to examine application and operating system programs for the presence of a virus and remove them from the affected program.

7. Explain the three ways in which audit trails can be used to support security objectives.

Response: Audit trails can be used to support security objectives in three ways:

i. detecting unauthorized access to the system,

ii. reconstructing events, and

iii. promoting personal accountability.

DETECTING UNAUTHORIZED ACCESS. Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine if unauthorized access was accomplished, or attempted and failed.

RECONSTRUCTING EVENTS. Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future.


PERSONAL ACCOUNTABILITY. Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behavior. Individuals are less likely to violate an organization’s security policy if they know that their actions are recorded in an audit log. An audit log can also serve as a detective control to assign personal accountability for actions taken. Serious errors and the abuse of authority are of particular concern.


8. Explain how poorly designed audit trail logs can actually be dysfunctional.

Response: Audit logs can generate data in overwhelming detail. Important information can easily get lost among the superfluous details of daily operation. Protecting exposures with the potential for material financial loss should drive management’s decision as to which users, applications, or operations to monitor, and how much detail to log. As with all controls, the benefits of audit logs must be balanced against the costs of implementing them.

9. Many authorities believe that the employer does not prosecute 90 percent of all computer fraud acts. What do you think accounts for this lack of prosecution? Discuss the importance of the establishment of a formal policy for taking disciplinary (or legal) action against security violations.

Response: A common belief by management of publicly traded firms is that the public will perceive fraudulent acts that have taken place as a sign of control weaknesses. The management teams may prefer to handle the computer fraud by dismissal of the employee rather than have the stockholders and analysts lose faith in the internal control procedures of the firm. Unfortunately, this type of behavior by employers sends the wrong message to potential perpetrators. The message from top management needs to be clear regarding fraudulent acts: they will not be tolerated and any acts will be prosecuted. The message means absolutely nothing if the firm does not back up this policy with actions if such crimes are committed.

10. How can passwords actually circumvent security? What actions can be taken to minimize this?

Response: Users may share their passwords, write down their passwords, or use easily guessed passwords. Protection against these security breaches includes software that allows only smart passwords and one-time passwords used in conjunction with smart cards.

11. Explain how the one-time password approach works.

Response: Under this approach, the user’s password changes continuously. To access the operating system, the user must provide both a secret reusable personal identification number (PIN) and the current one-time only password for that point in time. One technology employs a credit-card-sized device (smart card) that contains a microprocessor programmed with an algorithm that generates, and visually displays, a new and unique password every 60 seconds. The card works in conjunction with special authentication software located on a mainframe host or network server computer. At any point in time both the smart card and the network software are generating the same password for the same user. To access the network, the user enters the PIN followed by the current password displayed on the card. The password can be used one time only.
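The scheme in this answer, as an added Python example (not the textbook's code, and not any particular vendor's card): the card and the authentication software share a secret programmed at issue time and both derive the same password from the current 60-second interval, so neither has to send the password ahead of time. The secret, PIN, user name and timestamps are constructed; the HMAC-and-truncate step is an assumption about how the card's algorithm could be built, in the style of HOTP/TOTP, since the answer does not say how the card computes its display.

```python
import hashlib
import hmac
import struct

# Added example, not from the solution manual: a time-synchronised one-time
# password. Card and server share a secret and agree on a 60-second clock step.
STEP_SECONDS = 60


def otp_for(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Password the card displays during the 60-second interval containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Dynamic truncation (HOTP-style): pick 4 bytes at an offset given by the last nibble.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthServer:
    """Stand-in for the authentication software on the host or network server."""

    def __init__(self, users):
        self.users = users    # user_id -> (pin, card_secret)
        self.used = set()     # (user_id, interval) pairs already consumed

    def login(self, user_id: str, pin: str, password: str, unix_time: int) -> bool:
        record = self.users.get(user_id)
        if record is None:
            return False
        stored_pin, secret = record
        interval = unix_time // STEP_SECONDS
        # Both the reusable PIN and the current one-time password must be right.
        if not hmac.compare_digest(stored_pin, pin):
            return False
        if not hmac.compare_digest(otp_for(secret, unix_time), password):
            return False
        # A password is accepted once only, even within its own 60-second window.
        if (user_id, interval) in self.used:
            return False
        self.used.add((user_id, interval))
        return True


def demo():
    secret = b"constructed-card-secret"          # programmed into the card at issue
    server = AuthServer({"alice": ("4321", secret)})
    t = 1_700_000_000                            # constructed timestamp
    card_display = otp_for(secret, t)            # what the card shows at time t
    return {
        "first_use": server.login("alice", "4321", card_display, t),
        "replay": server.login("alice", "4321", card_display, t + 10),       # same window, reused
        "wrong_pin": server.login("alice", "0000", otp_for(secret, t + 60), t + 60),
        "stale": server.login("alice", "4321", card_display, t + 120),       # two windows later
    }


if __name__ == "__main__":
    print(demo())
```

The replay case is the check the answer's last sentence calls for: the password is still "correct" ten seconds later, but the server has already consumed that interval for that user and refuses it.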

12. Explain how smurf attacks and SYN flood attacks can be controlled.


Response: In the case of a smurf attack, the targeted organization can program their firewall to ignore all communication from the attacking site, once the attacker's IP address is determined. In the case of SYN flood, two things can be done:

i. Internet hosts can program their firewalls to block outbound message packets that contain invalid internal IP addresses.

ii. Security software can scan for half-open connections that have not been followed by an ACK packet. The clogged ports can then be restored to allow legitimate connections to use them.

13. Discuss the risks from equipment failure and how they can be controlled.

Response:

Risks: Transmissions between senders and receivers can be disrupted, destroyed, or corrupted by equipment failures in the communications system. Equipment failure can also result in the loss of databases and programs stored on the network server. The most common problem in data communications is data loss due to line error. The bit structure of the message can be corrupted through noise on the communications lines. Noise is comprised of random signals that can interfere with the message signal when they reach a certain level.

Controls:

i. Echo Check. The echo check involves the receiver of the message returning the message to the sender. The sender compares the returned message with a stored copy of the original. If there is a discrepancy between the returned message and the original, suggesting a transmission error, the message is retransmitted.

ii. Parity Check. The parity check incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted. The value of the parity bit (1 or 0) is determined by the bit value of the character being transmitted. Parity can be both vertical and horizontal (longitudinal). When the message is received, the parity is checked again. A discrepancy in the parity bit value that is recalculated at the receiving end indicates that a bit value in the character was changed during transmission.

iii. Network Backup. Data backup in networks is accomplished in several different ways depending on the network’s complexity.
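The echo check and the parity check from the controls above, as an added Python example that is not part of the solution manual. It builds the vertical (per-character) and longitudinal (per-column) parity bits for a constructed three-character message, flips one bit "in transit", and shows which row and column the receiver's recomputation flags; it then flips a second bit in the same character to show the caveat that vertical parity alone misses an even number of errors while the longitudinal check still catches them. Even parity and the message "PAY" are assumptions for the example.

```python
# Added example, not from the solution manual: echo check plus vertical and
# longitudinal (even) parity over a constructed message.


def parity_bit(bits: str) -> str:
    """Even parity: the extra bit makes the number of 1s even."""
    return "1" if bits.count("1") % 2 else "0"


def parity_tags(message: bytes):
    """Return (vertical, longitudinal): one bit per character, one check character per column."""
    rows = [format(b, "08b") for b in message]
    vertical = "".join(parity_bit(r) for r in rows)
    columns = ["".join(r[i] for r in rows) for i in range(8)]
    longitudinal = "".join(parity_bit(c) for c in columns)
    return vertical, longitudinal


def parity_check(received: bytes, vertical: str, longitudinal: str):
    """Recompute parity at the receiving end; return the row and column indexes that disagree."""
    rv, rl = parity_tags(received)
    bad_rows = [i for i in range(len(received)) if rv[i] != vertical[i]]
    bad_cols = [i for i in range(8) if rl[i] != longitudinal[i]]
    return bad_rows, bad_cols


def echo_check(sent: bytes, channel) -> bool:
    """Receiver echoes the message back; sender compares it with its stored copy."""
    echoed = channel(sent)
    return echoed == sent


def flip_bit(data: bytes, byte_index: int, bit_index: int) -> bytes:
    """Simulated line noise: invert one bit (bit 0 is the least significant)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit_index
    return bytes(out)


def demo():
    original = b"PAY"                                 # constructed message
    vertical, longitudinal = parity_tags(original)    # sent alongside the data
    single = flip_bit(original, 1, 0)                 # one bit of the second character corrupted
    double = flip_bit(single, 1, 1)                   # a second flip in the same character
    return {
        "clean": parity_check(original, vertical, longitudinal),
        "single": parity_check(single, vertical, longitudinal),
        "double": parity_check(double, vertical, longitudinal),
        "echo_clean": echo_check(original, lambda m: m),
        "echo_noisy": echo_check(original, lambda m: flip_bit(m, 1, 0)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Column index 7 is the least-significant bit position of every character, so the single-bit case reports row 1 and column 7, which together locate the corrupted bit. In the double-flip case the row's count of 1s is even again and its vertical parity passes; only the longitudinal check reports columns 6 and 7, which is why the answer lists both forms.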


14. Does every organization that has a LAN need a firewall?

Response: Firewalls can provide protection against unauthorized access by both internal and external intruders depending on the type of firewall. An organization with a LAN with NO connections to ANY external networks may be safe without firewalls, but some sort of network security is necessary for multiple users.

15. Describe three ways in which IPS can be used to protect against DDoS attacks.

Response:

i. IPS can work inline with a firewall at the perimeter of the network to act as a filter that removes malicious packets from the flow before they can affect servers and networks.

ii. IPS may be used behind the firewall to protect specific network segments and servers.

iii. IPS can be employed to protect an organization from becoming part of a botnet by inspecting outbound packets and blocking malicious traffic before it reaches the Internet.
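An added Python example, not from the solution manual, that contrasts the header-only filtering of Review Questions 15 and 20 with deep packet inspection, and that also covers the outbound checks in this answer (point iii) and in Discussion Question 12 (blocking outbound packets with invalid internal source addresses). The packets, the internal address range, the allowed ports and the two "signatures" are all constructed; the signature database of a real IPS is far larger and is the product's own.

```python
import re
from dataclasses import dataclass

# Added example, not from the solution manual: header inspection versus deep
# packet inspection over constructed packets.


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    direction: str   # "inbound" or "outbound"
    payload: bytes


ALLOWED_INBOUND_PORTS = {80, 443}   # constructed perimeter rule
INTERNAL_NET = "10.0.0."            # constructed internal address range

# Constructed signature database: label -> pattern matched against the payload.
SIGNATURES = {
    "oversized-http-method": re.compile(rb"^[A-Z]{16,} "),          # protocol non-compliance
    "known-bad-marker": re.compile(rb"constructed-attack-marker"),  # stand-in for a known signature
}


def header_inspection(p: Packet) -> str:
    """Ordinary packet filtering: decide from addresses and ports only."""
    if p.direction == "inbound" and p.dst_port not in ALLOWED_INBOUND_PORTS:
        return "drop:port"
    if p.direction == "outbound" and not p.src.startswith(INTERNAL_NET):
        return "drop:spoofed-source"   # egress rule from Discussion Question 12
    return "pass"


def deep_packet_inspection(p: Packet) -> str:
    """DPI: apply the header rules, then classify the payload against known signatures."""
    verdict = header_inspection(p)
    if verdict != "pass":
        return verdict
    for label, pattern in SIGNATURES.items():
        if pattern.search(p.payload):
            return f"drop:{label}"
    return "pass"


def demo():
    packets = [   # constructed traffic; addresses are documentation ranges
        Packet("198.51.100.7", "10.0.0.5", 443, "inbound", b"GET /index.html HTTP/1.1\r\n"),
        Packet("198.51.100.7", "10.0.0.5", 23, "inbound", b"login"),
        Packet("198.51.100.7", "10.0.0.5", 80, "inbound", b"AAAAAAAAAAAAAAAAAAAAAAAA /"),
        Packet("10.0.0.9", "203.0.113.4", 80, "outbound", b"constructed-attack-marker"),
        Packet("192.0.2.1", "203.0.113.4", 80, "outbound", b"hello"),
    ]
    return [(header_inspection(p), deep_packet_inspection(p)) for p in packets]


if __name__ == "__main__":
    for verdicts in demo():
        print(verdicts)
```

The third and fourth packets are the ones the answer is about: both pass header inspection because their ports and addresses are in order, and only the payload check separates them from legitimate traffic. The fourth is outbound from an internal host, the case where an IPS keeps the organization's own machines from taking part in an attack.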

16. What problem is common to all private key encryption techniques?

Response: The more individuals who need to know the private key, the greater the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she can intercept and decipher coded messages.


17. What is RSA encryption?

Response: RSA (Rivest-Shamir-Adleman) is a highly secure public key cryptography method. This method is, however, computationally intensive and much slower than standard DES encryption. Sometimes, both DES and RSA are used together in what is called a digital envelope. The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.

18. Explain the triple-DES encryption techniques known as EEE3 and EDE3.

Response: EEE3 uses three different keys to encrypt the message three times. EDE3 uses one key to encrypt the message. A second key is used to decode it. The resulting message is garbled because the key used for decoding is different from the one that encrypted it. Finally, a third key is used to encrypt the garbled message. The use of multiple keys greatly reduces the chances of breaking the cipher. Triple DES encryption is thought to be very secure and is used by major banks to transmit transactions. Unfortunately, it is also very slow.

19. Distinguish between a digital signature and a digital certificate.

Response: A digital signature is electronic authentication that cannot be forged. It ensures that the message or document transmitted originated with the authorized sender and that it was not tampered with after the signature was applied. The digital signature is derived from the computed digest of the document that has been encrypted with the sender’s private key. This process proves that the message received was indeed sent by the sender and was not tampered with during transmission. However, it does not prove that the sender is who he or she claims to be. The sender could be an impersonator.

A digital certificate, which is issued by a trusted third party called a certification authority (CA), is used to verify the sender’s identity. A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message. The process for certification varies depending on the level of certification desired. It involves establishing one’s identity with formal documents such as a driver’s license, notarization, and fingerprints and proving one’s ownership of the public key. After verifying the owner’s identity the CA creates the certification, which is the owner’s public key and other data that has been digitally signed by the CA.

20. Describe a digest within the context of a digital signature.

Response: A digest is a mathematical value calculated from the text content of a message. The sender uses a one-way hashing algorithm to calculate a digest of the text message. The digest is then encrypted using the sender’s private key to produce the digital signature.

21. What is a digital envelope?

Response: Sometimes DES and RSA are used together to create a digital envelope that is both more secure and faster than using RSA encryption alone. The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.

22. Why is inadequate segregation of duties a problem in the personal computer environment?

Response: An employee may have access to multiple applications that process incompatible transactions. For example, a single individual may be responsible for entering all transaction data, including sales orders, cash receipts, invoices, and disbursements. This degree of authority would be similar, in a manual system, to assigning accounts receivable, accounts payable, cash receipts, cash disbursement, and general ledger responsibility to the same person. The exposure is compounded when the operator is also responsible for the development (programming) of the applications that he or she runs.

23. Why is the request-response technique important? Discuss the reasons an intruder may wish to prevent or delay the receipt of a message.

Response: Under the request-response technique, the sender transmits a control message and the receiver returns a response at periodic, synchronized intervals. Because the timing and number of these exchanges are known in advance, a missing or late response reveals that an intruder is intercepting, suppressing, or delaying traffic. An intruder might intercept data such as credit card numbers and expiration dates, or bank debit card numbers and personal identification numbers, in order to use this data to commit crimes. Another possibility is that sales orders could be intercepted and destroyed, or simply held back, in a malicious attempt to sever customer-supplier relations.

24. Discuss how the widespread use of laptop and notebook computers is making data encryption standards more easily penetrable.

Response: Business travelers with laptop and notebook computers are only beginning to realize how carefully they must safeguard their computers while traveling on subways, planes, and in cars, and while staying in hotels. Theft of these computers is a serious problem, and they are stolen as often for the information on their hard drives as for their resale value. Unfortunately, a stolen computer often comes with its encryption keys: the DES keys may be on floppy diskettes stored in the carrying case, which is usually stolen along with the machine, or they may be on the hard drive itself. Whoever holds the key can decrypt the messages, so the strength of the encryption standard itself is irrelevant. Keeping keys off the device, or protecting them with a passphrase, and encrypting the stored data itself are the controls that address this exposure.

25. Discuss the unique control problems EDI creates.

Response: One problem is ensuring that transactions are authorized and valid. Both the customer and the supplier must establish that the transaction being processed is with a valid trading partner and is an authorized transaction. Another problem is that, in most situations, the trading partners must agree to give each other access to files that were previously entirely internal documents, such as inventory files. Prior to EDI, firms did not exchange inventory file data. Thus, the accuracy of these files at all times is crucial. Further, these files should not be allowed to be altered, in any fashion, by the trading partner’s computer. Only the organization’s own application programs should be allowed to process inventory records.

26. “In an EDI system, only the customer needs to verify that the order being placed is from a valid supplier and not vice versa.” Do you agree with this statement? Why or why not?

Response: No. The supplier needs to verify that the purchaser is a valid purchaser and has authorization to scan the inventory file.

27. Discuss how EDI creates an environment in which sensitive information, such as inventory amounts and price data, is no longer private. What potential dangers exist if the proper controls are not in place? Give an example.

Response: In an EDI environment, the selling firm opens up previously considered private files, such as inventory and in some cases the master production schedule, to the customer’s order system so that the inventory status can be checked. If the proper controls are not in place, a perpetrator could alter these records so that inventory is shown to be lower than it actually is, and the organization could lose orders as the customer contacts another vendor. If this situation went undetected for a length of time, the organization could have such a decline in sales and loss in customer base that it could be forced out of business.

28. What purpose do protocols serve?

Response: Protocols serve network functions in several ways.

First, they facilitate the physical connection between the network devices. Through protocols, devices are able to identify themselves to other devices as legitimate network entities, and thus initiate (or terminate) a communications session.

Second, protocols synchronize the transfer of data between physical devices. This involves defining the rules for initiating a message, determining the data transfer rate between devices, and acknowledging message receipt.

Third, protocols provide a basis for error checking and measuring network performance. This is done by comparing measured results against expectations. For example, performance measures pertaining to storage device access times, data transmission rates, and modulation frequencies are critical to controlling the network’s function. The identification and correction of errors thus depends on protocol standards that define acceptable performance.

Fourth, protocols promote compatibility among network devices. To successfully transmit and receive data, the various devices involved in a particular session must conform to a mutually acceptable mode of operation, such as synchronous or asynchronous and duplex or half-duplex. Without protocols to provide such conformity, messages sent between devices will be distorted and garbled.

Finally, protocols promote network designs that are flexible, expandable, and cost-effective. Users are free to change and enhance their systems by selecting from the best offerings of a variety of vendors. Manufacturers must, of course, construct these products in accordance with established protocols.

29. Explain the purpose of the two elements of TCP/IP.

Response: The TCP portion of TCP/IP supports the transport function of the OSI model: it numbers and acknowledges the bytes sent, so that everything transmitted is received in order, and it retransmits whatever is lost. The IP component provides the routing mechanism and supports the network layer of the OSI model. Every server and computer in a TCP/IP network requires an IP address, which is either permanently assigned or dynamically assigned at startup. Each IP packet carries a network address and is routed between networks on that basis. IP receives message packets from the transport protocol and delivers them to the data link layer.

30. Distinguish between the FTP and TELNET protocols.

Response: FTP (File Transfer Protocol) is used to transfer text files, programs, spreadsheets, and databases across the Internet. TELNET is a terminal emulation protocol used on TCP/IP-based networks. It allows users to run programs and review data from a remote terminal or computer. Telnet is an inherent part of the TCP/IP communications protocol. While both protocols deal with data transfer, FTP is useful for downloading entire files from the Internet; TELNET is useful for perusing a file of data as if the user were actually at the remote site. Both, as originally designed, send user names, passwords, and data in cleartext, so an auditor should expect to see them replaced by encrypted alternatives such as SSH and SFTP or tunneled over an encrypted connection.

31. Distinguish between a network-level firewall and an application-level firewall.

Response: Network-level firewalls provide efficient but low-security access control. This type of firewall consists of a screening router that examines the source and destination addresses (and usually the port numbers) attached to incoming message packets. The firewall accepts or denies packets according to filtering rules that have been programmed into it, and directs accepted packets to the correct internal receiving node. Network-level firewalls offer limited security because they are designed to facilitate the free flow of information rather than restrict it, they inspect packet headers rather than content, and they do not explicitly authenticate outside users; a source address can be forged.

Application-level firewalls provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks. Application-level firewalls also provide comprehensive transmission logging and auditing tools for reporting unauthorized activity.

32. What is a certification authority, and what are the implications for the accounting profession?

Response: A certification authority is an independent and trusted third party empowered with responsibility to vouch for the identity of organizations and individuals engaging in Internet commerce. The question then becomes, who vouches for the CA?

How does one know that the CA who awarded a seal of authenticity to an individual is itself reputable and was meticulous in establishing his or her identity? These questions hold specific implication for the accounting profession. Since they enjoy a high degree of public confidence, public accounting firms are natural candidates for certification authorities.

33. Discuss the key aspects of the following five seal-granting organizations: BBB, TRUSTe, Veri-Sign, Inc., ICSA, and AICPA/CICA WebTrust.

Response:

Better Business Bureau. The Better Business Bureau (BBB) is a non-profit organization that has been promoting ethical business practices through self-regulation since 1912. BBB has extended its mission to the Internet through a wholly owned subsidiary called BBBOnline, Inc. To qualify for the BBBOnline seal an organization must:

Become a member of BBB.

Provide information about the company’s ownership, management, address, and phone number; this is verified by a physical visit to the company’s premises.

Be in business for at least one year.

Promptly respond to customer complaints.

Agree to binding arbitration for unresolved disputes with customers.

The assurance provided by BBBOnline relates primarily to concerns about business policies, ethical advertising, and consumer privacy. BBBOnline does not verify controls over transaction-processing integrity and data-security issues.

TRUSTe. Founded in 1996, TRUSTe is a non-profit organization dedicated to improving consumer privacy practices among Internet businesses and Web sites. To qualify to display the TRUSTe seal the organization must:

Agree to follow TRUSTe privacy policies and disclosure standards.

Post a privacy statement on the Web site disclosing the type of information being collected, the purpose for collecting information, and with whom it is shared.

Promptly respond to customer complaints.

Agree to site-compliance reviews by TRUSTe or an independent third party.

TRUSTe addresses consumer privacy concerns exclusively and provides a mechanism for posting consumer complaints against its members. If a member-organization is found to be out of compliance with TRUSTe standards, its right to display the trust seal may be revoked.

Veri-Sign, Inc. Veri-Sign, Inc. was established as a for-profit organization in 1995. Veri-Sign, Inc. provides assurance regarding the security of transmitted data. The organization does not verify security of stored data or address concerns related to business policies, business processes, or privacy. Its mission is to “provide digital certificate solutions that enable trusted commerce and communications.” Its products allow customers to transmit encrypted data and verify the source and destination of transmissions. Veri-Sign, Inc. issues three classes of certificates to individuals, businesses, and organizations. To qualify for class-three certification the individual, business, or organization must provide a third-party confirmation of name, address, telephone number, and Web site domain name.

ICSA. The International Computer Security Association (ICSA) established its Web Certification Program in 1996. ICSA certification addresses data security and privacy concerns. It does not deal with concerns about business policy and business processes. Organizations that qualify to display the ICSA seal have undergone an extensive review of firewall security against outside hackers. Organizations must be recertified on an annual basis and undergo at least two surprise checks each year.

AICPA/CICA WebTrust. The AICPA and CICA established the WebTrust program in 1997. To display the AICPA/CICA WebTrust seal the organization must undergo an examination according to the AICPA’s Standards for Attestation Engagements, No. 1, by a specially Web-certified CPA or CA. The examination focuses on the areas of business practices (policies), transaction integrity (business process), and information protection (data security). The seal must be renewed every 90 days.

32. Differentiate between a LAN and a WAN. Do you have either or both at your university or college?

Response: The primary difference between LANs and WANs is the geographic area coverage. LANs are typically confined to a single room, floor, or building. WANs are used to connect various LANs and computing centers that are geographically dispersed across distances that range from less than a mile to transcontinental.

Multiple-Choice Questions

1. B

2. A

3. A

4. C

5. A

6. A

7. C

8. C

9. B

10. D

11. B

Problems

1. Operating System and Network Control

Required: Describe a well-controlled system in terms of access controls for a major insurance company that equips each salesperson with a laptop.

Response: The company needs to make sure that the following items are included in its system design:

Encryption of sensitive data transmitted between the salespeople’s laptops and the home office computer over the network.

Access controls for files on the home office computer.

Access controls for data stored on the laptops’ hard drives, together with encryption of that data, since a laptop can be lost or stolen.

Back-up policy and procedures for data on the home office computer and on the laptops.

Virus protection for the home office computer and for the laptops.

2. Operation System Controls

Required:

a. What internal control problems do you find?

Response: There are several security control problems within MM’s operating system. First, access control is a problem because there is no effective protection against unauthorized users. There is also exposure to malicious and destructive programs; controls that combine technology and administrative procedures need to be implemented. Finally, there is a lack of audit trail controls, which are needed to support proper accounting records.

b. How can MM improve internal controls?

Response: To address the security issues in part a, MM should implement additional controls. System security must ensure that access privileges are assigned only to legitimate users. Password controls should be implemented (reusable passwords at a minimum, with stronger one-time passwords for sensitive accounts such as the managers’) to protect against unauthorized users. Controls against malicious programs include purchasing software only from reputable vendors, inspecting all public-domain software for viruses before use, and establishing entity-wide procedures for acquiring and installing software. Backup copies of servers, mainframes, and workstations should be made. Antiviral software should be installed, and the log-on procedure should be designed so that a Trojan horse program cannot capture user IDs and passwords. Finally, audit trail controls can be improved with detailed logs of individual keystrokes and an event-oriented log. These improvements would let Mr. Rollerball reconstruct the session of any user suspected of tampering with the computer system.

3. Internal Control and Fraud

Required: What control technique(s) discussed in this chapter could you use to help detect this type of fraud?

Response: If the company uses a call-back device, Charles Hart’s home phone should not be on the approved phone list. Since Charles is an hourly worker, he should not be expected to take work home with him. Further, a transaction log listing the time of data input and the user ID would be informative to Charles’ supervisor. If Charles has not been approved for overtime during the past month, and his supervisor notices that he has entered transactions into the system late in the evening, the supervisor should investigate. A system log of user log-ins by time would also be useful.
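The transaction-log review described above, as an added Python example that is not from the solution manual. It parses constructed log lines of the form the answer describes (timestamp, user ID, transaction) and flags entries made outside working hours by hourly staff who have no overtime approval, plus entries from user IDs that are not on the staff list. The log lines, the user records, the user IDs (including "chart"), and the 08:00 to 18:00 weekday working window are all assumptions made for the illustration.

```python
# Added example (not the solution manual's code): review a constructed transaction
# log for after-hours entries by hourly staff without overtime approval, the
# pattern the Problem 3 answer says Charles' supervisor should investigate.
from datetime import datetime, time

# Constructed sample log: "timestamp<TAB>user_id<TAB>transaction". Not real data.
SAMPLE_LOG = """\
2009-03-02 09:14:05\tchart\tAR payment posted cust 1182
2009-03-02 22:41:17\tchart\tvendor added V-7731
2009-03-02 22:43:50\tchart\tAP invoice V-7731 $4,800.00
2009-03-03 11:02:40\tsys01\tAP invoice V-7731 approved
2009-03-03 16:55:12\tjlee\tAR payment posted cust 2210
2009-03-03 20:10:33\tjlee\tmonth-end close run
2009-03-04 23:02:08\tchart\tAP invoice V-7731 $4,800.00
"""

# Constructed staff data: pay basis and whether overtime was approved this period.
USERS = {
    "chart": {"pay": "hourly", "overtime_approved": False},
    "jlee": {"pay": "salaried", "overtime_approved": False},
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed working window, weekdays only

def parse_log(text):
    """Return (timestamp, user, transaction) tuples from the tab-separated log."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tx = line.split("\t", 2)
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, tx))
    return records

def after_hours(ts, window=BUSINESS_HOURS):
    """True outside the working window or on a weekend."""
    start, end = window
    return not (start <= ts.time() < end) or ts.weekday() >= 5

def flag_unapproved_after_hours(text, users=USERS):
    """Return the log entries a supervisor should investigate, in log order."""
    findings = []
    for ts, user, tx in parse_log(text):
        profile = users.get(user)
        if profile is None:
            findings.append((ts, user, tx, "unknown user ID"))
        elif after_hours(ts) and profile["pay"] == "hourly" and not profile["overtime_approved"]:
            findings.append((ts, user, tx, "after-hours entry by hourly staff without overtime approval"))
    return findings

if __name__ == "__main__":
    for ts, user, tx, reason in flag_unapproved_after_hours(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<6} {tx:<32} {reason}")
```

On the constructed log this reports the three late-evening entries by "chart" and the entry from the unlisted ID "sys01"; the 20:10 entry by the salaried user is not flagged. The same review would be far less useful without the transaction log’s user ID and timestamp fields, which is why the answer calls for them.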

4. Internal Control and Fraud

Required: a. What weaknesses in the organization’s control structure must have existed to permit this type of embezzlement?

Response: Control over output documents (the MRP, inventory ordering system, billing, sales order, accounts payable, and operating manuals) was very weak. These documents should not be discarded in a manner that allows anyone to retrieve and read them. Operating system controls were inadequate, since a Trojan horse program was able to capture user IDs and passwords. Management reports reflecting new vendors, new suppliers, and new systems personnel IDs were either not prepared or not carefully reviewed. Reports of changes to the transaction log were likewise either not kept or not reviewed, or the changes would have been noticed.

Required: b. What specific control techniques and procedures could have helped prevent or detect this fraud?

Response: All documentation manuals and system reports should be shredded or incinerated rather than discarded intact. The operating system should have controls that protect it against breaches such as the Trojan horse technique. Reports reflecting any additions to vendors or suppliers should be carefully reviewed by management for accuracy. A periodic list of all systems personnel and their access privileges should be printed and reviewed (never their passwords, which should exist only as salted hashes that no report can print). A sign-off procedure for verification of these reports would send a strong message to the managers that the reports must be carefully reviewed. Transactions on the transaction log, such as sales orders and purchase orders, should be sequentially numbered so that a transaction cannot be deleted without leaving a gap in the sequence.

5. Input Controls and Networking

Required:

a. Identify and explain the data security and integrity problems that can occur.

b. For each problem identified, describe a control procedure that could be employed to minimize or eliminate the problem.

Problem Identification and Explanation, with Control Procedure and Explanation

Problem: Unauthorized access to the reporting system.
Controls:
Establish access privileges based on need.
Implement passwords and password management procedures.
Protect the password file: store passwords as salted hashes rather than in a reversible encrypted form.
Establish a system audit trail.
Employ antiviral software.

Problem: Unauthorized access to the report database.
Controls:
Establish a database authority table based on need.
Assign user views based on need.
Establish user-defined procedures.
Encrypt financial data in the database.

Problem: Unauthorized intrusion into the system and data from the Internet, including denial-of-service attacks.
Controls:
Implement an application-level firewall.
Encrypt financial data in the database.
Use digital signatures.
Implement security software that identifies the half-open connections that indicate a SYN flood.
Use message sequence numbering.
Use security techniques such as request-response and call-back.

Problem: Transmitted data received at corporate headquarters from the reporting units may be corrupted by line errors or other hardware failure.
Controls:
The system should have built-in controls, including echo checks and parity checks, to detect line errors so that corrupted messages are retransmitted.

6. Preventive Controls

Required: For each scenario, discuss the possible damages that can occur. Suggest a preventive control.

Responses:

a. The intruder can then withdraw money from the ATM cardholders’ accounts. (This actually happened in California; the intruder was a systems consultant who had helped to set up the communication system.) The data should be encrypted, with the keys changed periodically and whenever anyone who had access to them, such as the systems consultants, completes the engagement; the security of the system should rest on the secrecy of the keys, not of the algorithm.

b. Noise on the line may be causing line errors, which can result in data loss. Echo checks and parity checks can help to detect and correct such errors.

c. If data is being lost, echo checks and parity checks should also help; however, the problem may be that an intruder is intercepting messages and tampering with them. Message sequence numbering will show whether messages are being lost, and if they are, a request-response technique should be implemented, which is difficult for an intruder to circumvent.

d. If messages are being delayed, an important customer order or other information could be missed. As in item c, message sequence numbering and request-response techniques should be used.

e. Messages altered by intruders can have a very negative impact on customer-supplier relations if orders are being altered. Data encryption prevents the intruder from reading the data, and a digital signature (or other message authentication code) on each message makes any alteration detectable. A message sequence numbering technique is also necessary to make sure that messages are not deleted.
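Two of the detective controls recommended in items c, d and e above, in Question 23 and in the answer to Problem 4b (message sequence numbering and the request-response technique) as an added Python example that is not from the solution manual. It replays a constructed stream of numbered messages to report gaps (lost or deleted messages), replays (re-sent or injected messages) and late arrivals, and checks a constructed series of control requests for missing or late responses. The sequence numbers, timestamps (plain integers standing in for clock times), payloads and the response deadline are assumptions.

```python
# Added example (not the solution manual's code): message sequence numbering and
# the request-response technique, run over a constructed message stream.
from collections import namedtuple

Message = namedtuple("Message", "seq sent_at payload")

def check_sequence(messages, first_expected=1):
    """Replay each message in arrival order; report gaps, replays and late arrivals.

    A gap means messages were lost or deleted in transit; a replay means a message
    was re-sent or injected; 'late' means a lower-numbered message arrived after a
    higher one (delayed, or reordered by an intermediary)."""
    expected = first_expected
    seen = set()
    findings = []
    for m in messages:
        if m.seq in seen:
            findings.append((m.seq, "replay: sequence number already received"))
        elif m.seq < expected:
            findings.append((m.seq, "late: arrived after a higher-numbered message"))
        elif m.seq > expected:
            missing = list(range(expected, m.seq))
            findings.append((m.seq, f"gap: {missing} never arrived"))
            expected = m.seq + 1
        else:
            expected = m.seq + 1
        seen.add(m.seq)
    return findings

def check_request_response(requests, responses, deadline):
    """Request-response: the sender issues numbered control requests at fixed
    intervals and each must be answered within `deadline` time units.  A missing
    or late answer signals that traffic is being blocked or delayed."""
    answered = {r["request_id"]: r["received_at"] for r in responses}
    alarms = []
    for req in requests:
        got = answered.get(req["request_id"])
        if got is None:
            alarms.append((req["request_id"], "no response: link blocked or messages suppressed"))
        elif got - req["sent_at"] > deadline:
            alarms.append((req["request_id"], f"response late by {got - req['sent_at'] - deadline}"))
    return alarms

# Constructed arrival stream: seq 3 missing, seq 4 replayed, seq 6 arrives after 7.
SAMPLE_STREAM = [
    Message(1, 100, "order 7711"),
    Message(2, 101, "order 7712"),
    Message(4, 103, "order 7714"),
    Message(4, 104, "order 7714"),
    Message(5, 105, "order 7715"),
    Message(7, 107, "order 7717"),
    Message(6, 108, "order 7716"),
]

# Constructed control traffic: a request every 10 time units, deadline of 5.
SAMPLE_REQUESTS = [{"request_id": i, "sent_at": 100 + 10 * i} for i in range(4)]
SAMPLE_RESPONSES = [
    {"request_id": 0, "received_at": 102},
    {"request_id": 1, "received_at": 119},   # took 9 units: late
    # request 2 is never answered
    {"request_id": 3, "received_at": 133},
]

if __name__ == "__main__":
    for seq, note in check_sequence(SAMPLE_STREAM):
        print(f"seq {seq}: {note}")
    for rid, note in check_request_response(SAMPLE_REQUESTS, SAMPLE_RESPONSES, deadline=5):
        print(f"request {rid}: {note}")
```

Note that sequence 6 is first reported as a gap and then as a late arrival: at the moment message 7 arrives the receiver cannot tell a delayed message from a deleted one, which is exactly why items c and d pair sequence numbering with the timed request-response exchange.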

7. Operating System Exposures and Controls

Required: For each scenario, discuss the potential consequences and give a prevention technique.

Responses:

a. A potential consequence is that hardware could be damaged if the sprinklers are not strategically placed. Data losses could be incurred as well due to damaged storage tapes. A corporate policy should be in place and strictly enforced banning food and drink from this area. In case the alarms are set off, a water sprinkler system is not appropriate due to the damage it can cause to a computer. The automatic fire extinguishing systems should dispense an appropriate type of suppressant, such as carbon dioxide. Another alternative is to have a warning sound that the automatic fire extinguishing system is going to activate in a certain amount of time (maybe 5 seconds) if an override button is not pushed. In the case of a fire, this will allow the systems personnel time to protect themselves from the suppressant, which will be sprayed.

b. The exposure in this situation is that user IDs and passwords residing in main memory will be dumped and used to gain unauthorized access to the system. One method would be to configure the operating system so that, in the case of a failure, the contents of main memory are dumped to a disk file only. Further, a password, or perhaps a combination of passwords, should be required to retrieve the data from that disk file.

c. Employees that have been terminated should also have their passwords expired immediately. The network should require a password to log on.

d. The potential exposure is that data and/or application programs may ultimately be lost if the virus is not caught before it causes damage. Antivirus software should be placed onto the network server to prevent any files from being uploaded before they are checked for viruses. Also, an antiviral program should examine the network server to detect any viruses.

e. Upon Murray’s announcement that he is leaving, his passwords should be expired immediately. Further, since he has had access to all other users’ passwords, a message should immediately be sent to all users requiring them to change their passwords immediately or have the account expire. The account will have to be re-established with a new password if the user does not change his/her password within the time period, maybe 24 hours. During this 24-hour period, all log on attempts with old passwords should fail; the only action which should be allowed is the changing of the old passwords.

8. Encryption

Required: Determine the key used to produce the coded message and decode it.

Response: Key = +3, Decoded message:

LETS DO JULIUS ON MONDAY MARCH 15

DRESS: TOGA CASUAL (Bring Your Own Dagger)
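The key recovery asked for in Problem 8, as an added Python example that is not from the solution manual. Because the problem’s coded message is not reproduced on this page, the ciphertext is reconstructed here by applying the answer’s key of +3 to the decoded message above; the program then recovers the key without being told it, by scoring all 26 possible shifts against a standard table of English letter frequencies.

```python
# Added example (not the solution manual's code): recover the shift key of
# Problem 8 by scoring all 26 candidate shifts against English letter frequencies.
# The ciphertext is reconstructed from the answer's decoded message and key of +3.
import math
import string

ALPHABET = string.ascii_uppercase

# Relative English letter frequencies (percent), a standard reference table.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 1.0, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.07,
}

def shift(text, key):
    """Caesar shift: letters wrap within the alphabet; case and non-letters are kept."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def decode(ciphertext, key):
    return shift(ciphertext, -key)

def english_score(text):
    """Log-likelihood of the text's letters under the English unigram model."""
    return sum(math.log(ENGLISH_FREQ[c]) for c in text.upper() if c in ENGLISH_FREQ)

def recover_key(ciphertext):
    """Try all 26 keys; the one whose plaintext looks most like English wins.
    Returns (key, plaintext).  Only 26 candidates exist, which is why a shift
    cipher offers no real protection against anyone who can run this loop."""
    candidates = ((english_score(decode(ciphertext, k)), k) for k in range(26))
    best_score, best_key = max(candidates)
    return best_key, decode(ciphertext, best_key)

PLAINTEXT = ("LETS DO JULIUS ON MONDAY MARCH 15\n"
             "DRESS: TOGA CASUAL (Bring Your Own Dagger)")
CIPHERTEXT = shift(PLAINTEXT, 3)   # reconstructed from the answer's key of +3

if __name__ == "__main__":
    print(CIPHERTEXT)
    key, plain = recover_key(CIPHERTEXT)
    print(f"recovered key: +{key}")
    print(plain)
```

The reconstructed ciphertext begins OHWV GR MXOLXV, and the frequency score picks key 3 by a wide margin even on a message this short, which is the practical lesson of the problem: a cipher with a 26-entry key space is a puzzle, not a control.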

9. Security and Control Assessment

Required: Based on BBC’s plans for the implementation of a new computer system, describe the potential risks and needed controls. Classify these according to the relevant areas of the COSO framework.

Response: The potential risks in BBC new computer-based information system are as follows:

Security

BBC should hold a training seminar since most employees will be using the computer system. The purpose of the seminar is to educate users on the policies and procedures of the system and to inform them about viruses and measures they can take to prevent infection.

Virus updates should be performed on a daily basis by the systems administrator rather than on a weekly basis.

If a password is entered incorrectly three times, the system should automatically reject any further entries; this security measure prevents someone from repeatedly guessing at another user’s password. When a lockout occurs, the system should record the date and time, the user ID, and the originating terminal or address in case this information is ever needed in an investigation.

Passwords should be changed at least twice a year. (Current guidance, such as NIST SP 800-63B, instead favors changing passwords when compromise is suspected and screening them against lists of common and previously breached passwords, because frequent forced changes push users toward predictable patterns.) In either case, software should be installed that rejects weak passwords.

Event monitoring should be used for purposes of a systems audit trail. The system will record the user name and then all information regarding the tasks performed during the period that they are logged on.

An upper-level manager should also have access to the transaction log. This will prevent the systems administrator from hiding his or her own fraudulent actions involving the computer system.

To prevent against physical damage in the case of fire, a water sprinkler system is not appropriate due to the damage it can cause to a computer. The automatic fire extinguishing systems should dispense an appropriate type of suppressant, such as carbon dioxide.
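The lockout and weak-password controls listed above, as an added Python example that is not from the solution manual. It implements a three-failure lockout that writes a timestamped audit record for every lockout, every attempt against a locked account and every administrative reset, and a weak-password check that rejects short passwords, passwords with too few character classes and passwords on a blocked list. The thresholds, the blocked-password list, the demonstration credential store and the clock are assumptions.

```python
# Added example (not the solution manual's code): three-strikes lockout with a
# timestamped audit record, and rejection of weak passwords, as the BBC answer calls for.
from datetime import datetime

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "bbc2009"}  # assumed list

def password_weaknesses(candidate, min_length=10):
    """Return the reasons a password is rejected; an empty list means acceptable."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        reasons.append("fewer than three character classes")
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("on the blocked common-password list")
    return reasons

class LoginGuard:
    """Reject further attempts after `max_failures` wrong passwords and keep a
    timestamped audit record.  Verification is delegated to
    `verify_fn(user, password) -> bool`, so the guard never sees stored secrets."""

    def __init__(self, verify_fn, max_failures=3, clock=datetime.now):
        self.verify_fn = verify_fn
        self.max_failures = max_failures
        self.clock = clock
        self.failures = {}
        self.locked = set()
        self.audit_log = []

    def attempt(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if user in self.locked:
            self.audit_log.append((now, user, "attempt on locked account"))
            return "locked"
        if self.verify_fn(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            self.audit_log.append((now, user, f"locked after {self.max_failures} failures"))
            return "locked"
        return "denied"

    def unlock(self, user, administrator):
        """Only an administrator resets a lockout, and the reset itself is logged."""
        self.locked.discard(user)
        self.failures[user] = 0
        self.audit_log.append((self.clock(), user, f"unlocked by {administrator}"))

# Constructed credential store for the demonstration only; a real store holds
# salted hashes, never plaintext.
_DEMO_CREDENTIALS = {"acme": "Vq7!mLp2#sWk"}

def demo_verify(user, password):
    return _DEMO_CREDENTIALS.get(user) == password

def demo_lockout():
    """Three wrong guesses lock the account; even the right password is then refused."""
    guard = LoginGuard(demo_verify)
    results = [guard.attempt("acme", p) for p in ("wrong1", "wrong2", "wrong3", "Vq7!mLp2#sWk")]
    return results, guard.audit_log

if __name__ == "__main__":
    print(password_weaknesses("password"))
    print(password_weaknesses("Vq7!mLp2#sWk"))
    results, log = demo_lockout()
    print(results)
    for when, user, event in log:
        print(f"{when:%Y-%m-%d %H:%M:%S} {user}: {event}")
```

The audit log is what makes the lockout useful to an investigator: it records when the account was locked and every attempt that followed, and because resets are logged as well, the systems administrator cannot quietly clear a lockout, which fits the answer’s point about giving an upper-level manager an independent view of the logs.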

Systems Development

Employees should not be allowed to purchase and install software on company computers, even for work-related reasons. All software should be purchased from a single company to ensure reliability and compatibility.

Program Changes

The newly hired systems administrator should not be involved in the initial computer programming since they will be updating the system when needed. This person would have the knowledge of how to hide illegal changes.

All systems changes should be carefully documented and filed. This serves as a control and can help somebody see exactly what was done if a problem with the change occurs.

10. Encryption

Response: Answers will vary among the class. This is a fun assignment that results in interesting coding schemes.

Problems 11–14 will result in varying answers.