IT Controls Part II,Security and Access:Controlling the Operating System

Controlling the Operating System

The operating system is the computer’s control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers. If operating system integrity is compromised, controls within individual accounting applications may also be circumvented or neutralized. Because the operating system is common to all users, the larger the computer facility, the greater the scale of potential damage. Thus, with an ever-expanding user community sharing more and more computer resources, operating system security becomes an important control issue.

OPERATING SYSTEM OBJECTIVES

The operating system performs three main tasks. First, it translates high-level languages, such as COBOL, Cþþ, BASIC, and SQL, into the machine-level language that the computer can execute. The language translator modules of the operating system are called compilers and interpreters. The control implications of language translators are examined in Chapter 17.

Second, the operating system allocates computer resources to users, workgroups, and applications. This includes assigning memory work space (partitions) to applications and authorizing access to terminals, telecommunications links, databases, and printers.

Third, the operating system manages the tasks of job scheduling and multiprogramming. At any point, numerous user applications (jobs) are seeking access to the computer resources under the control of the oper- ating system. Jobs are submitted to the system in three ways: (1) directly by the system operator, (2) from various batch-job queues, and (3) through telecommunications links from remote workstations. To achieve efficient and effective use of finite computer resources, the operating system must schedule job processing according to established priorities and balance the use of resources among the competing applications.

To perform these tasks consistently and reliably, the operating system must achieve five fundamental control objectives.1

1. The operating system must protect itself from users. User applications must not be able to gain con- trol of, or damage in any way, the operating system, thus causing it to cease running or destroy data.

2. The operating system must protect users from each other. One user must not be able to access, destroy, or corrupt the data or programs of another user.

3. The operating system must protect users from themselves. A user’s application may consist of several modules stored in separate memory locations, each with its own data. One module must not be allowed to destroy or corrupt another module.

4. The operating system must be protected from itself. The operating system is also made up of individ- ual modules. No module should be allowed to destroy or corrupt another module.

5. The operating system must be protected from its environment. In the event of a power failure or other disaster, the operating system should be able to achieve a controlled termination of activities from which it can later recover.

OPERATING SYSTEM SECURITY

Operating system security involves policies, procedures, and controls that determine who can access the operating system, which resources (files, programs, printers) they can access, and what actions they can take. The following security components are found in secure operating systems: log-on procedure, access token, access control list, and discretionary access privileges.

Log-On Procedure

A formal log-on procedure is the operating system’s first line of defense against unauthorized access. When the user initiates the process, he or she is presented with a dialog box requesting the user’s ID and password. The system compares the ID and password to a database of valid users. If the system finds a match, then the log-on attempt is authenticated. If, however, the password or ID is entered incorrectly, the log-on attempt fails and a message is returned to the user. The message should not reveal whether the password or the ID caused the failure. The system should allow the user to reenter the log-on information. After a specified number of attempts (usually no more than five), the system should lock out the user from the system.

Access Token

If the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The in- formation in the access token is used to approve all actions the user attempts during the session.

Access Control List

An access control list assigned to each resource controls access to system resources such as directories, files, programs, and printers. These lists contain information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.

Discretionary Access Privileges

The central system administrator usually determines who is granted access to specific resources and main- tains the access control list. In distributed systems, however, end users may control (own) resources. Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users. For example, the controller, who is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting department. The accounts payable manager, however, may be granted both read and write permissions to the ledger. Any attempt the budgeting man- ager makes to add, delete, or change the general ledger will be denied. The use of discretionary access control needs to be closely supervised to prevent security breaches because of its liberal use.

THREATS TO OPERATING SYSTEM INTEGRITY

Operating system control objectives may not be achieved because of flaws in the operating system that are exploited either accidentally or intentionally. Accidental threats include hardware failures that cause the operating system to crash. Errors in user application programs, which the operating system cannot interpret, also cause operating system failures. Accidental system failures may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information.

Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain. However, a growing threat is destructive programs from which there is no apparent gain. These exposures come from three sources:

1. Privileged personnel who abuse their authority. Systems administrators and systems programmers require unlimited access to the operating system to perform maintenance and to recover from system failures. Such individuals may use this authority to access users’ programs and data files.

2. Individuals, both internal and external to the organization, who browse the operating system to iden- tify and exploit security flaws.

3. Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.

OPERATING SYSTEM CONTROLS AND TESTS OF CONTROLS

This section describes a variety of control techniques for preserving operating system integrity. If operating system integrity is compromised, controls within individual accounting applications that impact financial reporting may also be compromised. For this reason, the design and assessment of these controls are SOX compliance issues. In this section, controls and associated tests over the following areas are examined: access privileges, password control, virus control, and audit trail control.

Controlling Access Privileges

User access privileges are assigned to individuals and to entire workgroups authorized to use the system. Privileges determine which directories, files, applications, and other resources an individual or group may access. They also determine the types of actions that can be taken. Recall that the systems administrator or the owner of the resource may assign privileges. Management should be concerned that individuals are not granted privileges that are incompatible with their assigned duties. Consider, for example, a cash receipts clerk who is granted the right to access and make changes to the accounts receivable file.

Overall, the way access privileges are assigned influences system security. Privileges should, there- fore, be carefully administered and closely monitored for compliance with organizational policy and principles of internal control.

Audit Objectives Relating to Access Privileges

The objective of the auditor is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization’s policy.

Audit Procedures Relating to Access Privileges

• Review the organization’s policies for separating incompatible functions and ensure that they promote reasonable security.

• Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions. The auditor should verify that individuals are granted access to data and programs based on their need to know.

• Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.

• Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.

• Review the users’ permitted log-on times. Permission should be commensurate with the tasks being performed.

Password Control

A password is a secret code the user enters to gain access to systems, applications, data files, or a network server. If the user cannot provide the correct password, the operating system should deny access. Although passwords can provide a degree of security, when imposed on nonsecurity-minded users, pass- word procedures can result in end-user behavior that actually circumvents security. The most common forms of contra-security behavior include:

• Forgetting passwords and being locked out of the system.

• Failing to change passwords on a frequent basis.

• The Post-it syndrome, whereby passwords are written down and displayed for others to see.

• Simplistic passwords that a computer criminal easily anticipates.

REUSABLE PASSWORDS. The most common method of password control is the reusable password. The user defines the password to the system once and then reuses it to gain future access. The quality of the security a reusable password provides depends on the quality of the password itself. If the password pertains to something personal about the user, such as a child’s name, pet’s name, birth date, or hair color, a computer criminal can often deduce it. Even if the password is derived from nonpersonal data, it may be weak. For example, a string of keystrokes (such as A-S-D-F) or the same letter used multiple times can easily be cracked. Passwords that contain random letters and digits are more difficult to crack, but are also more difficult for the user to remember.

To improve access control, management should require that passwords be changed regularly and disallow weak passwords. Software is available that automatically scans password files and notifies users that their passwords have expired and need to be changed. These systems also use extensive databases of known weak passwords to validate the new password and disallow weak ones. An alternative to the standard reusable password is the one-time password.

ONE-TIME PASSWORDS. The one-time password was designed to overcome the aforementioned problems. Under this approach, the user’s password changes continuously. This technology employs a

credit card-sized smart card that contains a microprocessor programmed with an algorithm that generates, and electronically displays, a new and unique password every 60 seconds. The card works in conjunction with special authentication software located on a mainframe or network server computer. Each user’s card is synchronized to the authentication software, so that at any point in time both the smart card and the net- work software are generating the same password for the same user.

To access the network, the user enters the PIN followed by the current password displayed on the card.

The password can be used one time only. If, for example, a computer hacker intercepts the password and PIN during transmission and attempts to use them within the 1-minute time frame, access will be denied. Also, if the smart card should fall into the hands of a computer criminal, access cannot be achieved with- out the PIN.

Another one-time password technique uses a challenge/response approach to achieve the same end. When the user attempts to log on, the network authentication software issues a six-character code (the challenge) that the card can either scan optically or it can be entered into the card via its built-in keypad. The card’s internal algorithm then generates a one-time password (the response) that the user enters through the keyboard of the remote terminal. If the firewall recognizes the current password, access is permitted.

Audit Objectives Relating to Passwords

The auditor’s objective here is to ensure that the organization has an adequate and effective password pol- icy for controlling access to the operating system.

Audit Procedures Relating to Passwords

The auditor may achieve this objective by performing the following tests:

• Verify that all users are required to have passwords.

• Verify that new users are instructed in the use of passwords and the importance of password control.

• Review password control procedures to ensure that passwords are changed regularly.

• Review the password file to determine that weak passwords are identified and disallowed. This may involve using software to scan password files for known weak passwords.

• Verify that the password file is encrypted and that the encryption key is properly secured.

• Assess the adequacy of password standards such as length and expiration interval.

• Review the account lockout policy and procedures. Most operating systems allow the system administrator to define the action to be taken after a certain number of failed log-on attempts. The auditor should determine how many failed log-on attempts are allowed before the account is locked. The duration of the lockout also needs to be determined. This could range from a few minutes to a permanent lockout that requires formal reactivation of the account.

Controlling against Malicious and Destructive Programs

Malicious and destructive programs are responsible for millions of dollars of corporate losses annually. The losses are measured in terms of data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage. This class of programs includes viruses, worms, logic bombs, back doors, and Trojan horses. Because these have become popular press terms in recent years, we will not devote space at this point to define them. Section A of the appendix to this chapter, however, contains a detailed discussion of this material.

Threats from destructive programs can be substantially reduced through a combination of technology controls and administrative procedures. The following examples are relevant to most operating systems.

• Purchase software only from reputable vendors and accept only those products that are in their original, factory-sealed packages.

• Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.

• Examine all upgrades to vendor software for viruses before they are implemented.

• Inspect all public-domain software for virus infection before using.

• Establish entity-wide procedures for making changes to production programs.

• Establish an educational program to raise user awareness regarding threats from viruses and malicious programs.

• Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or local area network (LAN) server.

• Routinely make backup copies of key files stored on mainframes, servers, and workstations.

• Wherever possible, limit users to read and execute rights only. This allows users to extract data and run authorized applications, but denies them the ability to write directly to mainframe and server directories.

• Require protocols that explicitly invoke the operating system’s log-on procedures to bypass Trojan horses. A typical scenario is one in which a user sits down to a terminal that is already displaying the log-on screen and proceeds to enter his or her ID and password. This, however, may be a Trojan horse rather than the legitimate procedure. Some operating systems allow the user to directly invoke the oper- ating system log-on procedure by entering a key sequence such as CTRL þ ALT þ DEL. The user then knows that the log-on procedure on the screen is legitimate.

• Use antiviral software (also called vaccines) to examine application and operating system programs for the presence of a virus and remove it from the affected program. Antiviral programs are used to safe- guard mainframes, network servers, and personal computers. Most antiviral programs run in the back- ground on the host computer and automatically test all files that are uploaded to the host. The software, however, works only on known viruses. If a virus has been modified slightly (mutated), there is no guarantee that the vaccine will work. Therefore, maintaining a current version of the vaccine is critical.

Audit Objective Relating to Viruses and Other Destructive Programs

The key to computer virus control is prevention through strict adherence to organizational policies and procedures that guard against virus infection. The auditor’s objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.

Audit Procedures Relating to Viruses and Other Destructive Programs

• Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.

• Verify that new software is tested on stand-alone workstations prior to being implemented on the host or network server.

• Verify that the current version of antiviral software is installed on the server and that upgrades are regu- larly downloaded to workstations.

System Audit Trail Controls

System audit trails are logs that record activity at the system, application, and user level. Operating systems allow management to select the level of auditing to be recorded in the log. They need to decide on their threshold between information and irrelevant facts. An effective audit policy will capture all significant events without cluttering the log with trivial activity. Audit trails typically consist of two types of audit logs: (1) detailed logs of individual keystrokes and (2) event-oriented logs.

KEYSTROKE MONITORING. Keystroke monitoring involves recording both the user’s keystrokes and the system’s responses. This form of log may be used after the fact to reconstruct the details of an event or as a real-time control to prevent unauthorized intrusion. Keystroke monitoring is the computer equivalent of a telephone wiretap. Whereas some situations may justify this level of surveillance, key- stroke monitoring may also be regarded as a violation of privacy. Before implementing this type of con- trol, management and auditors should consider the possible legal, ethical, and behavioral implications.

EVENT MONITORING. Event monitoring summarizes key activities related to system resources. Event logs typically record the IDs of all users accessing the system; the time and duration of a user’s session; pro- grams that were executed during a session; and the files, databases, printers, and other resources accessed.

Setting Audit Trail Objectives

Audit trails can be used to support security objectives in three ways: (1) detecting unauthorized access to the system, (2) facilitating the reconstruction of events, and (3) promoting personal accountability.

DETECTING UNAUTHORIZED ACCESS. Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders attempting to breach system controls. A real-time audit trail can also be used to report changes in system performance that may indicate infestation by a virus or worm. Depending on how much activity is being logged for review, real-time detection can add significantly to operational overhead and degrade performance. After- the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine if unauthorized access was accomplished, or attempted and failed.

RECONSTRUCTING EVENTS. Audit trail analysis can be used to reconstruct the steps that led to events such as system failures or security violations by individuals. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future.

PERSONAL ACCOUNTABILITY. Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can influence behavior. Individuals are less likely to violate an organization’s security policy when they know that their actions are recorded in an audit log.

A system audit log can also serve as a detective control to assign personal accountability for actions taken

such as abuse of authority. For example, consider an accounts receivable clerk with authority to access customer records. The audit log may disclose that the clerk has been printing an inordinate number of records, which may indicate that the clerk is selling customer information in violation of the company’s privacy policy.

Implementing a System Audit Trail

The information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders. Audit logs, however, can generate data in overwhelming detail. Important information can easily get lost among the superfluous details of daily operation. Thus, poorly designed logs can actually be dysfunctional. Protecting exposures with the potential for material financial loss should drive management’s decision as to which users, applications, or operations to monitor, and how much detail to log. As with all controls, the benefits of audit logs must be balanced against the costs of implementing them.

Audit Objectives Relating to System Audit Trails

The auditor’s objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede systems failures, and planning resource allocation.

Audit Procedures Relating to System Audit Trails

• Most operating systems provide some form of audit manager function to specify the events that are to be audited. The auditor should verify that the audit trail has been activated according to organization policy.

• Many operating systems provide an audit log viewer that allows the auditor to scan the log for unusual activity. These can be reviewed on screen or by archiving the file for subsequent review. The auditor can use general-purpose data extraction tools for accessing archived log files to search for defined conditions such as:

• Unauthorized or terminated user

• Periods of inactivity

• Activity by user, workgroup, or department

• Log-on and log-off times

• Failed log-on attempts

• Access to specific files or applications

• The organization’s security group has responsibility for monitoring and reporting security violations.

The auditor should select a sample of security violation cases and evaluate their disposition to assess the effectiveness of the security group.

Comments

Popular posts from this blog

The Conversion Cycle:The Traditional Manufacturing Environment

The Revenue Cycle:Manual Systems

Nassi-Shneiderman charts