IT Controls Part II, Security and Access: Controlling Networks

Controlling Networks

Chapter 12 examined the operational characteristics of several network topologies used in Internet and intranet communications. Network topologies consist of various configurations of (1) communications lines (twisted-pair wires, coaxial cable, microwaves, and fiber optics), (2) hardware components (modems, multiplexers, servers, and front-end processors), and (3) software (protocols and network control systems). The technology of network communications is subject to two general forms of risk:

1. Risks from subversive threats. These include, but are not limited to, a computer criminal intercepting a message transmitted between the sender and the receiver, a computer hacker gaining unauthorized access to the organization’s network, and a denial of service attack launched from a remote location on the Internet.

2. Risks from equipment failure. For example, equipment failures in the communications system can disrupt, destroy, or corrupt transmissions between senders and receivers. Equipment failure can also result in the loss of databases and programs stored on network servers.

CONTROLLING RISKS FROM SUBVERSIVE THREATS

Firewalls

Organizations connected to the Internet or other public networks often implement an electronic firewall to insulate their intranet from outside intruders. A firewall is a system that enforces access control between two networks. To accomplish this:

• All traffic between the outside network and the organization’s intranet must pass through the firewall.

• Only authorized traffic between the organization and the outside, as formal security policy specifies, is allowed to pass through the firewall.

• The firewall must be immune to penetration from both outside and inside the organization.

Firewalls can be used to authenticate an outside user of the network, verify his or her level of access authority, and then direct the user to the program, data, or service requested. In addition to insulating the organization’s network from external networks, firewalls can also be used to insulate portions of the organization’s intranet from internal access. For example, a LAN controlling access to financial data can be insulated from other internal LANs. Some commercially available firewalls provide a high level of security, whereas others are less secure but more efficient. Firewalls may be grouped into two general types: network-level firewalls and application-level firewalls.

Network-level firewalls provide efficient but low security access control. This type of firewall consists of a screening router that examines the source and destination addresses that are attached to incoming message packets. The firewall accepts or denies access requests based on filtering rules that have been programmed into it. The firewall directs incoming calls to the correct internal receiving node. Network-level firewalls are insecure because they are designed to facilitate the free flow of information rather than restrict it. This method does not explicitly authenticate outside users.

Application-level firewalls provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks. Application-level firewalls also provide comprehensive transmission logging and auditing tools for reporting unauthorized activity.

A high level of firewall security is possible using a dual-homed system. This approach, illustrated in Figure 16-4, has two firewall interfaces. One screens incoming requests from the Internet; the other provides access to the organization’s intranet. Direct communication to the Internet is disabled and the two networks are fully isolated. Proxy applications that impose separate log-on procedures perform all access.

Choosing the right firewall involves a trade-off between convenience and security. Ultimately, organization management, in collaboration with internal audit and network professionals, must come to grips with what constitutes acceptable risk. The more security the firewall provides, however, the less convenient it is for authorized users to pass through it to conduct business.
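The screening-router behaviour described above (address and port filtering with rules programmed into the firewall, a financial LAN insulated from other internal LANs, and the "deny everything not explicitly permitted" criterion that the audit procedures later in this chapter apply) is shown below as an added example. It is not code from the book; the address ranges, rule set, and helper names (`Packet`, `Rule`, `filter_packet`, `audit_rules`) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the example.
ANY = ipaddress.ip_network("0.0.0.0/0")
INTRANET = ipaddress.ip_network("10.0.0.0/8")          # the organization's intranet
FINANCE_LAN = ipaddress.ip_network("10.20.0.0/16")     # LAN holding financial data
ACCOUNTING = ipaddress.ip_network("10.30.0.0/24")      # workstations allowed to reach it
WEB_SERVER = ipaddress.ip_network("10.1.0.10/32")
MAIL_RELAY = ipaddress.ip_network("10.1.0.20/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None matches any destination port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport)
                and self.proto == pkt.proto)


# Screening rules, evaluated top to bottom; the first match decides.
RULES = [
    Rule("allow", ANY, WEB_SERVER, 443),           # public web service
    Rule("allow", ANY, MAIL_RELAY, 25),            # inbound e-mail
    Rule("allow", ACCOUNTING, FINANCE_LAN, 1433),  # only accounting reaches the finance database
    Rule("deny", ANY, FINANCE_LAN, None),          # every other path into the finance LAN is closed
    Rule("allow", INTRANET, INTRANET, None),       # ordinary traffic between internal LANs
]


def filter_packet(pkt: Packet, rules=RULES):
    """Return (verdict, matching rule). No match means the service was never
    explicitly permitted, so the packet is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


def audit_rules(rules):
    """Auditor's check: an 'allow' from anywhere to any port defeats default deny."""
    return [f"rule {i} allows any port from any source to {r.dst}"
            for i, r in enumerate(rules)
            if r.action == "allow" and r.src == ANY and r.dport is None]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "10.1.0.10", 443),   # outsider to web server: allow
                Packet("203.0.113.5", "10.1.0.10", 22),    # outsider to SSH: no rule, default deny
                Packet("10.40.0.7", "10.20.0.5", 1433),    # other internal LAN to finance: deny
                Packet("10.30.0.7", "10.20.0.5", 1433)):   # accounting to finance: allow
        print(pkt, "->", filter_packet(pkt)[0])
    print("audit findings:", audit_rules(RULES))
```

The order of the rules matters: the explicit deny for the finance LAN sits above the general intranet allow, so an internal workstation outside accounting is refused even though it is on the intranet. `audit_rules` is the kind of mechanical check an auditor can run over an exported rule set before probing the firewall itself.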

Controlling Denial of Service Attacks

Chapter 12 described three common forms of denial of service attacks: SYN flood attacks, smurf attacks, and distributed denial of service (DDoS) attacks. Each of these techniques has a similar effect on the victim. By clogging the Internet ports of the victim’s server with fraudulently generated messages, the targeted firm is rendered incapable of processing legitimate transactions and can be completely isolated from the Internet for the duration of the attack.

In the case of a smurf attack, the targeted organization can program its firewall to ignore all communication from the attacking site, once the attacker’s IP address is determined. SYN flood attacks that use IP spoofing to disguise the source, however, are a more serious problem. Although the attack may actually be coming from a single disguised site, the victim’s host computer views these transmissions as coming from all over the Internet. IT and network management can take two actions to defeat this sort of attack. First, Internet hosts must embrace a policy of social responsibility by programming their firewalls to block outbound message packets that contain invalid internal IP addresses. This would prevent attackers from hiding their locations from the targeted site and would assure the management of potential intermediary hosts that no undetected attacks could be launched from their sites. This strategy will not, however, prevent attacks from Internet sites that refuse to screen outgoing transmissions. Second, security software is available for the targeted sites that scans for half-open connections. The software looks for SYN packets that have not been followed by an ACK packet. The clogged ports can then be restored to allow legitimate connections to use them.
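The two countermeasures just described (refusing outbound packets that carry a source address not belonging to the site, and scanning for SYN packets never followed by an ACK so the clogged port can be freed) are shown together below as an added example; it is not code from the book. The packet log, the site's address range, and the three-second half-open timeout are constructed assumptions, and the monitor only tracks the flags it needs for the example.

```python
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # constructed: the protected site's own addresses
HALF_OPEN_TIMEOUT = 3.0                           # seconds a SYN may wait for the client's ACK (assumed)

# Constructed packet log seen at the site's firewall: "time src:port > dst:port flags"
LOG = """\
0.00 198.51.100.7:40001 > 192.0.2.10:80 S
0.01 192.0.2.10:80 > 198.51.100.7:40001 SA
0.02 198.51.100.7:40001 > 192.0.2.10:80 A
0.10 203.0.113.4:1 > 192.0.2.10:80 S
0.10 198.18.5.6:2 > 192.0.2.10:80 S
0.11 192.0.2.10:80 > 203.0.113.4:1 SA
0.11 100.64.3.3:3 > 192.0.2.10:80 S
0.12 203.0.113.77:4 > 192.0.2.10:80 S
0.50 203.0.113.9:5 > 198.51.100.20:80 S
"""


def parse_log(text):
    for line in text.strip().splitlines():
        t, src, _, dst, flags = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        yield float(t), s_ip, int(s_port), d_ip, int(d_port), flags


class HalfOpenMonitor:
    def __init__(self, internal=INTERNAL, timeout=HALF_OPEN_TIMEOUT):
        self.internal, self.timeout = internal, timeout
        self.pending = {}          # (src, sport, dst, dport) -> time the SYN arrived
        self.blocked_egress = []   # outbound packets refused for carrying a foreign source

    def observe(self, t, src, sport, dst, dport, flags):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key = (src, sport, dst, dport)
        if dst_ip not in self.internal and src_ip not in self.internal:
            # Leaving the site with an address that is not ours: spoofed, drop it.
            self.blocked_egress.append(key)
            return "blocked"
        if flags == "S" and dst_ip in self.internal:
            self.pending.setdefault(key, t)          # half-open until the ACK arrives
        elif flags == "A" and key in self.pending:
            del self.pending[key]                    # handshake completed
        return "ok"

    def half_open(self, now):
        return [k for k, t0 in self.pending.items() if now - t0 > self.timeout]

    def half_open_by_port(self, now):
        """Spoofed floods appear to come from everywhere, so count per clogged port."""
        return dict(Counter(k[3] for k in self.half_open(now)))

    def release(self, now):
        """Free the stale entries so the port can serve legitimate connections again."""
        stale = self.half_open(now)
        for key in stale:
            del self.pending[key]
        return len(stale)


def run(log=LOG):
    monitor = HalfOpenMonitor()
    for pkt in parse_log(log):
        monitor.observe(*pkt)
    return monitor


if __name__ == "__main__":
    m = run()
    print("half-open per port after 6 s:", m.half_open_by_port(6.0))
    print("blocked spoofed egress:", m.blocked_egress)
    print("released:", m.release(6.0))
```

In the sample log the legitimate client completes its handshake, four SYNs to port 80 from scattered addresses never do, and one packet tries to leave the site with a source address the site does not own. Counting per port rather than per source is deliberate: with spoofed sources, the per-source view is exactly what the attacker wants the victim to see.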

Distributed denial of service attacks are the most difficult of the three to counter. The victim’s site becomes inundated with messages from thousands of zombie sites that are distributed across the Internet. The company is rendered helpless because it cannot effectively block transmissions from so many different locations.

As a countermeasure to DDoS attacks, many organizations have invested in intrusion prevention systems (IPS) that employ deep packet inspection (DPI) to determine when an attack is in progress. DPI uses a variety of analytical and statistical techniques to evaluate the contents of message packets. It searches the individual packets for protocol noncompliance and employs predefined criteria to decide if a packet can proceed to its destination. This is in contrast to the normal packet inspection that simply checks the header portion of a packet to determine its destination. By going deeper and examining the payload or body of the packet, DPI can identify and classify malicious packets based on a database of known attack signatures. Once classified as malicious, the packet can then be blocked and redirected to a security team and/or network reporting agent.

IPS works inline with a firewall at the perimeter of the network to act as a filter that removes malicious packets from the flow before they can affect servers and networks. IPS may also be used behind the firewall to protect specific network segments and servers. This provides additional protection against careless laptop users who have been unknowingly infected with a Trojan horse or worm while working outside the protected network environment. IPS techniques can also be employed to protect an organization from becoming part of a botnet by inspecting outbound packets and blocking malicious traffic before it reaches the Internet.
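The contrast between header-only inspection and deep packet inspection in the two paragraphs above is illustrated by the added example below, which is not code from the book. The signature database, the HTTP request-line check standing in for "protocol noncompliance", the permitted ports, and the sample packets (including an outbound packet from an internal laptop, the botnet case) are all constructed; real IPS products carry far larger signature sets and reassemble streams before matching.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


PERMITTED_PORTS = {25, 80, 443}

# Constructed signature database: name -> pattern searched for in the payload.
SIGNATURES = {
    "sql-injection-probe": re.compile(rb"(?i)union\s+select"),
    "directory-traversal": re.compile(rb"\.\./\.\./"),
    "known-botnet-beacon": re.compile(rb"X-Constructed-Beacon:"),  # placeholder marker
}
# What a compliant HTTP/1.x request must start with; anything else on port 80 is noncompliant.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def header_inspection(pkt):
    """Ordinary packet filtering: only the header (here, the destination port) is examined."""
    return "forward" if pkt.dport in PERMITTED_PORTS else "block"


def deep_inspection(pkt):
    """DPI: header check, then protocol compliance, then the signature database."""
    if header_inspection(pkt) == "block":
        return "block", "destination port not permitted"
    if pkt.dport == 80 and not HTTP_REQUEST_LINE.match(pkt.payload):
        return "block", "protocol noncompliance: malformed HTTP request line"
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return "block", f"signature match: {name}"
    return "forward", "clean"


def run_ips(packets):
    """Inline filter: returns (forwarded, quarantined) lists of (packet, reason)."""
    forwarded, quarantined = [], []
    for pkt in packets:
        verdict, reason = deep_inspection(pkt)
        (forwarded if verdict == "forward" else quarantined).append((pkt, reason))
    return forwarded, quarantined


# Constructed traffic sample; each packet holds the start of a request.
SAMPLE = [
    Packet("203.0.113.5", "10.1.0.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("203.0.113.6", "10.1.0.10", 80,
           b"POST /search HTTP/1.1\r\nHost: example.test\r\n\r\nq=1 UNION SELECT 1,2,3"),
    Packet("203.0.113.7", "10.1.0.10", 80,
           b"\x00\x16\x03\x01random bytes, not HTTP at all"),
    # Outbound: an internal laptop talking to an outside host with the beacon marker.
    Packet("10.40.0.7", "198.51.100.9", 443,
           b"POST /gate HTTP/1.1\r\nX-Constructed-Beacon: 1\r\n\r\n"),
]


if __name__ == "__main__":
    forwarded, quarantined = run_ips(SAMPLE)
    for pkt, reason in quarantined:
        print("quarantined", pkt.src, "->", pkt.dst, ":", reason)
    print("forwarded:", len(forwarded))
```

All four sample packets pass the header-only check, because every destination port is permitted; only the payload inspection separates the clean request from the injection probe, the non-HTTP bytes on port 80, and the outbound beacon. The quarantined list is what would be handed to the security team or reporting agent.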

Encryption

Encryption is the conversion of data into a secret code for storage in databases and transmission over networks. The discussion here pertains to transmitted data, but these basic principles apply also to stored data. The sender uses an encryption algorithm to convert the original message called cleartext into a coded equivalent called ciphertext. At the receiving end, the ciphertext is decoded (decrypted) back into cleartext. The encryption algorithm uses a key, which is a binary number that typically is from 56 to 128 bits in length. The more bits in the key, the stronger the encryption method. Today, nothing less than 128-bit algorithms are considered truly secure. Two general approaches to encryption are private key and public key encryption.

PRIVATE KEY ENCRYPTION. The Advanced Encryption Standard (AES) is a 128-bit encryption technique that has become a U.S. government standard for private key encryption. The AES algorithm uses a single key known to both the sender and the receiver of the message. To encode a message, the sender provides the encryption algorithm with the key, which is used to produce a ciphertext message. The message enters the communication channel and is transmitted to the receiver’s location, where it is stored. The receiver decodes the message with a decryption program that uses the same key the sender employs. Figure 16-5 illustrates this technique.

Triple-DES encryption is an enhancement to an older encryption technique called the Data Encryption Standard (DES). Triple DES provides considerably improved security over most single encryption techniques. Two forms of triple-DES encryption are EEE3 and EDE3. EEE3 uses three different keys to encrypt the message three times. EDE3 uses one key to encrypt the message. A second key is used to decode it. The resulting message is garbled because the key used for decoding is different from the one that encrypted it. Finally, a third key is used to encrypt the garbled message. The use of multiple keys greatly reduces the chances of breaking the cipher. Triple-DES encryption is thought to be very secure, and major banks use it to transmit transactions. Unfortunately, it is also very slow. The EEE3 and EDE3 techniques are illustrated in Figure 16-6.

All private key techniques have a common problem: the more individuals who need to know the key, the greater the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she can intercept and decipher coded messages. Therefore, encrypting data that are to be transmitted among large numbers of relative strangers (such as Internet transactions between businesses and customers) requires a different approach. The solution to this problem is public key encryption.

PUBLIC KEY ENCRYPTION. Public key encryption uses two different keys: one for encoding messages and the other for decoding them. Each recipient has a private key that is kept secret and a public key that is published. The sender of a message uses the receiver’s public key to encrypt the message. The receiver then uses his or her private key to decode the message. Users never need to share their private keys to decrypt messages, thus reducing the likelihood that they fall into the hands of a criminal.


RSA (Rivest-Shamir-Adleman) is a highly secure public key cryptography method. This method is, however, computationally intensive and much slower than standard DES encryption. Sometimes, both DES and RSA are used together in what is called a digital envelope. The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.

Digital Signatures

A digital signature is electronic authentication that cannot be forged. It ensures that the message or document the sender transmitted was not tampered with after the signature was applied. Figure 16-7 illustrates this process. The sender uses a one-way hashing algorithm to calculate a digest of the text message. The digest is a mathematical value calculated from the text content of the message. The digest is then encrypted using the sender’s private key to produce the digital signature. Next, the digital signature and the text message are encrypted using the receiver’s public key and transmitted to the receiver. At the receiving end, the message is decrypted using the receiver’s private key to produce the digital signature (encrypted digest) and the cleartext version of the message. The receiver then uses the sender’s public key to decrypt the digital signature to produce the digest. Finally, the receiver recalculates the digest from the cleartext using the original hashing algorithm and compares this to the decoded digest. If the message is authentic, the two digest values will match. If even a single character of the message was changed in transmission, the digest figures will not be equal.

Digital Certificate

The aforementioned process proves that the message received was not tampered with during transmission. It does not prove, however, that the sender is who he or she claims to be. The sender could be an impersonator. Verifying the sender’s identity requires a digital certificate, which a trusted third party issues, called a certification authority (CA). A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message. The process for certification varies depending on the level of certification desired. It involves establishing one’s identity with formal documents such as a driver’s license, notarization, and fingerprints and proving one’s ownership of the public key. After verifying the owner’s identity, the CA creates the certification, which is the owner’s public key, and other data the CA has digitally signed.

The digital certificate is transmitted with the encrypted message to authenticate the sender. The receiver uses the CA’s public key, which is widely publicized, to decrypt the sender’s public key attached to the message. The sender’s public key is then used to decrypt the message.
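The whole chain described in the preceding sections (a private-key cipher, public-key encryption, the digital envelope that wraps the symmetric key under the receiver's public key, the digital signature built from a hashed digest and the sender's private key, and the CA-signed certificate that binds the sender's public key to an identity) is worked through below as one added example; it is not code from the book. Everything in it is a constructed teaching toy: textbook RSA on fixed Mersenne primes instead of random 2048-bit primes with OAEP/PSS padding, a SHA-256 XOR keystream standing in for AES or DES, a truncated digest so the numbers fit the small moduli, and a dictionary in place of an X.509 certificate.

```python
import hashlib
import os
from math import gcd

# Toy textbook RSA built on fixed Mersenne primes so the example is deterministic
# (constructed for this example; real RSA uses random primes of 2048+ bits and
# padding schemes such as OAEP and PSS, none of which appears here).
M = {k: 2**k - 1 for k in (19, 31, 61, 89, 107, 127)}
E = 65537
DIGEST_BYTES = 12   # the signed value must stay smaller than every toy modulus


def make_keypair(p, q, e=E):
    """Return (public, private) as (e, n) and (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (e, n), (pow(e, -1, phi), n)      # pow(e, -1, phi) is the modular inverse


def rsa_apply(value, key):
    exponent, n = key
    return pow(value, exponent, n)


def digest(data):
    """One-way hash of the message, truncated so it fits the toy moduli."""
    return int.from_bytes(hashlib.sha256(data).digest()[:DIGEST_BYTES], "big")


def sym_crypt(key, data):
    """Private-key stand-in for AES/DES: XOR with a SHA-256 keystream. Encrypting
    and decrypting are the same operation. Not a real cipher; it only keeps the
    example free of third-party libraries."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def issue_certificate(subject_pub, ca_priv):
    """The CA signs the subject's public key after checking identity out of band."""
    e, n = subject_pub
    return {"pub": subject_pub, "ca_sig": rsa_apply(digest(f"{e}:{n}".encode()), ca_priv)}


def verify_certificate(cert, ca_pub):
    e, n = cert["pub"]
    return rsa_apply(cert["ca_sig"], ca_pub) == digest(f"{e}:{n}".encode())


def send(message, sender_priv, sender_cert, receiver_pub, session_key=None):
    """Sign with the sender's private key, then seal message + signature in a
    digital envelope: symmetric encryption under a one-time session key, which is
    itself encrypted with the receiver's public key."""
    session_key = session_key or os.urandom(16)
    signature = rsa_apply(digest(message), sender_priv)
    payload = signature.to_bytes(20, "big") + message
    return {"cert": sender_cert,
            "sealed_key": rsa_apply(int.from_bytes(session_key, "big"), receiver_pub),
            "body": sym_crypt(session_key, payload)}


def receive(envelope, receiver_priv, ca_pub):
    """Open the envelope, check the certificate with the CA's public key, then check
    the signature with the sender's public key. Returns (message, sig_ok, cert_ok)."""
    session_key = rsa_apply(envelope["sealed_key"], receiver_priv).to_bytes(16, "big")
    payload = sym_crypt(session_key, envelope["body"])
    signature, message = int.from_bytes(payload[:20], "big"), payload[20:]
    cert_ok = verify_certificate(envelope["cert"], ca_pub)
    sig_ok = rsa_apply(signature, envelope["cert"]["pub"]) == digest(message)
    return message, sig_ok, cert_ok


# Three parties, each with its own toy key pair.
ca_pub, ca_priv = make_keypair(M[107], M[19])
sender_pub, sender_priv = make_keypair(M[61], M[89])
receiver_pub, receiver_priv = make_keypair(M[31], M[127])
sender_cert = issue_certificate(sender_pub, ca_priv)


def demo():
    msg = b"Transfer 1,000.00 from account 1234 to account 5678"   # constructed message
    env = send(msg, sender_priv, sender_cert, receiver_pub)
    out, sig_ok, cert_ok = receive(env, receiver_priv, ca_pub)
    # Flip one bit of the sealed body: the recomputed digest no longer matches.
    body = env["body"]
    tampered = dict(env, body=body[:-1] + bytes([body[-1] ^ 1]))
    _, sig_after_tamper, _ = receive(tampered, receiver_priv, ca_pub)
    return out == msg and sig_ok and cert_ok and not sig_after_tamper


if __name__ == "__main__":
    print("signature and certificate verified, tampering detected:", demo())
```

The receiver never needs the sender's private key and the sender never needs the receiver's: the only secret that travels is the session key, and it travels sealed under the receiver's public key. The certificate check comes first because the signature is only meaningful once the public key used to verify it has been tied to the claimed sender by the CA.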

Message Sequence Numbering

An intruder in the communications channel may attempt to delete a message from a stream of messages, change the order of messages received, or duplicate a message. Through message sequence numbering, a sequence number is inserted in each message, and any such attempt will become apparent at the receiving end.

Message Transaction Log

An intruder may successfully penetrate the system by trying different password and user ID combinations. Therefore, all incoming and outgoing messages, as well as attempted (failed) access, should be recorded in a message transaction log. The log should record the user ID, the time of the access, and the terminal location or telephone number from which the access originated.
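The two controls above (sequence numbers that expose deleted, reordered or duplicated messages, and a transaction log that records every access attempt, including failures) are combined in the added example below, which also performs the log review the audit procedures in this chapter call for. It is not code from the book; the log format, the user IDs and terminals, and the thresholds for a password-guessing burst are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed message transaction log: time, user id, terminal, sequence number
# ('-' for a log-on attempt that carries no message), outcome.
LOG = """\
09:00:01 jdoe  T17 1 ok
09:00:04 jdoe  T17 2 ok
09:00:09 jdoe  T17 4 ok
09:00:12 jdoe  T17 3 ok
09:00:15 jdoe  T17 4 ok
09:01:00 admin T42 - failed
09:01:02 admin T42 - failed
09:01:03 admin T42 - failed
09:01:05 admin T42 - failed
09:01:07 admin T42 - ok
"""


def parse_log(text):
    for line in text.strip().splitlines():
        ts, user, terminal, seq, status = line.split()
        yield (datetime.strptime(ts, "%H:%M:%S"), user, terminal,
               None if seq == "-" else int(seq), status)


class SequenceChecker:
    """Receiver-side check of message sequence numbers, one counter per sender."""
    def __init__(self):
        self.expected = defaultdict(lambda: 1)
        self.seen = defaultdict(set)
        self.findings = []           # (kind, user, sequence number)

    def receive(self, user, seq):
        if seq in self.seen[user]:
            self.findings.append(("duplicate", user, seq))
        elif seq > self.expected[user]:
            for missing in range(self.expected[user], seq):    # deleted or delayed
                self.findings.append(("missing", user, missing))
            self.expected[user] = seq + 1
        elif seq < self.expected[user]:
            self.findings.append(("out_of_order", user, seq))  # a 'missing' one arriving late
        else:
            self.expected[user] = seq + 1
        self.seen[user].add(seq)


def failed_logon_bursts(records, threshold=3, window_seconds=60):
    """Flag (user, terminal) pairs with `threshold` failed attempts inside the window."""
    failures = defaultdict(list)
    for ts, user, terminal, _, status in records:
        if status == "failed":
            failures[(user, terminal)].append(ts)
    bursts = []
    for (user, terminal), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bursts.append((user, terminal, len(times)))
                break
    return bursts


def audit(log=LOG):
    """Audit procedure: verify sequence order and look for password guessing."""
    records = list(parse_log(log))
    checker = SequenceChecker()
    for _, user, _, seq, status in records:
        if seq is not None and status == "ok":
            checker.receive(user, seq)
    return checker.findings, failed_logon_bursts(records)


if __name__ == "__main__":
    findings, bursts = audit()
    print("sequence findings:", findings)
    print("failed log-on bursts:", bursts)
```

In the sample log, message 4 arrives before message 3 (reported first as missing, then as out of order when it turns up late) and message 4 is then delivered a second time; the admin account shows four failed attempts in five seconds from one terminal before a success, which is the pattern the log exists to expose.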

Request-Response Technique

An intruder may attempt to prevent or delay the receipt of a message from the sender. When senders and receivers are not in constant contact, the receiver may not know if the communications channel has been interrupted and that messages have been diverted. Using the request-response technique, a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals. The timing of the messages should follow a random pattern that will be difficult for the intruder to determine and circumvent.
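The request-response exchange above is simulated below as an added example (not code from the book), showing both sides of the exchange. The synchronized-but-random schedule is derived at each end from a shared secret with HMAC, and each control message and response carries an HMAC tag so a forged response is rejected; the secret, the interval bounds and the simulated channel faults are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed shared secret"   # known only to sender and receiver (constructed)


def probe_schedule(secret, count, start=0, min_gap=5, max_gap=60):
    """Both ends derive the same random-looking probe times from the shared secret,
    so the interval is unpredictable to an intruder who does not hold it."""
    times, t = [], start
    for i in range(count):
        tag = hmac.new(secret, i.to_bytes(4, "big"), hashlib.sha256).digest()
        t += min_gap + int.from_bytes(tag[:2], "big") % (max_gap - min_gap + 1)
        times.append(t)
    return times


def make_tag(secret, role, seq):
    """Authentication tag so a control message or response cannot be forged."""
    return hmac.new(secret, f"{role}:{seq}".encode(), hashlib.sha256).hexdigest()


def run_exchange(secret, count, dropped=frozenset(), forged=frozenset()):
    """Simulate the exchange. `dropped` holds sequence numbers whose control message
    never reaches the receiver (a diverted channel); `forged` holds ones whose
    response is replaced by an intruder. Returns the alarms the sender raises."""
    sender_times = probe_schedule(secret, count)
    receiver_times = probe_schedule(secret, count)     # derived independently at the receiver
    alarms = []
    for seq, t in enumerate(sender_times):
        control = {"seq": seq, "t": t, "tag": make_tag(secret, "control", seq)}
        response = None
        if seq not in dropped:
            # Receiver: answer only a control message at the agreed time with a valid tag.
            if control["t"] == receiver_times[seq] and hmac.compare_digest(
                    control["tag"], make_tag(secret, "control", seq)):
                response = {"seq": seq, "tag": make_tag(secret, "response", seq)}
        if seq in forged:
            response = {"seq": seq, "tag": "0" * 64}
        # Sender: a missing or invalid response means the channel was interrupted.
        if response is None or not hmac.compare_digest(
                response["tag"], make_tag(secret, "response", seq)):
            alarms.append((t, seq))
    return alarms


if __name__ == "__main__":
    print("schedule:", probe_schedule(SECRET, 5))
    print("clean channel:", run_exchange(SECRET, 5))
    print("message 2 diverted:", run_exchange(SECRET, 5, dropped={2}))
    print("response 3 forged:", run_exchange(SECRET, 5, forged={3}))
```

Because the schedule is a function of the secret, the two ends stay synchronized without ever transmitting the timing, and an intruder watching the channel sees intervals that look random. The alarm carries the time of the probe that failed, which bounds the period during which messages may have been diverted.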

Call-Back Devices

As we have seen, networks can be equipped with security features such as passwords, authentication devices, and encryption. The common weakness to all of these technologies is that they apply the security measure after the criminal has connected to the network server. Many believe that the key to security is to keep the intruder off the network to begin with.

A call-back device requires the dial-in user to enter a password and be identified. The system then breaks the connection to perform user authentication. If the caller is authorized, the call-back device dials the caller’s number to establish a new connection. This restricts access to authorized terminals or telephone numbers and prevents an intruder masquerading as a legitimate user.

Audit Objectives Relating to Subversive Threats

The auditor’s objective is to verify the security and integrity of financial transactions by determining that network controls (1) can prevent and detect illegal access both internally and from the Internet, (2) will render useless any data that a perpetrator successfully captures, and (3) are sufficient to preserve the integrity and physical security of data connected to the network.

Audit Procedures Relating to Subversive Threats

To achieve these control objectives, the auditor may perform the following tests of controls:

1. Review the adequacy of the firewall in achieving the proper balance between control and convenience based on the organization’s business objectives and potential risks. Criteria for assessing the firewall effectiveness include:

• Flexibility. The firewall should be flexible enough to accommodate new services as the security needs of the organization change.

• Proxy services. Adequate proxy applications should be in place to provide explicit user authentication to sensitive services, applications, and data.

• Filtering. Strong filtering techniques should be designed to deny all services that are not explicitly permitted. In other words, the firewall should specify only those services the user is permitted to access, rather than specifying the services that are denied.

• Segregation of systems. Systems that do not require public access should be segregated from the Internet.

• Audit tools. The firewall should provide a thorough set of audit and logging tools that identify and record suspicious activity.

• Probe for weaknesses. To validate security, the auditor (or a professional security analyst) should periodically probe the firewall for weaknesses just as a computer Internet hacker would do. A number of software products are currently available for identifying security weaknesses.

2. Verify that an intrusion prevention system (IPS) with deep packet inspection (DPI) is in place for organizations that are vulnerable to DDoS attacks, such as financial institutions.

3. Review security procedures governing the administration of data encryption keys.

4. Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.

5. Review the message transaction logs to verify that all messages were received in their proper sequence.

6. Test the operation of the call-back feature by placing an unauthorized call from outside the installation.

CONTROLLING RISKS FROM EQUIPMENT FAILURE

Line Errors

The most common problem in data communications is data loss due to line error. The bit structure of the message can be corrupted through noise on the communications lines. Noise is made up of random signals that can interfere with the message signal when they reach a certain level. Electric motors, atmospheric conditions, faulty wiring, defective components in equipment, or noise spilling over from an adjacent communications channel may cause these random signals. If not detected, bit structure changes to transmitted data can be catastrophic to the firm. For example, in the case of a database update program, the presence of line errors can result in incorrect transaction values being posted to the accounts. The following two techniques are commonly used to detect and correct such data errors before they are processed.

ECHO CHECK. The echo check involves the receiver of the message returning the message to the sender. The sender compares the returned message with a stored copy of the original. If there is a discrepancy between the returned message and the original, suggesting a transmission error, the message is retransmitted. This technique reduces, by one-half, throughput over communications channels. Using full-duplex channels, which allow both parties to transmit and receive simultaneously, can increase throughput.

PARITY CHECK. The parity check incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted. Parity can be both vertical and horizontal (longitudinal). Figure 16-8 illustrates both types of parities. Vertical parity adds the parity bit to each character in the message when the characters are originally coded and stored in magnetic form. For example, the number of 1 bits in the bit structure of each character is counted. If the number is even (for instance, there are four 1 bits in a given eight-bit character), the system assigns the parity bit a value of one. If the number of 1 bits is odd, a 0 parity bit is added to the bit structure.


The concern is that during transmission, a 1 bit will be converted to a 0 bit or vice versa, thus destroying the bit structure integrity of the character. In other words, the original character is incorrectly presented as a different yet valid character. Errors of this sort, if undetected, could alter financial numbers. A parity check can detect errors at the receiving end. The system again counts the 1 bits, which should always equal an odd number. If a 1 bit is added to or removed from the bit structure during transmission, the number of 1 bits for the character will be even, which would signal an error.

The problem with using vertical parity alone is the possibility that an error will change two bits in the structure simultaneously, thus retaining the parity of the character. In fact, some estimates indicate a 40 to 50 percent chance that line noise will corrupt more than one bit within a character. Using horizontal parity in conjunction with vertical parity reduces this problem. In Figure 16-8, notice the parity bit following each block of characters. The combination of vertical and horizontal parity provides a higher degree of protection from line errors.
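The vertical and horizontal parity scheme of the last three paragraphs is worked through below as an added example (not code from the book), using the text's convention that a character with an even number of 1 bits receives a parity bit of 1. It shows the single-bit error that both checks catch, the two-bit error within one character that vertical parity alone misses, and how the intersection of a failing row and a failing column locates a single error; the sample characters are constructed.

```python
def parity_bit(bits):
    """Parity convention from the text: an even count of 1 bits gets a 1, an odd count
    a 0, so every protected unit carries an odd number of 1 bits."""
    return 0 if sum(bits) % 2 == 1 else 1


def encode_block(chars):
    """chars: 8-bit character codes. Returns rows of 9 bits (character + vertical
    parity) followed by one longitudinal parity row covering every column."""
    rows = [[(c >> (7 - i)) & 1 for i in range(8)] for c in chars]
    rows = [r + [parity_bit(r)] for r in rows]
    lrc = [parity_bit([r[i] for r in rows]) for i in range(9)]
    return rows + [lrc]


def decode_block(block):
    return [int("".join(map(str, r[:8])), 2) for r in block[:-1]]


def check_block(block):
    """Return (rows failing vertical parity, columns failing horizontal parity)."""
    rows, lrc = block[:-1], block[-1]
    bad_rows = [i for i, r in enumerate(rows) if sum(r) % 2 == 0]
    bad_cols = [c for c in range(9) if (sum(r[c] for r in rows) + lrc[c]) % 2 == 0]
    return bad_rows, bad_cols


def corrupt(block, flips):
    """Simulate line noise: flip the listed (row, column) bits of a copy."""
    out = [r[:] for r in block]
    for row, col in flips:
        out[row][col] ^= 1
    return out


def correct_single_error(block):
    """With exactly one bad row and one bad column, the error is located and flipped back."""
    bad_rows, bad_cols = check_block(block)
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        return corrupt(block, [(bad_rows[0], bad_cols[0])])
    return None


def demo():
    original = [0x41, 0x42, 0x43]                    # constructed: the characters "ABC"
    block = encode_block(original)
    one_bit = corrupt(block, [(1, 3)])               # single-bit error: both checks fire
    two_bits = corrupt(block, [(1, 3), (1, 5)])      # two bits in one character: only horizontal fires
    return {
        "clean": check_block(block),
        "one_bit": check_block(one_bit),
        "two_bits": check_block(two_bits),
        "repaired": decode_block(correct_single_error(one_bit)) == original,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two-bit case is the one the text warns about: the corrupted character still has an odd number of 1 bits, so its vertical parity passes, and only the longitudinal row reveals that columns 3 and 5 have been disturbed. Two bits flipped in the same column of two different characters would defeat the horizontal check in the same way, which is why parity is a detection control and retransmission remains the correction.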

Audit Objectives Relating to Equipment Failure

The auditor’s objective is to verify the integrity of the electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure.

Audit Procedures Relating to Equipment Failure

To achieve this control objective, the auditor can select a sample of messages from the transaction log and examine them for garbled contents that line noise causes. The auditor should verify that all corrupted messages were successfully retransmitted.
