
Session 3
Technology and Security Risk Services
IT Environment (2)
for Universitas Padjadjaran Accounting Department
IT Audit S1 Regular Class
by Isnaeni Achdiat, CISA, CIA, CISM
Shinta Marina
3 Oct 2005
1 October 2005

IS Audit Syllabus

No  Subject Name                               Date
1   Introduction of IS Audit                   17-Sep-05
2   IT Environment (1)                         24-Sep-05
3   IT Environment (2)                         1-Oct-05
4   IT Processes                               8-Oct-05
5   General Computer Control Review (1)        15-Oct-05
6   General Computer Control Review (2)        22-Oct-05
7   General Computer Control Case Study        29-Oct-05
8   Mid-semester Exam                          12-Nov-05
9   Application Control Review (1)             19-Nov-05
10  Application Control Review (2)             26-Nov-05
11  Application Control Case Study             3-Dec-05
12  IT Sarbanes-Oxley and IT Governance        10-Dec-05
13  IT Security and Data Analysis Approach     17-Dec-05
14  IT Risk Management & ERP Systems           24-Dec-05
15  Final Exam                                 TBA

Agenda
Operating Systems
Application Software
Database and DBMS
Data Center
Network & telecommunication infrastructure
Internet & Firewalls

Session 3 Objectives
Gain understanding of the importance and role of IT for the business
Understand IT organization & its requirements
Introduce the students to:
  The concepts of operating systems, databases, applications and data centers
  The risks and controls associated with them, and
  The basic audit/review aspects and considerations of the above concepts

Operating Systems

Operating Systems
Operating systems tasks
Major Operating Systems
Operating Systems Software Risks and Controls
Operating systems review/audit techniques
Operating systems Audit Tools


Operating Systems
Operating systems tasks
Permits users to share hardware and data
Schedules resources among users
Informs users of any errors that occur with the processor, I/O or programs
Recovery from system errors
Communication between the O/S and application programs, allocating memory to processes and making the memory available upon the completion of a process
System file and system accounting management

Operating Systems
Major Operating systems
Mainframe
  MVS, Unisys, etc.
Midrange/Minicomputers
  OS/400, VMS, Unix, SunOS, etc.
Microcomputers
  Unix, Windows NT, Windows 2000, Novell NetWare, OS/2, MacOS, DOS, Linux

Operating Systems
Risks and Controls
Risks:
  Unauthorized access
  Poor logging and audit trails
  Incompatibility with applications
Controls:
  Strong security management (including user rights and password controls management)
  Separation of duties
  Auditors' involvement in the requirement and design phase
  Periodic review of logs
  Change management
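The "periodic review of logs" control listed above is normally done with a small script rather than by eye. The following Python example is added to these notes and is not part of the original slides: the log lines are constructed sshd-style authentication records, and the thresholds (three consecutive failures, business hours 07:00 to 19:00, root as a privileged account) are assumptions chosen for illustration. It flags the patterns an auditor would ask management about: a successful logon immediately after a run of failures, direct logons as root, logons outside business hours, unresolved runs of failures, and how many lines the parser could not read.

```python
import re
from collections import defaultdict

# Constructed sample of sshd-style authentication records (not taken from the slides).
SAMPLE_AUTH_LOG = """\
Oct  3 08:01:12 srv01 sshd[2101]: Failed password for root from 10.0.0.55 port 40111 ssh2
Oct  3 08:01:15 srv01 sshd[2101]: Failed password for root from 10.0.0.55 port 40112 ssh2
Oct  3 08:01:19 srv01 sshd[2101]: Failed password for root from 10.0.0.55 port 40113 ssh2
Oct  3 08:01:24 srv01 sshd[2101]: Failed password for root from 10.0.0.55 port 40114 ssh2
Oct  3 08:01:30 srv01 sshd[2101]: Accepted password for root from 10.0.0.55 port 40115 ssh2
Oct  3 08:15:02 srv01 sshd[2150]: Accepted publickey for alice from 10.0.0.12 port 51000 ssh2
Oct  3 08:16:40 srv01 sshd[2163]: Failed password for bob from 10.0.0.13 port 51010 ssh2
Oct  3 08:16:55 srv01 sshd[2163]: Accepted password for bob from 10.0.0.13 port 51011 ssh2
Oct  3 23:42:07 srv01 sshd[2890]: Accepted password for alice from 10.0.0.12 port 51200 ssh2
Oct  3 23:50:00 srv01 sshd[2890]: Received disconnect from 10.0.0.12 port 51200:11: disconnected by user
"""

# One sshd "Accepted"/"Failed" record: timestamp, host, result, method, user, source address.
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (events, unparsed): parsed logon events and the count of non-empty lines
    the pattern did not match (a reviewer should know how much of the log was skipped)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return events, unparsed


def review_auth_log(text, fail_threshold=3, business_hours=(7, 19)):
    """Apply simple review rules to an auth log and return a list of findings.

    The thresholds are assumptions for this example; a real review takes them from policy.
    """
    events, unparsed = parse_auth_log(text)
    failures = defaultdict(int)          # (user, src) -> consecutive failed attempts
    findings = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # A successful logon: look at what preceded it and when it happened.
        if failures[key] >= fail_threshold:
            findings.append({"type": "success_after_failures", "user": ev["user"],
                             "src": ev["src"], "detail": failures[key]})
        if ev["user"] == "root":
            findings.append({"type": "direct_root_login", "user": ev["user"],
                             "src": ev["src"], "detail": ev["time"]})
        hour = int(ev["time"][:2])
        if not business_hours[0] <= hour < business_hours[1]:
            findings.append({"type": "off_hours_login", "user": ev["user"],
                             "src": ev["src"], "detail": ev["time"]})
        failures[key] = 0                # the run of failures ended here
    # Runs of failures that never ended in a success are still worth a question.
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append({"type": "repeated_failures", "user": user, "src": src, "detail": n})
    if unparsed:
        findings.append({"type": "unparsed_lines", "user": None, "src": None, "detail": unparsed})
    return findings


if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_AUTH_LOG):
        print(f"{f['type']:24} user={f['user']} src={f['src']} detail={f['detail']}")
```

On the sample above the script reports the root logon that followed four failures from the same address, the fact that it was a direct root logon, alice's 23:42 logon, and one line it could not parse. The point for the auditor is that the control is only effective if the review actually runs on a schedule and its thresholds are documented; the script is the mechanism, the schedule and follow-up are the control.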

Operating Systems
Review/Audit techniques
System software selection procedures
  Address the IS and business plan, meet control requirements, feasibility study, cost benefit analysis
Installation controls
  Written plan for installation, documentation, identification before being placed into production
Maintenance activities
  Change controls for system software
  Access limitation to the library; changes are documented and tested
Systems documentation
Licensing
  Protect against the possibility of penalties
  Protect from public embarrassment
Security parameters (special functions, passwords)
Audit and logging

Operating Systems
O/S Audit tools
AS/400
PentaSafe
Windows NT
Systems Scanner, Kane Security Analyst (KSA), NMAP for NT,
Retina, BindView
UNIX
COPS (Computer Oracle and Password System), Tripwire, NMAP,
PC-Unix Audit


Application Software

What is Application Software?

Software that is designed and created to perform a specific personal, business or scientific processing task, such as word processing, interactive games, business applications, etc.

Categories of software
In-house developed application
Integrated application (e.g. ERP systems:
SAP, JDE, PeopleSoft, Oracle, etc)
Package application (e.g. ACCPAC,
Picador, etc)


Database and DBMS

Database & DBMS


What database is
Database structure
Data management
Database Management Systems (DBMS)
Risks and controls over database
Database audit/review consideration
Sample of ORACLE database review

Database & DBMS


What database is
A collection of information organized in such a
way that a computer program can quickly
select desired pieces of data
Organized by:
Fields
Records
Files

Database & DBMS

Database structure
Hierarchical database model
  Data is organized as a tree structure
  Parent and child; a child cannot have more than one parent
  Ex. IBM's IMS (Information Management System)
Network database model
  Data related through sets, allows reverse pointers
  Ex. CA's IDMS
Relational database model
  Unlike the hierarchical and network models, an RDBMS separates the application and the data
  Models information in tables (columns and rows)
  Ex. IBM's DB2, Oracle, Sybase, MS Access, Paradox, dBASE
Object-oriented database
  Simplifies programming, flexible, deals with a variety of data types
  Ex. Objectivity/DB, IBM San Francisco, ONTOS DB, ObjectStore

Database & DBMS

Database structure example (figure)

Database & DBMS

Data Management
Data management
  Process to control data buffering, perform I/O operations and deal with file management activities
Data management file organization
  Sequential
  Indexed sequential
  Direct random access

Database & DBMS

Database Management Systems
DBMSs are software that organize, control, and use the data required by application programs (they act as an interface).
Purpose:
  To manage data
  Relieves the application of file handling
  Maintains the integrity of data
  Ensures that the data is available to multiple applications
  Provides access control and security over data

Database & DBMS

Risks and Controls
Risks:
  Confidentiality
  Integrity (incl. alteration)
  Availability
Controls:
  Access control mechanism
  Data ownership assignment
  Referential integrity check
  Logging
  Change management
  Backup and recovery procedure

Database & DBMS

Review/audit consideration
Security (protection from unauthorized access)
  Users can only access authorized data (by logon ID, password, and access control)
  Programs can only access the data required to complete a transaction (by schema or subschema)
Integrity (protection from accidental or erroneous destruction of data)
  How the DBMS handles concurrent updates
  DBMS maintenance (including fixing and testing)
  Functions performed by the DBA
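Three of the controls named on the last two slides, the referential integrity check, restricting a program to the data it needs (a subschema), and logging of changes, can be shown in a few lines of SQL. The Python/SQLite example below is added here and is not from the original slides; the departments and employees tables, the employee_directory view and the salary_audit table are constructed sample objects. SQLite has no user accounts, so the view stands in for the schema/subschema mechanism that a full DBMS would pair with logon IDs and access control lists.

```python
import sqlite3


def build_db():
    """Create an in-memory database with constructed sample data (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    # SQLite checks foreign keys only when this pragma is on; it is off by default.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE departments (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        CREATE TABLE employees (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept_id INTEGER NOT NULL REFERENCES departments(dept_id),  -- referential integrity
            salary  INTEGER NOT NULL
        );
        -- Subschema: the staff-directory program needs names and departments, never
        -- salaries, so it is given this view instead of the base table.
        CREATE VIEW employee_directory AS
            SELECT e.emp_id, e.name, d.name AS department
            FROM employees e JOIN departments d ON d.dept_id = e.dept_id;
        -- Logging control: every salary change is recorded with before/after values.
        CREATE TABLE salary_audit (
            emp_id     INTEGER NOT NULL,
            old_salary INTEGER NOT NULL,
            new_salary INTEGER NOT NULL,
            changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
        );
        CREATE TRIGGER log_salary_change AFTER UPDATE OF salary ON employees
        BEGIN
            INSERT INTO salary_audit (emp_id, old_salary, new_salary)
            VALUES (NEW.emp_id, OLD.salary, NEW.salary);
        END;
        INSERT INTO departments VALUES (10, 'Accounting'), (20, 'IT Audit');
        INSERT INTO employees VALUES (1, 'Ani', 10, 5000), (2, 'Budi', 20, 6000);
    """)
    return conn


def insert_employee(conn, emp_id, name, dept_id, salary):
    """Return True if the row was accepted, False if the foreign-key check rejected it
    (an employee pointing at a department that does not exist)."""
    try:
        with conn:   # commits on success, rolls back on error
            conn.execute("INSERT INTO employees VALUES (?, ?, ?, ?)",
                         (emp_id, name, dept_id, salary))
        return True
    except sqlite3.IntegrityError:
        return False


def directory_columns(conn):
    """Columns visible to a program that only has the directory view."""
    cur = conn.execute("SELECT * FROM employee_directory")
    return [d[0] for d in cur.description]


def update_salary(conn, emp_id, new_salary):
    """Change a salary and return the audit trail the trigger produced."""
    with conn:
        conn.execute("UPDATE employees SET salary = ? WHERE emp_id = ?", (new_salary, emp_id))
    return conn.execute(
        "SELECT emp_id, old_salary, new_salary FROM salary_audit ORDER BY rowid"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("orphan row accepted?", insert_employee(db, 3, "Citra", 99, 4000))   # False
    print("valid row accepted? ", insert_employee(db, 3, "Citra", 10, 4000))   # True
    print("directory sees:", directory_columns(db))                             # no salary column
    print("audit trail:", update_salary(db, 1, 5500))                           # [(1, 5000, 5500)]
```

The review question for each control follows directly: is foreign-key enforcement actually switched on (here a single pragma decides it), do application accounts use the restricted view or the base table, and can the audit table be altered by the same accounts whose changes it records.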

Data Center

Data Center
A data center is the business of providing a physical location as well as the applicable IT services (e.g. bandwidth to the Internet, facilities management, hardware/software, IT services, etc.) to run computer applications (e.g. websites, e-mail, trading systems, etc.) at a site that is generally located remotely from a corporation's or individual's own premises. The eventual goal is to fully outsource corporate IT requirements, leveraging economies of scale at price points and service levels that are difficult to achieve in-house.


Discussion (Group Assignment)

What are the risks associated with data centers, and what controls can mitigate those risks?

Network

Network & telecommunication infrastructure

Network Eras
Network architecture
Data Communication
Network Protocols
Transmission media
Local Area Networks and Wide Area Networks
Risks and controls
Audit and Evaluation Techniques

Network infrastructure
Network Eras
ERA 1: Mainframe Networks (1965 - 1975)
ERA 2: Minicomputer Networks (1975 - 1985)
ERA 3: Shared-bandwidth LANs (1985 - 1995)
ERA 4: Switching LANs (1995 - )


Network Eras
Mainframe Networks
Groups of terminals attached to cluster controllers.
Controllers were connected to the front-end processor through point-to-point cables (for local connections) or leased telephone lines (for remote connections).

Network Eras
Minicomputer Networks
Terminals connected directly to a port on the mini.
Statistical multiplexers provide wide area line sharing and error protection.
Data PBXs were central to many networks, allowing terminal users to select computers and contend for expensive computer ports.

Network Eras
Shared-bandwidth LANs
LAN-based network operating systems emerged.
Shared bandwidth: PCs and other devices were attached to a single Ethernet segment or a single token ring.

Network Eras
Switched LANs
The rapid growth in the power of PCs (servers), which can handle throughput rates significantly higher than Ethernet or token ring provides.
Data representation through images rather than text.
Emergence of the World Wide Web, document imaging, medical radiology, CAD, video training, and pre-press editing (all require large amounts of bandwidth).

Network architecture
Bus configuration
Ring configuration
Star configuration
Mesh configuration

Network architecture
Bus configuration
Advantages:
  Reliable in very small networks
  Easy to use and understand
  Requires less cable, less expensive
  Is easy to extend; a repeater can be used to extend the configuration
Disadvantages:
  Heavy network traffic can slow the performance
  Each connection between two cables weakens the electrical signal
  Difficult to locate network errors; difficult to troubleshoot

Network architecture
Ring configuration
Advantages:
  Every computer is given equal access, since a token is passed around the ring indicating authorization to transmit
  The network degrades gracefully
Disadvantages:
  Failure of one computer in the network can affect the whole network
  Difficult to troubleshoot
  Adding or removing computers can disrupt the network

Network architecture
Star configuration
Advantages:
  Easy to modify and add new computers
  The center of the star is a good place to diagnose network problems
  Single computer failures do not bring down the network
  Several cable types can be used in the configuration
Disadvantages:
  If the central hub fails, the whole network ceases to function
  Requires a device at the center to rebroadcast or switch network traffic
  More cable is required than in a bus configuration

Network architecture
Mesh configuration
Advantages:
  Fault tolerant
  Easy to diagnose problems
  Guaranteed channel capacity
Disadvantages:
  Difficult to install and reconfigure, since there is a connection with every machine on the network
  High cost of installation

Telecommunication infrastructure
Data Communication
Simply put, it involves the transmission of speech and/or data between two connected devices.
Data communications describes the use of protocols (rules) and specific equipment to coordinate and facilitate the successful transmission and receipt of data between source and destination.

Telecommunication infrastructure
Network Protocols
Protocols are the set of rules for the packaging and transmission of data.
Examples:
  Transmission Control Protocol/Internet Protocol (TCP/IP)
  Virtual Telecommunications Access Method (VTAM)
  IPX/SPX
  AppleTalk
  PPP (Point-to-Point Protocol), X.25

Telecommunication infrastructure
Transmission media
Copper (twisted pair) circuits
Coaxial cables
Fiber optic systems
Radio systems
Microwave radio systems
Satellite radio link systems


Telecommunication infrastructure
LANs and WANs
LANs:
  Within buildings or departments
  Digital signals used
  Computer to computer transmission
  Use high quality cables
WANs:
  Spread over multiple sites
  Require the use of special communications hardware
  May use public long distance communications links
  Tend to be more complex than LANs

Telecommunication infrastructure
Network Risks and Controls
Risk: Unauthorized access (incl. tapping)
  Controls: Encryption; Access controls
Risk: Performance degradation
  Controls: Performance monitoring (response time reports, down time reports, online monitors (echo checking), help desk reports)
Risk: Remote access & dial-up
  Controls: Call back facility
Risk: Viruses, trojans
  Controls: Anti-virus and forced update; Clear policy
Astalavista.box.sk

Telecommunication infrastructure
Audit and Evaluation Techniques
LAN review
Physical security
  Observe the LAN and transmission wiring closet and server location; test access keys
Environmental controls
  Surge protectors, air conditioning, humidity, power supply, backup media protection, fire extinguishers
Logical security
  Interview the LAN admin, penetration test, search for written-down passwords, test the log-off period, dial-up connections

Internet

Internet
What is the Internet
Why use the Internet
The risks of the Internet
How to control Internet use
What is a Firewall
How a Firewall works
What a Firewall can do
What a Firewall can't do

What is the Internet?
World's largest computer network
Based on the TCP/IP protocol suite
Links universities, governments, companies, etc.
Large international presence: > 170 countries

Why Use the Internet?

Provides cost effective communication for:
  eCommerce
  Electronic Mail (SMTP)
  Remote Terminal Access (Telnet)
  File Transfer (FTP)
Good information source
  World Wide Web access (HTTP)

The Risk of the Internet

Perhaps the biggest risk....... You don't know who is out there!
Because the Internet is so convenient to use, security implications are often overlooked
Possible network backdoor connections open to hackers
Viruses from downloaded software (e.g. screensavers)
Disclosure of sensitive info (e.g. credit card numbers)

How to Control Internet Use?

Develop policies to define acceptable usage
  Personal use
  Business use (encrypting messages to business partners)
Educate users on Internet risks
Use of Firewalls

What is a Firewall?
A firewall is a combination of hardware and software that enforces an existing network access policy
Prevents unauthorized traffic in and out of a secure network
It restricts people to entering at a carefully controlled point
It prevents attackers from getting close to other network security defenses

How a Firewall works?

(Diagram: traffic from the Internet enters through the Firewall Gateway; rejected external traffic is stopped at the firewall, while permitted traffic reaches the Local Area Network, the Wide Area Network and the Mainframe/Legacy Systems behind it.)

What can a Firewall Do?

A firewall is a focus for security decisions. Think of a firewall as a choke point. All traffic in and out must pass through this single checkpoint, or gateway.
A firewall can enforce security policy. Many of the services that people want from the Internet are inherently insecure. A firewall acts as the traffic cop for these services.

What can a Firewall Do? (Cont'd)

A firewall can effectively log Internet activity. Because all traffic passes through the firewall gateway, it is a good place to collect information about system and network use .... AND misuse.
A firewall reduces external network exposure. It can also be used to keep sections of a network separate from other sections.
  e.g. preventing certain employees from attaching documents to e-mails
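The slides describe a firewall as a choke point that enforces a written policy and logs both what it passes and what it rejects. The Python example below is added here and is not from the original slides: it is a simplified, ordered packet-filter policy (the rule names R1 to R4, the addresses, the ports and the sample packets are all constructed) ending in the implicit default-deny that makes a choke point worth having. Every decision is recorded together with the rule that produced it, which is the "log Internet activity" benefit in practice, and the rejected external traffic is counted the way a reviewer would want to see it summarised.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dst_port: Optional[int]  # None means any port


# Constructed policy for a small site (names, addresses and ports are illustrative).
# Rules are evaluated top to bottom; the first match wins.
POLICY = [
    Rule("R1", "allow", "tcp", "0.0.0.0/0",  "192.0.2.10/32", 25),  # Internet -> mail relay, SMTP
    Rule("R2", "allow", "tcp", "0.0.0.0/0",  "192.0.2.20/32", 80),  # Internet -> web server, HTTP
    Rule("R3", "allow", "tcp", "10.0.0.0/8", "0.0.0.0/0",     80),  # LAN users -> web
    Rule("R4", "deny",  "tcp", "10.0.0.0/8", "0.0.0.0/0",     23),  # explicit: no Telnet out (named so it is reported)
]
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def matches(rule, pkt):
    """True if the packet falls inside every field of the rule."""
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt["dst_port"]:
        return False
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst))


def evaluate(pkt, policy=POLICY):
    """Return (action, rule_id); anything no rule covers is denied by the implicit default."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.rule_id
    return "deny", "DEFAULT"


def run_policy(packets, policy=POLICY):
    """Evaluate each packet and keep one log entry per decision, allowed or rejected."""
    log = []
    for pkt in packets:
        action, rule_id = evaluate(pkt, policy)
        log.append({**pkt, "action": action, "rule": rule_id})
    return log


def rejected_external(log, internal=INTERNAL_NET):
    """Count denied packets that came from outside the internal network: the
    'rejected external traffic' of the diagram, and the first thing a reviewer reads."""
    return sum(1 for e in log
               if e["action"] == "deny" and ipaddress.ip_address(e["src"]) not in internal)


# Constructed sample traffic (not from the slides).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10",   "dst_port": 25},  # SMTP in
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10",   "dst_port": 22},  # SSH at relay
    {"proto": "tcp", "src": "10.0.0.12",   "dst": "198.51.100.5", "dst_port": 80},  # user browsing
    {"proto": "tcp", "src": "10.0.0.12",   "dst": "198.51.100.5", "dst_port": 23},  # Telnet out
    {"proto": "udp", "src": "203.0.113.9", "dst": "192.0.2.20",   "dst_port": 53},  # DNS at web server
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.20",   "dst_port": 80},  # HTTP in
]


if __name__ == "__main__":
    decisions = run_policy(SAMPLE_PACKETS)
    for e in decisions:
        print(f"{e['rule']:8} {e['action']:5} {e['proto']} {e['src']} -> {e['dst']}:{e['dst_port']}")
    print("rejected external packets:", rejected_external(decisions))
```

Two design points carry over to real firewall reviews. The explicit deny in R4 exists only so that a policy violation is logged under a name rather than disappearing into the default; and the log is complete only for traffic that actually crosses this evaluator, which is the limitation the following slides state for connections that do not go through the firewall.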

What can't a Firewall Do?

A firewall can't protect you against malicious insiders. If the fox is inside the hen house, a firewall can do nothing for you.
A firewall can't protect you against connections that don't go through it. There is nothing it can do for traffic that does not pass through it.

What can't a Firewall Do? (Cont'd)

A firewall can't completely protect against new threats. A firewall can only protect against known threats. You can't set up a firewall once and expect it to protect you forever.
A firewall can't protect against viruses, as these are typically spread within documents.

Summary
The hardware, systems software, communication lines, networks, Internet and data center are all organizational assets that should be properly controlled and managed by management.
Today's auditors should be familiar with, and prepared to deal with, the rapid developments in IT (hardware, OS, communication, networks, Internet and data center) and their risks.
IS Auditors' tasks:
  Review the existing controls available
  Test the compliance
  Recommend adequate controls

Question and Answer

Thank You
