Chapter 16

Controlling Computer-Based Information Systems, Part II

Objectives for Chapter 16

Risks associated with electronic commerce conducted over intranets and the Internet and the control techniques used to reduce these risks Exposures that arise in connection with electronic data interchange (EDI) and how these exposures can be reduced Exposures that threaten firms that rely on personal computers and the controls necessary to reduce risks in this environment The principal input, processing, and output controls that are used to ensure the integrity of computer applications

Organizational Structure Internet & Intranet

Operating System

Data Management

Internet & Intranet

Systems Development

EDI Trading Partners

Systems Maintenance

Personal Computers Applications

Computer Center Security

General Control Framework for CBIS Risks

Organizational Structure Internet & Intranet

Operating System

Data Management

Internet & Intranet

Systems Development

EDI Trading Partners

Systems Maintenance

Personal Computers Applications

Computer Center Security

General Control Framework for CBIS Risks

Internet and Intranet Risks

Communications is a unique aspect of the computer networks:
different than processing (applications) or data storage (databases)

Loss, destruction, and corruption of data from two main sources:

subversive activities, both inside or outside the firm equipment failure

Internet and Intranet Risks from Subversive Threats

These acts include:
unauthorized interception of a message gaining unauthorized access to an organizations network a denial-of-service attack from a remote location

Controlling Risks from Subversive Threats

Firewalls - software and hardware that provide security by channeling all network connections through a control gateway
Network level firewalls
low cost and low security access control does not explicitly authenticate outside users mainly for filtering out junk or improperly routed messages hackers can easily penetrate the system

Application level firewalls

a high level of customizable network security, but can be extremely expensive performs sophisticated functions such as logging or user authentication

Dual-Homed Firewall

Access Attempts from the Internet

HOST The Internet

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

LAN

First Firewall Restricts Access to Host Computer Operating System

Second Firewall Restricts Access to Network Server

Controlling Risks from Subversive Threats

Denial-of-service (DOS) attacks
Security software searches for connections which have been half-open for a period of time.

Encryption
Computer program transforms a clear message into a coded (cipher) text form using an algorithm.

DOS Attack
Sender Receiver

Step 1: SYN messages Step 2: SYN/ACK

Step 3: ACK packet code

In a DOS Attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not response with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.

Variations of DOS Attacks

Smurfing
by sending pings to all members in a network to respond to the victims spoofed IP address causes the victims server to be flooded

SYN flooding
never sending the final (ACK) part of the threeway handshake causes the victim to keep sending the second (SYN/ACK) part until times out

Ping of death
send an invalid packet size in the protocol packet header confuses the operating system

Controlling Risks from Subversive Threats

Encryption
A computer program transforms a clear message into a coded (ciphertext) form using an algorithm. Encryption can be used for transmitted data and for stored data.

Data Encryption Standard Technique

Key Encryption Program

Cleartext Message

Ciphertext

Communication System

Cleartext Message

Encryption Program

Ciphertext

Communication System

Key

Public and Private Key Encryption

Message A Multiple people may have the public key (e.g., subordinates). Message B Message C Message D Public Key is used for encoding messages.

Ciphertext Typically one person or a small number of people have the private key (e.g., a supervisor). Message A

Ciphertext

Ciphertext

Ciphertext

Private Key is used for decoding messages.

Message B

Message C

Message D

Controlling Risks from Subversive Threats

Digital signature: electronic authentication
technique that ensures that the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied

Digital certificate: like an electronic

identification card that is used in conjunction with a public key encryption system to verify the authenticity of the message sender

Senders Location

Receiver's Location
Compare

Text Message Encrypt Using Receivers Public Key Digital Signature Compute Digest of Message Digest Digest

Decrypt Using Senders Public Key

Compute Digest of Message

Digest

Encrypted Message with Digital Signature Attached

Digital Signature

Text Message

Encrypt Using Senders Private Key Decrypt Using Receivers Private Key

Digital Signature

Digital Signature

Controlling Risks from Subversive Threats

Message sequence numbering
sequence number used to detect missing messages

Message transaction log

listing of all incoming and outgoing messages to detect the efforts of hackers

Request-response technique
random control messages are sent from the sender to ensure messages are received

Call-back devices
receiver calls the sender back at a pre-authorized phone number before transmission is completed

Controlling Risks from Equipment Failure

Line errors from noise on a communications. Two techniques to detect and correct such data errors: echo check - the receiver returns the message to the sender parity checks - an extra bit is added onto each byte of data similar to check digits Backup control for networks small networks - a single workstation medium networks - a network server large networks - multiple servers

Vertical and Horizontal Parity

Vertical Parity Bit When Bit Structure Has an Even Number of 1 Bits, Parity Bit = 1

1 0 1 1 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 Bit Structure of Character 0 0 0 0 0 1 0 1 0 1 1 1 1 0 1 0 0 1 0 0 1 1 0 1 0

0 0 0 0 0 0 1 1 1 1 1 1 0 0 1 1 1 1

0 1 0 1 1 0 1 0 0 Horizontal Parity Bit

Start of Message

Block of Data

End of Message

Organizational Structure Internet & Intranet

Operating System

Data Management

Internet & Intranet

Systems Development

EDI Trading Partners

Systems Maintenance

Personal Computers Applications

Computer Center Security

General Control Framework for CBIS Risks

Electronic Data Interchange (EDI) Risks

Authorization
automated and absence of human intervention

Access
need to access EDI partners files

Audit trail
paperless and transparent (automatic) transactions

Electronic Data Interchange (EDI) Controls

Authorization
use of passwords and VANs to ensure valid partner

Access
software to specify what can be accessed and at what level

Audit trail
control log records the transactions flow through each phase of the transaction processing

EDI System without Controls

Company A
Application Purchases Software System

Company B (Vendor)
Sales Order System Application Software

EDI Translation Software Direct Connection

Communications Software

EDI Translation Software

Communications Software

EDI System with Controls

Company A
Application Purchases Software System Audit trail of transactions between trading partners

Company B (Vendor)
Sales Order System Application Software

EDI Translation Software

Communications Software

Transaction Transaction Log Log

EDI Translation Software

Communications Software

Software limits vendors (Company B) Company As mailbox access to company As database

Other Mailbox

VAN
Other Mailbox

Company Bs mailbox

Use of VAN to enforce use of passwords and valid partners

Organizational Structure Internet & Intranet

Operating System

Data Management

Internet & Intranet

Systems Development

EDI Trading Partners

Systems Maintenance

Personal Computers Applications

Computer Center Security

General Control Framework for CBIS Risks

Personal Computer (PC) Controls

PCs
are relatively simple to use are frequently controlled and used by end users usually employ interactive (v. batch) data processing typically run commercial software applications allow users to develop their own applications

PCs, in contrast to servers and mainframes, have weak operating systems.

makes them easy to use but results in minimal security and weak controls

Access Risks in the PC Environment

PCs typically weak in controlling access data files Techniques to prevent theft or tampering of data:
data encryption - must decode even if stolen disk locks - software or physical locks to prevent booting from A:\

Inadequate Segregation of Duties

In PC environments, employees often have access to multiple applications that process incompatible transactions. Controls:
increased supervision detailed management reports more frequent independent verification

PC Backup Controls
PC end-users often fail to appreciate the importance of backup procedures until it is too late. Back up mechanisms:
tape--high capacity (3.2gb, inexpensive) CD--about 650mb (>450 floppies) dual internal hard drives (high capacity) dual external hard drives (>12 gb) USB memory attachments (portable, >64 mb)

Inadequate Systems Development and Maintenance Procedures in PCs Commercial software should be used when possible for accounting applications, and these systems should be purchased from a reputable vendor. Formal software selection procedures should be practiced by firms of all sizes.

Organizational Structure Internet & Intranet

Operating System

Data Management

Internet & Intranet

Systems Development

EDI Trading Partners

Systems Maintenance

Personal Computers Applications

Computer Center Security

General Control Framework for CBIS Risks

Application Controls
Narrowly focused exposures within a specific system, for example:
accounts payable cash disbursements fixed asset accounting payroll sales order processing cash receipts general ledger

Application Controls
Risks within specific applications Can affect manual procedures (e.g., entering data) or embedded procedures Convenient to look at in terms of:
input stage processing stage output stage
INPUT PROCESSING OUTPUT

Application Controls Input

Goal of input controls - inputted data are valid, accurate, and complete Source document controls
use prenumbered source documents auditing missing source documents
GIGO

Data coding controls

transcription errors check digits

Application Controls Input

Batch controls - used to reconcile the output produced by the system with the input originally entered into the system Based on different types of batch totals:
total number of records total dollar value hash totals - sum of non-financial numbers

Application Controls Input

Validation controls - intended to detect errors in transaction data before the data are processed
field interrogation - data in individual fields; for example, missing data, data type, range record interrogation - interrelationship of data in fields of a record file interrogation - the correct file; for example, internal and external labels compared, version, dates

Application Controls Input

Input error correction techniques
immediate correction during data entry error file creation batch rejection

Application Controls Input

Generalized data input systems (GDIS) centralized procedures to manage the data input for all of the organizations TPSs Five major components: generalized validation module - standard validation routines common to different applications validated data file error file error reports transaction log

G D I S

Application Controls Processing

Run-to-run controls - use batch figures to monitor the batch as it moves from one programmed procedure (run) to another Operator intervention controls - used to limit human involvement in certain actions in order to reduce error Audit trail controls - numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements

Transaction Log to Preserve the Audit Trail

Application Controls Output

Goal of output controls is to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. In the following flowchart, there are exposures at every stage.

Output Run (Spooling)

Output Report

Output File Print Run Output Report

Data Control Output Report Report Distribution Output Report End User

Bursting Aborted Output Waste

Output Report File

STAGES IN THE OUTPUT PROCESS

Application Controls Output

Batch systems output: spooling creates a file as an intermediate step in the printing process that is a risk Report distribution: for sensitive reports, the following are available:
use of secure mailboxes in which to place reports require the user to sign for reports in person deliver the reports to the user

Application Controls Output

End user controls: end users need to inspect reports and report any inaccurately produced reports
Highly sensitive reports should be shredded after their use.

Controlling real-time system output: the primary output threat is the interception, disruption, destruction, or corruption of the output message as it passes along the communications link