Audit in CIS Environment Session 5
Auditing IT Controls Part II: Security and Access
Learning Objectives
• Be able to identify the principal threats to the operating system
and the control techniques used to minimize the possibility of
actual exposures.
• Be familiar with the principal risks associated with electronic
commerce conducted over intranets and the Internet and
understand the control techniques used to reduce these risks.
• Be familiar with the risks to database integrity and the controls
used to mitigate them.
• Recognize the unique exposures that arise in connection with
electronic data interchange and understand how these
exposures can be reduced.
Controlling the Operating System
• The operating system is the computer’s control program.
• It allows users and their applications to share and access
common computer resources, such as processors, main
memory, databases, and printers.
• If operating system integrity is compromised, controls
within individual accounting applications may also be
circumvented or neutralized.
Controlling Networks
• Network topologies consist of various configurations of (1)
communications lines, (2) hardware components, and (3)
software.
• The technology of network communications is subject to
two general forms of risk:
1. Risks from subversive threats
2. Risks from equipment failure
CONTROLLING RISKS FROM SUBVERSIVE THREATS
• Firewalls
• A firewall is software and hardware that provide a focal point
for security by channeling all network connections through a
control gateway.
• Network-level firewalls are systems that provide basic
screening of low-security messages (for example, e-mail) and
route them to their destinations based on the source and
destination addresses attached.
• A screening router is a firewall that examines the source and
destination addresses attached to incoming message packets.
• Application-level firewalls provide high-level network
security.
Dual-Homed Firewall
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Controlling Denial of Service Attacks
• An Intrusion Prevention System (IPS) uses deep packet
inspection (DPI) to determine when an attack is in progress.
• Deep packet inspection (DPI) evaluates the contents of message
packets with a variety of analytical and statistical techniques
to determine when a DoS attack is in progress.
• Encryption
• Encryption is the use of a computer program to transform a
standard message being transmitted into a coded (cipher text)
form.
• Private key encryption is one method of encryption: a single key
both encodes and decodes the message.
• Public key encryption is a technique that uses two encryption
keys: one for encoding the message, the other for decoding it.
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Encryption (continued)
• PRIVATE KEY ENCRYPTION: Advanced encryption
standard (AES) is a 128-bit encryption technique, also known
as Rijndael, a private key (or symmetric key) encryption
technique. Triple-DES encryption is an enhancement to an
older encryption technique for transmitting transactions. EEE3
is encryption that uses three different keys to encrypt the
message three times. EDE3 is encryption that uses one key to
encrypt the message, a second key to decrypt the result, and a
third key to encrypt it again (encrypt-decrypt-encrypt).
• PUBLIC KEY ENCRYPTION: RSA (Rivest-Shamir-Adleman)
is one of the most trusted public key encryption methods. This
method, however, is computationally intensive and much
slower than private key encryption. A digital envelope is an
encryption method in which both DES and RSA are used
together.
The Advanced Encryption Standard Technique
EEE3 and EDE3 Encryption
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Digital Signatures
• A digital signature is an electronic authentication technique
that ensures the transmitted message originated with the
authorized sender and that it was not tampered with after the
signature was applied.
• A digest is a mathematical value calculated from the text
content of the message.
• Digital Certificate
• A digital certificate is a sender’s public key that has been
digitally signed by a trusted third party.
• A certification authority (CA) is a trusted third party that
issues digital certificates.
Digital Signature
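An added worked example (not part of the slides) of the digital signature and digital certificate mechanics described above, in Go using only the standard library: the sender computes a digest of the message and signs it, the receiver recomputes the digest and verifies the signature, and the sender's public key is accepted only when a CA has signed it. The payment message is constructed for the example, and the PKCS#1 encoding of the key is an assumption standing in for a real X.509 certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Digest is the fixed-size value computed from the message text; any change to the text changes it.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign encrypts the digest with the sender's private key (RSASSA-PKCS1-v1_5).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(msg))
}

// Verify recomputes the digest at the receiver and checks the signature with
// the sender's public key; false means the text was altered or the key is wrong.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(msg), sig) == nil
}

// CertifyKey models a digital certificate as the slides define it: the sender's
// public key signed by a CA. PKCS#1 encoding stands in for a real X.509 certificate.
func CertifyKey(ca *rsa.PrivateKey, pub *rsa.PublicKey) (encoded, caSig []byte, err error) {
	encoded = x509.MarshalPKCS1PublicKey(pub)
	caSig, err = Sign(ca, encoded)
	return
}

// TrustKey accepts a sender key only if its certificate verifies under the
// CA's public key, then decodes it for use with Verify.
func TrustKey(caPub *rsa.PublicKey, encoded, caSig []byte) (*rsa.PublicKey, bool) {
	if !Verify(caPub, encoded, caSig) {
		return nil, false
	}
	pub, err := x509.ParsePKCS1PublicKey(encoded)
	return pub, err == nil
}

// Demo runs the exchange on a constructed payment message and returns the
// results of three checks: genuine text, tampered text, uncertified sender key.
func Demo() (genuine, tampered, uncertified bool) {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("PAY supplier 4471 amount 12,500.00 ref PO-8812") // constructed sample
	sig, _ := Sign(sender, msg)
	encoded, caSig, _ := CertifyKey(ca, &sender.PublicKey)
	pub, ok := TrustKey(&ca.PublicKey, encoded, caSig)
	genuine = ok && Verify(pub, msg, sig)
	// One changed digit changes the digest, so the original signature no longer matches.
	tampered = ok && Verify(pub, []byte("PAY supplier 4471 amount 92,500.00 ref PO-8812"), sig)
	// A key the impostor certified for itself fails the CA check before any message check.
	selfEnc, selfSig, _ := CertifyKey(impostor, &impostor.PublicKey)
	_, uncertified = TrustKey(&ca.PublicKey, selfEnc, selfSig)
	return
}

func main() {
	g, t, u := Demo()
	fmt.Printf("genuine=%v tampered=%v uncertified=%v\n", g, t, u)
}
```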
Digital Certificate Example
To enable a digital certificate for secure email communication (such
as encrypting or digitally signing emails) in Microsoft Outlook, follow
these steps:
1. Obtain a Digital Certificate:
   • Before you can enable and use a digital certificate in Outlook, you
     need to acquire one from a trusted Certificate Authority (CA) like
     Comodo, DigiCert, or GlobalSign. These certificates are typically in
     the S/MIME (Secure/Multipurpose Internet Mail Extensions) format.
   • Once you have the certificate, you’ll need to install it on your
     computer. This is typically done by opening the certificate file (.pfx or
     .p12) and following the installation prompts. The private key is
     securely stored in the system.
2. Install the Certificate in Outlook:
   • Under the Encrypted email section, click on Settings next to the Digital IDs
     (Certificates) option.
   • In the Digital ID Settings window, click Choose under Signing Certificate and select
     the installed certificate from your list.
   • Optionally, choose the same certificate under Encryption Certificate if you want to
     enable encrypted email.
3. Configure Email Signing and Encryption:
   • Once the certificate is set up, you can configure your email to sign or encrypt
     messages by default. Under Email Security in the Trust Center, check the boxes for:
      • Encrypt contents and attachments for outgoing messages (if you want to
        encrypt emails).
      • Add digital signature to outgoing messages (if you want to sign all emails).
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Message Sequence Numbering
• Message sequence numbering is a sequence number
inserted in each message to foil any attempt by an intruder in
the communications channel to delete a message from a
stream of messages, change the order of messages received,
or duplicate a message.
• Message Transaction Log
• A message transaction log is a log in which all incoming and
outgoing messages, as well as attempted (failed) access,
should be recorded.
• Request-Response Technique
• The request-response technique is a technique in which a
control message from the sender and a response from the
receiver are sent at periodic synchronized intervals.
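An added example (not from the slides) of message sequence numbering feeding a message transaction log, in Go: the receiver checks each arriving sequence number, records every arrival whether accepted or not, and reports deleted, duplicated and reordered messages. The order stream is constructed for the example.

```go
package main
import "fmt"

// Message is one unit in the stream; Seq is the number the sender inserts.
type Message struct{ Seq int; Body string }

// LogEntry is one line of the message transaction log: every arrival is recorded.
type LogEntry struct {
	Seq      int
	Accepted bool
	Finding  string
}

// Receiver checks each sequence number on arrival and keeps the log.
type Receiver struct {
	next    int
	seen    map[int]bool
	Missing map[int]bool // numbers skipped by a gap that have not arrived
	Log     []LogEntry
}

// Accept classifies one arrival: a repeated number is a duplicate and is
// rejected; a jump past the expected number is a gap (deletion or reorder);
// a lower, unseen number is a late message that closes an earlier gap.
func (r *Receiver) Accept(m Message) bool {
	e := LogEntry{Seq: m.Seq, Accepted: true, Finding: "in sequence"}
	switch {
	case r.seen[m.Seq]:
		e.Accepted, e.Finding = false, "duplicate: sequence number already received"
	case m.Seq > r.next:
		for s := r.next; s < m.Seq; s++ {
			r.Missing[s] = true
		}
		e.Finding = fmt.Sprintf("gap: %d message(s) expected before this one", m.Seq-r.next)
		r.next = m.Seq + 1
	case m.Seq < r.next:
		delete(r.Missing, m.Seq)
		e.Finding = "out of order: arrived after a higher sequence number"
	default:
		r.next = m.Seq + 1
	}
	if e.Accepted {
		r.seen[m.Seq] = true
	}
	r.Log = append(r.Log, e)
	return e.Accepted
}

// ConstructedStream is sample input as an intruder might have altered it:
// message 3 deleted, message 5 duplicated, messages 6 and 7 swapped.
var ConstructedStream = []Message{
	{1, "ORDER 1001"}, {2, "ORDER 1002"}, {4, "ORDER 1004"}, {5, "ORDER 1005"},
	{5, "ORDER 1005"}, {7, "ORDER 1007"}, {6, "ORDER 1006"},
}

// Process runs a stream through a receiver expecting seq 1 first; it returns the receiver and the count accepted.
func Process(stream []Message) (*Receiver, int) {
	r, n := &Receiver{next: 1, seen: map[int]bool{}, Missing: map[int]bool{}}, 0
	for _, m := range stream {
		if r.Accept(m) {
			n++
		}
	}
	return r, n
}

func main() {
	r, n := Process(ConstructedStream)
	fmt.Printf("%d of %d accepted; never received: %v; log: %+v\n", n, len(ConstructedStream), r.Missing, r.Log)
}
```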
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
• Call-Back Devices
• A call-back device is a hardware component that asks the
caller to enter a password and then breaks the connection to
perform a security check before calling the user back at an
authorized number.
• Audit Objectives Relating to Subversive Threats
• Audit Procedures Relating to Subversive Threats
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
Audit Objectives Relating to Subversive Threats
Data Integrity:
Ensure that data is protected from unauthorized changes or
tampering, and that all transactions are processed
accurately.
Validate that controls are in place to prevent, detect, and
correct data manipulation or corruption caused by internal
or external threats.
Confidentiality:
Ensure that sensitive information is adequately protected
from unauthorized access and exposure to external
attackers or internal personnel without proper privileges.
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
Audit Objectives Relating to Subversive Threats
System Availability:
Ensure that systems remain operational and accessible to authorized users,
particularly in the face of potential subversive threats such as Denial of Service
(DoS) attacks or sabotage.
Verify that adequate backup, recovery, and incident response procedures are in
place to minimize downtime and data loss in the event of an attack.
Access Control:
Ensure that appropriate authentication and authorization mechanisms are in
place to prevent unauthorized access to systems and data.
Audit Trail Maintenance:
Ensure that systems maintain detailed logs of all user activities and access
attempts, allowing auditors to identify and investigate potential security
breaches or malicious activities.
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
Audit Procedures Relating to Subversive Threats
1. Review of Access Controls:
Procedure: Evaluate the effectiveness of user access controls by
reviewing policies related to user authentication (e.g., passwords, multi-
factor authentication) and authorization (e.g., role-based access).
Objective: Ensure that access to sensitive systems and data is
restricted to authorized personnel and that unauthorized access is
promptly detected and denied.
2. Examination of System Logs and Audit Trails:
Procedure: Examine logs and audit trails to identify any suspicious
activities, such as multiple failed login attempts, unauthorized access,
or unusual transaction patterns.
Objective: Ensure that a proper audit trail exists to detect and
investigate subversive activities, such as data tampering or
unauthorized changes.
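An added example (not part of the slides) of the log examination in procedure 2, in Go: it parses a constructed authentication log in a made-up format, flags user/source pairs with repeated failed logins inside a time window, and separately flags a successful login that follows such a burst. The log format, user names and addresses are all assumptions for the example.

```go
package main
import (
	"fmt"
	"strings"
	"time"
)

type Event struct{ At time.Time; User, Source string; Failed bool }

// ConstructedLog is sample input in a made-up format for this example
// ("<RFC3339 time> <user> <source> <OK|FAIL>"), not output of any real system.
const ConstructedLog = `2024-03-04T08:00:01Z jsmith 10.1.4.22 FAIL
2024-03-04T08:00:09Z jsmith 10.1.4.22 FAIL
2024-03-04T08:00:17Z jsmith 10.1.4.22 FAIL
2024-03-04T08:00:24Z jsmith 10.1.4.22 FAIL
2024-03-04T08:00:31Z jsmith 10.1.4.22 FAIL
2024-03-04T08:00:40Z jsmith 10.1.4.22 OK
2024-03-04T11:02:13Z rgarcia 203.0.113.9 FAIL
2024-03-04T11:02:14Z rgarcia 203.0.113.9 FAIL`

// Parse converts raw lines to events. A malformed line is an error, not
// something to skip silently: a gap in the trail is itself an audit finding.
func Parse(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, Event{at, f[1], f[2], f[3] == "FAIL"})
	}
	return events, nil
}

// Findings returns user@source pairs that reached threshold failures inside window
// (bursts) and those where a success then followed the burst, the pattern to escalate.
func Findings(events []Event, threshold int, window time.Duration) (bursts, successAfterBurst []string) {
	recent := map[string][]time.Time{} // failure times still inside the window
	flagged := map[string]bool{}
	for _, e := range events {
		k := e.User + "@" + e.Source
		if !e.Failed {
			if flagged[k] {
				successAfterBurst = append(successAfterBurst, k)
			}
			flagged[k], recent[k] = false, nil // a success resets the count
			continue
		}
		times := append(recent[k], e.At)
		for len(times) > 0 && e.At.Sub(times[0]) > window {
			times = times[1:] // drop failures that aged out of the window
		}
		recent[k] = times
		if len(times) >= threshold && !flagged[k] {
			flagged[k] = true
			bursts = append(bursts, k)
		}
	}
	return
}

func main() {
	events, _ := Parse(ConstructedLog)
	fmt.Println(Findings(events, 5, 5*time.Minute))
}
```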
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
Audit Procedures Relating to Subversive Threats
3. Testing Incident Response Procedures:
Procedure: Review and test the organization's incident response and
disaster recovery plans, including steps to identify, respond to, and
recover from subversive attacks (e.g., malware or DoS attacks).
Objective: Ensure that the organization is prepared to respond quickly
and effectively to potential threats, minimizing damage and restoring
operations promptly.
4. Penetration Testing:
Procedure: Conduct penetration testing to simulate subversive attacks
on the organization’s systems and assess the effectiveness of its
defenses.
Objective: Identify vulnerabilities that could be exploited by attackers
and ensure that appropriate controls are in place to mitigate these
risks.
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
Audit Procedures Relating to Subversive Threats
5. Review of Data Encryption Practices:
Procedure: Verify that sensitive data is encrypted both in transit and at
rest, using secure encryption methods such as AES or RSA.
Objective: Ensure that data confidentiality is maintained, preventing
unauthorized individuals from intercepting or accessing sensitive
information.
6. Evaluation of Physical Security Controls:
Procedure: Review physical security controls, such as secured server
rooms, access to data centers, and surveillance, to ensure that physical
access to critical systems is limited to authorized personnel.
Objective: Prevent physical tampering, theft, or destruction of
hardware that could lead to a breach of system integrity.
CONTROLLING RISKS FROM SUBVERSIVE THREATS (continued)
Audit Procedures Relating to Subversive Threats
7. Verification of Backup and Recovery Systems:
Procedure: Assess the adequacy of backup and recovery systems by
reviewing the frequency of backups, their storage, and the
organization’s ability to restore data and systems in case of an attack.
Objective: Ensure that systems can be restored quickly in the event of
a data loss or system disruption caused by a subversive threat.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
• Line Errors
• A line error is an error caused when the bit structure of the
message is corrupted through noise on the communications
lines.
• The echo check is a technique that involves the receiver of
the message returning the message to the sender.
• The parity check is a technique that incorporates an extra bit
into the structure of a bit string when it is created or
transmitted.
• Audit Objectives Relating to Equipment Failure
• Audit Procedures Relating to Equipment Failure
Vertical and Horizontal Parity Using Odd Parity
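An added example (not part of the slides) of the vertical and horizontal odd-parity scheme in the figure, in Go: Encode attaches one parity bit per 7-bit character and one per bit position across the block, and Check recomputes both at the receiver, showing that a single corrupted bit is located by both checks while two flipped bits in the same character escape the vertical check and are caught only by the horizontal one. The sample text is constructed.

```go
package main
import "fmt"

// Block is what travels on the line: 7-bit characters (bit 0 first), one vertical
// parity bit per character and one horizontal parity bit per bit position across the
// block. Odd parity: each protected group, parity bit included, has an odd count of 1s.
type Block struct {
	Chars      [][7]bool
	Vertical   []bool
	Horizontal [7]bool
}

// oddParity returns the parity bit that makes the count of 1s odd.
func oddParity(bits []bool) bool {
	odd := false
	for _, b := range bits {
		odd = odd != b // running XOR of the data bits
	}
	return !odd // parity bit is 1 when the data already holds an even count
}

func column(chars [][7]bool, i int) []bool {
	col := make([]bool, len(chars))
	for j, ch := range chars {
		col[j] = ch[i]
	}
	return col
}

// Encode builds the block from ASCII text as the transmitter would.
func Encode(text string) Block {
	var blk Block
	for _, c := range []byte(text) {
		var ch [7]bool
		for i := range ch {
			ch[i] = c>>i&1 == 1
		}
		blk.Chars = append(blk.Chars, ch)
		blk.Vertical = append(blk.Vertical, oddParity(ch[:]))
	}
	for i := range blk.Horizontal {
		blk.Horizontal[i] = oddParity(column(blk.Chars, i))
	}
	return blk
}

// Flip corrupts one data bit in transit, standing in for line noise.
func Flip(blk *Block, char, bit int) { blk.Chars[char][bit] = !blk.Chars[char][bit] }

// Check recomputes both parities at the receiver: badChars are characters failing
// the vertical check, badBits the positions failing the horizontal one. A single flip
// appears in both; two flips in one character cancel vertically but not horizontally.
func Check(blk Block) (badChars, badBits []int) {
	for j, ch := range blk.Chars {
		if oddParity(ch[:]) != blk.Vertical[j] {
			badChars = append(badChars, j)
		}
	}
	for i := range blk.Horizontal {
		if oddParity(column(blk.Chars, i)) != blk.Horizontal[i] {
			badBits = append(badBits, i)
		}
	}
	return
}

func main() {
	blk := Encode("AUDIT")
	Flip(&blk, 1, 3) // one noisy bit: character 1, bit 3
	fmt.Println(Check(blk)) // [1] [3]
}
```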
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Objectives Relating to Equipment Failure
The audit objectives related to equipment failure are aimed
at ensuring that an organization’s IT infrastructure is robust,
resilient, and capable of maintaining operations even in the
face of hardware failures. The objectives focus on
identifying weaknesses, ensuring recovery mechanisms
are in place, and minimizing the impact of any equipment
failure.
• Audit Procedures Relating to Equipment Failure
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Procedures Relating to Equipment Failure
Review of Backup and Recovery Procedures:
Procedure: Verify that the organization has a documented
backup procedure, and ensure that backups are performed
regularly and securely stored (preferably offsite or in the
cloud).
Objective: Ensure data integrity and the ability to restore
critical systems after an equipment failure.
Example: Review the frequency and testing of backups to
ensure they are reliable and recoverable in the event of
server or hardware failure.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Procedures Relating to Equipment Failure
Evaluation of Redundancy and Failover Systems:
Procedure: Assess the design and implementation of
redundancy and failover systems. Test to ensure that these
systems can seamlessly take over when primary systems
fail.
Objective: Ensure system availability and business
continuity during hardware failures.
Example: Conduct a simulation of a failover scenario
(e.g., simulating a server crash) and observe whether the
backup system takes over without disruption.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Procedures Relating to Equipment Failure
Inspection of Physical Security and Environmental
Controls:
Procedure: Conduct a physical inspection of the data
centers and server rooms to ensure they are secure,
properly ventilated, and protected from environmental
hazards (e.g., water damage, fire).
Objective: Ensure that physical security and environmental
controls are in place to prevent physical damage to critical
hardware.
Example: Verify that fire suppression systems, temperature
controls, and access controls are functioning properly.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Procedures Relating to Equipment Failure
Testing of UPS and Backup Power Systems:
Procedure: Review the configuration and testing records
for Uninterruptible Power Supply (UPS) systems and
backup generators.
Objective: Ensure continuous power supply to critical
systems in the event of power failure.
Example: Perform a power failure test and observe how
long the UPS system can maintain the operation of critical
systems and ensure that backup generators activate as
intended.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Procedures Relating to Equipment Failure
Review of Maintenance Logs:
Procedure: Review maintenance logs to ensure that
regular checks and repairs are conducted on critical
hardware components such as servers, routers, and
cooling systems.
Objective: Ensure that proactive maintenance reduces the
risk of unexpected equipment failure.
Example: Confirm that aging hardware components are
replaced on a regular schedule and that routine checks for
overheating, hardware degradation, and performance
bottlenecks are conducted.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Procedures Relating to Equipment Failure
Examine the Disaster Recovery Plan (DRP):
Procedure: Review the organization's DRP to ensure it
includes contingencies for equipment failure. Verify that the
DRP is regularly updated and tested.
Objective: Ensure the organization can recover quickly
and efficiently after hardware failure.
Example: Examine the most recent disaster recovery drill
to assess the organization's readiness and response time
in recovering from equipment failures.
CONTROLLING RISKS FROM EQUIPMENT FAILURE
Audit Procedures Relating to Equipment Failure
Test Load Balancing and RAID Configurations:
Procedure: Evaluate load balancing configurations and
RAID (Redundant Array of Independent Disks) systems to
ensure that data is distributed across multiple systems and
can be recovered in case of disk failure.
Objective: Ensure that system load is distributed evenly to
prevent overloading a single system, and that data
redundancy protects against hardware failure.
Example: Test a disk failure scenario to see if the RAID
system automatically recovers data without loss or
downtime.
Electronic Data Interchange Controls
EDI System
TRANSACTION AUTHORIZATION AND VALIDATION
• Both the customer and the supplier must establish that the
transaction being processed is to (or from) a valid trading
partner and is authorized.
• This can be accomplished at three points in the process:
1. Some VANs have the capability of validating passwords and
user ID codes for the vendor by matching these against a valid
customer file.
2. Before being converted, the translation software can validate
the trading partner’s ID and password against a validation file
in the firm’s database.
3. Before processing, the trading partner’s application software
references the valid customer and vendor files to validate the
transaction.
ACCESS CONTROL
EDI AUDIT TRAIL
EDI System Using Transaction Control Log for Audit Trail
Appendix - Malicious and Destructive Programs
Malicious and destructive programs are designed to harm
computer systems, steal data, or disrupt operations. These
threats come in various forms and can have significant
effects on business operations, system security, and
auditing processes.
1. Virus
Definition: A virus is a type of malware that attaches itself to a
legitimate program or file and spreads when that file or program is
executed. Viruses typically require human action to propagate, such as
opening an infected email attachment or downloading a malicious file.
Example: The ILOVEYOU Virus (2000) originated in the Philippines
and spread globally via email. The virus came in the form of an
attachment disguised as a love letter. When opened, it overwrote
system files and sent itself to all contacts in the victim's address book,
causing widespread damage to systems worldwide.
Timeline: The virus spread rapidly in May 2000, infecting millions
of computers within a day.
Impact on Auditing: Viruses can corrupt data and system logs,
making it difficult for auditors to trace transactions or activities.
Auditors need to ensure that anti-virus software is in place,
updated regularly, and capable of detecting and quarantining
viruses before they can spread.
2. Worm
Definition: A worm is a standalone malware that replicates itself to
spread to other computers over a network. Unlike viruses, worms do
not need a host program to spread and can propagate automatically.
Example: The WannaCry Ransomware Worm (2017) exploited a
vulnerability in Microsoft Windows to spread rapidly across the globe. It
encrypted users' data and demanded ransom payments in Bitcoin to
decrypt the files.
Timeline: The attack began in May 2017 and spread to over 150
countries within hours. Key sectors, including healthcare (e.g., UK’s
NHS), were heavily affected.
Impact on Auditing: Worms can cause system-wide damage,
making it difficult for auditors to access logs or verify the integrity of
financial data. In response, auditors must check that systems are
patched regularly, and that network monitoring systems are in place
to detect unusual traffic patterns that might indicate worm activity.
3. Logic Bomb
Definition: A logic bomb is a type of malicious code that is triggered
by a specific event or condition, such as a particular date or the
removal of an employee from the payroll. The bomb "detonates" once
the trigger condition is met, executing malicious actions like deleting
files or corrupting data.
Example: In 2006, Roger Duronio, a disgruntled IT worker at UBS
PaineWebber, planted a logic bomb to delete data across the
company's systems. He planted it because he was dissatisfied with
his bonus, and it was triggered after he resigned.
Timeline: The bomb was set to trigger after Duronio’s resignation
in 2006, causing millions of dollars in damages.
Impact on Auditing: Logic bombs are often hard to detect until
they are triggered. Auditors need to ensure that access controls
and employee monitoring are in place, especially when an
employee leaves the company. Regular system reviews can help
identify and remove unauthorized code or scripts.
4. Back Door
Definition: A back door is a hidden entry point that bypasses normal
authentication methods, allowing unauthorized users to gain access to
a system. Back doors are often intentionally installed by developers for
maintenance purposes, but can also be planted maliciously by
attackers.
Example: The SolarWinds Hack (2020) involved a sophisticated
backdoor inserted into the SolarWinds Orion software updates. This
backdoor allowed attackers to access the systems of several
government agencies and private companies, including the U.S.
Treasury and Microsoft.
Timeline: The attack was discovered in December 2020, but the
backdoor had been active since at least March 2020.
Impact on Auditing: Back doors provide unauthorized access,
which can undermine the integrity of financial systems. Auditors
must verify that systems are regularly scanned for vulnerabilities
and that access logs are reviewed to detect unusual login patterns
or unauthorized access attempts.
5. Trojan Horse
Definition: A Trojan horse is a type of malware that disguises itself as
legitimate software but contains malicious code. Once the software is
installed, the malicious payload is activated, allowing attackers to steal
data, take control of the system, or cause damage.
Example: The Zeus Trojan (discovered in 2007) is one of the most
well-known Trojans, used to steal banking information by logging
keystrokes and bypassing two-factor authentication.
Timeline: The Zeus Trojan was first discovered in 2007 and
continued to evolve and infect systems for several years, targeting
banking systems worldwide.
Impact on Auditing: Trojans can result in the theft of sensitive
financial data, making audits more challenging. Auditors must
ensure that organizations implement anti-malware solutions and
review access controls to prevent the installation of unauthorized
software.
END