Identifying Computer Systems

Document Sample
Identifying Computer Systems Powered By Docstoc
Final Exam Review
IS Audit (ISMT 350)

Time & Venue: 7 Dec 2006, 10:30 to 11:50 am

Note: You will be allowed one A4 sized sheet of paper as a “Cheat Sheet” for your reference during the IST300S Final Exam. You can fill out both sides, and there are no limits on handwriting, font, or techniques for the information you place on the page. No other materials will be allowed during the exam.
Classes of Things You have Learned

- Concepts: Things you need to know. These include:
  - Theories and frameworks
  - Facts
- Activities and Tasks: Things an auditor needs to do
- Tools: Used to make audit decisions
Logical Structure of the Course, With Readings from the Text

[Course map, reconstructed from the slide diagram: IS Auditing is built from the following topics]

- IS Components (Ch. 1 & 2)
- Audit Components (Ch. 3 & 4)
- Current and Future Issues in IS Auditing
- Audit Standards and Procedures (Ch. 10)
- Forensics and Fraud Audits (Ch. 12)
- Controls over IS Assets (Ch. 7 & 8)
- Procedural Controls (Ch. 9)
- Encryption (Ch. 11)
Prac·ti·cum (prăk-tĭ-kəm) noun: Lessons in a specialized field of study designed to give students supervised practical application of previously studied theory.

Student Competence: Case Study

1. Evaluating IT Benefits and Risks: Jacksonville Jaguars
2. The Job of the Staff Auditor: A Day in the Life of Brent Dorsey
3. Recognizing Fraud: The Anonymous Caller
4. Evaluating a Prospective Audit Client: Ocean Manufacturing
5. Inherent Risk and Control Risk: Comptronix Corporation
6. Evaluating the Internal Control Environment: Easy Clean
7. Fraud Risk and the Internal Control Environment: Cendant Corporation
8. IT-based vs. Manual Accounting Systems: St James Clothiers
9. Materiality / Tolerable Misstatement: Dell Computer
10. Analytical Procedures as Substantive Tests: Burlington Bees
11. Information Systems and Audit Evidence: Henrico Retail
IS Audit Programs (Chapter 2)

- What is IS Auditing?
- Why is it Important?
- What is the Industry Structure?
- Attestation and Assurance
[Diagram: The Physical World and The Parallel (Logical) World of Accounting. In the physical world, the Internal Operations of the Firm exchange Transactions with External Real World Entities and Events that Create and Destroy Value; 'Owned' Assets and Liabilities are defined by Corporate Law. In the logical world, Accounting Systems record Journal Entries into Ledgers (Databases) and produce Reports (Statistics). Auditing connects the two: the Audit Program drives Tests of Transactions, Substantive Tests and Analytical Tests, which support Attestation and the Audit Report / Opinion.]
Audit Objectives

- Reporting Risks (External Audit)
- Control Process Risks (Internal & External Audits)
- Asset Loss Risks (Internal Audits)

How Auditors Should Visualize Computer Systems (layers, top to bottom):

- Transaction Flows
- Business Application Systems
- Operating Systems (including DBMS, network and other special systems)
- Hardware Platform
- Physical and Logical Security Environment
The IS Auditor’s Challenge

- Corporate Accounting is in a constant state of flux
  - Because of advances in Information Technology applied to Accounting
    - Information that is needed for an Audit is often hidden from easy access by auditors
    - Making computer knowledge an important prerequisite for auditing
- IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations
The Challenge to Auditing Presented by Computers

- Transaction flows are less visible
  - Fraud is easier
  - Computers do exactly what you tell them
    - To err is human
    - But, to really screw up you need a computer
- Audit samples require computer knowledge and access
- Transaction flows are much larger (good for the company, bad for the auditor)
  - Audits grow bigger and bigger from year to year
    - And there is more pressure to eat hours
- Environmental, physical and logical security problems grow exponentially
  - Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)
The Challenge to Auditing Presented by The Internet

- Transaction flows are External
  - External copies of transactions on many Internet nodes
  - External Service Providers for accounting systems require giving control to outsiders with different incentives
- Audit samples may be impossible to obtain
  - Because they require access to 3rd party databases
- Transaction flows are intermingled between companies
- Environmental, physical and logical security problems grow exponentially
  - Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)
Practicum: A Day in the Life of Brent Dorsey

A Staff Auditor’s Professional Pressure

- Understand some of the pressures faced by young professionals in the workplace
- Generate and evaluate alternative courses of action to resolve a difficult workplace issue
- Understand more fully the implications of "eating time" and "premature sign-off"
- More fully appreciate the need to balance professional and personal demands
Ideas, not Things, have Value
… and these ideas are tracked in the computer

[Chart: Asset Intensity (Fixed Assets / Sales), scale 0 to 16, plotted against 5-yr Shareholder Return %, scale -100 to 600, with companies in rank order by increasing return.]
How Accounting has had to Change Because of Business Automation

[Diagram: two value-chain models. In the traditional model, Manufacturing Value Added is built from Labor, Material and Capital inputs and flows to the Consumer. In the automated model, a Knowledge Integrator sits between a Knowledge Base (uncertain claims, contributions and property rights), Manufacturing Specifications, the Finished Product and the Consumer, and Labor, Material and Capital make up a much smaller share of value added than in the traditional model.]
Flowcharting Accounting Systems

- Each bubble is associated with a person or entity that is responsible for that process
- The same individuals with:
  - Managerial Control
  - Accountability
  - Responsibility for the process
  should all be responsible for the same bubble
Flowcharting Accounting Systems: Data Flow Diagram Notations

- A process transforms incoming data flow into outgoing data flow.
- Datastores are repositories of data in the system. They are sometimes also referred to as databases or files.
- Dataflows are pipelines through which transactions (packets of information) flow. Label the arrows with the name of the data that moves through it.
- External entities are entities outside the firm, with which the accounting system communicates (e.g., vendors, customers, advertisers, etc.). External entities are sources and destinations of the transaction input and output.
- The Context diagram lists all of the external relationships.
Flowcharting Accounting Systems … Levels

- Context diagram (also known as the Level 0 data flow diagram). It only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities.
- DFD levels
  - The first level DFD shows the main processes within the system.
  - Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place.
- If you use SmartDraw (Drawing Nested DFDs in SmartDraw): You can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.
The Datastore

- The Datastore is used to represent Ledgers, Journals
- Or more often in the current world
  - Their computer implemented counterpart
  - Since almost no one keeps physical records

Flowcharting Accounting Systems … Lower Level with Multiple Processes

- Data Flow Diagram Layers
  - Draw data flow diagrams in several nested layers.
  - A single process node on a high level diagram can be expanded to show a more detailed data flow diagram.
Practicum: Jacksonville Jaguars

Assurance Services for the Electronic Payments System of a privately held company

- Identify benefits, costs and risks to businesses from implementing information technologies
- Determine how CPAs can provide assurance about processes designed to reduce risks created when new IT systems are introduced
- Understand ways CPAs can identify new assurance services opportunities (i.e., new areas for revenue generation)
Identifying Computer Systems (Chapter 1)

1. Identifying what you are going to audit
2. The Computer Asset Inventory
3. Identification of Transactions, and Risk Levels
4. Audit programs for high risk transactions
Audit Program

- Audit programs are checklists of the various tests (audit procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed.
- Objective
  - To determine the adequacy of the controls over the particular accounting processes covered by the audit program
  - This is fundamentally what the assurance and attestation aspects of the audit are expected to achieve
    - during the ‘tests of transactions’ or
    - mid-year or
    - internal control tests

The objective

- The reason for an audit is to write an opinion:
  - Saying stock price is fairly stated (external)
  - Control processes are effective (internal & external)
  - Assets are not at risk of theft or damage (internal)
- We only need to identify computer systems where one or more of these objectives is affected
Benefits

- The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program
  - They improve resource planning (where to spend money and employ people on an audit)
  - They promote consistency from year to year when personnel and situations of an audit change
  - Prior years’ programs are the basis for the current year’s audit procedures
  - Anything else that seems reasonable
Control assessment

Information systems audit programs should assess the adequacy of controls in four (4) areas.

1. Environmental controls
2. Physical security controls
3. Logical security controls
4. IS operating controls
Computer Assets

[Asset taxonomy, reconstructed from the slide diagram]

- Central Processing Unit
- Memory
  - RAM / ROM
  - Optical & Magnetic Media
- Peripheral Processor (Video, Bus, Etc.)
- Network Devices
- Operating Systems
  - Specialized O/S: Network O/S, Database O/S
  - Utilities
  - Applications
  - Programming Languages, Tools & Environments
  - Utilities and Services
The main categories of Computer Applications, and their relative importance

Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers
Operations & Accounting       |   500                             |  2000                | US, India
Search & Storage              |  1000                             |  5000                | US
Tools                         |   300                             |   300                | US, Germany
Embedded                      |  1500                             |   700                | US, Japan, Korea, Greater China
Communications                |   700                             |  2000                | US, Germany, Japan, Greater China
Total                         | 4,000                             | 10,000               | GWP ~$45 trillion (Pop: 6 billion); US GDP ~$10 trillion (Pop: 300 million)
The Risk Assessment Database

Asset columns (Ex 2.1): Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*
Risk Assessment columns (Ex. 2.2 with improvements): Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss

Primary OS | Owner          | Application | Asset Value | Transaction Flow Description | Annual Flow | Risk Description          | Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss
Win XP     | Receiving Dock | A/P         | 0.002       | RM Received from Vendor      | 23          | Theft                     | 100                     | 100                           | 10000
Win XP     | Receiving Dock | A/P         | 0.002       | RM Received from Vendor      | 23          | Obsolescence and spoilage | 35                      | 350                           | 12250
Etc        | Etc            | Etc         | Etc         | Etc                          | Etc         | Etc                       | Etc                     | Etc                           | Etc

*Whether you list depends on Audit Materiality
Materiality

- Materiality represents the maximum, combined, financial statement misstatement or omission that could occur before influencing the decisions of reasonable individuals relying on the financial statements. The magnitude and nature of financial statement misstatements or omissions will not have the same influence on all financial statement users.
  - For example, a 5 percent misstatement with current assets may be more relevant for a creditor than a stockholder, whereas a 5 percent misstatement with net income before income taxes may be more relevant for a stockholder than a creditor. Therefore, the primary consideration when determining materiality is the expected users of the financial statements.
- The specific amounts established for each financial statement element must be determined by considering the primary users as well as qualitative factors.
  - For example, if the client is close to violating the minimum current ratio requirement for a loan agreement, a smaller planning materiality amount should be used for current assets and liabilities.
  - Conversely, if the client is substantially above the minimum current ratio requirement for a loan agreement, it would be reasonable to use a higher planning materiality amount for current assets and current liabilities.
- Planning materiality should be based on the smallest amount established from relevant materiality bases to provide reasonable assurance that the financial statements, taken as a whole, are not materially misstated for any user.
Tolerable misstatement

- This is essentially materiality for individual financial statement accounts. The amount established for individual accounts is referred to as "tolerable misstatement." Tolerable misstatement represents the amount an individual financial statement account can differ from its true amount without affecting the fair presentation of the financial statements taken as a whole.
- Establishment of tolerable misstatement for individual accounts enables the auditor to design and execute an audit strategy for each audit cycle.
- Tolerable misstatement should be established for all balance sheet accounts (except "retained earnings" because it is the residual account).
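The Expected Loss arithmetic of the Risk Assessment Database table and the "smallest relevant base" rule for planning materiality, as an added Python example (not from the course slides): the two Receiving Dock rows are taken from the table, while the third database row, the materiality bases and the percentage rates are constructed assumptions.

```python
# Added worked example, not part of the original slides. It reproduces the
# slide's Expected Loss column (probability of occurrence per year x cost of a
# single occurrence: 100 x 100 = 10,000 and 35 x 350 = 12,250) and applies the
# footnote "whether you list depends on Audit Materiality" as a threshold.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of the Risk Assessment Database (Ex 2.1 + Ex 2.2 columns)."""
    primary_os: str
    owner: str
    application: str
    asset_value_musd: float         # Asset Value ($000,000 to Owner)
    flow_description: str
    annual_flow_musd: float         # Total annual transaction value managed ($000,000)
    risk_description: str
    occurrences_per_year: float     # Probability of Occurrence (# per year)
    cost_per_occurrence_usd: float  # Cost of a single occurrence ($)

    @property
    def expected_loss_usd(self) -> float:
        """Expected Loss column: annual frequency x cost of one occurrence."""
        return self.occurrences_per_year * self.cost_per_occurrence_usd

    @property
    def asset_key(self) -> tuple[str, str, str]:
        """Rows describing the same asset share OS, owner and application."""
        return (self.primary_os, self.owner, self.application)


# The two rows from the slide's table, plus one constructed row.
RISK_DATABASE = [
    RiskEntry("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor",
              23, "Theft", 100, 100),
    RiskEntry("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor",
              23, "Obsolescence and spoilage", 35, 350),
    # Constructed example row (not on the slide).
    RiskEntry("Win XP", "Warehouse", "Inventory", 0.005, "Finished goods shipped",
              40, "Unrecorded shipments", 2, 40_000),
]


def planning_materiality(bases_usd: dict[str, float], rates: dict[str, float]) -> float:
    """Planning materiality is the smallest amount across the relevant bases
    (slide: 'based on the smallest amount established from relevant materiality
    bases'). The rate applied to each base is the auditor's judgement; callers
    pass constructed rates here."""
    return min(bases_usd[name] * rates[name] for name in bases_usd)


def expected_loss_by_asset(entries: list[RiskEntry]) -> dict[tuple[str, str, str], float]:
    """Combine the risks logged against one asset, because materiality is defined
    on the combined misstatement, not on each risk in isolation."""
    totals: dict[tuple[str, str, str], float] = {}
    for entry in entries:
        totals[entry.asset_key] = totals.get(entry.asset_key, 0.0) + entry.expected_loss_usd
    return totals


def high_risk_transactions(entries: list[RiskEntry], threshold_usd: float) -> list[RiskEntry]:
    """Rows worth an audit program: keep every row whose asset's combined expected
    loss reaches the materiality threshold, highest individual expected loss first."""
    by_asset = expected_loss_by_asset(entries)
    selected = [e for e in entries if by_asset[e.asset_key] >= threshold_usd]
    return sorted(selected, key=lambda e: e.expected_loss_usd, reverse=True)


if __name__ == "__main__":
    # Constructed bases and rates: 5% of pre-tax income, 0.5% of total assets.
    threshold = planning_materiality(
        {"pre-tax income": 400_000, "total assets": 6_000_000},
        {"pre-tax income": 0.05, "total assets": 0.005},
    )
    print(f"planning materiality: ${threshold:,.0f}")
    for e in high_risk_transactions(RISK_DATABASE, threshold):
        print(f"{e.owner:15} {e.risk_description:26} ${e.expected_loss_usd:>10,.0f}")
```

With the constructed bases the threshold is $20,000, so the Receiving Dock asset is listed only because its two risks combine to $22,250; neither row clears the threshold on its own.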
Practicum: Dell Computer

This is the case that required you to come up with hard numbers for materiality!

- Determine planning materiality for an audit client
- Allocate planning materiality to financial statement elements
- Provide support for your materiality decisions
IS Security (Chapter 3)

What is Security?

- Security involves:
  - the protection of a person, property or organization from attack.
  - Knowing the types of possible attacks,
  - being aware of the motivations for attacks and your relationship to those motives.
- Proper security
  - makes it difficult to attack,
  - threatens counter-measures, or
  - makes a pre-emptive attack on a source of threat.
- IS Security is a collection of investments and procedures that:
  - Protect information stored on computers
  - Protect Hardware and Software assets
  - From theft or vandalism by 3rd parties
What is a Lock & Key?

- Lock is a security system
  - The key is its password
  - Keys used to be worn visibly around the neck
    - As a sign of authority (similar to employee badges today)
- Newer Technology
  - Badges and electronic keys
  - Biometrics (M-28 fingerprint lock pictured on the slide)
  - Remote controls (Lexus keys)
- ‘Keys’ are just another Security Policy
Effective security policy

- Security policy defines the organization’s attitude to Assets, and
  - announces internally and externally which assets are mission critical
    - Which is to be protected from unauthorized access, vandalism and destruction by 3rd parties
- Effective information security policies
  - Will turn staff into participants in the company’s security
  - The process of developing these policies will help to define a company’s assets
- An effective security policy also protects people.
  - Anyone who makes decisions or takes action in a situation where information is a risk incurs personal risk as well.
  - A security policy allows people to take necessary actions without fear of reprisal.
  - Security policy compels the safeguarding of information,
    - while it eliminates, or at least reduces, personal liability for employees.
IP

- There are four types of Intellectual Property (IP) that are protected by law
  - Copyright
  - Patent
  - Trade secret
  - Trademark
- Two aspects of the use of IP are covered by intellectual property laws
  - Right of publicity
  - Privacy
- Almost All Security Controls use the Lock & Key paradigm.
  - Authorization system = Who gets a Key (And Why?)
  - Password, etc. = Key
  - Encryption algorithms, SSL, etc. = Lock
Entry into Computer Crime

- This flowchart describes the points at which Control Processes may be created to stop criminals
- Controls may:
  - Prevent access to the asset
  - Detect asset access
  - Correct the problems or losses after an illicit access
- Remember that criminals specialize in one type of crime

[Flowchart: Personal Background -> Learning -> Skills to Commit Crime -> Motives (Un-premeditated or Premeditated) -> Choose "Best" Option -> Select Asset / Don't Select (Reaction to Chance Event) -> Decision / Action Matrix. Commit Crime: Enjoy Rewards vs. Face Penalties. Don't Commit: Too Hard, Monitored, Unfamiliar, Not enough value.]
Bringing a computer crime to court

Step                              Potential Terminal Outcome

Crime committed                   Not detected
Reported                          Not investigated
Investigation                     Unsolved
Arrest                            Released without prosecution
Booking                           Released without prosecution
Preliminary appearance in court   Charges dropped or dismissed
Bail or detention
Adjudication                      Arbitration, Settled "Out of Court"
Arraignment                       Charge dismissed
Trial                             Acquitted
Sentencing                        Appeal
Sentencing                        Probation
Sentencing                        Prison
Practicum: The Anonymous Caller

Recognizing It's a Fraud and Evaluating What to Do

- How would you politely and ethically handle a ‘dodgy’ request for help
- Appreciate real-world pressures for meeting financial expectations
- Distinguish financial statement fraud from aggressive accounting
- Identify alternative actions when confronted with suspected financial statement fraud
- Develop arguments to resist or prevent inappropriate accounting techniques
Utility Computing and IS Service Organizations (Chapter 4)

Old and New

- Service Organizations like EDS
  - Are in the business of running IS shops
  - Only the transactions are handled by the client
- They are being replaced by Utility Computing
  - Which is an outgrowth of software vending business models
  - Particularly those of Oracle, SAP and Salesforce.com
Why do firms choose Utility computing?

- Utility computing offers greater flexibility in the creation of computing environments when they are needed.
  - It opens up usage-based pricing and reduces users' use of capital.
- Utility Computing allows an organization to have the ability to harness latent computing power and resources, regardless of application or other physical or organizational boundaries.
  - It allows an organization to virtually repurpose operating systems, application mix, processing power, and storage to the immediate needs of the corporation, to meet new demand or to rapidly create computing environments for projects.
Pervasiveness of Utility
Computing
   Recent moves like
       Oracle's acquisition of Siebel,
       and the growing popularity of software-as-a-service vendors like
        Salesforce.com
    are indicators that the software industry is tilting toward an on-demand
    future

   Still, on-demand services are likely to account for less than 10 percent
    of business application use through 2010 (Gartner)
   The reason:
           the on-demand model is not suited to complex business uses like logistics
            support and order handling,
           nor to large, complex companies requiring business-process support
    But the "complexity constraint bar" will rise over time, since on-demand
    vendors can add functionality easily
Consequences: Control of Data
and Programs
   Copies of data now sit outside the organization, beyond its direct control
       Accounting transactions (fraud, loss, alteration)
       Personnel and customer records (privacy, theft)


   Operation of programs may be less well understood
       since there are no in-house experts
       This may lead to more audit exceptions
The Risk Assessment Database
Columns under Asset (Ex 2.1): Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*
Columns under Risk Assessment (Ex. 2.2 with improvements): Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss ($)

Primary OS | Owner          | Application | Asset Value | Transaction Flow        | Annual Flow | Risk Description          | Occurrences/yr | Cost per occurrence ($) | Expected Loss ($)
Win XP     | Receiving Dock | A/P         | 0.002       | RM Received from Vendor | 23          | Theft                     | 100            | 100                     | 10,000
Win XP     | Receiving Dock | A/P         | 0.002       | RM Received from Vendor | 23          | Obsolescence and spoilage | 35             | 350                     | 12,250
Etc        | Etc            | Etc         | Etc         | Etc                     | Etc         | Etc                       | Etc            | Etc                     | Etc

Expected Loss = Probability of Occurrence (# per year) x Cost of a single occurrence ($).
* Whether you list an asset at all depends on audit materiality.
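Computing the table's last column, as an added example that is not part of the course material: expected loss is the probability of occurrence per year times the cost of a single occurrence, and the footnote's materiality cut-off can be applied to it. The two rows are the filled-in lines of the table above; the materiality threshold, the roll-up by owner and the loss-to-flow ratio are assumptions added here.

```python
"""Expected loss from the risk-assessment database.

Added example, not code from the course.  The two rows are copied from the
table above; the materiality threshold used below is a constructed figure.
Expected loss is the table's Probability of Occurrence (# per year) times
Cost of a single occurrence, i.e. the classic ARO x SLE = ALE calculation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRow:
    primary_os: str
    owner: str
    application: str
    asset_value_musd: float         # asset value to owner, $ millions
    flow_description: str
    annual_flow_musd: float         # annual transaction value through the asset, $ millions
    risk: str
    occurrences_per_year: float     # annualized rate of occurrence (ARO)
    cost_per_occurrence_usd: float  # single loss expectancy (SLE), $

    @property
    def expected_loss_usd(self) -> float:
        """Annualized loss expectancy: ARO x SLE, the table's last column."""
        return self.occurrences_per_year * self.cost_per_occurrence_usd


# The two filled-in rows of the table (Win XP / Receiving Dock / A/P).
RISK_DB = [
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Theft", 100, 100),
    RiskRow("Win XP", "Receiving Dock", "A/P", 0.002, "RM Received from Vendor", 23,
            "Obsolescence and spoilage", 35, 350),
]


def expected_losses(rows):
    """Risk description -> expected annual loss in dollars."""
    return {row.risk: row.expected_loss_usd for row in rows}


def material_risks(rows, materiality_usd):
    """Rows whose expected annual loss reaches the materiality threshold,
    largest first.  The table's footnote applies materiality to whether an
    asset is listed; the same cut-off decides which risks get audit effort."""
    kept = [r for r in rows if r.expected_loss_usd >= materiality_usd]
    return sorted(kept, key=lambda r: r.expected_loss_usd, reverse=True)


def loss_by_owner(rows):
    """Expected loss rolled up to the asset owner, so the auditor can see
    which responsibility centre carries the exposure."""
    totals = {}
    for r in rows:
        totals[r.owner] = totals.get(r.owner, 0.0) + r.expected_loss_usd
    return totals


def loss_share_of_flow(row):
    """Expected loss as a fraction of the annual transaction value the asset
    handles; a sanity check that a risk rating is in proportion to the flow."""
    return row.expected_loss_usd / (row.annual_flow_musd * 1_000_000)


if __name__ == "__main__":
    for r in material_risks(RISK_DB, materiality_usd=5_000):
        print(f"{r.owner:15} {r.risk:26} ARO={r.occurrences_per_year:>5} "
              f"SLE=${r.cost_per_occurrence_usd:>7,.0f} ALE=${r.expected_loss_usd:>9,.0f} "
              f"({loss_share_of_flow(r):.2%} of flow)")
    print(loss_by_owner(RISK_DB))
```

The ordering matters in practice: the theft row has the higher frequency but the spoilage row has the higher expected loss, so the audit programme should spend its effort on spoilage first even though theft "happens more".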
Practicum:

Ocean Manufacturing
   Deciding whether to accept a new client

   Understand the types of information relevant to
    evaluating a prospective audit client
   List some of the steps an auditor should take in
    deciding whether to accept a prospective client
   Identify and evaluate factors important in the
    decision to accept or reject a prospective client
   Understand the process of making and justifying a
    recommendation regarding client acceptance
Physical Security   Chapter 7
Logical Security    Chapter 8
Security Policy
[Figure: the management information cycle. Information of four kinds (environmental, competitive, internal financial, internal non-financial) reaches the manager, whose actions are to plan, organize, actuate and control. The inputs under management are manpower, money, machines, methods and materials; outputs are measured as quantity, quality, cost and time; the objectives are profitability, efficiency, growth and survival. An information system sits at each stage of the cycle.]
Strategy → Policy
   Strategy defines the way that top management
    achieves corporate objectives

   Policy is a written set of procedures, guidelines and
    rules
       Designed to accomplish a subset of strategic tasks
       By a particular subgroup of employees
Effective security policy
   An effective security policy also protects people.
   Anyone who makes decisions or takes action in a situation where
    information is at risk incurs personal risk as well.
   A security policy allows people to take the necessary actions without
    fear of reprisal.
   Security policy compels the safeguarding of information,
       while it eliminates, or at least reduces, personal liability for
        employees.
Effective information security
policy
   Information security policy defines the organization’s attitude to
    information, and
     announces internally and externally that information is an asset
          Which is to be protected from unauthorized access, modification,
           disclosure, and destruction
   Effective information security policies
     Will turn staff into participants in the company’s security

     The process of developing these policies will help to define a
       company’s information assets
Why Do You Need Security Policy?

    A security policy should
      Protect people and information
      Set the rules for expected behavior by users, system
        administrators, management, and security personnel
      Authorize security personnel to monitor, probe, and investigate
      Define and authorize the consequences of violation
The Three Elements of Policy
Implementation

   Standards – Standards specify the use of specific technologies in a
    uniform way. The example the book gives is the standardization of
    operating procedures

   Guidelines – Similar to standards but are recommended actions

   Procedures – These are the detailed steps that must be performed
    for any tasks.
Steps to Creation of IS Security Policy
Policy Development Lifecycle


1.    Senior management buy-in
2.    Determine a compliance grace period
3.    Determine resource involvement
4.    Review existing policy
5.    Determine research materials (Internet, SANS, white papers, books…)
6.    Interview the parties who are responsible for, accountable for, and in control of the assets
          1.   Define your objectives
          2.   Control the interview
          3.   Sum up and confirm
          4.   Post-interview review
7.    Review with additional stakeholders
8.    Ensure policy is reflected in “awareness” strategies
9.    Review and update
10.   Gap analysis
11.   Develop communication strategy
12.   Publish
What’s in a Policy Document
Governing Policy
   Should
       address information security policy at a general level,
       define significant concepts,
       describe why they are important, and
       detail what your company’s stand is on them
   Governing policy will be read by managers and by technical
    custodians
   Level of detail: governing policy should address the “what” of
    security policy.
Governing Policy Outline
might typically include


   1. Authentication
   2. Access Control
   3. Authorization
   4. Auditing
   5. Cryptography
   6. System and Network Controls
   7. Business Continuity/Disaster Recovery
   8. Compliance Measurement
Technical Policies
   Used by technical custodians as they carry out their
    security responsibilities for the system they work
    with.

   Are more detailed than the governing policy and will
    be system or issue specific, e.g., AS/400 or physical
    security.
Technical Policy Outline
might typically include


   1. Authentication
   2. Authorization
   3. Auditing
   4. Network Services
   5. Physical Security
   6. Operating System
   7. Business Continuity/Disaster Recovery
   8. Compliance Measurement
User Policies
   Cover everything about IS security policy that end-users need to know
    about, comply with, and implement.
   Most of these will address the management of
       transaction flows and
       databases associated with applications

   Some of these policy statements may overlap with the technical policy

   Grouping all end-user policy together means that users only have to
    go to one place and read one document to learn everything they need
    to do to comply with company security
User Policy Outline
    might typically include

       1. User Access
       2. User Identification and Accountability
       3. Passwords
       4. Software
       5. System Configuration and Settings
       6. Physical
       7. Business Continuity Planning
       8. Data Classification
       9. Encryption
       10. Remote Access
       11. Wireless Devices/PDAs
       12. Email
       13. Instant Messaging
       14. Web Conferencing
       15. Voice Communications
       16. Imaging/Output
Practicum:

Comptronix Corporation
   Identifying Inherent Risk and Control Risk
    Factors


   Understand how managers can fraudulently
    manipulate financial statements
   Recognize key inherent risk factors that increase
    the potential for financial reporting fraud
   Recognize key control risk factors that increase the
    potential for financial reporting fraud
   Understand the importance of effective corporate
    governance for overseeing top executives
IS Operations

    Chapter 9
What are ‘Operations’
   Development and Test
   Production
   Outsourcing and Utility Computing

   Also, two sides to one system
       Business Operations
         All the tangible physical things that go on in a corporation

       Computer Operations
Internal Control Review Over Operations
[Figure: Business & Computer Operations. Two parallel worlds are drawn. In the physical world, the internal operations of the firm exchange transactions with external real-world entities and events that create and destroy value; the firm's 'owned' assets and liabilities are defined by corporate law. Measurement and posting carry each transaction into the parallel (logical) world of computer operations: the computer systems, consisting of ledgers (databases), journal entries and reports (statistics). The audit program reviews this path and produces the internal control memo.]
Auditing
[Figure: the same picture with accounting in place of computer operations. In the physical world, the internal operations of the firm exchange transactions with external real-world entities and events that create and destroy value, and 'owned' assets and liabilities are defined by corporate law. Tests of transactions, substantive tests and analytical tests link the physical world to the parallel (logical) world of accounting: the accounting systems, consisting of ledgers (databases), journal entries and reports (statistics). The audit program's attestation produces the audit report / opinion. Look familiar?]
Computer Operations
   Only a subset of business operations are computerized (automated)

   Computers do the following well:
       High-speed arithmetic operations
       Storage and search of massive quantities of data
       Standardization of repetitive procedures

   All other Business Operations require human intervention
   Even computer operations require human intervention at some level
       E.g., turning the computer on and off

   In both business and computer operations
       Human interventions demand the most auditing
Automation & Operations Objectives
   Operations should be about following predetermined procedures
   The appeal of automation rests largely on the ability to reduce or alter the role of
    people in the process
   The intent is either to take people out of the loop entirely,
   Or to increase the likelihood that people will do what they are
    supposed to do, and that they do it accurately
       People are flexible and clever
       On a lot of systems we don't actually want to take people out of the
        loop
       The problem comes when a lot of things break at the same time.
             There will probably be a few things that are hard to fix, and a cascade of effects
   Fully automated (computerized) procedures
       Can be audited once with a small data set
       And those results can be taken to hold over time, as long as the change
        logs show that the program and its configuration have not been altered
        since the test
Operations Objectives
What to look for in an audit

   Production jobs are completed on time
   Output (information) is distributed on time
   Backup and recovery procedures are adequate
    (requires risk analysis)
   Maintenance procedures adequately protect
    computer hardware and software
   Logs are kept of all changes to HW & SW
Backup and Recovery Objectives
Best Practices

   Determination of appropriate recovery and resumption objectives for
    activities in support of critical markets.
       Core organizations should develop the capacity to recover and resume activities within
        the business day on which the disruption occurs.
       The overall goal is to resume operations within two hours.

   Maintenance of sufficient geographic dispersion of resources to meet
    recovery and resumption objectives.
       Back-up sites should not rely on the same infrastructure components used by the
        primary site, and
       back-up operations should not be impaired by a wide-scale evacuation or
        inaccessibility of the staff that serves the primary site.

   Routine use or testing of recovery and resumption arrangements.
       Testing should cover not only the firm's own back-up facilities,
         but connections with the markets,
         third-party service providers
         and customers.
       Connectivity, functionality and volume capacity should all be covered.
How Does Backup & Recovery
Fit into your Risk Assessment Framework?
         Your Toolkit:
          Computer Inventory, Risk Assessment Matrix, Dataflow Diagrams and
          Systems Components Hierarchy


Columns under Asset (Ex 2.1): Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*
Columns under Risk Assessment (Ex. 2.2 with improvements): Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss ($)

Primary OS | Owner          | Application | Asset Value | Transaction Flow        | Annual Flow | Risk Description          | Occurrences/yr | Cost per occurrence ($) | Expected Loss ($)
Win XP     | Receiving Dock | A/P         | 0.002       | RM Received from Vendor | 23          | Theft                     | 100            | 100                     | 10,000
Win XP     | Receiving Dock | A/P         | 0.002       | RM Received from Vendor | 23          | Obsolescence and spoilage | 35             | 350                     | 12,250

* Whether you list an asset at all depends on audit materiality.

 Audit Objectives
[Figure: three classes of risk sit over a five-layer stack.]
   Risks addressed
       Reporting Risks (External Audit)
       Control Process Risks (Internal & External Audits)
       Asset Loss Risks (Internal Audits)
   Layers, top to bottom
       Transaction Flows
       Business Application Systems
       Operating Systems (including DBMS, network and other special systems)
       Hardware Platform
       Physical and Logical Security Environment
Prioritizing Backup & Recovery
Tasks
   Find the critical transactions (High value; High
    volume)
   Identify the critical applications for processing these
    transactions
   Identify the critical personnel
           including those you may not have hired or defined jobs for
           Who are essential to processing these transactions
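The three steps above carried out on an inventory, as an added example that is not part of the course material. The flows, the applications that process them and the people who can run those applications are constructed; "critical" is taken to mean the flows that together carry most of the annual transaction value (high value times high volume), and the key-person check is the code's reading of "personnel you may not have hired or defined jobs for".

```python
"""Prioritising backup-and-recovery tasks from a transaction-flow inventory.

Added example, not code from the course.  The flows, applications and the
people who can run them are constructed for illustration.  A flow's
criticality is its annual value (average value per transaction times annual
volume); an application inherits the criticality of the flows it processes;
a person is flagged when they are the only one who can operate a critical
application (a key-person dependency).
"""
from collections import defaultdict

# Constructed flows: (flow name, application, average value per transaction $, annual volume)
FLOWS = [
    ("RM received from vendor", "A/P",     2_300.0, 10_000),   # $23M / year
    ("Customer invoices",       "A/R",     1_500.0, 40_000),   # $60M / year
    ("Payroll run",             "Payroll", 3_000.0,  2_600),   # $7.8M / year
    ("Expense claims",          "A/P",       120.0,  3_000),   # $0.36M / year
]

# Constructed: people who can actually run each application's production jobs.
OPERATORS = {
    "A/P":     {"Lee", "Chan"},
    "A/R":     {"Wong"},            # a single person: key-person dependency
    "Payroll": {"Chan"},
}


def annual_value(flow):
    _, _, avg_value, volume = flow
    return avg_value * volume


def critical_flows(flows, cum_share=0.8):
    """Flows ranked by annual value, cut off once they cover cum_share of the
    total value processed.  Everything above the cut is 'critical'."""
    ranked = sorted(flows, key=annual_value, reverse=True)
    total = sum(annual_value(f) for f in ranked)
    chosen, running = [], 0.0
    for f in ranked:
        chosen.append(f)
        running += annual_value(f)
        if running / total >= cum_share:
            break
    return chosen


def critical_applications(flows, cum_share=0.8):
    """(application, annual value it processes) for the critical flows, largest first."""
    by_app = defaultdict(float)
    for _name, app, avg_value, volume in critical_flows(flows, cum_share):
        by_app[app] += avg_value * volume
    return sorted(by_app.items(), key=lambda kv: kv[1], reverse=True)


def key_person_dependencies(flows, operators, cum_share=0.8):
    """Critical applications that only one named person can run."""
    deps = {}
    for app, _ in critical_applications(flows, cum_share):
        people = operators.get(app, set())
        if len(people) == 1:
            deps[app] = next(iter(people))
    return deps


def recovery_order(flows, operators, cum_share=0.8):
    """Recovery plan: critical applications in priority order with their
    annual value and the people who must be reachable to bring them back."""
    return [(app, value, sorted(operators.get(app, ())))
            for app, value in critical_applications(flows, cum_share)]


if __name__ == "__main__":
    for app, value, people in recovery_order(FLOWS, OPERATORS):
        print(f"{app:8} ${value:>13,.0f}/yr  operators: {', '.join(people) or 'NONE'}")
    print("key-person dependencies:", key_person_dependencies(FLOWS, OPERATORS))
```

With the 80% cut-off, A/R and A/P are the critical applications and A/R has exactly one operator; widening the cut-off to 100% also exposes the payroll dependency on the same person who backs up A/P, which is the kind of staffing gap the backup plan has to close before the disruption, not during it.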
Practicum:
Easy Clean

   Evaluation of Internal Control Environment



   Evaluate a new audit client's control environment.
   Provide an initial evaluation of certain components
    of the client's control environment
   Appreciate the judgment involved in evaluating the
    overall internal control environment based on
    interview data
   Provide support for your internal control
    assessments
Controls Self Assessment

                   Chapter 10
                 What is ‘Control Self-Assessment’?
   DEFINITION
   Control Self-Assessment (CSA) is a leading-edge process
       in which auditors
           facilitate a group of staff members
               who have expertise in a specific process,
       with the objective of identifying opportunities for internal control enhancement
           pertaining to critical operating areas designated by management
   Originally a way of measuring ‘soft controls' which traditional
    auditing found difficult to measure, e.g.
           Management integrity, honesty, trust
           Willingness of employees to circumvent controls
           Employee morale
   The tone and ethics of a firm are set by top management
       And CSA is a way of eliciting these
   It has become especially important post Sarbanes-Oxley
Why is CSA Important?
   Without commitment to good internal control
       And inherently honest and ethical behavior by employees throughout
        the organization
   Internal control systems (preventive, detective and corrective)
       Would quickly become the single most expensive part of the firm’s
        accounting systems
   Internal and external audits would become prohibitively expensive
   Financial statements would lose their value to outside investors
           Causing the stock price to fall,
           bank borrowing rates to rise,
           And firm operations to cease being competitive
   This happened at some of Arthur Andersen’s clients
       Where financial statements came to be known as:
       Andersen’s Fairy Tales
COSO Framework
   COSO (Committee of Sponsoring Organizations of
    the Treadway Commission)
       Formed in 1985 to sponsor the Treadway Commission on fraudulent
        financial reporting, part of the regulatory response that followed the
        Lockheed bribery scandal and the Foreign Corrupt Practices Act of 1977


Internal Control was supposed to ensure:
    Effectiveness and efficiency of operations
    Reliability of financial reporting
    Compliance with applicable laws and regulations
COCO Framework
   CoCo (Criteria of Control Board)
       Founded by the Canadian Institute of Chartered Accountants
         A leading body in setting internal control guidance


Internal Control was supposed to ensure:
    Effectiveness and efficiency of operations
    Reliability of financial reporting
    Compliance with applicable laws and regulations & internal
       policies
Cadbury Framework
   Committee on the Financial Aspects of Corporate Governance,
    sponsored by the UK accountancy profession (the Institute of
    Chartered Accountants in England and Wales), the Financial Reporting
    Council and the London Stock Exchange (the Cadbury Committee … you
    can see why they adopted the latter name)
       Contemporaneous with CoCo

Internal Control was supposed to ensure:
       Effectiveness and efficiency of operations
       Reliability of financial reporting
       Compliance with applicable laws and regulations
       Safeguarding of assets against unauthorized use or disposition
       Maintenance of proper accounting records and the reliability of
        financial information used within the business or for publication
COBIT Framework
   COBIT (Control Objectives for Information and Related
    Technology)
       Contemporaneous with CoCo and Cadbury

Internal Control was supposed to ensure:
       Effectiveness and efficiency of operations
       Reliability of financial reporting
       Compliance with applicable laws and regulations
       Safeguarding of assets against unauthorized use or disposition
       Maintenance of proper accounting records and the reliability of
        financial information used within the business or for publication
An important difference: COBIT was directed specifically
  towards information technology
SAC / eSAC Framework
   SAC (Systems Auditability and Control report)
       Originally published in 1977, and updated in 1991-94,
        contemporaneous with CoCo and Cadbury

Internal Control ensures the same things as under CoCo and Cadbury,
       But SAC provides an extensive module-based framework:
                Audit & control environment
                IT in auditing
                Managing computer resources
                Managing information and developing systems
                Business systems
                End-user and departmental computing
                Telecommunications security
                Contingency planning
                Emerging technologies


An important difference: SAC / eSAC was directed specifically
  towards information technology, and provides more detailed
  direction for IT audits
SASs 55, 78 & 94
   Extensions to the COSO Framework that are essentially
    summarized in SAS 94 (2001)

   Specific IT related Internal Control risks are targeted:
               Reliance on IT that is inaccurately processing data
               Unauthorized access to data, destruction, inaccurate recording, privacy
                breach
               Unauthorized changes to systems
               Failure to make needed changes to systems
               Inappropriate manual intervention
               Potential loss of data


   SAS 94 also emphasizes the importance of specialized IT
    Auditing skills (important for this class)
Prisoner's dilemma
   Two suspects, A and B, are arrested by the police.
   The police have insufficient evidence for a conviction and, having separated the two
    prisoners, visit each of them and offer the same deal:
           If one testifies for the prosecution (turns King's Evidence) against the other and the other
            remains silent, the silent accomplice receives the full 10-year sentence and the betrayer goes
            free.
           If both stay silent, the police can only give both prisoners 6 months on a minor charge.
           If both betray each other, they receive a 2-year sentence each.

   This can be summarized:

                             Prisoner A stays silent            Prisoner A betrays
   Prisoner B stays silent   Both serve 6 months                Prisoner B serves ten years;
                                                                Prisoner A goes free
   Prisoner B betrays        Prisoner A serves ten years;       Both serve two years
                             Prisoner B goes free
The Dilemma
   Each prisoner has two options:
       to cooperate with his accomplice and stay quiet,
       or to betray his accomplice and give evidence.
   The outcome of each choice depends on the choice of the accomplice.
    However, neither prisoner knows the choice of his accomplice.

   The jointly optimal outcome would be for both prisoners to cooperate with each other,
    as this would reduce the total jail time served by the pair to one year in total.
       Any other decision would be worse for the two prisoners considered together.
        However, by each following his individual interest (betraying is better whatever the
        other does), the two prisoners each receive two years instead of six months.

   The strategy that won Axelrod's repeated-play tournaments is called ‘Tit-for-Tat’
       Cooperate by default
       If your opponent defects, defect on the next play, and then go back to cooperating if
        the opponent cooperates on that next play
       Be nice, but disciplined (tough love)
 Prisoner's dilemma
 (Corporate Setting)
    Two officers of the corporation, the CEO and the Comptroller, are arrested for financial
     reporting fraud
    The police have insufficient evidence for a conviction (they didn’t take my course) and,
     having separated the two prisoners, visit each of them and offer the same deal:
            If one testifies for the prosecution against the other and the other remains silent, the silent
             accomplice receives the full 10-year sentence and the betrayer goes free.
            If both stay silent, the police can only give both prisoners 6 months on a minor charge.
            If both betray each other, they receive a 2-year sentence each.

    This can be summarized (years in jail, written CEO, Comptroller):

                         Comptroller Cooperates      Comptroller Betrays
    CEO Cooperates       -0.5, -0.5                  -10, 0
    CEO Betrays          0, -10                      -2, -2
  The Deal (another view)
     Or stated differently
       Here is how the deal will look to the CEO and the
        Comptroller (CEO’s outcome first, then the Comptroller’s)

                     Comptroller Cooperates      Comptroller Betrays
    CEO Cooperates   Win-win                     Lose much – win much
    CEO Betrays      Win much – lose much        Lose-lose
  The Deal
     Or stated differently
       Here is how the deal will look to the CEO and the
        Comptroller

                     Comptroller Cooperates                Comptroller Betrays
    CEO Cooperates   Cooperation: 6 months each             Comptroller’s temptation to defect:
                     (the “reward” payoff)                  payoff of zero years; the CEO gets the
                                                            “sucker’s payoff” of ten years
    CEO Betrays      CEO’s temptation to defect:            Mutual defection: two years each
                     payoff of zero years; the              (the “punishment” payoff)
                     Comptroller gets the sucker’s
                     payoff of ten years
Why Ethics are Important!
   The prisoner's dilemma is a type of non-zero-sum game
       it is assumed that each individual player ("prisoner") is trying to maximize his own
        advantage, without concern for the well-being of the other players.

   In Econo-speak: The Nash equilibrium for this type of game does not lead to
    Pareto optimums (jointly optimum solutions)

   Each side has an individual incentive to cheat even after promising to
    cooperate. This is the heart of the dilemma.

   In the iterated prisoner's dilemma the game is played repeatedly.
       Thus each player has an opportunity to "punish" the other player for previous non-
        cooperative play.
       Cooperation may then arise as an equilibrium outcome.
        The incentive to cheat may then be overcome by the threat of punishment, leading to
        the possibility of a superior, cooperative outcome.

   As the number of iterations approaches infinity, the Nash equilibrium tends
    to the Pareto optimum, because when you face eternity the threat of
    grudges is a grave one indeed.
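The CEO/Comptroller game above, played once and then repeatedly, as an added example (not part of the course slides). The payoffs are the years in prison from the slide's matrix; the strategy names, including tit-for-tat as the "punishment" strategy, are my own choice.

```python
"""The slides' CEO/Comptroller prisoner's dilemma, played once and repeatedly.

Constructed example, not part of the course materials. Payoffs are years in
prison taken from the slide's matrix: 0.5 each for mutual cooperation, 0 for a
lone betrayer, 10 for the party betrayed, 2 each for mutual betrayal."""
from itertools import product
from typing import Callable, List, Tuple

C, B = "cooperate", "betray"

# (CEO years, Comptroller years) for each pair of moves; lower is better.
YEARS = {
    (C, C): (0.5, 0.5),
    (C, B): (10.0, 0.0),
    (B, C): (0.0, 10.0),
    (B, B): (2.0, 2.0),
}

# A strategy sees the opponent's past moves and returns its next move.
Strategy = Callable[[List[str]], str]


def always_cooperate(_opponent_history: List[str]) -> str:
    return C


def always_betray(_opponent_history: List[str]) -> str:
    return B


def tit_for_tat(opponent_history: List[str]) -> str:
    """Cooperate first, then repeat whatever the other side did last:
    the 'punishment' the slide says iteration makes possible."""
    return opponent_history[-1] if opponent_history else C


def one_shot_nash() -> List[Tuple[str, str]]:
    """Pure Nash equilibria of a single play: profiles where neither side
    can shorten its own sentence by changing only its own move."""
    equilibria = []
    for ceo, comp in product((C, B), repeat=2):
        ceo_years, comp_years = YEARS[(ceo, comp)]
        ceo_can_gain = any(YEARS[(alt, comp)][0] < ceo_years for alt in (C, B))
        comp_can_gain = any(YEARS[(ceo, alt)][1] < comp_years for alt in (C, B))
        if not ceo_can_gain and not comp_can_gain:
            equilibria.append((ceo, comp))
    return equilibria


def pareto_best() -> Tuple[str, str]:
    """The profile with the smallest total sentence (the joint optimum)."""
    return min(YEARS, key=lambda moves: sum(YEARS[moves]))


def play(ceo: Strategy, comptroller: Strategy, rounds: int) -> Tuple[float, float]:
    """Iterated game: total years each side accumulates over `rounds` plays."""
    ceo_hist: List[str] = []
    comp_hist: List[str] = []
    total_ceo = total_comp = 0.0
    for _ in range(rounds):
        ceo_move, comp_move = ceo(comp_hist), comptroller(ceo_hist)
        y_ceo, y_comp = YEARS[(ceo_move, comp_move)]
        total_ceo += y_ceo
        total_comp += y_comp
        ceo_hist.append(ceo_move)
        comp_hist.append(comp_move)
    return total_ceo, total_comp


if __name__ == "__main__":
    # One shot: betray/betray is the Nash equilibrium, cooperate/cooperate the Pareto optimum.
    print(one_shot_nash(), pareto_best())
    # Iterated: two punishers serve 5 years each; betraying a punisher costs 18 instead.
    print(play(tit_for_tat, tit_for_tat, 10))
    print(play(always_betray, tit_for_tat, 10))
```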
Practicum:

Cendant Corporation
   Evaluating Risk of Financial Statement Fraud and Assessing
    the Control Environment

   Describe the auditor's responsibility for considering a client's internal
    controls
   Describe the auditor's responsibility to detect material
    misstatements due to fraud
   Identify red flags present during the audits of CUC International,
    Inc.'s financial statements, which suggest weaknesses in the
    company's control environment (CUC was the predecessor
    company to Cendant Corporation)
   Identify red flags present during the audits of CUC's financial
    statements suggesting a higher likelihood of financial statement
    fraud
   Identify management assertions violated as a result of the
    misstatements included in CUC's 1995 through 1997 financial
    statements (prior to its merger with HFS, Inc.)
   Identify audit procedures that could have been performed to detect
    misstatements that occurred
Encryption and Cryptography

                 Chapter 11
Goal of Encryption
   To reasonably ensure the
       Confidentiality
       Integrity and
       Authenticity
   Of electronic storage and transmission of data
   System components:
       Encryption
       Hashing
       Digital Signatures
Uses of Encryption
   The most obvious application of a public key encryption system is
    confidentiality
       a message which a sender encrypts using the recipient's public key
       can only be decrypted by the recipient's paired private key

   Public-key digital signature algorithms can be used for sender
    authentication
       For instance, a user can encrypt a message with his own private key and
        send it
       If another user can successfully decrypt it using the corresponding public
        key, this provides assurance that the first user (and no other) sent it

   These characteristics are useful for many other applications
       digital cash,
       password-authenticated key agreement,
       multi-party key agreement
Types of Encryption
   Public key cryptography is a form of cryptography which generally allows users to
    communicate securely without having prior access to a shared secret key, by using a pair
    of cryptographic keys, designated as public key and private key, which are related
    mathematically.
   The term asymmetric key cryptography is a synonym for public key cryptography.
   In public key cryptography, the private key is generally kept secret, while the public key
    may be widely distributed. In a sense, one key "locks" a lock; while the other is required to
    unlock it. It should not be possible to deduce the private key of a pair given the public key.
   There are many forms of public key cryptography, including:
   public key encryption — keeping a message secret from anyone that does not possess a
    specific private key.
   public key digital signature — allowing anyone to verify that a message was created with
    a specific private key.
   key agreement — generally, allowing two parties that may not initially share a secret key
    to agree on one.
   Typically, public key techniques are much more computationally intensive than purely
    symmetric algorithms, but the judicious use of these techniques enables a wide variety of
    applications.
Applying the Keys
Asymmetric or Public Key Encryption
        Privacy: Single Key Encryption

   Encryption: scramble a message rendering it
    readable only to the intended recipient
   Single-key encryption:
       Sender supplies a "key" to encrypt the message
       Receiver uses the same key to decrypt it. At least
        that's how it works
       e.g., Federal Data Encryption Standard (DES)
       Not usable over insecure channels (if you have a
        secure channel for exchanging keys, why do you
        need cryptography in the first place?)
         Public Key Encryption


   Two related complementary keys
       a publicly revealed key and
       a secret key (called a private key)
       Each key unlocks the code that the other key
        makes.
   Anyone can use a recipient's public key to
    encrypt a message to that person
   That recipient uses her own corresponding
    secret key to decrypt that message
         Digital Signature

   Sender's secret key can be used to encrypt a
    message, thereby "signing" it.
   This creates a digital signature
   which the recipient can check by using the sender's
    public key to decrypt it.
       Proving that the sender was the true originator of the
        message
       Proving that the message has not been subsequently
        altered by anyone else
       Forgery of a signed message is infeasible
       The sender cannot later disavow his signature.
   These two processes can be combined
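The public-key, digital-signature and combined processes described in the slides, as an added example that is not the course's or any library's code. It uses textbook RSA with two constructed key pairs built from tiny primes and no padding, and reduces the message digest mod n so the toy modulus can hold it; those shortcuts are for illustration only.

```python
"""Textbook RSA walk-through of the public-key properties in the slides.

Constructed teaching code, not the course's or any library's implementation:
the primes are tiny, there is no padding, and the digest is reduced mod n.
Real systems use 2048-bit keys, OAEP/PSS padding and a vetted library."""
import hashlib
from typing import List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public, private) for two primes; private exponent d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, n), (d, n)


# Two constructed key pairs, one per party: the slides' "two related keys".
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(1000003, 1000033)
RECIPIENT_PUBLIC, RECIPIENT_PRIVATE = make_keypair(1000037, 1000039)

CHUNK = 3  # plaintext bytes per block; 0x01 marker + 3 bytes < 2**32 < n


def _apply(key: Key, value: int) -> int:
    """One RSA operation: each key undoes what the other key does."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def encrypt(message: bytes, public_key: Key) -> List[int]:
    """Confidentiality: anyone can encrypt with the recipient's public key."""
    blocks = []
    for i in range(0, len(message), CHUNK):
        # A leading 0x01 byte keeps a short final block from losing its length.
        block = int.from_bytes(b"\x01" + message[i:i + CHUNK], "big")
        blocks.append(_apply(public_key, block))
    return blocks


def decrypt(blocks: List[int], private_key: Key) -> bytes:
    """Only the paired private key recovers the plaintext."""
    out = b""
    for block in blocks:
        value = _apply(private_key, block)
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += raw[1:]  # strip the 0x01 marker
    return out


def _digest(message: bytes, modulus: int) -> int:
    """Hash the message first (as the Hashing slide describes), then reduce
    mod n so the toy modulus can hold it; a real scheme pads instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message: bytes, private_key: Key) -> int:
    """Authenticity: the sender 'encrypts' the digest with the private key."""
    return _apply(private_key, _digest(message, private_key[1]))


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """Anyone with the public key can check the signature; any change to the
    message, or a signature made with another key, makes the check fail."""
    return _apply(public_key, signature) == _digest(message, public_key[1])


def seal(message: bytes, sender_private: Key, recipient_public: Key):
    """The slides' combined process: sign with the sender's private key, then
    encrypt with the recipient's public key. Returns (blocks, signature)."""
    signature = sign(message, sender_private)
    return encrypt(message, recipient_public), signature


def unseal(blocks, signature, recipient_private: Key, sender_public: Key):
    """Decrypt, then verify; returns (plaintext, signature_is_valid)."""
    message = decrypt(blocks, recipient_private)
    return message, verify(message, signature, sender_public)


if __name__ == "__main__":
    memo = b"Approve payment of 5,000 to vendor 4711"  # constructed sample
    blocks, sig = seal(memo, SENDER_PRIVATE, RECIPIENT_PUBLIC)
    print(unseal(blocks, sig, RECIPIENT_PRIVATE, SENDER_PUBLIC))  # (memo, True)
    print(verify(memo + b"0", sig, SENDER_PUBLIC))                # False: altered
```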
Asymmetric or Public Key Encryption
PGP (Pretty Good Privacy)
   What is PGP?
   Pretty Good Privacy (PGP) is strong encryption software that
    enables you to protect your email and files by scrambling
    them so others cannot read them.
   It also allows you to digitally "sign" your messages in a way
    that allows others to verify that a message was actually sent
    by you. PGP is available in freeware and commercial versions
    all over the world.
   PGP was first released in 1991 as a DOS program that
    earned a reputation for being difficult.
   In June 1997, PGP Inc. released PGP 5.x for Win95/NT. PGP
    5.x included plugins for several popular email programs.
   http://www.pgp.com/
Hashing
   Uses a one-way ‘hash function’ (i.e., you can’t determine the
    original message from the MAC)
   to produce a block of data called the ‘message digest’
   When both
       Electronic message, and
       Cryptographic key
   Are processed through a one-way hash function
   The resulting block of data is called
       a message authentication code (MAC)
       If it doesn’t match the message, discard the transmission
   Two common one-way hash functions are:
   Message Digest 5 (MD5)
   Secure Hash Algorithm 1 (SHA-1)
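The MAC check the slide describes (message and key through a one-way hash, receiver recomputes and discards on mismatch), as an added example rather than course code. It uses HMAC-SHA256 instead of the MD5 and SHA-1 named on the slide, since both are now deprecated; the "message|tag" wire format and the shared key are constructed for the demo.

```python
"""Keyed message authentication as the Hashing slide describes: message and
secret key go through a one-way hash, the receiver recomputes the tag and
discards the transmission on mismatch. Added example, not the course's code;
HMAC-SHA256 is used because MD5 and SHA-1, named on the slide, are deprecated."""
import hashlib
import hmac
from typing import Tuple

# Constructed shared secret; real keys are random and provisioned out of band.
SHARED_KEY = b"constructed-demo-key"
SEP = b"|"  # constructed wire format: message | hex tag


def mac(message: bytes, key: bytes) -> bytes:
    """MAC = one-way hash over (key, message); without the key it cannot be recomputed."""
    return hmac.new(key, message, hashlib.sha256).hexdigest().encode()


def pack(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: transmit the message with its MAC appended."""
    return message + SEP + mac(message, key)


def unpack(frame: bytes, key: bytes = SHARED_KEY) -> Tuple[bytes, bool]:
    """Receiver side: split off the tag, recompute, compare in constant time.
    Returns (message, accepted); accepted is False whenever message, tag or key
    differ from the sender's, which is the slide's 'discard the transmission'."""
    message, sep, tag = frame.rpartition(SEP)
    if not sep:
        return frame, False
    return message, hmac.compare_digest(mac(message, key), tag)


def digest_only(message: bytes) -> bytes:
    """Unkeyed digest: catches accidental corruption only. With no secret
    involved, whoever alters the message can recompute a matching digest,
    so it proves nothing about who sent the message."""
    return hashlib.sha256(message).hexdigest().encode()


def pack_unkeyed(message: bytes) -> bytes:
    return message + SEP + digest_only(message)


def unpack_unkeyed(frame: bytes) -> Tuple[bytes, bool]:
    message, sep, tag = frame.rpartition(SEP)
    return message, bool(sep) and hmac.compare_digest(digest_only(message), tag)


if __name__ == "__main__":
    order = b"PAY 500.00 TO ACCT 12345"  # constructed sample message
    frame = pack(order)
    print(unpack(frame))                                    # (order, True)
    print(unpack(frame.replace(b"500.00", b"900.00")))     # altered in transit: False
    print(unpack(frame, b"wrong-key"))                      # different key: False
    # Unkeyed digest: a re-packed altered message passes, which is why the key matters.
    print(unpack_unkeyed(pack_unkeyed(b"PAY 900.00 TO ACCT 12345")))
```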
‘Keys’ are just another Security
Policy
   A security policy
       establishes what must be done to protect information stored on computers

   Keys are physical manifestations of “Authorization”
   Issuance and control of keys are just part of the authorization scheme.

   Security policy defines the organization’s attitude to Assets, and
       announces internally and externally which assets are mission critical
         Which is to be protected from unauthorized access, vandalism and destruction by
           3rd parties
   Effective information security policies
       Will turn staff into participants in the company’s security
       The process of developing these policies will help to define a company’s assets
   Anyone who makes decisions or takes action in a situation where information is
    at risk incurs personal risk as well.
   A security policy allows people to take necessary actions without fear of reprisal.
   Security policy compels the safeguarding of information,
       while it eliminates, or at least reduces, personal liability for employees.
Who can revoke a key?

   Obviously, a malicious (or erroneous) revocation of some (or
    all!) of the keys in the system will most likely be a system-
    wide failure
   It is impossible to arrange things so that this cannot happen
    (if keys can be revoked at all)

   Because the principal having authority to revoke keys is very
    powerful,
       the mechanisms used to control it should involve as many
        participants as possible to guard against malicious attacks,
       while at the same time as few as possible to ensure that a key
        can be revoked without delay
How to distribute a new key
   After a key has been revoked, a new key must be distributed in
    some pre-determined manner.
   Assume that Carol's key has been revoked.
       Until a new key has been disseminated, Carol is effectively silenced.
       No one will be able to send her data without violating system security,
        and data coming from her will be discarded for the same reason.
           Or, in other words, the part of the system controlled by Carol is
            disconnected and so unavailable.
           The need for security was deemed higher than the need for availability in
            this design.
   One could lump together the authority to create new keys (and
    certify them) with the authority to revoke keys,
       but there is no need to do so.
       In fact, for reasons of security, this is likely a bad idea.
How to spread the revocation
   The notification that a key has been revoked and should not
    be used again must be spread to all those that potentially hold
    the key, and as rapidly as possible.
   There are two means of spreading information (e.g., a key
    revocation here) in a distributed system:
       either the information is pushed to users from a central point(s),
       or it is pulled from a central point(s) to end users.
           Pushing the information is the simplest solution in that a message
            is sent to all participants. However, there is no way of knowing
            that all participants actually receive the message, and, pushing is
            not very securable nor very reliable.
           The alternative to pushing is pulling. In this setup, all keys are
            included within a certificate that requires the one using them to
            verify that the key is valid.
Recovery from a leaked key
   If loss of secrecy and/or authenticity is a system-
    wide failure, a strategy for recovery must be in
    place.
   This strategy will determine who has authority to
    revoke the key,
       how to spread the revocation,
       also how to deal with all messages encrypted with the key
        since the leak is recognized
   This recovery procedure can be extremely
    complicated, and while it is in progress the system
    might be very vulnerable to Denial of Service attacks
Practicum:

St James Clothiers
   Evaluation of Manual & IT-Based Sales Accounting
    System Risks

   Recognize risks in a manual-based accounting sales
    system
   Explain how an information technology-based
    accounting system can reduce manual system risks
   Identify new risks potentially arising from the use of an
    information technology (IT)-based accounting system
   Recognize issues associated with the process of
    converting from a manual to an IT-based accounting
    system
   Prepare a formal business memorandum
Forensics and Ethics


       Chapter 12
Why ‘Computer’ Crime?
   ‘Because that's where the money is‘ (c. 2005)

   Money is no longer held in physical form

   How much money is being handled daily by
    computer exchange systems in 2005?
       Foreign exchange $2 trillion daily
       Derivatives markets $5 trillion daily
       Outstanding derivatives positions $200 trillion
       NYSE daily activity $1.6 trillion daily
Types of Computer Crime:



   Business as a Victim
       Employee Thefts
       Payroll Fraud
       Fraudulent Billing Schemes
       Fraud Committed by outsiders
       Management Thefts
       Corporate Thefts
   Business as a Vehicle
       Organized Crime
       Money laundering
       Theft from Minority Shareholders
       Other Stock Market Fraud
       Bankruptcy Fraud
Crime’s new venue
   The Internet (With an estimated 1 billion people ) is now in a golden age of criminal
    invention.
       It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business
        models.
   Even encryption, supposedly a defensive measure, has become a tool for extortion
       witness the weird new crime of breaking into a computer, encrypting its contents, and then
        demanding a payoff to supply a password to the victim's own data.
       The crime's so new, it doesn't even have a name yet.
   All the classic scams and rackets that city sharpies push on rubes can be digitized
   Once there were a few relatively uncomplicated viruses; now there are torrents of fast-
    evolving, multifaceted viruses.
       Where once there was just small-time credit-card fraud, now there is international credit-card
        racketeering.
       Computer-network password theft has turned into sophisticated ID fraud that robs patrons of
        banks and online auction sites.
       Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion
        pieces a day worldwide last May, according to the e-mail security firm IronPort)
       Then there are the newer electronic crimes, proliferating so fast that even experts have
        trouble keeping up with the jargon. Phishing. Spear phishing. Pharming. DDOS. DDOS
        protection rackets. Spyware. Scumware. Web site defacement. Botnets. Keylogging.
Hotspots for Internet crime
   Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan,
    Latvia, Malaysia, North Korea, Romania, Russia, and the
    United States are major centers for organized hacking
   Why are certain areas hotspots?
       Places where there's a significant amount of activity usually have
        a technically advanced population and a large population of
        computer users.
       You also have a poor economy, so you have people with the
        technical skills to do good work, but they can't find a job that will
        provide for them,
       so they may have to resort to doing things that are against the
        law
   These hotspots (other than the United States and Japan) also
    tend to be countries where laws and law enforcement lag
       hackers will find the weakest link, the country with no laws
Denial-of-service (DoS attack)
   A "denial-of-service" attack is characterized by an explicit
    attempt by attackers to prevent legitimate users of a service
    from using that service. Examples include
    1.   attempts to "flood" a network, thereby preventing legitimate
         network traffic
    2.   attempts to disrupt connections between two machines, thereby
         preventing access to a service
    3.   attempts to prevent a particular individual from accessing a
         service
    4.   attempts to disrupt service to a specific system or person
   Details are at
    http://www.cert.org/tech_tips/denial_of_service.html
    Zombies
   Zombies do a lot of the heavy lifting
       malware-infected computers that an online puppet master controls
       Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet"
        attempt to carry out the high-tech money grab.
   Botnets are popular because of their increasing sophistication and multiple uses.
       versatile zombie armies pull in cash for their controllers in a variety of ways.
       Sending spam (a big money-maker) is one common use.
   Zombie networks can also steal personal information for purposes of identity theft.


   When botnets are used to launch a DDoS attack,
       the ringleader instructs each zombie computer to send a flood of data to a particular Web site.
       By itself, the data from a single PC can't hurt a site.
       But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed
        and cut off from the Internet.

           E.g., MyDoom had a rather unsophisticated means of controlling host machines.
           Once it insinuated itself into an unprotected PC,
           anyone who knew a not-so-secret five-digit code could commandeer the computer for any
            desired purpose
           As a result, MyDoom-compromised computers were very popular with online criminals for a
            while
Botnets
   Malware turned an average of 172,009 previously healthy
    computers into zombies every day during May 2005
               CipherTrust, an e-mail security company that tracks botnets
   As processing power improves and broadband Internet
    connections become more widespread, zombie computers will
    be able to send more spam or hit Web sites harder
           and botnets will become more powerful.
   Also, the ability to shuffle funds
       including ransom payments
       anonymously through convoluted Internet paths using human
        mules (in much the same way as in the drug trade) and online
        payment services
       means that criminals can revisit old approaches.
Cops and Robbers
   Some botnets consist of phalanxes of from 15,000 to 50,000 zombie PCs
    that are controlled by groups of people dispersed around the world
               Christopher Painter, deputy chief of the Computer Crime
                 section of the U.S. Department of Justice.

    Most perpetrators are adults who execute extremely sophisticated assaults.
    "They don't brag, and they cover their tracks very well," (Painter)

   One notorious cybergang, called Shadowcrew, reportedly had 4000
    members scattered across the United States, Brazil, Spain, and Russia.
Objectives
   Money is these cybergangs' primary
    motivation
       The asking price for temporary use of an army of
        20,000 zombie PCs today is $2000 to $3000,
        according to a June posting on SpecialHam.com,
        an electronic forum for hackers
       Marshaling their armies of zombie PCs, online
        extortionists may threaten to crash a company's
        Web site unless they are paid off.
       Hackers are not shy about asking for $20,000 to
        $30,000 from companies.
Payoffs
   Companies know it's far cheaper to pay the hackers
    than to get knocked offline and lose hundreds of
    thousands of dollars in lost business
       Many extortion attempts go unreported because businesses are
        unwilling to volunteer evidence of their coercion to law
        enforcement officials,
         corporations don't want to admit to their customers,
           stockholders, and business partners their networks were
           ever vulnerable to an attack.
       only about 20 percent of computer intrusions are ever
        reported to law enforcement agencies.
       The US Secret Service receives between 10 and 15
        inquiries per week from business owners who believe
        they may be the target of a cyberattack.
               2004 survey conducted by the Computer Security
                Institute
Client-side Targets
   About 60 percent of new vulnerabilities now affect client-side
    applications
       like Web browsers and media players
       And those vulnerabilities are drawing all the wrong sorts of
        attention
   In 2005, unwanted network traffic targeting Symantec Veritas
    BackupExec
       rocketed to 500,000 instances within days of an announced
        security hole in the product,
       up from a previous maximum of about 50,000 instances.
   Microsoft Office, Internet Explorer, Firefox, and AOL Instant
    Messenger also suffered from serious reported vulnerabilities,
    as did RealPlayer and iTunes
Focus of Client-side Attacks
   Attackers now target
   backup and recovery programs,
   as well as "the antivirus and other security tools that
    most organizations think are keeping them safe"
               SANS Top 20 report for 2005 on the most critical Internet
                vulnerabilities
   The shift toward finding and exploiting vulnerabilities
    in programs represents a major change from past
    years,
       when Windows and other operating systems and Internet
        services like Web and e-mail servers were the preferred
        targets.
Phishing
   California has passed an antiphishing law,
        the Anti-Phishing Act of 2005
        With the passage of the Anti-Phishing Act of 2005, California joins such
        states as Texas, New Mexico, and Arizona, all of which adopted
        antiphishing legislation earlier this year.
   Phishing victims are typically sent fraudulent e-mail designed to trick
    them into revealing personal information, like bank account numbers,
    user names, and passwords.
       Under the Anti-Phishing Act, these victims may seek to recover either
        the cost of the damages they have suffered or $500,000, whichever is
        greater; government prosecutors can also seek penalties of up to $2500
        per phishing violation.
   Phishing attacks have been on the rise. Research firm Gartner
    estimates that 73 million U.S. Internet users received phishing e-
    mails during the 12 months ended May 2005, up 28 percent from the
    previous year.
Malware
   The mischief-making hacker of the 1990s gives way to the
    determined high-tech thief of the 21st century
       The 2005 E-Crime Watch survey of security and law enforcement
       estimated an average loss of $506,670 per organization due to
        malware
   It's gotten so bad that the U.S. Secret Service and Carnegie
    Mellon University's Computer Emergency Response Team
    (CERT)
   last year stopped publishing the number of computer crime
    incidents, saying:
       "Given the widespread use of automated attack tools, attacks
        against Internet-connected systems have become so
        commonplace that counts of the number of incidents reported
        provide little information with regard to assessing the scope and
        impact of attacks."
How to Build a Legal Case:
Inference Network Analysis
   Legal cases are proved through inferences.
   These inferences, built in chains, must lead logically from
    point A to point B
   The strength (or weakness) of these inferences determines the
    strength of the legal case



          [Diagram: Evidence -> Inference -> Proof]
     Chain of Inferences
   Suppose we want to link the defendant
    (an ex-football player and aspiring
    movie star) to the murder of his ex-wife
   Initially the evidence is weak (dotted
    line)
   The defendant and victim were divorced,
    and that may have been motive for the
    murder, but that is a weak case

   [Diagram: the inference network redrawn three times, with nodes Defendant, murder,
    Victim, Glove and DNA, joined in the later versions by Ownership and Unique;
    dotted lines mark the weak inferences]
Analytical and Automated Fraud
Auditing Approaches
   Looks at the general (qualitative) factors of a company.
       Based on tangible and measurable factors (quantitative).
   Used in conjunction with tests of transactions and substantive
    tests
     Analytical techniques provide an important, macro-level,
      detective control over fraud and misstatement in financial
      statements
   Goals
   The objective of such an analysis is to assess the firm's:
       performance, so that management can improve it,
       solvency, so that a bank or a supplier can decide whether to grant credit,
       potential value, to decide on an investment or divestment. This is then called
        fundamental analysis and is linked to business valuation and stock
        valuation
How to: Analytical Techniques
   Compare financial ratios (of solvency, profitability, growth...)
       between several periods (the last 5 years for example)
       and between similar firms.
   Those ratios are calculated by dividing a (group of) account
    balance(s),
       taken from the balance sheet and / or
       the income statement,
       by another,
   for example :
       Net profit / equity = return on equity
       Gross profit / balance sheet total = return on assets
       Stock price / earnings per share = P/E-ratio
Where to find the data
   Company websites
   almost every public company has a website or investor relations department.
    For the most current quarterly or annual report you might want to check in these
    places first.
   http://www.gm.com/company/investor_information/stockholder_info/

   Securities and Exchange Commission (SEC) - The information posted in the
    "EDGAR" database includes the annual report (known as the 10-K), quarterly
    report (10-Q), and a myriad of other forms that contain every type of financial
    data.

   http://www.edgar-online.com/products/edgarpro.aspx

   Hoovers.com - another source for company analysis (some of the data requires
    a subscription)
   http://www.hoovers.com/free/
Fraud Detection Using Digital
Analysis
   A growing area of fraud prevention and detection involves the
    examination of patterns in data – i.e., Digital Analysis
   The rationale is that unexpected patterns can be symptoms of
    fraud. A simple example of the application of this technique is
    a search for duplicate transactions, such as identical invoice
    or vendor numbers for the same amount.
   A simple digital analysis technique is to search for invoices
    with even dollar amounts, such as $200.00 or $5,000.00.
       The existence of particular even amounts may be a symptom of
        fraud and should be examined.
Ratio Analysis
   Another useful fraud detection technique is the calculation of data analysis
    ratios for key numeric fields.
   Like financial ratios that give indications of the financial health of a company,
    data analysis ratios report on the fraud health by identifying possible symptoms
    of fraud.
   Three commonly employed ratios are:
       * the ratio of the highest value to the lowest value (max/min);
       * the ratio of the highest value to the second highest value (max/max2); and
       * the ratio of the current year to the previous year.

   For example, auditors concerned about prices customers were being charged
    for products could calculate the ratio of the maximum sales price to the
    minimum sales price for each product.
       If the ratio is close to 1.0, they can be sure that there is little variance between the
        highest and lowest prices charged to customers.
       However, if the ratio is large this could indicate that a customer was being charged too
        much or too little for the product.
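The duplicate-transaction, even-dollar and max/min price-ratio tests from the Digital Analysis and Ratio Analysis slides, run over a small invoice ledger, as an added example (not the course's code). The ledger, vendor names and the 2.0 ratio threshold are constructed for the demo.

```python
"""Digital analysis and ratio analysis tests from the slides, applied to a
small constructed invoice ledger. Example code written for this review, not
the course's own; the ledger below is made up."""
import csv
import io
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed ledger: one row per invoice (CSV text embedded inline).
LEDGER_CSV = """\
invoice_no,vendor,product,unit_price,amount
10041,Acme Supply,widget,12.40,1488.00
10042,Acme Supply,widget,12.65,379.50
10043,Bolt Co,bracket,3.15,472.50
10044,Acme Supply,widget,12.40,1488.00
10045,Quick Courier,courier,6.12,61.20
10046,Quick Courier,courier,6.12,30.60
10043,Bolt Co,bracket,3.15,157.50
10047,Delta Parts,gasket,0.99,5000.00
10048,Delta Parts,gasket,7.50,200.00
10049,Delta Parts,gasket,1.05,83.79
"""

Row = Dict[str, object]


def load_ledger(text: str = LEDGER_CSV) -> List[Row]:
    """Parse the CSV; money fields become Decimal so cents compare exactly."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["unit_price"] = Decimal(rec["unit_price"])
        rec["amount"] = Decimal(rec["amount"])
        rows.append(rec)
    return rows


def duplicates(rows: List[Row], *fields: str) -> Dict[tuple, List[str]]:
    """Groups of invoices sharing the same values in `fields`: ("invoice_no",)
    finds re-used numbers, ("vendor", "amount") the 'same vendor, same
    amount' symptom the slide describes. Only groups of two or more are kept."""
    groups: Dict[tuple, List[str]] = defaultdict(list)
    for r in rows:
        groups[tuple(r[f] for f in fields)].append(r["invoice_no"])
    return {key: nos for key, nos in groups.items() if len(nos) > 1}


def even_dollar_amounts(rows: List[Row]) -> List[str]:
    """Invoices whose amount is a whole number of dollars ($200.00, $5,000.00)."""
    return [r["invoice_no"] for r in rows if r["amount"] % 1 == 0]


def price_ratios(rows: List[Row]) -> Dict[str, Tuple[Decimal, Decimal]]:
    """Per product: (max/min, max/second-highest) of the unit prices charged.
    When only one distinct price exists the second-highest is the max itself,
    so a product always billed at one price gets ratios of exactly 1."""
    prices: Dict[str, List[Decimal]] = defaultdict(list)
    for r in rows:
        prices[r["product"]].append(r["unit_price"])
    ratios = {}
    for product, values in prices.items():
        distinct = sorted(set(values), reverse=True)
        highest, lowest = distinct[0], distinct[-1]
        second = distinct[1] if len(distinct) > 1 else highest
        ratios[product] = (highest / lowest, highest / second)
    return ratios


def price_outliers(rows: List[Row], threshold: Decimal = Decimal("2")) -> List[str]:
    """Products whose max/min price ratio is far from 1.0: per the slide, a
    customer may have been charged too much or too little."""
    return sorted(p for p, (max_min, _) in price_ratios(rows).items()
                  if max_min > threshold)


if __name__ == "__main__":
    ledger = load_ledger()
    print(duplicates(ledger, "invoice_no"))          # invoice 10043 appears twice
    print(duplicates(ledger, "vendor", "amount"))    # Acme Supply billed 1488.00 twice
    print(even_dollar_amounts(ledger))               # 10041, 10044, 10047, 10048
    print(price_outliers(ledger))                    # ['gasket']: 7.50 vs 0.99
```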
Benford's Law

   Benford's Law, developed by Frank Benford in the 1920s, predicts the
    occurrence of digits in data. Benford's Law concludes that the first digit in a
    large population of transactions (10,000 plus) will most often be a 1. Less
    frequently will the first digit be a 2; even less frequently a 3.

   An analysis of the frequency distribution of the first or second digits can detect
    abnormal patterns in the data and may identify possible fraud. An even more
    focused test can be used to examine the frequency distribution of the first two
    digits (FTD). The formula for the expected frequencies (base-10 logarithm) is:
   Expected FTD Frequency = log10(1 + 1/FTD)
   Therefore, the expected frequency of 13 is log10(1 + 1/13). The expected
    frequencies range from 0.041 for 10, to 0.004 for 99.
   Some audit software programs can be used to determine the frequency
    distribution for first digits, first two digits, and second digits.

                 Note: not all data will have distributions as predicted by Benford's Law. Sometimes there is valid
                  rationale for certain numbers occurring more frequently than expected. For example, if a
                  company sends a large amount of correspondence via courier, and the cost is a standard rate
                  ($6.12) for sending a package of under one pound, then the first digit (6) or the first two digits
                  (61) may occur more often than predicted by Benford's Law.
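The first-two-digit Benford test from the slide, with its log10(1 + 1/FTD) expectation compared against an observed distribution, as an added example rather than course code. The dataset is synthetic (amounts spread uniformly in log-space, which follow Benford, plus the slide's $6.12 courier charge repeated) and the z-score threshold is my own choice.

```python
"""First-two-digit (FTD) Benford test from the slide: expected frequency
log10(1 + 1/FTD) compared with the observed distribution of a constructed
dataset. Added example, not the course's code; the data are synthetic."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple


def expected_ftd() -> Dict[int, float]:
    """The slide's formula for every first-two-digit value 10..99."""
    return {d: math.log10(1 + 1 / d) for d in range(10, 100)}


def first_two_digits(value: float) -> int:
    """Leading two significant digits of a number (5,000.00 -> 50,
    6.12 -> 61, 0.99 -> 99); exponent notation makes magnitude irrelevant."""
    mantissa = f"{abs(value):.10e}"  # e.g. '6.1200000000e+00'
    return int(mantissa[0] + mantissa[2])


def ftd_test(amounts: List[float], z_threshold: float = 4.0) -> Tuple[int, list]:
    """Observed vs expected frequency for each FTD, with a z-score using the
    binomial standard error sqrt(p(1-p)/n). Returns (n, flagged) where flagged
    holds (digits, observed, expected, z) rows over the threshold, largest
    |z| first; those are the 'abnormal patterns' worth examining."""
    counts = Counter(first_two_digits(a) for a in amounts if a != 0)
    n = sum(counts.values())
    rows = []
    for digits, p in expected_ftd().items():
        observed = counts[digits] / n
        z = (observed - p) / math.sqrt(p * (1 - p) / n)
        rows.append((digits, observed, p, z))
    rows.sort(key=lambda r: abs(r[3]), reverse=True)
    return n, [r for r in rows if abs(r[3]) > z_threshold]


def constructed_expenses(seed: int = 7, n_benford: int = 5000,
                         n_courier: int = 400) -> List[float]:
    """Synthetic ledger: amounts uniform in log-space (Benford-distributed)
    plus the slide's standard $6.12 courier charge repeated many times, the
    legitimate exception the slide's note warns about."""
    rng = random.Random(seed)
    amounts = [round(10 ** rng.uniform(2, 5), 2) for _ in range(n_benford)]
    return amounts + [6.12] * n_courier


if __name__ == "__main__":
    n, flagged = ftd_test(constructed_expenses())
    print(f"{n} amounts tested")
    for digits, obs, exp, z in flagged:   # expect FTD 61 far above its 0.007 expectation
        print(f"FTD {digits}: observed {obs:.4f} expected {exp:.4f} z={z:+.1f}")
```

A flagged digit pair is a lead, not a finding: as the slide's note says, the next step is to ask whether a standard charge explains the spike.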
Practicum:

Burlington Bees
   Using Analytical Procedures as Substantive
    Tests
   OBJECTIVES
            Use analytical procedures to develop expectations for
             revenue accounts
            Recognize factors that lead to precise expectations of
             account balances
            Appreciate the degree of professional judgment involved in
             evaluating differences between expected and reported
             account balances
            Understand the audit planning implications of using
             analytical procedures as substantive tests of account
             balances
New Challenges from the Internet:
         Privacy, Piracy, Viruses

                    Course Wrap-up
Password Cracking
   Password cracking is the process of recovering secret
    passwords from data that has been stored in or transmitted by
    a computer system, typically, by repeatedly verifying guesses
    for the password

   The purpose of password cracking might be to help a user
    recover a forgotten password (though installing an entirely
    new password is less of a security risk), to gain unauthorized
    access to a system, or as a preventive measure by the
    system administrator to check for easily crackable passwords.
    Guessing
   Not surprisingly, many users choose weak passwords, usually one related to
    themselves in some way. It may be:
              blank
              the word 'password'
              the user's name or login name
              the name of their significant other or another relative
              their birthplace or date of birth
              a pet's name
              automobile licence plate number
              and so on,


   Some users even neglect to change the default password that came with their
    account on the computer system.
        And some administrators neglect to change default account passwords provided by
        the operating system vendor or hardware supplier.

   A famous example is the use of FieldService as a user name with Guest as the
    password. If not changed at system configuration time, anyone familiar with
    such systems will have 'cracked' an important password, and such service
    accounts often have higher access privileges than a normal user account.

   The determined cracker can easily develop a computer program that accepts
    personal information about the user being attacked and generates common
    variations for passwords suggested by that information.
Dictionary attack
   A dictionary attack also exploits the tendency of people to choose weak
    passwords.

   Password cracking programs usually come equipped with "dictionaries", or word
    lists, with thousands or even millions of entries of several kinds, including:
           words in various languages
           names of people
           places
           commonly used passwords

   The cracking program encrypts each word in the dictionary, and
       simple modifications of each word, and
        checks whether any match an encrypted password.
       This is feasible because the attack can be automated and, on inexpensive modern
        computers, several thousand possibilities can be tried per second


   Guessing, combined with dictionary attacks, has been repeatedly and
    consistently demonstrated for several decades to be sufficient to crack
    perhaps as many as 50% of all account passwords on production systems.
Brute force attack
   Try every possible password up to some length;
       this is known as a brute force attack.

   Because the number of possible passwords grows exponentially with the length of the
    password, this method is unlikely to succeed unless the password is short.

   How small is too small?
    A common recommendation at the time was 8 or more randomly chosen characters
    combining letters, numbers, and special (punctuation, etc) characters;
    later guidance (e.g. NIST SP 800-63B) favours greater length and screening
    against known-compromised passwords over mandated character classes.

   Systems which limit passwords to numeric characters only, or upper case only, or,
    generally, which exclude possible password character choices make such attacks
    easier.

   Using longer passwords in such cases (if possible on a particular system) can
    compensate for a limited allowable character set.
           In practice the greater threat is from "smart" brute-force techniques
           that exploit knowledge about how people tend to choose passwords.

    Most commonly used hashes can be implemented using specialized hardware,
    allowing faster attacks. Large numbers of computers can be harnessed in parallel,
    each trying a separate portion of the search space. Unused overnight and weekend
    time on office computers can also be used for this purpose.
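The keyspace argument above can be made concrete. The following Python, added here and not part of the slides, computes the size of the search space for several character sets and lengths, and runs an exhaustive search over a small digits-only space against a constructed SHA-1 target. It shows why a digits-only password must be appreciably longer than a mixed-character one to offer the same resistance.

```python
import hashlib
import itertools
import string

# Added example: brute-force search-space sizes and an exhaustive search over
# a small character set. The target hash is constructed for the demonstration.

DIGITS = string.digits                          # 10 symbols
UPPER = string.ascii_uppercase                  # 26 symbols
ALNUM = string.ascii_letters + string.digits    # 62 symbols
PRINTABLE = ALNUM + string.punctuation          # 94 symbols (95 with space)


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def keyspace(charset, max_len):
    """Number of candidate passwords of length 1..max_len over charset."""
    n = len(charset)
    return sum(n ** length for length in range(1, max_len + 1))


def brute_force(target_hash, charset, max_len):
    """Try every string over charset up to max_len, shortest first.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha1_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for name, cs, ln in [("digits x8", DIGITS, 8), ("upper x8", UPPER, 8),
                         ("alnum x8", ALNUM, 8), ("printable x8", PRINTABLE, 8),
                         ("digits x16", DIGITS, 16)]:
        print(f"{name:13s} {keyspace(cs, ln):>26,} candidates")
    # A numeric-only 4-character password falls within 11,110 guesses.
    target = sha1_hex("0471")   # constructed target
    print(brute_force(target, DIGITS, 4))
```

Seven digits give a smaller space than four characters drawn from the full printable set; eight digits give a larger one. That is the sense in which extra length compensates for a restricted alphabet.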
Precomputation
   Precomputation involves hashing each word in the dictionary,
   or every candidate in any chosen search space,
   and storing the <plaintext, hash> pairs in a way that enables
    lookup on the hash field.
   This way, when a new password hash is obtained, password
    recovery is a single lookup.

   There exist advanced precomputation methods that are even more
    effective.
       By applying a time-memory tradeoff (Hellman), a middle ground can be reached:
       a search space of size N can be turned into a table of
        size O(N^(2/3)) in which searching for a hashed password takes time
        O(N^(2/3)).
   The theory has been refined into a practical technique (Oechslin's rainbow
    tables), and the online implementation at http://passcracking.com/ achieves
    impressive results on 8 character alphanumeric MD5 hashes.
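To make the tradeoff tangible, here is an added Python example (not from the slides) that builds both a full precomputed table and a Hellman-style chain table over a deliberately tiny search space, 4-digit PINs hashed with MD5. The chain table stores only the start and end point of each chain and recovers a password by walking from the hash until it reaches a known endpoint; the chain length, the choice of start points and the reduction function are this example's own choices.

```python
import hashlib

# Added example: full precomputation versus a Hellman-style time-memory
# tradeoff over N = 10,000 four-digit PINs. Chain length, start points and
# the reduction function are choices made for this demonstration.

N = 10_000
SPACE = ["%04d" % i for i in range(N)]


def H(pin):
    """The unsalted hash under attack (MD5, as in the passcracking example)."""
    return hashlib.md5(pin.encode()).hexdigest()


def R(digest):
    """Reduction function: map a hash value back onto a point of the search space."""
    return "%04d" % (int(digest[:8], 16) % N)


def full_table(space):
    """Plain precomputation: N stored <plaintext, hash> pairs, O(1) lookup."""
    return {H(p): p for p in space}


def build_chains(starts, t):
    """Time-memory tradeoff: from each start point walk p -> R(H(p)) t times and
    store only endpoint -> start points. Memory is len(starts), not N."""
    table = {}
    for p0 in starts:
        p = p0
        for _step in range(t):
            p = R(H(p))
        table.setdefault(p, []).append(p0)  # distinct chains may merge on an endpoint
    return table


def lookup(digest, table, t):
    """Recover a preimage of digest from the chain table, or None.
    Costs at most t hash evaluations plus a chain regeneration per endpoint hit."""
    y = R(digest)                 # the chain point one step past the password
    for _k in range(t):
        if y in table:
            for p0 in table[y]:   # regenerate each candidate chain and test it
                p = p0
                for _i in range(t):
                    if H(p) == digest:
                        return p
                    p = R(H(p))
            # no match: a false alarm from a merged chain, keep walking
        y = R(H(y))
    return None


CHAIN_LENGTH = 25
STARTS = SPACE[::CHAIN_LENGTH]    # 400 start points covering up to 10,000 candidates


if __name__ == "__main__":
    big = full_table(SPACE)
    small = build_chains(STARTS, CHAIN_LENGTH)
    print(len(big), "entries in the full table;", len(small), "endpoints in the chain table")
    target = H("4711")
    print("full table  :", big[target])
    print("chain table :", lookup(target, small, CHAIN_LENGTH))  # None if 4711 is uncovered
```

The full table gives instant recovery at the cost of one entry per candidate; the chain table uses about a twenty-fifth of the memory and pays for it with up to 25 hash evaluations per probe, and because chains merge it does not cover every PIN. Real rainbow tables reduce those merges with a position-dependent reduction function.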
Salting (a remedy)
   The benefits of precomputation and memoization
       can be nullified by randomizing the hashing process.
   This is known as salting.

   When the user sets a password,
           a short random string called the salt is appended to the password before
            hashing it;
           the salt is stored, in the clear, along with the password hash so that it can
            be used during verification.
   Since the salt is different for each user,
           the attacker can no longer use a single hashed version of each
            candidate password, and a precomputed table is useless.

   If the salt is long enough that salts are not reused across users or systems,
    the attacker must repeat the hashing of every guess for each user,
       and this can only be done after obtaining the password hash
        record for that user.
   Salting does not slow down guessing against any single account; that requires a
    deliberately slow hash such as bcrypt or PBKDF2 in addition to the salt.
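The following Python example is added here and is not from the slides. It stores passwords both unsalted and with a per-user random salt, then runs the same wordlist against each form and counts the hash computations: against unsalted hashes one hash per candidate serves every user, whereas against salted records every candidate must be re-hashed for every user. The users, passwords and wordlist are constructed, and the record format "<salt hex>$<digest hex>" is this example's own, not any system's.

```python
import hashlib
import hmac
import os

# Added example: per-user salts and their effect on a dictionary attack.
# Users, passwords and the wordlist are constructed; the record format
# "<salt hex>$<digest hex>" is this example's own.

WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome"]


def unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password, salt):
    # The slides describe the salt as suffixed to the password before hashing.
    return hashlib.sha256(password.encode() + salt).hexdigest()


def set_password(password):
    """Draw a fresh 16-byte random salt and store it in the clear beside the digest."""
    salt = os.urandom(16)
    return salt.hex() + "$" + salted_digest(password, salt)


def verify(password, record):
    salt_hex, digest = record.split("$", 1)
    return hmac.compare_digest(salted_digest(password, bytes.fromhex(salt_hex)), digest)


def crack_unsalted(records, wordlist):
    """One hash per candidate serves every user (and could be precomputed)."""
    table = {unsalted(w): w for w in wordlist}
    return {user: table.get(h) for user, h in records.items()}, len(wordlist)


def crack_salted(records, wordlist):
    """Every candidate must be re-hashed with each user's own salt."""
    found, hashes = {}, 0
    for user, record in records.items():
        salt_hex, digest = record.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        found[user] = None
        for word in wordlist:
            hashes += 1
            if salted_digest(word, salt) == digest:
                found[user] = word
                break
    return found, hashes


USERS = {"alice": "letmein", "bob": "letmein", "carol": "xyzzy-not-in-list"}
UNSALTED_RECORDS = {u: unsalted(p) for u, p in USERS.items()}
SALTED_RECORDS = {u: set_password(p) for u, p in USERS.items()}


if __name__ == "__main__":
    print("same password, same unsalted hash:",
          UNSALTED_RECORDS["alice"] == UNSALTED_RECORDS["bob"])
    print("same password, same salted record:",
          SALTED_RECORDS["alice"] == SALTED_RECORDS["bob"])
    print(crack_unsalted(UNSALTED_RECORDS, WORDLIST))
    print(crack_salted(SALTED_RECORDS, WORDLIST))
```

Both attacks still recover the weak passwords; the salt only multiplies the attacker's work by the number of users and removes the shortcut of a shared table. Note that the unsalted records for alice and bob are identical, which on its own tells an attacker that two accounts share a password.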
Programs for password cracking
John the Ripper
   John the Ripper is password cracking software. Initially developed
    for the UNIX operating system, it currently runs on fifteen different platforms.
       It is one of the most popular password testing/breaking programs as it
        combines a number of password crackers into one package, autodetects
        hash types, and includes a customisable cracker.
       The password hash formats it can be run against include
        various DES-based crypt formats, MD4, MD5, Kerberos/AFS, and the Windows LM hash.
        Additional modules have extended it to passwords stored
        in LDAP, MySQL and others.

   John is designed to discover weak passwords from the hashes held in
    system files. It operates by taking text strings (usually
    from a wordlist file), hashing them in
    the same format as the password being examined, and comparing
    the output to the stored hash. It also offers a brute force ("incremental") mode.
Programs for password cracking
L0phtCrack
   L0phtCrack is a password auditing and recovery
    application (at the time of writing called LC5),
         originally produced by L0pht Heavy Industries, later
          by @stake and then by Symantec, which
          acquired @stake in 2004.
   It is used to test password strength and to recover
    lost Microsoft Windows passwords
         using dictionary, brute-force, and hybrid attacks.
         It is one of the crackers' tools of choice.
Practicum:
Henrico Retail
   Understanding the IT Accounting System and
    Identifying Audit Evidence for Retail Sales

         Outline the audit trail for processing retail sales transactions
         Develop audit plans for gathering evidence to test the
          existence and valuation of retail sales
         Recognize when audit evidence must be gathered
          electronically if a traditional paper trail is absent

   Identifying audit trails in preparation for flowcharting
    accounting cycle processing required for writing an
    audit program

				