issue 19 ! February 2004 A Trojan can seriously damage your health! Why not visit the INTOSAI website, www.intosaiitaudit.org into IT editorial New legislation before the U.S. House of A recent prime-time UK television Representatives requires all publicly programme featured real-time burglary. quoted companies to conduct An ex (so we were told) professional independent, computer security burglar was hired by the programme assessments and report the results in producers to break into the homes of their annual reports. The Corporate volunteers and 'borrow' their valuables. Information Security Accountability Act It was disturbing to witness the ease of 2003, if approved, requires companies with which our resident expert generally "to assess the risk and magnitude of the accomplished his task. Truly, "penetration IntoIT is the journal of the INTOSAI harm that could result from the unautho- testing" in the raw. Standing Committee on IT Audit. rized access, use, disclosure, disruption, Entertainment aside, there was much to The journal is normally published modification, or destruction of such learn from the ensuing debate, which twice a year, and aims to provide an information or information systems," and considered the vulnerabilities uncovered interesting mix of news, views and "determine the levels of information and the countermeasures that ought to security appropriate to protect such comments on the audit of ICT and its have been in place1. Door and window information and information systems". use in Supreme Audit Institutions locks, security lights and their (SAIs). The Act requires companies to hire an positioning, intruder alarms, and a host independent auditor to assess existing of other techniques were examined and Material in the journal is not information security controls and ensure discussed. Household security was then copyrighted for members of that they meet basic standards that the strengthened and retested, and while the INTOSAI. Articles from intoIT can be U.S. Securities and Exchange improvements did not always withstand Commission has yet to determine. further attack, an important point copied freely for distribution within It will be interesting to see whether emerged. Potential intruders are deterred SAIs, reproduced in internal the standards will also extend to the by effective countermeasures because magazines and used on training independent auditor's qualifications and their penetration is time-consuming and courses. experience for reaching a meaningful and likely to attract unwelcome attention. reliable conclusion. Is the auditor likely The trade much prefers soft targets The Editor welcomes unsolicited to be a thoroughgoing, information from which, it seems, there are plenty articles on relevant topics, preferably security professional, or a financial to choose. accompanied by a photograph and auditor who has completed the (5-day, Although this scenario relates to the real short biography of the author, and or whatever) course? Will the audit world, it maps easily onto cyberspace, short news items for inclusion in merely confirm the existence of the right where network administrators have daily future issues. documents - suitably dated and to pit their wits against increasingly authorised - that say the right sorts of sophisticated intrusion techniques. As IT The views expressed by contributors things? Or will the auditor be required to systems become increasingly intercon- to this journal are not necessarily conduct more searching tests to assess nected, more national and global those of the editor or publisher. whether the documentation is a façade networks are emerging, and while this that, in good 'cowboy town' tradition, is opens up unprecedented opportunities propped up by nothing more than a few and benefits for both citizens and state editorial address scaffolding poles? And will organisations alike, it presents the criminal with new who, having acquired the auditor's seal of Contributions should be sent to: opportunities. Systems connected to the approval, rest complacently on their Internet and to other networks become The Editor of intoIT laurels for the next 12 months? We await potential targets and the high level of developments with interest. National Audit Office, attacks against commercial and 157-197 Buckingham Palace Road, government systems, as well as London SW1W 9SP 1 United Kingdom See…. http://www.bbc.co.uk/crime/prevention/yourhome.shtml E-mail firstname.lastname@example.org Web site www.intosaiitaudit.org contents Co u n t r y Fo c u s : Th e U K N a t i o n a l Au d i t O f f i ce 2 12 individuals, continually demonstrate the skill and determination of cyber criminals to exploit technical vulnerabilities and Not Knowing What human naivety. There can be no doubt Yo u D o N o t K n o w that, as more business is transacted on- 20 line, the potential for cyber crime and its incidence will increase. Although most State of network administrators take sensible Nor th Carolina precautions, they have other responsibil- 24 ities and cannot always be blamed if they are not abreast of the latest, often highly ingenious, technical exploits that facilitate Tr o j a n H o r s e s a n d cyber crime. This is work for the Ke r n e l R o o t K i t s out of the internal network, but growing specialist, and it is here that well planned recognition of the risk of attack from 26 and conducted penetration testing can within and the advent of e-mail as a expose serious vulnerabilities. vehicle for planting a Trojan in the Intrusion Detection V In this edition we highlight some of the system has changed the picture. I n t r u s i o n P r eve n t i o n technical and procedural countermea- Our next three articles develop this 29 sures for protecting networked theme. Written by staff at the UK's information systems, including National Infrastructure Security penetration testing, a technique that Coordination Centre2 they provide an Email Spoofing despite its risks is becoming a more overview of recent developments in widely accepted strategy for protecting intrusion detection systems; of e-mail 31 online information and services. spoofing, a technique sometimes used by hackers to obtain system passwords; and A State Auditor's Network Our first theme article provides a Security Case Study of Trojan horse software. And believe layman's guide to hacking. For the me, a Trojan can seriously damage your benefit of readers who are unfamiliar 36 health! with the subject, N. Nagarajan of the Office of the Comptroller and Auditor To round off this edition's theme of Risk Based Sampling General of India explains some of the hacking, we have received an excellent Us i n g CO B I T approaches to computer hacking and the article from the Auditor of Public 40 terminology that often crops up in Accounts of the Commonwealth of connection with it. Kentucky, USA. Ed Hatchett takes a robust stance on the subject of network Going Electronic Our second theme article describes a security, commissioning detailed penetration-testing project that was 43 technical appraisals of state departments' planned and supervised by the Office of controls and not being shy about the Auditor General for North Carolina. Fr e e d o m o f publishing his findings. In his article, Ed The article is interesting both for its Information describes the results of an audit of the description of the outcome (21 of the 22 Transportation Cabinet network in which 48 target systems were penetrated success- his team uncovered both hackers at fully, most in less than 30 minutes) and work and criminal activity. And yet top for the approach to the task. D i g t h e S p a ce d i r t of his recommendations is the simple The focus of network security used to expedient of applying a good standard of 51 be at the perimeter, where firewalls password management. were positioned to keep uninvited guests G AO Wo r k i n g 2 w i t h Co n g r e s s NISCC's role is to co-ordinate and develop the UK critical national infrastructure's defences against electronic attack... 55 http://www.niscc.gov.uk A C h i l l i n g Th o u g h t ! 2 I into IT Country Focus: The UK: some facts and figures UK: 244,820 sq km - approximately the size of the U.S. state of Oregon or the African country of Guinea - comprises England, Wales, Scotland and Northern Ireland, plus many surrounding islands but excluding the dependencies of the Isle of Man and the Channel Islands. No part is more than 75 miles from the sea. Population: 60M Ethnic groups: English 81.5%, Scottish 9.6%, Irish 2.4%, Welsh 1.9%, Ulster 1.8%, West Indian, Indian, Pakistani, and other 2.8% Languages: English and Welsh, but Gaelic, Urdu, Hindi, Punjabi and other languages are spoken. Religions: Anglican and Roman Catholic 40 million, Muslim 1.5 million, Presbyterian 800,000, Methodist 760,000, Sikh 500,000, Hindu 500,000, Jewish 350,00 Government: parliamentary monarchy and part of the European Union. Everyone over the age of 18 can vote. Legal system: common law with early Roman and modern continental influences. Judicial review of Acts of Parliament under the Human Rights Act of 1998. The UK does not have a written constitution. into IT I 3 National Audit Office The UK: historical were to use the same strategy to subdue the Scottish clans during the background 18th century). Following the collapse of the Roman W hat scant knowledge we have of Britain before the Empire early in the fourth century, Roman conquest comes urban life in Britain declined and we mainly from archaeology, which provides sank again into an age of intellectual clues about our early culture and darkness and barbarity that was to economic development but rarely continue for 600 years. Christianity and identifies personalities, motives, or exact the use of money ceased for some two dates. Julius Caesar left us his centuries, while the physical character of impressions of Britain at the time of his our people, language, and institutions brief visits in 55 & 54BC, which is the changed. Germanic tribes from Europe earliest coherent account we have. Even replaced a significant part of our lowland in later Roman times, Britain was population, their dialects replaced Latin considered to lie at the periphery of the and Celtic (later giving rise to the English civilised world, and Roman historians left spoken today), and loosely knit and us little more than a framework in feuding hereditary kingships replaced which to slot the results of archaeologi- the centrally governed Roman cal research. provinces. Among these illiterate and pagan tribes were the Angles and the The Roman invasion of Britain began in Saxons, and Britain came to be called 43AD. While many British tribes made "England" after the former (a derivation political deals with the invaders, they of "Engla-lond" or "land of the Angles"). also encountered stout resistance. Although the Anglo-Saxons were not as Indeed, the Romans never fully occupied sophisticated as their Roman predeces- Britain, concluding that Scotland wasn't sors, within a few centuries they had worth the effort. Roman Britain's built a hierarchical, regulated society in northern border was eventually which agriculture and trade flourished. stabilised on a heavily fortified wall in northern England, slightly south of the Later in the millennium, the Anglo- existing border. Much of "Hadrian's Wall" Saxons found themselves invaded from still exists and is a popular tourist Scandinavia by the "Vikings". Sometimes attraction. the Vikings were beaten back, at other times not. Eventually they were granted For over three centuries, Roman life parts of the country where their own prospered in what is now England. The laws prevailed, although by 1066 - a local tribes became integrated into an highly significant year in our history - an urban, governmental system, and grew Anglo-Saxon king was in control. accustomed to a peaceful, ordered way of life. Roman towns had properly Reliable written evidence from the first drained and metalled streets, water millennium is limited1, but archaeology supplies, forums and other public provides many clues about Roman, buildings. But perhaps the Roman's Anglo-Saxon and Viking settlements and greatest achievement was their system daily life, and all of these peoples left us of magnificently engineered roads, built examples of beautiful jewellery, pottery, to allow the swift movement of troops, sculpture, and metalwork. The study of munitions, and supplies from one names and language shows more strategic centre to another (the English enduring effects, while in the case of the Vikings DNA analysis provides some insight into their effects on our genetic stock. 1 For anyone interested in delving deeper, there is a good source is at... http://www.britannia.com/history/docs/ 4 I into IT In 1066, our neighbours, the Norman French, successfully invaded England; they were the last to do so. Since then, despite occasional periods of civil war, England has remained a unified entity. Under the Normans, government was again centralised, a bureaucracy built up, and written records maintained. The roots of the English "common law" legal system date from this period. Wales and Scotland, originally independent kingdoms, both strongly resisted English rule. King Edward I conquered Wales in 1282 and an Act of 1536 completed the political and admin- istrative union of the two countries; Carew Castle 1707 saw the union of Scotland and England and our adoption of the name The English built a fine set of castles in Wales to help encourage the indigenous "Great Britain". population to toe the line. Many remain and are worth visiting. As for, Ireland, invasion by the Anglo- Normans in 1170 was to lead to centuries of strife, with successive English monarchs (and Oliver Cromwell) seeking to gain control, with varying degrees of success. To cut short a painful story, the Anglo-Irish treaty of 1921 formalised a partition of Ireland. The six counties that constitute "Ulster" maintain their constitutional links with Great Britain, while the other 26 counties became the "Irish Free State" (and in 1949 the "Republic of Ireland"). In 1927, we adopted the name "United Kingdom of Great Britain and Northern Ireland", usually abbreviated to 'United Kingdom' or 'UK'. The British Empire The British Empire began to grow at the beginning of the 17th century, eventually expanding over much of the globe, particularly in North America and India. It was built on colonial trade, Giant's Causeway which originally went hand in hand with When the giant Finn McCool fell in love with a lady giant on Staffa, an island in the slavery; slaves bought in West Africa Hebrides, he built this wide commodius highway to bring her across to Ulster. were shipped to the Americas where into IT I 5 Stonehenge, Wiltshire, England Erected in stages between 3000 and 1500 BC, no one really knows why. they were sold to plantation owners in exchange for produce, which was then producing about 60% of our food needs with only 1% of the labour force. We About the NAO: shipped back to Britain. Later came the have significant coal, natural gas, and oil the early years Industrial Revolution, which was to reserves, primary energy production dominate 19th century British history. accounting for 10% of GDP one of the , The National Audit Office has existed in Queen Victoria's reign in particular saw highest shares of any industrial nation. A its present form since 1983, but the the products of our engineering decline in our manufacturing industry public audit function in central expertise together with our commerce, has been offset by our expanding service government has a long history. language, and systems of law and sector - particularly in banking, The earliest surviving mention of a government spread throughout the insurance and business services - which public official charged with auditing Empire, which at its zenith accounts for by far the largest government expenditure is a reference encompassed roughly one-fifth of the proportion of our GDP . to the Auditor of the Exchequer in 1314. globe. The Auditors of the Imprest were Our long-established pariamentary The heyday of Empire ended in 1914. system is currently the subject of established under Queen Elizabeth I in During the following decades, our reform. Herediatary membership of our 1559 with formal responsibility for economic strength was devastated by upper legislative assembly, The House of auditing Exchequer payments. This two World Wars. The post-war years Lords, is being abandoned in favour of system gradually lapsed and in 1780, saw the rapid dismantling of our Empire politically appointed representatives. Commissioners for Auditing the Public and our transition to a European nation. Scotland and Wales now have National Accounts were appointed by statute. Assemblies with varying degrees of From 1834, the Commissioners worked power, and further assemblies for the in tandem with the Comptroller of the The UK today English regions seem likely. Exchequer, who was charged with controlling the issue of funds to the The UK today is a leading trading power The UK's role as a major world financial government. However, Parliament's role and financial centre, and one of the four centre, our strong ties with the in this process was limited. 'trillion dollar' Western Europe Commonwealth, and a permanent seat economies. Our agriculture is highly on the UN Security Council help us Parliament had for several centuries efficient by European standards, continue to exert significant influence in been responsible for raising revenue and world affairs. authorising expenditure (the English 6 I into IT Forth Railway Bridge, Scotland Civil War had been fought largely on this issue of funds, and accounts were legislation, the Exchequer and Audit issue) but their control and scrutiny of produced by departments and audited Departments Act 1921, addressed this public spending was weak. It was not by the Comptroller and Auditor by allowing the C&AG to rely in part on until the 1860s that the first major steps General. The results of the C&AG's departmental systems of control and were taken towards proper financial investigations were considered by a thus examine only a sample of transac- accountability to Parliament. dedicated Parliamentary committee, the tions. This Act also required the C&AG Committee of Public Accounts (PAC). to report to Parliament that money had From the 1870s, the PAC took evidence been spent in accordance with Parliamentary audit from senior officials, normally Heads of Parliament's wishes. Departments, who were designated as The Exchequer and Audit Departments "Accounting Officers" by the Treasury. Act of 1866 established a cycle of Initially, the C&AG and his staff were Reform accountability for public funds in which The House of Commons authorised required to examine every transaction, Pressure for the reform of the public expenditure, the Comptroller and but this became unrealistic as the level audit system again grew from the 1960s, Auditor General (C&AG) controlled the of government activity expanded, partic- following concerns expressed by ularly during the First World War. New Is Comptroller a misspelling? The Cycle of Accountability Should it not read Controller? Once public money has been spent by a central government body, the C&AG is "Comptroller" first appeared around free to report to Parliament on the regularity, propriety, and value for money 1500 and is thought to be a misspelling with which this has been done. of "controller". This embodied an older The Committee of Public Accounts can take evidence on this report from the error arising from the false most senior official in that public body and can then make recommendations to presumption that the responsibilities which the Government must respond within two months. The C&AG and/or the involved were somehow connected PAC can decide to conduct a follow up investigation into the issues raised. with "accompt" or account, the controller being the "contrarolutator", We are also willing to assist Parliament in whatever way we can. Each year, we one who kept a counter-roll as a respond to over 400 queries from Members of Parliament on issues affecting double check on transactions. public spending. into IT I 7 Parliamentarians and academics that the scope of public audit needed to be "The Committee of Public Gladstone's reforms modernised to reflect the significant changes in the role of government over Accounts would not get Champion of reform, William Ewart the course of the twentieth century. In very far as a bunch of 15 Gladstone, was Chancellor of the Exchequer from 1859-1866 (and, for particular, it was argued that there was a need for a specific power to allow the Members of Parliament, good measure, four times Prime C&AG to report to Parliament at his Minister - 1868-74, 1880-85, 1886, own discretion on the value for money unless we had the quality and 1892-94). achieved by government departments. Reformers also argued that more robust and depth of research As Chancellor, Gladstone initiated major reforms of public finance and arrangements should be put in place to ensure the independence of public contained in the reports Parliamentary accountability. His 1866 Exchequer and Audit auditors from government. we receive from the NAO." Departments Act required all departments, for the first time, to These changes were reflected in the produce annual accounts, known as National Audit Act 1983, under which Rt Hon Alan Williams MP, Chairman, appropriation accounts. The Act also the C&AG formally became an "Officer of the House of Commons" with the The Public Accounts Commission established the position of Comptroller and Auditor General and express power to report to Parliament an Exchequer and Audit at his own discretion on the economy, Department to provide supporting efficiency, and effectiveness with which The development of audit staff from within the civil service. government bodies have used public funds. The Act also established the The work of successive C&AG's had The C&AG was given two main National Audit Office (NAO) - which reflected changes in the nature of functions; to authorise the issue of replaced the Exchequer and Audit government over the years. public money to government from Department - to support the C&AG in the Bank of England, having In the later years of the nineteenth satisfied himself that this was within discharging his role. century, much audit work concentrated the limits Parliament had voted, and Further important changes have on issues of propriety, with the C&AG to audit the accounts of all occurred in recent years. Following repeatedly reporting to Parliament on Government departments and report devolution, new Auditors General have irregular payments and practices by to Parliament accordingly. been appointed in Scotland and Wales to Government departments. The Gladstone also created the Public audit the expenditure of the new expansion of government in the Accounts Committee. Parliament and Assembly. In Scotland, twentieth century led to substantial the Auditor General is supported by a changes in the C&AG's work, with new body, Audit Scotland2, which reports to Parliament concerning large oversees local government audit. The budgets, such as those for old age NAO in Cardiff provides audit services pensions, hospital construction to the Auditor General for Wales3. programmes, and payments to universi- There has been a separate C&AG for ties. Northern Ireland since the foundation of Over time, the focus of our work has the state in 1921. He heads the shifted from reporting simply on the Northern Ireland Audit Office4 and details of expenditure to consideration reports to the Northern Ireland of the value for money achieved by Assembly. government expenditure, a process that The introduction of resource accounting was accelerated greatly by the passing of and budgeting is another important the 1983 National Audit Act. development for the NAO, involving a change from a 'cash' to an 'accruals' based system of planning and accounting for expenditure. William Ewart Gladstone 2 Audit Scotland... http://www.audit-scotland.gov.uk/ 3 Auditor General for Wales... http://www.agw.wales.gov.uk/ 4 Northern Ireland Audit Office... http://www.niauditoffice.gov.uk/ 8 I into IT opinion where material misstatements We support the development of The Three E's are identified, but where this is not the Information Age Government through Under the 1983 Act, the C&AG case, may still report to Parliament on our examinations of the implementation can examine and report on the other significant matters. Even where no of IT projects and of the reliability of IT economy, efficiency, and effective- report is made, we often write to our systems. Here, our work has revealed ness of public spending. We use clients suggesting ways they could that complex IT projects often the following definitions for the improve their systems; such encounter serious problems, resulting in 'three Es': "management letters" often lead to delays and the disruption of e- significant changes. Government services. We have sought I Economy: minimising the cost to promote improvements by drawing of resources used or required In addition to financial audit, the C&AG out the lessons learned so that poor - spending less; presents around 50 reports to performance is not repeated. Parliament each year on the value for I Efficiency: the relationship money obtained by Government Other subjects that our IT-related value between the output from departments and other public bodies. In for money reports have touched on goods or services and the the last 3 years, savings resulting from include information security resources to produce them - our work have amounted to £1.46 management; software licensing; spending well; billion, £487 million each year. identifying and tracking livestock I Effectiveness: the relation- (essentially about information Our value for money work covers a ship between the intended management); and on-line learning wide range of topics, ranging from and actual results of public (essentially about fraud control). examining the entire operation of the spending - spending wisely. criminal justice system to major defence procurement projects and the adminis- tration of agricultural schemes funded by Information and Our current role the European Union. We identify the communications topics for examination by carefully Under the law, the C&AG and the NAO monitoring and analysing the risks to technology in support are responsible for auditing the accounts value for money across the full range of The 1970s saw us getting to grips with of all Government departments and our responsibilities, and in undertaking the technical aspects of computers. agencies, and reporting the results to reviews, we use staff with a wide range Some of our more adventurous Parliament. The C&AG also audits over of professional expertise, including colleagues acquired the skills necessary half of the 'arms-length' public bodies external consultants where necessary. to extract information from the payroll, (also known as non-Departmental public bill paying and stores inventory systems bodies), all National Loans Fund accounts, and several international Auditing information that were then emerging during our government's first wave of computerisa- clients, who we win in open technology tion. This was the punched competition against other auditors. card/mainframe era, and extracting Currently, we audit over 600 accounts IT provides many opportunities to information from these early systems covering some £298 billion of deliver better services to citizens. It also required a good knowledge of data expenditure; £29 billion of income; £336 has considerable potential to improve storage techniques, programming skills billion in tax revenue; fixed assets worth the efficiency of government organisa- (that often extended to a need for £203 billion; and long-term liabilities of tions in all aspects of their business. assembly language), much ingenuity - £37 billion. Achieving Information Age Government and hours of card-punching! is central to the UK's modernisation The C&AG is required to form an Things remained much at this level until programme, but for this to become a opinion as to whether audited accounts the 1990s, when the first of the reality, citizens must have confidence in are free from material misstatements powerful and truly portable (rather than departments' IT systems in terms of and that the transactions they contain 'transportable') PCs - plus software tools their reliability and the protection of have appropriate Parliamentary to match - arrived to lift audit computing personal information. authority. He will issue a qualified out of the realm of the technical into IT I 9 Many of the value for money reports we publish focus on government's use of IT. Recent examples include: e-Accessibility: older people are major users of public services but, as a section of society, are far less likely to access those services electronically. However, these e- services are potentially a great boon to older people, many of whom have mobility specialist and place it firmly within problems, have difficulty in gaining access to sources of information, live alone or want everyone's grasp. Today, all our profes- to remain independent and involved. If government is to take full advantage of the sional staff are allocated a modern potential of technology, it must make sure its e-services are accessible to all and work laptop PC with which to access our to avoid a 'digital divide'... corporate systems - remotely if ...http://www.nao.gov.uk/publications/nao_reports/02-03/0203428.pdf necessary - to exchange e-mail and other documents, and to search the The Libra Project: described by the Chairman of the Public Accounts Committee as World Wide Web. We continue to "one of the worst IT projects ever seen", Libra was intended to provide our magistrates' maintain technical support teams to courts with a standard computer support system. By 2003, the initial project budget, support our financial and value for set at £146M in 1998, had rocketed to £318M with reduced functionality... money auditors in the more difficult ...http://www.nao.gov.uk/publications/nao_reports/02-03/0203327.pdf tasks, but audit computing now lives Tax Credits: the Inland Revenue introduced new tax credits, but the systems did not very much on the auditor's laptop. work as intended, causing major problems for claimants, employers and the Good software can make an important Department. There were serious problems with system performance, which affected contribution to the various stages of stability (staff could not complete the processing of claims and had to start again); audit, particularly in collecting, sorting, speed (staff had to wait too long to access information and records); and availability analysing and interpreting data, and in (significant time in the working day was lost when the system was closed down to presenting the results. Each of our clear internal queues)... laptops carries a comprehensive ...http://www.nao.gov.uk/publications/nao_reports/02-03/02031072.pdf software toolkit comprising Microsoft Government Communications Headquarters: houses one of Europe's largest computer , Office XP IDEA and TeamMate, and complexes and its new accommodation exhibits radical differences from most office staff receive in-house training in their building projects. To sustain the flow of vital intelligence to the Government, GCHQ use. In addition, our technical support retained responsibility for moving its technical capability into the new building. In teams are equipped with specialist doing so, GCHQ failed initially to consider all the implications of the move. As a result software packages for designing ques- estimates for the technical move increased more than ten fold from £40M to £450M... tionnaires, analysing survey results, ...http://www.nao.gov.uk/publications/nao_reports/02-03/0203955.pdf providing statistical analysis, etc. Government Call Centres: can provide services and information in a way that is The 1990s saw our original local area convenient and cost effective. Most of the public tell us that they are willing to use network, which provided internal e- them and are mostly satisfied with the service received. However, there is room for mail, text-based word-processing and improvement. In particular, call centres need to collect full and reliable information spreadsheet, and rudimentary search about their services, and departments need to ensure that efficiency and quality are facilities. Our second-generation delivered... Intranet system, "Merlin", began to roll ...http://www.nao.gov.uk/publications/nao_reports/02-03/0203134.pdf out in 1998, and what an improvement it was! Merlin provides us with access to You can find information about our work in progress, including contact details on our our internal databases, with external e- website at... mail, with access to information held on http://www.nao.gov.uk/publications/workinprogress/index.htm the UK Government Intranet and, via the Internet, to information held on the World Wide Web. Merlin is an object lesson on how a business can come to depend on good information and com- munications technology - we would be lost without it! For this reason we devote considerable resources to IT service management, where we model our management processes on BS 10 I into IT IDEA is a comprehensive file interrogation tool for auditors Teamate that can be used to... .. is an electronic documentation I Import data from a wide range of file types package marketed by PriceWaterhouse Coopers. It's easily I Perform analyses of data including comprehensive statistics, profiles, customised to individual needs and summaries and ageing does not prescribe a particular way I Conduct exception tests of unusual or strange items using simple or of performing an audit. Its main complex criteria. IDEA has 103 built-in special functions as well as normal benefits are that it: arithmetic capabilities I stores and references audit I Perform calculations working papers electronically; I Test for missing or duplicate items I makes for easier and more timely review of audit work. I Select samples using systematic, random or monetary unit techniques The package highlights I Match or compare different data sources important issues, and their review does not have to wait until the paper file is in your Helping the nation spend wisely hand. Many staff can work on The UK National Audit Office scrutinises public spending on behalf of Parliament. the audit at the same time and at different locations; The Comptroller and Auditor General, Sir John Bourn, is an Officer of the House of Commons. He is the head of the National Audit Office, which is based in London I generates reports easily and (with regional offices in Cardiff, Newcastle, and Blackpool) and employs some 800 quickly, and allows them to be staff. He, and the National Audit Office, are totally independent of Government. He customised to meet individual certifies the accounts of all Government departments and a wide range of other client requirements; public sector bodies; and he has statutory authority to report to Parliament on the I makes for better management economy, efficiency, and effectiveness with which departments and other bodies of audits by identifying have used their resources. completed tests (and also Our work saves the taxpayer millions of pounds every year. those that should be At least £8 for every £1 spent running the Office. complete, but are not!); following audit by rolling forward one year's audit to 150005, and to the management of information by staff and more efficient the next. information security. And under the administrative support. Our medium latter heading, we are currently using term (3-5 year) vision is to enable staff TeamMate also provides the government-approved specialists to to work efficiently at client sites for opportunity to embed and enhance carry out "penetration testing" of our much longer periods, with access to the underlying methodologies, thus network to provide positive evidence of full range of resources available to staff providing consistent minimum effective security. at NAO offices. Currently we use dial- standards across all audit work. up for remote access, but are looking to Our IT Strategy will continue to evolve exploit broadband technology further as with technological development. The it becomes more widely available. main thrust of future developments is to improve audit efficiency through Overall, ICT has come to play a vital improved audit support tools, remote support role in achieving our corporate working, and knowledge management, vision of "Helping the Nation Spend and to providing wider access to Wisely". 5 BS 15000 is the first worldwide standard specifically aimed at IT Service Management. It describes an integrated set of management processes for the effective delivery of services to the business and its customers. into IT I 11 The INTOSAI IT Audit Committee I NTOSAI celebrated its 50th anniversary last year. It has grown from a small group of 34 supreme audit institutions (SAIs) that met in Cuba in 1953 to become the voice of the SIR JOHN BOURN worldwide SAI community. Its nearly COMPTROLLER AND AUDITOR GENERAL 190 members represent a wide NATIONAL AUDIT OFFICE OF THE UNITED KINGDOM spectrum of audit institutions working in many different ways to provide their Sir John Bourn has been Comptroller and Auditor General of the United Kingdom since 1988 parliaments and citizens with an and, as well, Auditor General of Wales since 1999. He was educated at the London School of effective audit of public finances. Economics, where he took the BSc (Economics) degree and a PhD. He has worked in INTOSAI, as an apolitical international several government departments, including the Treasury, the Northern Ireland Office and at institution working for the mutual the Civil Service College. Before his present appointment, he was Deputy Under Secretary of State for Defence Procurement at the Ministry of Defence. Sir John sits on the Financial The International Training Reporting Council of the United Kingdom, is a member of the UK's Financial Review Panel Course and a Member of the Panel of External Auditors of the United Nations. Since 1993 the National Audit Office Sir John is a Visiting Professor at the London School of Economics. (NAO) has offered staff from overseas exchange of ideas on best practice, is The UK NAO plays an enthusiastic role SAIs the opportunity to participate in without parallel anywhere else in the in these activities. We host the INTOSAI an annual audit training course in public sector. IT Audit Committee web site London (usually in September). To date (http://www.intosaiitaudit.org), which staff from many countries have partici- Recent years have seen a substantial offers both our members and the world pated in the course, which includes growth in bilateral and multilateral at large a range of training and guidance intensive training in the National Audit cooperation among SAIs. Increasingly, material on various aspects of IT audit, Office's methodologies for both SAIs recognise the need to learn from while other areas of the site catalogue Financial audit and Value for Money each other if they are to keep pace with material useful to the IT auditor that can work. The training approach is the rapid changes in public sector be found on SAI's, state auditor's, and classroom based but both modules management, accounting and auditing government web sites. The UK is also a include practical illustrations, examples standards, and expectations of the role member of the INTOSAI Governing and case studies drawn from accounts of public auditors. Many formal and Board and chairs the INTOSAI working audited and value for money studies informal structures have been group on the audit of privatisation and carried out by the NAO. The course developed by SAIs to identify and regulation. Oh! - we also publish this aims to be interactive and participants promote good practice and to tackle magazine. are encouraged to question and issues that cross national boundaries. introduce elements from their own Among these, the INTOSAI IT Audit During 2003, 600 representatives experience. Extensive course notes, Committee is extremely active, with a from 70 countries visited our office. booklets and reference materials are regular programme of liaison meetings In turn, we sent more than 50 provided for the participants retention and IT seminars hosted by member NAO staff abroad on short-term and future reference. countries. Members also collaborate in assignments ranging from a few the development of training and days to several months. We often Course applications are available on guidance material, our current enrich our projects with expertise our web site... programme including the development drawn from across the UK and http://www.nao.gov.uk/conferences/int of a range of guidance on auditing beyond. ernational_training_application.pdf electronic government and on electronic records management. Ian Petticrew 12 I into IT You can manage what you know about; it's what you don't know about that creeps up and stabs you. For the IT The hacker manager, computer hacking is one such sword of Technically, a "hacker" is someone who is enthusiastic about computer programming and all things computer Damocles for which sensible preventive related, and is motivated by curiosity to reverse engineer software and to explore. and detective measures have become essential. And in common with other disasters in waiting, infiltration should feature in contingency planning. For the benefit of those readers unfamiliar with computer hacking, N. Nagarajan of the Office of the Comptroller and Auditor General of India gives an overview and explains some of the terms associated with it. The basics of protecting against computer hacking into IT I 13 The term "cracker", on the other hand, describes those who apply hacking skills Computer hacking the area of fraud. However, other motives include espionage (both to gain unauthorised access to a Hacking is in some ways the online governmental and commercial computer facility, often with sinister equivalent to burglary; in other words secrets) and the obtaining of motives. But "cracking" never really breaking into premises against the personally sensitive information that caught on, perhaps due to the grey wishes of the lawful owner - in some might be used for tracing people, area that exists between the two jurisdictions a crime in itself - from deception and blackmail; activities and to the media's widespread which other criminal acts such as theft G alteration or deletion of data use of "hacking" as a term synonymous and/or damage generally result. and code: most organisations now with computer crime. I will not Computer hacking refers to gaining depend to some extent on comput- therefore try to buck the trend in this unauthorised access to, and hence some erised information systems, and any article. measure of control over, a computer act resulting in significant corruption facility, and most countries now have or deletion of corporate data could specific legislation in place to deter have serious implications on their those who might wish to practice this ability to transact business; art and science. In some jurisdictions, G degradation or cessation of unauthorised access alone constitutes a service: acts that result in systems criminal offence, even if the hacker being unable to carry their attempts nothing further. However, in workload or that fail altogether, practice, hackers generally have a could also have serious business particular target in mind, so their unau- implications; thorised access leads to further acts, which national law might also define as G use of computer resources: criminal activities. These can be this impact is really inherent in the summarised under the headings of previous three, but it's worth unauthorised: mentioning separately because an emerging problem is the use by G obtaining of confidential hackers of other people's systems information: perhaps the major (extending to home PCs) to store growth area in computer crime is illegally obtained data or to mount "identity theft", in other words the attacks on other systems. There are obtaining of personal information documented cases of systems that can then be used to commit hacked in this way - sometimes other serious offences, usually in referred to as "zombies" because they are no longer in the full control The Ten Immutable Laws of Security of their unsuspecting owners - being used to store child 1 If a bad guy can persuade you to run his program on your computer, it's pornography and material that not your computer anymore. breaches copyright law (e.g. 2 If a bad guy can alter the operating system on your computer, it's not your copyrighted music files), to mount computer anymore. distributed denial of service attacks 3 If a bad guy has unrestricted physical access to your computer, it's not on other systems, and to distribute your computer anymore. spam e-mail. 4 If you allow a bad guy to upload programs to your web site, it's not your Finally, it's worth emphasising that the web site any more. term "hacker" applies both to outsiders 5 Weak passwords trump strong security. and to otherwise authorised personnel 6 A machine is only as secure as the administrator is trustworthy. who misuse their system privileges, or who impersonate higher privileged 7 Encrypted data is only as secure as the decryption key. users. This sad fact needs to be 8 An out of date virus scanner is only marginally better than no virus recognised when formulating corporate scanner at all. security policy. 9 Absolute anonymity isn't practical, in real life or on the web. 10 Technology is not a panacea. Source - www.microsoft.com/technet 14 I into IT dential waste can prove fruitful. Just another security update for Microsoft Internet Explorer Perhaps the quickest and easiest way to Are You on a Network? gain physical access to an organisation's computer facilities is to join the If your computer is part of a managed network, contact your organization's system contract cleaning force, which often administrator before making changes to your computer. works unsupervised and outside normal Why We Are Issuing This Update office hours. A number of security issues have been identified in Microsoft® Internet Explorer that Password attacks: obtain a valid could allow an attacker to compromise a Microsoft Windows®-based system and then password to the system and you take a variety of actions. For example, an attacker could run programs on a computer become just another legitimate user. used to view the attacker's Web site. This vulnerability affects computers that have This is particularly dangerous where Internet Explorer installed. (You do not have to be using Internet Explorer as your Web the hacked account has special browser to be affected by this issue.) You can help protect your computer by installing privileges assigned to it that permit this update from Microsoft. wide-ranging system access and use. Source - Microsoft Security Bulletin MS03-032 A successful password attack is both difficult to detect and difficult to Approaches to hacking weaknesses) in infrastructure software and communications protocols offer prevent because password security depends largely on the user. Keystroke There are several basic strategies for seemingly endless tactical possibilities, loggers and social engineering (see hacking a computer facility: physical as is evidenced in the never-ending terminology below) are methods of intrusion; password attacks; network stream of security updates (see capturing passwords, while people access; web server attacks; and e-mail example). often share their personal passwords attacks, but there are a multitude of Physical intrusion: an attacker's work with others, write them on notes that tactics that can be used to implement is made easier by gaining physical they attach to their terminals, and fail them. For example, security flaws (or access to a machine's keyboard or to to change them periodically. Password design network junction boxes. Physical access cracking programs perform an opens up such possibilities as elaborate process of guessing 'weak' installing a keystroke passwords by trial and error, using logger1; installing combinations of words from different unauthorised languages, names (places, people, hardware devices characters in books), jargon, slang, and (e.g. linking a acronyms. These are tried backwards, modem that in two-word combinations, in combina- bypasses the tions with numbers substituted for corporate firewalls to letters, etc. Vendors often ship infra- the network); tapping structure software with the administra- junction boxes through tor account passwords set to default which network traffic values; because these are widely might be analysed; gaining known in the hacking community, they access to system docu- provide an easy route into a computer mentation, printouts and facility if left unchanged. to written notes of their Network Access and Web Server passwords left by reckless Attacks: computers forming part of a users. Even access to confi- local area network that is in turn 1 Hardware or software than captures the user's keystrokes, including their passwords. into IT I 15 connected to the Internet are exposed to a range of potential logical access Managing common G systems administrators occupy positions of extreme trust; it risks. A network's primary purpose is vulnerabilities follows that they should themselves to permit users to access resources be trustworthy. Be very careful and exchange information, but hackers A compromised system can be a self- who you permit to have system can also use the network for the same inflicted injury due simply to the basic administrator-level access to your purpose. There are different ways to precautions having being ignored: network particularly when hiring achieve unauthorised access under this G ensure that your computer has new staff or appointing people to heading, many being technically sophis- good physical security, consistent cover for absences. Consider ticated. One set of approaches exploits with both its value in terms of implementing a policy of "least features of networking software that replacement cost and the conse- privilege"3 and review periodically make it accessible from outside the quences that could stem from its the privileges that have been network. Another set exploits data being disclosed or destroyed. allocated, to whom and for what browsers; for example, browsers Secure sensitive areas; manage purpose; maintain or have access to information access keys; consider installing G infrastructure software - in about the user and computer that a intruder alarms. Ensure communica- particular the operating system and hacker can exploit. A hacker could also tions junction boxes are secured firewalls - generates logs that cause a browser to launch an "applet" and inspect them periodically for record who is using (or attempting (a program that runs in conjunction signs of tampering - network admin- to use) the system, for what with the browser) to hack the istration packages can detect unau- purpose and when. This computer or network, or to send back thorised physical devices connected information can prove vital in information that is not normally to the network. Provide a secure detecting unauthorised activity - for accessible from outside. Once access is waste disposal service for computer example, attempted access to par- gained, "island hopping" through the printouts and removable media; ticularly sensitive accounts or files - network is sometimes possible by G formulate a sensible password and system use at unusual times. exploiting trusted relationships policy for authenticating users and Logs should be reviewed frequently between interconnected computers - enforce it. Consider the need to - it may be necessary to develop or the fact is that a network of computers strengthen password authentication purchase a log monitoring and that trust each other is only as secure as with tokens or biometrics. Disable analysis package to enable key its weakest link. unnecessary services and accounts system messages to be detected The basic solutions to this family of promptly; quickly. An unplanned increase in security risks are to keep abreast of vendor security updates - such as the Microsoft example illustrated - and to Autorooter maintain an effective "firewall"2. ...a Trojan horse, potentially spread by e-mail, which exploits a Windows vulnerability to allow a hacker to gain control of infected computers. Email Attacks: e-mail is a major route into networked computers. Typically, a This DCOM-RPC exploit only affects Windows XP/2000 Pro/NT computers, which can Trojan horse program is buried within use Remote Procedure Call. As the Trojan is incapable of spreading by itself, the file an innocuous-looking attachment to an reaches computers through infected e-mail messages, inside files downloaded from the e-mail message (see the Autorooter Internet or even on floppy disks. example). The Trojan is launched when When run, Autorooter creates files, including RPC.EXE, which exploit the operating the attachment is opened (or system vulnerability by opening communication port 57005 and logging on with the sometimes viewed) and covertly passes same privileges as the computer's user. It also downloads a file called LOLX.EXE, control of the computer to the hacker. which opens a backdoor in the computer. After that, the infected computer is at the mercy of the hacker who can gain remote control through the port created. 2 Because it doesn't show any messages or warnings that may indicate that it has A combination of hardware and software that limits reached the computer, Autorooter is difficult to recognise. external access to networked computers and resource. 3 The least level of privilege consistent with performing a particular role. 16 I into IT disc storage, slower than expected successfully tested) disaster recovery network performance and It's vital to appreciate that: arrangements in place may find it com- suspicious-looking outbound G security consists of both paratively easy to transfer their key connections can be other indicators technology and policy; that is, operations to a disaster recovery site that you have a cuckoo in the nest; it's the combination of the while they thoroughly investigate and technology and how you use it sanitise their home site. G make sure that your system files (including the Registry) are well that ultimately determines how You should consider the extent to protected from unauthorised secure your systems are; which you back up your firewall and change. Apply the principle of least G security is journey, not a other significant logs. Assuming the vul- privilege to limit what users are able destination. It's not a problem nerability that gave rise to the attack is to do. Implement a change control that can be "solved" once and for not apparent, you may need to look procedure to ensure at least two all, but a continual series of back, perhaps weeks, to identify when people are involved in important moves and countermoves and how the intrusion occurred system changes and that all changes between the good guys and the (another plus in favour of frequent log are recorded. Periodically audit bad guys; reviews). Furthermore, should events your system software for unautho- G the key is to ensure that you finish up in the hands of the police, the rised executables; have good security awareness, police are likely to need the evidence appropriate security policies contained in your logs to support a G never run or download software (that you enforce), and that you prosecution. from an untrusted source (the source from which it was obtained exercise sound judgment. You will also need to consider who to might not be the same as the inform when you discover the developer). If you run a web site, you should control closely what Planning for hacking problem. This will involve striking a balance between those who need to be visitors can do; in particular, you incidents involved in the investigation, top should only permit programs on the management - but only when you have site that you obtained from a So, you discover that your system has concrete proposals to make to them - trusted developer; been hacked. What next? Well, first it's and everyone else, at least until the necessary to backtrack and consider evidence has been preserved. G typically, a new virus or Trojan does planning for this possibility. Sit down the greatest amount of damage with colleagues and write down a Investigation needs to be thorough; early in its life when few people are strategy to guide your response, focusing on a single vulnerability before able to detect it. Thus, an out of exactly as you would for any other restoring service might overlook the date virus scanner is only marginally aspect of contingency planning. Who existence of backdoors that the hacker better than no virus scanner. New will form your incident response team? has inserted to enable easy re-entry viruses and Trojans are created What are your goals going to be and in later. A thorough investigation will virtually every day, so it's vital to what order of priority? In most cases involve advanced networking keep your scanner's signature file up they are likely to be first, to prevent techniques, adeptness with software to date - virtually every vendor further intrusion, then to identify the tools, system administration, provides a means to obtain free vulnerabilities that led to the attack, data/system recovery, technical skills updated signature files from their assess the damage and consider what that might not be at your immediate web site. remedial action needs to be taken (e.g. disposal. Thus, it might be prudent in When you're satisfied that the basics what would you do were you to are both in place and operating, why suspect identity theft?). Will you assign The hackers' hit parade not consider hiring a reputable firm of resources to identifying the intruder? Security firm Qualys produces a security specialists to undertake a Will you involve the police? real-time index of the vulnerabilities "penetration testing" programme to One of the first points to consider is that are the current favourites of the assess the extent to which your whether to disconnect from your Internet's computer hacking scheme of control rests on solid external networks to limit damage and community. You can obtain details of foundations rather than on sand? prevent further infiltration to other each vulnerability by clicking on each trusted networks. Assuming the attack entry in the 'ID' column of the vulner- is external, remaining connected may ability table. leave the hacker able to observe and http://www.qualys.com/services/threa negate the response team's actions. ts/current.html. Organisations that have reliable (i.e. into IT I 17 Responding to intrusions Conclusion Firewall - the online equivalent of the 'man on the door' who, when a visitor G understand the extent and In the context of computer hacking, arrives in the foyer, asks for proof of source of an intrusion; knowing what you do not know is identity, checks the appointments book, G protect sensitive data contained manageable, hence the importance of contacts the host, issues a temporary on systems; good preventive and detective pass and perhaps inspects the visitor's measures, such as log review and baggage before permitting - or denying G protect the systems, the intrusion detection systems. The less - entry. networks and their ability to fortunate are those who remain in self- A network firewall sits at the junction continue operating as intended; inflicted ignorance - maybe for weeks point or gateway between two G recover systems; or months - that their system has been networks - usually a private network G collect information to better infiltrated and their business is being and a public network such as the understand what happened. damaged. Internet - its purpose being to reduce Without such information, you Regardless of the strength of your the risk to networked computers of may inadvertently take actions preventive and detective measures, be intrusion. It may be a hardware device that can further damage your prepared for hacking incidents, particu- or software running on a secure host systems; larly if your organisation relies heavily computer. In either case, a firewall has G support legal investigations. at least two network interfaces, one for on networks (the Internet, WANs and Source: www.cert.org LANs) for its operations and customer the network it is protecting and one for services. Should you fall victim, a the untrusted network to which it is your planning to identify reputable thorough investigation of a exposed. Because firewalls cannot security specialists well versed in compromised system - while decide for themselves whether traffic is penetration testing that might be called disruptive, time-consuming, expensive, hostile or benign, they must be upon to assist with sanitising and and tedious - is essential. The programmed with rules (a "security rebuilding your systems. temptation is to give in to pressure to policy") that govern the types of traffic resume operations quickly by closing to allow or deny. In addition to identifying the system the obvious vulnerabilities and trusting In addition to guarding external vulnerabilities exploited by the hacker, to luck that the system is clean. That connections, firewalls are also a critical review and reconciliation of could easily be a false economy. sometimes used internally to provide activated accounts (particularly those of guests, supposedly disabled accounts additional security by segregating sub- network that give access to highly and those whose presence can't be explained) and their associated system Some terminology sensitive applications. privileges, while tedious, could reveal Buffer overflows - are due partly to a Honey Pots - decoy servers or other unused entry points the hacker characteristic of some programming systems designed to gather information has set up against a rainy day; likewise, languages, such as C, which poor about attackers. A honey pot, which is you should confirm the status of all programming practices then set up to be easier prey for attackers interconnected 'trusted' systems. exacerbate. An overflow occurs when a than genuine production systems, program attempts to store more data incorporates modifications that enable Scan the system for Trojans. These are in temporary storage area, or "buffer", intruders' activities to be logged and typically identified by antivirus than it can hold. Since buffers are of traced. The theory is that when an packages, but their scan engines have finite size, the extra information intruder breaks into a system, they will varying degrees of success, particularly overflows into adjacent buffers thereby return. During subsequent visits, if not up-to-date, so scan using (up-to- corrupting or overwriting the valid data additional information can be gathered date versions of) several packages. held in them. This would normally and additional attempts at file, security, Note: there is more information on cause a program failure or even a and system access on the Honey Pot incident response at... system crash, but a skilfully crafted can be monitored and saved. Most http://www.cert.org/security- overflow can also be exploited as a firewalls can be configured to alert improvement/modules/m06.html form of security attack. The attacker system administrators when they can gain control by creating an detect traffic entering or leaving a overflow containing code designed to honey pot. send new instructions to the attacked computer, hence the relevance of Identity theft - involves taking over an buffer overflows to hacking. individual's identity by stealing critical private information, such as the Social Security number, driver's license 18 I into IT resources and activities and, using compromise the system, or be used in Example of a buffer overflow information gathered from these a social engineering attack. For vulnerability sources, alerts system administrators example, a keylogger will reveal the on identifying possible intrusion. contents of all e-mail composed by the The Phone Book Service that runs on user. Keylogger programs are Internet Information Services (IIS) 5.0 Firewalls (see above) work only at a commonly included in rootkits and has an unchecked buffer (a network's point of entry with packets remote administration Trojans. A temporary data storage area that has as they enter and leave the network. keystroke logger can also take the form a limited capacity but no specification An attacker that has breached the of a hardware device, independent of for the amount of information that can firewall can roam at will through a the operating system, which plugs in be written into it) in the code that network - this is where an ID system between the keyboard and the main processes requests for phone book becomes important. system (for PCs). They simply record updates. A specifically malformed Intrusion Prevention - systems what is typed at the keyboard; the HTTP request from a malicious user monitor for suspicious activity with the hacker can later retrieve the device can cause a buffer overflow in the aim of proactively blocking potential and examine its contents. Phone Book Service, which might attacks. Typically, an IP system allow the malicious user to run unau- Phishing - occurs when a consumer comprises a software agent that resides thorized code on the server, or cause receives a deceptively legitimate near to the host's operating system the service to fail. looking e-mail from what appears to be kernel, which monitors system calls Source: extract from a Microsoft a reputable company (see Spoofing). before they reach the kernel using a security update. The e-mail might ask a recipient to, for rules engine to identify potentially example, update their credit card suspicious activity. This can then be information, and/or provide other number, address, credit card number, halted, or the systems administrator personal details to avoid their account or bank account number. The identity alerted. A drawback is that IP systems being terminated. Another approach is thief can then use the stolen can respond to legitimate activities and for the sender of the message to offer information to obtain loans or credit generate false alarms. Defining a service, for example to protect their lines to buy goods and services under exceptions can reduce such false alarms, credit cards from possible fraud. Those the stolen name. Identity thieves but there are pros and cons to this. stung by phishing are victims of typically change the consumer's mailing Keystroke logger (or keylogger) - is "identity theft" (see above). address to hide their activities. a program that runs in the background Intrusion detection - the art and recording all keystrokes. Once logged, science of detecting when a computer the keystrokes are returned to the hacker who peruses them carefully to Attempted identity theft or network is being used inappropri- ately or without authority. An ID identify passwords and other useful National Australia Bank customers system monitors system and network information that could be used to became targets for an e-mail fraud in which they were sent (grammatically incorrect) requests, purportedly from the bank, requesting them to connect to the NAB web site. "Dear valued customer," it read, "Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety." The e-mail encouraged recipients to click a link in the body of the message, which then connected them to a site that mimicked the NAB Web site but that had been set up to capture their login and password details. The scam used a message previously used to targeted other banks' customers. into IT I 19 Rootkit - a collection of tools and Spoofing - in essence a technique that Trojan horse - a name derived from utilities that a hacker can use to hide depends on forging the identity of the classic Trojan horse in Homer's their presence and gather data to help someone or something else ("mas- Iliad. After spending many months them further infiltrate a network. querading"), the aim being to alter the unsuccessfully besieging the fortified Typically, a rootkit includes tools to log trust relationship between the parties city of Troy, the Greeks evolved a keystrokes (see keylogger above), to a transaction. strategy. They departed leaving behind create secret backdoor entrances to them as a gift a large wooden horse, In the online world, there are different the system, monitor packets on the which the citizens of Troy brought into flavours of spoofing. A hacker might network to gain information, and alter town. Unknown to them the horse employ sophisticated e-mail spoofing to system log files and administrative tools contained Greek warriors, who at night make it appear that an e-mail requiring to prevent detection. jumped out and opened the city gates the victim to confirm their account letting in the Greek army who had Social engineering - in his book, The details, including such information as been in hiding. Art of Deception: Controlling the Human their logon ID and password, has been Element of Security4, arch hacker Kevin sent by a reputable person or organisa- In the IT environment - and setting Mitnick poses the question: why bother tion (see "phishing" and "social aside the legitimate use of network attacking technology when the weakest engineering" above). administration tools - Trojans are link lies not in the computer hardware generally considered a class of IP spoofing is another common form of or software, but in humans who can be "malware" that, like their predecessor, online camouflage, in which a hacker tricked into giving up their passwords contain covert functionality. They act as attempts to gain unauthorised access to and other secrets? Mitnick goes on to a means of entering a target computer a computer or network by making it state that social engineering "uses undetected and then allowing a remote appear that a packet has come from a influence and persuasion to deceive hacker unrestricted access and control. trusted machine by spoofing its unique people by convincing them that the social They generally Internet IP address. A countermeasure engineer is someone he is not, or by incorporate a rootkit is to use of a Virtual Private Network manipulation. The social engineer is able (see above). (VPN) protocol, a method that involves to take advantage of people to obtain encrypting the data in each packet as information with or without the use of well as the source address using technology." encryption keys that a potential attacker 4 doesn't have. The VPN software or Wiley, ISBN 0-471-23712-4 firmware decrypts the packet and source address, and performs a About the author checksum. The packet is discarded if N. Nagarajan CISA joined the Office either the data or the source address of the Comptroller and Auditor has been tampered with. General of India in 1989, and is presently employed as Senior Deputy Accountant General in Mumbai. In addition to his wide experience in auditing IT (particularly in the field of Electronic Data Interchange) and in training staff in IT audit skills, Nararajan has also worked as a developer of pensions systems. Nagarajan's international work includes audit assignments at the United Nations in New York, and a two year secondment to the Office of the Auditor General of Mauritius where he was involved in training staff and in the audit of EDI systems operated by the Customs department. Nagarajan has been published in a number of international journals. 20 I into IT State of North Carolina Office of the State Auditor: INFORMATION SECURITY VULNERABILITY ASSESSMENT The State Auditor of North Carolina supervised a penetration test on 22 of the state's network security systems - in 21 cases the test team were able to take control of the target computers using programs that are readily available to hackers and the public. This article describes the approach to testing taken by the Office of the State Auditor. The full audit report can be downloaded from the State Auditor's web site at... http://www.osa.state.nc.us Overview that security engineers gained control of computers in 21 of the target systems Phase I - preliminary using programs that are readily available state-wide assessment I n a series of projects to evaluate the network and computer security in to hackers and the public. place within selected areas of state Our assessment determined that the To further assist agencies achieve a "best State's systems were at high risk for government, contractors employed by practice" level of information security the Office of the State Auditor (OSA) Internet-based attacks. We subjected over their internal systems, data and the twenty two agencies that hosted the attempted to penetrate the network assets, we performed a comprehensive security systems at 22 of the State's critical information systems for the information security assessment at the Executive, Legislative, and Judicial computer systems. The outcome was Dept of Revenue, Dept of Treasurer, branches of state government to an Office of the State Controller, and Dept External Network Penetration Test. This of Health and Human Services. While was broken down into four separate our assessments identified well-defined phases: and effective security controls, we also identified several areas that posed Phase 1 - intelligence gathering: extreme security risks and exposed the using common communications agency concerned to possible internal or protocols and applications, our security external attack. We classified control engineers determined what information weaknesses as High, Medium, or Low in was available to the general public relation to the level of risk, and on this regarding the State's network. This basis concluded that the overall risk that information was then reviewed to the agency or state network could be determine whether it offered potential compromised was High. intruders an adequate view of the network infrastructure from which they "Capitol Building, Raleigh" could develop a network blueprint. into IT I 21 North Carolina Office of the State Auditor The State Auditor is a member of the Council of State and is elected by the voters of North Carolina every four years. Under the State's Constitution and General Statutes the State Auditor is responsible for conducting and coordinating audits of state agencies and programs supported by state funds. The audits conducted by the Office of the State Auditor include financial and compliance audits on state agencies including community colleges, the Clerks of Superior Court, and the Smart Start partnerships; performance audits to evaluate the effectiveness and efficiency of state agencies and programs; information systems audits on the state's data processing systems; and special reviews to investigate allegations of fraud, waste, or abuse in the state supported agencies or programs. Phase 2 - active reconnaissance: our control of proprietary agency and exploited being on a device owned security engineers used a combination of information. It also provided an by a different agency, our security "hacker" utilities along with the additional buffer for service restoration; engineers were unable to complete the contractor's internally developed audit should a target machine break down attack in the 1 hour and 30 minutes tools to identify specific hosts and during an attack the responsible allowed them. services that were accessible from the individuals could be notified immediately. Internet. This resulted in a partial list of accessible hosts and a list of possible Our security engineers succeeded in penetrating 21 of the 22 agencies Conclusion services offered. identified as part of this test. In almost At the time of our testing the security Phase 3 - attack and toehold: the every case they gained full control of an posture of the State's network offered object of this phase was to gain user agency computer or device in little protection from hacker attacks via level access to (at least) one host in each 30 minutes or less, and in some cases the Internet and was therefore at high agency. Using a combination of "hacker" were able to monitor work being risk of compromise. Our testing enabled utilities and internally developed auditing carried out while having complete us to provide each agency and tools our security engineers tested the control over the computer. After gaining Information Technology Services with vulnerability of popular services offered control they were able to monitor detailed reports describing the on various hosts to undetected, unau- network traffic, capture other user ids weaknesses we had identified and our thorised access to the State's network. and passwords, and launch other attacks recommendations for corrective action. In cases where automated scanners did that went undetected. However, in one These security enhancements have been not determine the nature of a specific case, due to the vulnerability identified acted on. service, the engineers connected directly to the service to verify the security issues. This comprehensive information security assessment focused on five key areas: Phase 4 - privilege escalation: our security engineers manually demonstrat- G Security Policy Assessment, which evaluates the implementation of security ed their ability to increase their policies and procedures. privileges on host sites managed by each G Network Architecture Assessment, which is a detailed review of a network Agency in the presence of the Agency design. Head (or Chief Deputy) and the G Network Vulnerability Assessment, which provides a thorough understanding of Information Systems Director. This security-related weaknesses and exposures in networks. technique provided a real-time G Host Vulnerability Assessment, which reviews the current security configuration perspective for agency representatives of mainframes and operating systems. regarding the amount of time required to penetrate their networks and gain G Secure Build Review (one agency only), which is a security analysis in a non- production environment for the build procedure for a desktop client computer. 22 I into IT Agency Security Policy Network Network Host Secure Build Network Vulnerability Assessment: Assessment Architecture Vulnerability Vulnerability Review having gained an understanding of the Assessment Assessment Assessment network architecture, we assessed network vulnerabilities. We examined Dept of the configuration of network devices, Revenue ✗ ✗ ✗ ✗ ✗ firewalls, and public web servers to Dept of provide a current view of vulnerabilities the State and threats. Our assessment consisted ✗ ✗ ✗ ✗ Treasurer of a review of devices owned and maintained by each agency and devices Office of owned and maintained by Information the State ✗ ✗ ✗ ✗ Technology Services. Controller Host Vulnerability Assessment: the Dept of aim in this stage was to provide a Health and ✗ ✗ current view of threats and vulnerabili- Human ties. Our assessment covered the Services agency's client services and supporting infrastructure, and consisted of a review of a number of hosts owned and Risk Levels Dept of Dept of State Office of the Dept of Health maintained by the agency. Revenue Treasurer State Controller and Human Secure Build Review (Dept of Services Revenue Only): During the Secure Build Review we examined the build process created by the Information High 7 5 4 23 Technology group (within the Medium 7 6 2 6 Department of Revenue) for building Low 5 2 1 3 desktop client computers. Overall Moderate High Moderate High Findings Our testing uncovered a number of weaknesses at each of the agencies, Phase II - comprehensive reviewing security policy and associated procedures for complete- some being sufficient to permit unautho- rised access, data manipulation, or data vulnerability assessment ness, accuracy, and appropriateness. destruction. We classified each We also reviewed current incident weakness according to its relative risk Following Phase I, four agencies response policies and procedures; using the following definitions: volunteered to be subjected to a more comprehensive assessment of their G provide recommendations based High-level Risk: defined as a vulnerabil- production networks. Phase II on best practices and knowledge of ity that could cause grave consequences addressed five key areas: Security Policy the client's business objectives and if not addressed and remedied Assessment, Network Architecture organisational infrastructure. immediately. This type of vulnerability is Assessment, Network Vulnerability Network Architecture Assessment: evident within the most sensitive Assessment, Host Vulnerability in this stage we focused on the internal portions of the network, as identified by Assessment, and Secure Build Review network infrastructure, Wide Area the data owner. This vulnerability could (Dept of Revenue only). Network (WAN) connections to cause network functionality to cease or remote locations, and Internet connec- control of the network to be gained by The table shows the tests we carried tivity through the North Carolina an intruder; out at each agency. These can be summarised as follows (further details Integrated Information Network. We Medium-level Risk: defined as a vul- are set out in the Annex): examined the business and technical nerability that should be addressed requirements of the current network within the near future. There is urgency Security Policy Assessment: our infrastructure to ensure a proper in correcting this type of vulnerability; objectives here were to: balance between functionality, cost, and however; this may be either a more G evaluate current security policies security. difficult exploit to perform or of lesser and practices: this involved concern to the data owner; into IT I 23 Annex Low-level Risk: defined as a vulnerabil- Further details of our test objectives during "Phase II - Comprehensive ity that should be fixed; however, it is Vulnerability Assessment" are as follows: unlikely that this vulnerability alone would allow the network to be Network Architecture G analyse the perimeter firewall's rule set; exploited and/or it is of little Assessment G assess the configuration and architecture consequence to the data owner. of directory services; This assessment was divided into the following We provided each agency with a G assess the mainframe environment's key areas: detailed report that set out the specific security configuration; vulnerabilities we had identified G Network Overview; G identify and validate vulnerabilities in together with our recommendations for G Segmentation Model; network components, and overall archi- corrective action. In each of the four G IP Routing; tecture; agency assessments we also identified G Redundancy; G identify quick fixes for vulnerabilities; vulnerabilities affecting devices controlled by Information Technology G Encryption; G develop long-term recommendations to Services, and we disclosed these to ITS G Remote Access; enhance security. for corrective action. G Network Management; Host vulnerability assessment The vulnerability assessment performed G Anti-Virus; at the Department of Health and The key objectives of this assessment were to: G Intrusion Detection Systems; Human Services covered nine of the G assess server configuration (domain G Backups; Department's divisions. Although the controllers, web servers, application G Firewalls. servers, database servers) for vulnerabili- results have been consolidated for this article, we evaluated and reported on Our key objectives were to: ties or insecure configurations; each division separately. G interview business and technical repre- G identify and validate vulnerabilities in sentatives to gain a solid understanding of network and server components, and overall architecture; Next Steps business objectives and requirements; G identify quick fixes for vulnerabilities; G review technical requirements for the The four agencies that volunteered to network; G develop long-term recommendations to participate in this vulnerability G review required data flows; enhance security. assessment should be commended for G assess security zones and access controls; their concern for information systems Secure Build Review (Department security. The results of these tests will G review at a high level the host and of Revenue Only) assist both them and ITS to strengthen network management strategy; The key objectives of this review were to: network security. However, every state G review at a high level the enterprise G interview technical and business rep- government agency should be subject to backup strategy; a thorough vulnerability assessment, resentatives to gain a solid under- G review at a high level the enterprise virus with regular follow-ups. standing of the demands placed upon strategy; the system and how they impact the Our participation in these assessments G identify applicable industry best practices; host; helped the Office of the State Auditor's G identify and validate security issues of G review the intended use of the Information Systems Audit Division to immediate consequence; platform to understand requirements develop the skills and testing expertise G develop long-term recommendations to and tailor recommendations; to perform these tests in the future. To enhance security; G establish secure build methodology be successful in these efforts, OSA must acquire the testing software necessary G transfer knowledge. for evaluating the build; to analyse networks for vulnerabilities, G examine existing hosts in the establish testing facilities, and continue Network vulnerability assessment production environment for the to receive specialised training in the Our key objectives in this stage were to: application of patches and upgrades; latest advances in networks and the G develop a picture of the network, G assess operating system configura- related vulnerabilities. including topology, devices and hosts, and tion, including: insecure services, North Carolina Office services for correlation against provided permissions, and registry settings as of the State Auditor information and documentation; well as unnecessary services and packages; G assess network device configuration for vulnerabilities or insecure configurations; G identify and validate security issues of immediate consequence; G use active probing to assess network security features such as firewall configu- G develop recommendations to ration, intrusion detection systems (IDS), enhance security. and virtual private networks for vulnera- bilities or insecure configuration; 24 I into IT Trojan Horses and A Trojan horse program -"Trojan" for short - is a piece of computer software that provides intentionally hidden or covert functionality. T his definition includes a wide made. A variation on the traditional range of malicious software, rootkit replaces some system library such as keystroke loggers1 and functions with Trojan versions, thereby logic bombs2. However, the commonest avoiding detection by a system adminis- types of Trojans are those that, once trator who was using checksum and file executed, enable attackers to bypass integrity checking software to identify existing security measures to access a changes to key programs. However, computer. Among these, the most changes to library files are also likely to effective incorporate a "rootkit" program be detected by integrity checking designed to conceal their presence. software, although the system adminis- trator may ignore the warning because Trojans are usually network applications new programs might at any rate require that typically comprise a server installed updated libraries. on the victim's computer and a client on the attacker's computer. The server The most sophisticated type of Trojan listens for commands sent from the modifies some objects or processes that client and responds by returning data to run with system privilege. Some the client. It is also possible for Trojans techniques used by hackers are to: to be "peer-to-peer" applications, such G modify the system kernel executable as file sharing software or Internet Relay file and its integrity checking; Chat (IRC). Although these types of applications may be installed by G install a device driver, loadable attackers on compromised machines, kernel module or other program they are not Trojans in themselves. running at system level, and use it to modify the code executed by Trojans, which are continually evolving, another system process; can undermine the central pillars of information security; confidentiality, G patch system memory or running integrity, and availability. For "stealthi- processes. ness" reasons, they have an increasing Each of these techniques requires tendency to make their network traffic administrator access to load a system appear as existing services in order to level executable or to patch a system obscure their presence. For example, file, while writing an effective rootkit of Setiri, a recent proof-of-concept Trojan, this kind also requires a good bypasses network intrusion detection knowledge of system programming. devices and firewalls by using commands There are, however, kernel rootkits embedded in web traffic to available for both Windows (for communicate. example, NT Rootkit) and UNIX Rootkits designed to hide Trojans fall systems (for example, Adore/ava) and a into three types: file system rootkits, number of do-it-yourself guides. It's library rootkits and kernel rootkits. important to appreciate that because kernel rootkits undermine the trusted "Trojans, trust not the Traditional rootkits simply modify common user programs so that the computing base, they represent the horse. Whatever it be, most serious way in which a computer Trojan is invisible to the system adminis- trator when file and process listings are can be compromised. I fear the Greeks, even when bringing gifts." 1 Virgil (70-19BC) - Aeneid, Book II Keystroke loggers - software that covertly monitors what is typed at the keyboard (including passwords). 2 Logic bombs - software that can be triggered to damage data on your computer system. into IT I 25 Kernel Rootkits v ...an anti-virus or Trojan detection program might detect malicious software on your system, but it might not, especially if the system kernel has been compromised. Common examples of Trojans - which should be detected by your organisation's firewall - are Subseven, Back Orifice 2000 (BO2K), Netbus and distributed denial of service tools such as Trinoo and Stacheldraht. They provide a rich set of functionality, including: G logging the victim's keystrokes (including passwords); G representing the victim's screen on the attacker's computer; G monitoring network traffic on the victim's network; G hijacking TCP sessions involving the victim's computer; G recording conversations via the victim computer's microphone or controlling a webcam; G sending files from the victim's computer to the attacker; G using the computer as a platform for attacks on other computers (denial of service, for example); G using the compromised host for email, chat and file storage; G modifying data on the victim's computer. With a kernel rootkit installed perimeter, or at the very least malicious software on your system, but a computer becomes totally ensure that they are digitally signed it might not, especially if the system untrustworthy and might not by a trusted party; kernel has been compromised. In implement any of the general you will need to employ G ensure that the security permissions security measures that the specialist analysis tools, perhaps through of all users reflect least privilege (for standard operating system a specialist security consultant. example, restricting installation implements. privileges to a sensible number of N.I.S.C.C. (http://www.niscc.gov.uk) A key message to system administrators); Editor: the major anti-virus software conclude this brief G follow the vendor's best practice suppliers provide good descriptions of overview of Trojans security advice for operating system many Trojans (and viruses and worms) on and rootkits is that and application configuration; their web sites. For example: prevention is far better than cure. G use an appropriate virus/Trojan Sophos... http://www.sophos.com/virus Fortunately there are a scanner on a regular basis. info/analyses/ number of steps that you Least privilege can be hard to enforce, Symantec... can use to reduce the chances of but system administrators should ensure http://securityresponse.symantec.com/a system compromise by a Trojan: that users have appropriate read, write vcenter/vinfodb.html/ G follow good network security and execute permissions on system Network Associates... practice3; objects, including keys in the Microsoft http://www.mcafee.com/antivirus/virus_ Windows registry. G because e-mail is a common way for glossary.asp a Trojan to be sent to a victim's If you suspect that your system has been MessageLabs (managed service)... computer, block all executable mail compromised, an anti-virus or Trojan http://www.messagelabs.com/viruseye/t attachments at the network detection program might detect hreats/default.asp 3 See NISCC Technical Note 01/02... http://www.uniras.gov.uk (see Alerts & Briefings for 2002) 26 I into IT intrusion detection intrusion prevention Intrusion Detection Systems are the burglar alarms of IDSs come in two main flavours, Network-based IDS (or NIDS) and the network security world, while Intrusion Prevention Host-based IDS (or HIDS). As their names imply, NIDS systems examine data on the Network link being Systems can additionally be programmed to respond to monitored for signs of attack, whilst HIDS reside on a Host machine (for an attack. This article describes the concepts behind example a file server or a web server) and examine transactions with that both IDS and IPS technologies, and compares and particular Host for signs of malicious activity (this may be achieved using data contrasts their different approaches. passed to the application or logs generated by the application or server). Introduction you recognise the significance on the IDSs are generally 'passive' - they sixth occasion or just ignore it? observe and report on potentially F irewalls have long been the Alternatively, the response may depend malicious activity rather than actively mainstay of network security. on the availability of someone with the responding to stop an attack. Their role is to control access to right experience to analyse the event There are three main mechanisms by network components or services in and take appropriate action. which IDSs attempt to identify attacks: accordance with the policy defined by the system owner. They achieve this by Intrusion Prevention systems (IPS) also G Rule based: in this architecture examining the headers of IP packets and aim to detect indications of an attack in the IDS contains a library of making decisions accordingly. However, progress, but they can respond 'signatures' that correspond to this does leave the host system automatically and in a predefined known attack vectors. For potentially vulnerable to attacks against manner to prevent an attack from example, a signature for detecting its permitted services - such as exploits impacting the target system. This ability the actions of the Code Red worm against a publicly-accessible web server - to respond means an IPS offers the may involve detecting a request for because in general no account is taken potential to enable a system to remain . 'default.ida' over HTTP Each data of the content of the packet, only that it on-line despite being under attack. item - for example, a packet that corresponds to a permitted service. passes 'on the wire' (i.e. in transit Intrusion Detection Systems on the network) or data that Intrusion Detection systems (IDS) are This article only summarises the arrives at a particular host - is the 'burglar alarms' of network security, principles of IDS, but interested reader compared to the signature library designed to go off when activated by a may wish to refer for further and an alert or log entry is particular trigger. In common with information to the NISCC Technical generated as appropriate. burglar alarms, the response then often depends on past experience - if your Note 05/02: Understanding Intrusion G Anomaly detection: this category neighbour's house alarm has gone off by Detection Systems, which is available on of IDS attempts to determine the mistake five times in the last week, do our web site (http://www.uniras.gov.uk). presence of an attack based on the into IT I 27 presence of data items or activities Anomaly detection engines are Fig 1a Possible deployment architecture that fall outside the 'normal' designed to detect attacks through pattern of behaviour. For these to comparison with a baseline of the for NIDS be effective, the system needs normal system behaviour. This approach 'training' to learn what constitutes will always be more prone to 'false normal behaviour. positives' because a statistical metric is G used to determine 'good' and 'bad'; thus Protocol Analysis: attempts to benign traffic from an application that detect protocol elements that do wasn't in the 'training set' of the IDS not conform to the appropriate could be flagged as anomalous and raise standard, anomalies that may an alert. indicate an attempted attack. Of these differing modes of operation, Intrusion Prevention Systems the signature based approach to IDS is IPSs, which are relatively new to the the more mature technology, and most market, respond in a proactive manner commercially available IDS systems fall when they detect a potential attack. into this category. The response may take a number of NIDS systems are usually deployed different forms, such as: where they can view the most traffic, or G logging the event (like a standard at least the traffic on those segments IDS); that are considered most important. On a segmented network, they can be G blocking the transit of the data; connected to a monitoring port on a G resetting the connection between switch, although data aggregation can source and destination; result in problems for the IDS. HIDS would normally be deployed on the G limiting the rate of connection more important servers within a between source and destination; network. Figure 1a shows an example G re-writing firewall rules for of a deployment architecture, the idea Fig1b Possible deployment architecture particular conditions. being that IDSs are transparent to the for IPS end user and do not add any processing IPSs are designed to sit 'in-line' with the overhead to the data passing between target system (see figure 1b), effectively the end points of a transaction. acting as a 'bridge' between the internal systems requiring protection and the Signature based IDS systems are rest of the network. In this architecture very good at detecting known attacks, all traffic must pass through the IPS but they are not so at detecting 'new' device, which inspects all the data for attacks due to the time delay between a signs of attack (against the signatures it new vulnerability or attack being has been configured to use). discovered, and a vendor releasing a signature to detect it. Ideally, the IDS An immediate issue with this type of should provide an interface by which architecture is the potential administrators can define their own consequence of the IPS crashing, which signatures relevant to local conditions. may effectively cut off the target system from the rest of the network. When discussing IDS, it is impossible to Depending on the nature of the avoid considering 'false positives', which business, it may be preferable for the are alerts generated by an IDS due to system to fail 'open' thereby providing benign activity. Signature based IDSs are continued availability of the network prone to generating false positives, services at the cost of removing the though a good understanding of the additional layer of security provided by network being monitored and a period the IPS. of 'training' should ensure that these are minimised. 28 I into IT IPS systems do have the potential to form a valuable tool for network security, and they provide a means for reducing the amount of attack traffic reaching vital systems within a network. The different types of IPS system that are available commercially include: definition may indicate an attack, the IPS then responding in the manner in Summary G which it has been configured. IDSs and IPSs are useful tools in the Network (or Gateway IPS): sit in the network line, monitoring all G Anomaly Detection: similar to IDS, system administrator's armoury for network traffic for malicious activity, uses techniques to determine helping to ensure the security of their and are able to block packets that anomalous traffic and then respond. networks. The choice of which system are designated as attacks; to deploy will depend on a number of Issues with detection of attacks within local considerations, such as: G Web server shields: sit on the web IPSs are similar to those within IDSs - G cost; server, effectively 'wrappering' the the time delay between new attacks and server software. Attacks are signature availability, false positive rates, G which parts of the network are to detected by monitoring the activity etc. However, in this instance the conse- be protected by the deployed undertaken by the web server quences of 'false positives' may be more system; account; serious, especially if the IPS is configured G availability of resource to administer G to block traffic from a source in the Web application firewalls: sit in the system; event of an 'attack' being detected. the network path and inspect the G requirement for alerts or a system contents of packets destined for any IPS systems have the potential to form a web server or web application for valuable tool for network security, and making proactive defence responses; signs of attack. for providing a means of reducing the G availability of resource to investigate amount of attack traffic reaching vital the causes of alerts generated by IDS Trusted operating systems can also be systems within a network. Their use to systems; considered to be a form of IPS because filter out traffic corresponding to known they implement access control function- G applicability of detection techniques worms (such as CodeRed and Nimda) ality and enforce user privilege restric- to local network services; and……. may, for example, greatly reduce the tions. load on a web server. However, this G the degree of tolerance to loss of Attack detection within the IPS can be must be offset against the risk of service. achieved in several ways, including: misidentification of attacks on service 'availability'. In common with an IDS, Neither type of system can be G Signature Detection: the IPS holds implementing an IPS is not a 'set and considered to be 'set and forget'. Each a library of signatures (similar to IDS) requires monitoring to ensure that it forget' task. Careful performance corresponding to known attacks that meets its objectives; that signature monitoring is necessary both to ensure it compares with data on the wire. libraries remain up to date and accurate; that an IPS is meeting it's objectives, and Ideally, the administrator should have and that administrators are aware of that the administrators remain aware of the capacity to define additional what is happening in their networks. what is happening in their networks. signatures relevant to local Where an IPS is used to respond to an conditions. attack proactively, administrators must G Protocol Analysis: here the IPS be aware of any configuration changes compares the elements of the data made by the IPS (such as addition/modi- on the wire with protocol definitions fication of firewall rules) to their that it understands. Any deviations network. from the accepted protocol N.I.S.C.C. (http://www.niscc.gov.uk) into IT I 29 Email spoofing is a technique frequently used by perpetrators of all manner of email hoaxes to hide email their identities and point the blame at somebody else. It is a favourite with spammers and also used by hackers. Spoofing received some media spoofing coverage recently when a 12-year-old was able to demonstrate how he apparently sent an email purporting to come from the UK Prime Minister to the Chancellor of the Exchequer. Background The sending of spoof email is usually carried out for the purposes of causing embarrassment or the misinterpretation of the individual or organisation whose address has been spoofed. Consequences could include recipients of the email divulging information to those not entitled to have it. The information may then be used in a manner detrimental to the victim of the spoof. For example, interference with customer records, with a resultant impact on the customer. In the UK, the sending of spoof email is, in itself, not illegal although there is scope for legal action where personal information is obtained by deception or the email has threatening content. Methodology Sending spoof email is very simple. Most email software displays the "date Email spoofing - the threat received", "from" and "subject" fields. The email header containing address Any IT literate individual or group could use simple email spoofing. The effects and routing information is generally which they can achieve with such attacks are limited only by their imagination and hidden from view to prevent cluttering ability to write a convincing bogus content. The following scenarios could be the screen and confusing the user. imagined: Consequently a user can be deceived if G Producing spoof press releases from a company or Government department the sender simply changes the "from" to cause embarrassment. field. The address is not normally G Causing disruption and wasted time by feeding misinformation to critical checked at any stage in the process of sending an email and does not even national infrastructure organisations. have to be a valid address. There is little G Encouraging users to switch off IT security features or passwords by spoofing emails from a security department. 30 I into IT that can be done at the server end to stop this, the only available options Identification Other indicators may include: G The grammar, language or style of being: Once an email has been received, there writing is not consistent with the G to make employees aware of the is likely to be little about it that email address the email claims to email spoofing risk; immediately identifies it as spoofed. The come from. only technical indicators, to be found in G to require all email addresses to G The email may be missing the the "internet" or full email header are: contain a valid domain name. This standard 'signature' the apparent G Instead of being marked as "From:" is currently being done, but even sender may use. though the domain names can be the email is marked as "Apparently- G The email claims to be from an checked, the email addresses From:". This usually indicates a hand-built email and as such the individual who doesn't exist within themselves cannot; address is likely to be false. the organisation in question. G for internal mail servers to require G If email purports to come from a G The "Message-ID:" header and the all source email addresses to "Received" header immediately government site, but does not bear contain the organisation's domain, above it in the internet headers list a government address. unless the email is coming from an external mail server; contain different domain names. With all of the above, the common This usually indicates that the requirement is that users should be both G to provide some form of digital headers have been faked. aware of and alert to what indicators signature, as per Public Key G The "Message-ID" header contains they should be looking out for. Infrastructure (PKI). This is the only real countermeasure, but even this a domain that differs from the If the sender desired further is not perfect; domain in the "From:" address. concealment, they could use an open However, this does not guarantee email relay server. These are poorly G authentication on the mail server that the email is spoofed. secured servers that allow anybody on (SMTP AUTH), which can provide G The domain in the first "Received:" the Internet to connect to them and assistance in tracking down internal header is different from that in the send email out. In this case, investigators staff who create spoofed email, as "From:" address. Again, this does examining the header of the email can the use of the IDENT protocol, not guarantee that the email is would only be able to trace back as far which may provide the username spoofed. as the open mail relay, and not to the of the sender. true originator. Various domain name checks, such as allowing the recipient server to check the existence of the source domain as Conclusion well as that of the recipient, can be The effects of email spoofing can be done, but this will depend on the limited by the appropriate configuration software being used. of email servers and improved user awareness of the problem. Currently, Sending spoof email is very simple... Once an email the only real countermeasure is the use of digitally signed messages that allow a has been received, there is likely to be little about it that recipient to authenticate the identity of the sender. immediately identifies it as spoofed. N.I.S.C.C. (http://www.niscc.gov.uk) into IT I 31 a state auditor's Vulnerability network security case Assessment becomes Incident Handling in study Kentucky's Transportation Cabinetet Abstract The Commonwealth of Kentucky's Auditor of Public Accounts began performing network vulnerability assessments in state agencies in June 2000. One such assessment performed in July 2003 revealed a significant, long- term intrusion during which hackers with French addresses broke into Kentucky's Transportation Cabinet network and used it to: G Store and distribute pirated recently-released movies, music CDs and DVDs, TV shows, and new computer games; G Post and distribute copyrighted French medical textbooks; G Host an Internet chat room. In addition, auditors found that Cabinet computers had been used to visit and view thousands of pornographic websites or images. Auditors provided detailed evidence of the intrusion and misuse to Transportation Cabinet officials and state and federal law enforcement, highlight- ing for network administrators seven Capitol Building, Frankfort security issues, to wit: G Persistent null passwords; The first vulnerability assessment performed by Kentucky's G Vulnerable administrative accounts; Auditor of Public Accounts tested the security of the G Compromised data; Commonwealth's accounting and reporting system in June 2000. G Password harvesting by hackers; Within minutes, auditors were able to gain administrator G Hacker-installed tools; control over 14 of 17 system servers. G Pirated copyrighted materials on servers; Thus began three years of random, surprise vulnerability tests G Widespread viewing of porno- in 16 state government cabinets and agencies. graphic sites by system users. 32 I into IT Auditors recommended a variety of assessments and publicized embarrass- to system weaknesses. As random measures designed to strengthen user ing findings to motivate government IT testing continued, however, frustrating passwords, fortify firewalls, remove managers to give network security the similarities emerged to reveal a compromised machines from the priority it must have. Experience shows government-wide inattention or indiffer- network, assume tainted application and that if you exclude the element of ence to network security. The Auditor data back-ups, rebuild compromised surprise and the specter of adverse of Public Accounts reluctantly concluded machines from the ground up, refer publicity, network insecurity may go that raising public interest in the subject forensic evidence to proper authorities, undetected and important findings may was essential to strengthening network notify business partners and the public, be unaddressed, leaving systems security in government, and the office and anticipate retaliatory attacks. unprotected. shifted toward making a public example of those agencies found to have Network security weaknesses threaten disturbing weaknesses. taxpayer dollars and facilitate identity theft. Three years of performing vul- Common among the findings of Common among the findings of the vul- nerability assessments leads Kentucky's the vulnerability assessments nerability assessments was an institu- Auditor of Public Accounts to conclude that (1) a universal formula such as was an institutional failure to tional failure to observe basic security principles. Perhaps the most basic ICAMP1 for quantifying the economic observe basic security security measure, the use of passwords, cost of insecure government networks was frequently ignored or ineffective. In must be adopted, (2) accountability for principles. Perhaps the most agency after agency, auditors found network security is largely absent in Kentucky state government agencies, basic security measure, the computers and servers with no password protection. Many administra- and (3) auditors must perform surprise use of passwords, was tor accounts were discovered to have vulnerability assessments and publicize their findings in order to have the frequently ignored or null or weak passwords. Another issue brought to light by the greatest impact upon network security. ineffective. vulnerability assessments is the widespread belief by state government The first vulnerability assessment Introduction performed by Kentucky's Auditor of employees that network security is a responsibility reserved for the highest Public Accounts tested the security of While auditors have performed level of administrators. There is a the Commonwealth's accounting and information systems audits for many mindset that network security is not a reporting system in June 2000. Within years, it was the Y2K alarum that fore- universal component in the job minutes, auditors were able to gain shadowed a more systematic, focused description of every network user. This administrator control over 14 of 17 inquiry on network security. Insecure rejection by network users of personal system servers. Following weeks of government networks place taxpayer accountability for security has been extensive consultations with network dollars at risk of cyber-theft and loss fostered by the tendency of state administrators, the assessment was re- through network downtime. They also performed in December 2000, revealing jeopardize the security of the unique identifiers like social security numbers a significant strengthening of system The failure to implement and other confidential financial security. internal controls is too costly Thus began three years of random, information of which government agencies are the repositories. surprise vulnerability tests in 16 state not to implement, as was Moreover, hackers may exploit insecure government cabinets and agencies. demonstrated in 1996 when the systems in the commission of other Each assessment produced both a crimes. Known variously as ethical written report of findings and recom- failure to properly employ and hacking, penetration testing, and vulner- ability assessments, the procedures mendations for agency managers and contributed to a rising sense of alarm at manage passwords allowed a applied by auditors at every level of the weak network security discovered five million dollar embezzle- throughout state government. During government have revealed alarming weaknesses, indifferent network the first two years, the Auditor of Public ment in the Kentucky Revenue managerial attitudes, and costly Accounts refrained from publicizing Cabinet. intrusions. Kentucky's Auditor of Public assessment findings so as not to Accounts has performed surprise imprudently alert opportunistic hackers 1 Incident Cost & Analysis Modeling Projects... www.cic.uiuc.edu/groups/ITSecurityWorkingGroup/archive/Report/ICAMP.shtml into IT I 33 government systems managers to seek rational explanations, and make excuses, The Kentucky Auditor of Public Accounts' vulnerability assessments Case Report for insecure systems. during the last three years included two The Kentucky Transportation Cabinet's highly publicized findings that resulted in system is a centrally managed, One such excuse refers to the the issuing of separate Auditor Alerts to enterprise class network, serving democratic, open culture of all state and local government agencies. thousands of users at hundreds of government. Government's information In one such assessment, a randomly remote sites, and interfaces with other systems are therefore logically open and tested surplus agency computer was state and federal networks. The system accessible. Polemics aside, it is disingen- found, without password protection, to is used to manage massive road con- uous to assert that prudent security contain in clear text significant struction and maintenance projects, measures should be compromised by components of Kentucky's STD and warehouse vehicle registration records, fidelity to open government and trans- AIDS database, including identities of and house the personal, confidential parency. those tested, their test results, and their information of licensees. It is directly Cost is the most frequently cited sexual partners. An Auditor Alert linked to the Commonwealth's impediment to network security, and to advising effective methods of scrubbing accounting and reporting system. The be sure, the latest architectural advance- the hard drives of surplus machines was Transportation Cabinet's system uses ments in network security may require issued. industry standard rather than significant investment. Unfortunately, proprietary hardware and software. In another assessment, a series of tight state budgets characteristically penetration tests was performed on As part of the audit of the leave few, if any, dollars for security. agency wireless networks by "war Commonwealth's Comprehensive Still, there are fundamental security driving." The ease of penetration led to Annual Financial Report, the Auditor of measures and attitudes absent from issuance of an Auditor Alert discussing the Public Accounts performed a risk Kentucky government agencies that special challenges posed to network assessment of the Transportation require few additional resources beyond security by wireless networks, including Cabinet's information system. This a commitment of reasonable diligence. the widespread failure of network assessment consisted of two activities: For example, the Auditor of Public administrators to enable the security scanning and enumeration. Accounts' work revealed a widespread components of such systems. One failure of agency administrators to timely During the scanning phase, auditors unexpected collateral finding of this apply free downloadable system used fscan.exe, nmap.exe, and work was the absence of an effective patches, resulting in significant, costly superscan.exe to identify potential vul- firewall separating Kentucky's state downtime when assorted viruses and nerabilities among the Transportation government network from the worms attacked. Furthermore, auditors computers and servers providing University of Kentucky's network. are quite accustomed to effectively exploitable services such as web, telnet, rebutting the argument that internal Tempered by this body of work, the and Microsoft shares. controls are too costly to implement. Auditor of Public Accounts undertook a The failure to implement internal vulnerability assessment of the controls is too costly not to implement, information systems in the Kentucky as was demonstrated in 1996 when the Transportation Cabinet in July 2003. failure to properly employ and manage passwords allowed a five million dollar embezzlement in the Kentucky Revenue Cabinet. Government managers seem surprisingly Auditor analysis... led to the discovery of a malicious, on-going intrusion. This oblivious to the cost of insecure discovery transformed the auditors' vulnerability assessment into an incident- networks. It has been difficult, handling project where criminal activity was observed….. therefore, to get their attention. System G Hacker installed applications and services operating in stealth mode; crashes, downtime, and labor-intensive G A list of cracked administrative passwords; triage for compromised networks take a verifiable and meaningful economic toll, G Gigabytes of data in daily transport; but network managers are often G Harmful software stored on the system, e.g., netcat for creating covert conflicted about revealing such problems and agency heads have no backdoors, pwdump for extracting passwords, regedit for altering a accepted formulae for calculating the system's registry, and prockill, for terminating procedures. losses. 34 I into IT G We wish you a pleasant stay on this pubstro; G Thank you has all those which make live the French scene. Among the hacker configuration files and logs, auditors observed 25 IP addresses of intruders. Using McAfee's neotrace program, auditors traced these addresses to their geographic points of origin in France, Croatia, and Canada. They also found that a remote Internet relay chat room was being controlled by eggdrop, a hacker program residing on a Transportation Cabinet server. This allowed the hackers to control admittance to the chat room and to exploit the anonymity it provided. Kentucky Senate Chamber Unrelated to the intrusion noted above, auditors discovered web proxy logs detailing the browsing habits of system During the enumeration phase, auditors prockill, for terminating users. A cursory examination of these used enum.exe, net.exe, and procedures. logs revealed that several hundred nbtdump.exe to analyze vulnerabilities computers were used to visit several Auditors acquired irrefutable evidence identified by the scans. This hundred unique, pornographic websites that these programs, and several others, enumeration highlighted (1) the in violation of the Commonwealth's had been used. They observed hackers existence of devices and user accounts acceptable use policies governing actively managing their ownership of the lacking passwords, (2) version numbers information technology systems. The system, and unauthorized persons of running programs, (3) user names and auditors chose to focus on pornographic uploading and downloading pirated groups, including assigned privileges, and site browsing because such sites are multimedia software. This material (4) unprotected Microsoft shares known to be a disproportionately large included (1) pirated new release movies, allowing privileged access to file systems source of malware, software intended music CDs, DVDs, TV shows, and new of many computers. to compromise a visitor's computer or computer games, and (2) newly Auditor analysis of one of the first vul- copyrighted French medical textbooks. system. Such attacks go largely nerabilities that came to light during unreported by victims because they are Included in the hacker configuration files enumeration led to the discovery of a self-incriminating. and documentation was the following malicious, on-going intrusion. This Later, more detailed analyses of the web statement, in clear text French. discovery transformed the auditors' vul- proxy logs indicated the intentional, Auditors used bablefish.altavista.com to nerability assessment into an incident- persistent browsing of websites produce the following translation: handling project where criminal activity displaying pornographic images of was observed. G This server was hacké by SuBy on children. Some 34 computers were request of a person. SuBy declines The following hacker exploits were found to have been used to search for any responsibility towards this observed: and access child pornographic material. person and could not be held for The findings were promptly referred to G Hacker installed applications and person in charge for though it is; state and federal law enforcement. services operating in stealth mode; G This server does not exist 2) all this For two weeks, auditors performed G A list of cracked administrative Of course is legal ;D 3) SuBy rox their scanning, observing, and evidence passwords; 4) racism No (ouai C rare I C ;p) 5) gathering undetected, even though no the 1337 are not authorized 6) the G Gigabytes of data in daily transport; attempt was made to mask the files are has an informative title ;D G activities. Harmful software stored on the 7) the hackers could not be held system, e.g., netcat for creating for persons in charge! 8) the files covert backdoors, pwdump for must be unobtrusive in the 24 extracting passwords, regedit for hours 9) §§§--- IT IS NECESSARY altering a system's registry, and TO OBSERVE the RULES ---§§§; into IT I 35 Conclusion adopted, (2) accountability for network security is largely absent in Kentucky The Auditor of Pubic Accounts found state government agencies, and (3) The Commonwealth of Kentucky Kentucky's Transportation Cabinet auditors must perform surprise vulnera- network to be inadequately protected bility assessments and publicize their Originally part of Virginia, the land that and unmonitored. While firewalls, findings in order to have the greatest is now Kentucky became Kentucky activity auditing software, content impact upon network security. County in 1776 and the fifteenth of the managing software, and intrusion Edward B. Hatchett, Jr., United States in 1792. The use of "com- detection systems were in place, none Auditor of Public Accounts, monwealth" doesn't have any particular was being used effectively, and some not Commonwealth of Kentucky significance, being a term commonly at all. used in the eighteenth century meaning http://www.kyauditor.net the same as "state". Auditors recommended a variety of e-mail to... ED.Hatchett@KYAuditor.net measures designed to recover from the Kentucky covers a land area of 40,395 malicious intrusion and establish effective B.J. Bellamy, SANS GSEC, GCIH, GCFA, square miles (104, 623 sq km) and has a defenses. The detailed findings of the Chief Information Officer population of just over 4 million people. vulnerability assessment and its accom- The State is divided into 120 counties, panying recommendations were com- its capital Frankfort being in Franklin municated to the Transportation Cabinet County. Kentucky's state constitution prior to public disclosure. The recom- was adopted in 1891. The Governor is mendations included: elected for a term of four years, the General Assembly, or legislature, is G Applying strong passwords; bicameral, with a senate of 38 members G Enabling and fortifying firewalls; and a house of representatives of 100 members. Kentucky is represented in G Removing compromised machines the U.S. Congress by six representatives from the network; and two senators, and has eight G Working from the assumption that electoral votes. application programs and data back- Within the Commonwealth's ups are tainted; Constitution, the role of the Auditor of G Rebuilding compromised machines Public Accounts is to ensure that public from the ground up; resources are protected, accurately G valued, properly accounted for, and Quarantine compromised machines effectively employed to raise the quality and make them available for of life of Kentuckians. Within the State forensic analysis; Audit Office, the Information G Notifying business partners and the Technology Branch audits government public; computer systems and the data they G generate. The branch also produces Anticipating retaliatory attacks; auditable information for financial and G Installing network sniffers to detect performance auditors by extracting, traffic to or from previously analysing, and reporting data derived identified hacker addresses. from agency computer systems. Network security weaknesses threaten Editor taxpayer dollars and facilitate identity theft. Three years of performing vulner- ability assessments leads Kentucky's Auditor of Public Accounts to conclude Kentucky Legislature Home Page….. that (1) a universal formula such as http://www.lrc.state.ky.us/home.htm Incident Cost and Analysis Modeling Projects, Kentucky Constitution…… (www.cic.uiuc.edu/groups/ITSecurityWo http://www.lrc.state.ky.us/Legresou/Consti rkingGroup/archive/Report/ICAMP .shtml) tu/intro.htm for quantifying the economic cost of Lincoln Statue, Capitol Rotunda. insecure government networks must be Abraham Lincoln was born in Hodgenville, Kentucky, and served as the 16th president of the United States. 36 I into IT Risk-based Sampling Using COBIT By Rune Johannessen CISA, CIA, Dip. Internal Audit In this article, I would like to share some useful experiences that I have gained in my work with the COBIT (Control Objectives for Information and related Technology) tool kit. The following is not intended to be a template for the execution of risk-based audits, but rather a tentative suggestion towards a possible audit method. M any public and private organi- Selection based on targets/processes/resources sations now use COBIT, and I PHASE 1 am fairly confident that anyone who has experience of the tool would confirm that it is highly compre- hensive and its use quite time consuming. This is often in stark contrast to our everyday situation, where time is a critical factor of which we often have too little to carry out the PHASE 2 Risk assessment of tasks that have been assigned to us. It is selected processes therefore important that within our given time frames we select the areas and processes that are most important and pose the highest risk, in order that we provide our client with maximum added value. In my opinion, COBIT does not provide clear guidelines on how to carry out an PHASE 3 overall (or "high level") audit risk IT audit assessment; in other words how to select the most important areas and/or Phase 1: Selection based on targets/processes/resources processes for auditing. I have therefore chosen to illustrate my solution with a This phase consists of deciding, at a general level, what to focus on, which may be a general model for carrying out the sample of domains, processes, IT resources and/or a sample of information criteria. auditing cycle. My method, which is On the basis of the selected priorities the auditor derives a list of processes that it based on qualitative assessments and might be relevant to examine in more depth. In the following example I have tried to allows considerable flexibility in relation illustrate this for the domain "Acquisitions and implementation", where the processes to the audit client, can be represented "Change management" and "Acquisition and maintenance of software" are identified as in graphical form thus: highly important to the audit client and are therefore selected as relevant to the audit. into IT I 37 Phase 2: Risk assessment of selected processes As a result of the selections made in Phase 1, the auditor now has a sample of processes that have been ascribed priorities. In the example above, AI2 and AI6 were identified as relevant within the domain "Acquisitions and implementation". As a result of restric- tions on time and resources, it is often necessary to further limit the amount of work. In Phase 2 the auditor again ascribes priorities to the processes selected in phase 1, and then selects those with the highest risk. I have tried to illustrate this in the following example, where the auditor completes the following form for each of the processes that were selected in Phase 1, in this case AI6: The table lists a number of control questions linked to each process - these have been derived from the points listed under the title "and takes into consider- ation" on the first page of each process1. On the basis of a sample, the auditor formulates some general control questions intended to give a 'feel' for the routines, documentation and processes in use in this area. The information required to answer the sample questions can be gathered through interviews and by observation of the routines in use. At this stage, the auditor does not make any comprehensive assessments of the content and quality The next step involves making an overall Scale Probability of the available material. assessment of the probability of there being errors, weaknesses or loopholes H It is regarded as highly probable The column for control routines should that this process will be in a process. This assessment will have be marked as documented, undocument- negatively affected by internal or as its starting point a preliminary review ed or don't know. The following criteria external events. of the process and, as appropriate, the may be used to answer the questions: auditors' own opinions. The auditor M It is regarded as possible that this should include internal and external process will be negatively Scale Control routines factors that can adversely affect the affected by internal or external Documented The audited entity has process. The results are presented in a events. a routine, process or matrix with the following scale: documentation that L It is not regarded as very deals with the matter. probable that this process will be negatively affected by internal or Undocumented The audited entity external events. does not have routines, processes or documentation that deal with the matter. 1 See full COBIT documentation set. This can be downloaded from... http://www.isaca.org/ 38 I into IT The next step is to assess the conse- Phase 3: IT audit quences of a negative incident. In addition to any monetary losses, factors An IT audit is then carried out on the processes that have been identified as having the such as reputation and working highest risk, using the COBIT "Audit Guidelines": environment should also be taken into consideration. IT process and audit questions Results of Recommendation Ref. Scale Consequence evaluation and testing H Negative internal or external AI6 Change management incidents are expected to have Has a method been Observation: We recommend… major consequences for the established for prioritisa- process. Method for changes… tion of change recom- M Negative internal or external mendations from users, There is no procedure incidents are expected to have and if so, is it being used? for sudden changes … medium consequences for the Have procedures been Etc. process. compiled for sudden Assessments: L Negative internal or external changes, and if so, are incidents are expected to have they being used? The methodology is minor consequences for the incomplete in terms of Is there a formal process. sudden changes… procedure for monitoring changes, and In this way, each process is subject to a if so, is it being used? risk assessment through probability and consequences being considered Are changes logged in a Conclusion: together. On the basis of how the way that shows whether process is rated in terms of risk (H high, they have been carried M medium, L low), a sample is selected out in a satisfactory way? The methodology is to be used in the following IT audit Etc. inadequate... phase. I hope that these observations and out using COBIT. I also hope that this suggestions will contribute to article will inspire others to share their development of a practical approach to experiences and describe their routines how a risk-based audit can be carried when using this tool. About the author Rune Johannessen is a Senior Audit Adviser at the Office of the Auditor General of Norway, where he is involved in both IT auditing and the development of methodology. Rune has 7 years experience in the field of internal auditing, financial auditing, IT auditing and quality assurance in IT projects. Before joining the Auditor General of Norway, he worked as a senior adviser for PricewaterhouseCoopers on quality assurance in system development projects and in IT security. Rune holds a bachelor of management degree from the Norwegian School of Management and a higher degree from the University of Oslo, and is certified CISA and CIA. into IT I 39 COBIT ability, compliance and reliability), as well Audit Guidelines: analyse, assess, as which IT resources (people, applica- interpret, react, implement. To achieve tions, technology, facilities and data) are your desired goals and objectives you important for the IT processes to fully must constantly and consistently audit support the business objective. your procedures. Audit Guidelines outlines and suggests actual activities to Management Guidelines: to ensure a be performed corresponding to each of successful enterprise, you must the 34 high-level IT control objectives, COBIT, developed by ISACA, is a effectively manage the union between while substantiating the risk of control generally applicable and accepted business processes and information objectives not being met. standard for good Information systems. The new Management Technology (IT) security and control Guidelines is composed of Maturity Implementation Tool Set: an practices that provides a reference Models, Critical Success Factors, Key Implementation Tool Set, which contains framework for management, users, and Goal Indicators and Key Performance Management Awareness and IT Control IS audit, control and security practition- Indicators. These Management Diagnostics, Implementation Guide, ers. Guidelines will help answer the questions frequently asked questions, case studies of immediate concern to all those who from organizations currently using COBIT comprises the following main have a stake in enterprise success. COBIT and slide presentations that can products: be used to introduce COBIT into organ- Detailed Control Objectives: the key Framework: a successful organisation is izations. The tool set is designed to to maintaining profitability in a techno- built on a solid framework of data and facilitate the implementation of COBIT, logically changing environment is how information. The Framework explains relate lessons learned from organiza- well you maintain control. COBIT's how IT processes deliver the tions that quickly and successfully Control Objectives provides the critical information that the business needs to applied COBIT in their work environ- insight needed to delineate a clear policy achieve its objectives. This delivery is ments and assist management in and good practice for IT controls. controlled through 34 high-level control choosing implementation options. Included are the statements of desired objectives, one for each IT process, results or purposes to be achieved by COBIT can be downloaded from... contained in the four domains. The implementing the 318 specific, detailed http://www.isaca.org Framework identifies which of the seven control objectives throughout the 34 information criteria (effectiveness, high-level control objectives. efficiency, confidentiality, integrity, avail- COBIT FAMILY OF PRODUCTS 40 I into IT Going electronic By Andrée Lavigne U sing information technologies issues deriving from the use of electronic and computer systems to gather, documents (e-documents) and and Caroline Émond process, transmit, maintain and signatures. present information is nothing new. What EAE is information created, transmitted, is new is an added dimension. In the past, processed, recorded, and/or maintained automation affected only some aspects of electronically that supports the content of information processing. T oday, the an audit report. The information can only development and convergence of IT and be accessed using proper equipment and the integration of information systems technologies such as a computer, allow for the seamless flow of software, printer, scanner, sensor or information. An integrated IS magnetic media. E-documents may take environment is a paperless environment such forms as text, images, audio or where information is exchanged without video. EAE includes accounting records, space constraints and transmitted from source documents and such vouchers as one application to another, one entity to electronic contracts, e-documents another, or one country to another via pertaining to billing, procurement and electronic networks. payment, electronic confirmations and all Paperless environments are other electronic data pertinent to the commonplace and in this context audit. auditors have to gather electronic EAE differs from traditional audit information as audit evidence. What is evidence in several respects. First, it electronic audit evidence (EAE)? What consists of information in a digital format are its attributes? How does it differ from whose logical structure is independent of traditional audit evidence? How does it the information. Second, the impact the audit approach? What are the information's origin, destination and sent risks and the controls that can be applied and received dates are not an integral to reduce them? These questions are part of the e-document, message or being addressed by a CICA study group, other information format. which, at the request of the Assurance Standards Board and Information The more integrated the IS, the more Technology Advisory Committee, is business transactions will be processed preparing a report on EAE issues. and documented solely by electronic means. Auditors are most likely to use EAE has an impact on the reliability of EAE in internal and external integrated IS evidence and professional competence, environments - for example in ERP knowledge of the entity's business, the systems, e-commerce or e-business envi- audit approach, detection of misstate- A study group ments and illegal acts and documentation ronments. Some risks inherent in these types of environments include the entity's of audit evidence. The report will set out examines the issues recommendations for assurance dependence on its own IS and on those of its partners and third-party service standards to provide guidance on these auditors face in issues and will deal with the risks of using providers, together with the risk of failure at each of these levels. Other risks are EAE, the controls and technologies that loss of integrity, non-authentication, gathering electronic may mitigate these risks, and the legal repudiation and violation of confidentiality of data, as well as loss of an adequate information as audit trail, and legal uncertainties. evidence and its impact on the audit. This article is reproduced by permission from CAmagazine, published by the Canadian Institute of Chartered Accountants, Toronto, Canada. into IT I 41 To assess the sufficiency and appropri- Paper versus electronic ateness of the EAE gathered to support the audit report, the auditor should Paper audit evidence Electronic audit evidence consider the specific risks associated Origin with the use of such evidence. These Proof of origin easily established Proof of origin difficult to establish solely by can't be assessed solely by reviewing the examining electronic information. It is documentary evidence, as is usually the determined using controls and security case with paper documents. A printout techniques that allow for authentication and of the electronic information, or non-repudiation. onscreen reading, is only one format. Alteration And it provides no indication of origin and authorization, nor does it ensure the Paper evidence difficult to alter without Alterations difficult, if not impossible, to integrity or completeness of the detection. detect solely by examining the electronic information. Auditors should ensure that information. Information integrity depends on controls and technologies to create, reliable controls and security techniques. process, transmit and maintain Approval electronic information are sufficient to Paper documents show proof of approval Approval difficult to establish solely by guarantee its reliability. The table below on their face. examining the electronic information. It is presents the criteria to assess the determined using controls and security reliability of electronic information as techniques. audit evidence. The importance of each Completeness criterion depends on the nature and origin of the electronic information and All relevant terms of a transaction Relevant terms often contained in several its intended use for audit purposes. In usually included in one same document. data files. addition to assessing reliability of audit Reading evidence, the auditor looks into the No equipment needed. Various technologies and equipment needed. availability of electronic evidence for Format audit purposes. Data confidentiality is Integral part of document. Separate from data and can be changed. also of interest to the auditor as a breach of confidentiality could represent Availability and accessibility a business risk that could impact the Not usually a constraint during the audit. Audit trail for electronic data may not be entity's financial position. available at the time of the audit and accessing the data may prove more difficult. The reliability of electronic information depends on the reliability of the IS and Signature supporting technologies. Where Simple matter to sign a paper document Appropriate technologies are required to significant information underlying one or and review the signature. issue a reliable electronic signature and more assertions in financial statements is review it. gathered, processed, recorded or maintained electronically, it may be Assessing reliability of electronic information as audit evidence impossible to reduce detection risk to an acceptable level by relying solely on Authentication The identity of the person or entity that created the information can be the application of substantive confirmed. procedures. In such cases, there is a high Integrity The completeness, accuracy, current nature and validity of the risk that misstatements in the electronic information. Integrity is the assurance that the information was information obtained as audit evidence validated and was not intentionally or accidentally altered or may not be detected. The auditor may destroyed when it was created, processed, transmitted, maintained need to adopt a combined approach and and/or archived. perform tests of controls to get Authorization The information was prepared, processed, amended, corrected, sent, appropriate audit evidence. received and accessed by persons entitled to do so or responsible for Because signing documents takes on a doing so. new dimension in an electronic Non-repudiation A party, person or entity having sent or received an information cannot environment, this issue needs to be deny having taken part in the exchange and repudiate the information examined closely. A signature primarily content. Depending on whether there is irrefutable proof of origin, functions as a symbol signifying the receipt or content of the electronic information, there is non- signer's intention and authenticating the repudiation of origin, non-repudiation of receipt or non-repudiation of document. A handwritten signature on a content. paper document is affixed by an identifi- The criteria could be used to assess the reliability of any documentary information, whether in paper able person and is intended to authenti- or electronic form. cate the intention inherent in the signed 42 I into IT document. In a virtual environment, the signer cannot be identified visually. That Reliability criteria for an electronic signature is why the signature has to be used to Authentication G identification of the signer confirm consent and to identify the G unique to the user signer. When a handwritten signature is G authentication of the signed document affixed on a paper document, it is "merged" so to speak with that Authorization G confirmation of consent; the mechanism for incorporating the document. Since electronic information signature is the sole responsibility of the signer can migrate easily from one medium to Integrity G confirmation of the integrity of the signed document another, the signature and the document Non-repudiation G confirmation of the link between the document and the signature are independent of one another. The G continuation of the link between the document and the signer signature has to be bound with a specific from the time of signing document and the document's integrity needs to be established. The objective is G if need be, confirmation of the origin and destination of the to reduce the legal uncertainty as to the document electronic signature's admissibility. Electronic signature is a generic term to to encrypt or decrypt data. One of the In cases where the admissibility of an e- describe a technology-neutral signature keys is kept secret by its holder, the document is questioned, it is up to the in electronic and binary form. It may other is freely available. The digital person wanting the document admitted take various forms and be created in signature is generated by calculating a to establish its integrity and authenticity. different ways. It may be created message digest and encrypting it with It is up to the court whether the without any controls (a name typed at the signer's private key. The message evidence is admissible. The best way for the end of a document); created using digest is a unique number calculated an entity to mitigate the legal risks non-cryptographic security techniques using a hashing algorithm. This is a associated with the admissibility of e- (password, PIN number, biometric ID, unique way to represent messages of documents and establish data integrity is digitized signature); or created using varying lengths in much smaller format. to institute and maintain reliable IS and cryptographic security techniques If only one character of the original use appropriate technologies. The (symmetric or secret key cryptography, message is changed, the message digest admissibility of an e-signature is also asymmetric or public key cryptography will be changed. If the value of the subject to certain conditions. The or a digital signature). message digest calculated on the technology must allow for the identifica- message received is identical to the tion of the signer, and the link between Relevant controls and technologies must original message, the authentication, the signature and the e-document must be used to obtain a reliable electronic non-repudiation and integrity of the be created in such a way that signature. Non-cryptographic security message are ensured. However, subsequent alterations of the document techniques, based on a shared secret, assurance as to the signer's identity can be detected. In addition, some help control authentication and authori- largely depends on the controls legislation sets out standards requiring zation of the electronic document and implemented to guarantee the security the use of certain technologies or the signature. However, these security of the signer's private key and on the application of specific procedures. methods have limitations. Shared-secret receiver's confidence that the identity authentication supposes that the parties Clearly, electronic information raises associated with the public key is have already exchanged information to important issues of interest to authentic. A public key infrastructure is a agree on the secret. Moreover, a secret management, which needs reliable solution that may ensure sound key is only effective if it hasn't been decision-making information, and management and provide assurance as forgotten or discovered. Non-crypto- auditors, who rely on this information to to the signer's identity. graphic security techniques offer no gather sufficient and appropriate audit security as to the non-repudiation, Much progress has been made to legally evidence to support the content of the integrity or confidentiality of e- recognize e-documents and signatures audit report. documents and signatures. as evidential matter. Ottawa and most Cryptographic security techniques, on the other hand, offer a secure way to provinces have passed e-commerce legislation and have amended evidence About the authors ensure the authentication, non- acts to recognize e-documents and Andrée Lavigne, CA, is a principal repudiation, integrity and / or confiden- signatures and establish admissibility in the CICA's Research Studies tiality. Non-cryptographic and criteria for this evidence. However, department. cryptographic security techniques are there is still some legal uncertainty about often used in tandem to deliver a high e-documents. Major ambiguities persist level of reliability. regarding jurisdiction and laws applicable Caroline Émond, CA, is partner in to cyber transactions. Some uncertainty global risk management services at Digital signatures are based on remains about admissibility conditions PricewaterhouseCoopers in asymmetric or public key cryptography. for e-documents and signatures under Montreal. This technique involves mathematically Canadian law. generating a related key pair and using it into IT I 43 The Audit Office of New South Wales: Auditing the implementation of To comply with the law on Freedom Of Information, agencies need to impose sound standards of information management. But as Stephen Horne explains, there are wider issues to consider, not least of which is whether decisions on information disclosure are taken objectively. What is FOI? Most democratic societies recognise The audit aimed to answer some basic questions... that Freedom of Information (FOI) is a fundamental element of government accountability. Opening government 1. Do agencies comply with the spirit of the Act? processes to scrutiny allows the public to question and better evaluate the 2. Do agencies help applicants with their requests? activities the Government carries out on their behalf. FOI legislation, introduced in New 3. Are fees and charges kept to a minimum? South Wales (NSW) in 19891, gave members of the public the legal right to 4. How thoroughly do agencies search for documents? access most information in most government agencies. They may: 5. Do agencies provide supporting reasons for their G obtain access to information held as records by State Government decisions? Agencies, a Government Minister, local government and other public 6. Do agencies meet the time requirements? bodies; G request amendments to records of a 7. Do agencies conduct reviews of decisions? personal nature that are inaccurate; and 1 More details... http://www.premiers.nsw.gov.au/NSWCommunity/FreedomOfInformation/ 44 I into IT A full copy of the Freedom of Information report, G appeal against a decision not to grant access to information or to amend on which this article is based, is available on the personal records. It follows that in order to comply with the Act, departments and agencies need to manage their information in a manner Auditor General's web site... that enables them to trace, recover, and reproduce the information requested http://www.audit.nsw.gov.au/repperf.htm within the Act's stipulated period (generally 21 days). Sound information In order to test key provisions of the Independent decision-making management is therefore essential. Act, we focused on requests in which access to non-personal information was We found that standard practice in the refused, granted in part, or subject to an MoT, and in about 25 per cent of the Background internal review. We selected FOI cases we reviewed in the Premier's Department, was to refer proposed requests for non-personal information Dealing with FOI requests can be because they were more likely to determinations to the chief executive difficult for agencies. They may believe involve policy-related information and (CEO) before they were finalised and that information they provide could be offer an insight to government decision- sent to the applicant. In DET, the taken 'out of context' and give an unfair making (most of the requests we records suggest that two draft determi- view of their operations. Releasing examined were made by media nations were discussed with the then information about sensitive decisions personnel or Members of Parliament). Minister's Office before being finalised. they have made may be embarrassing. We did not review the basis of these We have three concerns about the Senior staff may also be well aware that decisions, but whether the agencies had involvement of CEOs or Ministerial staff certain information they release could acted in accordance with the spirit of prior to a determination being made: be used in a political context and create FOI legislation; in particular, with Section difficulties for their Minister. G it opens the possibility for 5(3) the Act, which requires agencies to behave in a manner that furthers its perceptions of interference, even The FOI Act recognises that agencies objectives to ...facilitate and though this may not have been might be tempted to avoid these encourage, promptly and at the intended; potential difficulties, by using the discretions set out in the Act to limit the lowest reasonable cost, the disclosure G it may affect an agency's capacity to information released. This would of information [Section 5(3)(b) of the conduct an unbiased internal review, frustrate the spirit of the Act, so it Act]. as it must be undertaken by specifically requires agencies to apply We also focused on the agencies' someone who did not "deal with" FOI laws in a way that favours disclosure processes for handling requests; for the original application and who is of information. While this audit covered example, for providing assistance to not subordinate to the original only three agencies, we believe that the applicants, assessing costs, locating decision-maker; issues and recommendations relate to all documents, response times and making G it presents efficiency issues, as bodies that handle FOI requests decisions on access to information. agencies have tight timeframes to including Ministers, most NSW meet FOI requirements. government agencies, and local government. Audit Findings It may be necessary to contact the office of the CEO or the Minister to ascertain During the audit we identified a number the documents that exist and their Audit scope of concerns that we subsequently raised exemption status. This is not where our with the appropriate departments; these concern lies. We also recognise that it is Against this background, we reviewed are described in our full report, which is appropriate for CEOs and Ministers to the FOI arrangements within three available to download from the Auditor be informed of decisions. However, we government agencies2; we also General's web site. I would like to focus believe this is best done when the examined 84 FOI requests for non- on two of them; independence in applicant is advised of the determina- personal information. decision making, which goes to the tion. This process issue is an important heart of an equitable FOI process, and one in our view, is easily solved, and the important administrative role of FOI would resolve all of our concerns on this Coordinators. matter. 2 Ministry of Transport (MOT), Premier's Department,Department of Education and Training (DET) into IT I 45 At least half of the officers we have lapsed and no determination was applicant, search unit, any third party, interviewed in DET and MoT reported made. The other remained unchanged. and the decision-maker - and monitor that, at some stage, Ministerial staff or In this case, the CEO sought unsuccess- time limits. They must also be aware of senior departmental officers sought to fully to release more information than the Act's requirements, including any be involved in the review of determina- had been proposed. When we discussed new judgments made by the courts or tions or participate in the decision- these cases with him, he indicated that it the NSW Ombudsman. We found that making process. Sometimes they was his policy not to interfere. FOI Coordinators and their staff attributed this to particular individuals However, he believed there were supported the Act's objectives. A who misunderstood or were unaware special circumstances, and his concerns number of the issues raised above were of the provisions of the Act. Others were documented on file to ensure caused by factors outside their reported that the situation had transparency. In DET, agency records immediate control, for example dealing improved following a change in suggest that one draft determination with uncooperative or uninformed units managements' attitude or a more was altered following comments from elsewhere in the agency. centralised FOI process. staff of the then Minister. It is important that agencies ensure that In a small number of the cases we all staff, not just those directly involved examined, involvement of this nature affected the outcome of the determina- The Role of FOI staff in processing requests, are aware of the Act's aims and key provisions. FOI tion. The CEO of the former MoT FOI Coordinators play an important Coordinators should be at a relatively suggested that proposed determinations role in ensuring agencies comply with senior level in the agency with authority for two requests be revised or altered. the spirit of the Act. They manage all to administer FOI arrangements as Subsequently, one matter appeared to the stakeholders in the process - the required. 46 I into IT Conclusion Overall, we found that FOI All agencies that handle FOI requests should... Coordinators and their staff supported the legislation, but the agencies examined can do considerably more to Assist applicants: G ensure that decisions on access to information are made independent achieve the intentions of the Act. G clarify the scope of FOI requests at of any undue influence; the earliest opportunity, particularly G ensure that all staff are aware of the On the positive side, each agency had for large and complex applications; purpose and key provisions of the made a number of changes to improve the effectiveness of their processes for G provide applicants with information Act; handling FOI requests. In most cases, on the FOI process and the status of G ensure that staff involved in the FOI they did not charge processing fees, but their request. process have full authority to make if charged the fees were reasonable. decisions as required under the Act. However, we believe that further improvements should be made to Fees and charges: address the following issues: G ensure that fees and charges are Internal reviews: G processing fees being charged in applied consistently. G ensure internal reviews are some cases and not others even conducted by someone other than, and more senior to, the original though a similar amount of work had been undertaken; Searching for documents: decision maker, as required by the G conduct thorough and complete Act; G little documented evidence of the extent of searching which had been searches for documents; G introduce formal systems for undertaken to locate documents, G document the types of searches reviewing the outcomes of internal making subsequent reviews more undertaken to locate information; and external reviews of FOI deter- difficult; minations. G ensure that adequate records G supporting reasons for refusing management systems are in place to access to information not always facilitate document searches. FOI laws: being provided to applicants; G Any review of FOI legislation in NSW involvement of CEOs or Ministerial staff prior to some determinations Making decisions on should consider: being finalised, which opens the access: G the value of Statements of Affairs and possibility for perceptions of inter- Summaries of Affairs, and whether ference and may affect an agency's G document the decision-making they serve their intended purpose; capacity to conduct an unbiased process, including all deliberations G extending timeframes when internal review; and viewpoints considered; consulting the applicant or handling G no routine or formal analysis of G provide supporting reasons for large multi-faceted requests. reviews of decisions to determine refusing access to information; whether changes in practice are required; G identify all relevant documents to the applicant; Review mechanism: G timeframes not being achieved. The Government should consider G advise all applicants of their right to DET advised us that prior to the audit it appeal. introducing a review mechanism that had been reviewing its FOI routinely oversees FOI arrangements in performance and was implementing a NSW government agencies. number of reforms (developed in con- Independent sultation with the NSW Ombudsman) to improve the effectiveness of its FOI decision-making: process. The Premier's Department G inform CEOs of the outcome of and the MoT already have, or plan to decisions in parallel with, rather than change various processes to address prior to, issuing the determination to the issues we raised. applicants; into IT I 47 About the author Stephen Horne is a Director in the Performance Audit Branch of the Audit Office of New South Wales. He has twenty-five years' experience in a range of organisations in the NSW public sector, and is a recognised authority in the fields of e-government; corporate governance; fraud control strategies; corruption prevention, and performance reporting. Stephen has also contributed widely to public sector improvement in a variety of capacities, including responsibility for over forty major performance audits. Stephen Horne, B.Bus (Distinction) UTS, FIIA. E-mail... email@example.com Website... http://www.audit.nsw.gov.au About Us The New South Wales investigates allegations of serious Empathy – be understanding of others. Auditor-General... and substantial waste of public Customer Focus – be courteous, profes- money sional and add value. helps the New South Wales determines whether an agency or Continuous Improvement – listen, think, Parliament hold Government government activity is achieving what it challenge and work smarter. accountable for its use of public set out to do, economically, efficiently resources; is independent of and according to the law has 205 Clients... Government and reports directly to the employees. our clients are the Parliament of NSW, Parliament; operates under the Public the Government and its agencies, and Finance and Audit Act 1983. Vision... ultimately the public of NSW. The Audit Office... to be recognised as a centre of excellence in auditing. supports the Auditor-General in his Scissors used to open the Sydney Mission... work; reviews more than 400 New Harbour Brodge in 1932, to assist Parliament to improve the South Wales government agencies NSW Parliament House accountability and performance of the to: State. G give Parliament reasonable Values... certainty that agencies’ financial Independence – work without fear or reports are prepared correctly; favour. G confirm that agencies adhere to Equity – be fair, just and impartial. specific laws, regulations and Integrity – be open, honest and reliable. Government directions. Sydney Harbour Bridge 48 I into IT Dig the "To fail to plan, is to plan to fail". IEEE 829 is arguably still the most used software testing standard." "Why standards? The use of measurable?) gains while not adding dis- IEEE 829 is often thought of as being the standards simplifies communication, proportionate overheads. I once standard for a "High Level Test Plan" or promotes consistency and worked for a large organisation that had "Master Test Plan" (HLTP or MTP). It is uniformity, and eliminates the need an internal (and mandatory) standard for more than this, as the standard to invent yet another (often almost all documents. It was such that describes eight documents that can be different and even incompatible) its use transformed a document of 200 produced as part of the testing effort. solution to the same problem. real words into 18 pages after all the These documents are sometimes Standards, whether 'official' or necessary parts ('glossary', 'associated distributed between different categories merely agreed upon, are especially documents', etc) were added. Perhaps and although there is no consensus on important when we're talking to this was counterproductive and the subdivisions, I find the following par- customers and suppliers, but it's unnecessary. titioning helpful: easy to underestimate their G Test Planning importance when dealing with different departments and An overview of IEEE 829 Test Plan disciplines within our own organisa- G There have been diverse document Test Specification tion. They also provide vital types used in software testing, Test design specification continuity so that we are not developed in many cases for the needs forever reinventing the wheel. They Test case specification of a particular organisation. IEEE 829 are a way of preserving proven (1983) - the Standard for Software Test procedure specification practices above and beyond the Test Documentation - was an attempt inevitable staff changes within G Test Reporting to pull sources together and present organisations." [Ed Kit - Software some best practice ideas. The standard Test Item transmittal report Testing in the Real World] was revisited and revised in 1998. Please That paragraph neatly and (quite) note that the standard applies to any Test log succinctly describes why standards exist. level of testing that may take place, Test incident summary But how does that affect testing practi- including acceptance testing, although its tioners who live, as in the title of Ed Kit's application in agile development Test summary book, in the real world? methodologies may be less obvious. It is Most of these eight document types are Anything that promotes better project usual to have 'a full set' of IEEE 829 well known, but figure 1 (opposite) communication has to be good for documents for each testing stage that is provides a very brief summary. testers. Standards have, therefore, to be to be undertaken. effective and produce recognisable (and into IT I 49 Test planning revisited It is worth noting at this point that the standard lists as 'deliverables' the seven it is unnecessary to obtain individual and departmental sign-off; sign-off is Test planning is a key activity in any other document types that perform part achieved based on what is known at the software testing project and for that of the standard. Some organisations add time. In one organisation, sign-off is reason many would associate IEEE 829 to this basic list by including key items achieved by stating that unless this is only with test planning. The standard such as 'glossary' and 'references' to received by a specified (and realistic) defines 16 items that should be other documents. I usually keep MTP date, it will be assumed. It is remarkable , considered for an MTP including the key documents from previous projects and how that concentrates the minds of activities of estimation ('schedule' is one for projects that I worked on for other those concerned! of the 16) and risk, both of which are organisations, so that I can look back Two areas that indicate the dynamic large topics in their own right. and see what specific details were nature of the MTP concern schedules included. The 16 are given below for complete- and risks. During the testing phase, good ness together with a well-known news and bad news can act to change mnemonic (SPACEDIRT) for MTP is a LIVING document priorities. Does this mean that the original MTP was wrong? No; the MTP remembering the list; more detail on each can be found in textbooks and on This document specifies what is going to is what its name suggests, just a plan. At web sites that deal with this subject: be done and how it is going to be done. the time, it was based on the best It needs to be published, to appropriate available information, incomplete though S Scope test items, what to people, to make others aware of what is this was. Information will improve as test, what not to test - and what is not - going to be tested. testing progresses; for example, what P People training, responsibili- However, don't wait for everything to was once a critical risk might now have ties, schedule be completed before the document is been addressed (e.g. by third-party circulated for comment and/or review. security testing). The risk is now A Approach the approach that will answered and will possibly require no The MTP will change during the life of be taken to testing further action. the project, but this does not mean that C Criteria entry/exit criteria, suspension/resumptio n criteria Figure 1 The eight parts E Environment test environment Test Plan A high level view of how testing will proceed; WHAT is to be needs tested, by WHOM, HOW, in what TIME frame, to what D Deliverables what is being QUALITY level. delivered as part of Test Design Spec Details the test conditions to be exercised, with the expected the test process outcome (in general terms). I Incidentals introduction, Test Case Spec Specific data requirements to run tests, based upon the test identification (of the conditions identified. document), approval Test Procedure Spec Describes how the tester will physically run the test, authorities including set up procedures. The standard defines ten R Risks risks and procedure steps that may be applied when running a test. contingencies Test Item Transmittal The recording of when individual items to be tested have been passed from one stage of testing to another. This T Tasks the test tasks that are includes where to find such items, what is new about them, involved in the testing and is in effect a warranty of 'fit for test'. process. Test Log Details of what tests were run, by whom, and whether individual tests passed or failed. Test Incident Summary Details of instances where a test 'failed' for a specific reason. Test Summary The Test Summary brings together all pertinent information about the testing, including the number of incidents raised and outstanding, and crucially an assessment about the quality of the system. Also recorded for use in future project planning is details of what was done, and how long it took. This document is important in deciding whether the quality of the system is good enough to allow it to proceed to another stage. This assessment is based upon detailed information that was documented in the Test Plan. 50 I into IT Figure 2 Relationship to other standards Where to learn more These are some of the other standards that may be referred to when documenting Template - Test Plan Template, based according to IEEE 829: on IEEE 829: Systeme Evolutif web-site: IEEE 1008 - Standard for Unit testing http://www.evolutif.co.uk/ tkb/guidelines/ieee829/) IEEE 1028 - Standard for Software Reviews IEEE 1044 - Standard Classification for Software Anomalies also... IEEE 1044-1 - Guide to Classification for Software Anomalies http://www.cs.swt.edu/~donshafer/proj BSS 7925-1 - Vocabulary of Terms in Software Testing ect_documents/test_plan_template.html BSS 7925-2 - Standard for Software Component Testing Sample - SAMPLE Test Plan, again based on IEEE 829: Systeme Evolutif web-site: http://www.evolutif.co.uk/tkb/ guidelines/ieee829/ and then select Review the document scriptive feature is to use of the 16 point "check-list". It is perfectly OK to exclude Sample MTP The MTP needs to be reviewed, with one of the 16 points, so long as the Worked example - reviews taking place face-to-face. If it is reasons for excluding it are listed and contentious, points of conflict need to agreed by the MTP's reviewers. The http://www.luckydogarts.com/dm158/d be talked through. The MTP is not MTP also includes risks and ocs/System_Test_Plan.doc solely "owned" by the testing team(s); assumptions; sometimes the explicit See also - developments groups and users can statement of a risk or assumption contribute significantly to its clarification promotes lively discussion, and even http://www.google.com and search for and suggest other items to be added. resolution! "IEEE 829" What is and what is not to be tested, All the web sites above were returned are two key elements in the MTP In. Conclusion from a 'Google' search. The author has no commercial or other interest in these October 2002, I worked on a project where testing was, as always, pushed for As a standard, IEEE 829 is not so much particular sites. time. The MTP specified that significant about how to test, but how to testing would concentrate on the retail system with respect to '53-week year' document that you have tested, and there is interplay between it and other About the author processing (2002 - 2003 was a 53-week of the project's standards and Peter Morgan is a senior practition- year). The development team failed to documents. er with e-testing Consultancy realise the significance of 53-week years, Ltd, a UK-based company that Adherence to IEEE 829 is no guarantee specialises in training in software but the mere insertion of the testing that the testing project will be intention resulted in better code testing and in consultancy. The successful. It should not be used blindly Company provides entry level (development extended unit test as a standard, but appropriately. Testing coverage, found some problems and training leading to the internationally is a service that adds nothing to the recognised ISEB Foundation implemented fixes). project team's output; a tester does not Certificate in Software Testing, It is usual for the detail listed in the MTP make better software (and testers details of which can be found at the to be used as a basis for deciding should not be allowed to alter code). British Computer Society web site - whether the software under test is We therefore need to slay the myth of http://www1.bcs.org.uk/ under suitable for the next stage of testing, "documentation for documentation's ISEB, Qualifications, Software deployment to production, etc. Thus, sake" and ask ourselves "does the output Testing. key individuals need to see and agree enable the test and/or development this detail before the crunch implemen- teams to do a better job; or help them Peter's testing assignments have tation meeting! to present the information found during included large-scale UK government testing in a clearer way; or demonstrate infrastructure projects. He can be to an outside agency (e.g. the auditors) contacted by e-mail at Facing Reality that testing has been properly planned PMorgan@etesting.com and further and completed? details of the company can be found The MTP is one place where testing at http://www.etesting.com. comes face-to-face with reality. Merely incorporating IEEE 829 will not make a success of a project. It can, This article first appeared in edition The MTP is not free-standing, but fits however, help to make a success by 16 of Professional Tester into the overall Test Strategy. In some providing guidelines and pointing the (http://www.professionaltester.com) ways, it is not a prescriptive approach, way to better understanding and to and is reproduced with the Editor's but a checklist to remind those better documentation. kind permission. responsible what should be considered . for inclusion in the MTP Its only pre- into IT I 51 GAO Working with Congress to Improve the Information Technology Acquisition Processes Without properly functioning hardware and software, the US Army's "Future Combat Systems" will be no more than a bunch of dumb boxes that sit and collect dust on the battlefield. Madhav Panwar and Lisa Marine Corp's V-22 - Pracchia of the General Accounting Office explains why Software Intensive Weapon System Congress now places heavy emphasis - backed up by In a 1998 CrossTalk article, Capers Jones of Software Productivity Research, legislation - on the process for acquiring high quality Inc. defined a major DOD system as having 12.5 million C Statements and a development team numbered in the computer hardware and software for military use. hundreds. A lack of mature development processes and communi- cations were R ecent military operations around Software enables a myriad of complex known to the world demonstrate the capabilities ranging from massive data pose superiority of US weapon fusion across geographically disparate problems on systems developed by the Department large-scale sensor systems; to decision such large of Defense (DOD). Furthermore, an systems that automatically select the development efforts. ever increasing percentage of a weapons most appropriate weapon and platform Configuration control system's functionality is provided by ever to attack a given target; and on to and change more sophisticated and complex autonomous systems that operate management were poorly software. While DOD has risen to the without human intervention to destroy implemented, and documentation and challenge, cost overruns and unsatisfac- incoming missiles. Software will create software rework absorbed the bulk of tory performance have led the General the network-centric operation, the development costs. Partly as a result of Accounting Office (GAO) to designate cornerstone of DOD's transformation. these weaknesses, Jones estimated that DOD systems development and mod- Other risk factors include the long- the probability of a major software- ernization efforts a high-risk area. standing "cultural" issues highlighted in intensive development project being Significant risk factors include the earlier GAO reports. Two of these terminated were as high as 65%. enormous size and complexity of the remain relevant; the acquisition In contrast, today's jointly-developed software used by these systems. community's bias towards hardware and large weapons systems, some of which Furthermore, most DOD acquisition their attention to critical software issues form an integrated set of systems organizations (i.e., the program offices too late in the acquisition process. (sometimes called "system of systems"), tasked with defining, developing and Typically, program managers do not are even larger, with software fielding weapons systems) lack both provide adequate oversight of the distributed among many subsidiary disciplined processes for managing software phase of an acquisition, relying systems. software-intensive system acquisitions, instead on contractors to manage and the contractors who develop the IT themselves. While the Software An example is the Army's Future Combat systems and software embedded in the Engineering Institute (SEI)1 has provided Systems (FCS)2, a joint Army/Defense weapons. As one Congressional source software developers with various Advanced Research Projects Agency3 aptly described the acquisition of US process improvement models, it is program. The Army's vision is for FCS weapons systems, "It's not about bending generally accepted that if the acquisition to create an integrated "battlespace", metal any more, it's about routing organization is at a low process maturity, where networked information and com- electrons." then the entire program is at risk. munications systems provide a 1 Carnegie Mellon Software Engineering Institute... http://www.sei.cmu.edu/ 2 For more details see... http://www.darpa.mil/tto/PROGRAMS/fcs.html 3 DARPA is at... http://www.darpa.mil 52 I into IT Mature processes are essential for 1995, reduced rework costs from about ensuring that (a) the requirements are 40 percent to about 10 percent of total objectively defined, (b) the right project cost, increased staff productivity management discipline is applied to by 170 percent and reduced defects by contract management, and (c) that the about 75 percent. SEI also reported that software development environment is over an eight year period, a software equally transparent to developer and development contractor had reduced customer. Other tools, such as Earned average estimated schedule deviation Value analysis, will need to be used to from 112 percent to 5 percent, and ensure that the system functions as estimated cost deviation from 87 intended, and that major problems and percent to minus 4 percent. errors are caught well in advance of By 2001, software development units operational testing. within DOD were also showing results from their improvement programs. competitive edge to soldiers in the field and to commanders in the control The History According to one GAO report, each DOD unit with a software process room. At this early stage in the definition improvement (SPI) program reported of requirements, one would be hard Software Development Process positive results on software/systems pressed to estimate the numbers of FCS Improvement quality. For example, the Defense developers in a program in which the In the late 1980s, software developers Finance and Accounting Service extended team consists of one prime began to invest in process improvement reported that its SPI program had contractor, eight major subcontractors by adopting best practice models. Many reduced the overall cost to deliver and 55 other companies under contract. public and private organizations based software by about one-third over According to Congressional sources, their improvement programs on the comparable organizations; a Navy "The FCS is estimated at 32 million total SEI's "Software Capability Maturity software activity reported reduced costs Source Lines Of Code". However, the Model" (SW-CMM)4. Adoption was and improved product quality, and actual number is likely to be far greater, slow at first, but by the mid-90s, achieved a 7:1 return on its SPI for past experience with software companies with improvement programs investment; and an Army activity estimation has shown that we both were showing results. For example, SEI reported that improvements derived underestimate size, and add functionality reported that a major defense from its SPI program had enabled it to as development progresses. contractor who implemented a process almost double its productivity in writing Fielding FCS successfully will require a improvement program in 1988 had, by software for new systems. highly mature acquisition organization, and more mature development and testing approaches than those used in the past on the development of smaller systems. In particular, greater effort will need to be spent on improving processes for managing changes to requirements and for ensuring that information is shared among all stake- holders. Furthermore, program managers will need to exert far greater influence on IT-related issues and obtain more objective "Earned Value" data from contractors. Without properly functioning hardware and software, FCS will be no more than a bunch of "dumb boxes" that sit and collect dust on the battlefield. 4 For SW CMM see…. http://www.sei.cmu.edu/cmm/ into IT I 53 Software Acquisition containing the necessary policy guidance. The author believes that established software acquisition processes and requirements. Process Improvement subsequent DOD inaction in response Section 804 also requires the Assistant to GAO-01-116 played a pivotal role in Many defense and civilian contractors Secretary of Defense for Command, Congress legislating for software who develop software-intensive systems Control, Communications, and acquisition process improvement. have made performance gains through Intelligence (in consultation with the SPI, but those who acquire the same On 2 December 2002, Section 804 of Under Secretary of Defense for systems have lagged behind. Defense Authorization Act of Fiscal Year Acquisition, Technology, and Logistics) Problems occur in situations where low 2003 (or simply "Section 804") was to: process-maturity acquirers contract for enacted. The report accompanying their G Provide applicable improvement software from high process-maturity version of the Defense Authorization for program administration and developers. Matt Fischer, one of the Fiscal Year 2003 spelled out clearly the compliance guidance, and to ensure authors of the SA-CMM, uses this chart Senate's concern about the negative that secretaries of the departments to explain why acquirers must also impact of longstanding software and agencies comply with that improve their process for managing problems on major defense acquisition guidance. software contracts. programs. The Senate stated that Section 804 is designed to implement G Assist departments and agencies For example, acquirers may try to the recommendations set out in GAO with their respective improvement circumvent development and 01-116. programs by ensuring that they use management processes because they applicable source selection criteria feel that following them adversely affects and also have access to a clearing- their ability to meet their goal. "Process Section 804: The Law house for best practice information avoidance" by the acquirer can result in on software development and rework, additional delays, and unexe- Section 804 mandates the improvement acquisition in both the public and cutable cost and schedule quotes; had it of DOD's software acquisition private sectors. been followed, this is exactly what the processes. This legislation directly process was designed to avoid. instructs the secretaries of each military Other problems can occur at the end of department and the heads of relevant Congressional Intent defense agencies to establish software the development process. Where cost acquisition process improvement "Anyone looking at the past Congressional and delivery schedules become more programs - an apparent message of actions and listening to the frustration important to the acquirer than the frustration with the way software expressed in Congressional Hearings will developer's obligation to meet their exit improvement has been handled in the find the fundamental improvements criteria for delivering a quality product, past. mandated in Section 804 come as no the result can be software that contains surprise. The only surprise is that Congress avoidable defects. GAO reviews of Software acquisition process has been as patient as they have been. major weapons systems have uncovered improvement program requirements Now, Congressional patience seems to be consistent problems - such as cost include: turning to impatience; an impatience to increases, schedule delays and G A documented process for software see significant improvement in fixing our performance shortfalls - for which the acquisition planning; requirements perennial problems with cost, schedule, underlying causes include pressure on development and management; and performance - and in addressing the program managers to promise more project management and oversight; underlying drivers that are causing these than they can deliver. and risk management. problems."6 The GAO have recommended5 estab- G Efforts to develop appropriate Congressional sources affirm that "DOD lishing and implementing a DOD-wide metrics for performance is going to have to pay attention from the SPI program based on accepted best measurement and continual process ground up, in other words, at the program practice improvement models. In improvement. manager level, or programs will continue response, DOD tasked two working to get tanked. Congress will remain G A process to ensure that key groups within the Office of the interested and we're not going to let this Secretary of Defense to develop a plan program personnel have an go until DOD significantly improves how it for implementing DOD-wide SPI and to appropriate level of experience or acquires software-intensive systems. The establish a means of sharing SPI lessons training in software acquisition. only way it's going to get fixed is by people and best practice knowledge throughout G A process to ensure that each on the inside - it simply makes no sense DOD. DOD also pointed to a recent military department and defense on any level to continue ignoring it." revision of their regulation 5000.2-R as agency implements and adheres to 5 See report GAO-01-116 (DOD Information Technology: Software and Systems Process Improvement Programs Vary in Use of Best Practices), published in March 2001. 6 Norm Brown, Founder and Former Director of the Software Program Managers Network, and Navy Department Member of the 2000 Defense Science Board Task Force on Defense Software. 54 I into IT DOD Response and Implementation Guideline Highlights of Recent GAO Reports Relating to On 21 March 2003, DOD issued a memorandum to provide the uniform Acquisition Process Improvement implementation guidance that Section GAO report GAO-01-116 (http://www.gao.gov/new.items/d01116.pdf): 804 requires. This memorandum identifies applicability, delineated organi- G Compared and contrasted DOD software and systems engineering zational roles and responsibilities for practices with leading best practices. overseeing implementation, and clarifies G Recommended issuing a DOD-wide policy implementing SPI for software- initial expectations for DOD intensive systems based on SEI best practice improvement models; Component process improvement developing a program to gage compliance to that policy; and developing a programs. It also instructed military means of sharing SPI lessons learned throughout the DOD. departments and those defense agencies that manage major defense acquisition GAO report GAO-02-9 (http://www.gao.gov/new.items/d029.pdf): programs to establish software G Reviewed the quality of the Defense Logistics Agency's processes, its acquisition process improvement application of best practices and opportunities to improve. programs. Requirements for these G Recommended issuing a DLA-wide policy requiring software-intensive programs included defining and applying measures; following applicable methods acquisition projects - both the acquirers and contract developers - based on some structured approach that to achieve a specific level of process maturity based on a combination includes an appraisal method; and of SEI improvement models; and to establish/sustain a software process determining and reporting the status of improvement program. process adherence and performance GAO report GAO-02-701 (http://www.gao.gov/new.items/d02701.pdf): effectiveness. G Assessed the impact of design and manufacturing knowledge on DOD The DOD memorandum also gives the program outcomes, compared best practices to those used by DOD, and Office of the Secretary of Defense analyzed current weapons system acquisition guidance for application of Software Intensive Systems Steering best practices to obtain better program outcomes. Group the role of leading a DOD-wide G Recommended taking steps to close the gaps between the current DOD effort to improve software acquisition processes. This role entails providing acquisition environment and best practices; ensuring that its acquisition program guidance; identifying best processes capture specific design and manufacturing knowledge at key practices; establishing a clearinghouse of junctures; and providing incentives to use knowledge-based processes. information regarding best practices and GAO report GAO-03-476 (http://www.gao.gov/new.items/d03476.pdf): lessons learned in software development G Provided an independent, knowledge-based assessment of 26 major and acquisition; and providing guidance for documenting, performing, and con- defense acquisition programs to gauge projected attainment of program tinuously improving a minimum of eight goals relative to best practices. specific software acquisition processes. G Observed that when programs proceed with less knowledge than suggested by best practices, cost, schedule and performance problems often result; to varying degrees all programs assessed proceeded with Conclusions inadequate knowledge at key junctures and suffered negative consequences. Section 804's mandate for DOD software acquisition process improvement programs is here to stay. It is not one-time legislation with little or no follow-up, but the result of a consistent, well documented and growing need. Congressional sources are already considering actively identifying certain key programs for greater scrutiny to see if they have improvement model is used as a road map improved, it is imperative that DOD adequately implemented the legislation's to achieve the mandated requirements." program managers understand that their requirements. According to GAO Given that the GAO and Congress both efforts will be measured against Section sources, "the outcome is what's feel that the acquisition of systems with 804 requirements. important, and not which best practice major software components needs to be Madhav S. Panwar and Lisa Pracchia into IT I 55 A chilling thought! "There was of course no way of knowing whether you were being watched at any given moment." George Orwell, "1984" Author and wit Quentin Crisp described some days later, Jean announced that casks of various comestibles that euphemisms as "unpleasant truths she was to start work as a "console together gave rise to the characteristic wearing diplomatic cologne"; and on operator". and unforgettable grocery store aroma1. matters concerning cologne, Quentin Gone is the marble-topped counter Console operator? Perhaps I've been was a force to be reckoned with. resplendent with bacon slicer, coffee around IT for too long, for the vision grinder and brass weighing scales, My daughter's social security number that flashed through my mind on hearing crowned by a cash register exhibiting recently dropped through our letterbox, this news was one of watchful similar architectural lines to the Bank of a gentle reminder from the State that technicians confronting a bank of England. Gone also is the apron-clad time had come to commence a lifetime's message-laden screens on the proprietor who, much to my dismay, toil. Although several years of study lie operations bridge of some Big Blue always had time to update my mother ahead, the college vacations now offer installation. Alas, not so. Just as the Head on all the local gossip, and in full and the opportunity - so Jean informed us - Programmer of old has transformed into complete detail! These changes owe to supplement the pittance paid her by the service provider's Chief Software much to Piggly Wiggly.2 her miserly parents. This was excellent Architect; Learning Solution Consultants news indeed, for my daughter has have displaced Trainers; and Public developed a remarkable talent for outlay Relations Officers now style themselves and it was heartening to see her Media Outreach Coordinators, I guess become immersed in the Situations that I shouldn't be surprised to find our Vacant columns of our local rag. Having local supermarket's checkout girls also learned not to play with fire I didn't wearing a discrete splash of diplomatic enquire too closely about her intentions, cologne. After all, when properly but it came as quite a surprise when, considered, "console operator" isn't an entirely misleading description of their role, for what are the innocuous looking The bar code... point-of-sales terminals they attend but consoles, optimised to pour an endless ...a method of automatic identifica- stream of purchase data (yes, even my tion that allows information to be one-horse town has 24 x 7 shopping) Piggly Wiggly® captured quickly and accurately by into the company's ever-churning accounting, supply chain and data mining Piggly Wiggly was the creation of a computer. A bar code symbol Clarence Saunders, an American, who systems? consists of a series of bars and to the grocery trade was what Charles Supermarket retailing has moved a Babbage was to computing, a creative spaces of various thicknesses. world apart from the high street grocery genius with ambition. Whereas These are broken down into groups stores of my youth. Refrigeration and Babbage’s mission was to enhance the of bar/space patterns that represent sleek vacuum packaging have put paid to quality of mathematical tables, Saunders’ human readable characters. the suspended sides of ham and bacon, strove to improve shopping for the whole cheeses, and the sacks and customer and grocer alike. Despite his 1 Visitors to London can still sample that aroma in the Food Hall at Harrods. Well worth a visit. 2 Piggly Wiggly... http://www.pigglywiggly.com/ 56 I into IT later attempts at automation being, like checkout, the customer's tape was run coded to aide identification and tracking. those of Babbage, for another age, through a reader to produce the bill, NASA relies on bar codes to monitor Saunders introduced many successful their groceries being assembled, boxed the thousands of heat tiles that need and startlingly simple innovations, and waiting for collection. No need for replacing after every space shuttle trip. including that which underpins the shopping trolleys while there were Researchers have even placed tiny bar supermarket concept, "self-service". savings in space, in the labour needed to codes on individual bees to track their stock the shelves and in the time mating habits. The ubiquitous bar code In grocery stores of the time, shoppers customers spent queuing at the is truly an icon for today. presented their orders over the counter checkout. Alas, the machinery proved to sales assistants, who then gathered The story began in 1948. A student at unreliable, particularly at busy times and the groceries from the store's shelves. the Drexel Institute of Technology in the resulting delays coupled with a Saunders' idea was that the customer Philadelphia overheard the chief heavy maintenance bill killed Keydoozle. would do this by walking around the executive of a local supermarket chain store with a basket (the supermarket Saunders never fulfilled his dream of asking one of the deans to undertake trolley was a much later innovation). truly automated shopping. At the time research into a system that would auto- And the payoff? Customers received the of his death in l953, he was planning matically read product information at benefits of greater variety, lower prices another automatic store based on a the checkout. The dean wasn't and quicker shopping, but gone forever system he named "Foodelectric". And interested, but Bernard Silver told his was the old high street grocery store Piggly Wiggly? Saunders' reason for friend Joe Woodland about the request with its characteristic aroma, furnishings choosing this intriguing name remains a and they began working on a solution. and personal service. mystery. A story has it that it suggested Their first device used patterns of ink itself when he saw several little pigs Saunders opened his first Piggly Wiggly that glowed under ultraviolet light. It struggling to get under a fence from the store in Memphis in 1916 and it quickly worked, but the patterns were window of a passing train. When asked became popular. Customers entered expensive to print and there were why he chose such an unusual name through turnstiles and with no assistants problems with ink stability. Despite the Saunders' reply was, "So people will ask to shop for them selected their drawbacks, the pair remained convinced that very question". One can't argue groceries from open shelves, paying for they had a workable idea, Woodland with that! them at a "checkout". Piggly Wiggly even giving up teaching to devote more went on to become a group of time to developing a practical system. independent franchises, which by 1929 was the second largest grocery group in An icon for today And the outcome? An application to patent an invention relating "to the art of the US and its creator a millionaire. Visitors to the Smithsonian Institution's article classification ...through the medium Then came the Wall Street Crash National Museum of American History of identifying patterns". followed by a legal dispute with the will not be surprised to find a pack of The patent was issued on 7th October New York Stock Exchange that drove Wrigley's chewing gum displayed among 1952.3 Saunders into bankruptcy. Although other icons of American culture. But this Piggly Wiggly survived - and remains particular pack of gum is more than that; alive and well - Saunders had no further on 26th June, 1974, it became the first connection with the business. bar coded product to be lifted from a Not a man deterred by setbacks, supermarket trolley by a long-forgotten Clarence Saunders went on to customer, and scanned at a checkout. experiment with automated self-service Looking around me I see several items shopping. In his Kedoozle store - a name branded in this way; the case of the CD derived from the phrase "key does all" - I'm listening to, a book, a couple of the merchandise was displayed as single magazines, the covers of some units each within a glass cabinet under document folders lying on my desk which was a keyhole. Customers beneath a can of Coke, all bear entering the store were handed a small prominent bar codes. If I looked in our pistol-like key that they placed in the refrigerator, I'd find more. Back at the keyhole below the goods they wished to office, our electrical and IT equipment is buy, the quantity being determined by bar coded to streamline identification the number of times they pulled the during inventory. Conference delegates key's trigger. This action, recorded on are sometimes asked to wear a bar punched tape, activated back office coded ID badge, as are hospital patients; In their patent ("Fig 10" is an extract), machinery to assemble the order, which airline passengers' luggage, packages sent Woodland and Silver described their bar was then despatched to the checkout through the mail, and just about code as a symbol made up of concentric on a conveyor belt. On reaching the everything sold in a supermarket are bar circles to enable reading from any 3 US patent 2,612,994 can be viewed online at... http://patft.uspto.gov/netahtml/srchnum.htm (you may need to install a Tiff image viewer to display it... http://www.alternatiff.com/) into IT I 57 direction, but they also described their on to develop bar coding further for possible to price any item in the store "symbology" as a pattern of four straight IBM, work recognised in 1992 by the simply by modifying its entry in the white lines on a dark background, the award of the National Medal of central database. Data captured at the first being a datum line from which the Technology by President Bush, he didn't checkout can also be used to track stock positions of the other three were fixed. grow rich from an idea that spawned a levels; to support automatic product re- Information was encoded by the billion dollar business. ordering when stock falls below prede- presence or absence of one or more of termined levels (a job for electronic data the lines, thus allowing up to seven interchange - EDI); to identify fast and different article classifications (excluding The problem with labelling slow moving product lines; and, by using the datum line, binary 111). However, historical data, to predict seasonal fluc- New technologies occasionally converge the inventors noted that by adding more tuations in demand. Furthermore, by with emerging business demands to lines it would be possible to encode cajoling customers into using personal bring about a step-change change in the more classifications (e.g. 10 data lines loyalty cards, sales data can be linked to way that things are done. This was to be enables 1023 classifications). A movie individual customer profiles to the case with bar coding. soundtrack player served as a bar code determine their purchasing habits (and reader, but it was bulky and expensive By the early 1970s, laser scanners and a so into the world of "data mining"). The to install while use of a high power new generation of intelligent cash big drawback is that to devise a labelling register - the electronic point-of-sales scheme for every supermarket chain is (EPOS) terminal - had arrived. These not just expensive; it also hinders supply developments coincided with growing chain integration due to manufacturers competition between the US having to recognise different supermarket numbering schemes. Product labelling is only cost-effective when supermarket chains work cooper- atively with each other and with their suppliers. Back in 1970, this problem soon Equivalent UPC-A & UPC-E bar became apparent. The outcome was an codes. UPC-E is a smaller seven-digit industry committee, set up to formulate Bar code readers contain a light UPC symbology often used for small guidelines on barcode development and source, photo detector and signal retail items. UPC-E compresses a to devise a standard approach. processing circuitry. The light source normal 12-digit UPC-A number into a Some basic principles were to lie at the shines light onto the bar code, is six-digit code by "suppressing" the heart of the Committee's guidelines: reflected back into the scanner and number system digit, trailing zeros in G to make life easier for the cashier, focused onto the photo detector, the manufacturer's code and leading which converts the optical zeros in the product identification part thereby reducing queues at the information into an electrical signal. of the bar code message. A seventh checkout, bar codes needed to be The signal is then "cleaned up" with check digit is encoded into a parity readable from almost any angle and further circuitry and converted to a pattern for the six main digits. UPC-E at a wide range of distances; signal format that will be recognised can thus be uncompressed back into G the labels, which would be by the device to which the bar code a standard UPC-A 12-digit number. reproduced by the millions, needed reader is connected. to be cheap and easy to print; and to supermarket chains that increased be affordable... filament lamp made its operation pressure on their already tight trading G automated checkout systems somewhat hazardous. A further margins. The search was on to cut costs needed to pay for themselves in two problem was that the computers and the most obvious target was the and a half years. needed to process the information checkout, where the EPOS terminal captured by the reader were not readily offered promising possibilities providing The last goal turned out to be quite available in the 1950s. that each grocery product could be plausible. Business consultants McKinley identified uniquely, automatically and, of predicted that by adopting a universal Bar coding was a sound concept, but it labelling system the industry would save course, cheaply. was to be almost 20 years before $150 million a year at 1970 prices. microchip and laser scanning technolo- When a bar coded product is scanned at gies were sufficiently mature to make it the checkout, the bar code reader The Universal Product Code (UPC) a practical proposition. By then, Bernard captures the product's unique reference was to emerge from these deliberations Silver was dead - he died in 1962, at the number, which the EPOS terminal then and from development undertaken by age of thirty-eight - and RCA had uses as a key to enter a central database IBM (who recalled having Joe Woodland acquired the rights to Woodland and to obtain the product's price and on their payroll). Silver's patent. Although Woodland went description. By this means, it becomes 58 I into IT indicates the type of product - zero for a national brand; 2 for variable weight, An icon for tomorrow? such as meat; 4 for price reductions; and Although UPC symbols form the a few other special items. The next five backbone of all things inventory in the are the manufacturer's code, such as grocery trade, the new Radio Frequency "30000" for the Quaker Oats Company. ID (or RFID) tag has superseded optical In the second group, the first five digits scanning. RFID offers the potential for form the unique product code while the 'smarter' more flexible supply chain sixth digit is to verify that all the management. It enables products to be preceding digits are scanned properly. identified, counted and tracked auto- Thus the scanner will read "30000 matically, resulting - so its promoters 06110" as a pound of Quaker's "Cap'n claim - in "near-perfect stock and supply Crunch" cereal, or "30000 01020" as an chain visibility". 18-ounce package of "Old Fashioned MaxiCode is a 2D symbology that can Quaker Oats". To enable scanning in Products are implanted with RFID tags encode about 100 characters of data either direction, hidden cues in the during manufacture. Each tag contains a in an area of one square inch. Within code's structure tell the scanner which microchip on which is stored a unique this small space are two MaxiCode end is which, while printing the bar Electronic Product Code (EPC) and a components: black and white coded reference numbers on product tiny radio antenna. At 400 microns hexagons that pack information in two wrappers during manufacture relieves square - a micron (µm) is one directions, and a target-like central stores from the expensive overhead of thousandth of a millimeter - a tag is pattern that allows the symbol to be having to label every item they stock. smaller than a grain of sand. easily located at high speeds. UPC is not the only bar code symbology As a palette of goods leaves the manu- now in use, there are many others facturer, it passes through a beam of radio waves transmitted by an RFID The Universal Product Code designed for different industries, including the European Article reader. This causes the tags to "wake Introduced in 1973, UPC was the first Numbering system (EAN5 - also up" and begin broadcasting their bar code symbology to be widely developed by Joe Woodland), which individual EPCs. Depending on the radio adopted for product marking, in this includes an extra pair of digits and is on frequency used, RFID systems give a case by the American grocery industry. its way to becoming the world's most range of up to 30 metres, thus removing Some 250,000 companies in 25 major widely used system. The United States the line-of-sight restrictions that apply to industries now use the codes to reduce Department of Defense adopted "Code bar code scanning. supply chain costs and improve business 39" for marking all products sold to the A local application linked to the readers efficiency. US military. POSTNET is the standard then queries an Object Name Service bar code used in the United States for database over the Internet. Acting like a To obtain a company identifier code, a ZIP codes in bulk mailing. reverse telephone directory, the ONS manufacturer registers with the Uniform Code Council4 and then registers each An extension to the single dimensional server matches the EPC to the address product, thereby ensuring that every bar code concept are two-dimensional of a server that holds extensive package scanned at the checkout bears (2D) bar codes that use two axes to information on the product; this links to a unique product reference number. enable information about an item to be and augments similar systems around The code comprises two groups of six encoded in addition to its identifying the world to form a global database. coded digits (the numbers below a bar code. Some 2D codes, such as the Because the reader that sent the query code are translations for human use hexagon-based Maxicode6, do not use is in a known location, the 'system' can only). The first digit in the first group bars at all. identify which manufacturer produced the product, hence, should a product The EPC is defect or tampering incidents arise, the made up of a source of the problem is easily located. header and Back at the supermarket, deliveries three sets of update the store's retail systems auto- data. The matically. What's more, because the header supermarket's shelves are equipped with identifies the EPC's version number to allow for different lengths or types of EPC later integrated readers, they "understand" on. The second part of the number identifies the EPC Manager; most likely the manufac- what stock is being placed on them. turer of the product the EPC is attached to, for example 'The Coca-Cola Company'. The When a customer removes an item, the third, called object class, refers to the exact type of product, most often the Stock Keeping 4 Unit; for example 'Diet Coke 330 ml can, US version. The fourth is the item's unique serial The Uniform Code Council... http://www.uc- number that describes exactly which 330 ml can of Diet Coke is referred to. This makes it council.org 5 possible, for example, to quickly find products that might be nearing their expiry date. EAN International... http://www.ean-ucc.org/ 6 Example of 2D bar coding; Maxicode... http://www.maxicode.com/ into IT I 59 diminished shelf immediately routes a message to the automated replenish- An RFID system typically includes: ment system, which if necessary orders G a tag or label embedded with a further stock. And customer benefits? single chip computer and an A reader built into the store's exit antenna; recognises each item in the shopper's G a radio (much like a wireless LAN trolley by their individual EPCs; a quick swipe of the debit or credit card and the radio) that communicates with the customer's on their way. Gone is the tag. checkout with its "console operator", Unlike bar code-based tracking while in another place, Clive Saunders systems, an RFID system can read the beams with satisfaction.7 Perhaps 'RFID' will become tomorrow's icon? information on a tag without requiring line of sight or a particular orientation. The tag can be programmed to hold And to conclude, a little information such as an item's serial science fiction - or is it? number, color, size, manufacture date and current price, as well as a list of Contrary to George Orwell's grim prediction8, 1984 passed free (overall) all distribution points the item touched from his bleak vision of omnipresent before reaching the store. state security. Nevertheless, one might reflect on events in the aftermath of short - to keep an outwardly benevolent 9/11 and on their implications for the eye on us, its inner role suitably future. For instance, it might concern us shrouded in diplomatic cologne by its to learn that the role of the US media outreach coordinators? Information Awareness Office9 is to Consider a few of the advantages. We "imagine, develop, apply, integrate, always know where our children are or demonstrate, and transition information can find out. Gone are the interminable technologies, components, and prototype queues at airport check-ins, security and closed-loop information systems that will immigration desks; embedded RFID counter asymmetric threats by achieving tags ensure that, on arrival, we and our total information awareness that is useful possessions are automatically scanned, for pre-emption, national security warning, identified and verified by reference to a and national security decision making." global (and, naturally, error-free) Object Buried deep in this bucketful of gob- Name Service database. What about a bledegook, 'total information awareness' 'less-crime', if not a crime-free society? sounds uncannily similar to an objective It's a big disincentive to commit crime touched on earlier in this piece, 'near- when the authorities know where perfect stock and supply chain visibility'. everyone and their possessions are at In the eyes of some, 9/11 nurtured the any given moment. business case for tighter state security, RFID delivers such capabilities on a while the technology necessary to plate; but there's a question to be asked. deliver 'near-perfect stock and supply Where does state security start and chain visibility' is now available. Might finish and the violation of personal business case and enabling technology privacy and civil liberty begin? State again combine to bring about another security ruled OK in Orwell's starkly step change, not in the way we identify painted world. As he described it, "there and track groceries, but people and was of course no way of knowing whether their possesions? Might the time come you were being watched at any given when, in place of a letter informing us of moment". Might the application of RFID our social security number, we're move us in that direction? implanted10 with an Electronic Person A chilling thought! Code (EPC) tag at birth? Might a government department exist - Orwell See diagram overleaf. named it "Ministry of Love", Miniluv for Ian Petticrew 7 9 Store of the future movie... The IAO web site has been withdrawn, but see... http://www.future-store.org/servlet/PB/menu/1000373_l2/1073996191443.html http://en.wikipedia.org/wiki/Information_Awareness_Office 8 10 George Orwell - "1984" online edition... http://www.online-literature.com/orwell/1984/ It's quite feasible! See Kevin Warwick, Professor of Cybernetics... http://www.kevinwarwick.com/ 60 I into IT into IT I 61 Layout and Production by NAO Information Centre | Printed by SLSPrint | DG Ref: 3316RD Printed on Greencoat paper. Greencoat is produced using 80% recycled fibre and 20% virgin TCF pulp from sustainable forests.
Pages to are hidden for
"A Trojan"Please download to view full document