into IT, issue 19, February 2004

Cover headline: A Trojan can seriously damage your

Why not visit the INTOSAI website, www.intosaiitaudit.org

into IT editorial
New legislation before the U.S. House of Representatives requires all publicly quoted companies to conduct independent computer security assessments and report the results in their annual reports. The Corporate Information Security Accountability Act of 2003, if approved, requires companies "to assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems," and "determine the levels of information security appropriate to protect such information and information systems".

The Act requires companies to hire an independent auditor to assess existing information security controls and ensure that they meet basic standards that the U.S. Securities and Exchange Commission has yet to determine.

It will be interesting to see whether the standards will also extend to the independent auditor's qualifications and experience for reaching a meaningful and reliable conclusion. Is the auditor likely to be a thoroughgoing information security professional, or a financial auditor who has completed the (5-day, or whatever) course? Will the audit merely confirm the existence of the right documents - suitably dated and authorised - that say the right sorts of things? Or will the auditor be required to conduct more searching tests to assess whether the documentation is a façade that, in good 'cowboy town' tradition, is propped up by nothing more than a few scaffolding poles? And will organisations, having acquired the auditor's seal of approval, rest complacently on their laurels for the next 12 months? We await developments with interest.

A recent prime-time UK television programme featured real-time burglary. An ex (so we were told) professional burglar was hired by the programme producers to break into the homes of volunteers and 'borrow' their valuables. It was disturbing to witness the ease with which our resident expert generally accomplished his task. Truly, "penetration testing" in the raw.

Entertainment aside, there was much to learn from the ensuing debate, which considered the vulnerabilities uncovered and the countermeasures that ought to have been in place [1]. Door and window locks, security lights and their positioning, intruder alarms, and a host of other techniques were examined and discussed. Household security was then strengthened and retested, and while the improvements did not always withstand further attack, an important point emerged. Potential intruders are deterred by effective countermeasures because their penetration is time-consuming and likely to attract unwelcome attention. The trade much prefers soft targets, of which, it seems, there are plenty to choose from.

Although this scenario relates to the real world, it maps easily onto cyberspace, where network administrators have to pit their wits daily against increasingly sophisticated intrusion techniques. As IT systems become increasingly interconnected, more national and global networks are emerging, and while this opens up unprecedented opportunities and benefits for citizens and state alike, it presents the criminal with new opportunities. Systems connected to the Internet and to other networks become potential targets, and the high level of attacks against commercial and government systems, as well as individuals, continually demonstrates the skill and determination of cyber criminals to exploit technical vulnerabilities and human naivety. There can be no doubt that, as more business is transacted on-line, the potential for cyber crime and its incidence will increase. Although most network administrators take sensible precautions, they have other responsibilities and cannot always be blamed if they are not abreast of the latest, often highly ingenious, technical exploits that facilitate cyber crime. This is work for the specialist, and it is here that well planned and conducted penetration testing can expose serious vulnerabilities.

In this edition we highlight some of the technical and procedural countermeasures for protecting networked information systems, including penetration testing, a technique that despite its risks is becoming a more widely accepted strategy for protecting online information and services.

Our first theme article provides a layman's guide to hacking. For the benefit of readers who are unfamiliar with the subject, N. Nagarajan of the Office of the Comptroller and Auditor General of India explains some of the approaches to computer hacking and the terminology that often crops up in connection with it.

Our second theme article describes a penetration-testing project that was planned and supervised by the Office of the Auditor General for North Carolina. The article is interesting both for its description of the outcome (21 of the 22 target systems were penetrated successfully, most in less than 30 minutes) and for the approach to the task.

The focus of network security used to be at the perimeter, where firewalls were positioned to keep uninvited guests out of the internal network, but growing recognition of the risk of attack from within and the advent of e-mail as a vehicle for planting a Trojan in the system has changed the picture.

Our next three articles develop this theme. Written by staff at the UK's National Infrastructure Security Coordination Centre [2], they provide an overview of recent developments in intrusion detection systems; of e-mail spoofing, a technique sometimes used by hackers to obtain system passwords; and of Trojan horse software. And believe me, a Trojan can seriously damage your

To round off this edition's theme of hacking, we have received an excellent article from the Auditor of Public Accounts of the Commonwealth of Kentucky, USA. Ed Hatchett takes a robust stance on the subject of network security, commissioning detailed technical appraisals of state departments' controls and not being shy about publishing his findings. In his article, Ed describes the results of an audit of the Transportation Cabinet network in which his team uncovered both hackers at work and criminal activity. And yet top of his recommendations is the simple expedient of applying a good standard of password management.

[1] See http://www.bbc.co.uk/crime/prevention/yourhome.shtml
[2] NISCC's role is to co-ordinate and develop the UK critical national infrastructure's defences against electronic attack...

IntoIT is the journal of the INTOSAI Standing Committee on IT Audit. The journal is normally published twice a year, and aims to provide an interesting mix of news, views and comments on the audit of ICT and its use in Supreme Audit Institutions (SAIs).

Material in the journal is not copyrighted for members of INTOSAI. Articles from intoIT can be copied freely for distribution within SAIs, reproduced in internal magazines and used on training courses.

The Editor welcomes unsolicited articles on relevant topics, preferably accompanied by a photograph and short biography of the author, and short news items for inclusion in future issues.

The views expressed by contributors to this journal are not necessarily those of the editor or publisher.

Editorial address
Contributions should be sent to:
The Editor of intoIT
National Audit Office,
157-197 Buckingham Palace Road,
United Kingdom
E-mail intoit@nao.gsi.gov.uk
Web site www.intosaiitaudit.org

Contents
Country Focus: The UK National Audit Office   2
Not Knowing What You Do Not Know
State of North Carolina
Trojan Horses and Kernel Root Kits
Intrusion Detection v Intrusion Prevention
Email Spoofing
A State Auditor's Network Security Case Study
Risk Based Sampling Using COBIT
Going Electronic
Freedom of Information
Dig the Space dirt
GAO Working with Congress
A Chilling Thought!
2   I   into IT

Country Focus: The UK National Audit Office

The UK: some facts and figures

UK: 244,820 sq km - approximately the size of the U.S. state of Oregon or the African country of Guinea - comprises England, Wales, Scotland and Northern Ireland, plus many surrounding islands but excluding the dependencies of the Isle of Man and the Channel Islands. No part is more than 75 miles from the sea.
Population: 60M
Ethnic groups: English 81.5%, Scottish 9.6%, Irish 2.4%, Welsh 1.9%, Ulster 1.8%, West Indian, Indian, Pakistani, and other 2.8%
Languages: English and Welsh, but Gaelic, Urdu, Hindi, Punjabi and other languages are spoken.
Religions: Anglican and Roman Catholic 40 million, Muslim 1.5 million, Presbyterian 800,000, Methodist 760,000, Sikh 500,000, Hindu 500,000, Jewish 350,00
Government: parliamentary monarchy and part of the European Union. Everyone over the age of 18 can vote.
Legal system: common law with early Roman and modern continental influences. Judicial review of Acts of Parliament under the Human Rights Act of 1998.
The UK does not have a written

The UK: historical background

What scant knowledge we have of Britain before the Roman conquest comes mainly from archaeology, which provides clues about our early culture and economic development but rarely identifies personalities, motives, or exact dates. Julius Caesar left us his impressions of Britain at the time of his brief visits in 55 & 54BC, which is the earliest coherent account we have. Even in later Roman times, Britain was considered to lie at the periphery of the civilised world, and Roman historians left us little more than a framework in which to slot the results of archaeological research.

The Roman invasion of Britain began in 43AD. While many British tribes made political deals with the invaders, they also encountered stout resistance. Indeed, the Romans never fully occupied Britain, concluding that Scotland wasn't worth the effort. Roman Britain's northern border was eventually stabilised on a heavily fortified wall in northern England, slightly south of the existing border. Much of "Hadrian's Wall" still exists and is a popular tourist attraction.

For over three centuries, Roman life prospered in what is now England. The local tribes became integrated into an urban, governmental system, and grew accustomed to a peaceful, ordered way of life. Roman towns had properly drained and metalled streets, water supplies, forums and other public buildings. But perhaps the Romans' greatest achievement was their system of magnificently engineered roads, built to allow the swift movement of troops, munitions, and supplies from one strategic centre to another (the English were to use the same strategy to subdue the Scottish clans during the 18th century).

Following the collapse of the Roman Empire early in the fourth century, urban life in Britain declined and we sank again into an age of intellectual darkness and barbarity that was to continue for 600 years. Christianity and the use of money ceased for some two centuries, while the physical character of our people, language, and institutions changed. Germanic tribes from Europe replaced a significant part of our lowland population, their dialects replaced Latin and Celtic (later giving rise to the English spoken today), and loosely knit and feuding hereditary kingships replaced the centrally governed Roman provinces. Among these illiterate and pagan tribes were the Angles and the Saxons, and Britain came to be called "England" after the former (a derivation of "Engla-lond" or "land of the Angles"). Although the Anglo-Saxons were not as sophisticated as their Roman predecessors, within a few centuries they had built a hierarchical, regulated society in which agriculture and trade flourished.

Later in the millennium, the Anglo-Saxons found themselves invaded from Scandinavia by the "Vikings". Sometimes the Vikings were beaten back, at other times not. Eventually they were granted parts of the country where their own laws prevailed, although by 1066 - a highly significant year in our history - an Anglo-Saxon king was in control.

Reliable written evidence from the first millennium is limited [1], but archaeology provides many clues about Roman, Anglo-Saxon and Viking settlements and daily life, and all of these peoples left us examples of beautiful jewellery, pottery, sculpture, and metalwork. The study of names and language shows more enduring effects, while in the case of the Vikings DNA analysis provides some insight into their effects on our genetic

[1] For anyone interested in delving deeper, there is a good source at http://www.britannia.com/history/docs/

In 1066, our neighbours, the Norman French, successfully invaded England; they were the last to do so. Since then, despite occasional periods of civil war, England has remained a unified entity. Under the Normans, government was again centralised, a bureaucracy built up, and written records maintained. The roots of the English "common law" legal system date from this period.

Wales and Scotland, originally independent kingdoms, both strongly resisted English rule. King Edward I conquered Wales in 1282 and an Act of 1536 completed the political and administrative union of the two countries; 1707 saw the union of Scotland and England and our adoption of the name "Great Britain".

As for Ireland, invasion by the Anglo-Normans in 1170 was to lead to centuries of strife, with successive English monarchs (and Oliver Cromwell) seeking to gain control, with varying degrees of success. To cut short a painful story, the Anglo-Irish treaty of 1921 formalised a partition of Ireland. The six counties that constitute "Ulster" maintain their constitutional links with Great Britain, while the other 26 counties became the "Irish Free State" (and in 1949 the "Republic of Ireland"). In 1927, we adopted the name "United Kingdom of Great Britain and Northern Ireland", usually abbreviated to 'United Kingdom' or 'UK'.

Carew Castle
The English built a fine set of castles in Wales to help encourage the indigenous population to toe the line. Many remain and are worth visiting.

Giant's Causeway
When the giant Finn McCool fell in love with a lady giant on Staffa, an island in the Hebrides, he built this wide commodious highway to bring her across to Ulster.

The British Empire

The British Empire began to grow at the beginning of the 17th century, eventually expanding over much of the globe, particularly in North America and India. It was built on colonial trade, which originally went hand in hand with slavery; slaves bought in West Africa were shipped to the Americas where they were sold to plantation owners in exchange for produce, which was then shipped back to Britain. Later came the Industrial Revolution, which was to dominate 19th century British history. Queen Victoria's reign in particular saw the products of our engineering expertise together with our commerce, language, and systems of law and government spread throughout the Empire, which at its zenith encompassed roughly one-fifth of the globe.

The heyday of Empire ended in 1914. During the following decades, our economic strength was devastated by two World Wars. The post-war years saw the rapid dismantling of our Empire and our transition to a European nation.

Stonehenge, Wiltshire, England
Erected in stages between 3000 and 1500 BC; no one really knows why.

The UK today

The UK today is a leading trading power and financial centre, and one of the four 'trillion dollar' Western Europe economies. Our agriculture is highly efficient by European standards, producing about 60% of our food needs with only 1% of the labour force. We have significant coal, natural gas, and oil reserves, primary energy production accounting for 10% of GDP, one of the highest shares of any industrial nation. A decline in our manufacturing industry has been offset by our expanding service sector - particularly in banking, insurance and business services - which accounts for by far the largest proportion of our GDP.

Our long-established parliamentary system is currently the subject of reform. Hereditary membership of our upper legislative assembly, The House of Lords, is being abandoned in favour of politically appointed representatives. Scotland and Wales now have National Assemblies with varying degrees of power, and further assemblies for the English regions seem likely.

The UK's role as a major world financial centre, our strong ties with the Commonwealth, and a permanent seat on the UN Security Council help us continue to exert significant influence in world affairs.

Forth Railway Bridge, Scotland

About the NAO: the early years

The National Audit Office has existed in its present form since 1983, but the public audit function in central government has a long history. The earliest surviving mention of a public official charged with auditing government expenditure is a reference to the Auditor of the Exchequer in 1314. The Auditors of the Imprest were established under Queen Elizabeth I in 1559 with formal responsibility for auditing Exchequer payments. This system gradually lapsed and in 1780, Commissioners for Auditing the Public Accounts were appointed by statute. From 1834, the Commissioners worked in tandem with the Comptroller of the Exchequer, who was charged with controlling the issue of funds to the government. However, Parliament's role in this process was limited.

Parliament had for several centuries been responsible for raising revenue and authorising expenditure (the English Civil War had been fought largely on this issue) but their control and scrutiny of public spending was weak. It was not until the 1860s that the first major steps were taken towards proper financial accountability to Parliament.

issue of funds, and accounts were produced by departments and audited by the Comptroller and Auditor General. The results of the C&AG's investigations were considered by a dedicated Parliamentary committee, the Committee of Public Accounts (PAC). From the 1870s, the PAC took evidence

legislation, the Exchequer and Audit Departments Act 1921, addressed this by allowing the C&AG to rely in part on departmental systems of control and thus examine only a sample of transactions. This Act also required the C&AG to report to Parliament that money had been spent in accordance with
Parliamentary audit                          from senior officials, normally Heads of     Parliament's wishes.
                                             Departments, who were designated as
The Exchequer and Audit Departments
                                             "Accounting Officers" by the Treasury.
Act of 1866 established a cycle of
                                             Initially, the C&AG and his staff were
accountability for public funds in which
The House of Commons authorised              required to examine every transaction,       Pressure for the reform of the public
expenditure, the Comptroller and             but this became unrealistic as the level     audit system again grew from the 1960s,
Auditor General (C&AG) controlled the        of government activity expanded, partic-     following concerns expressed by
                                             ularly during the First World War. New

Is Comptroller a misspelling?                  The Cycle of Accountability
Should it not read Controller?
                                               Once public money has been spent by a central government body, the C&AG is
"Comptroller" first appeared around            free to report to Parliament on the regularity, propriety, and value for money
1500 and is thought to be a misspelling        with which this has been done.
of "controller". This embodied an older
                                               The Committee of Public Accounts can take evidence on this report from the
error arising from the false
                                               most senior official in that public body and can then make recommendations to
presumption that the responsibilities
                                               which the Government must respond within two months. The C&AG and/or the
involved were somehow connected
                                               PAC can decide to conduct a follow up investigation into the issues raised.
with "accompt" or account, the
controller being the "contrarolutator",        We are also willing to assist Parliament in whatever way we can. Each year, we
one who kept a counter-roll as a               respond to over 400 queries from Members of Parliament on issues affecting
double check on transactions.                  public spending.
                                                                                                                                      into IT   I   7

Parliamentarians and academics that the
scope of public audit needed to be
                                                                "The Committee of Public
                                                                                                           Gladstone's reforms
modernised to reflect the significant
changes in the role of government over
                                                                 Accounts would not get                    Champion of reform, William Ewart
the course of the twentieth century. In                         very far as a bunch of 15                  Gladstone, was Chancellor of the
                                                                                                           Exchequer from 1859-1866 (and, for
particular, it was argued that there was a
need for a specific power to allow the                          Members of Parliament,                     good measure, four times Prime
C&AG to report to Parliament at his                                                                        Minister - 1868-74, 1880-85, 1886,
own discretion on the value for money                          unless we had the quality                   and 1892-94).
achieved by government departments.
Reformers also argued that more robust
                                                                  and depth of research                    As Chancellor, Gladstone initiated
                                                                                                           major reforms of public finance and
arrangements should be put in place to
ensure the independence of public
                                                                contained in the reports                   Parliamentary accountability. His
                                                                                                           1866 Exchequer and Audit
auditors from government.                                      we receive from the NAO."                   Departments Act required all
                                                                                                           departments, for the first time, to
These changes were reflected in the
                                                                                                           produce annual accounts, known as
National Audit Act 1983, under which                                  Rt Hon Alan Williams MP, Chairman,   appropriation accounts. The Act also
the C&AG formally became an "Officer
of the House of Commons" with the
                                                                       The Public Accounts Commission      established the position of
                                                                                                           Comptroller and Auditor General and
express power to report to Parliament
                                                                                                           an Exchequer and Audit
at his own discretion on the economy,
                                                                                                           Department to provide supporting
efficiency, and effectiveness with which                      The development of audit                     staff from within the civil service.
government bodies have used public
funds. The Act also established the                           The work of successive C&AG's had            The C&AG was given two main
National Audit Office (NAO) - which                           reflected changes in the nature of           functions; to authorise the issue of
replaced the Exchequer and Audit                              government over the years.                   public money to government from
Department - to support the C&AG in                                                                        the Bank of England, having
                                                              In the later years of the nineteenth         satisfied himself that this was within
discharging his role.
                                                              century, much audit work concentrated        the limits Parliament had voted, and
Further important changes have                                on issues of propriety, with the C&AG        to audit the accounts of all
occurred in recent years. Following                           repeatedly reporting to Parliament on        Government departments and report
devolution, new Auditors General have                         irregular payments and practices by          to Parliament accordingly.
been appointed in Scotland and Wales to                       Government departments. The
                                                                                                           Gladstone also created the Public
audit the expenditure of the new                              expansion of government in the
                                                                                                           Accounts Committee.
Parliament and Assembly. In Scotland,                         twentieth century led to substantial
the Auditor General is supported by a                         changes in the C&AG's work, with
new body, Audit Scotland2, which                              reports to Parliament concerning large
oversees local government audit. The                          budgets, such as those for old age
NAO in Cardiff provides audit services                        pensions, hospital construction
to the Auditor General for Wales3.                            programmes, and payments to universi-
There has been a separate C&AG for                            ties.
Northern Ireland since the foundation of
                                                              Over time, the focus of our work has
the state in 1921. He heads the
                                                              shifted from reporting simply on the
Northern Ireland Audit Office4 and
                                                              details of expenditure to consideration
reports to the Northern Ireland
                                                              of the value for money achieved by
                                                              government expenditure, a process that
The introduction of resource accounting                       was accelerated greatly by the passing of
and budgeting is another important                            the 1983 National Audit Act.
development for the NAO, involving a
change from a 'cash' to an 'accruals'
based system of planning and accounting
for expenditure.
                                                                                                           William Ewart Gladstone

2 Audit Scotland... http://www.audit-scotland.gov.uk/
3 Auditor General for Wales... http://www.agw.wales.gov.uk/
4 Northern Ireland Audit Office... http://www.niauditoffice.gov.uk/
8   I   into IT

The Three E's

Under the 1983 Act, the C&AG can examine and report on the economy, efficiency, and effectiveness of public spending. We use the following definitions for the 'three Es':

- Economy: minimising the cost of resources used or required - spending less;
- Efficiency: the relationship between the output from goods or services and the resources to produce them - spending well;
- Effectiveness: the relationship between the intended and actual results of public spending - spending wisely.

Our current role

Under the law, the C&AG and the NAO are responsible for auditing the accounts of all Government departments and agencies, and reporting the results to Parliament. The C&AG also audits over half of the 'arms-length' public bodies (also known as non-Departmental public bodies), all National Loans Fund accounts, and several international clients, whom we win in open competition against other auditors. Currently, we audit over 600 accounts covering some £298 billion of expenditure; £29 billion of income; £336 billion in tax revenue; fixed assets worth £203 billion; and long-term liabilities of £37 billion.

The C&AG is required to form an opinion as to whether audited accounts are free from material misstatements and that the transactions they contain have appropriate Parliamentary authority. He will issue a qualified opinion where material misstatements are identified, but where this is not the case, may still report to Parliament on other significant matters. Even where no report is made, we often write to our clients suggesting ways they could improve their systems; such "management letters" often lead to significant changes.

In addition to financial audit, the C&AG presents around 50 reports to Parliament each year on the value for money obtained by Government departments and other public bodies. In the last 3 years, savings resulting from our work have amounted to £1.46 billion, £487 million each year.

Our value for money work covers a wide range of topics, ranging from examining the entire operation of the criminal justice system to major defence procurement projects and the administration of agricultural schemes funded by the European Union. We identify the topics for examination by carefully monitoring and analysing the risks to value for money across the full range of our responsibilities, and in undertaking reviews, we use staff with a wide range of professional expertise, including external consultants where necessary.

Auditing information technology

IT provides many opportunities to deliver better services to citizens. It also has considerable potential to improve the efficiency of government organisations in all aspects of their business. Achieving Information Age Government is central to the UK's modernisation programme, but for this to become a reality, citizens must have confidence in departments' IT systems in terms of their reliability and the protection of personal information.

We support the development of Information Age Government through our examinations of the implementation of IT projects and of the reliability of IT systems. Here, our work has revealed that complex IT projects often encounter serious problems, resulting in delays and the disruption of e-Government services. We have sought to promote improvements by drawing out the lessons learned so that poor performance is not repeated.

Other subjects that our IT-related value for money reports have touched on include information security management; software licensing; identifying and tracking livestock (essentially about information management); and on-line learning (essentially about fraud control).

Many of the value for money reports we publish focus on government's use of IT. Recent examples include:

e-Accessibility: older people are major users of public services but, as a section of society, are far less likely to access those services electronically. However, these e-services are potentially a great boon to older people, many of whom have mobility problems, have difficulty in gaining access to sources of information, live alone or want to remain independent and involved. If government is to take full advantage of the potential of technology, it must make sure its e-services are accessible to all and work to avoid a 'digital divide'...

The Libra Project: described by the Chairman of the Public Accounts Committee as "one of the worst IT projects ever seen", Libra was intended to provide our magistrates' courts with a standard computer support system. By 2003, the initial project budget, set at £146M in 1998, had rocketed to £318M with reduced functionality...
...http://www.nao.gov.uk/publications/nao_reports/02-03/0203327.pdf

Tax Credits: the Inland Revenue introduced new tax credits, but the systems did not work as intended, causing major problems for claimants, employers and the Department. There were serious problems with system performance, which affected stability (staff could not complete the processing of claims and had to start again); speed (staff had to wait too long to access information and records); and availability (significant time in the working day was lost when the system was closed down to clear internal queues)...
...http://www.nao.gov.uk/publications/nao_reports/02-03/02031072.pdf

Government Communications Headquarters: houses one of Europe's largest computer complexes and its new accommodation exhibits radical differences from most office building projects. To sustain the flow of vital intelligence to the Government, GCHQ retained responsibility for moving its technical capability into the new building. In doing so, GCHQ failed initially to consider all the implications of the move. As a result, estimates for the technical move increased more than ten-fold from £40M to £450M...

Government Call Centres: can provide services and information in a way that is convenient and cost effective. Most of the public tell us that they are willing to use them and are mostly satisfied with the service received. However, there is room for improvement. In particular, call centres need to collect full and reliable information about their services, and departments need to ensure that efficiency and quality are delivered...

You can find information about our work in progress, including contact details, on our website at...
http://www.nao.gov.uk/publications/workinprogress/index.htm

Information and communications technology in support

The 1970s saw us getting to grips with the technical aspects of computers. Some of our more adventurous colleagues acquired the skills necessary to extract information from the payroll, bill paying and stores inventory systems that were then emerging during our government's first wave of computerisation. This was the punched card/mainframe era, and extracting information from these early systems required a good knowledge of data storage techniques, programming skills (that often extended to a need for assembly language), much ingenuity - and hours of card-punching!

Things remained much at this level until the 1990s, when the first of the powerful and truly portable (rather than 'transportable') PCs - plus software tools to match - arrived to lift audit computing out of the realm of the technical specialist and place it firmly within everyone's grasp. Today, all our professional staff are allocated a modern laptop PC with which to access our corporate systems - remotely if necessary - to exchange e-mail and other documents, and to search the World Wide Web. We continue to maintain technical support teams to support our financial and value for money auditors in the more difficult tasks, but audit computing now lives very much on the auditor's laptop. Good software can make an important contribution to the various stages of audit, particularly in collecting, sorting, analysing and interpreting data, and in presenting the results. Each of our laptops carries a comprehensive software toolkit comprising Microsoft Office XP, IDEA and TeamMate, and staff receive in-house training in their use. In addition, our technical support teams are equipped with specialist software packages for designing questionnaires, analysing survey results, providing statistical analysis, etc.

The 1990s saw our original local area network, which provided internal e-mail, text-based word-processing and spreadsheet, and rudimentary search facilities. Our second-generation Intranet system, "Merlin", began to roll out in 1998, and what an improvement it was! Merlin provides us with access to our internal databases, with external e-mail, with access to information held on the UK Government Intranet and, via the Internet, to information held on the World Wide Web. Merlin is an object lesson on how a business can come to depend on good information and communications technology - we would be lost without it! For this reason we devote considerable resources to IT service management, where we model our management processes on BS 15000⁵, and to the management of information security. And under the latter heading, we are currently using government-approved specialists to carry out "penetration testing" of our network to provide positive evidence of effective security.

Our IT Strategy will continue to evolve with technological development. The main thrust of future developments is to improve audit efficiency through improved audit support tools, remote working, and knowledge management, and to provide wider access to information by staff and more efficient administrative support. Our medium term (3-5 year) vision is to enable staff to work efficiently at client sites for much longer periods, with access to the full range of resources available to staff at NAO offices. Currently we use dial-up for remote access, but are looking to exploit broadband technology further as it becomes more widely available.

Overall, ICT has come to play a vital support role in achieving our corporate vision of "Helping the Nation Spend Wisely".

TeamMate

... is an electronic documentation package marketed by PricewaterhouseCoopers. It's easily customised to individual needs and does not prescribe a particular way of performing an audit. Its main benefits are that it:

- stores and references audit working papers electronically;
- makes for easier and more timely review of audit work. The package highlights important issues, and their review does not have to wait until the paper file is in your hand. Many staff can work on the audit at the same time and at different locations;
- generates reports easily and quickly, and allows them to be customised to meet individual client requirements;
- makes for better management of audits by identifying completed tests (and also those that should be complete, but are not!);
- following audit by rolling forward one year's audit to the next.

TeamMate also provides the opportunity to embed and enhance underlying methodologies, thus providing consistent minimum standards across all audit work.

IDEA

IDEA is a comprehensive file interrogation tool for auditors that can be used to...

- Import data from a wide range of file types
- Perform analyses of data including comprehensive statistics, profiles, summaries and ageing
- Conduct exception tests of unusual or strange items using simple or complex criteria. IDEA has 103 built-in special functions as well as normal arithmetic capabilities
- Perform calculations
- Test for missing or duplicate items
- Select samples using systematic, random or monetary unit techniques
- Match or compare different data sources

Helping the nation spend wisely

The UK National Audit Office scrutinises public spending on behalf of Parliament.

The Comptroller and Auditor General, Sir John Bourn, is an Officer of the House of Commons. He is the head of the National Audit Office, which is based in London (with regional offices in Cardiff, Newcastle, and Blackpool) and employs some 800 staff. He, and the National Audit Office, are totally independent of Government. He certifies the accounts of all Government departments and a wide range of other public sector bodies; and he has statutory authority to report to Parliament on the economy, efficiency, and effectiveness with which departments and other bodies have used their resources.

Our work saves the taxpayer millions of pounds every year. At least £8 for every £1 spent running the Office.

5 BS 15000 is the first worldwide standard specifically aimed at IT Service Management. It describes an integrated set of management processes for the effective delivery of services to the business and its customers.


INTOSAI celebrated its 50th anniversary last year. It has grown from a small group of 34 supreme audit institutions (SAIs) that met in Cuba in 1953 to become the voice of the worldwide SAI community. Its nearly 190 members represent a wide spectrum of audit institutions working in many different ways to provide their parliaments and citizens with an effective audit of public finances. INTOSAI, as an apolitical international institution working for the mutual exchange of ideas on best practice, is without parallel anywhere else in the public sector.

Recent years have seen a substantial growth in bilateral and multilateral cooperation among SAIs. Increasingly, SAIs recognise the need to learn from each other if they are to keep pace with the rapid changes in public sector management, accounting and auditing

The UK NAO plays an enthusiastic role in these activities. We host the INTOSAI IT Audit Committee web site (http://www.intosaiitaudit.org), which offers both our members and the world at large a range of training and guidance material on various aspects of IT audit, while other areas of the site catalogue material useful to the IT auditor that can be found on SAIs', state auditors', and government web sites. The UK is also a

The International Training Course

Since 1993 the National Audit Office (NAO) has offered staff from overseas SAIs the opportunity to participate in an annual audit training course in London (usually in September). To date staff from many countries have participated in the course, which includes intensive training in the National Audit Office's methodologies for both Financial audit and Value for Money work. The training approach is classroom based but both modules

SIR JOHN BOURN
COMPTROLLER AND AUDITOR GENERAL
NATIONAL AUDIT OFFICE OF THE UNITED KINGDOM

Sir John Bourn has been Comptroller and Auditor General of the United Kingdom since 1988 and, as well, Auditor General of Wales since 1999. He was educated at the London School of Economics, where he took the BSc (Economics) degree and a PhD. He has worked in several government departments, including the Treasury, the Northern Ireland Office and at the Civil Service College. Before his present appointment, he was Deputy Under Secretary of State for Defence Procurement at the Ministry of Defence. Sir John sits on the Financial Reporting Council of the United Kingdom, is a member of the UK's Financial Review Panel and a Member of the Panel of External Auditors of the United Nations.

Sir John is a Visiting Professor at the London School of Economics.
include practical illustrations, examples    standards, and expectations of the role
                                                                                              member of the INTOSAI Governing
and case studies drawn from accounts         of public auditors. Many formal and
                                                                                              Board and chairs the INTOSAI working
audited and value for money studies          informal structures have been
                                                                                              group on the audit of privatisation and
carried out by the NAO. The course           developed by SAIs to identify and
                                                                                              regulation. Oh! - we also publish this
aims to be interactive and participants      promote good practice and to tackle
are encouraged to question and               issues that cross national boundaries.
introduce elements from their own            Among these, the INTOSAI IT Audit                  During 2003, 600 representatives
experience. Extensive course notes,          Committee is extremely active, with a              from 70 countries visited our office.
booklets and reference materials are         regular programme of liaison meetings              In turn, we sent more than 50
provided for the participants retention      and IT seminars hosted by member                   NAO staff abroad on short-term
and future reference.                        countries. Members also collaborate in             assignments ranging from a few
                                             the development of training and                    days to several months. We often
Course applications are available on
                                             guidance material, our current                     enrich our projects with expertise
our web site...
                                             programme including the development                drawn from across the UK and
http://www.nao.gov.uk/conferences/int        of a range of guidance on auditing                 beyond.
ernational_training_application.pdf          electronic government and on electronic
                                             records management.                                                            Ian Petticrew
12   I   into IT

 You can manage what you know about; it's what you don't
 know about that creeps up and stabs you. For the IT       The hacker
 manager, computer hacking is one such sword of            Technically, a "hacker" is someone who is
                                                           enthusiastic about computer
                                                           programming and all things computer
 Damocles for which sensible preventive                    related, and is motivated by curiosity to
                                                           reverse engineer software and to explore.
 and detective measures have become
 essential. And in common with other
 disasters in waiting, infiltration should
 feature in contingency planning.

 For the benefit of those readers
 unfamiliar with computer
 hacking, N. Nagarajan of the
 Office of the Comptroller
 and Auditor General of
 India gives an overview
 and explains some of
 the terms associated
 with it.

The basics of protecting against computer hacking
                                                                                                                         into IT   I   13

The term "cracker", on the other hand,
describes those who apply hacking skills
                                                 Computer hacking                                the area of fraud. However, other
                                                                                                 motives include espionage (both
to gain unauthorised access to a                 Hacking is in some ways the online              governmental and commercial
computer facility, often with sinister           equivalent to burglary; in other words          secrets) and the obtaining of
motives. But "cracking" never really             breaking into premises against the              personally sensitive information that
caught on, perhaps due to the grey               wishes of the lawful owner - in some            might be used for tracing people,
area that exists between the two                 jurisdictions a crime in itself - from          deception and blackmail;
activities and to the media's widespread         which other criminal acts such as theft     G   alteration or deletion of data
use of "hacking" as a term synonymous            and/or damage generally result.                 and code: most organisations now
with computer crime. I will not
                                                 Computer hacking refers to gaining              depend to some extent on comput-
therefore try to buck the trend in this
                                                 unauthorised access to, and hence some          erised information systems, and any
                                                 measure of control over, a computer             act resulting in significant corruption
                                                 facility, and most countries now have           or deletion of corporate data could
                                                 specific legislation in place to deter          have serious implications on their
                                                 those who might wish to practice this           ability to transact business;
                                                 art and science. In some jurisdictions,     G   degradation or cessation of
                                                 unauthorised access alone constitutes a         service: acts that result in systems
                                                 criminal offence, even if the hacker            being unable to carry their
                                                 attempts nothing further. However, in           workload or that fail altogether,
                                                 practice, hackers generally have a              could also have serious business
                                                 particular target in mind, so their unau-       implications;
                                                 thorised access leads to further acts,
                                                 which national law might also define as     G   use of computer resources:
                                                 criminal activities. These can be               this impact is really inherent in the
                                                 summarised under the headings of                previous three, but it's worth
                                                 unauthorised:                                   mentioning separately because an
                                                                                                 emerging problem is the use by
                                                 G   obtaining of confidential                   hackers of other people's systems
                                                     information: perhaps the major              (extending to home PCs) to store
                                                     growth area in computer crime is            illegally obtained data or to mount
                                                     "identity theft", in other words the        attacks on other systems. There are
                                                     obtaining of personal information           documented cases of systems
                                                     that can then be used to commit             hacked in this way - sometimes
                                                     other serious offences, usually in          referred to as "zombies" because
                                                                                                 they are no longer in the full control
        The Ten Immutable Laws of Security                                                       of their unsuspecting owners -
                                                                                                 being used to store child
        1    If a bad guy can persuade you to run his program on your computer, it's             pornography and material that
             not your computer anymore.                                                          breaches copyright law (e.g.
        2    If a bad guy can alter the operating system on your computer, it's not your         copyrighted music files), to mount
             computer anymore.                                                                   distributed denial of service attacks
        3    If a bad guy has unrestricted physical access to your computer, it's not            on other systems, and to distribute
             your computer anymore.                                                              spam e-mail.
        4    If you allow a bad guy to upload programs to your web site, it's not your       Finally, it's worth emphasising that the
             web site any more.                                                              term "hacker" applies both to outsiders
        5    Weak passwords trump strong security.                                           and to otherwise authorised personnel
        6    A machine is only as secure as the administrator is trustworthy.
                                                                                             who misuse their system privileges, or
                                                                                             who impersonate higher privileged
        7    Encrypted data is only as secure as the decryption key.
                                                                                             users. This sad fact needs to be
        8    An out of date virus scanner is only marginally better than no virus            recognised when formulating corporate
             scanner at all.                                                                 security policy.
        9    Absolute anonymity isn't practical, in real life or on the web.
        10   Technology is not a panacea.
        Source - www.microsoft.com/technet
Approaches to hacking

There are several basic strategies for hacking a computer facility: physical intrusion; password attacks; network access; web server attacks; and e-mail attacks, but there are a multitude of tactics that can be used to implement them. For example, security flaws (or design weaknesses) in infrastructure software and communications protocols offer seemingly endless tactical possibilities, as is evidenced in the never-ending stream of security updates (see example).

    Just another security update for Microsoft Internet Explorer

    Are You on a Network?
    If your computer is part of a managed network, contact your organization's system administrator before making changes to your computer.

    Why We Are Issuing This Update
    A number of security issues have been identified in Microsoft® Internet Explorer that could allow an attacker to compromise a Microsoft Windows®-based system and then take a variety of actions. For example, an attacker could run programs on a computer used to view the attacker's Web site. This vulnerability affects computers that have Internet Explorer installed. (You do not have to be using Internet Explorer as your Web browser to be affected by this issue.) You can help protect your computer by installing this update from Microsoft.

    Source - Microsoft Security Bulletin MS03-032

Physical intrusion: an attacker's work is made easier by gaining physical access to a machine's keyboard or to network junction boxes. Physical access opens up such possibilities as installing a keystroke logger [1]; installing unauthorised hardware devices (e.g. linking a modem that bypasses the corporate firewalls to the network); tapping junction boxes through which network traffic might be analysed; gaining access to system documentation, printouts and to written notes of their passwords left by reckless users. Even access to confidential waste can prove fruitful. Perhaps the quickest and easiest way to gain physical access to an organisation's computer facilities is to join the contract cleaning force, which often works unsupervised and outside normal office hours.

Password attacks: obtain a valid password to the system and you become just another legitimate user. This is particularly dangerous where the hacked account has special privileges assigned to it that permit wide-ranging system access and use. A successful password attack is both difficult to detect and difficult to prevent because password security depends largely on the user. Keystroke loggers and social engineering (see terminology below) are methods of capturing passwords, while people often share their personal passwords with others, write them on notes that they attach to their terminals, and fail to change them periodically. Password cracking programs perform an elaborate process of guessing 'weak' passwords by trial and error, using combinations of words from different languages, names (places, people, characters in books), jargon, slang, and acronyms. These are tried backwards, in two-word combinations, in combinations with numbers substituted for letters, etc. Vendors often ship infrastructure software with the administrator account passwords set to default values; because these are widely known in the hacking community, they provide an easy route into a computer facility if left unchanged.

Network Access and Web Server Attacks: computers forming part of a local area network that is in turn connected to the Internet are exposed to a range of potential logical access risks. A network's primary purpose is to permit users to access resources and exchange information, but hackers can also use the network for the same purpose. There are different ways to achieve unauthorised access under this heading, many being technically sophisticated. One set of approaches exploits features of networking software that make it accessible from outside the network. Another set exploits browsers; for example, browsers maintain or have access to information about the user and computer that a hacker can exploit. A hacker could also cause a browser to launch an "applet" (a program that runs in conjunction with the browser) to hack the computer or network, or to send back information that is not normally accessible from outside. Once access is gained, "island hopping" through the network is sometimes possible by exploiting trusted relationships between interconnected computers - the fact is that a network of computers that trust each other is only as secure as its weakest link.

The basic solutions to this family of security risks are to keep abreast of vendor security updates - such as the Microsoft example illustrated - and to maintain an effective "firewall" [2].

Email Attacks: e-mail is a major route into networked computers. Typically, a Trojan horse program is buried within an innocuous-looking attachment to an e-mail message (see the Autorooter example). The Trojan is launched when the attachment is opened (or sometimes viewed) and covertly passes control of the computer to the hacker.

    Autorooter

    ...a Trojan horse, potentially spread by e-mail, which exploits a Windows vulnerability to allow a hacker to gain control of infected computers.

    This DCOM-RPC exploit only affects Windows XP/2000 Pro/NT computers, which can use Remote Procedure Call. As the Trojan is incapable of spreading by itself, the file reaches computers through infected e-mail messages, inside files downloaded from the Internet or even on floppy disks.

    When run, Autorooter creates files, including RPC.EXE, which exploit the operating system vulnerability by opening communication port 57005 and logging on with the same privileges as the computer's user. It also downloads a file called LOLX.EXE, which opens a backdoor in the computer. After that, the infected computer is at the mercy of the hacker who can gain remote control through the port created.

    Because it doesn't show any messages or warnings that may indicate that it has reached the computer, Autorooter is difficult to recognise.

[1] Hardware or software that captures the user's keystrokes, including their passwords.
[2] A combination of hardware and software that limits external access to networked computers and resources.
[3] The least level of privilege consistent with performing a particular role.

Managing common vulnerabilities

A compromised system can be a self-inflicted injury due simply to the basic precautions having been ignored:

- ensure that your computer has good physical security, consistent with both its value in terms of replacement cost and the consequences that could stem from its data being disclosed or destroyed. Secure sensitive areas; manage access keys; consider installing intruder alarms. Ensure communications junction boxes are secured and inspect them periodically for signs of tampering - network administration packages can detect unauthorised physical devices connected to the network. Provide a secure waste disposal service for computer printouts and removable media;

- formulate a sensible password policy for authenticating users and enforce it. Consider the need to strengthen password authentication with tokens or biometrics. Disable unnecessary services and accounts promptly;

- systems administrators occupy positions of extreme trust; it follows that they should themselves be trustworthy. Be very careful who you permit to have system administrator-level access to your network, particularly when hiring new staff or appointing people to cover for absences. Consider implementing a policy of "least privilege" [3] and review periodically the privileges that have been allocated, to whom and for what purpose;

- infrastructure software - in particular the operating system and firewalls - generates logs that record who is using (or attempting to use) the system, for what purpose and when. This information can prove vital in detecting unauthorised activity - for example, attempted access to particularly sensitive accounts or files - and system use at unusual times. Logs should be reviewed frequently - it may be necessary to develop or purchase a log monitoring and analysis package to enable key system messages to be detected quickly. An unplanned increase in

     disc storage, slower than expected                                                   successfully tested) disaster recovery
     network performance and                    It's vital to appreciate that:            arrangements in place may find it com-
     suspicious-looking outbound                G    security consists of both            paratively easy to transfer their key
     connections can be other indicators             technology and policy; that is,      operations to a disaster recovery site
     that you have a cuckoo in the nest;             it's the combination of the          while they thoroughly investigate and
                                                     technology and how you use it        sanitise their home site.
G    make sure that your system files
     (including the Registry) are well               that ultimately determines how       You should consider the extent to
     protected from unauthorised                     secure your systems are;             which you back up your firewall and
     change. Apply the principle of least       G    security is journey, not a           other significant logs. Assuming the vul-
     privilege to limit what users are able          destination. It's not a problem      nerability that gave rise to the attack is
     to do. Implement a change control               that can be "solved" once and for    not apparent, you may need to look
     procedure to ensure at least two                all, but a continual series of       back, perhaps weeks, to identify when
     people are involved in important                moves and countermoves               and how the intrusion occurred
     system changes and that all changes             between the good guys and the        (another plus in favour of frequent log
     are recorded. Periodically audit                bad guys;                            reviews). Furthermore, should events
     your system software for unautho-          G    the key is to ensure that you        finish up in the hands of the police, the
     rised executables;                              have good security awareness,        police are likely to need the evidence
                                                     appropriate security policies        contained in your logs to support a
G    never run or download software
                                                     (that you enforce), and that you     prosecution.
     from an untrusted source (the
     source from which it was obtained               exercise sound judgment.             You will also need to consider who to
     might not be the same as the                                                         inform when you discover the
     developer). If you run a web site,
     you should control closely what
                                              Planning for hacking                        problem. This will involve striking a
                                                                                          balance between those who need to be
     visitors can do; in particular, you      incidents                                   involved in the investigation, top
     should only permit programs on the                                                   management - but only when you have
     site that you obtained from a            So, you discover that your system has       concrete proposals to make to them -
     trusted developer;                       been hacked. What next? Well, first it's    and everyone else, at least until the
                                              necessary to backtrack and consider         evidence has been preserved.
G    typically, a new virus or Trojan does    planning for this possibility. Sit down
     the greatest amount of damage            with colleagues and write down a            Investigation needs to be thorough;
     early in its life when few people are    strategy to guide your response,            focusing on a single vulnerability before
     able to detect it. Thus, an out of       exactly as you would for any other          restoring service might overlook the
     date virus scanner is only marginally    aspect of contingency planning. Who         existence of backdoors that the hacker
     better than no virus scanner. New        will form your incident response team?      has inserted to enable easy re-entry
     viruses and Trojans are created          What are your goals going to be and in      later. A thorough investigation will
     virtually every day, so it's vital to    what order of priority? In most cases       involve advanced networking
     keep your scanner's signature file up    they are likely to be first, to prevent     techniques, adeptness with software
     to date - virtually every vendor         further intrusion, then to identify the     tools, system administration,
     provides a means to obtain free          vulnerabilities that led to the attack,     data/system recovery, technical skills
     updated signature files from their       assess the damage and consider what         that might not be at your immediate
     web site.                                remedial action needs to be taken (e.g.     disposal. Thus, it might be prudent in
When you're satisfied that the basics         what would you do were you to
are both in place and operating, why          suspect identity theft?). Will you assign     The hackers' hit parade
not consider hiring a reputable firm of       resources to identifying the intruder?
                                                                                            Security firm Qualys produces a
security specialists to undertake a           Will you involve the police?
                                                                                            real-time index of the vulnerabilities
"penetration testing" programme to            One of the first points to consider is        that are the current favourites of the
assess the extent to which your               whether to disconnect from your               Internet's computer hacking
scheme of control rests on solid              external networks to limit damage and         community. You can obtain details of
foundations rather than on sand?              prevent further infiltration to other         each vulnerability by clicking on each
                                              trusted networks. Assuming the attack         entry in the 'ID' column of the vulner-
                                              is external, remaining connected may          ability table.
                                              leave the hacker able to observe and          http://www.qualys.com/services/threa
                                              negate the response team's actions.           ts/current.html.
                                              Organisations that have reliable (i.e.
                                                                                                                    into IT   I   17

  Responding to intrusions                  Conclusion                                  Firewall - the online equivalent of the
                                                                                        'man on the door' who, when a visitor
  G    understand the extent and            In the context of computer hacking,         arrives in the foyer, asks for proof of
       source of an intrusion;              knowing what you do not know is             identity, checks the appointments book,
  G    protect sensitive data contained     manageable, hence the importance of         contacts the host, issues a temporary
       on systems;                          good preventive and detective               pass and perhaps inspects the visitor's
                                            measures, such as log review and            baggage before permitting - or denying
  G    protect the systems, the
                                            intrusion detection systems. The less       - entry.
       networks and their ability to
                                            fortunate are those who remain in self-     A network firewall sits at the junction
       continue operating as intended;
                                            inflicted ignorance - maybe for weeks       point or gateway between two
  G    recover systems;
                                            or months - that their system has been      networks - usually a private network
  G    collect information to better        infiltrated and their business is being     and a public network such as the
       understand what happened.            damaged.                                    Internet - its purpose being to reduce
       Without such information, you
                                            Regardless of the strength of your          the risk to networked computers of
       may inadvertently take actions
                                            preventive and detective measures, be       intrusion. It may be a hardware device
       that can further damage your
                                            prepared for hacking incidents, particu-    or software running on a secure host
                                            larly if your organisation relies heavily   computer. In either case, a firewall has
  G    support legal investigations.                                                    at least two network interfaces, one for
                                            on networks (the Internet, WANs and
  Source: www.cert.org                      LANs) for its operations and customer       the network it is protecting and one for
                                            services. Should you fall victim, a         the untrusted network to which it is
your planning to identify reputable         thorough investigation of a                 exposed. Because firewalls cannot
security specialists well versed in         compromised system - while                  decide for themselves whether traffic is
penetration testing that might be called    disruptive, time-consuming, expensive,      hostile or benign, they must be
upon to assist with sanitising and          and tedious - is essential. The             programmed with rules (a "security
rebuilding your systems.                    temptation is to give in to pressure to     policy") that govern the types of traffic
                                            resume operations quickly by closing        to allow or deny.
In addition to identifying the system
                                            the obvious vulnerabilities and trusting    In addition to guarding external
vulnerabilities exploited by the hacker,
                                            to luck that the system is clean. That      connections, firewalls are also
a critical review and reconciliation of
                                            could easily be a false economy.            sometimes used internally to provide
activated accounts (particularly those of
guests, supposedly disabled accounts                                                    additional security by segregating sub-
                                                                                        network that give access to highly
and those whose presence can't be
explained) and their associated system
                                            Some terminology                            sensitive applications.
privileges, while tedious, could reveal     Buffer overflows - are due partly to a      Honey Pots - decoy servers or
other unused entry points the hacker        characteristic of some programming          systems designed to gather information
has set up against a rainy day; likewise,   languages, such as C, which poor            about attackers. A honey pot, which is
you should confirm the status of all        programming practices then                  set up to be easier prey for attackers
interconnected 'trusted' systems.           exacerbate. An overflow occurs when a       than genuine production systems,
                                            program attempts to store more data         incorporates modifications that enable
Scan the system for Trojans. These are
                                            in temporary storage area, or "buffer",     intruders' activities to be logged and
typically identified by antivirus
                                            than it can hold. Since buffers are of      traced. The theory is that when an
packages, but their scan engines have
                                            finite size, the extra information          intruder breaks into a system, they will
varying degrees of success, particularly
                                            overflows into adjacent buffers thereby     return. During subsequent visits,
if not up-to-date, so scan using (up-to-
                                            corrupting or overwriting the valid data    additional information can be gathered
date versions of) several packages.
                                            held in them. This would normally           and additional attempts at file, security,
Note: there is more information on          cause a program failure or even a           and system access on the Honey Pot
incident response at...                     system crash, but a skilfully crafted       can be monitored and saved. Most
http://www.cert.org/security-               overflow can also be exploited as a         firewalls can be configured to alert
improvement/modules/m06.html                form of security attack. The attacker       system administrators when they
                                            can gain control by creating an             detect traffic entering or leaving a
                                            overflow containing code designed to        honey pot.
                                            send new instructions to the attacked
                                            computer, hence the relevance of            Identity theft - involves taking over an
                                            buffer overflows to hacking.                individual's identity by stealing critical
                                                                                        private information, such as the Social
                                                                                        Security number, driver's license
18   I   into IT

                                           resources and activities and, using        compromise the system, or be used in
 Example of a buffer overflow              information gathered from these            a social engineering attack. For
 vulnerability                             sources, alerts system administrators      example, a keylogger will reveal the
                                           on identifying possible intrusion.         contents of all e-mail composed by the
 The Phone Book Service that runs on
                                                                                      user. Keylogger programs are
 Internet Information Services (IIS) 5.0   Firewalls (see above) work only at a
                                                                                      commonly included in rootkits and
 has an unchecked buffer (a                network's point of entry with packets
                                                                                      remote administration Trojans. A
 temporary data storage area that has      as they enter and leave the network.
                                                                                      keystroke logger can also take the form
 a limited capacity but no specification   An attacker that has breached the
                                                                                      of a hardware device, independent of
 for the amount of information that can    firewall can roam at will through a
                                                                                      the operating system, which plugs in
 be written into it) in the code that      network - this is where an ID system
                                                                                      between the keyboard and the main
 processes requests for phone book         becomes important.
                                                                                      system (for PCs). They simply record
 updates. A specifically malformed
                                           Intrusion Prevention - systems             what is typed at the keyboard; the
 HTTP request from a malicious user
                                           monitor for suspicious activity with the   hacker can later retrieve the device
 can cause a buffer overflow in the
                                           aim of proactively blocking potential      and examine its contents.
 Phone Book Service, which might
                                           attacks. Typically, an IP system
 allow the malicious user to run unau-                                                Phishing - occurs when a consumer
                                           comprises a software agent that resides
 thorized code on the server, or cause                                                receives a deceptively legitimate
                                           near to the host's operating system
 the service to fail.                                                                 looking e-mail from what appears to be
                                           kernel, which monitors system calls
 Source: extract from a Microsoft                                                     a reputable company (see Spoofing).
                                           before they reach the kernel using a
 security update.                                                                     The e-mail might ask a recipient to, for
                                           rules engine to identify potentially
                                                                                      example, update their credit card
                                           suspicious activity. This can then be
                                                                                      information, and/or provide other
number, address, credit card number,       halted, or the systems administrator
                                                                                      personal details to avoid their account
or bank account number. The identity       alerted. A drawback is that IP systems
                                                                                      being terminated. Another approach is
thief can then use the stolen              can respond to legitimate activities and
                                                                                      for the sender of the message to offer
information to obtain loans or credit      generate false alarms. Defining
                                                                                      a service, for example to protect their
lines to buy goods and services under      exceptions can reduce such false alarms,
                                                                                      credit cards from possible fraud. Those
the stolen name. Identity thieves          but there are pros and cons to this.
                                                                                      stung by phishing are victims of
typically change the consumer's mailing    Keystroke logger (or keylogger) - is       "identity theft" (see above).
address to hide their activities.          a program that runs in the background
Intrusion detection - the art and          recording all keystrokes. Once logged,
science of detecting when a computer       the keystrokes are returned to the
                                           hacker who peruses them carefully to
                                                                                        Attempted identity theft
or network is being used inappropri-
ately or without authority. An ID          identify passwords and other useful          National Australia Bank customers
system monitors system and network         information that could be used to            became targets for an e-mail fraud in
                                                                                        which they were sent (grammatically
                                                                                        incorrect) requests, purportedly from
                                                                                        the bank, requesting them to connect
                                                                                        to the NAB web site.
                                                                                        "Dear valued customer," it read, "Our
                                                                                        new security system will help you to
                                                                                        avoid frequently fraud transactions
                                                                                        and to keep your investments in
                                                                                        safety." The e-mail encouraged
                                                                                        recipients to click a link in the body of
                                                                                        the message, which then connected
                                                                                        them to a site that mimicked the NAB
                                                                                        Web site but that had been set up to
                                                                                        capture their login and password
                                                                                        The scam used a message previously
                                                                                        used to targeted other banks'
                                                                                                                     into IT   I   19

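The account review recommended above (reconciling activated accounts, guests, supposedly disabled accounts and their privileges against what should exist) can be scripted. The following is an added example, not code from the article: it compares a constructed list of accounts found on a host with an authorised baseline and reports the discrepancies an investigator would want to question. Account names, the record layout and the sample data are all assumptions.

```python
"""Reconcile the accounts actually present on a compromised host against an
authorised baseline, as part of a post-intrusion investigation.

Added example: the record layout and all sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    privileged: bool   # e.g. member of an administrators group
    kind: str          # "user", "guest" or "service"


# Baseline: what the system owner says should exist (constructed sample).
BASELINE = {
    "alice":  Account("alice",  True,  True,  "user"),
    "bob":    Account("bob",    True,  False, "user"),
    "carol":  Account("carol",  False, False, "user"),    # left the organisation
    "guest":  Account("guest",  False, False, "guest"),
    "backup": Account("backup", True,  False, "service"),
}

# Observed: what is actually configured on the host (constructed sample).
OBSERVED = [
    Account("alice",   True, True,  "user"),
    Account("bob",     True, True,  "user"),     # privilege escalated
    Account("carol",   True, False, "user"),     # should be disabled
    Account("guest",   True, False, "guest"),    # guest re-enabled
    Account("backup",  True, False, "service"),
    Account("support", True, True,  "user"),     # not in the baseline at all
]


def reconcile(baseline, observed):
    """Return a sorted list of (account, reason) findings; an empty list
    means the host agrees with the baseline."""
    findings = []
    seen = set()
    for acct in observed:
        seen.add(acct.name)
        expected = baseline.get(acct.name)
        if expected is None:
            findings.append((acct.name, "unexplained account not in baseline"))
            continue
        if acct.enabled and not expected.enabled:
            reason = ("guest account enabled" if acct.kind == "guest"
                      else "supposedly disabled account is enabled")
            findings.append((acct.name, reason))
        if acct.privileged and not expected.privileged:
            findings.append((acct.name, "privileges exceed baseline"))
    # An account that has vanished also needs explaining: a missing service
    # account may mean a backup or logging process has been replaced.
    for name in baseline:
        if name not in seen:
            findings.append((name, "baseline account missing from host"))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in reconcile(BASELINE, OBSERVED):
        print(f"{name:10s} {reason}")
```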
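The Intrusion Prevention entry above describes an agent that checks system calls against a rules engine, and the false alarms that defined exceptions are meant to suppress. Here is an added example, not from the article, of such a rules engine run over a constructed stream of system-call events; the rules, the exception list, the event format and the program names are all assumptions.

```python
"""Host intrusion prevention in miniature: a rules engine that inspects
system-call events before they are allowed to proceed, with an exception
list that suppresses known-benign activity (the false alarms the glossary
entry warns about).

Added example; the event format, rules and sample events are constructed.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class SyscallEvent:
    process: str   # name of the calling program
    call: str      # "open_write", "execve", "connect", ...
    target: str    # file path or remote address


@dataclass(frozen=True)
class Rule:
    name: str
    call: str
    target_glob: str
    action: str    # "block" (halt the call) or "alert" (let it run, notify)


RULES = [
    Rule("log-tamper",   "open_write", "/var/log/*",  "block"),
    Rule("tmp-exec",     "execve",     "/tmp/*",      "block"),
    Rule("shadow-write", "open_write", "/etc/shadow", "block"),
    Rule("irc-connect",  "connect",    "*:6667",      "alert"),
]

# Exceptions: (process, rule) pairs the administrator has reviewed and accepted.
EXCEPTIONS = {
    ("syslogd", "log-tamper"),    # the system logger legitimately writes logs
    ("passwd",  "shadow-write"),  # password changes must update /etc/shadow
}


def decide(event, rules=RULES, exceptions=EXCEPTIONS):
    """Return ("allow" | "block" | "alert", matched_rule_name_or_None)."""
    for rule in rules:
        if event.call != rule.call:
            continue
        if not fnmatch.fnmatchcase(event.target, rule.target_glob):
            continue
        if (event.process, rule.name) in exceptions:
            return "allow", rule.name        # matched, but whitelisted
        return rule.action, rule.name
    return "allow", None


# Constructed sample of events as a kernel-side agent might see them.
EVENTS = [
    SyscallEvent("syslogd", "open_write", "/var/log/messages"),    # benign
    SyscallEvent("httpd",   "open_write", "/var/log/messages"),    # log tampering?
    SyscallEvent("sh",      "execve",     "/tmp/.x/dropped"),      # binary in /tmp
    SyscallEvent("passwd",  "open_write", "/etc/shadow"),          # benign
    SyscallEvent("httpd",   "connect",    "203.0.113.9:6667"),     # odd outbound IRC
    SyscallEvent("httpd",   "open_write", "/var/www/cache/page"),  # ordinary
]


def run(events, rules=RULES, exceptions=EXCEPTIONS):
    """Evaluate every event; return a list of (process, decision, rule)."""
    return [(e.process,) + decide(e, rules, exceptions) for e in events]


def false_alarms(events, rules=RULES, exceptions=EXCEPTIONS):
    """Events that would be halted or flagged without the exception list but
    are allowed with it: the noise the exceptions exist to remove."""
    return [e for e in events
            if decide(e, rules, set())[0] != "allow"
            and decide(e, rules, exceptions)[0] == "allow"]


if __name__ == "__main__":
    for process, decision, rule in run(EVENTS):
        print(f"{process:8s} {decision:6s} {rule or '-'}")
```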
Rootkit - a collection of tools and utilities that a hacker can use to hide their presence and gather data to help them further infiltrate a network. Typically, a rootkit includes tools to log keystrokes (see keylogger above), create secret backdoor entrances to the system, monitor packets on the network to gain information, and alter system log files and administrative tools to prevent detection.

Social engineering - in his book, The Art of Deception: Controlling the Human Element of Security [4], arch-hacker Kevin Mitnick poses the question: why bother attacking technology when the weakest link lies not in the computer hardware or software, but in humans who can be tricked into giving up their passwords and other secrets? Mitnick goes on to state that social engineering "uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. The social engineer is able to take advantage of people to obtain information with or without the use of

[4] Wiley, ISBN 0-471-23712-4

Spoofing - in essence a technique that depends on forging the identity of someone or something else ("masquerading"), the aim being to alter the trust relationship between the parties to a transaction.

In the online world, there are different flavours of spoofing. A hacker might employ sophisticated e-mail spoofing to make it appear that an e-mail requiring the victim to confirm their account details, including such information as their logon ID and password, has been sent by a reputable person or organisation (see "phishing" and "social engineering" above).

IP spoofing is another common form of online camouflage, in which a hacker attempts to gain unauthorised access to a computer or network by making it appear that a packet has come from a trusted machine by spoofing its unique Internet IP address. A countermeasure is to use a Virtual Private Network (VPN) protocol, a method that involves encrypting the data in each packet, as well as the source address, using encryption keys that a potential attacker doesn't have. The VPN software or firmware decrypts the packet and source address, and performs a checksum. The packet is discarded if either the data or the source address has been tampered with.

Trojan horse - a name derived from the classic Trojan horse in Homer's Iliad. After spending many months unsuccessfully besieging the fortified city of Troy, the Greeks evolved a strategy. They departed, leaving behind them as a gift a large wooden horse, which the citizens of Troy brought into town. Unknown to them, the horse contained Greek warriors, who at night jumped out and opened the city gates, letting in the Greek army who had been in hiding.

In the IT environment - and setting aside the legitimate use of network administration tools - Trojans are generally considered a class of "malware" that, like their predecessor, contain covert functionality. They act as a means of entering a target computer undetected and then allowing a remote hacker unrestricted access and control. They generally incorporate a rootkit (see above).

About the author

N. Nagarajan CISA joined the Office of the Comptroller and Auditor General of India in 1989, and is presently employed as Senior Deputy Accountant General in Mumbai. In addition to his wide experience in auditing IT (particularly in the field of Electronic Data Interchange) and in training staff in IT audit skills, Nagarajan has also worked as a developer of pensions systems. Nagarajan's international work includes audit assignments at the United Nations in New York, and a two-year secondment to the Office of the Auditor General of Mauritius, where he was involved in training staff and in the audit of EDI systems operated by the Customs department. Nagarajan has been published in a number of international

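The VPN countermeasure in the Spoofing entry above binds the source address and the data to a key the attacker does not hold, so a packet with a forged address or altered contents fails the check and is discarded. The following is an added example, not from the article, of that keyed integrity check on its own (the encryption step a real VPN also applies is omitted so the check stays visible); the packet layout and the addresses are constructed.

```python
"""Keyed integrity check on tunnelled packets, illustrating why IP spoofing
fails against a VPN-style gateway: the source address and the payload are
bound together by a key the attacker does not hold, so a forged or altered
packet is discarded.

Added example. It shows the keyed checksum only; a real VPN also encrypts
the packet, which is left out here to keep the check itself visible.
The packet layout (4-byte address, payload, 32-byte tag) is constructed.
"""
import hashlib
import hmac
import ipaddress
import os

TAG_LEN = 32   # HMAC-SHA256 output size


def seal(key: bytes, src_ip: str, payload: bytes) -> bytes:
    """Sender side: address || payload || HMAC(key, address || payload)."""
    addr = ipaddress.IPv4Address(src_ip).packed
    tag = hmac.new(key, addr + payload, hashlib.sha256).digest()
    return addr + payload + tag


def open_packet(key: bytes, packet: bytes):
    """Receiver side: return (src_ip, payload) if the tag verifies, else
    None, meaning the packet is discarded."""
    if len(packet) < 4 + TAG_LEN:
        return None
    addr, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, addr + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return str(ipaddress.IPv4Address(addr)), payload


def demo(key=None):
    """Four cases: a genuine packet, a captured packet with its source
    address rewritten, a captured packet with its data altered, and a packet
    forged without the shared key. Only the first should be accepted."""
    key = key or os.urandom(32)          # shared by the two VPN endpoints
    good = seal(key, "10.1.1.5", b"GET /report")
    readdressed = ipaddress.IPv4Address("192.0.2.77").packed + good[4:]
    altered = good[:4] + b"GET /secret" + good[-TAG_LEN:]
    forged = seal(b"guessed-key", "10.1.1.5", b"GET /report")
    return {
        "genuine": open_packet(key, good),
        "readdressed": open_packet(key, readdressed),
        "altered": open_packet(key, altered),
        "forged": open_packet(key, forged),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {'accepted' if result else 'discarded'}")
```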
State of North Carolina
Office of the State Auditor:

The State Auditor of North Carolina supervised a penetration test on 22 of the state's network security systems - in 21 cases the test team were able to take control of the target computers using programs that are readily available to hackers and the public.

This article describes the approach to testing taken by the Office of the State Auditor. The full audit report can be downloaded from the State Auditor's web site at...

Overview

In a series of projects to evaluate the network and computer security in place within selected areas of state government, contractors employed by the Office of the State Auditor (OSA) attempted to penetrate the network security systems at 22 of the State's computer systems. The outcome was that security engineers gained control of computers in 21 of the target systems using programs that are readily available to hackers and the public.

To further assist agencies to achieve a "best practice" level of information security over their internal systems, data and assets, we performed a comprehensive information security assessment at the Dept of Revenue, Dept of Treasurer, Office of the State Controller, and Dept of Health and Human Services. While our assessments identified well-defined and effective security controls, we also identified several areas that posed extreme security risks and exposed the agency concerned to possible internal or external attack. We classified control weaknesses as High, Medium or Low in relation to the level of risk, and on this basis concluded that the overall risk that the agency or state network could be compromised was High.

(Photo caption: "Capitol Building, Raleigh")

Phase I - preliminary state-wide assessment

Our assessment determined that the State's systems were at high risk for Internet-based attacks. We subjected the twenty-two agencies that hosted the critical information systems for the Executive, Legislative and Judicial branches of state government to an External Network Penetration Test. This was broken down into four separate phases:

Phase 1 - intelligence gathering: using common communications protocols and applications, our security engineers determined what information was available to the general public regarding the State's network. This information was then reviewed to determine whether it offered potential intruders an adequate view of the network infrastructure from which they could develop a network blueprint.

       North Carolina Office of the State Auditor
       The State Auditor is a member of the Council of State and is elected by the voters of North Carolina every four years.
       Under the State's Constitution and General Statutes the State Auditor is responsible for conducting and coordinating
       audits of state agencies and programs supported by state funds. The audits conducted by the Office of the State
       Auditor include financial and compliance audits on state agencies including community colleges, the Clerks of Superior
       Court, and the Smart Start partnerships; performance audits to evaluate the effectiveness and efficiency of state
       agencies and programs; information systems audits on the state's data processing systems; and special reviews to
       investigate allegations of fraud, waste, or abuse in the state supported agencies or programs.

Phase 2 - active reconnaissance: our security engineers used a combination of "hacker" utilities along with the contractor's internally developed audit tools to identify specific hosts and services that were accessible from the Internet. This resulted in a partial list of accessible hosts and a list of possible services offered.

Phase 3 - attack and toehold: the object of this phase was to gain user level access to (at least) one host in each agency. Using a combination of "hacker" utilities and internally developed auditing tools our security engineers tested the vulnerability of popular services offered on various hosts to undetected, unauthorised access to the State's network. In cases where automated scanners did not determine the nature of a specific service, the engineers connected directly to the service to verify the security issues.

Phase 4 - privilege escalation: our security engineers manually demonstrated their ability to increase their privileges on host sites managed by each Agency in the presence of the Agency Head (or Chief Deputy) and the Information Systems Director. This technique provided a real-time perspective for agency representatives regarding the amount of time required to penetrate their networks and gain control of proprietary agency information. It also provided an additional buffer for service restoration; should a target machine break down during an attack the responsible individuals could be notified immediately.

Our security engineers succeeded in penetrating 21 of the 22 agencies identified as part of this test. In almost every case they gained full control of an agency computer or device in 30 minutes or less, and in some cases were able to monitor work being carried out while having complete control over the computer. After gaining control they were able to monitor network traffic, capture other user ids and passwords, and launch other attacks that went undetected. However, in one case, due to the vulnerability identified and exploited being on a device owned by a different agency, our security engineers were unable to complete the attack in the 1 hour and 30 minutes allowed them.

At the time of our testing the security posture of the State's network offered little protection from hacker attacks via the Internet and was therefore at high risk of compromise. Our testing enabled us to provide each agency and Information Technology Services with detailed reports describing the weaknesses we had identified and our recommendations for corrective action. These security enhancements have been acted on.

This comprehensive information security assessment focused on five key areas:

- Security Policy Assessment, which evaluates the implementation of security policies and procedures.
- Network Architecture Assessment, which is a detailed review of a network design.
- Network Vulnerability Assessment, which provides a thorough understanding of security-related weaknesses and exposures in networks.
- Host Vulnerability Assessment, which reviews the current security configuration of mainframes and operating systems.
- Secure Build Review (one agency only), which is a security analysis in a non-production environment for the build procedure for a desktop client computer.
22   I    into IT

Phase II - comprehensive vulnerability assessment

Following Phase I, four agencies volunteered to be subjected to a more comprehensive assessment of their production networks. Phase II addressed five key areas: Security Policy Assessment, Network Architecture Assessment, Network Vulnerability Assessment, Host Vulnerability Assessment, and Secure Build Review (Dept of Revenue only).

The table shows the tests we carried out at each agency. These can be summarised as follows (further details are set out in the Annex):

Tests carried out at each agency (a tick marks a test performed):

| Agency                            | Security Policy Assessment | Network Architecture Assessment | Network Vulnerability Assessment | Host Vulnerability Assessment | Secure Build Review |
|-----------------------------------|----------------------------|---------------------------------|----------------------------------|-------------------------------|---------------------|
| Dept of Revenue                   | ✓                          | ✓                               | ✓                                | ✓                             | ✓                   |
| Dept of the State Treasurer       | ✓                          | ✓                               | ✓                                | ✓                             |                     |
| Office of the State Controller    | ✓                          | ✓                               | ✓                                | ✓                             |                     |
| Dept of Health and Human Services |                            |                                 | ✓                                | ✓                             |                     |

Number of weaknesses found, by risk level:

| Risk Levels | Dept of Revenue | Dept of State Treasurer | Office of the State Controller | Dept of Health and Human Services |
|-------------|-----------------|-------------------------|--------------------------------|-----------------------------------|
| High        | 7               | 5                       | 4                              | 23                                |
| Medium      | 7               | 6                       | 2                              | 6                                 |
| Low         | 5               | 2                       | 1                              | 3                                 |
| Overall     | Moderate        | High                    | Moderate                       | High                              |

Security Policy Assessment: our objectives here were to:

- evaluate current security policies and practices: this involved reviewing security policy and associated procedures for completeness, accuracy, and appropriateness. We also reviewed current incident response policies and procedures;
- provide recommendations based on best practices and knowledge of the client's business objectives and organisational infrastructure.

Network Architecture Assessment: in this stage we focused on the internal network infrastructure, Wide Area Network (WAN) connections to remote locations, and Internet connectivity through the North Carolina Integrated Information Network. We examined the business and technical requirements of the current network infrastructure to ensure a proper balance between functionality, cost, and security.

Network Vulnerability Assessment: having gained an understanding of the network architecture, we assessed network vulnerabilities. We examined the configuration of network devices, firewalls, and public web servers to provide a current view of vulnerabilities and threats. Our assessment consisted of a review of devices owned and maintained by each agency and devices owned and maintained by Information Technology Services.

Host Vulnerability Assessment: the aim in this stage was to provide a current view of threats and vulnerabilities. Our assessment covered the agency's client services and supporting infrastructure, and consisted of a review of a number of hosts owned and maintained by the agency.

Secure Build Review (Dept of Revenue Only): during the Secure Build Review we examined the build process created by the Information Technology group (within the Department of Revenue) for building desktop client computers.

Our testing uncovered a number of weaknesses at each of the agencies, some being sufficient to permit unauthorised access, data manipulation, or data destruction. We classified each weakness according to its relative risk using the following definitions:

High-level Risk: defined as a vulnerability that could cause grave consequences if not addressed and remedied immediately. This type of vulnerability is evident within the most sensitive portions of the network, as identified by the data owner. This vulnerability could cause network functionality to cease or control of the network to be gained by an intruder;

Medium-level Risk: defined as a vulnerability that should be addressed within the near future. There is urgency in correcting this type of vulnerability; however, this may be either a more difficult exploit to perform or of lesser concern to the data owner;

Low-level Risk: defined as a vulnerability that should be fixed; however, it is unlikely that this vulnerability alone would allow the network to be exploited and/or it is of little consequence to the data owner.

We provided each agency with a detailed report that set out the specific vulnerabilities we had identified together with our recommendations for corrective action. In each of the four agency assessments we also identified vulnerabilities affecting devices controlled by Information Technology Services, and we disclosed these to ITS for corrective action.

The vulnerability assessment performed at the Department of Health and Human Services covered nine of the Department's divisions. Although the results have been consolidated for this article, we evaluated and reported on each division separately.

Next Steps

The four agencies that volunteered to participate in this vulnerability assessment should be commended for their concern for information systems security. The results of these tests will assist both them and ITS to strengthen network security. However, every state government agency should be subject to a thorough vulnerability assessment, with regular follow-ups.

Our participation in these assessments helped the Office of the State Auditor's Information Systems Audit Division to develop the skills and testing expertise to perform these tests in the future. To be successful in these efforts, OSA must acquire the testing software necessary to analyse networks for vulnerabilities, establish testing facilities, and continue to receive specialised training in the latest advances in networks and the related vulnerabilities.

North Carolina Office of the State Auditor

Annex

Further details of our test objectives during "Phase II - Comprehensive Vulnerability Assessment" are as follows:

Network Architecture Assessment

This assessment was divided into the following key areas:

- Network Overview;
- Segmentation Model;
- IP Routing;
- Redundancy;
- Encryption;
- Remote Access;
- Network Management;
- Anti-Virus;
- Intrusion Detection Systems;
- Backups;
- Firewalls.

Our key objectives were to:

- interview business and technical representatives to gain a solid understanding of business objectives and requirements;
- review technical requirements for the network;
- review required data flows;
- assess security zones and access controls;
- review at a high level the host and network management strategy;
- review at a high level the enterprise backup strategy;
- review at a high level the enterprise virus
- identify applicable industry best practices;
- identify and validate security issues of immediate consequence;
- develop long-term recommendations to enhance security;
- transfer knowledge.

Network vulnerability assessment

Our key objectives in this stage were to:

- develop a picture of the network, including topology, devices and hosts, and services for correlation against provided information and documentation;
- assess network device configuration for vulnerabilities or insecure configurations;
- use active probing to assess network security features such as firewall configuration, intrusion detection systems (IDS), and virtual private networks for vulnerabilities or insecure configuration;
- analyse the perimeter firewall's rule set;
- assess the configuration and architecture of directory services;
- assess the mainframe environment's security configuration;
- identify and validate vulnerabilities in network components, and overall architecture;
- identify quick fixes for vulnerabilities;
- develop long-term recommendations to enhance security.

Host vulnerability assessment

The key objectives of this assessment were to:

- assess server configuration (domain controllers, web servers, application servers, database servers) for vulnerabilities or insecure configurations;
- identify and validate vulnerabilities in network and server components, and overall architecture;
- identify quick fixes for vulnerabilities;
- develop long-term recommendations to enhance security.

Secure Build Review (Department of Revenue Only)

The key objectives of this review were to:

- interview technical and business representatives to gain a solid understanding of the demands placed upon the system and how they impact the host;
- review the intended use of the platform to understand requirements and tailor recommendations;
- establish secure build methodology for evaluating the build;
- examine existing hosts in the production environment for the application of patches and upgrades;
- assess operating system configuration, including: insecure services, permissions, and registry settings as well as unnecessary services and
- identify and validate security issues of immediate consequence;
- develop recommendations to enhance security.

Trojan Horses and Rootkits

A Trojan horse program - "Trojan" for short - is a piece of computer software that provides intentionally hidden or covert functionality.

This definition includes a wide range of malicious software, such as keystroke loggers¹ and logic bombs². However, the commonest types of Trojans are those that, once executed, enable attackers to bypass existing security measures to access a computer. Among these, the most effective incorporate a "rootkit" program designed to conceal their presence.

Trojans are usually network applications that typically comprise a server installed on the victim's computer and a client on the attacker's computer. The server listens for commands sent from the client and responds by returning data to the client. It is also possible for Trojans to be "peer-to-peer" applications, such as file sharing software or Internet Relay Chat (IRC). Although these types of applications may be installed by attackers on compromised machines, they are not Trojans in themselves.

Trojans, which are continually evolving, can undermine the central pillars of information security: confidentiality, integrity, and availability. For "stealthiness" reasons, they have an increasing tendency to make their network traffic appear as existing services in order to obscure their presence. For example, Setiri, a recent proof-of-concept Trojan, bypasses network intrusion detection devices and firewalls by using commands embedded in web traffic to

Rootkits designed to hide Trojans fall into three types: file system rootkits, library rootkits and kernel rootkits.

Traditional rootkits simply modify common user programs so that the Trojan is invisible to the system administrator when file and process listings are made. A variation on the traditional rootkit replaces some system library functions with Trojan versions, thereby avoiding detection by a system administrator who was using checksum and file integrity checking software to identify changes to key programs. However, changes to library files are also likely to be detected by integrity checking software, although the system administrator may ignore the warning because new programs might at any rate require updated libraries.

The most sophisticated type of Trojan modifies some objects or processes that run with system privilege. Some techniques used by hackers are to:

- modify the system kernel executable file and its integrity checking;
- install a device driver, loadable kernel module or other program running at system level, and use it to modify the code executed by another system process;
- patch system memory or running processes.

Each of these techniques requires administrator access to load a system level executable or to patch a system file, while writing an effective rootkit of this kind also requires a good knowledge of system programming. There are, however, kernel rootkits available for both Windows (for example, NT Rootkit) and UNIX systems (for example, Adore/ava) and a number of do-it-yourself guides. It's important to appreciate that because kernel rootkits undermine the trusted computing base, they represent the most serious way in which a computer can be compromised.

"Trojans, trust not the horse. Whatever it be, I fear the Greeks, even when bringing gifts."
Virgil (70-19BC) - Aeneid, Book II

1 Keystroke loggers - software that covertly monitors what is typed at the keyboard (including passwords).
2 Logic bombs - software that can be triggered to damage data on your computer system.
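The checksum and file integrity checking the article describes, as an added example (not code from the article, NISCC, or any named tool): a baseline of SHA-256 hashes over programs and shared libraries, compared against a fresh scan so that a library swap is reported alongside modified user programs. The directory layout, file contents and baseline store location in `demo()` are constructed for the example; the article's caveat still holds, since a kernel rootkit can feed this checker false file contents.

```python
"""File integrity baseline checker (added example, not from the article).

Hashes key programs *and* shared libraries, so that a library rootkit's
substituted files are reported, not just changes to user programs.
Caveat from the article: once the kernel is compromised, what this
checker reads from disk can itself be a lie.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file below root (path relative to root) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # a symlink's target is hashed under its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def save_baseline(baseline: Dict[str, str], store: str) -> None:
    """Persist the baseline. In practice keep the store read-only or offline:
    an intruder who can rewrite it can also rewrite the evidence."""
    with open(store, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(store: str) -> Dict[str, str]:
    with open(store, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the stored baseline and a fresh scan."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a tiny 'system' tree is baselined, then tampered
    with in the ways the article describes (library swap, dropped helper,
    removed administration tool)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        originals = {
            "bin/ls": b"genuine ls binary",
            "bin/ps": b"genuine ps binary",
            "lib/libc.so": b"genuine C library",
        }
        for rel, data in originals.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        store = os.path.join(safe, "baseline.json")  # kept outside the scanned tree
        save_baseline(build_baseline(root), store)

        # Simulated library rootkit: the C library is replaced, no user program touched.
        with open(os.path.join(root, "lib/libc.so"), "wb") as fh:
            fh.write(b"trojaned C library")
        # Plus a dropped hidden helper and a removed process-listing tool.
        with open(os.path.join(root, "bin/.helper"), "wb") as fh:
            fh.write(b"hidden helper")
        os.remove(os.path.join(root, "bin/ps"))

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```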

Common examples of Trojans - which should be detected by your organisation's firewall - are Subseven, Back Orifice 2000 (BO2K), Netbus and distributed denial of service tools such as Trinoo and Stacheldraht. They provide a rich set of functionality, including:

- logging the victim's keystrokes (including passwords);
- representing the victim's screen on the attacker's computer;
- monitoring network traffic on the victim's network;
- hijacking TCP sessions involving the victim's computer;
- recording conversations via the victim computer's microphone or controlling a webcam;
- sending files from the victim's computer to the attacker;
- using the computer as a platform for attacks on other computers (denial of service, for example);
- using the compromised host for email, chat and file storage;
- modifying data on the victim's computer.

Kernel Rootkits

With a kernel rootkit installed a computer becomes totally untrustworthy and might not implement any of the security measures that the standard operating system

A key message to conclude this brief overview of Trojans and rootkits is that prevention is far better than cure. Fortunately there are a number of steps that you can use to reduce the chances of system compromise by a Trojan:

- follow good network security practice³;
- because e-mail is a common way for a Trojan to be sent to a victim's computer, block all executable mail attachments at the network perimeter, or at the very least ensure that they are digitally signed by a trusted party;
- ensure that the security permissions of all users reflect least privilege (for example, restricting installation privileges to a sensible number of system administrators);
- follow the vendor's best practice security advice for operating system and application configuration;
- use an appropriate virus/Trojan scanner on a regular basis.

Least privilege can be hard to enforce, but system administrators should ensure that users have appropriate read, write and execute permissions on system objects, including keys in the Microsoft Windows registry.

If you suspect that your system has been compromised, an anti-virus or Trojan detection program might detect malicious software on your system, but it might not, especially if the system kernel has been compromised. In general you will need to employ specialist analysis tools, perhaps through a specialist security consultant.

N.I.S.C.C. (http://www.niscc.gov.uk)

Editor: the major anti-virus software suppliers provide good descriptions of many Trojans (and viruses and worms) on their web sites. For example:

Sophos... http://www.sophos.com/virusinfo/analyses/
Symantec... http://securityresponse.symantec.com/avcenter/vinfodb.html/
Network Associates... glossary.asp
MessageLabs (managed service)...

3 See NISCC Technical Note 01/02... http://www.uniras.gov.uk (see Alerts & Briefings for 2002)
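The perimeter control from the prevention list above, as an added example (not code from the article or NISCC): a mail filter that flags executable attachments by file name and, because a renamed executable is still an executable, by its leading bytes. The extension list, the sender and recipient addresses and the sample message are assumptions constructed for the example; checking a trusted digital signature, the article's alternative, is left to a real gateway.

```python
"""Perimeter filter for executable mail attachments (added example, not from
the article). Implements the article's advice to block executable attachments
at the network perimeter, catching both obvious executable names and
executables disguised behind a document-like name and MIME type."""
import email
import email.policy
from email.message import EmailMessage
from typing import List, Tuple

# File types Windows runs on double-click (assumed list; extend to local policy).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi", ".dll",
}
# DOS/PE executables begin with "MZ"; ELF binaries with 0x7f "ELF".
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def is_executable(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an attachment is executable and say why."""
    name = (filename or "").lower()
    # Judge by the last extension only, so 'invoice.pdf.exe' is seen as .exe.
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return True, f"executable extension {ext}"
    for magic in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return True, "executable magic bytes behind a non-executable name"
    return False, ""


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment that should be blocked."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        filename = part.get_filename() or "<unnamed>"
        flagged, reason = is_executable(filename, data)
        if flagged:
            findings.append((filename, reason))
    return findings


def should_block(raw: bytes) -> bool:
    """Article's policy: any executable attachment blocks the whole message."""
    return bool(scan_message(raw))


def build_sample_message() -> bytes:
    """Constructed message: two harmless attachments and two executables, one
    of them disguised as a PDF by both its name and its declared MIME type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"%PDF-1.4 fake report", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="scan.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, reason in scan_message(raw):
        print(f"BLOCK {name}: {reason}")
    print("message blocked:", should_block(raw))
```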

Intrusion Detection Systems are the burglar alarms of the network security world, while Intrusion Prevention Systems can additionally be programmed to respond to an attack. This article describes the concepts behind both IDS and IPS technologies, and compares and contrasts their different approaches.

Introduction

Firewalls have long been the mainstay of network security. Their role is to control access to network components or services in accordance with the policy defined by the system owner. They achieve this by examining the headers of IP packets and making decisions accordingly. However, this does leave the host system potentially vulnerable to attacks against its permitted services - such as exploits against a publicly-accessible web server - because in general no account is taken of the content of the packet, only that it corresponds to a permitted service.

Intrusion Detection systems (IDS) are the 'burglar alarms' of network security, designed to go off when activated by a particular trigger. In common with burglar alarms, the response then often depends on past experience - if your neighbour's house alarm has gone off by mistake five times in the last week, do you recognise the significance on the sixth occasion or just ignore it? Alternatively, the response may depend on the availability of someone with the right experience to analyse the event and take appropriate action.

Intrusion Prevention systems (IPS) also aim to detect indications of an attack in progress, but they can respond automatically and in a predefined manner to prevent an attack from impacting the target system. This ability to respond means an IPS offers the potential to enable a system to remain on-line despite being under attack.

Intrusion Detection Systems

This article only summarises the principles of IDS, but interested readers may wish to refer for further information to the NISCC Technical Note 05/02: Understanding Intrusion Detection Systems, which is available on our web site (http://www.uniras.gov.uk).

IDSs come in two main flavours, Network-based IDS (or NIDS) and Host-based IDS (or HIDS). As their names imply, NIDS systems examine data on the Network link being monitored for signs of attack, whilst HIDS reside on a Host machine (for example a file server or a web server) and examine transactions with that particular Host for signs of malicious activity (this may be achieved using data passed to the application or logs generated by the application or server).

IDSs are generally 'passive' - they observe and report on potentially malicious activity rather than actively responding to stop an attack.

There are three main mechanisms by which IDSs attempt to identify attacks:

•  Rule based: in this architecture the IDS contains a library of 'signatures' that correspond to known attack vectors. For example, a signature for detecting the actions of the Code Red worm may involve detecting a request for 'default.ida' over HTTP. Each data item - for example, a packet that passes 'on the wire' (i.e. in transit on the network) or data that arrives at a particular host - is compared to the signature library and an alert or log entry is generated as appropriate.

•  Anomaly detection: this category of IDS attempts to determine the presence of an attack based on the presence of data items or activities that fall outside the 'normal' pattern of behaviour. For these to be effective, the system needs 'training' to learn what constitutes normal behaviour.

•  Protocol Analysis: attempts to detect protocol elements that do not conform to the appropriate standard, anomalies that may indicate an attempted attack.

Anomaly detection engines are designed to detect attacks through comparison with a baseline of the normal system behaviour. This approach will always be more prone to 'false positives' because a statistical metric is used to determine 'good' and 'bad'; thus benign traffic from an application that wasn't in the 'training set' of the IDS could be flagged as anomalous and raise an alert.
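As an added illustration (not code from the NISCC article), the following Python sketch runs all three mechanisms over constructed HTTP request records: a signature library containing the article's Code Red 'default.ida' rule, an HTTP request-line conformance check, and a per-source request-rate baseline learned from a 'training set'. The traffic, the second signature, the URI length limit and the thresholds are all invented for illustration; note how the benign backup host that was absent from the training set is flagged, the false-positive behaviour described above.

```python
"""Toy passive IDS: signature matching, protocol analysis and anomaly detection.

Added example; all traffic, signatures and limits below are constructed.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """One data item 'on the wire': source, destination and the HTTP request line."""
    src: str
    dst: str
    payload: str


# 1. Rule based: a library of signatures corresponding to known attack vectors.
#    The first entry is the article's Code Red example; the second is constructed.
SIGNATURES = {
    "CodeRed default.ida probe": re.compile(r"^GET\s+/default\.ida\?", re.I),
    "directory traversal": re.compile(r"\.\./"),
}


def match_signatures(pkt: Packet) -> List[str]:
    """Names of every signature whose pattern occurs in the packet payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(pkt.payload)]


# 2. Protocol analysis: does the request line conform to HTTP/1.x syntax?
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE)\s+\S+\s+HTTP/1\.[01]$")
MAX_URI_LEN = 128  # constructed local limit; over-long URIs are a classic overflow sign


def protocol_violation(pkt: Packet) -> Optional[str]:
    """Describe how the request line deviates from the standard, or None if it conforms."""
    if REQUEST_LINE.match(pkt.payload) is None:
        return "malformed HTTP request line"
    uri = pkt.payload.split()[1]
    if len(uri) > MAX_URI_LEN:
        return f"request URI longer than {MAX_URI_LEN} bytes"
    return None


# 3. Anomaly detection: requests-per-source baseline learned from normal traffic.
class AnomalyDetector:
    def __init__(self, k: float = 3.0):
        self.k = k            # how many standard deviations above the mean is 'abnormal'
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, normal: List[Packet]) -> None:
        counts = list(Counter(p.src for p in normal).values())
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts)

    def threshold(self) -> float:
        return self.mean + self.k * self.stdev

    def anomalous_sources(self, packets: List[Packet]) -> Dict[str, int]:
        counts = Counter(p.src for p in packets)
        return {src: n for src, n in counts.items() if n > self.threshold()}


def run_ids(packets: List[Packet], detector: AnomalyDetector) -> List[Tuple[str, str, str]]:
    """Passive IDS: return (mechanism, source, detail) alerts; nothing is blocked."""
    alerts = []
    for p in packets:
        for name in match_signatures(p):
            alerts.append(("signature", p.src, name))
        violation = protocol_violation(p)
        if violation:
            alerts.append(("protocol", p.src, violation))
    for src, n in detector.anomalous_sources(packets).items():
        alerts.append(("anomaly", src, f"{n} requests (baseline {detector.threshold():.1f})"))
    return alerts


WEB = "10.0.0.80"  # constructed address of the monitored web server


def reqs(src: str, n: int, path: str = "/index.html") -> List[Packet]:
    """n well-formed GET requests from src (constructed sample traffic)."""
    return [Packet(src, WEB, f"GET {path} HTTP/1.1") for _ in range(n)]


def demo() -> List[Tuple[str, str, str]]:
    """Train on four ordinary clients, then inspect a constructed live capture."""
    training = reqs("10.0.0.11", 8) + reqs("10.0.0.12", 10) + reqs("10.0.0.13", 12) + reqs("10.0.0.14", 10)
    detector = AnomalyDetector(k=3.0)
    detector.train(training)
    live = (
        reqs("10.0.0.11", 9)
        + reqs("10.0.0.90", 30, "/backup/status")        # new benign application, not in the training set
        + [Packet("192.0.2.77", WEB, "GET /default.ida?" + "X" * 200 + " HTTP/1.0")]  # Code Red style probe
        + [Packet("192.0.2.78", WEB, "GEt /../../secret.txt HTTP/9")]                  # traversal, malformed line
    )
    return run_ids(live, detector)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```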
Of these differing modes of operation, the signature based approach to IDS is the more mature technology, and most commercially available IDS systems fall into this category.

NIDS systems are usually deployed where they can view the most traffic, or at least the traffic on those segments that are considered most important. On a segmented network, they can be connected to a monitoring port on a switch, although data aggregation can result in problems for the IDS. HIDS would normally be deployed on the more important servers within a network. Figure 1a shows an example of a deployment architecture, the idea being that IDSs are transparent to the end user and do not add any processing overhead to the data passing between the end points of a transaction.

Fig 1a: Possible deployment architecture for NIDS (figure not reproduced)

Signature based IDS systems are very good at detecting known attacks, but they are not so good at detecting 'new' attacks due to the time delay between a new vulnerability or attack being discovered, and a vendor releasing a signature to detect it. Ideally, the IDS should provide an interface by which administrators can define their own signatures relevant to local conditions.

When discussing IDS, it is impossible to avoid considering 'false positives', which are alerts generated by an IDS due to benign activity. Signature based IDSs are prone to generating false positives, though a good understanding of the network being monitored and a period of 'training' should ensure that these are

Intrusion Prevention Systems

IPSs, which are relatively new to the market, respond in a proactive manner when they detect a potential attack. The response may take a number of different forms, such as:

•  logging the event (like a standard
•  blocking the transit of the data;
•  resetting the connection between source and destination;
•  limiting the rate of connection between source and destination;
•  re-writing firewall rules for particular conditions.

IPSs are designed to sit 'in-line' with the target system (see figure 1b), effectively acting as a 'bridge' between the internal systems requiring protection and the rest of the network. In this architecture all traffic must pass through the IPS device, which inspects all the data for signs of attack (against the signatures it has been configured to use).

Fig 1b: Possible deployment architecture for IPS (figure not reproduced)

An immediate issue with this type of architecture is the potential consequence of the IPS crashing, which may effectively cut off the target system from the rest of the network. Depending on the nature of the business, it may be preferable for the system to fail 'open', thereby providing continued availability of the network services at the cost of removing the additional layer of security provided by the IPS.

The different types of IPS system that are available commercially include:

•  Network (or Gateway IPS): sit in the network line, monitoring all network traffic for malicious activity, and are able to block packets that are designated as attacks;
•  Web server shields: sit on the web server, effectively 'wrappering' the server software. Attacks are detected by monitoring the activity undertaken by the web server account;
•  Web application firewalls: sit in the network path and inspect the contents of packets destined for any web server or web application for signs of attack.

Trusted operating systems can also be considered to be a form of IPS because they implement access control functionality and enforce user privilege restrictions.

Attack detection within the IPS can be achieved in several ways, including:

•  Signature Detection: the IPS holds a library of signatures (similar to IDS) corresponding to known attacks that it compares with data on the wire. Ideally, the administrator should have the capacity to define additional signatures relevant to local conditions.
•  Protocol Analysis: here the IPS compares the elements of the data on the wire with protocol definitions that it understands. Any deviations from the accepted protocol definition may indicate an attack, the IPS then responding in the manner in which it has been configured.
•  Anomaly Detection: similar to IDS, uses techniques to determine anomalous traffic and then respond.

Issues with detection of attacks within IPSs are similar to those within IDSs - the time delay between new attacks and signature availability, false positive rates, etc. However, in this instance the consequences of 'false positives' may be more serious, especially if the IPS is configured to block traffic from a source in the event of an 'attack' being detected.

IPS systems have the potential to form a valuable tool for network security, and for providing a means of reducing the amount of attack traffic reaching vital systems within a network. Their use to filter out traffic corresponding to known worms (such as CodeRed and Nimda) may, for example, greatly reduce the load on a web server. However, this must be offset against the risk of misidentification of attacks on service 'availability'. In common with an IDS, implementing an IPS is not a 'set and forget' task. Careful performance monitoring is necessary both to ensure that an IPS is meeting its objectives, and that the administrators remain aware of what is happening in their networks.

IDSs and IPSs are useful tools in the system administrator's armoury for helping to ensure the security of their networks. The choice of which system to deploy will depend on a number of local considerations, such as:

•  cost;
•  which parts of the network are to be protected by the deployed system;
•  availability of resource to administer the system;
•  requirement for alerts or a system making proactive defence responses;
•  availability of resource to investigate the causes of alerts generated by IDS systems;
•  applicability of detection techniques to local network services; and
•  the degree of tolerance to loss of service.

Neither type of system can be considered to be 'set and forget'. Each requires monitoring to ensure that it meets its objectives; that signature libraries remain up to date and accurate; and that administrators are aware of what is happening in their networks. Where an IPS is used to respond to an attack proactively, administrators must be aware of any configuration changes made by the IPS (such as addition/modification of firewall rules) to their network.

N.I.S.C.C. (http://www.niscc.gov.uk)

Email spoofing is a technique frequently used by perpetrators of all manner of email hoaxes to hide their identities and point the blame at somebody else. It is a favourite with spammers and also used by hackers. Spoofing received some media coverage recently when a 12-year-old was able to demonstrate how he apparently sent an email purporting to come from the UK Prime Minister to the Chancellor of the Exchequer.

The sending of spoof email is usually
carried out for the purposes of causing
embarrassment or the misinterpretation
of the individual or organisation whose
address has been spoofed.
Consequences could include recipients
of the email divulging information to
those not entitled to have it. The
information may then be used in a
manner detrimental to the victim of the
spoof. For example, interference with
customer records, with a resultant
impact on the customer. In the UK, the
sending of spoof email is, in itself, not
illegal although there is scope for legal
action where personal information is
obtained by deception or the email has
threatening content.

Sending spoof email is very simple. Most email software displays the "date received", "from" and "subject" fields. The email header containing address and routing information is generally hidden from view to prevent cluttering the screen and confusing the user. Consequently a user can be deceived if the sender simply changes the "from" field. The address is not normally checked at any stage in the process of sending an email and does not even have to be a valid address. There is little

Email spoofing - the threat

Any IT literate individual or group could use simple email spoofing. The effects which they can achieve with such attacks are limited only by their imagination and ability to write convincing bogus content. The following scenarios could be imagined:

•  Producing spoof press releases from a company or Government department to cause embarrassment.
•  Causing disruption and wasted time by feeding misinformation to critical national infrastructure organisations.
•  Encouraging users to switch off IT security features or passwords by spoofing emails from a security department.

that can be done at the server end to stop this, the only available options being:

•  to make employees aware of the email spoofing risk;
•  to require all email addresses to contain a valid domain name. This is currently being done, but even though the domain names can be checked, the email addresses themselves cannot;
•  for internal mail servers to require all source email addresses to contain the organisation's domain, unless the email is coming from an external mail server;
•  to provide some form of digital signature, as per Public Key Infrastructure (PKI). This is the only real countermeasure, but even this is not perfect;
•  authentication on the mail server (SMTP AUTH), which can provide assistance in tracking down internal staff who create spoofed email, as can the use of the IDENT protocol, which may provide the username of the sender.

Identification

Once an email has been received, there is likely to be little about it that immediately identifies it as spoofed. The only technical indicators, to be found in the "internet" or full email header, are:

•  Instead of being marked as "From:" the email is marked as "Apparently-From:". This usually indicates a hand-built email and as such the address is likely to be false.
•  The "Message-ID:" header and the "Received" header immediately above it in the internet headers list contain different domain names. This usually indicates that the headers have been faked.
•  The "Message-ID" header contains a domain that differs from the domain in the "From:" address. However, this does not guarantee that the email is spoofed.
•  The domain in the first "Received:" header is different from that in the "From:" address. Again, this does not guarantee that the email is spoofed.

Other indicators may include:

•  The grammar, language or style of writing is not consistent with the email address the email claims to come from.
•  The email may be missing the standard 'signature' the apparent sender may use.
•  The email claims to be from an individual who doesn't exist within the organisation in question.
•  If email purports to come from a government site, but does not bear a government address.

With all of the above, the common requirement is that users should be both aware of and alert to what indicators they should be looking out for.

If the sender desired further concealment, they could use an open email relay server. These are poorly secured servers that allow anybody on the Internet to connect to them and send email out. In this case, investigators examining the header of the email would only be able to trace back as far as the open mail relay, and not to the true originator.
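The four technical header indicators listed above, applied by an added Python routine that is not part of the NISCC article. The two header blocks are constructed; treating the 'first Received header' as the topmost one in the list, and comparing the Message-ID domain against the "by" host of the Received line above it, are assumptions made here.

```python
"""Check a raw email header block for the article's four technical spoofing indicators.

Added example; the two header blocks are constructed samples.
"""
import re
from typing import List, Optional, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into ordered (name, value) pairs, unfolding continuation lines."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:          # folded continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def domain_of(value: str) -> Optional[str]:
    """Domain part of an address or Message-ID (text after '@')."""
    m = ADDR_DOMAIN.search(value)
    return m.group(1).lower() if m else None


def received_hosts(value: str) -> Tuple[Optional[str], Optional[str]]:
    """(from_host, by_host) named in a Received: header, with [brackets] stripped."""
    f = re.search(r"\bfrom\s+\[?([A-Za-z0-9.-]+)\]?", value)
    b = re.search(r"\bby\s+\[?([A-Za-z0-9.-]+)\]?", value)
    return (f.group(1).lower() if f else None, b.group(1).lower() if b else None)


def same_org(a: Optional[str], b: Optional[str]) -> bool:
    """True when one name equals, or is a sub-domain of, the other (assumption: same organisation)."""
    if a is None or b is None:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def spoof_indicators(raw: str) -> List[Tuple[str, bool]]:
    """Return (indicator, reliable) pairs; 'reliable' mirrors the article's 'usually' vs 'does not guarantee'."""
    headers = parse_headers(raw)
    names = [n.lower() for n, _ in headers]
    findings: List[Tuple[str, bool]] = []

    # Indicator 1: "Apparently-From:" instead of "From:" suggests a hand-built message.
    if "apparently-from" in names and "from" not in names:
        findings.append(("apparently-from header", True))
    from_value = next((v for n, v in headers if n.lower() in ("from", "apparently-from")), "")
    from_domain = domain_of(from_value)

    # Indicators 2 and 3: Message-ID domain vs the Received header directly above it, and vs From.
    if "message-id" in names:
        idx = names.index("message-id")
        mid_domain = domain_of(headers[idx][1])
        if idx > 0 and names[idx - 1] == "received":
            _, by_host = received_hosts(headers[idx - 1][1])
            if not same_org(mid_domain, by_host):
                findings.append(("message-id/received domain mismatch", True))
        if not same_org(mid_domain, from_domain):
            findings.append(("message-id/from domain mismatch", False))

    # Indicator 4: domain in the first (topmost) Received header vs From; weak on its own.
    if "received" in names:
        from_host, _ = received_hosts(headers[names.index("received")][1])
        if not same_org(from_host, from_domain):
            findings.append(("received/from domain mismatch", False))
    return findings


# Constructed sample: a hand-built message injected through an external relay.
SPOOFED_HEADERS = """
Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.partner.example with ESMTP id 1A2B3C; Mon, 2 Feb 2004 10:01:02 +0000
Received: from [198.51.100.7] by relay.example.net with SMTP; Mon, 2 Feb 2004 09:59:00 +0000
Message-ID: <20040202.9@corp.example>
Apparently-From: Finance Director <fd@corp.example>
To: accounts@partner.example
Subject: Urgent payment instruction
"""

# Constructed sample: the same sender's mail leaving through the organisation's own server.
LEGITIMATE_HEADERS = """
Received: from mail.corp.example (mail.corp.example [203.0.113.5]) by mx.partner.example with ESMTP; Mon, 2 Feb 2004 10:05:00 +0000
Received: from desk42.corp.example by mail.corp.example with ESMTP; Mon, 2 Feb 2004 10:04:30 +0000
Message-ID: <20040202100430.77@mail.corp.example>
From: Finance Director <fd@corp.example>
To: accounts@partner.example
Subject: Monthly statement
"""

if __name__ == "__main__":
    print("spoofed:   ", spoof_indicators(SPOOFED_HEADERS))
    print("legitimate:", spoof_indicators(LEGITIMATE_HEADERS))
```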
Various domain name checks, such as allowing the recipient server to check the existence of the source domain as well as that of the recipient, can be done, but this will depend on the software being used.

Conclusion

The effects of email spoofing can be limited by the appropriate configuration of email servers and improved user awareness of the problem. Currently, the only real countermeasure is the use of digitally signed messages that allow a recipient to authenticate the identity of the sender.

N.I.S.C.C. (http://www.niscc.gov.uk)

a state auditor's network security case study

Vulnerability Assessment becomes Incident Handling in Kentucky's

The Commonwealth of Kentucky's Auditor of Public Accounts began performing network vulnerability assessments in state agencies in June 2000. One such assessment performed in July 2003 revealed a significant, long-term intrusion during which hackers with French addresses broke into Kentucky's Transportation Cabinet network and used it to:

•  Store and distribute pirated recently-released movies, music CDs and DVDs, TV shows, and new computer games;
•  Post and distribute copyrighted French medical textbooks;
•  Host an Internet chat room.

In addition, auditors found that Cabinet computers had been used to visit and view thousands of pornographic websites or images.

Auditors provided detailed evidence of the intrusion and misuse to Transportation Cabinet officials and state and federal law enforcement, highlighting for network administrators seven security issues, to wit:

•  Persistent null passwords;
•  Vulnerable administrative accounts;
•  Compromised data;
•  Password harvesting by hackers;
•  Hacker-installed tools;
•  Pirated copyrighted materials on
•  Widespread viewing of pornographic sites by system users.

[Photo: Capitol Building, Frankfort]

Auditors recommended a variety of measures designed to strengthen user passwords, fortify firewalls, remove compromised machines from the network, assume tainted application and data back-ups, rebuild compromised machines from the ground up, refer forensic evidence to proper authorities, notify business partners and the public, and anticipate retaliatory attacks.

Network security weaknesses threaten taxpayer dollars and facilitate identity theft. Three years of performing vulnerability assessments leads Kentucky's Auditor of Public Accounts to conclude that (1) a universal formula such as ICAMP [1] for quantifying the economic cost of insecure government networks must be adopted, (2) accountability for network security is largely absent in Kentucky state government agencies, and (3) auditors must perform surprise vulnerability assessments and publicize their findings in order to have the greatest impact upon network security.

assessments and publicized embarrassing findings to motivate government IT managers to give network security the priority it must have. Experience shows that if you exclude the element of surprise and the specter of adverse publicity, network insecurity may go undetected and important findings may be unaddressed, leaving systems unprotected.

Introduction

While auditors have performed information systems audits for many years, it was the Y2K alarum that foreshadowed a more systematic, focused inquiry on network security. Insecure

The first vulnerability assessment performed by Kentucky's Auditor of Public Accounts tested the security of the Commonwealth's accounting and reporting system in June 2000. Within minutes, auditors were able to gain administrator control over 14 of 17

to system weaknesses. As random testing continued, however, frustrating similarities emerged to reveal a government-wide inattention or indifference to network security. The Auditor of Public Accounts reluctantly concluded that raising public interest in the subject was essential to strengthening network security in government, and the office shifted toward making a public example of those agencies found to have disturbing weaknesses.

Common among the findings of the vulnerability assessments was an institutional failure to observe basic security principles. Perhaps the most basic security measure, the use of passwords, was frequently ignored or ineffective. In agency after agency, auditors found computers and servers with no password protection. Many administrator accounts were discovered to have null or weak passwords.

Another issue brought to light by the vulnerability assessments is the widespread belief by state government employees that network security is a responsibility reserved for the highest level of administrators. There is a mindset that network security is not a universal component in the job description of every network user. This rejection by network users of personal
                                                               system servers. Following weeks of
government networks place taxpayer                                                                                            accountability for security has been
                                                               extensive consultations with network
dollars at risk of cyber-theft and loss                                                                                       fostered by the tendency of state
                                                               administrators, the assessment was re-
through network downtime. They also
                                                               performed in December 2000, revealing
jeopardize the security of the unique
identifiers like social security numbers
                                                               a significant strengthening of system                               The failure to implement
and other confidential financial
                                                                                                                               internal controls is too costly
                                                               Thus began three years of random,
information of which government
agencies are the repositories.                                 surprise vulnerability tests in 16 state                            not to implement, as was
Moreover, hackers may exploit insecure                         government cabinets and agencies.                              demonstrated in 1996 when the
systems in the commission of other                             Each assessment produced both a
crimes. Known variously as ethical                             written report of findings and recom-                          failure to properly employ and
hacking, penetration testing, and vulner-
ability assessments, the procedures
                                                               mendations for agency managers and
                                                               contributed to a rising sense of alarm at
                                                                                                                                manage passwords allowed a
applied by auditors at every level of                          the weak network security discovered                              five million dollar embezzle-
                                                               throughout state government. During
government have revealed alarming
weaknesses, indifferent network                                the first two years, the Auditor of Public                     ment in the Kentucky Revenue
managerial attitudes, and costly                               Accounts refrained from publicizing                                          Cabinet.
intrusions. Kentucky's Auditor of Public                       assessment findings so as not to
Accounts has performed surprise                                imprudently alert opportunistic hackers

    Incident Cost & Analysis Modeling Projects... www.cic.uiuc.edu/groups/ITSecurityWorkingGroup/archive/Report/ICAMP.shtml
                                                                                                                          into IT     I   33

government systems managers to seek rational explanations, and make excuses, for insecure systems.

One such excuse refers to the democratic, open culture of government: government's information systems are therefore said to be logically open and accessible. Polemics aside, it is disingenuous to assert that prudent security measures should be compromised by fidelity to open government and trans-

Cost is the most frequently cited impediment to network security, and, to be sure, the latest architectural advancements in network security may require significant investment. Unfortunately, tight state budgets characteristically leave few, if any, dollars for security. Still, there are fundamental security measures and attitudes absent from Kentucky government agencies that require few additional resources beyond a commitment of reasonable diligence. For example, the Auditor of Public Accounts' work revealed a widespread failure of agency administrators to apply free, downloadable system patches in a timely manner, resulting in significant, costly downtime when assorted viruses and worms attacked. Furthermore, auditors are quite accustomed to effectively rebutting the argument that internal controls are too costly to implement. The failure to implement internal controls is too costly not to implement, as was demonstrated in 1996 when the failure to properly employ and manage passwords allowed a five million dollar embezzlement in the Kentucky Revenue Cabinet.

Government managers seem surprisingly oblivious to the cost of insecure networks. It has been difficult, therefore, to get their attention. System crashes, downtime, and labor-intensive triage for compromised networks take a verifiable and meaningful economic toll, but network managers are often conflicted about revealing such problems and agency heads have no accepted formulae for calculating the

The Kentucky Auditor of Public Accounts' vulnerability assessments during the last three years included two highly publicized findings that resulted in the issuing of separate Auditor Alerts to all state and local government agencies. In one such assessment, a randomly tested surplus agency computer was found, without password protection, to contain in clear text significant components of Kentucky's STD and AIDS database, including the identities of those tested, their test results, and their sexual partners. An Auditor Alert advising effective methods of scrubbing the hard drives of surplus machines was issued.

In another assessment, a series of penetration tests was performed on agency wireless networks by "war driving." The ease of penetration led to the issuance of an Auditor Alert discussing the special challenges posed to network security by wireless networks, including the widespread failure of network administrators to enable the security components of such systems. One unexpected collateral finding of this work was the absence of an effective firewall separating Kentucky's state government network from the University of Kentucky's network.

Tempered by this body of work, the Auditor of Public Accounts undertook a vulnerability assessment of the information systems in the Kentucky Transportation Cabinet in July 2003.

Case Report

The Kentucky Transportation Cabinet's system is a centrally managed, enterprise-class network, serving thousands of users at hundreds of remote sites and interfacing with other state and federal networks. The system is used to manage massive road construction and maintenance projects, warehouse vehicle registration records, and house the personal, confidential information of licensees. It is directly linked to the Commonwealth's accounting and reporting system. The Transportation Cabinet's system uses industry standard rather than proprietary hardware and software.

As part of the audit of the Commonwealth's Comprehensive Annual Financial Report, the Auditor of Public Accounts performed a risk assessment of the Transportation Cabinet's information system. This assessment consisted of two activities: scanning and enumeration.

During the scanning phase, auditors used fscan.exe, nmap.exe, and superscan.exe to identify potential vulnerabilities among the Transportation computers and servers providing exploitable services such as web, telnet, and Microsoft shares.
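The scanning phase described above produces a list of hosts and open ports; the useful output for the next phase is the subset of hosts that offer the service classes the auditors treated as exploitable (web, telnet, and Microsoft shares). The following is an added example, not code from the article or from the Auditor's office: a Python script that reads nmap's grepable output format (nmap -oG) and ranks hosts for the enumeration phase. The scan lines, the addresses, the port-to-class mapping and the risk weights are this example's assumptions, constructed for illustration.

```python
import re
from collections import defaultdict

# Service classes the auditors treated as exploitable, keyed by TCP port.
# The port-to-class mapping is this example's assumption, not the article's.
SERVICE_CLASSES = {
    80: "web", 443: "web", 8080: "web",
    23: "telnet",
    139: "smb", 445: "smb",   # "Microsoft shares": NetBIOS session / SMB
}

# Constructed sample of nmap grepable output (nmap -oG); not real scan data.
SAMPLE_SCAN = """\
# Nmap 3.30 scan initiated Mon Jul 21 09:12:03 2003 as: nmap -sS -oG scan.gnmap 10.0.5.0/28
Host: 10.0.5.1 ()\tStatus: Up
Host: 10.0.5.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (1655 ports)
Host: 10.0.5.2 ()\tStatus: Up
Host: 10.0.5.2 ()\tPorts: 23/open/tcp//telnet///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.5.3 ()\tStatus: Up
Host: 10.0.5.3 ()\tPorts: 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///
Host: 10.0.5.4 ()\tStatus: Down
"""

# One port entry in the Ports: field looks like  445/open/tcp//microsoft-ds///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[host].append((int(port), proto, service))
    return dict(hosts)

def triage(hosts):
    """Map each host to the sorted list of exploitable service classes it exposes."""
    findings = {}
    for host, ports in hosts.items():
        classes = {SERVICE_CLASSES[p] for p, proto, _ in ports
                   if proto == "tcp" and p in SERVICE_CLASSES}
        if classes:
            findings[host] = sorted(classes)
    return findings

def enumeration_targets(findings):
    """Hosts to hand to the enumeration phase, riskiest first.

    Weights are an assumption: clear-text telnet and SMB shares outrank a web server.
    """
    weight = {"telnet": 3, "smb": 2, "web": 1}
    return sorted(findings, key=lambda h: (-sum(weight[c] for c in findings[h]), h))

if __name__ == "__main__":
    found = triage(parse_gnmap(SAMPLE_SCAN))
    for host in enumeration_targets(found):
        print(host, ", ".join(found[host]))
```

Filtered ports are deliberately dropped: a host whose 139/tcp is filtered by a packet filter is not offering the share, and chasing it wastes enumeration time that is better spent on the host with telnet and SMB both open.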

Photo: Kentucky Senate Chamber

During the enumeration phase, auditors used enum.exe, net.exe, and nbtdump.exe to analyze the vulnerabilities identified by the scans. This enumeration highlighted (1) the existence of devices and user accounts lacking passwords, (2) the version numbers of running programs, (3) user names and groups, including assigned privileges, and (4) unprotected Microsoft shares allowing privileged access to the file systems of many computers.

Auditor analysis of one of the first vulnerabilities that came to light during enumeration led to the discovery of a malicious, on-going intrusion. This discovery transformed the auditors' vulnerability assessment into an incident-handling project in which criminal activity was observed.

The following evidence of hacker activity was observed:

• Hacker-installed applications and services operating in stealth mode;
• A list of cracked administrative passwords;
• Gigabytes of data in daily transport;
• Harmful software stored on the system, e.g., netcat for creating covert backdoors, pwdump for extracting password hashes, regedit for altering a system's registry, and prockill for terminating processes.

Auditors acquired irrefutable evidence that these programs, and several others, had been used. They observed hackers actively managing their ownership of the system, and unauthorized persons uploading and downloading pirated multimedia and software. This material included (1) pirated new-release movies, music CDs, DVDs, TV shows, and new computer games, and (2) newly copyrighted French medical textbooks.

Included in the hacker configuration files and documentation was the following statement, in clear-text French. Auditors used babelfish.altavista.com to produce the following translation:

  • This server was hacké by SuBy on request of a person. SuBy declines any responsibility towards this person and could not be held for person in charge for though it is;
  • This server does not exist 2) all this Of course is legal ;D 3) SuBy rox 4) racism No (ouai C rare I C ;p) 5) the 1337 are not authorized 6) the files are has an informative title ;D 7) the hackers could not be held for persons in charge! 8) the files must be unobtrusive in the 24 hours 9) §§§--- IT IS NECESSARY TO OBSERVE the RULES ---§§§;
  • We wish you a pleasant stay on this
  • Thank you has all those which make live the French scene.

Among the hacker configuration files and logs, auditors observed 25 IP addresses of intruders. Using McAfee's NeoTrace program, auditors traced these addresses to their geographic points of origin in France, Croatia, and Canada. They also found that a remote Internet Relay Chat room was being controlled by eggdrop, an IRC bot residing on a Transportation Cabinet server. This allowed the hackers to control admittance to the chat room and to exploit the anonymity it provided.

Unrelated to the intrusion noted above, auditors discovered web proxy logs detailing the browsing habits of system users. A cursory examination of these logs revealed that several hundred computers were used to visit several hundred unique pornographic websites in violation of the Commonwealth's acceptable use policies governing information technology systems. The auditors chose to focus on pornographic site browsing because such sites are known to be a disproportionately large source of malware, software intended to compromise a visitor's computer or system. Such attacks go largely unreported by victims because reporting them is self-incriminating.

Later, more detailed analyses of the web proxy logs indicated the intentional, persistent browsing of websites displaying pornographic images of children. Some 34 computers were found to have been used to search for and access child pornographic material. The findings were promptly referred to state and federal law enforcement.

For two weeks, auditors performed their scanning, observing, and evidence gathering undetected, even though no attempt was made to mask the

Conclusion

The Auditor of Public Accounts found Kentucky's Transportation Cabinet network to be inadequately protected and unmonitored. While firewalls, activity auditing software, content management software, and intrusion detection systems were in place, none was being used effectively, and some were not used at all.

Auditors recommended a variety of measures designed to recover from the malicious intrusion and establish effective defenses. The detailed findings of the vulnerability assessment and its accompanying recommendations were communicated to the Transportation Cabinet prior to public disclosure. The recommendations included:

• Applying strong passwords;
• Enabling and fortifying firewalls;
• Removing compromised machines from the network;
• Working from the assumption that application programs and data backups are tainted;
• Rebuilding compromised machines from the ground up;
• Quarantining compromised machines and making them available for forensic analysis;
• Notifying business partners and the public;
• Anticipating retaliatory attacks;
• Installing network sniffers to detect traffic to or from previously identified hacker addresses.

Network security weaknesses threaten taxpayer dollars and facilitate identity theft. Three years of performing vulnerability assessments leads Kentucky's Auditor of Public Accounts to conclude that (1) a universal formula such as Incident Cost and Analysis Modeling Projects (www.cic.uiuc.edu/groups/ITSecurityWorkingGroup/archive/Report/ICAMP.shtml) for quantifying the economic cost of insecure government networks must be adopted, (2) accountability for network security is largely absent in Kentucky state government agencies, and (3) auditors must perform surprise vulnerability assessments and publicize their findings in order to have the greatest impact upon network security.

Edward B. Hatchett, Jr.,
Auditor of Public Accounts,
Commonwealth of Kentucky
http://www.kyauditor.net
e-mail to... ED.Hatchett@KYAuditor.net

B.J. Bellamy, SANS GSEC, GCIH, GCFA,
Chief Information Officer

Photo: Lincoln Statue, Capitol Rotunda. Abraham Lincoln was born in Hodgenville, Kentucky, and served as the 16th president of the United States.

The Commonwealth of Kentucky

Originally part of Virginia, the land that is now Kentucky became Kentucky County in 1776 and the fifteenth of the United States in 1792. The use of "commonwealth" doesn't have any particular significance, being a term commonly used in the eighteenth century meaning the same as "state".

Kentucky covers a land area of 40,395 square miles (104,623 sq km) and has a population of just over 4 million people. The State is divided into 120 counties, its capital Frankfort being in Franklin County. Kentucky's state constitution was adopted in 1891. The Governor is elected for a term of four years; the General Assembly, or legislature, is bicameral, with a senate of 38 members and a house of representatives of 100 members. Kentucky is represented in the U.S. Congress by six representatives and two senators, and has eight electoral votes.

Within the Commonwealth's Constitution, the role of the Auditor of Public Accounts is to ensure that public resources are protected, accurately valued, properly accounted for, and effectively employed to raise the quality of life of Kentuckians. Within the State Audit Office, the Information Technology Branch audits government computer systems and the data they generate. The branch also produces auditable information for financial and performance auditors by extracting, analysing, and reporting data derived from agency computer systems.

Editor

Kentucky Legislature Home Page..... http://www.lrc.state.ky.us/home.htm
Kentucky Constitution...... http://www.lrc.state.ky.us/Legresou/Constitu/intro.htm
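The last of the recommendations above, watching for traffic to or from the previously identified hacker addresses, is the one the Cabinet could act on immediately with evidence already in hand: the intruder addresses found in the hacker configuration files. The following is an added example, not code from the article or from the Auditor's office: a Python script that loads a watch list of addresses and networks, runs it over firewall log lines, and reports matching connections together with any outbound connection to the IRC port an eggdrop bot would need to reach its channel. The log format, the addresses (RFC 5737 documentation ranges), the internal address ranges, and the treatment of port 6667 as an IRC indicator are this example's assumptions, constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Watch list as the auditors would have built it from the hacker configuration
# files. Constructed: these are documentation addresses, not the real intruders.
WATCH_LIST = ["192.0.2.17", "198.51.100.0/24", "203.0.113.5"]

# The agency's own address space; an assumption of this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Port an eggdrop bot needs to reach its IRC server. Treating it as an indicator
# is this example's heuristic, not a finding of the article.
IRC_PORTS = {6667}

# Constructed firewall log in a simple "date time action src:sport -> dst:dport proto" form.
SAMPLE_LOG = """\
2003-07-22 02:14:07 ACCEPT 10.0.5.2:49211 -> 192.0.2.17:21 TCP
2003-07-22 02:14:09 ACCEPT 198.51.100.44:3389 -> 10.0.5.2:3389 TCP
2003-07-22 02:15:30 ACCEPT 10.0.5.2:49300 -> 203.0.113.200:6667 TCP
2003-07-22 02:16:01 ACCEPT 10.0.5.9:1034 -> 10.0.5.1:445 TCP
2003-07-22 02:16:40 DENY 203.0.113.5:4444 -> 10.0.5.2:4444 TCP
2003-07-22 02:17:12 ACCEPT 10.0.5.3:1100 -> 172.16.0.10:80 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def load_watch_list(entries):
    """Turn plain addresses and CIDR blocks into networks for containment tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in INTERNAL_NETS)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def analyse(text, watch=WATCH_LIST):
    """Return (reason, record) alerts for lines touching the watch list or the IRC heuristic.

    Denied connections are reported too: a blocked probe from a known intruder
    address is still evidence that the attackers are coming back.
    """
    nets = load_watch_list(watch)
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        for role in ("src", "dst"):
            ip = ipaddress.ip_address(rec[role])
            if any(ip in n for n in nets):
                reasons.append(f"{role} on intruder watch list")
        if rec["dport"] in IRC_PORTS and not is_internal(rec["dst"]):
            reasons.append("outbound IRC (possible bot channel)")
        for reason in reasons:
            alerts.append((reason, rec))
    return alerts

def summarise(alerts):
    """Count alerts per internal host so the noisiest machines are quarantined first."""
    counts = Counter()
    for _, rec in alerts:
        for role in ("src", "dst"):
            if is_internal(rec[role]):
                counts[rec[role]] += 1
    return counts

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for reason, rec in found:
        print(f'{rec["ts"]} {rec["action"]} {rec["src"]} -> {rec["dst"]}:{rec["dport"]}  [{reason}]')
    print("hosts to quarantine first:", summarise(found).most_common())
```

The per-host summary is what turns a watch list into the "removing compromised machines from the network" step: in the constructed log every alert involves 10.0.5.2, which is exactly the machine the IRC heuristic also points at.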

Risk-based Sampling
By Rune Johannessen CISA, CIA, Dip. Internal Audit

In this article, I would like to share some useful experiences that I have gained in my work with the COBIT (Control Objectives for Information and related Technology) tool kit. The following is not intended to be a template for the execution of risk-based audits, but rather a tentative suggestion towards a possible audit method.

Many public and private organisations now use COBIT, and I am fairly confident that anyone who has experience of the tool would confirm that it is highly comprehensive and its use quite time consuming. This is often in stark contrast to our everyday situation, where time is a critical factor of which we often have too little to carry out the tasks that have been assigned to us. It is therefore important that within our given time frames we select the areas and processes that are most important and pose the highest risk, in order that we provide our client with maximum added value.

In my opinion, COBIT does not provide clear guidelines on how to carry out an overall (or "high level") audit risk assessment; in other words, how to select the most important areas and/or processes for auditing. I have therefore chosen to illustrate my solution with a general model for carrying out the auditing cycle. My method, which is based on qualitative assessments and allows considerable flexibility in relation to the audit client, can be represented in graphical form thus:

Figure: Phase 1, Selection based on targets/processes/resources; Phase 2, Risk assessment of selected processes; Phase 3, IT audit.

Phase 1: Selection based on targets/processes/resources

This phase consists of deciding, at a general level, what to focus on, which may be a sample of domains, processes, IT resources and/or a sample of information criteria. On the basis of the selected priorities the auditor derives a list of processes that it might be relevant to examine in more depth. In the following example I have tried to illustrate this for the domain "Acquisition and implementation", where the processes "Change management" and "Acquisition and maintenance of software" are identified as highly important to the audit client and are therefore selected as relevant to the audit.

Phase 2: Risk assessment of selected

As a result of the selections made in Phase 1, the auditor now has a sample of processes that have been ascribed priorities. In the example above, AI2 and AI6 were identified as relevant within the domain "Acquisitions and implementation". As a result of restrictions on time and resources, it is often necessary to further limit the amount of work. In Phase 2 the auditor again ascribes priorities to the processes selected in Phase 1, and then selects those with the highest risk. I have tried to illustrate this in the following example, where the auditor completes the following form for each of the processes that were selected in Phase 1, in this case AI6:

The table lists a number of control questions linked to each process - these have been derived from the points listed under the title "and takes into consideration" on the first page of each process¹. On the basis of a sample, the auditor formulates some general control questions intended to give a 'feel' for the routines, documentation and processes in use in this area. The information required to answer the sample questions can be gathered through interviews and by observation of the routines in use. At this stage, the auditor does not make any comprehensive assessments of the content and quality of the available material.

The column for control routines should be marked as documented, undocumented or don't know. The following criteria may be used to answer the questions:

Scale          Control routines
Documented     The audited entity has a routine, process or documentation that deals with the matter.
Undocumented   The audited entity does not have routines, processes or documentation that deal with the matter.

The next step involves making an overall assessment of the probability of there being errors, weaknesses or loopholes in a process. This assessment will have as its starting point a preliminary review of the process and, as appropriate, the auditors' own opinions. The auditor should include internal and external factors that can adversely affect the process. The results are presented in a matrix with the following scale:

Scale   Probability
H       It is regarded as highly probable that this process will be negatively affected by internal or external events.
M       It is regarded as possible that this process will be negatively affected by internal or external events.
L       It is not regarded as very probable that this process will be negatively affected by internal or external events.

¹ See full COBIT documentation set. This can be downloaded from... http://www.isaca.org/

The next step is to assess the consequences of a negative incident. In addition to any monetary losses, factors such as reputation and working environment should also be taken into

Scale   Consequence
H       Negative internal or external incidents are expected to have major consequences for the process.
M       Negative internal or external incidents are expected to have medium consequences for the process.
L       Negative internal or external incidents are expected to have minor consequences for the process.

In this way, each process is subject to a risk assessment through probability and consequences being considered together. On the basis of how the process is rated in terms of risk (H high, M medium, L low), a sample is selected to be used in the following IT audit.

Phase 3: IT audit

An IT audit is then carried out on the processes that have been identified as having the highest risk, using the COBIT "Audit Guidelines":

IT process and audit questions:
  AI6 Change management
  - Has a method been established for prioritisation of change recommendations from users, and if so, is it being used?
  - Have procedures been compiled for sudden changes, and if so, are they being used?
  - Is there a formal procedure for monitoring changes, and if so, is it being used?
  - Are changes logged in a way that shows whether they have been carried out in a satisfactory way?
  - Etc.

Results of evaluation and testing:
  Observation: Method for changes… There is no procedure for sudden changes … Etc.
  The methodology is incomplete in terms of sudden changes…
  The methodology is inadequate...

Recommendation:
  We recommend…

Ref.
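The Phase 2 assessment described above, worked through in code as an added Python example (not part of the article): each selected process gets a control-routine form answered with documented, undocumented or don't know, a probability rating and a consequence rating on the H/M/L scales, and the two ratings are combined into one risk rating that decides which processes go forward to the Phase 3 IT audit. The article does not state how the two scales are combined, so the combination rule here (rank product with cut-offs at 6 and 3) is an assumption; AI2 and AI6 are the processes the article selects, but their ratings and the form answers are constructed, and the third entry is a hypothetical process added to show one being dropped.

```python
"""Phase 2 risk assessment worked through in code.

Added example, not from the article. The H/M/L probability and consequence
scales and the control-routine states follow the article; the rule combining
the two scales (rank product, cut-offs at 6 and 3) and the sample ratings
below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RANK = {"L": 1, "M": 2, "H": 3}   # the article's scale values, ordered
CONTROL_STATES = ("documented", "undocumented", "don't know")


@dataclass
class ProcessAssessment:
    code: str                          # COBIT process id, e.g. "AI6"
    name: str
    probability: str                   # H/M/L: chance of errors, weaknesses or loopholes
    consequence: str                   # H/M/L: consequences of a negative incident
    control_routines: Dict[str, str]   # control question -> one of CONTROL_STATES

    def __post_init__(self) -> None:
        if self.probability not in RANK or self.consequence not in RANK:
            raise ValueError(f"{self.code}: probability/consequence must be H, M or L")
        bad = [s for s in self.control_routines.values() if s not in CONTROL_STATES]
        if bad:
            raise ValueError(f"{self.code}: unknown control routine state(s) {bad}")


def risk_rating(probability: str, consequence: str) -> str:
    """Combine probability and consequence into one H/M/L risk rating.

    Assumed rule: multiply the two ranks (1..9) and cut at 6 and 3, so that
    H+H and H+M give H, M+M and H+L give M, and L paired with M or L gives L.
    """
    score = RANK[probability] * RANK[consequence]
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


def unresolved_controls(assessment: ProcessAssessment) -> List[str]:
    """Control questions not marked 'documented': the natural audit questions for Phase 3."""
    return sorted(q for q, s in assessment.control_routines.items() if s != "documented")


def select_for_audit(assessments: List[ProcessAssessment],
                     threshold: str = "H") -> List[Tuple[str, str]]:
    """(code, rating) for every process rated at or above threshold, highest risk first."""
    rated = [(a.code, risk_rating(a.probability, a.consequence)) for a in assessments]
    kept = [(code, rating) for code, rating in rated if RANK[rating] >= RANK[threshold]]
    return sorted(kept, key=lambda cr: RANK[cr[1]], reverse=True)


# Constructed sample: AI2 and AI6 are the processes selected in the article's
# Phase 1; the ratings and form answers are made up for this example, and
# AI3 is a hypothetical third entry.
SAMPLE = [
    ProcessAssessment("AI6", "Change management", "H", "H", {
        "Method established for prioritising user change recommendations?": "documented",
        "Procedures compiled for sudden changes?": "undocumented",
        "Formal procedure for monitoring changes?": "documented",
        "Changes logged so that satisfactory completion can be seen?": "don't know",
    }),
    ProcessAssessment("AI2", "Acquisition and maintenance of software", "L", "H", {
        "Requirements documented before acquisition?": "documented",
    }),
    ProcessAssessment("AI3", "Hypothetical third process", "L", "M", {
        "Routine in place?": "undocumented",
    }),
]


def phase2_summary(assessments: List[ProcessAssessment] = SAMPLE) -> Dict[str, dict]:
    """Per-process rating plus the open control questions, as an auditor's working paper."""
    return {
        a.code: {
            "rating": risk_rating(a.probability, a.consequence),
            "open_questions": unresolved_controls(a),
        }
        for a in assessments
    }


if __name__ == "__main__":
    for code, row in phase2_summary().items():
        print(code, row["rating"], row["open_questions"])
    print("Selected for Phase 3:", select_for_audit(SAMPLE))
```

With these constructed inputs only AI6 is rated H and goes forward at the default threshold; lowering the threshold to M also brings in AI2, which is the kind of trade-off the article's "restrictions on time and resources" forces. The open questions for AI6 (sudden changes, change logging) are exactly the ones that turn into audit questions in the Phase 3 table.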

I hope that these observations and suggestions will contribute to development of a practical approach to how a risk-based audit can be carried out using COBIT. I also hope that this article will inspire others to share their experiences and describe their routines when using this tool.

About the author

Rune Johannessen is a Senior Audit Adviser at the Office of the Auditor General of Norway, where he is involved in both IT auditing and the development of methodology. Rune has 7 years' experience in the field of internal auditing, financial auditing, IT auditing and quality assurance in IT projects. Before joining the Auditor General of Norway, he worked as a senior adviser for PricewaterhouseCoopers on quality assurance in system development projects and in IT security.

Rune holds a bachelor of management degree from the Norwegian School of Management and a higher degree from the University of Oslo, and is certified CISA and CIA.

COBIT, developed by ISACA, is a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.

COBIT comprises the following main products:

Framework: a successful organisation is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data) are important for the IT processes to fully support the business objective.

Management Guidelines: to ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines is composed of Maturity Models, Critical Success Factors, Key Goal Indicators and Key Performance Indicators. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

Detailed Control Objectives: the key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 high-level control objectives.

Audit Guidelines: analyse, assess, interpret, react, implement. To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outlines and suggests actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met.

Implementation Tool Set: an Implementation Tool Set, which contains Management Awareness and IT Control Diagnostics, Implementation Guide, frequently asked questions, case studies from organizations currently using COBIT and slide presentations that can be used to introduce COBIT into organizations. The tool set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments and assist management in choosing implementation options.

COBIT can be downloaded from... http://www.isaca.org

Going electronic

By Andrée Lavigne and Caroline Émond

A study group examines the issues auditors face in gathering electronic information as evidence and its impact on the audit.

Using information technologies and computer systems to gather, process, transmit, maintain and present information is nothing new. What is new is an added dimension. In the past, automation affected only some aspects of information processing. Today, the development and convergence of IT and the integration of information systems allow for the seamless flow of information. An integrated IS environment is a paperless environment where information is exchanged without space constraints and transmitted from one application to another, one entity to another, or one country to another via electronic networks.

Paperless environments are commonplace and in this context auditors have to gather electronic information as audit evidence. What is electronic audit evidence (EAE)? What are its attributes? How does it differ from traditional audit evidence? How does it impact the audit approach? What are the risks and the controls that can be applied to reduce them? These questions are being addressed by a CICA study group, which, at the request of the Assurance Standards Board and Information Technology Advisory Committee, is preparing a report on EAE issues.

EAE has an impact on the reliability of evidence and professional competence, knowledge of the entity's business, the audit approach, detection of misstatements and illegal acts and documentation of audit evidence. The report will set out recommendations for assurance standards to provide guidance on these issues and will deal with the risks of using EAE, the controls and technologies that may mitigate these risks, and the legal issues deriving from the use of electronic documents (e-documents) and signatures.

EAE is information created, transmitted, processed, recorded, and/or maintained electronically that supports the content of an audit report. The information can only be accessed using proper equipment and technologies such as a computer, software, printer, scanner, sensor or magnetic media. E-documents may take such forms as text, images, audio or video. EAE includes accounting records, source documents and such vouchers as electronic contracts, e-documents pertaining to billing, procurement and payment, electronic confirmations and all other electronic data pertinent to the audit.

EAE differs from traditional audit evidence in several respects. First, it consists of information in a digital format whose logical structure is independent of the information. Second, the information's origin, destination and sent and received dates are not an integral part of the e-document, message or other information format.

The more integrated the IS, the more business transactions will be processed and documented solely by electronic means. Auditors are most likely to use EAE in internal and external integrated IS environments - for example in ERP systems, e-commerce or e-business environments. Some risks inherent in these types of environments include the entity's dependence on its own IS and on those of its partners and third-party service providers, together with the risk of failure at each of these levels. Other risks are loss of integrity, non-authentication, repudiation and violation of confidentiality of data, as well as loss of an adequate audit trail, and legal uncertainties.

This article is reproduced by permission from CAmagazine, published by the Canadian Institute of Chartered Accountants, Toronto, Canada.

Paper versus electronic

Origin
  Paper audit evidence:      Proof of origin easily established.
  Electronic audit evidence: Proof of origin difficult to establish solely by examining electronic information. It is determined using controls and security techniques that allow for authentication and non-repudiation.

Alteration
  Paper audit evidence:      Paper evidence difficult to alter without detection.
  Electronic audit evidence: Alterations difficult, if not impossible, to detect solely by examining the electronic information. Information integrity depends on reliable controls and security techniques.

Approval
  Paper audit evidence:      Paper documents show proof of approval on their face.
  Electronic audit evidence: Approval difficult to establish solely by examining the electronic information. It is determined using controls and security techniques.

Completeness
  Paper audit evidence:      All relevant terms of a transaction usually included in the same document.
  Electronic audit evidence: Relevant terms often contained in several data files.

  Paper audit evidence:      No equipment needed.
  Electronic audit evidence: Various technologies and equipment needed.

Format
  Paper audit evidence:      Integral part of document.
  Electronic audit evidence: Separate from data and can be changed.

Availability and accessibility
  Paper audit evidence:      Not usually a constraint during the audit.
  Electronic audit evidence: Audit trail for electronic data may not be available at the time of the audit and accessing the data may prove more difficult.

  Paper audit evidence:      Simple matter to sign a paper document and review the signature.
  Electronic audit evidence: Appropriate technologies are required to issue a reliable electronic signature and review it.

To assess the sufficiency and appropriateness of the EAE gathered to support the audit report, the auditor should consider the specific risks associated with the use of such evidence. These can't be assessed solely by reviewing the documentary evidence, as is usually the case with paper documents. A printout of the electronic information, or onscreen reading, is only one format. And it provides no indication of origin and authorization, nor does it ensure the integrity or completeness of the information. Auditors should ensure that controls and technologies to create, process, transmit and maintain electronic information are sufficient to guarantee its reliability. The table below presents the criteria to assess the reliability of electronic information as audit evidence. The importance of each criterion depends on the nature and origin of the electronic information and its intended use for audit purposes. In addition to assessing reliability of audit evidence, the auditor looks into the availability of electronic evidence for audit purposes. Data confidentiality is also of interest to the auditor as a breach of confidentiality could represent a business risk that could impact the entity's financial position.

The reliability of electronic information depends on the reliability of the IS and supporting technologies. Where significant information underlying one or more assertions in financial statements is gathered, processed, recorded or maintained electronically, it may be impossible to reduce detection risk to an acceptable level by relying solely on the application of substantive procedures. In such cases, there is a high risk that misstatements in the electronic information obtained as audit evidence may not be detected. The auditor may need to adopt a combined approach and perform tests of controls to get appropriate audit evidence.

Assessing reliability of electronic information as audit evidence

Authentication    The identity of the person or entity that created the information can be confirmed.
Integrity         The completeness, accuracy, current nature and validity of the information. Integrity is the assurance that the information was validated and was not intentionally or accidentally altered or destroyed when it was created, processed, transmitted, maintained and/or archived.
Authorization     The information was prepared, processed, amended, corrected, sent, received and accessed by persons entitled to do so or responsible for doing so.
Non-repudiation   A party, person or entity having sent or received information cannot deny having taken part in the exchange and repudiate the information content. Depending on whether there is irrefutable proof of origin, receipt or content of the electronic information, there is non-repudiation of origin, non-repudiation of receipt or non-repudiation of content.

The criteria could be used to assess the reliability of any documentary information, whether in paper or electronic form.

Because signing documents takes on a new dimension in an electronic environment, this issue needs to be examined closely. A signature primarily functions as a symbol signifying the signer's intention and authenticating the document. A handwritten signature on a paper document is affixed by an identifiable person and is intended to authenticate the intention inherent in the signed

document. In a virtual environment, the
signer cannot be identified visually. That   Reliability criteria for an electronic signature
is why the signature has to be used to       Authentication       G   identification of the signer
confirm consent and to identify the                               G   unique to the user
signer. When a handwritten signature is
                                                                  G   authentication of the signed document
affixed on a paper document, it is
"merged" so to speak with that               Authorization        G   confirmation of consent; the mechanism for incorporating the
document. Since electronic information                                signature is the sole responsibility of the signer
can migrate easily from one medium to        Integrity            G   confirmation of the integrity of the signed document
another, the signature and the document      Non-repudiation      G   confirmation of the link between the document and the signature
are independent of one another. The
                                                                  G   continuation of the link between the document and the signer
signature has to be bound with a specific
                                                                      from the time of signing
document and the document's integrity
needs to be established. The objective is                         G   if need be, confirmation of the origin and destination of the
to reduce the legal uncertainty as to the                             document
electronic signature's admissibility.
Electronic signature is a generic term to describe a technology-neutral signature in electronic and binary form. It may take various forms and be created in different ways. It may be created without any controls (a name typed at the end of a document); created using non-cryptographic security techniques (password, PIN number, biometric ID, digitized signature); or created using cryptographic security techniques (symmetric or secret key cryptography, asymmetric or public key cryptography, or a digital signature).

Relevant controls and technologies must be used to obtain a reliable electronic signature. Non-cryptographic security techniques, based on a shared secret, help control authentication and authorization of the electronic document and signature. However, these security methods have limitations. Shared-secret authentication supposes that the parties have already exchanged information to agree on the secret. Moreover, a secret is only effective if it hasn't been forgotten or discovered. And because both parties know the secret, either of them could have produced the evidence, so non-cryptographic security techniques offer no security as to the non-repudiation, integrity or confidentiality of e-documents and signatures. Cryptographic security techniques, on the other hand, offer a secure way to ensure authentication, non-repudiation, integrity and/or confidentiality. Non-cryptographic and cryptographic security techniques are often used in tandem to deliver a high level of reliability.

Digital signatures are based on asymmetric or public key cryptography. This technique involves mathematically generating a related key pair and using it to encrypt or decrypt data: one of the keys is kept secret by its holder, the other is freely available, and what one key does only the other can undo. The digital signature is generated by calculating a message digest and signing it with the signer's private key (for RSA this is commonly described as encrypting the digest with the private key). The message digest is a fixed-length value calculated using a collision-resistant hashing algorithm; for practical purposes it represents a message of any length uniquely and in much smaller form. If only one character of the original message is changed, the message digest will be changed. The receiver recomputes the digest over the message actually received and uses the signer's public key to check that it matches the digest bound into the signature. If the two agree, the integrity of the message is established and the signature is attributable to the holder of the private key, which is what supports authentication and non-repudiation. However, assurance as to the signer's identity largely depends on the controls implemented to guarantee the security of the signer's private key and on the receiver's confidence that the identity associated with the public key is authentic. A public key infrastructure is a solution that may ensure sound key management and provide assurance as to the signer's identity.

Much progress has been made to legally recognize e-documents and signatures as evidential matter. Ottawa and most provinces have passed e-commerce legislation and have amended evidence acts to recognize e-documents and signatures and establish admissibility criteria for this evidence. However, there is still some legal uncertainty about e-documents. Major ambiguities persist regarding jurisdiction and laws applicable to cyber transactions. Some uncertainty remains about admissibility conditions for e-documents and signatures under Canadian law.

In cases where the admissibility of an e-document is questioned, it is up to the person wanting the document admitted to establish its integrity and authenticity. It is up to the court whether the evidence is admissible. The best way for an entity to mitigate the legal risks associated with the admissibility of e-documents and establish data integrity is to institute and maintain reliable IS and use appropriate technologies. The admissibility of an e-signature is also subject to certain conditions. The technology must allow for the identification of the signer, and the link between the signature and the e-document must be created in such a way that subsequent alterations of the document can be detected. In addition, some legislation sets out standards requiring the use of certain technologies or the application of specific procedures.

Clearly, electronic information raises important issues of interest to management, which needs reliable decision-making information, and to auditors, who rely on this information to gather sufficient and appropriate audit evidence to support the content of the audit report.

About the authors

Andrée Lavigne, CA, is a principal in the CICA's Research Studies department.

Caroline Émond, CA, is partner in global risk management services at PricewaterhouseCoopers in Montreal.
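To make the digital-signature mechanism described above concrete, here is an added worked example (an editor's illustration, not code from the article or its authors) using Go's standard-library RSA and SHA-256. The sample e-document, the second key pair and the amounts in it are constructed for the demonstration. It shows the digest step, signing with the private key, verification with the public key, and the two failure cases the article mentions: a one-character change to the document, and a public key that does not belong to the signer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 message digest of doc as hex. Any change to
// doc, even a single character, yields a completely different digest.
func Digest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// Signer holds the key pair. The private key never leaves the signer; the
// public key is handed to verifiers (in practice via a certificate issued
// by a PKI, which is what binds the key to an identity).
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit RSA key pair.
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the verification key to distribute.
func (s *Signer) Public() *rsa.PublicKey {
	return &s.priv.PublicKey
}

// Sign hashes doc with SHA-256 and applies the private key to the digest
// (RSA PKCS#1 v1.5), the operation the article describes as "encrypting
// the message digest with the signer's private key".
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	sum := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, sum[:])
}

// Verify recomputes the digest over the document actually received and
// checks, with the public key, that it matches the digest bound into the
// signature. A true result proves integrity of doc and that the holder of
// the matching private key produced sig; whether that holder is the claimed
// person depends on how pub was obtained and how the private key is kept.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	sum := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) == nil
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample e-document; amount and supplier number are illustrative.
	doc := []byte("Pay CAD 1,000 to supplier 42.")
	tampered := []byte("Pay CAD 9,000 to supplier 42.") // one character changed

	sig, err := signer.Sign(doc)
	if err != nil {
		panic(err)
	}

	fmt.Println("digest(doc):      ", Digest(doc))
	fmt.Println("digest(tampered): ", Digest(tampered))
	fmt.Println("original verifies:", Verify(signer.Public(), doc, sig))
	fmt.Println("tampered verifies:", Verify(signer.Public(), tampered, sig))

	// A signature only means something against the right public key: under
	// another party's key it fails, which is why binding a key to an identity
	// (certificates, PKI) matters as much as the mathematics.
	other, err := NewSigner()
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies under another key:", Verify(other.Public(), doc, sig))
}
```

RSA PKCS#1 v1.5 is used because it is the closest match to the "encrypt the digest with the private key" description; for a new design, RSA-PSS or Ed25519 would be the better choice. Note what a successful Verify does not tell the receiver: only that the private key matching pub was used. Deciding whose key pub is, and whether that private key was kept secret, is the key-management and PKI problem the article goes on to describe.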

The Audit Office of New South Wales:
Auditing the implementation of

To comply with the law on Freedom Of Information,
agencies need to impose sound standards of
information management. But as Stephen Horne
explains, there are wider issues to consider, not least
of which is whether decisions on information
disclosure are taken objectively.

What is FOI?

Most democratic societies recognise that Freedom of Information (FOI) is a fundamental element of government accountability. Opening government processes to scrutiny allows the public to question and better evaluate the activities the Government carries out on their behalf.

FOI legislation, introduced in New South Wales (NSW) in 1989 [1], gave members of the public the legal right to access most information in most government agencies. They may:
• obtain access to information held as records by State Government Agencies, a Government Minister, local government and other public
• request amendments to records of a personal nature that are inaccurate;
• appeal against a decision not to grant access to information or to amend personal records.

It follows that in order to comply with the Act, departments and agencies need to manage their information in a manner that enables them to trace, recover, and reproduce the information requested within the Act's stipulated period (generally 21 days). Sound information management is therefore essential.

The audit aimed to answer some basic questions...
1. Do agencies comply with the spirit of the Act?
2. Do agencies help applicants with their requests?
3. Are fees and charges kept to a minimum?
4. How thoroughly do agencies search for documents?
5. Do agencies provide supporting reasons for their decisions?
6. Do agencies meet the time requirements?
7. Do agencies conduct reviews of decisions?

A full copy of the Freedom of Information report, on which this article is based, is available on the Auditor General's web site... http://www.audit.nsw.gov.au/repperf.htm

Background

Dealing with FOI requests can be difficult for agencies. They may believe that information they provide could be taken 'out of context' and give an unfair view of their operations. Releasing information about sensitive decisions they have made may be embarrassing. Senior staff may also be well aware that certain information they release could be used in a political context and create difficulties for their Minister.

The FOI Act recognises that agencies might be tempted to avoid these potential difficulties by using the discretions set out in the Act to limit the information released. This would frustrate the spirit of the Act, so it specifically requires agencies to apply FOI laws in a way that favours disclosure of information. While this audit covered only three agencies, we believe that the issues and recommendations relate to all bodies that handle FOI requests, including Ministers, most NSW government agencies, and local government.

Audit scope

Against this background, we reviewed the FOI arrangements within three government agencies [2]; we also examined 84 FOI requests for non-personal information.

In order to test key provisions of the Act, we focused on requests in which access to non-personal information was refused, granted in part, or subject to an internal review. We selected FOI requests for non-personal information because they were more likely to involve policy-related information and offer an insight into government decision-making (most of the requests we examined were made by media personnel or Members of Parliament). We did not review the basis of these decisions, but whether the agencies had acted in accordance with the spirit of FOI legislation; in particular, with Section 5(3) of the Act, which requires agencies to behave in a manner that furthers its objectives to "...facilitate and encourage, promptly and at the lowest reasonable cost, the disclosure of information" [Section 5(3)(b) of the Act].

We also focused on the agencies' processes for handling requests; for example, for providing assistance to applicants, assessing costs, locating documents, response times and making decisions on access to information.

Audit Findings

During the audit we identified a number of concerns that we subsequently raised with the appropriate departments; these are described in our full report, which is available to download from the Auditor General's web site. I would like to focus on two of them: independence in decision making, which goes to the heart of an equitable FOI process, and the important administrative role of FOI Coordinators.

Independent decision-making

We found that standard practice in the MoT, and in about 25 per cent of the cases we reviewed in the Premier's Department, was to refer proposed determinations to the chief executive (CEO) before they were finalised and sent to the applicant. In DET, the records suggest that two draft determinations were discussed with the then Minister's Office before being finalised. We have three concerns about the involvement of CEOs or Ministerial staff prior to a determination being made:
• it opens the possibility for perceptions of interference, even though this may not have been intended;
• it may affect an agency's capacity to conduct an unbiased internal review, as it must be undertaken by someone who did not "deal with" the original application and who is not subordinate to the original decision-maker;
• it presents efficiency issues, as agencies have tight timeframes to meet FOI requirements.

It may be necessary to contact the office of the CEO or the Minister to ascertain the documents that exist and their exemption status. This is not where our concern lies. We also recognise that it is appropriate for CEOs and Ministers to be informed of decisions. However, we believe this is best done when the applicant is advised of the determination. This process issue is an important one in our view, is easily solved, and would resolve all of our concerns on this matter.

[1] More details... http://www.premiers.nsw.gov.au/NSWCommunity/FreedomOfInformation/
[2] Ministry of Transport (MoT), Premier's Department, Department of Education and Training (DET)

At least half of the officers we interviewed in DET and MoT reported that, at some stage, Ministerial staff or senior departmental officers sought to be involved in the review of determinations or to participate in the decision-making process. Sometimes they attributed this to particular individuals who misunderstood or were unaware of the provisions of the Act. Others reported that the situation had improved following a change in management's attitude or a more centralised FOI process.

In a small number of the cases we examined, involvement of this nature affected the outcome of the determination. The CEO of the former MoT suggested that proposed determinations for two requests be revised or altered. Subsequently, one matter appeared to have lapsed and no determination was made. The other remained unchanged. In this case, the CEO sought unsuccessfully to release more information than had been proposed. When we discussed these cases with him, he indicated that it was his policy not to interfere. However, he believed there were special circumstances, and his concerns were documented on file to ensure transparency. In DET, agency records suggest that one draft determination was altered following comments from staff of the then Minister.

The Role of FOI staff

FOI Coordinators play an important role in ensuring agencies comply with the spirit of the Act. They manage all the stakeholders in the process - the applicant, search unit, any third party, and the decision-maker - and monitor time limits. They must also be aware of the Act's requirements, including any new judgments made by the courts or the NSW Ombudsman. We found that FOI Coordinators and their staff supported the Act's objectives. A number of the issues raised above were caused by factors outside their immediate control, for example dealing with uncooperative or uninformed units elsewhere in the agency.

It is important that agencies ensure that all staff, not just those directly involved in processing requests, are aware of the Act's aims and key provisions. FOI Coordinators should be at a relatively senior level in the agency, with authority to administer FOI arrangements as required.

Overall, we found that FOI Coordinators and their staff supported the legislation, but the agencies examined can do considerably more to achieve the intentions of the Act.

On the positive side, each agency had made a number of changes to improve the effectiveness of their processes for handling FOI requests. In most cases, they did not charge processing fees, and where fees were charged they were reasonable. However, we believe that further improvements should be made to address the following issues:
• processing fees being charged in some cases and not others even though a similar amount of work had been undertaken;
• little documented evidence of the extent of searching which had been undertaken to locate documents, making subsequent reviews more difficult;
• supporting reasons for refusing access to information not always being provided to applicants;
• involvement of CEOs or Ministerial staff prior to some determinations being finalised, which opens the possibility for perceptions of interference and may affect an agency's capacity to conduct an unbiased internal review;
• no routine or formal analysis of reviews of decisions to determine whether changes in practice are
• timeframes not being achieved.

DET advised us that prior to the audit it had been reviewing its FOI performance and was implementing a number of reforms (developed in consultation with the NSW Ombudsman) to improve the effectiveness of its FOI process. The Premier's Department and the MoT have already changed, or plan to change, various processes to address the issues we raised.

All agencies that handle FOI requests should...

Assist applicants:
• clarify the scope of FOI requests at the earliest opportunity, particularly for large and complex applications;
• provide applicants with information on the FOI process and the status of their request.

Fees and charges:
• ensure that fees and charges are applied consistently.

Searching for documents:
• conduct thorough and complete searches for documents;
• document the types of searches undertaken to locate information;
• ensure that adequate records management systems are in place to facilitate document searches.

Making decisions on access:
• document the decision-making process, including all deliberations and viewpoints considered;
• provide supporting reasons for refusing access to information;
• identify all relevant documents to the applicant;
• advise all applicants of their right to appeal.

Independent decision-making:
• inform CEOs of the outcome of decisions in parallel with, rather than prior to, issuing the determination to applicants;
• ensure that decisions on access to information are made independent of any undue influence;
• ensure that all staff are aware of the purpose and key provisions of the Act;
• ensure that staff involved in the FOI process have full authority to make decisions as required under the Act.

Internal reviews:
• ensure internal reviews are conducted by someone other than, and more senior to, the original decision maker, as required by the Act;
• introduce formal systems for reviewing the outcomes of internal and external reviews of FOI determinations.

FOI laws:
Any review of FOI legislation in NSW should consider:
• the value of Statements of Affairs and Summaries of Affairs, and whether they serve their intended purpose;
• extending timeframes when consulting the applicant or handling large multi-faceted requests.

Review mechanism:
The Government should consider introducing a review mechanism that routinely oversees FOI arrangements in NSW government agencies.

                                                                                                          About the author
Stephen Horne is a Director in the Performance Audit Branch of the Audit Office of New South
Wales. He has twenty-five years' experience in a range of organisations in the NSW public sector,
and is a recognised authority in the fields of e-government; corporate governance; fraud control
strategies; corruption prevention, and performance reporting. Stephen has also contributed widely
to public sector improvement in a variety of capacities, including responsibility for over forty major
performance audits.
Stephen Horne, B.Bus (Distinction) UTS, FIIA.
E-mail... stephen.horne@audit.nsw.gov.au Website... http://www.audit.nsw.gov.au

About Us

The New South Wales Auditor-General... helps the New South Wales Parliament hold Government accountable for its use of public resources; is independent of Government and reports directly to the Parliament; operates under the Public Finance and Audit Act 1983.

The Audit Office... supports the Auditor-General in his work; reviews more than 400 New South Wales government agencies to:
• give Parliament reasonable certainty that agencies' financial reports are prepared correctly;
• confirm that agencies adhere to specific laws, regulations and Government directions;
investigates allegations of serious and substantial waste of public money; determines whether an agency or government activity is achieving what it set out to do, economically, efficiently and according to the law; has 205 employees.

Vision... to be recognised as a centre of excellence in auditing.

To assist Parliament to improve the accountability and performance of the State.

Values...
Independence – work without fear or
Equity – be fair, just and impartial.
Integrity – be open, honest and reliable.
Empathy – be understanding of others.
Customer Focus – be courteous, professional and add value.
Continuous Improvement – listen, think, challenge and work smarter.

Our clients are the Parliament of NSW, the Government and its agencies, and ultimately the public of NSW.

[Photo: scissors used to open the Sydney Harbour Bridge in 1932, NSW Parliament House]
[Photo: Sydney Harbour Bridge]

Dig the
"To fail to plan, is to plan to fail". IEEE 829 is arguably
still the most used software testing standard.

"Why standards? The use of standards simplifies communication, promotes consistency and uniformity, and eliminates the need to invent yet another (often different and even incompatible) solution to the same problem. Standards, whether 'official' or merely agreed upon, are especially important when we're talking to customers and suppliers, but it's easy to underestimate their importance when dealing with different departments and disciplines within our own organisation. They also provide vital continuity so that we are not forever reinventing the wheel. They are a way of preserving proven practices above and beyond the inevitable staff changes within organisations." [Ed Kit - Software Testing in the Real World]

That paragraph neatly and (quite) succinctly describes why standards exist. But how does that affect testing practitioners who live, as in the title of Ed Kit's book, in the real world?

Anything that promotes better project communication has to be good for testers. Standards have, therefore, to be effective and produce recognisable (and measurable?) gains while not adding disproportionate overheads. I once worked for a large organisation that had an internal (and mandatory) standard for almost all documents. It was such that its use transformed a document of 200 real words into 18 pages after all the necessary parts ('glossary', 'associated documents', etc.) were added. Perhaps this was counterproductive and unnecessary.

An overview of IEEE 829

There have been diverse document types used in software testing, developed in many cases for the needs of a particular organisation. IEEE 829 (1983) - the Standard for Software Test Documentation - was an attempt to pull sources together and present some best practice ideas. The standard was revisited and revised in 1998. Please note that the standard applies to any level of testing that may take place, including acceptance testing, although its application in agile development methodologies may be less obvious. It is usual to have 'a full set' of IEEE 829 documents for each testing stage that is to be undertaken.

IEEE 829 is often thought of as being the standard for a "High Level Test Plan" or "Master Test Plan" (HLTP or MTP). It is more than this, as the standard describes eight documents that can be produced as part of the testing effort. These documents are sometimes distributed between different categories and, although there is no consensus on the subdivisions, I find the following partitioning helpful:
• Test Planning
    Test plan
• Test Specification
    Test design specification
    Test case specification
    Test procedure specification
• Test Reporting
    Test item transmittal report
    Test log
    Test incident report
    Test summary report

Most of these eight document types are well known, but figure 1 (opposite) provides a very brief summary.

Test planning revisited

Test planning is a key activity in any software testing project and for that reason many would associate IEEE 829 only with test planning. The standard defines 16 items that should be considered for an MTP including the key activities of estimation ('schedule' is one of the 16) and risk, both of which are large topics in their own right.

The 16 are given below for completeness together with a well-known mnemonic (SPACEDIRT) for remembering the list; more detail on each can be found in textbooks and on web sites that deal with this subject:

S  Scope         test items, what to test, what not to test
P  People        training, responsibilities, schedule
A  Approach      the approach that will be taken to testing
C  Criteria      entry/exit criteria, n criteria
E  Environment   test environment
D  Deliverables  what is being delivered as part of the test process
I  Incidentals   introduction, identification (of the document), approval authorities
R  Risks         risks and contingencies
T  Tasks         the test tasks that are involved in the testing

It is worth noting at this point that the standard lists as 'deliverables' the seven other document types that perform part of the standard. Some organisations add to this basic list by including key items such as 'glossary' and 'references' to other documents. I usually keep MTP documents from previous projects and for projects that I worked on for other organisations, so that I can look back and see what specific details were

MTP is a LIVING document

This document specifies what is going to be done and how it is going to be done. It needs to be published, to appropriate people, to make others aware of what is - and what is not - going to be tested. However, don't wait for everything to be completed before the document is circulated for comment and/or review.

The MTP will change during the life of the project, but this does not mean that it is unnecessary to obtain individual and departmental sign-off; sign-off is achieved based on what is known at the time. In one organisation, sign-off is achieved by stating that unless this is received by a specified (and realistic) date, it will be assumed. It is remarkable how that concentrates the minds of those concerned!

Two areas that indicate the dynamic nature of the MTP concern schedules and risks. During the testing phase, good news and bad news can act to change priorities. Does this mean that the original MTP was wrong? No; the MTP is what its name suggests, just a plan. At the time, it was based on the best available information, incomplete though this was. Information will improve as testing progresses; for example, what was once a critical risk might now have been addressed (e.g. by third-party security testing). The risk is now answered and will possibly require no further action.

Figure 1  The eight parts

Test Plan              A high level view of how testing will proceed; WHAT is to be tested, by WHOM, HOW, in what TIME frame, to what QUALITY level.
Test Design Spec       Details the test conditions to be exercised, with the expected outcome (in general terms).
Test Case Spec         Specific data requirements to run tests, based upon the test conditions identified.
Test Procedure Spec    Describes how the tester will physically run the test, including set up procedures. The standard defines ten procedure steps that may be applied when running a test.
Test Item Transmittal  The recording of when individual items to be tested have been passed from one stage of testing to another. This includes where to find such items, what is new about them, and is in effect a warranty of 'fit for test'.
Test Log               Details of what tests were run, by whom, and whether individual tests passed or failed.
Test Incident Summary  Details of instances where a test 'failed' for a specific reason.
Test Summary           The Test Summary brings together all pertinent information about the testing, including the number of incidents raised and outstanding, and crucially an assessment about the quality of the system. Also recorded for use in future project planning are details of what was done, and how long it took. This document is important in deciding whether the quality of the system is good enough to allow it to proceed to another stage. This assessment is based upon detailed information that was documented in the Test Plan.

Review the document

The MTP needs to be reviewed, with reviews taking place face-to-face. If it is contentious, points of conflict need to be talked through. The MTP is not solely "owned" by the testing team(s); development groups and users can contribute significantly to its clarification and suggest other items to be added.

What is and what is not to be tested are two key elements in the MTP. In October 2002, I worked on a project where testing was, as always, pushed for time. The MTP specified that significant testing would concentrate on the retail system with respect to '53-week year' processing (2002 - 2003 was a 53-week year). The development team failed to realise the significance of 53-week years, but the mere insertion of the testing intention resulted in better code (development extended unit test coverage, found some problems and implemented fixes).

It is usual for the detail listed in the MTP to be used as a basis for deciding whether the software under test is suitable for the next stage of testing, deployment to production, etc. Thus, key individuals need to see and agree this detail before the crunch implementation meeting!

Facing Reality

The MTP is one place where testing comes face-to-face with reality.

The MTP is not free-standing, but fits into the overall Test Strategy. In some ways, it is not a prescriptive approach, but a checklist to remind those responsible what should be considered for inclusion in the MTP. Its only prescriptive feature is the use of the 16 point "check-list". It is perfectly OK to exclude one of the 16 points, so long as the reasons for excluding it are listed and agreed by the MTP's reviewers. The MTP also includes risks and assumptions; sometimes the explicit statement of a risk or assumption promotes lively discussion, and even resolution!

Conclusion

As a standard, IEEE 829 is not so much about how to test, but how to document that you have tested, and there is interplay between it and other of the project's standards and documents.

Adherence to IEEE 829 is no guarantee that the testing project will be successful. It should not be used blindly as a standard, but appropriately. Testing is a service that adds nothing to the project team's output; a tester does not make better software (and testers should not be allowed to alter code). We therefore need to slay the myth of "documentation for documentation's sake" and ask ourselves "does the output enable the test and/or development teams to do a better job; or help them to present the information found during testing in a clearer way; or demonstrate to an outside agency (e.g. the auditors) that testing has been properly planned and completed?"

Merely incorporating IEEE 829 will not make a success of a project. It can, however, help to make a success by providing guidelines and pointing the way to better understanding and to better documentation.

Figure 2  Relationship to other standards

These are some of the other standards that may be referred to when documenting according to IEEE 829:

IEEE 1008 - Standard for Unit testing
IEEE 1028 - Standard for Software Reviews
IEEE 1044 - Standard Classification for Software Anomalies
IEEE 1044-1 - Guide to Classification for Software Anomalies
BS 7925-1 - Vocabulary of Terms in Software Testing
BS 7925-2 - Standard for Software Component Testing

Where to learn more

Template - Test Plan Template, based on IEEE 829: Systeme Evolutif web-site: http://www.evolutif.co.uk/

also... http://www.cs.swt.edu/~donshafer/project_documents/test_plan_template.html

Sample - SAMPLE Test Plan, again based on IEEE 829: Systeme Evolutif web-site: http://www.evolutif.co.uk/tkb/guidelines/ieee829/ and then select Sample MTP

Worked example - http://www.luckydogarts.com/dm158/docs/System_Test_Plan.doc

See also - http://www.google.com and search for "IEEE 829"

All the web sites above were returned from a 'Google' search. The author has no commercial or other interest in these particular sites.

About the author

Peter Morgan is a senior practitioner with e-testing Consultancy Ltd, a UK-based company that specialises in training in software testing and in consultancy. The Company provides entry level training leading to the internationally recognised ISEB Foundation Certificate in Software Testing, details of which can be found at the British Computer Society web site - http://www1.bcs.org.uk/ under ISEB, Qualifications, Software Testing.

Peter's testing assignments have included large-scale UK government infrastructure projects. He can be contacted by e-mail at PMorgan@etesting.com and further details of the company can be found at http://www.etesting.com.

This article first appeared in edition 16 of Professional Tester (http://www.professionaltester.com) and is reproduced with the Editor's kind permission.

GAO Working with Congress to Improve the Information Technology Acquisition Processes

Without properly functioning hardware and software, the US Army's "Future Combat Systems" will be no more than a bunch of dumb boxes that sit and collect dust on the battlefield. Madhav Panwar and Lisa Pracchia of the General Accounting Office explain why

Congress now places heavy emphasis - backed up by legislation - on the process for acquiring high quality computer hardware and software for military use.

Recent military operations around the world demonstrate the superiority of US weapon systems developed by the Department of Defense (DOD). Furthermore, an ever increasing percentage of a weapons system's functionality is provided by ever more sophisticated and complex software. While DOD has risen to the challenge, cost overruns and unsatisfactory performance have led the General Accounting Office (GAO) to designate DOD systems development and modernization efforts a high-risk area. Significant risk factors include the enormous size and complexity of the software used by these systems. Furthermore, most DOD acquisition organizations (i.e., the program offices tasked with defining, developing and fielding weapons systems) lack both disciplined processes for managing software-intensive system acquisitions, and the contractors who develop the IT systems and software embedded in the weapons. As one Congressional source aptly described the acquisition of US weapons systems, "It's not about bending metal any more, it's about routing electrons."

Software enables a myriad of complex capabilities ranging from massive data fusion across geographically disparate large-scale sensor systems; to decision systems that automatically select the most appropriate weapon and platform to attack a given target; and on to autonomous systems that operate without human intervention to destroy incoming missiles. Software will create the network-centric operation, the cornerstone of DOD's transformation.

Other risk factors include the long-standing "cultural" issues highlighted in earlier GAO reports. Two of these remain relevant; the acquisition community's bias towards hardware and their attention to critical software issues too late in the acquisition process. Typically, program managers do not provide adequate oversight of the software phase of an acquisition, relying instead on contractors to manage themselves. While the Software Engineering Institute (SEI)[1] has provided software developers with various process improvement models, it is generally accepted that if the acquisition organization is at a low process maturity, then the entire program is at risk.

(Photo) Marine Corps' V-22 - Software Intensive Weapon System

In a 1998 CrossTalk article, Capers Jones of Software Productivity Research, Inc. defined a major DOD system as having 12.5 million C Statements and a development team numbered in the hundreds. A lack of mature development processes and communications were known to [cause] problems on such large development efforts. Configuration control and change management were poorly implemented, and documentation and software rework absorbed the bulk of development costs. Partly as a result of these weaknesses, Jones estimated that the probability of a major software-intensive development project being terminated were as high as 65%.

In contrast, today's jointly-developed large weapons systems, some of which form an integrated set of systems (sometimes called "system of systems"), are even larger, with software distributed among many subsidiary

An example is the Army's Future Combat Systems (FCS)[2], a joint Army/Defense Advanced Research Projects Agency[3] program. The Army's vision is for FCS to create an integrated "battlespace", where networked information and communications systems provide a

[1] Carnegie Mellon Software Engineering Institute... http://www.sei.cmu.edu/
[2] For more details see... http://www.darpa.mil/tto/PROGRAMS/fcs.html
[3] DARPA is at... http://www.darpa.mil

competitive edge to soldiers in the field and to commanders in the control room. At this early stage in the definition of requirements, one would be hard pressed to estimate the numbers of FCS developers in a program in which the extended team consists of one prime contractor, eight major subcontractors and 55 other companies under contract. According to Congressional sources, "The FCS is estimated at 32 million total Source Lines Of Code". However, the actual number is likely to be far greater, for past experience with software estimation has shown that we both underestimate size, and add functionality as development progresses.

Fielding FCS successfully will require a highly mature acquisition organization, and more mature development and testing approaches than those used in the past on the development of smaller systems. In particular, greater effort will need to be spent on improving processes for managing changes to requirements and for ensuring that information is shared among all stakeholders. Furthermore, program managers will need to exert far greater influence on IT-related issues and obtain more objective "Earned Value" data from contractors. Without properly functioning hardware and software, FCS will be no more than a bunch of "dumb boxes" that sit and collect dust on the battlefield.

Mature processes are essential for ensuring that (a) the requirements are objectively defined, (b) the right management discipline is applied to contract management, and (c) the software development environment is equally transparent to developer and customer. Other tools, such as Earned Value analysis, will need to be used to ensure that the system functions as intended, and that major problems and errors are caught well in advance of operational testing.

The History

Software Development Process Improvement

In the late 1980s, software developers began to invest in process improvement by adopting best practice models. Many public and private organizations based their improvement programs on the SEI's "Software Capability Maturity Model" (SW-CMM)[4]. Adoption was slow at first, but by the mid-90s, companies with improvement programs were showing results. For example, SEI reported that a major defense contractor who implemented a process improvement program in 1988 had, by 1995, reduced rework costs from about 40 percent to about 10 percent of total project cost, increased staff productivity by 170 percent and reduced defects by about 75 percent. SEI also reported that over an eight year period, a software development contractor had reduced average estimated schedule deviation from 112 percent to 5 percent, and estimated cost deviation from 87 percent to minus 4 percent.

By 2001, software development units within DOD were also showing results from their improvement programs. According to one GAO report, each DOD unit with a software process improvement (SPI) program reported positive results on software/systems quality. For example, the Defense Finance and Accounting Service reported that its SPI program had reduced the overall cost to deliver software by about one-third over comparable organizations; a Navy software activity reported reduced costs and improved product quality, and achieved a 7:1 return on its SPI investment; and an Army activity reported that improvements derived from its SPI program had enabled it to almost double its productivity in writing software for new systems.

[4] For SW CMM see... http://www.sei.cmu.edu/cmm/

Software Acquisition Process Improvement

Many defense and civilian contractors who develop software-intensive systems have made performance gains through SPI, but those who acquire the same systems have lagged behind. Problems occur in situations where low process-maturity acquirers contract for software from high process-maturity developers. Matt Fischer, one of the authors of the SA-CMM, uses this chart to explain why acquirers must also improve their process for managing software contracts.

For example, acquirers may try to circumvent development and management processes because they feel that following them adversely affects their ability to meet their goal. "Process avoidance" by the acquirer can result in

containing the necessary policy guidance. The author believes that subsequent DOD inaction in response to GAO-01-116 played a pivotal role in Congress legislating for software acquisition process improvement.

On 2 December 2002, Section 804 of Defense Authorization Act of Fiscal Year 2003 (or simply "Section 804") was enacted. The report accompanying their version of the Defense Authorization for Fiscal Year 2003 spelled out clearly the Senate's concern about the negative impact of longstanding software problems on major defense acquisition programs. The Senate stated that Section 804 is designed to implement the recommendations set out in GAO 01-116.

Section 804: The Law

established software acquisition processes and requirements.

Section 804 also requires the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (in consultation with the Under Secretary of Defense for Acquisition, Technology, and Logistics) to:

- Provide applicable improvement program administration and compliance guidance, and to ensure that secretaries of the departments and agencies comply with that
- Assist departments and agencies with their respective improvement programs by ensuring that they use applicable source selection criteria and also have access to a clearinghouse for best practice information on software development and
rework, additional delays, and unexe-                         Section 804 mandates the improvement                              acquisition in both the public and
cutable cost and schedule quotes; had it                      of DOD's software acquisition                                     private sectors.
been followed, this is exactly what the                       processes. This legislation directly
process was designed to avoid.                                instructs the secretaries of each military

Other problems can occur at the end of
                                                              department and the heads of relevant                         Congressional Intent
                                                              defense agencies to establish software
the development process. Where cost                           acquisition process improvement                              "Anyone looking at the past Congressional
and delivery schedules become more                            programs - an apparent message of                            actions and listening to the frustration
important to the acquirer than the                            frustration with the way software                            expressed in Congressional Hearings will
developer's obligation to meet their exit                     improvement has been handled in the                          find the fundamental improvements
criteria for delivering a quality product,                    past.                                                        mandated in Section 804 come as no
the result can be software that contains                                                                                   surprise. The only surprise is that Congress
avoidable defects. GAO reviews of                             Software acquisition process
                                                                                                                           has been as patient as they have been.
major weapons systems have uncovered                          improvement program requirements
                                                                                                                           Now, Congressional patience seems to be
consistent problems - such as cost                            include:
                                                                                                                           turning to impatience; an impatience to
increases, schedule delays and                                G    A documented process for software                       see significant improvement in fixing our
performance shortfalls - for which the                             acquisition planning; requirements                      perennial problems with cost, schedule,
underlying causes include pressure on                              development and management;                             and performance - and in addressing the
program managers to promise more                                   project management and oversight;                       underlying drivers that are causing these
than they can deliver.                                             and risk management.                                    problems."6
The GAO have recommended5 estab-                              G    Efforts to develop appropriate                          Congressional sources affirm that "DOD
lishing and implementing a DOD-wide                                metrics for performance                                 is going to have to pay attention from the
SPI program based on accepted best                                 measurement and continual process                       ground up, in other words, at the program
practice improvement models. In                                    improvement.                                            manager level, or programs will continue
response, DOD tasked two working                                                                                           to get tanked. Congress will remain
                                                              G    A process to ensure that key
groups within the Office of the                                                                                            interested and we're not going to let this
Secretary of Defense to develop a plan                             program personnel have an
                                                                                                                           go until DOD significantly improves how it
for implementing DOD-wide SPI and to                               appropriate level of experience or
                                                                                                                           acquires software-intensive systems. The
establish a means of sharing SPI lessons                           training in software acquisition.
                                                                                                                           only way it's going to get fixed is by people
and best practice knowledge throughout                        G    A process to ensure that each                           on the inside - it simply makes no sense
DOD. DOD also pointed to a recent                                  military department and defense                         on any level to continue ignoring it."
revision of their regulation 5000.2-R as                           agency implements and adheres to
    See report GAO-01-116 (DOD Information Technology: Software and Systems Process Improvement Programs Vary in Use of Best Practices), published in March 2001.
    Norm Brown, Founder and Former Director of the Software Program Managers Network, and Navy Department Member of the 2000 Defense Science Board Task Force on Defense Software.
54   I   into IT

DOD Response and Implementation Guideline

On 21 March 2003, DOD issued a memorandum to provide the uniform implementation guidance that Section 804 requires. This memorandum identifies applicability, delineates organizational roles and responsibilities for overseeing implementation, and clarifies initial expectations for DOD Component process improvement programs. It also instructed military departments and those defense agencies that manage major defense acquisition programs to establish software acquisition process improvement programs. Requirements for these programs included defining and applying measures; following applicable methods based on some structured approach that includes an appraisal method; and determining and reporting the status of process adherence and performance.

The DOD memorandum also gives the Office of the Secretary of Defense Software Intensive Systems Steering Group the role of leading a DOD-wide effort to improve software acquisition processes. This role entails providing program guidance; identifying best practices; establishing a clearinghouse of information regarding best practices and lessons learned in software development and acquisition; and providing guidance for documenting, performing, and continuously improving a minimum of eight specific software acquisition processes.

Highlights of Recent GAO Reports Relating to Acquisition Process Improvement

GAO report GAO-01-116 (http://www.gao.gov/new.items/d01116.pdf):

- Compared and contrasted DOD software and systems engineering practices with leading best practices.
- Recommended issuing a DOD-wide policy implementing SPI for software-intensive systems based on SEI best practice improvement models; developing a program to gauge compliance to that policy; and developing a means of sharing SPI lessons learned throughout the DOD.

GAO report GAO-02-9 (http://www.gao.gov/new.items/d029.pdf):

- Reviewed the quality of the Defense Logistics Agency's processes, its application of best practices and opportunities to improve.
- Recommended issuing a DLA-wide policy requiring software-intensive acquisition projects - both the acquirers and contract developers - to achieve a specific level of process maturity based on a combination of SEI improvement models; and to establish/sustain a software process improvement program.

GAO report GAO-02-701 (http://www.gao.gov/new.items/d02701.pdf):

- Assessed the impact of design and manufacturing knowledge on DOD program outcomes, compared best practices to those used by DOD, and analyzed current weapons system acquisition guidance for application of best practices to obtain better program outcomes.
- Recommended taking steps to close the gaps between the current DOD acquisition environment and best practices; ensuring that its acquisition processes capture specific design and manufacturing knowledge at key junctures; and providing incentives to use knowledge-based processes.

GAO report GAO-03-476 (http://www.gao.gov/new.items/d03476.pdf):

- Provided an independent, knowledge-based assessment of 26 major defense acquisition programs to gauge projected attainment of program goals relative to best practices.
- Observed that when programs proceed with less knowledge than suggested by best practices, cost, schedule and performance problems often result; to varying degrees all programs assessed proceeded with inadequate knowledge at key junctures and suffered negative consequences.

Conclusions

Section 804's mandate for DOD software acquisition process improvement programs is here to stay. It is not one-time legislation with little or no follow-up, but the result of a consistent, well documented and growing need. Congressional sources are already considering actively identifying certain key programs for greater scrutiny to see if they have adequately implemented the legislation's requirements. According to GAO sources, "the outcome is what's important, and not which best practice improvement model is used as a road map to achieve the mandated requirements." Given that the GAO and Congress both feel that the acquisition of systems with major software components needs to be improved, it is imperative that DOD program managers understand that their efforts will be measured against Section 804 requirements.

Madhav S. Panwar and Lisa Pracchia

A chilling thought!

"There was of course no way of knowing whether you were being watched at any given moment."
George Orwell, "1984"

Author and wit Quentin Crisp described euphemisms as "unpleasant truths wearing diplomatic cologne"; and on matters concerning cologne, Quentin was a force to be reckoned with.

My daughter's social security number recently dropped through our letterbox, a gentle reminder from the State that the time had come to commence a lifetime's toil. Although several years of study lie ahead, the college vacations now offer the opportunity - so Jean informed us - to supplement the pittance paid her by her miserly parents. This was excellent news indeed, for my daughter has developed a remarkable talent for outlay and it was heartening to see her become immersed in the Situations Vacant columns of our local rag. Having learned not to play with fire I didn't enquire too closely about her intentions, but it came as quite a surprise when, some days later, Jean announced that she was to start work as a "console operator".

Console operator? Perhaps I've been around IT for too long, for the vision that flashed through my mind on hearing this news was one of watchful technicians confronting a bank of message-laden screens on the operations bridge of some Big Blue installation. Alas, not so. Just as the Head Programmer of old has transformed into the service provider's Chief Software Architect; Learning Solution Consultants have displaced Trainers; and Public Relations Officers now style themselves Media Outreach Coordinators, I guess that I shouldn't be surprised to find our local supermarket's checkout girls also wearing a discreet splash of diplomatic cologne. After all, when properly considered, "console operator" isn't an entirely misleading description of their role, for what are the innocuous looking point-of-sales terminals they attend but consoles, optimised to pour an endless stream of purchase data (yes, even my one-horse town has 24 x 7 shopping) into the company's ever-churning accounting, supply chain and data mining

Supermarket retailing has moved a world apart from the high street grocery stores of my youth. Refrigeration and sleek vacuum packaging have put paid to the suspended sides of ham and bacon, the whole cheeses, and the sacks and casks of various comestibles that together gave rise to the characteristic and unforgettable grocery store aroma.[1] Gone is the marble-topped counter resplendent with bacon slicer, coffee grinder and brass weighing scales, crowned by a cash register exhibiting similar architectural lines to the Bank of England. Gone also is the apron-clad proprietor who, much to my dismay, always had time to update my mother on all the local gossip, and in full and complete detail! These changes owe much to Piggly Wiggly.[2]

The bar code...

...a method of automatic identification that allows information to be captured quickly and accurately by a computer. A bar code symbol consists of a series of bars and spaces of various thicknesses. These are broken down into groups of bar/space patterns that represent human readable characters.

[1] Visitors to London can still sample that aroma in the Food Hall at Harrods. Well worth a visit.
[2] Piggly Wiggly... http://www.pigglywiggly.com/

Piggly Wiggly®

Piggly Wiggly was the creation of Clarence Saunders, an American, who to the grocery trade was what Charles Babbage was to computing, a creative genius with ambition. Whereas Babbage's mission was to enhance the quality of mathematical tables, Saunders strove to improve shopping for customer and grocer alike. Despite his

later attempts at automation being, like those of Babbage, for another age, Saunders introduced many successful and startlingly simple innovations, including that which underpins the supermarket concept, "self-service".

In grocery stores of the time, shoppers presented their orders over the counter to sales assistants, who then gathered the groceries from the store's shelves. Saunders' idea was that the customer would do this by walking around the store with a basket (the supermarket trolley was a much later innovation). And the payoff? Customers received the benefits of greater variety, lower prices and quicker shopping, but gone forever was the old high street grocery store with its characteristic aroma, furnishings and personal service.

Saunders opened his first Piggly Wiggly store in Memphis in 1916 and it quickly became popular. Customers entered through turnstiles and, with no assistants to shop for them, selected their groceries from open shelves, paying for them at a "checkout". Piggly Wiggly went on to become a group of independent franchises, which by 1929 was the second largest grocery group in the US and its creator a millionaire. Then came the Wall Street Crash followed by a legal dispute with the New York Stock Exchange that drove Saunders into bankruptcy. Although Piggly Wiggly survived - and remains alive and well - Saunders had no further connection with the business.

Not a man deterred by setbacks, Clarence Saunders went on to experiment with automated self-service shopping. In his Keedoozle store - a name derived from the phrase "key does all" - the merchandise was displayed as single units each within a glass cabinet under which was a keyhole. Customers entering the store were handed a small pistol-like key that they placed in the keyhole below the goods they wished to buy, the quantity being determined by the number of times they pulled the key's trigger. This action, recorded on punched tape, activated back office machinery to assemble the order, which was then despatched to the checkout on a conveyor belt. On reaching the checkout, the customer's tape was run through a reader to produce the bill, their groceries being assembled, boxed and waiting for collection. No need for shopping trolleys, while there were savings in space, in the labour needed to stock the shelves and in the time customers spent queuing at the checkout. Alas, the machinery proved unreliable, particularly at busy times, and the resulting delays coupled with a heavy maintenance bill killed Keedoozle.

Saunders never fulfilled his dream of truly automated shopping. At the time of his death in 1953, he was planning another automatic store based on a system he named "Foodelectric". And Piggly Wiggly? Saunders' reason for choosing this intriguing name remains a mystery. A story has it that it suggested itself when he saw several little pigs struggling to get under a fence from the window of a passing train. When asked why he chose such an unusual name, Saunders' reply was, "So people will ask that very question". One can't argue with that!

An icon for today

Visitors to the Smithsonian Institution's National Museum of American History will not be surprised to find a pack of Wrigley's chewing gum displayed among other icons of American culture. But this particular pack of gum is more than that; on 26th June, 1974, it became the first bar coded product to be lifted from a supermarket trolley by a long-forgotten customer, and scanned at a checkout. Looking around me I see several items branded in this way; the case of the CD I'm listening to, a book, a couple of magazines, the covers of some document folders lying on my desk beneath a can of Coke, all bear prominent bar codes. If I looked in our refrigerator, I'd find more. Back at the office, our electrical and IT equipment is bar coded to streamline identification during inventory. Conference delegates are sometimes asked to wear a bar coded ID badge, as are hospital patients; airline passengers' luggage, packages sent through the mail, and just about everything sold in a supermarket are bar coded to aid identification and tracking. NASA relies on bar codes to monitor the thousands of heat tiles that need replacing after every space shuttle trip. Researchers have even placed tiny bar codes on individual bees to track their mating habits. The ubiquitous bar code is truly an icon for today.

The story began in 1948. A student at the Drexel Institute of Technology in Philadelphia overheard the chief executive of a local supermarket chain asking one of the deans to undertake research into a system that would automatically read product information at the checkout. The dean wasn't interested, but Bernard Silver told his friend Joe Woodland about the request and they began working on a solution.

Their first device used patterns of ink that glowed under ultraviolet light. It worked, but the patterns were expensive to print and there were problems with ink stability. Despite the drawbacks, the pair remained convinced they had a workable idea, Woodland even giving up teaching to devote more time to developing a practical system.

And the outcome? An application to patent an invention relating "to the art of article classification ...through the medium of identifying patterns". The patent was issued on 7th October 1952.[3]

[3] US patent 2,612,994 can be viewed online at... http://patft.uspto.gov/netahtml/srchnum.htm (you may need to install a Tiff image viewer to display it... http://www.alternatiff.com/)

In their patent ("Fig 10" is an extract), Woodland and Silver described their bar code as a symbol made up of concentric circles to enable reading from any

direction, but they also described their "symbology" as a pattern of four straight white lines on a dark background, the first being a datum line from which the positions of the other three were fixed. Information was encoded by the presence or absence of one or more of the lines, thus allowing up to seven different article classifications (excluding the datum line, binary 111). However, the inventors noted that by adding more lines it would be possible to encode more classifications (e.g. 10 data lines enables 1023 classifications). A movie soundtrack player served as a bar code reader, but it was bulky and expensive to install while use of a high power

Equivalent UPC-A & UPC-E bar codes. UPC-E is a smaller seven-digit UPC symbology often used for small retail items. UPC-E compresses a normal 12-digit UPC-A number into a

Bar code readers contain a light source, photo detector and signal processing circuitry. The light source

on to develop bar coding further for IBM, work recognised in 1992 by the award of the National Medal of Technology by President Bush, he didn't grow rich from an idea that spawned a billion dollar business.

The problem with labelling

New technologies occasionally converge with emerging business demands to bring about a step-change in the way that things are done. This was to be the case with bar coding.

By the early 1970s, laser scanners and a new generation of intelligent cash register - the electronic point-of-sales (EPOS) terminal - had arrived. These developments coincided with growing competition between the US

possible to price any item in the store simply by modifying its entry in the central database. Data captured at the checkout can also be used to track stock levels; to support automatic product re-ordering when stock falls below predetermined levels (a job for electronic data interchange - EDI); to identify fast and slow moving product lines; and, by using historical data, to predict seasonal fluctuations in demand. Furthermore, by cajoling customers into using personal loyalty cards, sales data can be linked to individual customer profiles to determine their purchasing habits (and so into the world of "data mining"). The big drawback is that to devise a labelling scheme for every supermarket chain is not just expensive; it also hinders supply chain integration due to manufacturers having to recognise different supermarket numbering schemes. Product labelling is only cost-effective when supermarket chains work cooperatively with each other and with their

Back in 1970, this problem soon became apparent. The outcome was an industry committee, set up to formulate guidelines on barcode development and to devise a standard approach. Some basic principles were to lie at the
  shines light onto the bar code, is            six-digit code by "suppressing" the         heart of the Committee's guidelines:
  reflected back into the scanner and           number system digit, trailing zeros in
                                                                                            G   to make life easier for the cashier,
  focused onto the photo detector,              the manufacturer's code and leading
  which converts the optical                    zeros in the product identification part
                                                                                                thereby reducing queues at the
  information into an electrical signal.        of the bar code message. A seventh
                                                                                                checkout, bar codes needed to be
  The signal is then "cleaned up" with          check digit is encoded into a parity
                                                                                                readable from almost any angle and
  further circuitry and converted to a          pattern for the six main digits. UPC-E
                                                                                                at a wide range of distances;
  signal format that will be recognised         can thus be uncompressed back into          G   the labels, which would be
  by the device to which the bar code           a standard UPC-A 12-digit number.               reproduced by the millions, needed
  reader is connected.                                                                          to be cheap and easy to print; and to
                                               supermarket chains that increased                be affordable...
filament lamp made its operation               pressure on their already tight trading      G   automated checkout systems
somewhat hazardous. A further                  margins. The search was on to cut costs          needed to pay for themselves in two
problem was that the computers                 and the most obvious target was the              and a half years.
needed to process the information              checkout, where the EPOS terminal
captured by the reader were not readily        offered promising possibilities providing    The last goal turned out to be quite
available in the 1950s.                        that each grocery product could be           plausible. Business consultants McKinley
                                               identified uniquely, automatically and, of   predicted that by adopting a universal
Bar coding was a sound concept, but it                                                      labelling system the industry would save
                                               course, cheaply.
was to be almost 20 years before                                                            $150 million a year at 1970 prices.
microchip and laser scanning technolo-         When a bar coded product is scanned at
gies were sufficiently mature to make it       the checkout, the bar code reader            The Universal Product Code (UPC)
a practical proposition. By then, Bernard      captures the product's unique reference      was to emerge from these deliberations
Silver was dead - he died in 1962, at the      number, which the EPOS terminal then         and from development undertaken by
age of thirty-eight - and RCA had              uses as a key to enter a central database    IBM (who recalled having Joe Woodland
acquired the rights to Woodland and            to obtain the product's price and            on their payroll).
Silver's patent. Although Woodland went        description. By this means, it becomes
58   I   into IT

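As an added worked example (not code from the article or from any of the bodies it names), here is the arithmetic behind the UPC-A check digit the article goes on to describe, together with the UPC-E expansion the box above summarises, in Python. The Quaker digits "30000 06110" and "30000 01020" are the article's; the leading number-system digit 0 (a national brand) is taken from the article's description, and the trailing check digits are computed here, not quoted from it. The UPC-E bodies and the weak spot shown at the end (an adjacent transposition of two digits that differ by 5, which the check digit cannot detect) are constructed inputs. The caveat a practitioner should take away: the check digit catches scanning errors, it is not an integrity control, since anyone can recompute it.

```python
"""UPC-A check digit and UPC-E expansion (added example, not from the article)."""


def _expand_body(body: str) -> tuple:
    """Expansion rules for a six-digit UPC-E body, keyed by its last digit.
    Returns (manufacturer_code, product_code), both five digits long."""
    last = body[5]
    if last in "012":                       # XXNNN0/1/2 -> XX[0|1|2]00 - 00NNN
        return body[0:2] + last + "00", "00" + body[2:5]
    if last == "3":                         # XXXNN3 -> XXX00 - 000NN
        return body[0:3] + "00", "000" + body[3:5]
    if last == "4":                         # XXXXN4 -> XXXX0 - 0000N
        return body[0:4] + "0", "0000" + body[4]
    return body[0:5], "0000" + last         # XXXXX5..9 -> XXXXX - 0000[5-9]


def upca_check_digit(digits11: str) -> str:
    """Check digit for the first 11 digits of a UPC-A.
    Digits in odd positions (1st, 3rd, ..., 11th) are weighted 3, even positions 1;
    the check digit brings the weighted total up to a multiple of 10."""
    if len(digits11) != 11 or not digits11.isdigit():
        raise ValueError("expected 11 decimal digits")
    odd = sum(int(d) for d in digits11[0::2])
    even = sum(int(d) for d in digits11[1::2])
    return str((10 - (3 * odd + even) % 10) % 10)


def make_upca(number_system: str, manufacturer: str, product: str) -> str:
    """Assemble a full 12-digit UPC-A from number system, manufacturer and product code."""
    if len(number_system) != 1 or len(manufacturer) != 5 or len(product) != 5:
        raise ValueError("fields must be 1, 5 and 5 digits long")
    body = number_system + manufacturer + product
    return body + upca_check_digit(body)


def is_valid_upca(code: str) -> bool:
    """True when the 12th digit equals the check digit computed over the first 11."""
    return len(code) == 12 and code.isdigit() and upca_check_digit(code[:11]) == code[11]


def expand_upce(number_system: str, body: str) -> str:
    """Uncompress a UPC-E (number system 0 or 1 plus six data digits) into UPC-A.
    UPC-E carries the same check digit as the expanded UPC-A, so it is simply recomputed."""
    if number_system not in ("0", "1") or len(body) != 6 or not body.isdigit():
        raise ValueError("UPC-E uses number system 0 or 1 and six data digits")
    manufacturer, product = _expand_body(body)
    return make_upca(number_system, manufacturer, product)


def split_upca(code: str) -> dict:
    """Break a valid UPC-A into the fields the article describes."""
    if not is_valid_upca(code):
        raise ValueError("invalid UPC-A")
    return {"number_system": code[0], "manufacturer": code[1:6],
            "product": code[6:11], "check": code[11]}


if __name__ == "__main__":
    # Article's Quaker examples; number system 0 = national brand; check digit computed.
    for product in ("06110", "01020"):
        code = make_upca("0", "30000", product)
        print(code, split_upca(code))
    # Constructed UPC-E body; shows the expansion rule for a trailing 0.
    print(expand_upce("0", "123450"))
    # Constructed: swapping adjacent digits that differ by 5 leaves the check digit unchanged.
    print(is_valid_upca("012345000072"), is_valid_upca("012340500072"))
```

The last line of the demo is the point to remember when a scan "validates": a single wrong digit is always caught, but some transpositions are not, and a deliberately relabelled package validates just as well as a genuine one.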
The Universal Product Code

Introduced in 1973, UPC was the first bar code symbology to be widely adopted for product marking, in this case by the American grocery industry. Some 250,000 companies in 25 major industries now use the codes to reduce supply chain costs and improve business efficiency.

To obtain a company identifier code, a manufacturer registers with the Uniform Code Council[4] and then registers each product, thereby ensuring that every package scanned at the checkout bears a unique product reference number. The code comprises two groups of six coded digits (the numbers below a bar code are translations for human use only). The first digit in the first group indicates the type of product - zero for a national brand; 2 for variable weight, such as meat; 4 for price reductions; and a few other special items. The next five are the manufacturer's code, such as "30000" for the Quaker Oats Company. In the second group, the first five digits form the unique product code, while the sixth digit is there to verify that all the preceding digits have been scanned properly. Thus the scanner will read "30000 06110" as a pound of Quaker's "Cap'n Crunch" cereal, or "30000 01020" as an 18-ounce package of "Old Fashioned Quaker Oats". To enable scanning in either direction, hidden cues in the code's structure tell the scanner which end is which, while printing the bar coded reference numbers on product wrappers during manufacture relieves stores of the expensive overhead of having to label every item they stock.

UPC is not the only bar code symbology now in use; there are many others designed for different industries, including the European Article Numbering system (EAN[5] - also developed by Joe Woodland), which includes an extra pair of digits and is on its way to becoming the world's most widely used system. The United States Department of Defense adopted "Code 39" for marking all products sold to the US military. POSTNET is the standard bar code used in the United States for ZIP codes in bulk mailing.

An extension of the single dimensional bar code concept is the two-dimensional (2D) bar code, which uses two axes to enable information about an item to be encoded in addition to its identifying code. Some 2D codes, such as the hexagon-based Maxicode[6], do not use bars at all.

  MaxiCode is a 2D symbology that can encode about 100 characters of data in an area of one square inch. Within this small space are two MaxiCode components: black and white hexagons that pack information in two directions, and a target-like central pattern that allows the symbol to be easily located at high speeds.

An icon for tomorrow?

Although UPC symbols form the backbone of all things inventory in the grocery trade, the new Radio Frequency ID (or RFID) tag has superseded optical scanning. RFID offers the potential for 'smarter', more flexible supply chain management. It enables products to be identified, counted and tracked automatically, resulting - so its promoters claim - in "near-perfect stock and supply chain visibility".

Products are implanted with RFID tags during manufacture. Each tag contains a microchip on which is stored a unique Electronic Product Code (EPC) and a tiny radio antenna. At 400 microns square - a micron (µm) is one thousandth of a millimetre - a tag is smaller than a grain of sand.

  The EPC is made up of a header and three sets of data. The header identifies the EPC's version number to allow for different lengths or types of EPC later on. The second part of the number identifies the EPC Manager, most likely the manufacturer of the product the EPC is attached to, for example 'The Coca-Cola Company'. The third, called object class, refers to the exact type of product, most often the Stock Keeping Unit; for example 'Diet Coke 330 ml can, US version'. The fourth is the item's unique serial number, which describes exactly which 330 ml can of Diet Coke is referred to. This makes it possible, for example, to quickly find products that might be nearing their expiry date.

As a pallet of goods leaves the manufacturer, it passes through a beam of radio waves transmitted by an RFID reader. This causes the tags to "wake up" and begin broadcasting their individual EPCs. Depending on the radio frequency used, RFID systems give a range of up to 30 metres, thus removing the line-of-sight restrictions that apply to bar code scanning.

A local application linked to the readers then queries an Object Name Service database over the Internet. Acting like a reverse telephone directory, the ONS server matches the EPC to the address of a server that holds extensive information on the product; this links to and augments similar systems around the world to form a global database. Because the reader that sent the query is in a known location, the 'system' can identify which manufacturer produced the product; hence, should a product defect or tampering incident arise, the source of the problem is easily located.

Back at the supermarket, deliveries update the store's retail systems automatically. What's more, because the supermarket's shelves are equipped with integrated readers, they "understand" what stock is being placed on them. When a customer removes an item, the diminished shelf immediately routes a message to the automated replenishment system, which if necessary orders further stock. And customer benefits? A reader built into the store's exit recognises each item in the shopper's trolley by its individual EPC; a quick swipe of the debit or credit card and the customer's on their way. Gone is the checkout with its "console operator", while in another place, Clive Saunders beams with satisfaction.[7] Perhaps 'RFID' will become tomorrow's icon?

  An RFID system typically includes:
  • a tag or label embedded with a single chip computer and an antenna;
  • a radio (much like a wireless LAN radio) that communicates with the tag.
  Unlike bar code-based tracking systems, an RFID system can read the information on a tag without requiring line of sight or a particular orientation. The tag can be programmed to hold information such as an item's serial number, colour, size, manufacture date and current price, as well as a list of all distribution points the item touched before reaching the store.

And to conclude, a little science fiction - or is it?

Contrary to George Orwell's grim prediction[8], 1984 passed free (overall) from his bleak vision of omnipresent state security. Nevertheless, one might reflect on events in the aftermath of 9/11 and on their implications for the future. For instance, it might concern us to learn that the role of the US Information Awareness Office[9] is to "imagine, develop, apply, integrate, demonstrate, and transition information technologies, components, and prototype closed-loop information systems that will counter asymmetric threats by achieving total information awareness that is useful for pre-emption, national security warning, and national security decision making." Buried deep in this bucketful of gobbledegook, 'total information awareness' sounds uncannily similar to an objective touched on earlier in this piece, 'near-perfect stock and supply chain visibility'.

In the eyes of some, 9/11 nurtured the business case for tighter state security, while the technology necessary to deliver 'near-perfect stock and supply chain visibility' is now available. Might business case and enabling technology again combine to bring about another step change, not in the way we identify and track groceries, but people and their possessions? Might the time come when, in place of a letter informing us of our social security number, we're implanted[10] with an Electronic Person Code (EPC) tag at birth? Might a government department exist - Orwell named it "Ministry of Love", Miniluv for short - to keep an outwardly benevolent eye on us, its inner role suitably shrouded in diplomatic cologne by its media outreach coordinators?

Consider a few of the advantages. We always know where our children are, or can find out. Gone are the interminable queues at airport check-ins, security and immigration desks; embedded RFID tags ensure that, on arrival, we and our possessions are automatically scanned, identified and verified by reference to a global (and, naturally, error-free) Object Name Service database. What about a 'less-crime', if not a crime-free, society? It's a big disincentive to commit crime when the authorities know where everyone and their possessions are at any given moment.

RFID delivers such capabilities on a plate; but there's a question to be asked. Where does state security start and finish, and where does the violation of personal privacy and civil liberty begin? State security ruled OK in Orwell's starkly painted world. As he described it, "there was of course no way of knowing whether you were being watched at any given moment". Might the application of RFID move us in that direction?

A chilling thought!

See diagram overleaf.

Ian Petticrew

[4] The Uniform Code Council... http://www.uc-council.org
[5] EAN International... http://www.ean-ucc.org/
[6] Example of 2D bar coding; Maxicode...
[7] Store of the future movie... http://www.future-store.org/servlet/PB/menu/1000373_l2/1073996191443.html
[8] George Orwell - "1984" online edition... http://www.online-literature.com/orwell/1984/
[9] The IAO web site has been withdrawn, but see... http://en.wikipedia.org/wiki/Information_Awareness_Office
[10] It's quite feasible! See Kevin Warwick, Professor of Cybernetics...
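The EPC box earlier in the piece describes a header plus three fields (EPC Manager, object class, serial number) and an Object Name Service that maps an EPC to the address of an information server. As an added example (not code from the article, the journal or any EPC body), the Python below packs and unpacks that layout using the 96-bit General Identifier (GID-96) of the EPC Tag Data Standard: an 8-bit header of 0x35, a 28-bit manager number, a 24-bit object class and a 36-bit serial. Those widths and the header value come from that standard, not from the article. The ONS stand-in is a constructed dictionary with a hypothetical address; the real ONS is a DNS-based service. The defender's point it makes concrete: every reader in range receives the full EPC, serial included, so the per-item identifier that makes "near-perfect visibility" possible is exactly what the article's closing section worries about.

```python
"""GID-96 EPC encode/decode and a reverse-directory style lookup
(added example; layout per the EPC Tag Data Standard's GID-96, not from the article)."""

from dataclasses import dataclass

GID96_HEADER = 0x35                       # 8-bit header value that marks a GID-96
MANAGER_BITS, CLASS_BITS, SERIAL_BITS = 28, 24, 36
TOTAL_BITS = 8 + MANAGER_BITS + CLASS_BITS + SERIAL_BITS   # 96


@dataclass(frozen=True)
class Epc:
    manager: int        # EPC Manager number: the company that issued the code
    object_class: int   # product type, typically a stock keeping unit
    serial: int         # this one physical item


def _mask(bits: int) -> int:
    return (1 << bits) - 1


def encode_gid96(epc: Epc) -> str:
    """Pack header and the three fields into 96 bits, returned as 24 hex digits."""
    for value, bits, name in ((epc.manager, MANAGER_BITS, "manager"),
                              (epc.object_class, CLASS_BITS, "object_class"),
                              (epc.serial, SERIAL_BITS, "serial")):
        if not 0 <= value <= _mask(bits):
            raise ValueError(f"{name} does not fit in {bits} bits")
    word = ((GID96_HEADER << (MANAGER_BITS + CLASS_BITS + SERIAL_BITS))
            | (epc.manager << (CLASS_BITS + SERIAL_BITS))
            | (epc.object_class << SERIAL_BITS)
            | epc.serial)
    return f"{word:024X}"


def decode_gid96(hex_epc: str) -> Epc:
    """Inverse of encode_gid96; rejects input that is not a 96-bit GID."""
    if len(hex_epc) != 24:
        raise ValueError("a 96-bit EPC is 24 hex digits")
    word = int(hex_epc, 16)
    if word >> (MANAGER_BITS + CLASS_BITS + SERIAL_BITS) != GID96_HEADER:
        raise ValueError("header is not GID-96")
    return Epc(manager=(word >> (CLASS_BITS + SERIAL_BITS)) & _mask(MANAGER_BITS),
               object_class=(word >> SERIAL_BITS) & _mask(CLASS_BITS),
               serial=word & _mask(SERIAL_BITS))


# Constructed stand-in for the Object Name Service. Like a reverse telephone
# directory, it answers with the address of the server holding the product record;
# the manager number and object class select the entry, the serial is not needed.
ONS_TABLE = {
    (1000, 42): "https://epcis.manager-1000.invalid/class/42",   # hypothetical address
}


def resolve(hex_epc: str) -> dict:
    """Decode an EPC read off a tag and look up the product information server."""
    epc = decode_gid96(hex_epc)
    server = ONS_TABLE.get((epc.manager, epc.object_class))
    # The serial travels with the query whether or not the lookup needs it:
    # that is the per-item trace the article's last section is concerned about.
    return {"server": server, "known_manager": server is not None, "serial": epc.serial}


if __name__ == "__main__":
    tag = encode_gid96(Epc(manager=1000, object_class=42, serial=123456789))
    print(tag)                 # 3500003E800002A0075BCD15
    print(decode_gid96(tag))
    print(resolve(tag))
```

Note that decode_gid96 refuses anything whose header byte is not 0x35; a reader application that accepts arbitrary 96-bit values and looks them up blindly will happily resolve codes that were never issued.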
Layout and Production by NAO Information Centre | Printed by SLSPrint | DG Ref: 3316RD
Printed on Greencoat paper. Greencoat is produced using 80% recycled fibre and 20% virgin TCF pulp from sustainable forests.
