(SM) Chapter 3

The document provides review questions and answers about operating system controls, network security techniques, and encryption methods. It discusses topics like the five control objectives of an operating system, access control lists, firewalls, public key encryption, digital signatures, and deep packet inspection. The document aims to test understanding of fundamental concepts in system and network security.

CHAPTER 3

SECURITY PART I: AUDITING OPERATING SYSTEMS AND NETWORKS

REVIEW QUESTIONS

1. What are the five control objectives of an operating system?


Response:
a. The operating system must protect itself from users.
b. The operating system must protect users from each other.
c. The operating system must protect users from themselves.
d. The operating system must be protected from itself.
e. The operating system must be protected from its environment.

2. What are the three main tasks the operating system performs?
Response:
a. Translates high-level languages into the machine-level language the computer can
execute.
b. Allocates computer resources to users.
c. Manages the tasks of job scheduling and multiprogramming.

3. What is the purpose of an access control list?


Response: An access control list is assigned to each computer resource such as
directories, files, programs, and printers. These lists contain information that defines the
access privileges for all valid users of the resource. When a user attempts to access a
resource, the system compares his or her ID and privileges contained in the access token
with those contained in the access control list. If there is a match, the user is granted
access.

4. What are the four techniques that a virus could use to infect a system?
Response: The virus program can attach itself to
a. an .EXE or .COM file,
b. an OVL (overlay) program file,
c. the boot sector of a disk, or
d. a device driver program.

5. What is an access token?


Response: At login, the operating system creates an access token that contains key
information about the user, including user ID, password, user group, and privileges
granted to the user. The information in the access token is used to approve all actions
attempted by the user during the session.

6. Explain discretionary access privileges.


Response: In distributed systems, end users may control (own) resources. Resource
owners in this setting may be granted discretionary access control, which allows them to
grant access privileges to other users. For example, the controller, who is the owner of the
general ledger, may grant read-only privileges to a manager in the budgeting department.
The accounts payable manager, however, may be granted both read and write permissions
to the ledger. Any attempt the budgeting manager makes to add, delete, or change the
general ledger will be denied. Discretionary access control needs to be closely supervised
to prevent security breaches resulting from too liberal use.
7. What is event monitoring?
Response: Event monitoring is an audit log that summarizes key activities related to
users, applications, and system resources. Event logs typically record the IDs of all users
accessing the system; the time and duration of a user’s session; programs that were
executed during a session; and the files, databases, printers, and other resources accessed.

8. What is keystroke monitoring?


Response: Keystroke monitoring is the computer equivalent of a telephone wiretap. It is
a log that records both the user’s keystrokes and the system’s responses to them. This
form of log may be used after the fact to reconstruct the details of an event or as a
real-time control to monitor or prevent unauthorized intrusion.

9. What is a vaccine and what are its limitations?


Response: A vaccine is an anti-virus program that detects and removes viruses from
infected programs or data files. Most antiviral programs run in the background on the
host computer and automatically test all files that are uploaded to the host. Its limitation
is that it works only on known viruses and versions of the virus.

10. What are the risks from subversive threats?


Response: The risks from subversive threats include: a computer criminal intercepting a
message transmitted between the sender and the receiver, a computer hacker gaining
unauthorized access to the organization’s network, and a denial-of-service attack from a
remote location of the Internet.

11. What are the risks from equipment failure?


Response: The risks from equipment failure include the fact that transmissions between
senders and receivers can be disrupted, destroyed, or corrupted. Equipment failure can also
result in the loss of databases and programs stored on the network server.

12. What is a firewall?


Response: A firewall is a system that enforces access control between two networks.
Firewalls can be used to authenticate an outside user of the network, verify his or her
level of access authority, and then direct the user to the program, data, or service
requested. In addition to insulating the organization’s network from external networks,
firewalls can also be used to insulate portions of the organization’s intranet from internal
access.

13. Distinguish between network-level and application-level firewalls.


Response: A network-level firewall accepts or denies access requests based on filtering
rules, and then directs the incoming calls to the correct internal receiving node.
Network-level firewalls are insecure because they are designed to facilitate the free flow
of information rather than restrict it. A network-level firewall does not explicitly
authenticate outside users.
Application-level firewalls provide a higher level of customizable network security,
but they add overhead to connectivity. These systems are configured to run security
applications called proxies that permit routine services such as e-mail to pass through the
firewall, but can perform sophisticated functions such as user authentication for specific
tasks. Application-level firewalls also provide comprehensive transmission logging and
auditing tools for reporting unauthorized activity.
14. What are the most common forms of contra-security behavior?
Response:
a. Forgetting passwords and being locked out of the system.
b. Failing to change passwords on a frequent basis.
c. The Post-it syndrome, whereby passwords are written down and displayed for others to
see.
d. Simplistic passwords that a computer criminal easily anticipates.

15. What can be done to defeat a DDoS attack?


Response: As a countermeasure to DDoS attacks, many organizations have invested in
intrusion prevention systems (IPS) that employ deep packet inspection (DPI) to determine
when an attack is in progress. DPI uses a variety of analytical and statistical techniques to
evaluate the contents of message packets. It searches the individual packets for protocol
noncompliance and employs predefined criteria to decide if a packet can proceed to its
destination. This is in contrast to the normal packet inspection that simply checks the
header portion of a packet to determine its destination. By going deeper and examining
the payload or body of the packet, DPI can identify and classify malicious packets based
on a database of known attack signatures. Once classified as malicious, the packet can

16. How does public key encryption work?


Response: Public key encryption uses two different keys: one for encoding messages
and the other for decoding them. Each recipient has a private key that is kept secret and a
public key that is published. The sender of a message uses the receiver’s public key to
encrypt the message. The receiver then uses his or her private key to decode the
message. Users never need to share their private keys to decrypt messages, thus reducing
the likelihood that they fall into the hands of a criminal.

17. What is a digital envelope?


Response: DES and RSA encryption are used together in what is called a digital
envelope. The actual message is encrypted using DES to provide the fastest decoding.
The DES private key needed to decrypt the message is encrypted using RSA and
transmitted along with the message. The receiver first decodes the DES key, which is
then used to decode the message.

18. What is a digital signature?


Response: A digital signature is an electronic authentication that cannot be forged. It
ensures that the message or document transmitted originated with the authorized sender
and that it was not tampered with after the signature was applied. The digital signature is
derived from the computed digest of the document that has been encrypted with the
sender’s private key.

19. Categorize each of the following as either an equipment failure control or an
unauthorized access control:
Response:
a. message authentication: unauthorized access control
b. parity check: equipment failure control
c. call-back device: unauthorized access control
d. echo check: equipment failure control
e. line error: equipment failure control
f. data encryption: unauthorized access control
g. request response technique: unauthorized access control
20. What is DPI?
Response: DPI (deep packet inspection) is a technique that searches individual network
packets for protocol non-compliance to decide if a packet can proceed to its destination.
DPI can identify and classify malicious packets based on a database of known attack
signatures.

21. At what three points in an electronic data interchange transaction and validation
process can authorization and validation be accomplished?
Response:
a. At the VAN level: The vendor logon is validated by comparing vendor passwords and
IDs against a valid master file.
b. Before being converted: The translation software validates the trading partner’s
password and ID against a valid master file.
c. Before processing: the trading partner’s application software references the valid
customer and vendor files to validate the transaction.

22. What is packet switching?


Response: The Internet employs communications technologies based on packet
switching, whereby messages are divided into small packets for transmission. Individual
packets of the same message may take different routes to their destinations. Each packet
contains address and sequencing codes so they can be reassembled into the original
complete message at the receiving end. The choice of transmission path is determined
according to criteria that achieve optimum utilization of the long-distance lines, including
the degree of traffic congestion on the line, the shortest path between the end points

23. What is a VPN?


Response: A virtual private network (VPN) is a private network that exists within a
public network. VPNs are private from the client’s perspective, but physically share
backbone trunks with other users. Maintaining security and privacy in this setting,
however, requires encryption and authentication controls.

24. Name three types of addresses used on the Internet?


Response: The Internet uses three types of addresses for communications:
a. e-mail addresses,
b. Web site (URL) addresses, and
c. the addresses of individual computers attached to a network (IP addresses).

25. Describe the elements of an e-mail address.


Response: The format for an e-mail address is USER_NAME@DOMAIN_NAME.
There are no spaces between any of the letters. A domain name is an organization’s
unique name combined with a top-level domain name, e.g. “com”, “edu”, etc.

26. Networks would be inoperable without protocols. Explain their importance and
what functions they perform.
Response: Network protocols are the rules and standards governing the design of
hardware and software that permit users of networks manufactured by different vendors
to communicate and share data. Without protocols, data transmission between two
incompatible systems would be impossible. Protocols facilitate the physical connection
between the network devices. Protocols also synchronize the transfer of data between
physical devices. They provide a basis for error checking and measuring network
performance. They promote compatibility among network devices. Lastly, they promote
network designs that are flexible, expandable, and cost-effective.

27. What is the purpose of the TCP portion of TCP/IP?


Response: Transfer Control Protocol (TCP) ensures that the total number of bytes
transmitted is equal to the total number of bytes received.

28. What does the HTTP do?


Response: Hypertext Transfer Protocol (HTTP) controls Web browsers that access the
Web. When the user clicks on a link to a Web page, a connection is established, the Web
page is displayed, then the connection is broken.

29. How do HTTP and HTTP-NG differ?


Response: HTTP-NG is the new generation of the Hypertext Transfer Protocol. It is an
enhanced version of the HTTP protocol that maintains the simplicity of HTTP while
adding important features such as security and authentication.

30. What is a digital certificate? How is it different from a digital signature?


Response: A digital certificate is used to verify the sender’s identity. It is issued by a
trusted third party called a certification authority (CA). A digital certificate is used in
conjunction with a public key encryption system to authenticate the sender of a message.
The process for certification varies depending on the level of certification desired. A
digital signature proves that the message received was indeed sent by the sender, and was
not tampered with during transmission. However, it does not prove that the sender is who
he or she claims to be. The sender could be an impersonator. The digital certificate
proves the identity of the sender.

31. What is a CA (certification authority), and what are the implications for the
accounting profession?
Response: A certification authority is an independent and trusted third party empowered
with responsibility to vouch for the identity of organizations and individuals engaging in
Internet commerce. The question then becomes, who vouches for the CA? How does
one know that the CA who awarded a seal of authenticity to an individual is itself
reputable and was meticulous in establishing his or her identity? These questions hold
specific implication for the accounting profession. Since they enjoy a high degree of
public confidence, public accounting firms are natural candidates for certification
authorities.

DISCUSSION QUESTIONS

1. Why is human behavior considered one of the biggest potential threats to operating
system integrity?
Response: Unfortunately, some computer hackers enjoy the challenge of creating
devices, such as viruses and logic bombs, to damage systems. They gain nothing of
monetary or financial value; they just enjoy knowing they accomplished their goal of
penetrating and affecting an operating system.
2. Why would a systems programmer create a back door if he or she has access to the
program in his or her day-to-day tasks.
Response: A back door is created so that the programmer may gain future access to the
program without needing a user password (in other words after the programmer no longer
has a valid password). The backdoor may be used legitimately to gain easy access to
perform maintenance or it may be used by a programmer who has no legitimate reason to
be accessing the system in that manner or at all.

3. Discuss the issues that need to be considered before implementing keystroke
monitoring.
Response: Keystroke monitoring is the computer equivalent of a telephone wiretap.
Whereas some situations may justify this level of surveillance, keystroke monitoring may
also be regarded as a violation of privacy. Before implementing this type of control,
management and auditors should consider the possible legal, ethical, and behavioral
implications.

4. Explain how an access token and an access control list are used to approve or deny
access.
Response: When a log-on attempt is successful, the operating system creates an access
token that contains key information about the user, including user ID, password, user
group, and privileges granted to the user. The information in the access token is used to
approve all actions the user attempts during the session. An access control list is assigned
to each IT resource (computer directory, data file, program, or printer), which controls
access to the resources. These lists contain information that defines the access privileges
for all valid users of the resource. When a user attempts to access a resource, the system
compares his or her ID and privileges contained in the access token with those contained
in the access control list. If there is a match, the user is granted access.

5. Explain how a Trojan horse may be used to penetrate a system.


Response: A Trojan horse is a program whose purpose is to capture IDs and passwords
from unsuspecting users. These programs are designed to mimic the normal log-on
procedures of the operating system. When the user enters his or her ID and password, the
Trojan horse stores a copy of them in a secret file. At some later date, the author of the
Trojan horse uses these IDs and passwords to access the system and masquerade as an
authorized user.
6. Discuss six ways in which threats from destructive programs can be substantially
reduced through a combination of technology controls and administrative
procedures.
Response: The following are examples of controls and procedures that can reduce the
threat from destructive programs:
i. Purchase software only from reputable vendors and accept only those products that are
in their original, factory-sealed packages.
ii. Issue an entity-wide policy pertaining to the use of unauthorized software or illegal
(bootleg) copies of copyrighted software.
iii. Examine all upgrades to vendor software for viruses before they are implemented.
iv. Inspect all public-domain software for virus infection before using.
v. Establish entity-wide procedures for making changes to production programs.
vi. Establish an educational program to raise user awareness regarding threats from
viruses and malicious programs.
vii. Install all new applications on a standalone computer and thoroughly test them with
antiviral software prior to implementing them on the mainframe or LAN server.
viii. Routinely make backup copies of key files stored on mainframes, servers, and
workstations.
ix. Wherever possible, limit users to read and execute rights only.
x. Require protocols that explicitly invoke the operating system’s logon procedures in
order to bypass Trojan horses. Some operating systems allow the user to directly invoke
the operating system logon procedure by entering a key sequence such as CTRL + ALT +
DEL. The user then knows that the logon procedure on the screen is legitimate.
xi. Use antiviral software (also called vaccines) to examine application and operating
system programs for the presence of a virus and remove them from the affected program.

7. Explain the three ways in which audit trails can be used to support security
objectives.
Response: Audit trails can be used to support security objectives in three ways:
i. detecting unauthorized access to the system,
ii. reconstructing events, and
iii. promoting personal accountability.

DETECTING UNAUTHORIZED ACCESS. Detecting unauthorized access can occur in
real time or after the fact. The primary objective of real-time detection is to protect the
system from outsiders who are attempting to breach system controls. After-the-fact
detection logs can be stored electronically and reviewed periodically or as needed. When
properly designed, they can be used to determine if unauthorized access was
accomplished, or attempted and failed.
RECONSTRUCTING EVENTS. Audit analysis can be used to reconstruct the steps that
led to events such as system failures, security violations by individuals, or application
processing errors. Knowledge of the conditions that existed at the time of a system failure
can be used to assign responsibility and to avoid similar situations in the future.
PERSONAL ACCOUNTABILITY. Audit trails can be used to monitor user activity at
the lowest level of detail. This capability is a preventive control that can be used to
influence behavior. Individuals are less likely to violate an organization’s security policy
if they know that their actions are recorded in an audit log. An audit log can also serve as
a detective control to assign personal accountability for actions taken. Serious errors and
the abuse of authority are of particular concern.

8. Explain how poorly designed audit trail logs can actually be dysfunctional.
Response: Audit logs can generate data in
overwhelming detail. Important information can easily get lost among the superfluous
details of daily operation. Protecting exposures with the potential for material financial
loss should drive management’s decision as to which users, applications, or operations to
monitor, and how much detail to log. As with all controls, the benefits of audit logs must
be balanced against the costs of implementing them.

9. Many authorities believe that the employer does not prosecute 90 percent of all
computer fraud acts. What do you think accounts for this lack of prosecution?
Discuss the importance of the establishment of a formal policy for taking
disciplinary (or legal) action against security violations.
Response: A common belief by management of publicly traded firms is that the public
will perceive fraudulent acts that have taken place as a sign of control weaknesses. The
management teams may prefer to handle the computer fraud by dismissal of the employee
rather than have the stockholders and analysts lose faith in the internal control procedures
of the firm. Unfortunately, this type of behavior by employers sends the wrong message
to potential perpetrators. The message from top management needs to be clear regarding
fraudulent acts: they will not be tolerated and any acts will be prosecuted. The message
means absolutely nothing if the firm does not back up this policy with actions if such
crimes are committed.

10. How can passwords actually circumvent security? What actions can be taken to
minimize this?
Response: Users may share their passwords, write down their passwords, or use easily
guessed passwords. Protection against these security breaches includes software that
allows only smart passwords and one-time passwords used in conjunction with smart
cards.

11. Explain how the (OTP) one-time password approach works.


Response: Under this approach, the user’s password changes continuously. To access the
operating system, the user must provide both a secret reusable personal identification
number (PIN) and the current one-time only password for that point in time. One
technology employs a credit-card-sized device (smart card) that contains a
microprocessor programmed with an algorithm that generates, and visually displays, a
new and unique password every 60 seconds. The card works in conjunction with special
authentication software located on a mainframe host or network server computer. At any
point in time both the smart card and the network software are generating the same
password for the same user. To access the network, the user enters the PIN followed by
the current password displayed on the card. The password can be used one time only.
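As an added illustration of the mechanism in this answer (example code, not part of the solutions manual): both the card and the server derive the password for the current 60-second window from a shared secret, the user types PIN followed by that password, and the server refuses a password it has already accepted. The HMAC-based derivation, the secret and the PIN are constructed assumptions; the textbook does not specify the card's algorithm.

```python
import hashlib
import hmac

# Constructed example secret provisioned to both the "smart card" and the
# authentication server. A real token keeps this inside the card's microprocessor.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
PIN = "4821"            # the user's reusable secret PIN (constructed)
STEP_SECONDS = 60       # the card shows a new password every 60 seconds
DIGITS = 6


def password_for(secret: bytes, window: int, digits: int = DIGITS) -> str:
    """One-time password for a given 60-second window.

    The card and the server run this same function on the same secret, so at
    any point in time they generate the same password for the same user.
    (HMAC-based derivation is assumed here for illustration only.)
    """
    mac = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def card_display(secret: bytes, now: float) -> str:
    """What the card shows at time `now` (seconds since the epoch)."""
    return password_for(secret, int(now) // STEP_SECONDS)


class AuthServer:
    """Server-side check: PIN plus the current password, each password usable once."""

    def __init__(self, pin: str, secret: bytes):
        self._pin = pin
        self._secret = secret
        self._used = set()      # (window, password) pairs already accepted

    def login(self, entered: str, now: float) -> bool:
        # The user enters the PIN followed by the password displayed on the card.
        if len(entered) != len(self._pin) + DIGITS:
            return False
        pin, otp = entered[:len(self._pin)], entered[len(self._pin):]
        if not hmac.compare_digest(pin, self._pin):
            return False
        window = int(now) // STEP_SECONDS
        if not hmac.compare_digest(otp, password_for(self._secret, window)):
            return False
        if (window, otp) in self._used:
            return False        # replay: this password was already used once
        self._used.add((window, otp))
        return True
```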

12. Explain how smurf attacks and SYN flood attacks can be controlled.

Response: In the case of a smurf attack, the targeted organization can program its
firewall to ignore all communication from the attacking site, once the attacker’s IP address
is determined. In the case of a SYN flood, two things can be done:
i. Internet hosts can program their firewalls to block outbound message packets that
contain invalid internal IP addresses.
ii. Security software can scan for half-open connections that have not been followed by
an ACK packet. The clogged ports can then be restored to allow legitimate connections to
use them.
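The two SYN flood controls above, worked through as added example code (not from the textbook): a scan of constructed handshake events for half-open connections (SYN-ACK sent, no ACK returned), and an egress check that flags outbound packets whose source address is not inside the organization's own address range. The log format and every address here are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of TCP handshake events as seen at a server (not a real capture).
# Format: "<time> <flag> <src>:<port> -> <dst>:<port>"
EVENTS = """\
10:00:01 SYN     203.0.113.5:40001 -> 192.0.2.10:80
10:00:01 SYN-ACK 192.0.2.10:80 -> 203.0.113.5:40001
10:00:02 ACK     203.0.113.5:40001 -> 192.0.2.10:80
10:00:03 SYN     198.51.100.7:51000 -> 192.0.2.10:80
10:00:03 SYN-ACK 192.0.2.10:80 -> 198.51.100.7:51000
10:00:03 SYN     198.51.100.7:51001 -> 192.0.2.10:80
10:00:03 SYN-ACK 192.0.2.10:80 -> 198.51.100.7:51001
10:00:04 SYN     198.51.100.7:51002 -> 192.0.2.10:80
10:00:04 SYN-ACK 192.0.2.10:80 -> 198.51.100.7:51002
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(SYN-ACK|SYN|ACK)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def half_open_connections(log: str) -> set:
    """Connections for which the server answered SYN-ACK but no ACK came back.
    Each entry is (client, client_port, server, server_port); these half-open
    entries tie up the server's connection table until they are cleared."""
    pending = set()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # not a handshake event
        _time, flag, src, sport, dst, dport = m.groups()
        if flag == "SYN-ACK":            # server -> client: key by the client end
            pending.add((dst, int(dport), src, int(sport)))
        elif flag == "ACK":              # client -> server: handshake completed
            pending.discard((src, int(sport), dst, int(dport)))
    return pending


def suspected_flood_sources(log: str, threshold: int = 3) -> set:
    """Client addresses holding at least `threshold` half-open connections; their
    entries are the ones to reset so legitimate connections can use the ports."""
    counts = defaultdict(int)
    for client, _, _, _ in half_open_connections(log):
        counts[client] += 1
    return {client for client, n in counts.items() if n >= threshold}


def egress_violations(outbound_sources, internal_network: str) -> list:
    """Outbound packets whose source address is not inside the organization's own
    range carry invalid (forged) addresses; the firewall should drop them so the
    site cannot be used to flood someone else."""
    net = ipaddress.ip_network(internal_network)
    return [s for s in outbound_sources if ipaddress.ip_address(s) not in net]
```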

13. Discuss the risks from equipment failure and how they can be controlled.
Response:
Risks: Transmissions between senders and receivers can be disrupted, destroyed, or
corrupted by equipment failures in the communications system. Equipment failure can
also result in the loss of databases and programs stored on the network server. The most
common problem in data communications is data loss due to line error. The bit structure
of the message can be corrupted through noise on the communications lines. Noise is
comprised of random signals that can interfere with the message signal when they reach a
certain level.
Controls:
i. Echo Check. The echo check involves the receiver of the message returning the
message to the sender. The sender compares the returned message with a stored copy of
the original. If there is a discrepancy between the returned message and the original,
suggesting a transmission error, the message is retransmitted.
ii. Parity Check. The parity check incorporates an extra bit (the parity bit) into the
structure of a bit string when it is created or transmitted. The value of the parity bit (1 or
0) is determined by the bit value of the character being transmitted. Parity can be both
vertical and horizontal (longitudinal). When the message is received, the parity is
checked again. A discrepancy in the parity bit value that is recalculated at the receiving
end indicates that a bit value in the character was changed during transmission.
iii. Network Backup. Data backup in networks is accomplished in several different ways
depending on the network’s complexity.
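An added worked example (not from the textbook) of the vertical and longitudinal parity check described above, using even parity: a single corrupted bit is detected and pinpointed by the intersection of the failing row and column, while a two-bit error inside one character slips past the vertical parity and is caught only by the longitudinal check. The message and the bit flips are constructed.

```python
def even_parity_bit(bits) -> int:
    """Return the bit that makes the total number of 1s in `bits` even."""
    return sum(bits) % 2


def to_bits(byte: int) -> list:
    """Most-significant-bit-first list of the 8 bits of one character."""
    return [(byte >> i) & 1 for i in range(7, -1, -1)]


def encode(data: bytes) -> list:
    """Build the transmitted block: each character becomes 8 data bits plus one
    vertical parity bit (9 bits), and a final longitudinal parity row holds the
    parity of each of the 9 columns taken across all characters."""
    rows = [to_bits(b) + [even_parity_bit(to_bits(b))] for b in data]
    lrc = [even_parity_bit([row[c] for row in rows]) for c in range(9)]
    return rows + [lrc]


def check(block) -> tuple:
    """Receiver-side recomputation of both parities.
    Returns (bad_rows, bad_cols): indices of characters whose vertical parity no
    longer holds and of columns whose longitudinal parity no longer matches.
    A single flipped bit yields exactly one bad row and one bad column."""
    *rows, lrc = block
    bad_rows = [i for i, row in enumerate(rows) if sum(row) % 2 != 0]
    bad_cols = [c for c in range(9)
                if even_parity_bit([row[c] for row in rows]) != lrc[c]]
    return bad_rows, bad_cols


def flip_bit(block, row: int, col: int) -> list:
    """Simulate line noise corrupting one bit in transit (returns a modified copy)."""
    damaged = [r[:] for r in block]
    damaged[row][col] ^= 1
    return damaged


def correct_single_error(block):
    """If the two checks disagree on exactly one row and one column, the damaged
    bit sits at their intersection and can be flipped back. Returns the repaired
    block, or None when the damage cannot be pinpointed (retransmission needed)."""
    bad_rows, bad_cols = check(block)
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        return flip_bit(block, bad_rows[0], bad_cols[0])
    return None


def decode(block) -> bytes:
    """Strip the parity bits and recover the characters."""
    *rows, _lrc = block
    return bytes(int("".join(str(bit) for bit in row[:8]), 2) for row in rows)
```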

14. Does every organization that has a LAN need a firewall?


Response: Firewalls can provide protection against unauthorized access by both internal
and external intruders depending on the type of firewall. An organization with a LAN
with NO connections to ANY external networks may be safe without firewalls, but some
sort of network security is necessary for multiple users.

15. Describe three ways in which IPS can be used to protect against DDoS attacks.
Response:
i. IPS can work inline with a firewall at the perimeter of the network to act as a filter that
removes malicious packets from the flow before they can affect servers and networks.
ii. IPS may be used behind the firewall to protect specific network segments and servers.
iii. IPS can be employed to protect an organization from becoming part of a botnet by
inspecting outbound packets and blocking malicious traffic before it reaches the Internet.

16. What problem is common to all private key encryption techniques?


Response: The more individuals who need to know the private key, the greater the
probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she
can intercept and decipher coded messages.
17. What is RSA encryption?
Response: RSA (Rivest-Shamir-Adleman) is a highly secure public key cryptography
method. This method is, however, computationally intensive and much slower than
standard DES encryption. Sometimes, both DES and RSA are used together in what is
called a digital envelope. The actual message is encrypted using DES to provide the
fastest decoding. The DES private key needed to decrypt the message is encrypted using
RSA and transmitted along with the message. The receiver first decodes the DES key,
which is then used to decode the message.

18. Explain the triple-DES encryption techniques known as EEE3 and EDE3.
Response: EEE3 uses three different keys to encrypt the message three times. EDE3
uses one key to encrypt the message. A second key is used to decode it. The resulting
message is garbled because the key used for decoding is different from the one that
encrypted it. Finally, a third key is used to encrypt the garbled message. The use of
multiple keys greatly reduces the chances of breaking the cipher. Triple DES encryption
is thought to be very secure and is used by major banks to transmit transactions.
Unfortunately, it is also very slow.

19. Distinguish between a digital signature and a digital certificate.


Response: A digital signature is electronic authentication that cannot be forged. It
ensures that the message or document transmitted originated with the authorized sender
and that it was not tampered with after the signature was applied. The digital signature is
derived from the computed digest of the document that has been encrypted with the
sender’s private key. This process proves that the message received was indeed sent by
the sender and was not tampered with during transmission. However, it does not prove
that the sender is who he or she claims to be. The sender could be an impersonator.
A digital certificate, which is issued by a trusted third party called a certification
authority (CA), is used to verify the sender’s identity. A digital certificate is used in
conjunction with a public key encryption system to authenticate the sender of a message.
The process for certification varies depending on the level of certification desired. It
involves establishing one’s identity with formal documents such as a driver’s license,
notarization, and fingerprints and proving one’s ownership of the public key. After
verifying the owner’s identity the CA creates the certification, which is the owner’s
public key and other data that has been digitally signed by the CA.

20. Describe a digest within the context of a digital signature.


Response: A digest is a mathematical value calculated from the text content of a
message. The sender uses a one-way hashing algorithm to calculate a digest of the text
message. The digest is then encrypted using the sender’s private key to produce the
digital signature.
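The digital signature and digital certificate described in discussion questions 19 and 20, worked through as added example code (not from the textbook): the sender hashes the message and encrypts the digest with a private key, and a CA-signed certificate binds the sender's name to the public key, which is what defeats an impersonator whose own signature still verifies under the impersonator's key. Toy textbook RSA keys built from small primes are a constructed assumption used only so the arithmetic is visible; they give no real security.

```python
import hashlib
import math


# Toy RSA key generation from small primes (constructed for illustration only;
# 40-bit moduli are trivially factorable and must never be used for real keys).
def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def make_keypair(seed: int):
    """Return ((n, e), (n, d)): the published public key and the secret private key."""
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:      # public exponent must be invertible mod phi
        e += 2
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def digest_int(data: bytes, n: int) -> int:
    """One-way hash of the message text, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest encrypted with the sender's private key."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key and compare with a fresh digest.
    A changed message, or a signature made with some other key, fails this check."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


def issue_certificate(subject: str, subject_public_key, ca_private_key) -> dict:
    """The CA vouches for identity by signing the subject's name together with
    the subject's public key (after whatever identity checks the CA performs)."""
    n, e = subject_public_key
    body = f"{subject}|{n}|{e}".encode()
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(body, ca_private_key)}


def certificate_is_valid(cert: dict, ca_public_key) -> bool:
    """Check the CA's signature over the name/public-key binding."""
    n, e = cert["public_key"]
    body = f"{cert['subject']}|{n}|{e}".encode()
    return verify(body, cert["ca_signature"], ca_public_key)


def verify_signed_message(message: bytes, signature: int, cert: dict,
                          ca_public_key, expected_sender: str) -> bool:
    """Both halves together: the certificate proves who owns the key, and the
    signature proves the message came from that key and was not altered."""
    return (certificate_is_valid(cert, ca_public_key)
            and cert["subject"] == expected_sender
            and verify(message, signature, cert["public_key"]))
```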

21. What is a digital envelope?


Response: Sometimes DES and RSA are used together to create a digital envelope that is
both more secure and faster than using RSA encryption alone. The actual message is
encrypted using DES to provide the fastest decoding. The DES private key needed to
decrypt the message is encrypted using RSA and transmitted along with the message.
The receiver first decodes the DES key, which is then used to decode the message.
22. Why is inadequate segregation of duties a problem in the personal computer
environment?
Response: An employee may have access to multiple applications that process
incompatible transactions. For example, a single individual may be responsible for
entering all transaction data, including sales orders, cash receipts, invoices, and
disbursements. This degree of authority would be similar, in a manual system, to
assigning accounts receivable, accounts payable, cash receipts, cash disbursement, and
general ledger responsibility to the same person. The exposure is compounded when the
operator is also responsible for the development (programming) of the applications that
he or she runs.

23. Why is the request-response technique important? Discuss the reasons an intruder
may wish to prevent or delay the receipt of a message.
Response: This method is important in order to prevent intruders from preventing or
delaying messages. An intruder might intercept data such as credit card numbers and
expiration dates or bank debit cards and personal identification numbers in order to use
this data to commit crimes. Another possibility is that sales orders could be intercepted
and destroyed in a malicious attempt to sever customer-supplier relations.

24. Discuss how the widespread use of laptop and notebook computers is making data
encryption standards more easily penetrable.
Response: Business travelers with laptop and notebook computers are just beginning to
realize how carefully they should safeguard their computers while traveling on subways,
planes, cars, and staying in hotels. Theft of these computers is becoming a serious
problem. These computers are being stolen just as often for the information contained on
the hard drives as they are for the resale values. Unfortunately, these stolen computers
often have the DES keys contained on floppy diskettes, which are stored in the carrying
cases. The carrying cases are usually also stolen, or the encryption keys may be on the
hard drive. Thus, the thief gains access to the key and can decode messages.

25. Discuss the unique control problems EDI creates.

Response: One problem is ensuring that transactions are authorized and valid. Both the
customer and supplier must establish that the transaction being processed is with a valid
trading partner and is an authorized transaction. Another problem is that, in most
situations, the trading partners must agree to give their trading partner access to files
which previously were entirely internal documents, such as inventory files. Prior to EDI,
firms did not exchange inventory file data. Thus, the accuracy of these files at all
times is crucial. Further, these files should not be allowed to be altered, in any fashion,
by the trading partner’s computer. Only the organization’s application programs should be
allowed to process inventory records.

26. “In an EDI system, only the customer needs to verify that the order being placed
is from a valid supplier and not vice versa.” Do you agree with this statement?
Why or why not?
Response: No. The supplier needs to verify that the purchaser is a valid purchaser and
has authorization to scan the inventory file.

27. Discuss how EDI creates an environment in which sensitive information, such as
inventory amounts and price data, is no longer private. What potential dangers
exist if the proper controls are not in place? Give an example.
Response: In an EDI environment, the selling firm opens up previously considered
private files, such as inventory and in some cases the master production schedule, to the
customer’s order system so that the inventory status can be checked. If the proper
controls are not in place, a perpetrator could alter these records so that inventory is shown
to be lower than it actually is, and the organization could lose orders as the customer
contacts another vendor. If this situation went undetected for a length of time, the
organization could have such a decline in sales and loss in customer base that it could be
forced out of business.

28. What purpose do protocols serve?

Response: Protocols serve network functions in several ways.
First, they facilitate the physical connection between the network devices. Through
protocols, devices are able to identify themselves to other devices as legitimate network
entities, and thus initiate (or terminate) a communications session.
Second, protocols synchronize the transfer of data between physical devices. This
involves defining the rules for initiating a message, determining the data transfer rate
between devices, and acknowledging message receipt.
Third, protocols provide a basis for error checking and measuring network performance.
This is done by comparing measured results against expectations. For example,
performance measures pertaining to storage device access times, data transmission rates,
and modulation frequencies are critical to controlling the network’s function. The
identification and correction of errors thus depends on protocol standards that define
acceptable performance.
Fourth, protocols promote compatibility among network devices. To successfully transmit
and receive data, the various devices involved in a particular session must conform to a
mutually acceptable mode of operation, such as synchronous or asynchronous and duplex
or half-duplex. Without protocols to provide such conformity, messages sent between
devices will be distorted and garbled.
Finally, protocols promote network designs that are flexible, expandable, and
cost-effective. Users are free to change and enhance their systems by selecting from the
best offerings of a variety of vendors. Manufacturers must, of course, construct these
products in accordance with established protocols.

29. Explain the purpose of the two elements of TCP/IP.

Response: The TCP portion of the TCP/IP protocol supports the transport function of the
OSI model. This ensures that the total number of data bytes transmitted was received.
The IP component provides the routing mechanism. Every server and computer in a
TCP/IP network requires an IP address, which is either permanently assigned or
dynamically assigned at startup. The IP part of the TCP/IP protocol supports the network
layer of the OSI model. It contains a network address and is used to route messages to
different networks. IP receives message packets from the transport protocol and delivers
them to the data link layer.

30. Distinguish between the FTP and TELNET protocols.

Response: FTP (File Transfer Protocol) is used to transfer text files, programs,
spreadsheets, and databases across the Internet. TELNET is a terminal emulation protocol
used on TCP/IP-based networks. It allows users to run programs and review data from a
remote terminal or computer. Telnet is an inherent part of the TCP/IP communications
protocol. While both protocols deal with data transfer, FTP is useful for downloading
entire files from the Internet; TELNET is useful for perusing a file of data as if the user
were actually at the remote site.

31. Distinguish between a network-level firewall and an application-level firewall.

Response: Network-level firewalls provide efficient but low-security access control. This
type of firewall consists of a screening router that examines the source and destination
addresses that are attached to incoming message packets. The firewall accepts or denies
access requests based on filtering rules that have been programmed into it. The firewall
directs incoming calls to the correct internal receiving node. Network-level firewalls are
insecure because they are designed to facilitate the free flow of information rather than
restrict it. This method does not explicitly authenticate outside users.
Application-level firewalls provide a higher level of customizable network security, but
they add overhead to connectivity. These systems are configured to run security
applications called proxies that permit routine services such as e-mail to pass through the
firewall, but can perform sophisticated functions such as user authentication for specific
tasks. Application-level firewalls also provide comprehensive transmission logging and
auditing tools for reporting unauthorized activity.

32. What is a certification authority, and what are the implications for the accounting
profession?
Response: A certification authority is an independent and trusted third party empowered
with responsibility to vouch for the identity of organizations and individuals engaging in
Internet commerce. The question then becomes, who vouches for the CA? How does
one know that the CA who awarded a seal of authenticity to an individual is itself
reputable and was meticulous in establishing his or her identity? These questions hold
specific implications for the accounting profession. Since they enjoy a high degree of
public confidence, public accounting firms are natural candidates for certification
authorities.

33. Discuss the key aspects of the following five seal-granting organizations: BBB,
TRUSTe, Veri-Sign, Inc., ICSA, and AICPA/CICA WebTrust.
Response:
Better Business Bureau. The Better Business Bureau (BBB) is a non-profit organization
that has been promoting ethical business practices through self-regulation since 1912.
BBB has extended its mission to the Internet through a wholly owned subsidiary called
BBBOnline, Inc. To qualify for the BBBOnline seal an organization must:
● Become a member of BBB.
● Provide information about the company’s ownership, management, address, and
phone number. This is verified by a physical visit to the company’s premises.
● Be in business for at least one year.
● Promptly respond to customer complaints.
● Agree to binding arbitration for unresolved disputes with customers.
The assurance provided by BBBOnline relates primarily to concerns about business
policies, ethical advertising, and consumer privacy. BBBOnline does not verify controls
over transaction-processing integrity and data-security issues.
TRUSTe. Founded in 1996, TRUSTe is a non-profit organization dedicated to improving
consumer privacy practices among Internet businesses and Web sites. To qualify to
display the TRUSTe seal the organization must:
● Agree to follow TRUSTe privacy policies and disclosure standards.
● Post a privacy statement on the Web site disclosing the type of information being
collected, the purpose for collecting information, and with whom it is shared.
● Promptly respond to customer complaints.
● Agree to site-compliance reviews by TRUSTe or an independent third party.
TRUSTe addresses consumer privacy concerns exclusively and provides a mechanism for
posting consumer complaints against its members. If a member-organization is found to
be out of compliance with TRUSTe standards, its right to display the trust seal may be
revoked.
Veri-Sign, Inc. Veri-Sign, Inc. was established as a for-profit organization in 1995.
Veri-Sign, Inc. provides assurance regarding the security of transmitted data. The
organization does not verify security of stored data or address concerns related to
business policies, business processes, or privacy. Its mission is to “provide digital
certificate solutions that enable trusted commerce and communications.” Its products
allow customers to transmit encrypted data and verify the source and destination of
transmissions. Veri-Sign, Inc. issues three classes of certificates to individuals,
businesses, and organizations. To qualify for class-three certification the individual,
business, or organization must provide a third-party confirmation of name, address,
telephone number, and Web site domain name.
ICSA. The International Computer Security Association (ICSA) established its Web
Certification Program in 1996. ICSA certification addresses data security and privacy
concerns. It does not deal with concerns about business policy and business processes.
Organizations that qualify to display the ICSA seal have undergone an extensive review
of firewall security from outside hackers. Organizations must be recertified on an annual
basis and undergo at least two surprise checks each year.
AICPA/CICA WebTrust. The AICPA and CICA established the WebTrust program in
1997. To display the AICPA/CICA WebTrust seal the organization must undergo an
examination according to the AICPA’s Standards for Attestation Engagements, No. 1, by
a specially Web-certified CPA or CA. The examination focuses on the areas of business
practices (policies), transaction integrity (business process), and information protection
(data security). The seal must be renewed every 90 days.

34. Differentiate between a LAN and a WAN. Do you have either or both at your
university or college?
Response: The primary difference between LANs and WANs is the geographic area
coverage. LANs are typically confined to a single room, floor, or building. WANs are
used to connect various LANs and computing centers that are geographically dispersed
across distances that range from less than a mile to transcontinental.

MULTIPLE-CHOICE QUESTIONS

1. b
2. a
3. e
4. d
5. e
6. c
7. b
8. e
9. a
10. c

PROBLEMS
1. Network Access Control
Ajax Automotive services retail automotive centers on the east coast by supplying them with
quality car and truck parts such as brake pads, oil filters, water pumps, etc. The
company’s 123 sales representatives work exclusively in the field visiting client company
locations and submitting sales orders from laptop computers via an internet connection to
the corporate offices in Delaware. All of Ajax’s sales orders are received in this manner.
Customer account, sales history, inventory, and cash receipts records are stored on a
central server at the corporate site. Customers are billed digitally from the corporate
office on a net 30 basis.
Required:
Outline the access controls that would be appropriate for this situation. Explain why these
controls are necessary.
Response:
Data encryption techniques should be in place for transmitting sales orders and other
sensitive sales data from customer locations to the corporate computer center. Since the
organization has many sales representatives, a public key encryption approach would
work best.
To preserve the integrity of sales orders, a digital signature control may be used. Any
tampering with, or alterations to, the original sales order would be detected as a
discrepancy in the digest.
Confidential data stored at the corporate offices, particularly customer data, should also
be encrypted to protect against intrusion attempts.
A one-time password system would increase security by preventing a hacker from
capturing the password and accessing the system.
Since the Ajax organization processes all its sales transactions via remote access, it is
vulnerable to denial of service attacks. These risks are reduced through firewalls, intrusion
prevention software, and deep packet inspection of data entering the system.
Virus protection software should be installed on the laptops of sales representatives.
Policies should be in place to ensure that the software is kept current.
Various other network control devices would preserve the integrity of transmitted data.
These include: message sequence numbering, message transaction log, request-response
techniques, and a call-back device.

2. Network System Controls

Three years ago Triumph Manufacturing implemented a networked transaction
processing system to link their various departments and allow data sharing. Prior to then,
Triumph employed a system based on stand-alone PCs. When the new system was
implemented each employee was given a user ID and assigned a four-digit password to
permit access to the system. Once in the system, they had the option of changing their
passwords or keeping the one originally assigned. Since everyone in the organization
was new to the system, the operating philosophy adopted by Triumph was to establish an
open system that would facilitate efficient processing with minimal inconvenience.
Towards this end, employee access privileges to data and processes were assigned based
on functional affiliation. For example, sales staff had access to all processes and data
pertaining to sales transactions such as order entry procedures, inventory control, credit
checking, customer credit files, sales invoices, inventory records, etc. Similarly, all
accounting staff were granted access to such processes as updating accounts receivable,
accounts payable, cash receipts and all journals, subsidiary ledgers, and general ledger
accounts related to these tasks.
Recently, the internal auditor identified material errors and possible irregularities in the
financial statements. She is concerned about the lack of security and the potential for
fraud and unauthorized access from internet hackers.
Required:
Outline the control procedures and policies that would reduce these risks and explain your
solution.
Response:
Implement a Password Control Policy
● To improve access control, management should require that passwords be changed
regularly and disallow weak passwords.
● Employ password software that automatically scans password files and notifies
users that their passwords have expired and need to be changed.
Assign Network Access Privileges
● Network access privileges are a digital segregation of duties. The network
administrator needs to assign privileges in a manner that separates incompatible
functions.
● Assign access privileges consistent with job descriptions and verify that job
descriptions are consistent with the tasks to be performed. The current method of
assigning access privileges according to functional affiliation allows individuals to
access data beyond their need to know and to possibly perpetrate a fraud.
Security Clearance and Confidentiality Policy
● If one does not already exist, establish a security clearance policy and ensure that all
privileged employees undergo an adequately intensive security clearance check.
● Ensure that all system users have formally acknowledged their responsibility to
maintain the confidentiality of company data.
Security Software
● Virus protection software should be installed on the system and policies should be in
place to ensure that the software is kept current.
● Internet risks are reduced through firewalls, intrusion prevention software, and deep
packet inspection of data entering the system.
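A checker for the two password bullets in the response above (weak passwords refused, expired passwords reported to their owners), as an added example that is not from the textbook. The user-file layout, the 90-day maximum age and the eight-character minimum are assumptions; the records are constructed to mirror Triumph's four-digit defaults that were never changed.

```python
"""Password policy scan for a Triumph-style user file (added example).

The record format and the thresholds are assumptions for this example; the
user file is constructed.
"""
from datetime import date

MAX_AGE_DAYS = 90        # assumed policy: change at least every 90 days
MIN_LENGTH = 8           # assumed policy: the four-digit defaults fail this
REPORT_DATE = date(2022, 4, 1)   # constructed "today" for the scan

# Constructed user file: user ID, current password, date of last change.
USER_FILE = [
    ("jsmith", "4821", date(2019, 3, 1)),          # still on the assigned default
    ("mwong", "password", date(2022, 1, 10)),      # recent, but trivially guessable
    ("rpatel", "Tr1umph!Ledger", date(2022, 3, 2)),
    ("abrown", "Summer2021", date(2021, 6, 1)),    # acceptable strength, long expired
]

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "triumph"}


def weakness_reasons(password: str) -> list:
    """Return the policy rules a password violates; an empty list means it is acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if password.isdigit():
        reasons.append("digits only (looks like an assigned default)")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the policy allows."""
    return (today - last_changed).days > max_age_days


def scan_user_file(records, today: date) -> dict:
    """Notification list: user ID -> reasons the password must be changed now."""
    findings = {}
    for user_id, password, last_changed in records:
        reasons = weakness_reasons(password)
        if is_expired(last_changed, today):
            reasons.append("expired (%d days old)" % (today - last_changed).days)
        if reasons:
            findings[user_id] = reasons
    return findings


if __name__ == "__main__":
    for user, why in scan_user_file(USER_FILE, REPORT_DATE).items():
        print(user, "->", "; ".join(why))
```
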

3. System Access Control and Fraud
Charles Hart, an accounts payable clerk, is an hourly employee. He never works a minute
past 5 P.M. unless the overtime has been approved. Charles has recently found himself
faced with some severe financial difficulties. He has been accessing the system from his
home during the evening and setting up an embezzlement scheme. As his boss, what
control technique(s) discussed in this chapter could you use to help detect this type of
fraud?
Required: What control technique(s) discussed in this chapter could you use to help
detect this type of fraud?
Response: If the company uses a call back device, Charles Hart’s home phone should not
be on the approved phone list. Since Charles is an hourly worker, he should not be
expected to take work home with him. Further, a transaction log listing time of data input
and user ID would be informative to Charles’ boss. If Charles has not been approved for
overtime during the past month, and Charles’ supervisor notices that Charles has entered
some transactions into the system late in the evening, then Charles’ supervisor should
investigate these actions. A message transaction log, which contains a record of users on the
system by login time, would also be useful.
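One way to apply the transaction-log control from the response above, as an added example that is not from the textbook: it flags entries made by hourly staff after the 5 P.M. cutoff on days with no approved overtime. The log format, the cutoff and the approval list are assumptions, and the log lines are constructed.

```python
"""Flag after-hours transaction entries by hourly staff without approved overtime.

Added example. Log format, 5 P.M. cutoff and the approval list are assumptions;
the log lines are constructed.
"""
from datetime import datetime, time

WORKDAY_END = time(17, 0)   # hourly staff leave at 5 P.M. unless overtime is approved

# Constructed transaction log: date, time, user ID, transaction type, amount.
LOG_LINES = """\
2023-05-08 14:12:07 chart AP_INVOICE 1250.00
2023-05-08 16:58:44 jlee AP_INVOICE 480.00
2023-05-08 21:37:19 chart AP_INVOICE 990.00
2023-05-09 22:05:02 chart VENDOR_ADD 0.00
2023-05-09 18:30:11 jlee AP_INVOICE 310.00
2023-05-10 09:02:55 chart AP_INVOICE 2100.00
"""

HOURLY_EMPLOYEES = {"chart", "jlee"}
# Constructed overtime approvals: (user ID, date) pairs the supervisor signed off.
APPROVED_OVERTIME = {("jlee", "2023-05-09")}


def parse_line(line: str) -> dict:
    """Parse one log line into a record (format is an assumption for this example)."""
    date_s, time_s, user, tx_type, amount = line.split()
    return {
        "when": datetime.strptime(date_s + " " + time_s, "%Y-%m-%d %H:%M:%S"),
        "user": user,
        "type": tx_type,
        "amount": float(amount),
    }


def after_hours_entries(log_text: str) -> list:
    """Records entered after WORKDAY_END by hourly staff with no approval for that day."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["user"] not in HOURLY_EMPLOYEES:
            continue                       # salaried staff are outside this rule
        if rec["when"].time() <= WORKDAY_END:
            continue                       # entered during the normal workday
        if (rec["user"], rec["when"].strftime("%Y-%m-%d")) in APPROVED_OVERTIME:
            continue                       # late entry, but overtime was approved
        flagged.append(rec)
    return flagged


def summarize(flagged) -> dict:
    """Per-user count and total amount, the view a supervisor would review."""
    summary = {}
    for rec in flagged:
        entry = summary.setdefault(rec["user"], {"count": 0, "amount": 0.0})
        entry["count"] += 1
        entry["amount"] += rec["amount"]
    return summary


if __name__ == "__main__":
    for rec in after_hours_entries(LOG_LINES):
        print(rec["when"], rec["user"], rec["type"], rec["amount"])
    print(summarize(after_hours_entries(LOG_LINES)))
```
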

4. Internal Control and Fraud

John Martin, a highly skilled computer technician with a master’s degree in computer
science, took a low-profile evening job as a janitor at Kent Manufacturing Company.
Since the position was low-level, no security clearance or background check was
necessary. While working at nights, John snooped through offices for confidential
information regarding system operations, internal controls, and the financial thresholds
for transactions that would trigger special reviews. He observed employees who were
working late type in their passwords and managed to install a Trojan Horse virus onto the
system to capture the IDs and passwords of other employees. During the course of
several weeks John obtained the necessary IDs and passwords to set himself up in the
system as a supplier, a customer, and systems administrator, which gave him access to
most of the accounting system’s functions.
As a customer, John ordered inventory which was shipped to a rented building and later
sold. As system administrator he approved his credit sales orders and falsified his
customer payment records to make it appear that the goods had been paid for. He also
generated purchase orders to himself and created false receiving reports and supplier
invoices as part of a vendor fraud scheme. He was thus able to fool the system into
setting up accounts payable to himself and writing checks in payment of inventory items
that the company never received.
John was careful to ensure that all his transactions fell below the financial thresholds that
triggered special reviews. Nevertheless, his fraud schemes cost Kent Manufacturing
approximately $100,000 per month and went undetected for 1 ½ years. John, however,
became overconfident and careless in his lifestyle. Working late one evening, the
internal auditor observed John arriving for work in an expensive sports car that seemed
out of place for a poorly paid janitor. The auditor initiated an investigation that exposed
John’s activities. He was arrested and charged with computer fraud.
Required:
a. What control weaknesses allowed John to perpetrate these frauds?
b. Explain the controls that should be in place to reduce the risk of fraud.
Response:
Weakness: Lack of Background Check. Kent Manufacturing incorrectly assumed that
low-level positions in the organization pose no security threat and do not require
background checks on employees filling such positions. While this may be generally
true, janitors have unrestricted access to many or all areas of the organization.
● Control: An appropriate level background check should be performed on all new
employees. In the case of John, it would have revealed any previous criminal
activity. Even if Alogna had a clean record, his master’s in computer science would
have been discovered, which should have raised a red flag in his application for a
janitor position.

Weakness: Security Over Confidential Material. John was able to learn about the
system’s key operational features, controls, and control trigger points by browsing
information located in employee offices.
● Control: Confidential information should be secured in safes or other appropriate
storage facilities.
● A security policy should be implemented to ensure that all employees recognize
potential security threats and comply with the security policy in place for
confidential material.

Weakness: Lack of Adequate Password Control. Kent Manufacturing uses a reusable
password system. Once John obtained the necessary passwords he was able to access the
system and play many roles to perpetrate his frauds.
● Control: Implement a password control system that requires passwords to be
changed regularly and which disallows weak passwords.
● Employ password software that automatically scans password files and notifies
users that their passwords have expired and need to be changed.
● The use of a one-time password system would have prevented John from obtaining
employee passwords. Even if he observed a password being entered or captured it
via a Trojan Horse, the password could not be reused to enter the system.

Weakness: Lack of Adequate Application Control. By keeping transactions under the
thresholds that trigger additional reviews, John was able to perpetrate $100,000 in
frauds each month that went undetected for 1 ½ years.
● Control: Review the appropriateness of financial materiality thresholds. Kent may
have these set too high for adequate control.
● Internal audit reviews of frequent and recurring transactions that fall just below the
materiality level.

Weakness: Lack of Security Software. John was able to successfully install a Trojan Horse
virus that went undetected.
● Control: Install virus protection software on the system.
● Implement policies to ensure that the software is kept current.

5. Network Security Controls

ISC is an international manufacturing company with over 100 subsidiaries
worldwide. ISC prepares consolidated monthly financial statements based on data
provided by the subsidiaries. Currently the subsidiaries send their monthly reports to the
ISC Corporate offices in Phoenix as pdf or spreadsheet attachments to e-mail files. The
financial data are then transcribed by data processing clerks and entered into the
corporate database from which consolidated statements are prepared. Because the data
need to be reentered manually into the corporate system the process takes three to four
days to enter all the data into the database. Also, the process is prone to transcription
errors and other forms of clerical errors. After the data are loaded into the system,
verification programs check footings, cross-statement consistency, and dollar range
limits. Any errors in the data are traced and corrected. The reporting subsidiaries are
notified of all errors via e-mail.
The company has decided to upgrade its computer communications network with
a new system that will support more timely receipt of data at corporate
headquarters. The systems department at corporate headquarters is responsible for
the overall design and implementation of the new system. The system will consist
of a central server at the corporate offices connected to distributed terminals at
each of the subsidiary sites.
The new system will allow clerks at the subsidiary sites to send financial data to
the corporate office via the Internet. The system will automatically load the
financial data into the corporate database thus eliminating the error-prone data
entry operation.
The company’s controller is pleased with the prospects of the new system, which
should shorten the reporting period by three days. He is, however, concerned
about security and data integrity during the transmission. He has scheduled a
meeting with key personnel from the systems department to discuss these
concerns.
Required:
a. Describe the data security and integrity problems that could occur when transmitting data
between the subsidiaries and the corporate office.
b. For each problem identified, describe a control procedure that could be employed to
minimize or eliminate the problem.

Response:

Problem: Unauthorized access to the reporting system.
Control procedures:
● Establish access privileges based on need.
● Implement password control and password management procedures to prevent weak
passwords and to ensure they are changed on a regular basis.
● Encrypt the password file.
● Use a one-time password technique for data transmissions.

Problem: Unauthorized access to the corporate reporting database.
Control procedures:
● Establish a database authority table based on need.
● Encrypt financial data in the database.

Problem: System intrusion from the internet, including denial of service attack.
Control procedures:
● Implement an application-level firewall.
● Encrypt financial data in the database.
● Implement an intrusion prevention system with deep packet inspection and security
software to identify open connections that indicate a SYN flood attack.
● Use security techniques such as request-response and call-back.
● Employ antiviral software.

Problem: Corruption of transmitted data due to line errors.
Control procedures:
● The system should have built-in controls including echo check and parity check to
correct line errors.
● Use message sequence numbering.

Problem: Interception and alteration of transmitted data.
Control procedures:
● Use public key encryption.
● Use digital signatures to identify any changes to the digest.

6. Preventive Controls
Listed here are five scenarios. For each scenario, discuss the possible damages that can
occur. Suggest a preventive control.
a. An intruder taps into a telecommunications device and retrieves the
identifying codes and personal identification numbers for ATM cardholders. (The
intruder subsequently codes this information onto a magnetic coding device and
places this strip on a blank bank card.)
b. Because of occasional noise on a transmission line, electronic messages
received are extremely garbled.
c. Because of occasional noise on a transmission line, data being transferred
is lost or garbled.
d. An intruder is temporarily delaying important strategic messages over the
telecommunications lines.
e. An intruder is altering electronic messages before the user receives them.

Required: For each scenario, discuss the possible damages that can occur. Suggest a
preventive control.

Responses:
a. The intruder can then withdraw money from the ATM cardholder accounts.
(This actually happened in California; the intruder was a systems consultant
who had helped to set up the communication system.) Preventive control: digital
encoding of the data, with the algorithm being changed periodically, especially after
the systems consultants have completed their jobs and the system is in use.
b. Noise on the line may be causing line errors, which can result in data loss.
Echo checks and parity checks can help to detect and correct such errors.
c. If data is being lost, echo checks and parity checks should also help; however,
the problem may be that an intruder is intercepting messages and tampering
with them. Message sequence numbering will help to determine if messages
are being lost, and if they are, a request-response technique that is difficult for
intruders to circumvent should perhaps be implemented.
d. If messages are being delayed, an important customer order or other
information could be missed. As in item c, message sequence numbering and
request-response techniques should be used.
e. Messages altered by intruders can have a very negative impact on
customer-supplier relations if orders are being altered. In this case, data
encryption is necessary to prevent the intruder from reading and modifying
the data. Also, a digital signature will reveal if the message has been altered.

7. Operating System Risks and Controls

Listed here are four scenarios. For each scenario, discuss the potential consequences and
give a prevention technique.
A. A company has recently installed a new computer network. The operating
philosophy adopted by the new network administrator was to establish an open
system that would foster work group data sharing, flexible access, and minimal
inconvenience to the network users. To accomplish this objective the data
administrator assigned employee access privileges to data based on department
and functional affiliation rather than specific tasks.
B. Mary is a system programmer who was told she would be terminated in three
weeks due to poor performance and was asked to conclude all of her projects
during that three week period. Two weeks later Mary created a logic bomb
designed to activate three months after her departure. Subsequently, the bomb
destroyed hundreds of records in her previous employer’s accounts receivable
invoice file.
C. Robert discovered a new sensitivity analysis public-domain program on the
Internet. He downloaded the software to his laptop at home, which he also used at
his office when connecting to the company’s network. The program contained a
virus that spread to the company’s mainframe.
D. Murray, a trusted employee and a systems engineer, had access to both the network
access control list and user passwords. The firm’s competitor recently hired him
for a large increase in salary. After leaving, Murray continued to browse through
his old employer’s data, such as price lists, customer lists, bids on jobs, and so on.
He passed this information on to his new employer.

Required: For each scenario, discuss the potential consequences and give a prevention
technique.
Responses:
A. Network access privileges allow for proper segregation of duties in a shared data
environment. The current method of assigning access privileges (according to
functional affiliation) allows individuals to access data beyond their need to know.
An individual who is granted access to data that are not related to his or her specific
task may be in a position to perpetrate a fraud or cover up serious errors. The
network administrator should, therefore, assign privileges in a manner that separates
incompatible functions and is consistent with job descriptions.

B. Employees with access to critical systems, data, or key processes who have been
terminated should also have their access privileges terminated immediately and should
not be allowed to continue working for the company. This policy should be followed
even for employees who leave on good terms and of their own volition. They should
receive their contractual severance pay, but not remain on the company’s premises.

C. Personal laptop computers are a common source of network viruses, which can be
destructive to corporate databases and applications. Because they are portable, laptops
are subject to virus infections from outside of the secure corporate environment.
Antivirus software should be in place on the network server to prevent any files from
being uploaded before they are checked for viruses. Also, an antiviral program should
routinely scan the network server for viruses. Many organizations have policies and
controls in place to prevent personal computers from connecting to corporate
networks.

D. Upon Murray’s announcement that he is leaving, his access privileges should have
been revoked and he should have been escorted from the premises. Further, since he had
access to all other users’ passwords, a message should immediately be sent to all users
requiring them to change their passwords immediately or have their account locked until
they do make the change.

8. Encryption
The coded message that follows is an encrypted message from Brutus to the
Roman Senate. It was produced using the Caesar cipher method, in which each
letter is shifted by a fixed number of places (determined by the key value).
OHWV GR MXOLXV RQ PRQGDB PDUFK 48 GUHVV: WRJD FDVXDO
(EBRG)
Required:
Determine the key used to produce the coded message and decode it.

Response: Key = +3. Decoded message:

LETS DO JULIUS ON MONDAY MARCH 15
DRESS: TOGA CASUAL (Bring Your Own Dagger)

9. Encryption
a. Develop a Caesar cipher-type encryption algorithm with a little more
complexity in it. For example, the algorithm could alternatively shift the
cleartext letters positive and negative by the amount of the key value.
Variations on this are limitless.
b. Select a single-digit key.
c. Code a short message using the algorithm and key.
d. Give your instructor the algorithm, key, clear text, and cipher text.
Optional: Your instructor will randomly redistribute to the class the cipher text
messages completed in part d. You are to decode the message you receive as an
additional assignment.

Response: Answers will vary among the class. This is a fun assignment that results in
interesting coding schemes.
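The following Python program is an added worked example for Problems 8 and 9; it is not part of the solutions manual. It implements the plain Caesar shift (letters around the 26-letter alphabet and digits around 0-9, which is how the exercise turns 15 into 48), recovers an unknown key for Problem 8 by trying all 26 shifts and scoring each candidate plaintext against English letter frequencies, and adds the alternating positive/negative shift suggested in Problem 9a. The frequency table is the commonly cited approximation for English text; the function names and the alternating-shift variant are this example's own choices.

```python
"""Caesar cipher: encrypt, decrypt, recover the key, and an alternating-shift variant.
Added example for Problems 8 and 9 above; not code from the textbook."""
from collections import Counter
import string

LETTERS = string.ascii_uppercase
DIGITS = string.digits

# Approximate relative frequency (%) of letters in English text. Used only to
# score candidate keys: the more a candidate plaintext looks like English, the
# closer its letter counts will be to these proportions.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23, "G": 2.02,
    "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03, "M": 2.41, "N": 6.75,
    "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99, "S": 6.33, "T": 9.06, "U": 2.76,
    "V": 0.98, "W": 2.36, "X": 0.15, "Y": 1.97, "Z": 0.07,
}


def shift_char(ch: str, key: int) -> str:
    """Shift one character: letters wrap around A-Z, digits wrap around 0-9.
    Spaces and punctuation pass through unchanged, so word boundaries survive."""
    if ch in LETTERS:
        return LETTERS[(LETTERS.index(ch) + key) % 26]
    if ch in DIGITS:
        return DIGITS[(DIGITS.index(ch) + key) % 10]
    return ch


def caesar_shift(text: str, key: int) -> str:
    """Plain Caesar cipher: every letter and digit moves `key` places."""
    return "".join(shift_char(ch, key) for ch in text.upper())


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and English; lower is more English-like."""
    counts = Counter(ch for ch in text if ch in LETTERS)
    n = sum(counts.values())
    if n == 0:
        return float("inf")  # nothing to score
    return sum(
        (counts[ch] - n * freq / 100) ** 2 / (n * freq / 100)
        for ch, freq in ENGLISH_FREQ.items()
    )


def recover_key(ciphertext: str) -> int:
    """Try all 26 keys and return the one whose decryption looks most like English.
    The key space is exhaustively searchable, which is why a Caesar cipher offers
    no real confidentiality even when the key is unknown."""
    return min(range(26), key=lambda k: chi_squared(decrypt(ciphertext, k)))


def alternating_shift(text: str, key: int) -> str:
    """Problem 9a variant: shift the 1st, 3rd, 5th ... letter/digit by +key and the
    2nd, 4th, 6th ... by -key. Decrypt by calling it again with -key."""
    out, i = [], 0
    for ch in text.upper():
        if ch in LETTERS or ch in DIGITS:
            out.append(shift_char(ch, key if i % 2 == 0 else -key))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# The ciphertext from Problem 8.
CIPHERTEXT = "OHWV GR MXOLXV RQ PRQGDB PDUFK 48 GUHVV: WRJD FDVXDO (EBRG)"

if __name__ == "__main__":
    k = recover_key(CIPHERTEXT)
    print(f"recovered key = +{k}")
    print(decrypt(CIPHERTEXT, k))
    # Constructed sample for the Problem 9 variant with a single-digit key.
    sample = "MEET AT NOON 9"
    print(alternating_shift(sample, 4), "->", alternating_shift(alternating_shift(sample, 4), -4))
```

Running the script recovers key +3 for Problem 8 and prints the decoded message. The frequency-scoring step matters more than the shift itself: it shows why any cipher with a tiny key space falls to exhaustive search, which is the point the encryption section of the chapter makes when it contrasts such schemes with modern key lengths.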

10-13. Problems 10 through 13 will result in varying answers.
