Chapter 13 Processing Controls. Operating System Integrity Operating system -- the set of programs implemented in software/hardware that permits sharing.

Slides:



Advertisements
Similar presentations
Chapter 19: Network Management Business Data Communications, 5e.
Advertisements

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Auditing Computer-Based Information Systems
Database Administration and Security Transparencies 1.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems
Auditing Computer-Based Information Systems
Lecture 1: Overview modified from slides of Lawrie Brown.
6/2/2015B.Ramamurthy1 Security B.Ramamurthy. 6/2/2015B.Ramamurthy2 Computer Security Collection of tools designed to thwart hackers Became necessary with.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.
Chapter 1  Introduction 1 Overview  What is a secure computer system?  Concerns of a secure system o Data: Privacy, Integrity, Availability o Users:
CS-550 (M.Soneru): Recovery [SaS] 1 Recovery. CS-550 (M.Soneru): Recovery [SaS] 2 Recovery Computer system recovery: –Restore the system to a normal operational.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.
1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
Auditing Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.
Copyright © 2015 Pearson Education, Inc. Processing Integrity and Availability Controls Chapter
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.
Chapter 19 Security Transparencies. 2 Chapter 19 - Objectives Scope of database security. Why database security is a serious concern for an organization.
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
I/O Systems ◦ Operating Systems ◦ CS550. Note:  Based on Operating Systems Concepts by Silberschatz, Galvin, and Gagne  Strongly recommended to read.
Today’s Lecture application controls audit methodology.
Chapter 10: Computer Controls for Organizations and Accounting Information Systems
© Pearson Education Limited, Chapter 5 Database Administration and Security Transparencies.
Storage Security and Management: Security Framework
© 2013 Pearson Education, Inc. Publishing as Prentice Hall 1 CHAPTER 11: DATA AND DATABASE ADMINISTRATION Modern Database Management 11 th Edition Jeffrey.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.
The Islamic University of Gaza
Information Systems Security Computer System Life Cycle Security.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
1 Chapter 12 File Management Systems. 2 Systems Architecture Chapter 12.
G53SEC 1 Reference Monitors Enforcement of Access Control.
Information Systems Security Operational Control for Information Security.
MODULE 12 Control Audit And Security Of Information System 12.1 Controls in Information systems 12.2 Need and methods of auditing Information systems 12.3.
D ATABASE A DMINISTRATION L ECTURE N O 3 Muhammad Abrar.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Chapter 1 Introduction to Databases. 1-2 Chapter Outline   Common uses of database systems   Meaning of basic terms   Database Applications  
Information Security What is Information Security?
G53SEC 1 Reference Monitors Enforcement of Access Control.
Database Security Outline.. Introduction Security requirement Reliability and Integrity Sensitive data Inference Multilevel databases Multilevel security.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
Today’s Lecture Covers
Operating System Principles And Multitasking
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
AUDIT IN COMPUTERIZED ENVIRONMENT
Topic 5: Basic Security.
MBA 664 Database Management Dave Salisbury ( )
IS 630 : Accounting Information Systems Auditing Computer-based Information Systems Lecture 10.
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
INTRODUCTION TO COMPUTER & NETWORK SECURITY INSTRUCTOR: DANIA ALOMAR.
Auditing Of Information Systems Systems Analysis And Design © Systems Analysis And Design © V. Rajaraman OBJECTIVES  Ensure computer based financial and.
Chapter 3-Auditing Computer-based Information Systems.
Chapter 29: Program Security Dr. Wayne Summers Department of Computer Science Columbus State University
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Database Security Threats. Database An essential corporate resource Data is a valuable resource Must be strictly controlled, managed and secured May have.
Copyright © 2016 Pearson Education, Inc. CHAPTER 12: DATA AND DATABASE ADMINISTRATION Modern Database Management 12 th Edition Jeff Hoffer, Ramesh Venkataraman,
CS457 Introduction to Information Security Systems
Securing Network Servers
Chap 20. Vulnerability Analysis
Managing the IT Function
Chapter 19: Building Systems with Assurance
EEC 688/788 Secure and Dependable Computing
Systems Design Chapter 6.
Database Security &Threats
Chapter 29: Program Security
DBMS Module III DBMS
Presentation transcript:

Chapter 13 Processing Controls

Operating System Integrity Operating system -- the set of programs implemented in software/hardware that permits sharing and use of resources within a computer system There are many cases in which serious losses have occurred through breaches of operating system controls

Some Features of OP Systems Capable of managing resources Good managers vs. bad mangers There is a cost associated with mis- management of op systems –Exposure to risks –Loss of integrity What is an interrupt in op systems? Op systems demand respect by using interrupts.

Nature of a Reliable Operating System 1. Must be protected from user processes 2. Must prevent one user corrupting another user’s processes 3. Must protect users from themselves 4. Must protect itself from corruption of another module or sub-process 5. Must be robust when environmental failures occur

Operating System Integrity Threats Accidental –hardware, software, and environmental failures that cause the operating system to crash or to process erroneously Deliberate –usually aim at unauthorized removal of assets, breaches of data integrity, or disruption of operations

Penetration Techniques Browsing (checking residue) Masquerading Piggybacking (tapping messages) Between-lines entry (inactive users) Spoofing (fooling the user as if op system is interacting) Backdoors/Trapdoors (use it as if you are already in the system) Trojan horse (unknown to user, user runs the penetrator’s program)

Other Penetration Techniques Covert Storage Channels –one process communicates confidential information to another process by changing the values of system state variables Covert Timing Channels –one process communicates confidential information to another process by changing the time period that a system takes to perform some function

Operating System Integrity Flaws Penetrations result when integrity flaws exist in operating systems. These flaws arise for two reasons: 1. The access control policy designed for the operating system is defective 2. Even if a secure access control policy is designed for the operating system, it might be implemented incorrectly in the operating system

Integrity Flaws (no details) Incomplete parameter validation Inconsistent parameter validation Implicit sharing of data Asynchronous validation Inadequate access control Violable limits

Reference Monitors and Kernels A reference monitor is an abstract mechanism that checks each request by a subject to access and use an object to ensure that the request complies with a security policy. A reference monitor is implemented via a security kernel, which is a hardware, software, firmware mechanism

Reference Monitor Abstraction

Validation Checks Primarily ensure that computations performed on numeric fields are authorized, accurate, and complete Processing associated with alphabetic or alphanumeric fields typically is minimal

Rounding Validation Check Process

Other Software Controls Print Run-to-Run Control Totals –provide evidence that all input data has been processed accurately Minimize Human Intervention –because human intervention is error-prone, minimizing it will reduce incorrect processing Use Redundant Calculations –additional calculations can be used as “checks”

Audit Trail Controls Accounting Audit Trail –allows auditors to trace and to replicate the processing performed on a data item Operations Audit Trail –data is often critical to effective management of shared system resources

Operations Audit Trail

Content of the Operations Audit Trail Resource Consumption Data –identifies which user consumed a resource Security-Sensitive Events –creates audit trail entries for all changes to password or access privileges files or failed access attempts Hardware Malfunctions –records processor or memory parity errors User-Specified Events –allows users to write their own programs to collect operations data

Interrogating the Operations Audit Trail 1. Specifying audit objectives 2. Extracting data from the operations audit trail that will allow auditors to meet these objectives 3. Sorting the data extracted into the required order 4. Formatting and presenting the results

Existence Controls Nature of Checkpoint/Restart Controls –allow programs to be reestablished at some prior, valid intermediate point in their processing and restarted form that point –cannot guard against long-term or global failures

Functions of Checkpoint Facilities Processor-based Scheme –when a transient fault occurs, this scheme rolls the processor back a small number of instruction and then restarts the processor Memory-based Scheme –relies on having two memory banks for each address. Successful operations are copied from the first memory bank to the second

Processor-based Checkpoint/Restart facility

Memory-based Checkpoint/Restart facility

Auditors Concerns with Checkpoint/Restart Facilities Information written to a log must be secure Facilities must be effective and efficient Facilities should be well documented Facilities should work reliably

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.