Total Number of Subscribers: 1626

Date: 16th July 2010
Compiled by: M Sathya Kumar
The Sarbanes-Oxley Act of 2002 (SOX) authorized the Public Company Accounting Oversight Board (PCAOB) to establish auditing and related practice standards to be used by public accounting firms. PCAOB Auditing Standard 2 (AS 2; An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements) mandates that management is responsible for the effectiveness of a company’s internal control over financial reporting. AS 2 also requires that the audit of internal controls over financial reporting should be integrated with the audit of the financial statements. The 2005 CSI/FBI Computer Crime and Security Survey indicated that SOX has had an impact on information security in several industries. ComAir’s system crash on December 24, 2004, was just one example showing that the availability of data and system operations is essential to ensure business continuity. Due to resource constraints, organizations cannot implement unlimited controls to protect their systems. Instead, they should understand the major threats, and implement effective controls accordingly. An effective internal control structure cannot be implemented overnight, and internal control over financial reporting must be a continuing process.

The term “system security threats” refers to the acts or incidents that can and will affect the integrity of business systems, which in turn will affect the reliability and privacy of business data. Most organizations are dependent on computer systems to function, and thus must deal with systems security threats. Small firms, however, are often understaffed for basic information technology (IT) functions as well as system security skills. Nonetheless, to protect a company’s systems and ensure business continuity, all organizations must designate an individual or a group with the responsibilities for system security. Outsourcing system security functions may be a less expensive alternative for small organizations.

Top System Security Threats and Controls

The 2005 CSI/FBI Computer Crime and Security Survey of 700 computer security practitioners revealed that the frequency of system security breaches has been steadily decreasing since 1999 for almost all threats except the abuse of wireless networks; the survey also reports the financial losses resulting from each threat individually. Note, however, that the survey report pointed out that implicit losses (e.g., lost sales) are difficult to measure and might not have been included by survey participants.

Viruses

A computer virus is a software code that can
multiply and propagate itself. A virus can spread into another computer via
e-mail, downloading files from the Internet, or opening a contaminated file.
It is almost impossible to completely protect a network computer from virus
attacks; the CSI/FBI survey indicated that virus attacks were the most
widespread attack for six straight years since 2000.

Viruses are just one of several programmed threats or malicious codes (malware) in today’s interconnected system environment. Programmed threats are computer programs that can create a nuisance, alter or damage data, steal information, or cripple system functions. Programmed threats include computer viruses, Trojan horses, logic bombs, worms, spam, spyware, and adware. According to a recent study by the

Spyware is a computer
program that secretly gathers users’ personal information and relays it to
third parties, such as advertisers. Common functionalities of spyware include monitoring keystrokes, scanning files,
snooping on other applications such as chat programs or word processors,
installing other spyware programs, reading cookies,
changing the default homepage on the Web browser, and consistently relaying
information to the spyware home base.

Unknowing users often install spyware as the result of visiting a website, clicking on a disguised pop-up window, or downloading a file from the Internet.

Adware is a program that can display advertisements such as pop-up windows or advertising banners on webpages. A growing number of software developers offer free trials for their software until users pay to register. Free-trial users view sponsored advertisements while the software is being used. Some adware does more than just present advertisements, however; it can report users’ habits, preferences, or even personal information to advertisers or other third parties, similar to spyware.

To protect computer systems against viruses
and other programmed threats, companies must have effective access controls
and install and regularly update quarantine software. With effective
protection against unauthorized access and by encouraging staff to become
defensive computer users, virus threats can be reduced. Some viruses can
infect a computer through operating system vulnerabilities. It is critical to
install system security patches as soon as they are available. Furthermore,
effective security policies can be implemented with server operating systems
such as Microsoft Windows XP and Windows Server 2003. Other kinds of software
(e.g., Deep Freeze) can protect and preserve original computer
configurations. Each system restart eradicates all changes, including virus
infections, and resets the computer to its original state. The software
eliminates the need for IT professionals to perform time-consuming and
counterproductive rebuilding, re-imaging, or troubleshooting when a computer
becomes infected.

Fighting against programmed threats is an ongoing and ever-changing battle. Many organizations, especially small ones, are understaffed and underfunded for system security. Organizations can use one of a number of effective security suites (e.g., Norton Internet Security 2005, ZoneAlarm Security Suite 5.5, McAfee VirusScan) that offer firewall, anti-virus, anti-spam, anti-spyware, and parental controls (for home offices) at the desktop level. Firewalls and routers should also be installed at the network level to eliminate threats before they reach the desktop. Anti-adware and anti-spyware software are signature-based, and companies are advised to install more than one to ensure effective protection. Installing anti-spam software on the server is important because increasing spam results in productivity loss and a waste of computing resources. Important considerations for selecting anti-spam software include a system’s effectiveness, impact on mail delivery, ease of use, maintenance, and cost. Many Internet service providers conveniently reduce spam on their servers before it reaches subscribers. Additionally, companies must maintain in-house and off-site backup copies of corporate data and software so that data and software can be quickly restored in the case of a system failure.

Insider Abuse of Internet Access

Annual U.S. productivity growth was 2.5%
during the second half of the 1990s, as compared to 1.5% from 1973 to 1995, a
jump that has been attributed to the use of IT (Stephen D. Oliner and Daniel E. Sichel,
“Information Technology and Productivity: Where Are We Now and Where Are We
Going?,” Reserve Bank of Atlanta Economic Review, Third Quarter 2002).
Unfortunately, IT tools can be abused. For example, e-mail and Internet
connections are available in almost all offices to improve productivity, but
employees may use them for personal reasons, such as online shopping, playing
games, and sending instant messages to friends during work hours.

The 2005 Electronic Monitoring and Surveillance Survey conducted by the American Management Association (AMA) and the ePolicy Institute revealed that 76% of employers monitor employees’ web connections, while 50% of employers monitor and store employee computer files. The survey also revealed that 26% of participating employers have fired workers for workplace offenses related to the Internet; 25% have fired employees for misuse of e-mail; and 65% of those surveyed used software to block employee access to inappropriate websites. Most

If an Internet monitoring policy is clearly stated, companies need not worry about employee privacy concerns; the Electronic Communications Privacy Act does give companies the right to monitor electronic communications in the ordinary course of business.

Laptop or

Because they are relatively expensive, laptops and PDAs have become the targets of thieves. Although the percentage has declined steadily since 1999, about half of network executives indicated that their corporate laptops or PDAs were stolen in 2005 (Network World Technology Executive Newsletter, 02/21/05). Besides being expensive, they often contain proprietary corporate data, access codes

The following suggestions can help minimize the chance of theft when outside the office:

Denial of Service

A denial of service (DoS) attack is
specifically designed to interrupt normal system functions and affect
legitimate users’ access to the system. Hostile users send a flood of fake
requests to a server, overwhelming it and making a connection between the
server and legitimate clients difficult or impossible to establish. The
distributed denial of service (DDoS) allows the
hacker to launch a massive, coordinated attack from thousands of hijacked
(zombie) computers remotely controlled by the hacker. A massive DDoS attack can paralyze a network system and bring down giant websites. For example, the 2000 DDoS attacks brought down websites such as Yahoo! and eBay for hours. Unfortunately, any computer system can be a hacker’s target as long as it is connected to the Internet.

DoS attacks can result in significant server downtime and financial loss for many companies, but the controls to mitigate the risk are very technical. Companies should evaluate their potential exposure to DoS attacks and determine the extent of control or protection they can afford.

Unauthorized Access to Information

To control unauthorized access to information, access controls,
including passwords and a controlled environment, are necessary. Computers
installed in a public area, such as a conference room or reception area, can
create serious threats and should be avoided if possible. Any computer in a
public area must be equipped with a physical protection device to control
access when there is no business need. The LAN should be in a controlled
environment accessed by authorized employees only. Employees should be
allowed to access only the data necessary for them to perform their jobs.

Abuse of Wireless Networks

Wireless networks offer the advantage of convenience and
flexibility, but system security can be a big issue. Attackers do not need to
have physical access to the network. Attackers can take their time cracking
the passwords and reading the network data without leaving a trace. One
option to prevent an attack is to use one of several encryption standards
that can be built into wireless network devices. One example, wired
equivalent privacy (WEP) encryption, can be effective at stopping amateur
snoopers, but it is not sophisticated enough to foil determined hackers.
Consequently, any sensitive information transmitted over wireless networks
should be encrypted at the data level as if it were being sent over a public
network.

System Penetration

Hackers penetrate systems illegally to steal information, modify
data, or harm the system. The following factors are related to system
penetration:
According to Symantec, unpatched
operating system (OS) holes are one of the most common ways to break into a
system network; using a worm is also becoming more common. Therefore, the
first step to guard against hackers is to download free patches to fix
security holes when OS vendors release them. Routinely following this step
can dramatically improve network security for many companies. Companies can
use patch-management software to automate the distribution of authentic
patches from multiple software vendors throughout the entire organization.
Not all patches can work flawlessly with existing applications, however, and
sometimes the patches may conflict with a few applications, especially the
older ones. If possible, patches should first be tested in a simulated
environment, and existing systems should be backed up before the patch is
installed.

Companies can use software tools or system-penetration testing to scan the system and assess systems’ susceptibility and the effectiveness of any countermeasures in place. The testing techniques must be updated regularly to detect ever-changing threats and vulnerabilities. Other controls to mitigate system penetration are as follows:

Telecom Fraud

In the past, telecom fraud involved fraudulent use of
telecommunication (telephone) facilities. Intruders often hacked into a
company’s private branch exchange (PBX) and administration or maintenance
port for personal gains, including free long-distance calls, stealing
(changing) information in voicemail boxes, diverting calls illegally,
wiretapping, and eavesdropping.

As analog and digital data communications have converged, some
companies have utilized the Voice over Internet Protocol (VOIP) to lower
phone bills. The originating and receiving phone numbers are converted to IP
addresses and the PBX is linked to a company’s networked computers, and
hackers can get into systems through PBX or computerized branch exchange
(CBX). In addition, every PBX/CBX system is equipped with a software program
that makes it vulnerable to remote-access fraud, and intruders use
sophisticated software to find an easy target. Once a PBX is hacked, hackers
have the same access to a company’s phone system and computer network as do
the employees. Companies should install software to monitor service usage at
various points on the network, including the VOIP gatekeeper, VOIP media
controller, and broadcast server. The software can monitor the system packet
performance and the router applications on the converged network. The
software can also automatically alert the responsible person if any abnormal
activities have been detected.

Theft of Proprietary Information

Information is a commodity in the e-commerce era, and there are
always buyers for sensitive information, including customer data, credit card
information, and trade secrets. Data theft by an insider is common when
access controls are not implemented. Outside hackers can also use “Trojan”
viruses to steal information from unprotected systems. Beyond installing
firewall and anti-virus software to secure systems, a company should encrypt
all of its important data.

Access privilege and data encryption are good preventive
controls against data theft by unauthorized employees who steal for personal
gain. The access controls include the traditional passwords, smart-card
security, and more-sophisticated biometric security devices. Companies can
implement some appropriate controls, including limiting access to proprietary
information to authorized employees, controlling access where proprietary
information is available, and conducting background checks on employees who
will have access to proprietary information. There will, however, always be
some risk that authorized employees will misuse data they have access to in
the course of their work. Companies can also work with an experienced
intellectual property attorney, and require employees to sign noncompete and nondisclosure agreements.

Financial Fraud

The nature of financial fraud has changed over the years with
information technology. System-based financial fraud includes scam e-mails, identity
theft, and fraudulent transactions. With spam, con artists can send scam
e-mails to thousands of people in hours. Victims of the so-called 419 scam
are often promised a lottery winning or a large sum of unclaimed money
sitting in an offshore bank account, but they must pay a “fee” first to get
their shares. Anyone who gets this kind of e-mail is recommended to forward a
copy to the U.S. Secret Service.

Companies should review bank statements as soon as they arrive
and report any suspicious or unauthorized electronic transactions. Under the
Electronic Fund Transfer Act, if victims notify the bank of an unauthorized
transaction within 60 days of the date the statement is delivered, they are
not liable for any loss. Otherwise, victims could lose all the money in their
account, and the unused portion of the maximum line of credit established for
overdrafts.

Phishing is a form of
identity theft. Spam is sent claiming to be from an individual’s bank or
credit union or a reputable e-commerce organization. The e-mail urges the
recipient to click on a link to update their personal data. The link takes
the victim to a fake website designed to elicit personal or financial
information and transmit it to the criminals.

Users should never give out credit card numbers, PINs, or any personal information in response to
unsolicited e-mail. Instead of clicking a link in a suspicious e-mail, call
the office or use a URL that is legitimate to verify an e-mail that claims to
be from a bank or financial institution. When submitting sensitive financial
and personal information over the Internet, make sure the server uses the
Secure Sockets Layer protocol.

Misuse of Public Web Applications

The nature of e-commerce—convenience and flexibility—makes Web
applications vulnerable and easily abused. Hackers can circumvent traditional
network firewalls and intrusion-prevention systems and attack web
applications directly. They can inject commands into databases via the web
application user interfaces and surreptitiously steal data, such as customer
and credit card information.

User authentication is the foundation of Web application
security, and inadequate authentication may make applications vulnerable.
Companies must install a Web application firewall to ensure that all security
policies are closely followed. The following additional controls can mitigate
Web application abuses:
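As an added illustration of the database command injection described above (example code written for this page, not from the article): a login lookup that splices user input into its SQL statement, beside the parameterized form, both run against a constructed in-memory SQLite table. The table, the user names and the crafted input are assumptions made for the demonstration.

```python
import hashlib
import sqlite3
from typing import Optional

# Constructed sample accounts for the demonstration (not real credentials).
SAMPLE_USERS = [("admin", "correct horse battery"), ("clerk", "ledger-2005")]


def pw_hash(password: str) -> str:
    # Demonstration only: a production system should use a slow, salted
    # password hash (bcrypt, scrypt or Argon2), not a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, pw_hash(p)) for u, p in SAMPLE_USERS])
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Weak form: user-supplied text is spliced into the statement, so quote
    # characters or comment markers in the input change what the query means.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, pw_hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Hardened form: a parameterized query. The driver binds the values
    # separately from the statement text, so the input is only ever data.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, pw_hash(password))).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = build_db()
    # Constructed input: the trailing "--" comments out the password check
    # when the text is spliced into the statement.
    crafted = "admin' --"
    return {
        "legit_vulnerable": vulnerable_login(conn, "clerk", "ledger-2005"),
        "legit_safe": safe_login(conn, "clerk", "ledger-2005"),
        "crafted_vulnerable": vulnerable_login(conn, crafted, "wrong"),
        "crafted_safe": safe_login(conn, crafted, "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result!r}")
```

The weak form returns the admin row without a valid password, while the parameterized form treats the same text as a literal user name and matches nothing.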
Website Defacement

Website defacement is the sabotage of webpages
by hackers inserting or altering information. The altered webpages
may mislead unknowing users and represent negative publicity that could
affect a company’s image and credibility. Web defacement is in essence a
system attack, and the attackers often take advantage of undisclosed system
vulnerabilities or unpatched systems.

Network firewalls cannot guard against all web vulnerabilities.
Companies should install additional Web application security to mitigate the
defacement risk. All known vulnerabilities must be patched to prevent
unauthorized remote command execution and privilege escalation. It is also
important that only a few authorized users are allowed root access to a
website’s contents. Access to different Web server resources, such as
executables, processes, data files, and configuration files, should be
monitored. Commercial website monitoring services are also available.

Sabotage

According to the 2005 CSI/FBI survey, system security incidents
were committed by insiders about as often as by outsiders. Some of the
controls discussed above can provide protection against the sabotages
committed by outsiders, but no organization is immune from an employee
abusing its trust. For example, Omega Engineering was a thriving defensive
manufacturing firm in the 1990s; it used more than 1,000 programs to produce
various products with 500,000 different designs for their customers,
including NASA and the U.S. Navy. On July 31, 1996, Omega Engineering’s
server crashed and all of the software programs were lost. To make matters
worse, on the same day the backup tape also disappeared. The investigation
quickly revealed that it was a deliberate sabotage by the former system
administrator, Tim Lloyd, who had been terminated 30 days before the
catastrophe. Lloyd designed and planted a time bomb to erase all the programs
on the server. The crash resulted in $10 million in lost revenues and led to
80 layoffs.

When it comes to security, companies often pay attention only to the perimeter of the organization, not the inside. Sabotage by insiders is often orchestrated when employees know their
termination is coming. In some cases, disgruntled employees are still able to
gain access after being terminated. The 2005 insider-threat case study
results by CERT/SEI help identify, assess, and manage sabotage threats
from insiders. Their key findings were as follows:
As indicated by the CERT/SEI study, the convenience of remote
access facilitates the majority of sabotage attacks. Another potential threat
of unauthorized use is when employees quit or are terminated but there is no
coordination between the personnel department and the computer center. In some
cases, employees still have system access and an e-mail account after they
have left an organization. It is also not unusual that employees know the
user IDs and passwords of their colleagues. Companies can adopt some of the
following steps to protect against such threats:
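As an added example (not from the article) of closing the coordination gap between the personnel department and the computer center described above: a reconciliation that checks a constructed HR roster against a constructed account listing and flags accounts that remain enabled, or were used, after their owner's termination date, as well as accounts that map to no employee at all. The roster, account names and dates are assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]          # None when the account maps to nobody
    enabled: bool
    last_login: Optional[date]     # None when the account was never used


# Constructed sample data: a hypothetical HR roster and account listing.
HR_ROSTER = [
    Employee("E100", "A. Clerk", None),
    Employee("E101", "B. Admin", date(1996, 7, 1)),
    Employee("E102", "C. Sales", date(1996, 7, 20)),
]
ACCOUNTS = [
    Account("aclerk", "E100", True, date(1996, 7, 30)),
    Account("badmin", "E101", True, date(1996, 7, 29)),   # used after leaving
    Account("csales", "E102", True, None),                 # left enabled
    Account("backup-svc", None, True, date(1996, 7, 31)),  # no HR owner
]


def reconcile(roster: List[Employee], accounts: List[Account],
              as_of: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts HR and IT disagree on."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        owner = by_id.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            findings.append((acct.username, "no owner on HR roster"))
            continue
        if owner.terminated_on is None or owner.terminated_on > as_of:
            continue  # owner is still employed as of the check date
        if acct.enabled:
            findings.append((acct.username, "still enabled after termination"))
        if acct.last_login and acct.last_login > owner.terminated_on:
            findings.append((acct.username, "login after termination date"))
    return findings


def demo_findings() -> List[Tuple[str, str]]:
    # Run the reconciliation against the constructed sample as of 31 July 1996.
    return reconcile(HR_ROSTER, ACCOUNTS, date(1996, 7, 31))


if __name__ == "__main__":
    for username, finding in demo_findings():
        print(f"{username:12s} {finding}")
```

Run daily against the real roster and directory export, each finding is a ticket for the computer center to disable the account and for personnel to confirm the status.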
Company Awareness

Business operations can be disrupted by many factors, including
system security breaches. System downtime, system penetrations, theft of
computing resources, and lost productivity have quickly become critical
system security issues. The financial loss of these security breaches can be
significant. In addition, system security breaches often taint a company’s
image and may compromise a company’s compliance with applicable laws and
regulations. The key to protecting a company’s accounting information system
against security breaches is to be well prepared for all possible major
threats. A combination of preventive and detective controls can mitigate
security threats. Article by P. Paul Lin, PhD, is an associate
professor of accounting at the Raj Soin College of Business of |
Disclaimer: We believe that the information contained in this e-zine is true. If you do not wish to receive Smart Trainee please click here.