Page 32 - DCAP516_COMPUTER_SECURITY
P. 32
Computer Security
Notes conflict of interest. The system management staff may have little incentive to say that the
computer system was poorly designed or is sloppily operated. On the other hand, they may be
motivated by a strong desire to improve the security of the system. In addition, they are
knowledgeable about the system and may be able to find hidden problems.
The independent auditor, by contrast, should have no professional stake in the system.
Independent audit may be performed by a professional audit staff in accordance with generally
accepted auditing standards.
There are many methods and tools, some of which are described here, that can be used to audit
a system. Several of them overlap.
Automated Tools
Even for small multiuser computer systems, it is a big job to manually review security features.
Automated tools make it feasible to review even large computer systems for a variety of security
flaws.
There are two types of automated tools: (1) active tools, which find vulnerabilities by trying to
exploit them, and (2) passive tests, which only examine the system and infer the existence of
problems from the state of the system.
Automated tools can be used to help find a variety of threats and vulnerabilities, such as improper
access controls or access control configurations, weak passwords, lack of integrity of the system
software, or not using all relevant software updates and patches. These tools are often very
successful at finding vulnerabilities and are sometimes used by hackers to break into systems.
Not taking advantage of these tools puts system administrators at a disadvantage. Many of the
tools are simple to use; however, some programs (such as access-control auditing tools for large
mainframe systems) require specialized skill to use and interpret.
Internal Controls Audit
An auditor can review controls in place and determine whether they are effective. The auditor
will often analyze both computer and non-computer-based controls. Techniques used include
inquiry, observation, and testing (of both the controls themselves and the data). The audit can
also detect illegal acts, errors, irregularities, or a lack of compliance with laws and regulations.
Security checklists and penetration testing, discussed below, may be used.
Security Checklists
Within the government, the computer security plan provides a checklist against which the
system can be audited. One advantage of using a computer security plan is that it reflects the
unique security environment of the system, rather than a generic list of controls. Other checklists
can be developed, which include national or organizational security policies and practices (often
referred to as baselines). Lists of “generally accepted security practices” (GSSPs) can also be used.
Care needs to be taken so that deviations from the list are not automatically considered wrong,
since they may be appropriate for the system’s particular environment or technical constraints.
Checklists can also be used to verify that changes to the system have been reviewed from a
security point of view. A common audit examines the system’s configuration to see if major
changes (such as connecting to the Internet) have occurred that have not yet been analyzed from
a security point of view.
26 LOVELY PROFESSIONAL UNIVERSITY
