Hall 5e TB Ch16

Chapter 16—IT Controls Part II: Security and Access

TRUE/FASE

1. In a computerized computerized environm environment, ent, the audit audit trail log log must be printed printed onto paper paper documents. documents. ANS: F 2. Disguising message pacets pacets to loo loo as i! i! the" came !rom another user and to to gain access to the the host#s host#s net$or is called spooling. ANS: F %. Access Access controls controls tae on increased increased importa importance nce in a computeriz computerized ed environmen environmentt because all all o! the records ma" be !ound in one place. ANS: & '. (omputer (omputer viruses viruses usuall" usuall" spread spread throughou throughoutt the s"stem be!ore be!ore being being detected. detected. ANS: & ). A $orm is so!t$are so!t$are program that replicates replicates itsel! in areas o! o! idle memor" memor" until the the s"stem !ails. ANS: & *. +iruses +iruses rarel" attach attach themselve themselvess to eecut eecutable able !iles. !iles. ANS: F -. Subschemas Subschemas are used used to authorize authorize user user access privile privileges ges to speci!ic speci!ic data data elements. elements. ANS: F . A recover" module suspends all all data processing processing $hile $hile the s"stem s"stem reconciles its /ournal !iles against the database. ANS: F 0. &he Databa Database se anagemen anagementt S"stem S"stem controls controls program program !iles. !iles. ANS: F 1. 3perating s"stem s"stem controls controls are o! interest to s"stem pro!essionals pro!essionals but should not concern accountants accountants and auditors. ANS: F 11. 11. &he most most !re4uent !re4uent victims victims o! program program viruses viruses are microcom microcomputer puters. s. ANS: &

12. Access controls controls protect protect databases databases against against destruction, destruction, loss or misuse misuse through unauthorized access. ANS: & 1%. 3perating s"stem s"stem integrit" is not o! concern to accountants accountants because onl" hard$are hard$are riss are involved. ANS: F 1'. Audit trails trails in computerized computerized s"stems s"stems are comprised comprised o! t$o t$o t"pes o! audit logs: detailed detailed logs o! individual e"stroes and event5oriented logs. ANS: & 1). In a telecommunic telecommunicatio ations ns environme environment, nt, line errors errors can be detected detected b" using using an echo chec. chec. ANS: & 1*. Fire$alls Fire$alls are specia speciall materials materials used used to insulate insulate computer computer !acili !acilities ties ANS: F 1-. &he message authentication code is calculated b" the sender and the receiver o! a data transmission. transmission. ANS: & 1. &he re4uest5response re4uest5response techni4ue techni4ue should detect detect i! a data communication transmission has been diverted. ANS: & 10. 6lectronic data interchange interchange translation translation so!t$are so!t$are inter!aces inter!aces $ith the sending sending !irm and the value added added net$or. ANS: F 2. A value added added net$or can detect and re/ect transactions b" unauthorized unauthorized trading trading partners. partners. ANS: & 21. 6lectroni 6lectronicc data interchan interchange ge customers customers ma" be given access access to the vendor7s vendor7s data data !iles. ANS: & 22. &he audit audit trail !or electronic electronic data interchange transactions is stored stored on magnetic media. ANS: & 2%. A !ire$al !ire$alll is a hard$are partitio partition n designed designed to protect protect net$ors net$ors !rom po$er po$er surges. surges. ANS: F 2'. &o preserve audit audit trails in in a (8IS environment, transaction transaction logs logs are permanent permanent records o! transactions. transactions. ANS: &

2). 6amining programmer authorit" authorit" tables tables !or in!ormation about $ho $ho has access to Data De!inition De!inition 9anguage commands $ill provide evidence about $ho is responsible !or creating subschemas. ANS: & !UTIPE C"#ICE

1. &he operati operating ng s"stem s"stem per!orms per!orms all all o! the !ollo$ !ollo$ing ing tass tass ecept ecept a. translates translates third5gen third5generati eration on languag languages es into into machine machine langu language age  b. assigns memor" to applications applications c. auth author oriz izes es user user acce access ss d. sche schedu dule less /ob /ob proc proces essi sing ng ANS: ( 2. hich o! the !ollo$ing !ollo$ing is considered considered an unintentional threat to the integrit" o! the operating s"stem; s"stem; a. a hacer hacer gaining gaining access access to the the s"stem s"stem because because o! o! a securit" securit" !la$ !la$  b. a hard$are !la$ that causes the the s"stem to crash c. a viru viruss that that !ormat !ormatss the the hard hard drive drive d. the s"stems s"stems programmer programmer accessing accessing individu individual al user user !iles !iles ANS: 8 %. A so!t$are program that replicates replicates itsel! in areas o! idle memor" memor" until the s"stem !ails is called a a. &ro/an ho horse rse  b. $orm c. logic bomb d. none none o! the the abo above ve ANS: 8 '. A so!t$are program that allo$s allo$s access to a s"stem $ithout $ithout going going through the normal logon procedures procedures is called a a. logic bomb  b. &ro/an horse horse c. $orm d. bac door  ANS: D ). All o! the !ollo$ !ollo$ing ing $ill $ill reduce the the eposure eposure to computer computer viruse virusess ecept ecept a. inst instal alll antiv antivir irus us so! so!t$ t$ar aree  b. install !actor"5sealed !actor"5sealed application so!t$are so!t$are c. assign assign and contro controll user user pass$ pass$ord ordss d. install install public5d public5domain omain so!t$ so!t$are are !rom reputa reputable ble bulleti bulletin n boards boards ANS: D *. hich bacup bacup techni4 techni4ue ue is most appropr appropriate iate !or se4uentia se4uentiall batch s"stems; s"stems; a. grand! grand!ath ather5 er5!at !ather her5so 5son n approa approach ch  b. staggered bacup approach approach c. direct ba bacup d. remote remote site, site, int interm ermitt ittent ent bacup bacup

ANS: A -. hen creatin creating g and controll controlling ing bacups bacups !or !or a se4uential se4uential batch batch s"stem, s"stem, a. the number number o! bacup bacup versio versions ns retained retained depend dependss on the the amount amount o! data in in the !ile !ile  b. o!!5site bacups bacups are not re4uired c. bacup bacup !ile !iless can neve neverr be used used !or !or scratc scratch h !iles !iles d. the more more signi!ica signi!icant nt the data, data, the the greater greater the number number o! o! bacup bacup versions versions ANS: D .
a direct direct access access !ile !ile s"stem s"stem bacups bacups are created created using using the the grand!ath grand!ather5! er5!ather ather5son 5son approach approach processing a transaction transaction !ile against a maser !ile creates a bacup !ile !iles are baced baced up immedia immediatel" tel" be!ore be!ore an update update run run i! the master master !ile is is destro" destro"ed, ed, it canno cannott be recons reconstruct tructed ed

ANS: ( 1. hich o! the !ollo$ !ollo$ing ing is not not an access access control control in a databa database se s"stem; s"stem; a. anti antivi viru russ so! so!t$ t$ar aree  b. database authorization authorization table c. pass$ords d. voice pr prints ANS: A 11. 11. hich hich is is not not a biome biometri tricc device device;; a. pass$ord  b. retina prints c. voice prints d. sign signat atur uree char charac acte teri rist stic icss ANS: A 12. hich o! o! the !ollo$ing !ollo$ing is is not a basic basic database database bacup bacup and recover" recover" !eature !eature;; a. checpoint  b. bacup database c. tran transsact action ion log log d. data databa base se aut autho hori rit" t" tab table le ANS: D 1%. All o! the !ollo$ !ollo$ing ing are ob/ecti ob/ectives ves o! operatin operating g s"stem s"stem control control ecept ecept a. prot protec ecti ting ng the the 3S 3S !rom !rom use users rs  b. protesting users !rom each each other  c. protec protectin ting g user userss !rom !rom themse themselve lvess d. protec protectin ting g the the enviro environm nment ent !rom !rom user userss

ANS: D 1'. =ass$ords are secret codes that users enter to gain gain access to s"stems. Securit" can be compromised compromised b" all o! the !ollo$ing ecept a. !ailur !ailuree to chang changee pass$o pass$ords rds on on a regular regular basi basiss  b. using obscure pass$ords pass$ords unno$n to others others c. record recording ing pass$o pass$ords rds in obvi obvious ous places places d. selecting selecting pass$ pass$ords ords that that can be be easil" detected detected b" compu computer ter criminals criminals ANS: 8 1). 1). Audit Audit trai trails ls cann cannot ot be be used used to to a. detect detect unauth unauthori orized zed access access to s"ste s"stems ms  b. !acilitate reconstruction reconstruction o! events c. reduc reducee the need need !or !or other other !orms !orms o! o! securi securit" t" d. promo promote te pers persona onall accou accounta ntabi bilit lit" " ANS: ( 1*. hich contr control ol $ill not not reduce the the lielihoo lielihood d o! data loss loss due to a line line error; a. echo chec   b. encr"ption c. vert vertic ical al pari parit" t" bit bit d. hori horizo zont ntal al pari parit" t" bit bit ANS: 8 1-. hich method method $ill $ill render render useless useless data captured captured b" unauthori unauthorized zed receivers receivers;; a. echo chec   b. parit" bit c. publ public ic e" encr" encr"pt ptio ion n d. mess messag agee se4ue se4uenc ncin ing g ANS: ( 1. hich method method is most most liel" liel" to detect detect unauthor unauthorized ized access access to the the s"stem; s"stem; a. mess messag agee tra trans nsac acti tion on log log  b. data encr"ption standard standard c. vert vertic ical al par parit it" " chec chec    d. re4ue re4uest5 st5res respon ponse se techni techni4ue 4ue ANS: A 10. All o! the !ollo$ing !ollo$ing techni4ues techni4ues are are used to validate validate electronic data interchange interchange transactions transactions ecept ecept a. value added added net$ors net$ors can can compare compare pass$ord pass$ordss to a valid custom customer er !ile be!ore be!ore message message transmission  b. prior to converting the the message, the translation translation so!t$are o! the receiving receiving compan" can compare the pass$ord against a validation !ile in the !irm7s database c. the recipien recipient7s t7s applicat application ion so!t$are so!t$are can validat validatee the pass$ord pass$ord prior prior to processing processing d. the recipien recipient7s t7s applicat application ion so!t$are so!t$are can validat validatee the pass$ord pass$ord a!ter the the transaction transaction has been been  processed ANS: D 2. In an electronic electronic data data interchange interchange environm environment, ent, customer customerss routinel" routinel" access access

a.  b. c. d.

the the vend vendor or7s 7s pri price ce lis listt !ile !ile the vendor7s accounts accounts pa"able !ile the vendor vendor7s 7s open open purcha purchase se orde orderr !ile !ile none none o! the the abo above ve

ANS: A 21. All o! the the !ollo$ing !ollo$ing tests o! controls $ill provide provide evidence that ade4uate ade4uate computer virus control control techni4ues are in place and !unctioning ecept a. veri!"ing veri!"ing that that onl" authorized authorized so!t$ so!t$are are is used used on compan" compan" computer computerss  b. revie$ing s"stem maintenance maintenance records c. con!ir con!irmin ming g that that antivi antivirus rus so!t so!t$ar $aree is in use use d. eamining eamining the the pass$ord pass$ord polic" polic" includi including ng a revie$ revie$ o! the authorit" authorit" table table ANS: 8 22. Audit Audit ob/ectives ob/ectives !or !or the database database management management include include all o! the the !ollo$ing !ollo$ing ecept ecept a. veri!"ing veri!"ing that that the securit" securit" group group monitor monitorss and reports reports on !ault !ault tolerance tolerance violati violations ons  b. con!irming that bacup bacup procedures are ade4uate c. ensuring ensuring that that authorized authorized users users access access onl" those those !iles !iles the" need need to per!orm per!orm their their duties duties d. veri!"ing veri!"ing that that unautho unauthorized rized users cannot cannot access access data data !iles !iles ANS: A 2%. All o! the the !ollo$ing !ollo$ing tests o! controls $ill provide provide evidence that access to the data !iles is limited ecept a. inspec inspectin ting g biome biometri tricc contro controls ls  b. reconciling program version version numbers c. comparing comparing /ob /ob descripti descriptions ons $ith $ith access privil privileges eges stored stored in the authori authorit" t" table table d. attemptin attempting g to retrieve retrieve unaut unauthori horized zed data data via in!erenc in!erencee 4ueries 4ueries ANS: 8 2'. Audit Audit ob/ectives ob/ectives !or !or communicatio communications ns controls controls include include all o! the !ollo$i !ollo$ing ng ecept ecept a. detection detection and correct correction ion o! message message loss loss due to to e4uipmen e4uipmentt !ailure !ailure  b. prevention and detection detection o! illegal access to to communication channels channels c. procedures procedures that render render interc intercepted epted messages messages useless useless d. all all o! o! th the abo above ve ANS: D 2). hen auditors auditors eamine eamine and test the call5bac call5bac !eature, !eature, the" are testing testing $hich $hich audit ob/ective ob/ective;; a. incomp incompati atible ble !unc !unctio tions ns have have been segre segregat gated ed  b. application programs programs are protected !rom unauthorized unauthorized access c. ph"sical ph"sical securit" securit" measures measures are ade4uat ade4uatee to protect the the organizati organization on !rom natural natural disaster  disaster  d. illegal illegal access access to the the s"stem s"stem is is prevent prevented ed and and detected detected ANS: D 2*. In an 6lectronic 6lectronic Data Data Interchange Interchange >6DI? >6DI? environme environment, nt, $hen the audito auditorr compares compares the terms o! the trading partner agreement against the access privileges stated in the database authorit" table, the auditor is testing $hich audit ob/ective; a. all 6DI trans transact action ionss are are autho authoriz rized ed  b. unauthorized trading trading partners cannot gain gain access to database records c. authorized authorized trading trading partners partners have access access onl" to to approved approved data d. a comple complete te audit audit trail trail is is mainta maintaine ined d

ANS: ( 2-. Audit ob/ectives ob/ectives in the 6lectronic 6lectronic Data Interchange Interchange >6DI? environment include all o! the !ollo$ing !ollo$ing ecept a. all 6DI trans transact action ionss are are autho authoriz rized ed  b. unauthorized trading trading partners cannot gain gain access to database records c. a complete complete audit audit trail trail o! 6DI transa transactio ctions ns is maintaine maintained d d. bacup bacup procedu procedures res are are in place place and !uncti !unctioning oning properl" properl" ANS: D 2. In determining $hether a s"stem is ade4uatel" protected protected !rom attacs attacs b" computer viruses, viruses, all o! the !ollo$ing policies are relevant ecept a. the polic" polic" on on the purchase purchase o! so!t$are so!t$are onl" onl" !rom reputable reputable vendo vendors rs  b. the polic" that all so!t$are so!t$are upgrades are checed !or viruses viruses be!ore the" are implemented implemented c. the polic" polic" that current current versio versions ns o! antivirus antivirus so!t$a so!t$are re should should be availabl availablee to all users users d. the polic" polic" that that permits permits users to tae tae !iles !iles home home to $or $or on them them ANS: D 20. hich o! the !ollo$ing !ollo$ing is not not a test test o! access access contro controls; ls; a. biom biomet etri ricc con contr trol olss  b. encr"ption controls controls c. bacu acup p cont contro rolls d. in!e in!ere renc ncee cont contro rols ls ANS: ( %. In an electroni electronicc data intercha interchange nge environm environment, ent, custome customers rs routinel" routinel" a. access access the vendor7s vendor7s accounts accounts receiva receivable ble !ile !ile $ith read@$ read@$rite rite authori authorit" t"  b. access the vendor7s price price list !ile $ith read@$rite read@$rite authorit" c. access access the vendor7s vendor7s inven inventor" tor" !ile $ith read5onl" read5onl" autho authorit" rit" d. access access the vendor7s vendor7s open purchase purchase order order !ile !ile $ith read5onl" read5onl" author authorit" it" ANS: ( %1. In an electron electronic ic data data interchang interchangee environme environment, nt, the audit audit trail trail a. is a print printout out o! o! all incoming incoming and and outgoin outgoing g transac transactions tions  b. is an electronic log o! all all transactions received, received, translated, and processed processed b" the s"stem c. is a comp compute uterr resou resource rce auth authori orit" t" tabl tablee d. consists consists o! o! pointers pointers and indee indeess $ithin $ithin the databa database se ANS: 8 %2. All o! the !ollo$in !ollo$ing g are designed designed to control control eposures eposures !rom subver subversive sive threats threats ecept ecept a. !ire$alls  b. one5time pass$ords c. !iel !ield d inte interr rrog ogat atio ion n d. data data encr encr" "ptio ption n ANS: ( %%. an" techni4ues techni4ues eist eist to reduce the lielihood and e!!ects e!!ects o! data communication communication hard$are !ailure. !ailure. 3ne o! these is a. hard hard$a $are re acc acces esss proc proced edur ures es  b. antivirus so!t$are so!t$are

c. parit arit" " chec hecss d. data data encr encr" "ptio ption n ANS: ( %'. hich o! the !ollo$ !ollo$ing ing deal deal $ith transacti transaction on legitimac" legitimac";; a. transa transacti ction on author authoriza izatio tion n and valida validatio tion n  b. access controls c. 6DI aud audiit tra trail il d. all all o! o! th the abo above ve ANS: D %). Fire Fire$ $alls lls are are a. special special materia materials ls used used to insul insulate ate compu computer ter !acil !acilities ities  b. a s"stem that en!orces access control bet$een t$o net$ors net$ors c. specia speciall so!t$a so!t$are re used used to screen screen Inter Internet net acces accesss d. none none o! the the abo above ve ANS: 8 %*. &he database database attribu attributes tes that indivi individual dual users users have permissio permission n to access are de!ined de!ined in a. oper operat atin ing g s"st s"stem em..  b. user manual. c. data databa base se sche schema ma.. d. user vi vie$. e. appl applic icat atio ion n list listin ing. g. ANS: D %-. An integrated integrated group o! o! programs that supports supports the applications applications and !acilitates !acilitates their access access to speci!ied speci!ied resources is called a >an? a. oper operat atin ing g s"st s"stem em..  b. database management s"stem. s"stem. c. utili tilit" t" s"s s"stem tem d. !aci !acili lit" t" s"st s"stem em.. e. ob/ec b/ectt s" s"stem tem. ANS: A S"#RT A$S%ER 

1. 8rie!l 8rie!l" " de!in de!inee an opera operatin ting g s"stem s"stem.. ANS: An integrated group o! programs that supports the applications and !acilitates their access to speci!ied resources. 2. hat hat is a viru virus; s; ANS: A virus is a program that attaches itsel! to another legitimate program in order to penetrate the operating s"stem. %. Describe Describe one one bene!it bene!it o! using using a call5bac call5bac device. device.

ANS: Access to the s"stem is achieved $hen the call5bac device maes contact $ith an authorized user. &his reduces the chance o! an intruder gaining access to the s"stem !rom an unauthorized remote location. '. (ontrast (ontrast the =rivate =rivate 6ncr"ption 6ncr"ption Standard Standard approach approach $ith $ith the =ublic e" 6ncr"ptio 6ncr"ption n approach approach to controlling access to telecommunication messages. ANS: In the =rivate 6ncr"ption Standard approach, both the sender and the receiver use the same e" to encode and decode the message. In the =ublic e" 6ncr"ption approach all senders receive a cop" o! the e" used to send messagesB the receiver is the onl" one $ith access to the e" to decode the message. ). 9ist three three methods methods o! controlling controlling unauthor unauthorized ized access access to telecommunica telecommunication tion messages messages.. ANS: call5bac devices, data encr"ption, message se4uence numbering, message authentication codes, message transaction logs, and re4uest5response techni4ue *. Describe t$o $a"s that pass$ords are used to authorize and and validate messages in the electronic electronic data interchange environment. ANS: value5added net$ors use pass$ords to detect unauthorized transactions transactions be!ore the" are transmitted to recipientsB the recipient o! the message can validate the pass$ord prior to translating the messageB the recipient o! the message can validate the pass$ord prior to processing the transaction -. 6plain 6plain ho$ transacti transactions ons are audited audited in an electron electronic ic data interchan interchange ge environme environment. nt. ANS: Firms using electronic data interchange maintain an electronic log o! each transaction as it moves !rom receipt to translation to communication o! the message. &his transaction log restores the audit trail that $as lost because no source documents eist. +eri!ication +eri!ication o! the entries in the log is part o! the audit  process. . Describe Describe are are some some t"pical t"pical problems problems $ith $ith pass$o pass$ords; rds; ANS: users !ailing to remember pass$ordsB !ailure to change pass$ords !re4uentl"B displa"ing pass$ords $here others can see themB using simple, eas "5to5guess pass$ords pass$ords 0. Discuss Discuss the e" e" !eatures !eatures o! o! the one5tim one5timee pass$ord pass$ord techni4 techni4ue: ue: ANS: &he one5time pass$ord $as designed to overcome the problems associated $ith reusable pass$ords. &he user#s pass$ord changes continuousl". continuousl". &his technolog" emplo"s a credit card5sized smart card that contains a microprocessor programmed $ith an algorithm that generates, and electronicall" displa"s, a ne$ and uni4ue pass$ord ever" * seconds. &he card $ors in con/unction $ith special authentication so!t$are located on a main!rame or net$or  server computer. 6ach user#s card is s"nchronized to the authentication so!t$are, so!t$are, so that at an" point in time both the smart card and the net$or so!t$are are generating the same pass$ord !or the same user.

1. Describe t$o tests o! controls that that $ould provide evidence evidence that the database management s"stem s"stem is  protected against unauthorized unauthorized access attempts. attempts. ANS: compare /ob descriptions $ith authorit" tablesB veri!" that database administration emplo"ees have eclusive responsibilit" responsibilit" !or creating authorit" tables and designing user subschemasB evaluate  biometric and in!erence controls controls 11. 11. hat hat is is even eventt moni monitor toring ing;; ANS: 6vent monitoring summarizes e" activities related to s"stem resources. 6vent logs t"picall" t "picall" record the IDs o! all users accessing the s"stemB the time and duration o! a user#s sessionB programs that $ere eecuted during a sessionB and the !iles, databases, printers, and other resources accessed. 12. hat are are the auditor7 auditor7ss concerns concerns in testin testing g 6DI control controls; s; ANS: hen testing 6DI controls, the auditor7s primar" concerns are related to ascertaining that 6DI transactions are authorized, validated, and in compliance $ith organization polic", polic", that no unauthorized organizations organizations gain access to records, that authorized trading partners have access onl" to approved data, and that ade4uate controls are in place to maintain a complete audit trail. 1%. hat is a databa database se author authorizati ization on table table;; ANS: &he data&ase authori'ation ta&le contains rules that limit the actions a user can tae. 6ach user is granted certain privileges that are coded in the authorit" table, $hich is used to veri!" the user#s action re4uests. 1'. 1'. hat hat is a user user5de 5de!in !ined ed proce procedur dure; e; ANS: A user5de!ined procedure allo$s the user to create a personal securit" program or routine to provide more positive user identi!ication than a pass$ord can. For eample, in addition to a pass$ord, the securit" procedure ass a series o! personal 4uestions >such as the user#s mother#s maiden name?, $hich onl" the legitimate user is liel" to no$. 1). 1). hat hat are are biome biometri tricc devi devices ces;; ANS: 8iometric devices measure various personal characteristics such as !ingerprints, voiceprints, retina  prints, or signature signature characteristics. &hese &hese user characteristics are are digitized and stored permanentl" permanentl" in a database securit" !ile or on an identi!ication card that the user carries. hen an individual attempts to access the database, a special scanning device captures his or her biometric characteristics, $hich it compares $ith the pro!ile data stored internall" or on the I D card. I! the data do not match, access is denied. ESSA(

1. hat are are the three three securit" securit" ob/ecti ob/ectives ves o! audit audit trails trails;; 6plain. 6plain.

ANS: Audit trails support s"stem securit" ob/ectives in three $a"s. 8" detecting unauthorized access  to the s"stem, the audit trail protects the s"stem !rom outsiders tr"ing to breach s"stem controls. 8" monitoring s"stem per!ormance, changes in the s"stem ma" be detected. &he audit trail can also contribute to reconstructing events such events  such as s"stem s "stem !ailures, securit" breaches, and processing errors. In addition, the abilit" to monitor user activit" can support increased  personal accountability accountability.. 2. hat is an operatin operating g s"stem; s"stem; hat does it do; do; hat are operatin operating g s"stem control control ob/ectiv ob/ectives; es; ANS: An operating s"stem is a computer#s control program. It controls user sharing o! applications and resources such as processors, memor", databases, databases, and peripherals such as printers. (ommon =( operating s"stems include indo$s 2, indo$s N&, and 9inu. An operating s"stem carries out three primar" !unctions: translating high level languages into machine language using modules called compilers and interpretersB allocating computer resources to users, $orgroups, and applicationsB and managing /ob scheduling and multiprogramming. 3perating s"stems have !ive basic control ob/ectives: 1. to protect itsel! !rom users, 2. to protect users !rom each other, %. to protect users !rom themselves, '. to protect it !rom itsel!, and ). to protect itsel! !rom its environment. %. Discus Discus three sources sources o! o! eposure eposure >threats >threats?? to the operatin operating g s"stem. s"stem. ANS: 1. =rivileged personnel $ho abuse their authorit". S"stems administrators administrators and s"stems programmers re4uire unlimited access to the operating s"stem to per!orm maintenance and to r ecover !rom s"stem !ailures. Such individuals ma" use this authorit" to access users# programs and data !iles. 2. Individuals both internal and eternal to the organization $ho bro$se the operating s"stem to identi!" and eploit securit" !la$s. %. Individuals $ho intentionall" >or accidentall"? insert computer viruses or other !orms o! destructive  programs into the operating operating s"stem. '. &here are man" man" techni4ues techni4ues !or !or breaching breaching operating operating s"stem s"stem controls controls.. Discuss Discuss three. ANS: 8ro$sing involves searching through areas o! main memor" !or pass$ord in!ormation. as4uerading is a techni4ue $here a user is made to believe that he@she has accessed the operating s"stem and there!ore enters pass$ords, etc., that can later be used !or unauthorized access. A virus is a program that attaches itsel! to legitimate so!t$are to penetrate the operating s"stem. ost are destructive. A $orm is so!t$are that replicates itsel! in memor". A logic bomb is a destructive program triggered b" some ClogicalC conditiona matching date, e.g., ichelangelo7s birthda". birthda". ). A !ormal !ormal log5o log5on n proc procedu edure re is the operating s "stem#s "stem#s !irst line o! de!ense. 6plain this $ors. ANS:

hen the user logs on, he or she is presented $ith a dialog bo re4uesting the user#s ID and pass$ord. &he s"stem compares the ID and pass$ord to a database o! valid users. I! the s"stem !inds a match, then the log5on attempt is authenticated. I!, ho$ever, the pass$ord or ID is entered incorrectl", incorrectl", the log5 on attempt !ails and a message is returned to the user. &he message should not reveal $hether the  pass$ord or the ID caused caused the !ailure. &he s"stem s"stem should allo$ the the user to reenter the log5on in!ormation. A!ter A!ter a speci!ied number o! attempts >usuall" no more than !ive?, the s"stem should loc out the user !rom the s "stem. *. 6plain 6plain the the concept concept o! discretion discretionar" ar" access access privil privileges eges.. ANS: In centralized s"stems s"stem administrator usuall" determines $ho is granted access to speci!ic resources and maintains the access control list. In distributed s"stems, ho$ever, resources ma" be controlled >o$ned? b" end users. Eesource o$ners in this setting ma" be granted discretionar" access  privileges, $hich allo$ allo$ them to grant access privileges privileges to other users. users. For eample, the controller, controller, $ho is the o$ner o! the general ledger, ma" grant read5onl" privileges to a manager in the budgeting department. &he accounts pa"able manager, ho$ever, ma" be granted both read and $rite permissions to the ledger. An" An" attempt b" the budgeting manager to add, delete, or change the general ledger $ill  be denied. &he use o! o! discretionar" access control control needs to be closel" supervised to prevent prevent securit"  breaches because o! its liberal liberal use. -. 3ne purpose purpose o! a database database s"stem s"stem is the the eas" sharing sharing o! data. data. 8ut this this ease o! sharing sharing can can also  /eopardize securit". securit". Discuss at least least three !orms o! access control control designed to reduce this this ris. ANS: an" t"pes o! access control are possible. A user view is view is a subset o! a database that limits a user #s vie$G or access to the database. &he database authorization table  contains rules that limit $hat a user  can do, i.e., read, insert, modi!", delete. A user-defined procedure adds procedure  adds additional 4ueries to user access to prevent others !rom accessing in a speci!ic user#s place. &o protect the data in a database, man" s"stems use data encryption to encryption  to mae it unreadable b" intruders. A ne$er techni4ue uses  to authenticate users. biometric devices to devices . 6plain 6plain ho$ ho$ the the one5time one5time pass$ord pass$ord approa approach ch $ors. $ors. ANS: Hnder this approach, the user#s pass$ord changes continuousl". &o access the operating s"stem, the user must provide both a secret reusable personal identi!ication number >=IN? and the current one5time onl" pass$ord !or that point in time. 3ne technolog" emplo"s a credit5card5sized device >smart card? that contains a microprocessor programmed $ith an algorithm that generates, and visuall" displa"s, a ne$ and uni4ue pass$ord ever" ever " * seconds. &he card $ors in con/unction $ith special authentication so!t$are located on a main!rame host or net$or server computer. At an" point in time both the smart card and the net$or so!t$are are generating the same pass$ord !or the same user. &o access access the net$or, the user enters the =IN ! ollo$ed b" the current pass$ord displa"ed on the card. &he  pass$ord can be used one one time onl". onl". 0. Net$or communication communication poses poses some special special t"pes o! ris !or !or a business. business. hat are the t$o broad areas o! concern; 6plain. ANS: &$o &$o general t"pes t "pes o! ris eist $hen net$ors communicate $ith each otherriss !rom subversive threats and riss !rom e4uipment !ailure.

Subversive threats include interception o! in!ormation transmitted bet$een sender and receiver, computer hacers gaining unauthorized access to the organization#s net$or, net$or, and denial5o!5service attacs !rom remote locations on the Internet. ethods !or controlling these riss include !ire$alls, encr"ption, digital signatures, digital certi!icates, message transaction logs, and call5bac devices. 64uipment !ailure can be the result o! line errors. &he problems can be minimized $ith the help o! echo checs, parit" checs, and good bacup control. 1. hat is is 6DI;