Microcomputer Security: Audit Problems and Solutions

Frederick Gallegos and Daniel Basica

Journal of Accounting and EDP, Winter 1986

The use of micros in business is increasing at an astounding rate as managers, clerks, and office workers enter the [...]. Many tasks that were considered too small to automate on the company mainframe are now done with micros. But with computing power at everyone's fingertips, auditors and management must deal with the risks and exposures of micro use.

The security problems involved with micros are many, but management has audit methods and tools available to solve them. The first step is to identify audit problems, after which auditors and management must implement the necessary countermeasures.

Audit problems with micros

Micros are vulnerable to risks of three major types:

- Physical security of hardware
- Physical security of data and software
- Data integrity

To establish a secure micro environment, planners must address each of these problem types with the appropriate strategies and equipment.

Physical security of hardware

Although micros pose unique hardware security problems, their solutions are relatively simple, requiring little more than good business sense.

Theft. Micros represent a large investment in small, often portable, packages that are easy to steal. Modular design adds further risks; for example, a half-height disk drive module can be hidden in a briefcase. Many micros have removable circuit cards and memory chips that could disappear just as easily. Employees may steal micro components because they have similar [...] at home and want compatible equipment.

A micro used at a single [...] can be secured to the workstation or locked in a cabinet specifically designed to house a micro. Also available are rolling, lockable cabinets that allow the unit to be used in different areas. Although these measures do not eliminate the possibility of theft, they do reduce risk. A small investment in theft deterrence often provides adequate protection.

Damage. Portable micros must be monitored closely because they are most often used away from the office. Users of such equipment should be instructed in its proper care. Problems can stem from heat, vibration, or shock. Heat damage, for example, can occur if a micro is stored in the trunk of a car on a hot day. Some computers have a routine that must be followed before they can be relocated. This routine usually involves moving the read/write head on the fixed disk drive to an unused portion of the disk or locking it so that it cannot damage the fixed disk drive or delete data.

Another problem with micros is their vulnerability to fluctuations in line voltage. Power surges can cause equipment failure as well as data loss. This problem can be remedied through the use of a surge protector, which filters the voltage. The micro is plugged into the surge protector, which is then plugged into an AC wall outlet. Most of these devices are inexpensive and effective.

Eating, drinking, or smoking near a micro can cause damage as well. Food and beverages are obvious hazards, but problems caused by cigarette smoke are not as well known. Diskette drives are especially vulnerable to damage from smoke because the space between the read/write head and the disk surface is much smaller than a smoke particle. A smoke particle lodged between the drive head and the disk could ruin both. Some users who have smoked near computers have never experienced problems, but the fact remains that smoke can be damaging. Eating, drinking, and smoking are prohibited in most mainframe facilities; the same rule should be in effect for micro installations.

Physical security of data and software

The physical security of company data and software programs is often overlooked, yet diskettes packed with confidential information could be carried out of the office by an employee without detection. Micros are popular in departments that perform confidential operations, and, in the wrong hands, a confidential diskette could do great damage. Company-designed models are also likely candidates for theft. The risk increases when micros are networked or connected to the company mainframe.

Many firms implement extensive security measures to protect their mainframe computers and data, but relatively few safeguard their micros with similar controls. Practices that are widespread in micro use (e.g., disks with no password protection, diskettes left on desktops, diskettes without proper labeling, and applications software stored in unlocked cabinets) would not be tolerated in a mainframe environment.

Some common sense must be applied when micros are used to process critical or confidential data. Diskettes containing such data should be kept in locked drawers or in a safe, depending on the sensitivity of the data. In addition, various types of data security software are available for micros, including password protection, encryption/decryption schemes, and copy protection programs.

Password protection. Data files and programs can be shielded from unauthorized users by password protection software. Software features include password schemes for single-user or multiuser stations, multiple password levels, and audit trails. Audit trails record such data as user ID, files used, duration of use, types of transactions performed, and denied accesses. Password protection is not as critical for diskettes because they can be physically secured, but if the system includes a fixed disk, password protection software is highly desirable.

Data encryption/decryption. This type of program scrambles data into meaningless characters and symbols. A key must be used to restore encrypted code to a form readable by human beings or by other programs. Some packages use a federally approved standard while others use their own methods. Although encryption software prevents data from being read, encrypted data can still be destroyed or copied.

Copy protection. Copy protection programs prevent data files and applications software from being copied. Many different schemes are used, and some are harder to crack than others. Some vendors market packages that reputedly bypass copy protection schemes;


nevertheless, copy protection programs reduce the likelihood that data will be copied. Copy protection software is not appropriate for use on system software, however, because the copy protection feature could interfere with backup procedures.

Many commercially available software programs are protected by some type of copy protection scheme to prevent users from making illegal copies. Purchased software programs for micros are protected by copyright laws, and they include documentation defining the legal uses and backup procedures to be followed. Buyers should read the documentation supplied with the software to determine their legal rights and obligations. In many cases, programs are intended for use on one machine only; purchasers cannot legally make copies and use them on several machines.

Software development companies have recently filed successful lawsuits against firms that have made multiple copies of programs. In one case, management was unaware that lower-level employees were making copies for themselves. Management must verify that purchased software is used according to the legal documentation provided by the manufacturer.

Local area networks. When micros are connected by means of a local area network (LAN), the security risk increases, and proper data security measures must be taken. At a minimum, password protection and an audit trail are necessary to maintain the privacy of confidential files and records. In addition, the LAN should support concurrent processing and the locking of various levels of files and records.

Micro-mainframe link. Linking a micro to the company mainframe can be both rewarding and devastating. When a terminal is connected to the host, data can be viewed only on the screen, but a micro equipped with the proper software and hardware can tie into the mainframe, find the desired information, and download that data to a diskette or fixed disk. Users can then do whatever they wish with the data after logging off the host. Thus, anyone with access to a properly equipped micro can obtain mainframe data unless extensive security measures are taken.

If a micro is linked to a mainframe, extra security steps should be taken to restrict and control access. A common method of connecting a micro to a mainframe is to use a modem to dial the host. A callback device can be installed on the host that receives the incoming call from the modem, breaks the connection, and then calls the modem back at a predetermined number. Although this prevents outsiders from dialing into the host, the host is still vulnerable to data theft from inside the organization. Another problem can result with a callback device: most of the communications software packages permit preprogrammed dial-up number and password sequences, and if these sequences are not secured properly, anyone using the micro can call up the communications program, which will automatically dial the host and supply the necessary passwords.

The importance of adequate security regarding a micro-mainframe link cannot be overstated. Security controls placed on the mainframe are useless if micro access is not properly regulated.

Data integrity

Assuming that data is physically secure, how can one be sure that it is current, accurate, and complete? A major problem with regulating micros is that in many cases one person is the programmer, systems analyst, and end user. The typical separation of duties in mainframe systems development does not exist in the world of micros. Moreover, many users are not experienced computer operators.

Data compatibility. To provide the most effective control of data with micros, a company should decide on a standard hardware and software configuration. For example, the data produced on the accounting department's Apple III with a [...] program is not very useful to the IBM PC running Lotus 1-2-3 in finance. A planning committee should define organizational requirements and then choose the appropriate hardware and software. Neglecting to do so results in repetitive data keyed into each of the incompatible programs.

Data backup. Many micro users realize the importance of data backup only after disaster has struck. Data files should be backed up every time the file is used. It is best to keep at least three "generations" of data: grandparent, parent, and child. In the unlikely event that the parent and child are destroyed, the most recent sets of transactions could be reapplied to the grandparent. Ideally, each generation should be kept in a different location. It is also advisable to retain all transaction documents in case a file must be rebuilt. Each generation should be labeled clearly in order to avoid using obsolete data to process current transactions.

New users should be instructed to save their work at frequent intervals as a safeguard against power or equipment failure. The effort required to save a file every 20 to 30 minutes is a small price to pay to avoid the frustration of losing an entire afternoon's work.

Program backup. Purchased software programs should be backed up when they are received. As discussed earlier, these programs supply documentation outlining the buyer's rights and obligations, as well as backup procedures. In many cases the software company will provide a backup copy for a nominal fee; the copy should be stored in a safe place. User-written programs should be backed up when completed, and a new backup copy should be made when any modifications take place. Any modification to a program must include updating the documentation.

Computer models and user-written programs. End-user programming can lead to data errors that are difficult to detect. For example, a user may design an excellent spreadsheet model, but incomplete testing could result in a program that works only part of the time. Unaware of the problem, everyone concerned would assume that the data from the spreadsheet program was correct. More than one firm has made major decisions based on incorrect micro data.

User-written micro programs must be designed with the same care as those of mainframe systems. Each program must be thoroughly tested before it is used and should be accompanied by complete documentation, including:

- All assumptions of the program
- A program listing
- Sample transactions
- A narrative description

Programs should be audited periodically to verify correctness of data. When a program is modified, it must be retested and the documentation updated.

Many micro programs are written in an interpreted version of BASIC. This can be dangerous because anyone using the program could modify it. It is much safer to use a compiled version of the program and remove the source code from the system. In addition, a compiled program can be executed more quickly than an interpreted one. The benefits derived from a compiler easily outweigh the cost of purchasing one.

Use of current data. All data and program disks must be labeled clearly to avoid using old data or a superseded version of a program. Care must be taken when generations of backups are used so that only the most recent data is used. Old tax tables or outdated inventory pricing can cause costly errors.

Auditing tools. The micro market is growing much faster than audit tools for micros are being developed. Currently, few audit packages are available. Most of the software being written for micros is geared to mass marketing, and audit utilities offer only a small vertical market.
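The three-generation rotation and the rebuild described under Data backup, as an added example that is not code from the article: a ledger file is posted period by period and backed up after every use, and when parent and child are lost it is reconstructed by reapplying the retained transaction documents to the grandparent. The ledger contents, period numbers and the BackupSet class are constructed for illustration.

```python
# Added example, not from the article: grandparent/parent/child backup rotation
# with recovery by reapplying retained transaction documents. All data constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

Ledger = dict[str, int]        # account -> balance (the "data file")
Batch = list[tuple[str, int]]  # one period's transaction documents


def apply_batch(ledger: Ledger, batch: Batch) -> Ledger:
    """Post one period's transactions to a copy of the ledger."""
    out = dict(ledger)
    for account, amount in batch:
        out[account] = out.get(account, 0) + amount
    return out


@dataclass
class Generation:
    label: str     # clear label: avoids processing with obsolete data
    period: int    # last period posted in this snapshot
    ledger: Ledger


@dataclass
class BackupSet:
    """Three generations of the file plus the retained transaction documents."""
    grandparent: Optional[Generation] = None
    parent: Optional[Generation] = None
    child: Optional[Generation] = None
    documents: dict[int, Batch] = field(default_factory=dict)

    def post_period(self, period: int, batch: Batch) -> Generation:
        """Use the file, then back it up: child -> parent -> grandparent."""
        base = self.child.ledger if self.child else {}
        self.documents[period] = list(batch)      # retain for a possible rebuild
        self.grandparent, self.parent = self.parent, self.child
        self.child = Generation(f"period-{period}", period, apply_batch(base, batch))
        return self.child

    def most_recent_surviving(self) -> Generation:
        """Newest copy still on hand; the one a rebuild should start from."""
        for gen in (self.child, self.parent, self.grandparent):
            if gen is not None:
                return gen
        raise RuntimeError("all three generations lost")

    def rebuild(self, surviving: Generation, through: int) -> Generation:
        """Reapply retained documents, oldest first, to an older generation."""
        ledger = surviving.ledger
        for period in range(surviving.period + 1, through + 1):
            if period not in self.documents:
                raise LookupError(f"no transaction documents for period {period}")
            ledger = apply_batch(ledger, self.documents[period])
        return Generation(f"period-{through}", through, ledger)


def demo() -> tuple[Ledger, Ledger]:
    """Constructed scenario: three periods posted, then parent and child lost."""
    bs = BackupSet()
    bs.post_period(1, [("cash", 1000), ("ar", 250)])
    bs.post_period(2, [("cash", -300), ("ar", 100)])
    bs.post_period(3, [("cash", 50), ("inventory", 400)])
    before_loss = dict(bs.child.ledger)
    bs.parent = bs.child = None               # parent and child are destroyed
    rebuilt = bs.rebuild(bs.most_recent_surviving(), through=3)
    return before_loss, rebuilt.ledger
```

The rebuild refuses to proceed when a period's documents are missing, which is why the article advises retaining all transaction documents.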
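The audit trail described under Password protection (user ID, files used, duration of use, types of transactions performed, and denied accesses), as an added example that is not part of the article: a small recorder plus the summaries an auditor would pull from it. The record layout, the sample records and the assumed 08:00 to 18:00 business day are constructed.

```python
# Added example, not from the article: the audit trail a password-protection
# package keeps (user ID, file, duration, transaction type, denied access)
# and the summaries an auditor would review. All records are constructed.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditRecord:
    user_id: str
    file_name: str
    started: datetime
    duration: timedelta
    transaction: str   # "read", "update", "delete", "copy", ...
    denied: bool       # True when the user's password level was insufficient


class AuditTrail:
    """Append-only: reviewers read summaries; nothing here edits or deletes."""

    def __init__(self) -> None:
        self._records: list[AuditRecord] = []

    def record(self, rec: AuditRecord) -> None:
        self._records.append(rec)

    def denied_by_user(self) -> dict[str, int]:
        """Denied accesses per user; repeated denials merit follow-up."""
        counts: dict[str, int] = defaultdict(int)
        for r in self._records:
            if r.denied:
                counts[r.user_id] += 1
        return dict(counts)

    def files_used(self, user_id: str) -> set[str]:
        """Files a user actually got into (denied attempts excluded)."""
        return {r.file_name for r in self._records
                if r.user_id == user_id and not r.denied}

    def usage_minutes(self, user_id: str) -> int:
        total = sum((r.duration for r in self._records if r.user_id == user_id),
                    timedelta())
        return int(total.total_seconds() // 60)

    def outside_hours(self, start: int = 8, end: int = 18) -> list[AuditRecord]:
        """Use outside the assumed business day, for reviewer attention."""
        return [r for r in self._records if not start <= r.started.hour < end]


def sample_trail() -> AuditTrail:
    """Constructed records, not data from any real system."""
    day = datetime(1986, 1, 14, 9, 0)       # 09:00 on an arbitrary workday
    trail = AuditTrail()
    rows = [  # user, file, hours after 09:00, minutes used, transaction, denied
        ("clerk1", "PAYROLL.DAT", 0, 30, "read", False),
        ("clerk1", "PAYROLL.DAT", 1, 5, "update", True),
        ("clerk1", "PAYROLL.DAT", 2, 5, "update", True),
        ("mgr", "PAYROLL.DAT", 3, 20, "update", False),
        ("clerk2", "AR.DAT", 14, 45, "copy", False),   # 23:00: after hours
    ]
    for user, fname, hrs, mins, tx, denied in rows:
        trail.record(AuditRecord(user, fname, day + timedelta(hours=hrs),
                                 timedelta(minutes=mins), tx, denied))
    return trail
```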

Recently, however, some programs have been written that aid in auditing the formulas in spreadsheet models. Two of these programs are Micro Decision Systems' Docucalc and Consumer Software Inc's Spreadsheet Auditor, written for the Apple and IBM Personal Computer, respectively.

For the most part, auditors must make use of the programming tools that are currently available, including cross-reference, file recovery, disk exploration, sort/merge, file dump, and other utilities. Fourth-generation languages, statistical packages, and report writer programs can also be helpful to auditors. Micro versions of some mainframe programs, such as SPSS, FOCUS, and SPF, are available; auditors familiar with the mainframe versions can use the micro versions with little or no training. Some ambitious EDP auditors have even written their own programs or extension commands to operating systems to fill the void until more software is available.

Conclusion

Ready or not, auditors and managers must provide security measures as micros continue to move into the office. Careful planning and control of micros can lead to increased productivity and better business decisions.

The accompanying box contains a partial listing of software and hardware available for micros. Obviously, this list should not be considered comprehensive because new products are constantly being released.

Frederick Gallegos is manager, Management Science Group, U.S. General Accounting Office, at its Los Angeles regional office. He is also a trustee for the EDP Auditors Foundation for Education and Research. He earned his bachelor's degree in data processing and his master's from California State Polytechnic University, Pomona.

Daniel Basica is a microcomputer support analyst for Denny's Inc, La Mirada CA. He earned his BS in computer information systems, specializing in accounting and auditing, at California State Polytechnic University, Pomona.

Box: Partial listing of software and hardware available for micros

Physical security devices
- Switch Security: protects the computer's on/off switch; locks the micro cabinet and power switch, no drilling required (SE-KURE Controls Inc)
- Uninterruptible power supply: supplies continuous power in case of power failure (Qualtec Data Products Inc)
- Locking cabinet for a micro, with wheels for portability (Smartware Inc)
- AC surge protector: filters voltage peaks from AC current, EMI/RFI filtering, 6 plugs (Black Box Catalog)
- Computer Security Alarm: motion detection device sets off an alarm if the computer is moved (Smartware Inc)
- Datashield Power Source, Model 200: provides 30 minutes of power (Jameco Electronics)
- Surge protector: 6 outlets, eliminates voltage spikes

Access security
- Port access controllers with user access codes, expandable in ports and codes (International Mobile Machines Inc; Lee Mah Inc)
- Security units with access codes, modem included (Western Datacom; TIM Inc)
- Single-port unit with one access code shared by all users (International Anasazi Inc)

Data encryption
- DATA-LOK: protects single files or groups of files, uses the FIPS 46 standard, MS-DOS (Qualtec Data Products Inc)
- PC Privacy: available for IBM PC MS-DOS, CP/M-80, and Apple DOS 3.3 (MCTel)
- IRE Scrambler, Model SC-12: 1,200 bps (Industrial Resource Engineering Inc)
- Encrypt-It: communications package and IBM PC expansion board, can be used for electronic mail (TLC Inc)
- Watchdog: menu driven, partitioning of data, for the PC and PC XT (Fischer-Innis Systems Inc)
- Public Key Encryption: for disks or data transmission, selectable levels of security (Datamorphics Ltd)

Copy protection
- Multilayered security: works on the IBM PC and PC XT, TRS-80, Apple, and Commodore (Microcomputer Applications)
- Padlock and Padlock II: protect against DOS commands; diskettes come protected with a "fingerprint" and serialization (Glenco Engineering)

Backup
- Tape backup, other configurations available (Sysgen Inc)
- Tallgrass Hardfile: 5MB to 70MB with built-in tape system, backs up the entire drive or individual files (Tallgrass Technologies Corp)

Programming languages
- Microsoft FORTRAN: MS-DOS, based on the 1977 standard, supports the 8087 coprocessor (Microsoft Corp)
- C compiler for MS-DOS machines, implements most Unix-compatible functions (Microsoft Corp)
- BASIC compiler for CP/M, MP/M, PC DOS, and MS-DOS; generates native machine language object code, includes SORT and CHAIN (mbp Software and Systems Technology Inc)
- C compiler: needs 2 drives and 96K, outputs relocatable 8088/8086 object code (Computer Innovations Inc)

Programming utilities
- SYMD Symbolic Debugger: identifies programming errors, profiling, for PC DOS or MS-DOS 1.1 or 2.0, requires 192K and an 80-column display (D+V Systems)
- Code Smith-86: symbolic debugger, pass points and execution path counters, dump to disk, requires MS-DOS (Visual Age)
- Disk Mechanic: backup, compares and copies sectors, repairs damaged disks, alters "hidden" status, recovers "erased" files; requires an IBM PC or COMPAQ with 192K, DOS 1.1, and 2 drives (MLI Microsystems)
- Cross-reference utility: use on ASCII or binary files, produces an alphabetic listing of variables and line numbers, indicates arrays; requires an IBM PC, 64K, and 1 drive (Ensign Software)

PC versions of mainframe software
- SPSS/PC: features and language compatible with mainframe SPSS, transfers files to and from the mainframe
- SPF/PC: works like the TSO/SPF editor on an IBM mainframe; 4-way scrolling, split screen, upload and download (Command Technology Corp)
- Full-screen editor combining features of FSE, SPF, ICCF, and CMS; 240-character records, block commands, DOS utilities
- PC/FOCUS: compatible with mainframe FOCUS

Statistical software
- Statistical package that reads and writes VisiCalc, SuperCalc, Multiplan, dBASE II, and other files; performs regression, correlation, factor analysis, probabilities, and more (The Winchendon Group Inc)

Micro audit tools
- dFLOW: for dBASE II and dBASE III programs, locates coding errors and logic mismatches
- Spreadsheet Auditor: for the IBM PC and PC XT, works with VisiCalc and others, produces a matrix of formulas (Consumer Software Inc)
- The Profiler: allows performance tuning of programs, can select the most used modules for auditing; requires an IBM PC, 64K, and 1 drive (DWB Associates)
- Compare Master: for IBM PC BASIC programs, displays differences between two files in a report (N.F. Systems Ltd)
- DocuCalc: for Apple computers, displays formulas for easy verification (contact dealer for more information)
- Bruiser and Blister: Bruiser removes REM statements from BASIC programs; Blister produces documentation from a source listing (Diversified Data System Inc)