Auditing E-Commerce Web Sites




Using the Internet for E-commerce is not an obscure concept; it is a matter of good business sense. However, if retail organizations ignore the malicious abilities of attackers, they are selling themselves short. There are dozens of Web sites, and an equal number of news groups and chat rooms, dedicated to verifying stolen credit card information so that criminals can use it to commit fraud or sell it to someone else who will commit fraud later.

There are a number of entities involved in online credit card transactions:

  • Credit card holder. The person or organization to which a credit card has been issued.

  • Issuing financial institution. The financial institution that issues the credit card to the credit card holder, also known as the "issuer."

  • Acquiring financial institution. This institution contracts with merchants to accept and process their credit card transactions. It is possible for acquirers to contract with third-party processors to provide these services. Acquiring financial institutions are also known as "merchant banks" and the organizations' accounts are known as "merchant accounts."

  • Payment gateway. This is a service allowing an E-commerce merchant to connect to the acquirer or its merchant processor to complete a credit card transaction in real-time.

  • Service provider. Includes any third-party support entity, e.g., shopping carts, Web servers, payment processors, fulfillment houses, etc. This term is also used to describe a payment gateway alliance.

Of course, online credit card transactions not only include the entities above, but they also include three essential processing actions:

  1. Authorization. This action takes place at the time a credit card transaction occurs. It is the process by which an issuer approves, or declines, a credit card transaction.

  2. Authentication. This process involves the verification of the cardholder and the credit card. At the time of authorization, the E-commerce merchant should use fraud prevention controls and tools to validate the credit cardholder's identity and the credit card being used to make a purchase.

  3. Settlement. When a product has been purchased by a cardholder, the E-commerce merchant can initiate the settlement of a transaction through an acquirer and initiate the transfer of funds from the issuer to the merchant account.

This is an example of a real-time processing for an online credit card transaction. It is not as complicated as many people think. Processing events may vary slightly depending on the acquirer relationship, business requirements, and systems used, but they generally follow the credit card authorization process:

  • The cardholder orders items from an E-commerce merchant by entering the credit card number, identifying information, and any shipping information.

  • The information is transmitted through the Internet to the merchant server. The payment gateway receives the information from the merchant server; the information is formatted and transmitted to the acquirer.

  • The acquirer electronically sends the authorization to the issuer, who approves or declines the transaction.

Credit Card Authentication

It is the responsibility of the E-commerce merchant to apply tools and controls in verifying the cardholder's identity and validity of the transaction and avoid fraud. These are a few generally accepted tools and controls in avoiding fraud:

  • Address Verification Service (AVS). This service allows the E-commerce merchant to check a cardholder's billing address with the issuer. AVS provides online merchants with a key indicator verifying whether the transaction is valid or not.

  • Credit Card Verification Value 2 (CVV2). This is a three-digit number printed on the signature panel of the credit card that helps validate that a customer has a genuine card in her possession and that the credit card account is valid. CVV2 numbers are present on most major credit cards.

  • Advanced fraud screens. These fraud-detection services examine the transactions generated by online E-commerce sites. They calculate in real time the level of risk associated with each transaction and provide the merchant with risk scores. These scores permit merchants to identify potentially fraudulent orders and behavior patterns.

Settlement

This process is the operation by which money flows from the issuer to the acquirer. Once the goods or services have been delivered, the E-commerce merchant captures and batches the related transactions for settlement. The batch is electronically submitted to the various acquirers for processing.

The acquirer electronically submits the transaction to the issuer for payment. The issuer transmits the payment to the acquirer, who credits the E-commerce merchant's account.

Chargeback Issues

With literally millions of credit card transactions, it is inevitable that there will be chargebacks. Chargebacks are transactions that are returned to the acquirer, to the issuer, then to the merchant. There are many reasons for chargebacks:

  • Customer disputed transactions

  • Fraud

  • Authorization issues

  • Inaccurate or incomplete transaction information

  • Transaction processing errors

The majority of chargebacks are initiated when the cardholder reviews her bank statement and notifies the issuer that there is a problem with a transaction. When this happens, the issuer usually requests an explanation of the problem from the cardholder. If the issuer determines there is a basis for a chargeback, then the matter is referred to the acquirer, who debits the merchant's account. It is generally the responsibility of the merchant to resolve the chargeback.

Audit Program Items

E-commerce merchants must take all possible steps to reduce and treat risk. Auditors can play a significant role in this arena and should include audit program items that tip the scales in the E-commerce merchant's favor.

  • Record all key elements of fraudulent transactions: names, addresses, shipping addresses, e-mail addresses, credit card numbers, and items purchased. Auditors should verify the existence and currency of a database containing this information.

  • Document that all fraud database items are used for comparison before any transactions are processed by the merchant.

  • Establish internal transaction controls to identify high-risk transactions prior to authorization. These controls should include:

    • Setting review limits based on the number and dollar amount of transactions approved within a specified number of days. Adjust these limits to fit prior cardholder purchasing patterns.

    • Setting review limits based on a single transaction amount.

    • Ensuring that velocity limits (the frequency with which a credit card number and its associated information are submitted) are checked across multiple characteristics, including shipping address, telephone number, and e-mail address. The term "velocity" in this context is the frequency with which a credit card is used at an E-commerce Web site. It can also mean the number of credit cards submitted from a single IP address within a given time period. Is there a mechanism prescribed by policy that requires contact with customers who exceed these control limits, in an effort to determine whether the cardholder's activity is authorized and legitimate?

  • Does the Web server interface require the cardholder to input the card type, e.g., MasterCard, American Express, etc.? Does it also require the customer to input the card number and CVV2? Does the merchant's Web site verify that the card type and the numerical sequence identifying the card type coincide?

  • Does the merchant's Web site require the cardholder to enter the card's expiration date and is there a mechanism to verify that the credit card number, name imprinted on it, and the expiration date coincide?

  • Does the merchant's Web site require a customer to enter a legitimate e-mail address?

  • Does the merchant's Web site require a customer to enter a legitimate CVV2 number and are these numbers verified with the credit card's other pertinent information?

  • Has the merchant implemented AVS verification?
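As an added example (not code from the book), here is a check of the card fields the items above ask about: card type against number prefix and length, Luhn check digit, CVV2 length, and expiration date. The prefix table, number lengths and CVV2 lengths are assumptions for the example rather than an authoritative issuer list, and the card numbers used are the well-known industry test values, not real accounts.

```python
# Added example, not from the book: field-level checks a merchant's Web
# server should perform before a card is sent for authorization. The issuer
# prefix table and CVV2 lengths below are assumptions for this example; a
# production system takes its IIN ranges from the acquirer or payment gateway.
from datetime import date

CARD_RULES = {
    "Visa":             {"prefixes": ("4",),                         "lengths": (13, 16), "cvv2_len": 3},
    "MasterCard":       {"prefixes": ("51", "52", "53", "54", "55"), "lengths": (16,),    "cvv2_len": 3},
    "American Express": {"prefixes": ("34", "37"),                   "lengths": (15,),    "cvv2_len": 4},
}


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check-digit test.

    Every second digit from the right is doubled (subtracting 9 when the
    result exceeds 9); the total must be a multiple of ten.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_type_matches(card_type: str, number: str) -> bool:
    """Does the customer-selected card type agree with the number's prefix and length?"""
    rules = CARD_RULES.get(card_type)
    return bool(rules) and number.startswith(rules["prefixes"]) and len(number) in rules["lengths"]


def expiry_valid(exp_month: int, exp_year: int, today: date) -> bool:
    """A card is good through the last day of its expiry month."""
    return 1 <= exp_month <= 12 and (exp_year, exp_month) >= (today.year, today.month)


def screen_card(card_type, number, cvv2, exp_month, exp_year, today=None):
    """Return the list of problems found; an empty list means the fields are
    mutually consistent and the order may proceed to authorization."""
    today = today or date.today()
    number = number.replace(" ", "").replace("-", "")
    if not number.isdigit():
        return ["card number is not numeric"]
    problems = []
    if not luhn_valid(number):
        problems.append("luhn check failed")
    if not card_type_matches(card_type, number):
        problems.append("card type does not match number prefix or length")
    rules = CARD_RULES.get(card_type)
    if rules and not (cvv2.isdigit() and len(cvv2) == rules["cvv2_len"]):
        problems.append("CVV2 length wrong for card type")
    if not expiry_valid(exp_month, exp_year, today):
        problems.append("card expired or expiry date invalid")
    return problems


if __name__ == "__main__":
    # Constructed inputs: industry test numbers, not real accounts.
    print(screen_card("Visa", "4111 1111 1111 1111", "123", 12, 2099))             # []
    print(screen_card("MasterCard", "4111111111111111", "123", 12, 2099))          # type mismatch
    print(screen_card("American Express", "378282246310005", "123", 1, 2000))      # CVV2 length, expired
```

The point of the checks is that the card type, number, CVV2 and expiry are verified against each other locally, before the number ever leaves the merchant for authorization, so obviously inconsistent data is rejected without an authorization attempt.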

Implementing Fraud Screening to Identify High-Risk Transactions

In the E-commerce world, the greatest risk is that of fraud committed by customers. There are a variety of tools and techniques that will help identify and deal with online fraud.

  • Implement fraud screening tools to identify high-risk credit card transactions. Screening can flag:

    • Transactions that match credit card data stored in the organization's internal negative files.

    • Transactions that exceed velocity limits and internal controls.

    • Persons, potential credit card attackers, who are submitting Authorize-Only transactions that are never captured or settled.

    • Persons, potential credit card attackers, who are submitting transactions of low amounts, less than $5, to a Web site in an attempt merely to verify the credit card number and the cardholder's information.

    • Transactions for which an AVS mismatch has been reported.

  • Develop and implement an effective manual transaction review procedure to investigate high-risk credit card transactions. The purpose of this activity is to significantly reduce online fraud as a percentage of revenue, thereby minimizing the impact on legitimate sales.

  • Treat anonymous e-mail addresses as high-risk. It is important to note that many online merchants have discovered that anonymous e-mail addresses have a substantially higher fraud rate than e-mail accounts with well-known Internet Service Providers. Organizations should take more steps requiring these types of e-mail addresses to pass additional verification requirements before permitting them to transact online credit card business.

  • Identify and screen high-risk shipping addresses. Fraud can be reduced by comparing the client's shipping address to high-risk shipping in third-party databases and in the organization's own negative files. Of particular note is the shipping address located in a different mail-code than the billing address's mail-code. Particular attention should be paid to mail drops, prisons (of particular note in a prison address is the inclusion of the inmate number), hospitals, and addresses of known fraudulent activity.

  • Organizations should develop and implement policies and procedures addressing shipping addresses different from the billing address.

  • Organizations should treat addresses outside the merchant's country as high-risk. Transactions involving cards issued outside the merchant's country of origin and having foreign shipping and billing addresses should be regarded as high-risk. Organizations must be aware that AVS will likely not be useful in such cases. Organizations should require higher transaction scrutiny and customer verification for international online transactions. Controls should be enforced regarding transaction velocity thresholds for these transactions. Internal policies and procedures must address cases where no third-party AVS is available, where billing and shipping addresses differ, and where the client uses an anonymous e-mail address.

  • Organizations must assess risks based on the purchase of merchandise that is easily remarketed, for example electronic products or jewelry.

  • Organizations should have a policy regarding contacting the credit card issuer to confirm cardholder's information prior to shipping goods related to a high-risk transaction.
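The screening rules above, combined into one pre-authorization scoring function, as an added example that is not the book's code. The Order and NegativeFile structures, the weights, the 24-hour velocity window, the review threshold, the AVS response codes and the anonymous-domain list are all assumptions made for the example; the orders it runs over are constructed, not real traffic.

```python
# Added example, not from the book: a pre-authorization risk screen that
# applies the controls listed above to one incoming order and returns a
# score plus the reasons behind it. The weights, the 24-hour velocity window,
# the review threshold and the anonymous-domain list are assumptions for
# this example, not figures given in the text.
from dataclasses import dataclass
from datetime import datetime, timedelta

MERCHANT_COUNTRY = "US"
REVIEW_THRESHOLD = 50                 # at or above this, the order goes to manual review
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3                    # approvals per card inside the window before review
ANON_DOMAINS = {"example-freemail.test"}   # constructed; a merchant maintains its own list


@dataclass
class Order:
    order_id: str
    ts: datetime
    card_token: str   # tokenised card reference; the PAN itself never belongs in a risk log
    email: str
    ip: str
    bill_country: str
    bill_zip: str
    ship_country: str
    ship_zip: str
    amount: float
    avs_result: str   # "Y" match, "N" mismatch, "U" unavailable (assumed response codes)


@dataclass
class NegativeFile:
    """The merchant's own record of data seen in earlier fraudulent orders."""
    cards: set
    emails: set
    ship_zips: set    # mail codes with known fraudulent activity


def screen_order(order, history, negative):
    """Return (score, reasons); `history` holds earlier approved orders."""
    score, reasons = 0, []

    def flag(weight, why):
        nonlocal score
        score += weight
        reasons.append(why)

    if order.card_token in negative.cards or order.email.lower() in negative.emails:
        flag(100, "negative file match on card or e-mail")
    if order.ship_zip in negative.ship_zips:
        flag(60, "shipping mail code in negative file")
    recent = [o for o in history
              if o.card_token == order.card_token
              and timedelta(0) <= order.ts - o.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        flag(40, f"velocity: {len(recent)} approvals on this card in the last 24h")
    if order.email.rsplit("@", 1)[-1].lower() in ANON_DOMAINS:
        flag(20, "anonymous e-mail domain")
    if order.ship_zip != order.bill_zip:
        flag(15, "shipping mail code differs from billing mail code")
    if order.bill_country != MERCHANT_COUNTRY or order.ship_country != MERCHANT_COUNTRY:
        flag(25, "international billing or shipping address")
        if order.avs_result == "U":
            flag(15, "AVS unavailable for foreign address")
    if order.avs_result == "N":
        flag(30, "AVS mismatch")
    if order.amount < 5.00:
        flag(25, "low-value transaction, possible card test")
    return score, reasons


def needs_manual_review(order, history, negative):
    return screen_order(order, history, negative)[0] >= REVIEW_THRESHOLD


def sample_data():
    """Constructed orders for the demonstration (not real data)."""
    t0 = datetime(2024, 5, 1, 12, 0)
    negative = NegativeFile(cards={"tok-9f"}, emails={"known.bad@example.test"}, ship_zips={"99999"})
    history = [Order(f"h{i}", t0 - timedelta(hours=i + 1), "tok-a1", "pat@example.test",
                     "203.0.113.5", "US", "10001", "US", "10001", 40.0, "Y") for i in range(3)]
    clean = Order("o1", t0, "tok-b2", "sam@example.test", "198.51.100.7",
                  "US", "10001", "US", "10001", 120.0, "Y")
    risky = Order("o2", t0, "tok-a1", "drop@example-freemail.test", "203.0.113.5",
                  "US", "10001", "US", "99999", 2.00, "N")
    return clean, risky, history, negative


def demo():
    clean, risky, history, negative = sample_data()
    return {"clean": screen_order(clean, history, negative),
            "risky": screen_order(risky, history, negative)}


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print(name, score, reasons)
```

Every reason is recorded alongside the score so the manual review procedure the text calls for can see which control fired, rather than just a number; the negative file match is weighted to force review on its own.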

Signs of Possible Online Credit Card Fraud

These are some of the possible indicators that attackers are attempting to commit fraud at the E-commerce Web site. Organizations need to be mindful of these signs and take appropriate steps to avoid becoming a victim of fraud. Auditors should include these signs as being addressed by the organization's policies and procedures in their audit programs.

  • Multiple credit cards being used from a single IP address. Multiple (more than two) cards are a good indication a fraud scheme is afoot.

  • Orders consisting of several of the same item. Having multiples of the same item increases the fraudster's chances of success.

  • Orders composed of "big-ticket" items with rushed shipping. These are usually items identified as having the maximum resale value, and therefore the greatest profit potential for the criminal, who has little regard for shipping costs.

  • Orders shipped to a single receiving address but purchased on multiple cards. These transactions can also be characteristic of account numbers that were stolen or generated by special software.

  • Multiple transactions on one card or similar cards with a single billing address or a single card with multiple shipping addresses. This activity represents an organized fraudulent activity rather than one individual at work.

If an online transaction is approved by the credit card issuer, the organization should consider sending a confirming e-mail to the customer before completing and sending the order. If the transaction is declined, the organization should have policies and procedures that specify the means by which the organization handles such transaction declinations.

Auditors should review the method by which the company handles declined transactions. Consideration should be given to having customer service employees review online transaction authorizations declined by issuers and obtain corrected information or an alternate payment that allows the organization to safely proceed. These employees must be mindful of transactions containing incorrect card expiration dates, incorrect billing addresses, incorrect name spelling, incorrect mailing addresses, or incorrect CVV2 information. Incorrect information should be retained as part of the organization's negative information database that is used for comparison with future transaction attempts.

Attackers can gain access to a business' online Web site through shopping carts or payment gateway processor systems. Attackers are also very adept at finding security holes in weak or default passwords. With an attacker invading an E-commerce site, it is possible for the attacker to emulate the merchant and begin processing debits and credits without the merchant's knowledge. It is a fraudulent practice for attackers to offset the deposit credits with debits, thereby attempting to avoid detection by deposit-volume monitoring by the true merchant's bank.

Here is a short checklist for merchants to monitor online authorizations and transactions:

  • On a daily basis, organizations must review their transaction logs for Authorize-only transactions and small amount transactions (less than $5). An unusually high number will likely indicate attackers testing the merchant's system.

  • On a daily basis, organizations must review their transactions for an unusually high amount or volume of credits. This could indicate fraud.

  • On a daily basis, organizations must review their transactions for identical transaction amounts.

  • On a daily basis, organizations must review their transactions for multiple transactions from a single IP address.

  • Organizations must thoroughly review their online transactions before they are settled. This affords the opportunity to void potentially fraudulent or erroneous transactions before they are submitted for settlement.

  • All pertinent passwords must be at least ten characters in length, with a combination of special characters, numbers, and capital letters. These passwords must be changed at least every 30 days.

  • All credit card numbers and related cardholder information must be stored on a secure server inside a guarded interior system and away from the DMZ where the Web site is located.
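An added example (not from the book) of the daily log review in the checklist above, run over a constructed day's worth of entries. The $5 small-amount threshold and the "more than two cards from one IP" indicator come from the text; the log layout, the credit-ratio and repeated-amount thresholds, and the hold-before-settlement rule are assumptions made for the example.

```python
# Added example, not from the book: the daily transaction-log review from the
# checklist above, run over a constructed sample of one day's entries. The
# $5 small-amount line and "more than two cards from one IP" come from the
# text; the credit-ratio and repeated-amount thresholds are assumptions.
from collections import Counter, defaultdict

SMALL_AMOUNT = 5.00
MAX_CARDS_PER_IP = 2
CREDIT_RATIO_ALERT = 0.5       # credits above half of captured sales count as "unusually high" (assumption)
IDENTICAL_AMOUNT_ALERT = 3     # the same authorization amount seen this many times (assumption)

# Constructed log. kind is "auth" (authorize-only), "capture" (an earlier auth
# captured for settlement; ref names that auth) or "credit" (refund to a card).
SAMPLE_LOG = [
    {"id": "a1", "kind": "auth",    "card": "tok-11", "ip": "203.0.113.9",  "amount": 1.00,   "ref": None},
    {"id": "a2", "kind": "auth",    "card": "tok-12", "ip": "203.0.113.9",  "amount": 1.00,   "ref": None},
    {"id": "a3", "kind": "auth",    "card": "tok-13", "ip": "203.0.113.9",  "amount": 1.00,   "ref": None},
    {"id": "a4", "kind": "auth",    "card": "tok-14", "ip": "203.0.113.9",  "amount": 75.00,  "ref": None},
    {"id": "c4", "kind": "capture", "card": "tok-14", "ip": "203.0.113.9",  "amount": 75.00,  "ref": "a4"},
    {"id": "a5", "kind": "auth",    "card": "tok-21", "ip": "198.51.100.4", "amount": 89.99,  "ref": None},
    {"id": "c5", "kind": "capture", "card": "tok-21", "ip": "198.51.100.4", "amount": 89.99,  "ref": "a5"},
    {"id": "a6", "kind": "auth",    "card": "tok-31", "ip": "192.0.2.77",   "amount": 250.00, "ref": None},
    {"id": "c6", "kind": "capture", "card": "tok-31", "ip": "192.0.2.77",   "amount": 250.00, "ref": "a6"},
    {"id": "r1", "kind": "credit",  "card": "tok-31", "ip": "192.0.2.77",   "amount": 250.00, "ref": None},
]


def review_batch(log):
    """Apply the daily checks to one day's log and return the findings."""
    auths = [e for e in log if e["kind"] == "auth"]
    captures = [e for e in log if e["kind"] == "capture"]
    credits = [e for e in log if e["kind"] == "credit"]
    captured_refs = {e["ref"] for e in captures}

    findings = {}
    # Authorize-only transactions that were never captured: typical of card testing.
    findings["uncaptured_auths"] = sorted(e["id"] for e in auths if e["id"] not in captured_refs)
    # Small-amount authorizations (under $5).
    findings["small_amounts"] = sorted(e["id"] for e in auths if e["amount"] < SMALL_AMOUNT)

    # More than two distinct cards presented from one IP address.
    cards_by_ip = defaultdict(set)
    for e in auths:
        cards_by_ip[e["ip"]].add(e["card"])
    flagged_ips = sorted(ip for ip, cards in cards_by_ip.items() if len(cards) > MAX_CARDS_PER_IP)
    findings["multi_card_ips"] = flagged_ips

    # Identical transaction amounts repeated across the day.
    amounts = Counter(e["amount"] for e in auths)
    findings["repeated_amounts"] = sorted(a for a, n in amounts.items() if n >= IDENTICAL_AMOUNT_ALERT)

    # Credits large relative to sales: the pattern of debits offset by credits.
    sales = sum(e["amount"] for e in captures)
    refunds = sum(e["amount"] for e in credits)
    findings["credit_ratio_alert"] = refunds > 0 and (sales == 0 or refunds / sales > CREDIT_RATIO_ALERT)

    # Captures from a flagged IP are held so they can be voided before settlement.
    findings["hold_before_settlement"] = sorted(e["id"] for e in captures if e["ip"] in flagged_ips)
    return findings


if __name__ == "__main__":
    for name, value in review_batch(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Running the review before the batch is submitted for settlement is what gives the merchant the chance to void the held captures; the same checks run after settlement only produce chargebacks.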

Auditing Workstations

Auditing workstations is one of the most invasive things an auditor can do to an employee. It must be approached with thoughtful consideration and professional demeanor. Auditors must respect the privacy of employees who are not violating policies and procedures. Good judgment and a mature attitude on the part of the auditors generally go a long way in workstation audits.

The unannounced workstation audit is an activity that must be predicated on legal and sound policies and procedures. If an organization is going to undertake the workstation assessment process, employees must understand and acknowledge that they do not have a reasonable expectation of privacy for any of their activities conducted on the company's systems.

Audit teams must ensure that they have full concurrence and cooperation of senior managers before engaging in these types of audit practices. Prudent audit team managers will make certain that the organization's legal department is regularly consulted to determine if there have been any recent legislative changes affecting employee privacy before beginning workstation audits. Workstation auditing should not be restricted to stationary desktop systems, but should include all mobile devices including laptop, handheld, wireless, and cellular devices used on the job.

Since Microsoft created its first operating system for Intel processors, there has been an increasing market share for their products. As a result of this rapid and ever-increasing expansion, most offices use Microsoft products and mobile environments. Consequently, this section will concentrate on auditing workstations with Windows operating system environments.

First Steps

Begin at the beginning. Workstation audits must include employee work areas.

  • Are there policies and procedures requiring the proper treatment of paper trash? How often does the employee dispose of her trash?

  • Where does the employee print her jobs? Is there waste paper present at the printer?

  • Does the organization have policies and procedures regarding the shredding or burning of trash?

Auditors should take a careful look at the areas surrounding the workstation. Are passwords written and hidden beneath mouse pads or keyboards? What sensitive materials are left unattended on desk areas?

With a physical review of the work area completed, the first step that should be taken by workstation auditors is the process of "unhiding" files. By clicking the My Computer icon, and selecting View and then Folder Options, the auditor may select the tab for View. Within this pane will be a selection for showing all files. Auditors should select this option to reveal any files the users may have hidden.

Experience Note 

An auditor was referred an e-mail for review to determine its compliance with company policy regarding official use. Once received, the auditor opened the e-mail and its obscene attachment in the form of a Microsoft Word document. She started her analysis. She opened the e-mail text in a simple hex editor allowing her to view the hexadecimal coding of the document. She easily located the MAC (Media Access Code) address of the sender. Checking with the inventory control specialist, she located the workstation of the alleged sender. She opened the Word document attachment in a text editor, Notepad, and began looking for the GUID (Globally Unique Identifier). This information is an essential component of Microsoft Word's architecture and is useful in determining the origin of the attachment. After comparing the MAC of the workstation and the GUID, the auditor determined they were the same person, and identified that the attachment had been composed in a copy of Word personally registered to that particular employee. It was composed outside the organization's office space, as all software products are registered in the company's name and not the name of any employee. She began the workstation audit, and located the MAC in the browser cookie file. It was found in a cookie marked, "microsoft.txt." It was the same as the workstation's ethernet card. This went a long way to showing the MAC had not been spoofed. After reviewing obscene attachment text as a final step, the auditor provided a written report to the human resources unit for their action.

Organizing and Searching File Systems

It is important for auditors to be able to organize, search, and display files lodged on media contained within the target workstation or server.

Wilbur

There is a simple, free application known as Wilbur, available at www.redtree.com, that easily accomplishes the task of organizing a disk's files. It is a freeware Windows-based utility that creates an index of the target media: hard drives, floppies, or CDRs. Wilbur will search every file on the target media by the type of file, for example, spreadsheet, word processing, images, html, zipped files, etc. This is very useful if the auditor is looking for images with the extension jpeg or gif. Having an index of image files will provide the auditor with additional insight into the user's Internet browsing practices. This is particularly useful if the auditor is looking for browsing outside the organization's stated policies. This application can also look into the content of files for specific words, displaying the file and the text. Wilbur permits descriptions to contain wild card searches and logical expressions, facilitating the auditor's efforts to find the specific files. Searches can be constrained by combinations of file names, contents, folder names, file size, attributes, and file modification dates (Exhibit 30 and Exhibit 31).

Exhibit 30: Wilbur Configuration

Exhibit 31: Wilbur Options

Little Images

In most cases, reviewing hundreds of images is tedious and somewhat tiresome for auditors. In many cases, large organizations have frequent complaints dealing with employees who engage in unauthorized pornographic Web site browsing. In other cases, employees may be engaged in stealing intellectual property or other sensitive information. Using a simple application known as ThumbsPlus, auditors can create a catalog of image files. ThumbsPlus is available at www.cerious.com. Auditors using this program can select the workstation's drive unit or directory, and the program creates an image catalog displaying all image files. Conscientious auditors can quickly scan the thumbnail images produced and determine if any are offensive.

Unformatting and Undeleting

Many users believe that once the file has been deleted, it is gone forever and cannot be restored to a useable state. Further, users may also believe that once a drive has been reformatted, the information previously contained there is gone. Information may be recovered from deleted files and reformatted disks by using simple utilities. Norton Utilities, currently owned and distributed by Symantec (www.symantec.com), provides applications that will unerase deleted files and unformat media that have been formatted. Norton's is not the only software suite that has these utilities. Auditors can easily locate other suitable programs on the Internet.

It is not practical for auditors to restore all deleted files within the hard drive's multi-gigabyte structure; nevertheless, if auditors identify suspicious files, they have the option of restoring them and possibly recovering their contents. Using unerase and unformat programs is fairly easy, and they are usually well documented in the help file or literature accompanying the program.

Windows Registry Investigations

The Windows Registry is a database containing information about every program installed on the workstation. Wise auditors will not go idly poking around in the workstation's registry without some degree of expertise, as this is one sure way to make the machine completely unusable if you do not know what you are doing. In essence, the registry contains information about the workstation's users and their configuration preferences.

The Windows operating system registry consists of at least two files: System.dat and User.dat. If the workstation has been configured for multiple users, each user will have their own copies of these files in the Windows\Profiles\user name folder. Auditors can boot the workstation into DOS and type scanreg /restore at the DOS prompt to launch the DOS version of the Registry Checker. This will provide a list of existing registry backups and their effective dates. Highlight the backup selected for restoration and follow the prompts after that.

The best way to view the registry is with the editor provided by Microsoft and already found in Windows. If the auditor is reviewing Windows 9X or ME, it is a matter of going to the Run selection from Start and entering regedit. In the case of NT, regedt32 is entered. It is a good idea to create a backup of the registry in the event something goes wrong: while in the Registry menu, select Export Registry File. This will prompt for a file name, and saving the file provides a copy of the Registry.

Operating within the Registry Editor is similar to exploring files in the Windows Explorer. Registry entries are arranged like file system trees. Located on the left side of the window are folders indicated by icons. These are called "keys." Keys contain other keys or values, and values may be of three types: binary, string, or DWORD (double word, 32 bit). If there is a plus (+) sign next to a folder, clicking on it opens other folders and drops down the list of subkeys.

There can be a host of information stored in the Registry; for example, locate the HKEY_CURRENT_USER key, and expand it to find the Software key; expand it, locate the Current Version key, and finally select the DocFindSpecMRU. In the right window pane, you can see the contents of this key. Reviewing the contents of this key will provide the search history of the workstation. This can also be confirmed by reviewing the search terms retained in the file search utility found under Start, Find, Files or Folders. Basically, looking at this Registry entry shows where the workstation users have used the Find function and what their search parameters were. Reviewing the search function will reveal if the user has forgotten where she concealed files in the operating system's file system. For example, Alice is engaged in periodically siphoning money from accounts payable and later makes credit entries that offset these debits. She has concealed a small spreadsheet where she tracks the stolen amounts, being careful not to take too much too frequently. This spreadsheet is hidden within her workstation's file system. After a three-week vacation, she returns to work and has forgotten where she has hidden the spreadsheet. She clicks on the Find function and begins searching for her spreadsheet. By performing this search, her search parameters are logged in the Registry and can be retrieved by others.

The Explorer/RunMRU is another registry key worth reviewing as it contains information about user activities. This window will display the most recent commands launched from the Run function that is accessible from the Start button. The Run history will show those commands entered by the users. This information is also available from the Run function and clicking on the little box to the right of the entry box. This information is useful in determining if users were running unauthorized software or if they were mapping the interior network using utilities found in the Windows operating system such as Ping, Netstat, Tracert, and Nbtstat. These networking routines are used by Windows to perform its networking function, and if used manually, will provide a very good map of the architecture and naming conventions used in the organization's system. Ping is used to verify connections to hosts; Netstat displays protocol statistics and current TCP/IP connections to the workstation; Tracert determines the route taken to a network destination; and Nbtstat displays protocol statistics and current TCP/IP connections using NetBIOS over TCP/IP. Auditors should be mindful there are very few reasons that employees, outside of those having direct system responsibilities, should be routinely using these commands. It is important to note that these network commands may be run from the DOS prompt function within Windows and these commands will not be recorded in the Registry. Employees interested in the organization's system architecture would likely use these commands to discover details in order to facilitate an attack. Auditors should be mindful that an employee using these commands might just be curious about the system. If there are tools present on the workstation or stored elsewhere in the system, they should be located before making any recommendations.

Another Registry area worth an auditor's time is the one that records the URLs entered by the user during Web browsing sessions. Remember that this will only be useful if Microsoft's Internet Explorer is the default Web browser. The pertinent keys are located in the Microsoft Registry under the key named TypedURLs, which also reveals the user's Web browser start page. This key holds a list of all the URLs the user typed into Internet Explorer's Address field. As an auditing tool, this resource is very useful as it provides a partial record of the Web sites visited by the workstation user. The importance of this investigation is that it reveals the user intentionally typed the URL into the Address field to call up the Web page.

The HKEY_LOCAL_MACHINE key records information about the individual workstation and the network. The Network/Logon key contains the last user name used to log onto the network and is a good place to look if the auditor is attempting to correlate the workstation's user with workstation activity.
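As an added example, not from the book: the Registry keys named in this section can be reviewed offline by parsing a Registry Editor export (the Export Registry File step above). The export text below is constructed in the REGEDIT4 format; the RunMRU, TypedURLs and Network\Logon key paths are the ones the text names. The "username" value name under Network\Logon is an assumption, and the parser strips the trailing "\1" that Windows appends to RunMRU entries. The network-tool list is the one the text gives: ping, netstat, tracert and nbtstat.

```python
# Added example, not from the book: extracting the audit-relevant values
# from a Registry Editor export (REGEDIT4 text format) so that the Run
# history, typed URLs and last logon name can be reviewed offline.
# SAMPLE_REG is constructed; the "username" value name is an assumption.
import re

# A .reg export escapes backslashes as "\\" and quotes as "\"", so the
# RunMRU entry `ping 10.0.0.1\1` appears on disk as "ping 10.0.0.1\\1".
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="winword\\1"
"b"="nbtstat -A 192.168.1.10\\1"
"c"="tracert fileserver\\1"
"MRUList"="cba"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example.test/"
"url2"="http://www.example.test/jobs"

[HKEY_LOCAL_MACHINE\Network\Logon]
"username"="alice"
'''

RUNMRU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TYPEDURLS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
LOGON = r"HKEY_LOCAL_MACHINE\Network\Logon"
NETWORK_TOOLS = {"ping", "netstat", "tracert", "nbtstat"}

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg(text):
    """Return {key path: {value name: value}} for the string values in an export.

    Non-string data (hex:, dword:) is kept as written since the keys of
    interest here hold plain strings.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = raw
    return keys


def run_history(keys):
    """Commands from the Run box, most recent first, in MRUList order."""
    values = keys.get(RUNMRU, {})
    commands = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def network_tool_use(commands):
    """The subset of Run commands that invoke the built-in network utilities."""
    return [c for c in commands if c.split() and c.split()[0].lower() in NETWORK_TOOLS]


def typed_urls(keys):
    """URLs typed into the Internet Explorer Address field, in url1, url2, ... order."""
    values = keys.get(TYPEDURLS, {})
    return [values[k] for k in sorted(values, key=lambda k: int(re.sub(r"\D", "", k) or 0))]


def last_logon(keys):
    return keys.get(LOGON, {}).get("username")


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("run history:", run_history(parsed))
    print("network tools:", network_tool_use(run_history(parsed)))
    print("typed URLs:", typed_urls(parsed))
    print("last logon:", last_logon(parsed))
```

As the text notes, commands typed at a DOS prompt rather than the Run box never reach RunMRU, so an empty result here rules nothing out; the export is evidence of what is present, not proof of absence.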

E-Mail Sent by Employees

E-mail is a reasonable place for a workstation audit. It is often the source of insight into the employee's daily activities. It is likely that the organization has a policy relating to employees using only the internal system's e-mail services. In this fashion, e-mail content may be examined for inappropriate use and the possibility that users may be using e-mail to transmit sensitive or intellectual property outside the company.

At times, a suspicious e-mail is the first indication that an employee is outside of organizational policies and might be guilty of other things. Auditors may think of e-mail as the database of the employee and their contacts while on duty. Individual messages are often stored in the folders that were installed as a matter of application default or in the folders the employee created. Auditors should investigate the default folder structure within the e-mail client. Looking at the Sent, Outbox, Drafts, Inbox, and Deleted folders may provide some insight into the employee's e-mail activities.

Auditors should note that just because a workstation has an e-mail client, such as "Eudora" or "Outlook" installed, does not necessarily mean all the e-mail activity of the user is recorded. Web-based e-mail has distinct advantages for employees. By not using the e-mail server of the organization's network, the employee can bypass any backup and recording of e-mail being sent. Employees may transmit and receive e-mail without any concern their traffic is going to be examined later from inside the company.

Web-based e-mail allows users to send, receive, and store e-mail from multiple computers and from a wide variety of locations. Because the e-mail is stored on a server with Internet access, the user is free to conduct her e-mail business from any computer having Internet access.

Interested workstation auditors may wish to access the browser's History file and look for the dates and times the user accessed their Web-based e-mail service. Viewing the History file will provide the URL and date the Web site was visited by the user. Auditors may also wish to look into the browser's Favorites or Bookmarks file where the user may have bookmarked those Web sites she wishes to visit again. Having bookmarked a Web site is a fair indication the user intended to visit it again. Frequently, users will not delete the History file, and auditors will discover that the user has at least visited an Internet e-mail site.

Auditors may wish to visit the Cookies file easily located by the Windows Find function. Often, Cookies are deposited on the user's workstation by Internet e-mail sites to facilitate user recognition and logon. By examining this file, auditors may see if the user has visited Internet e-mail or other sites.

There is another, more subtle reason for using Internet e-mail: an employee may wish to visit Web sites while avoiding the organization's content filter at the interior gateway. By visiting an Internet e-mail site and mailing the URLs of prohibited Web sites to herself, the employee may circumvent content filters located on the interior network. She merely visits the Internet e-mail site, sends herself the URLs of Web sites the company's system would otherwise block, and clicks on them from within the Internet e-mail site. Auditors reviewing Internet activity logs should therefore treat a Web-mail session followed shortly by a visit to a normally blocked site as a pattern worth a closer look.

Looking in all the Right Places

Auditors performing workstation audits should be mindful of the areas that generally retain information providing useful insight into the workstation user's day. Before attempting to perform an audit on the target workstation, auditors should visit the business' Help Desk Unit and inquire about recent requests for assistance made by the users of the workstation they are going to audit. Employees who have requested file transfer software such as an FTP (file transfer protocol) client should have their workstations carefully screened. Unless an employee is engaged in system or Web page development, there is seldom a legitimate reason to have FTP software.

Experience Note 

Auditors suspecting an employee was using unauthorized software performed an audit on her workstation after normal work hours. They did not discover any unauthorized applications on her workstation. However, using the Find feature of Windows, auditors found an interesting file with an odd name ending in ".old". The extension was not conventional, so the auditors examined the file and, from its header and properties, determined that it was actually a Windows program file whose extension should have been exe. Renaming the file with an exe extension and running it launched an FTP client whose saved profile held an Internet IP address and a password. Perusing the transfer log revealed the employee had been transferring proprietary information outside the company, including soon-to-be-released products, suppliers, price lists, and client lists. The employee was subsequently prosecuted and convicted. Additionally, she and her partners were sued for damages, with monies recovered by her former employer. The lesson for auditors is that an extension is a label the user chooses; the file's contents identify what it is.
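The following script illustrates the check the auditors in the note above made by hand: it identifies a file by its leading bytes rather than by its extension. It is an added example, not code from the book. It reads each file's header and tests for the Windows PE layout ("MZ" at offset 0, the e_lfanew DWORD at offset 0x3C pointing at the "PE\0\0" signature), and applies the same idea to GIF and JPEG magic numbers so the same pass can triage a browser's image cache. The sample files it writes to a temporary directory are constructed for illustration; the `demo()` function and the extension lists are the author's assumptions, not a product feature.

```python
"""Flag files whose bytes say 'executable' (or image) but whose extension says otherwise.

Added example, not from the book. Reads each file's header and checks the PE
layout ('MZ' at offset 0, e_lfanew at 0x3C, 'PE\\0\\0' at that offset) plus
the GIF and JPEG magic numbers, then reports extension/content mismatches.
"""
import os
import struct
import tempfile

# Extensions under which executable code is expected (assumed list, extend as needed).
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".com"}
EXPECTED_EXTS = {
    "pe": EXEC_EXTS,
    "mz": EXEC_EXTS,
    "gif": {".gif"},
    "jpeg": {".jpg", ".jpeg"},
}


def sniff(head):
    """Classify a file from its leading bytes; None means 'not a type we track'."""
    if head[:2] == b"MZ" and len(head) >= 0x40:
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        if head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"  # DOS stub without a reachable PE header: still runnable code
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return None


def find_mismatches(root, head_size=65536):
    """Walk root and return (path, detected type) for every extension/content mismatch."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = sniff(fh.read(head_size))
            except OSError:
                continue  # locked or unreadable: record it separately, do not stop the scan
            if kind and os.path.splitext(name)[1].lower() not in EXPECTED_EXTS[kind]:
                hits.append((path, kind))
    return sorted(hits)


def minimal_pe():
    """Constructed stand-in for a PE file: MZ stub, e_lfanew = 0x80, PE signature at 0x80."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    return bytes(stub) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 64


def demo():
    """Write constructed samples to a temp directory, scan it, return flagged base names."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "ftpclient.exe": minimal_pe(),           # correctly named executable
            "notes.old": minimal_pe(),               # executable hiding behind .old
            "logo.gif": b"GIF89a" + b"\x00" * 32,    # correctly named image
            "budget.xls": b"GIF89a" + b"\x00" * 32,  # image hiding behind a spreadsheet name
            "readme.txt": b"just text\n",            # not a tracked type, never flagged
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), kind) for p, kind in find_mismatches(tmp)]


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: contents look like {kind}")
```

Run it against a copy of the user's profile or a mounted image rather than the live workstation, so that reading the files does not disturb their access times. A hit is a lead, not proof: legitimate installers and backup tools also leave renamed binaries behind, so each flagged file still needs to be examined.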


Reviewing the Internet activity logs is another logical place to start the workstation audit. Auditors should coordinate their efforts with appropriate levels of system administrators in obtaining and sorting the employee's Internet activity logs. Auditors should be looking for Web sites that are contrary to organization policy and Web sites that "just don't look right."
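The following script shows the kind of first pass an auditor might run over an exported Internet activity log before reading it line by line, covering both the review described above and the Web-mail filter-bypass pattern described earlier. It is an added example, not code from the book. The log format (date, time, user, URL per line), the Web-mail host list, the blocked-domain suffix and the sample lines are all constructed for illustration; substitute the export format and block list of the organization's own proxy or filter.

```python
"""Triage an Internet activity log: per-week counts of Web-mail and blocked-site
hits, plus the 'Web-mail session followed by a blocked site' pattern.

Added example, not from the book. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed lists; replace with the organization's own.
WEBMAIL_HOSTS = {"mail.yahoo.com", "www.hotmail.com", "hotmail.com", "gmail.com"}
BLOCKED_SUFFIXES = (".casino-example.test",)

# Constructed sample: date time user url, one record per line.
SAMPLE_LOG = """\
2004-03-15 08:02:11 jdoe http://intranet.corp.example/home
2004-03-15 08:15:40 jdoe http://mail.yahoo.com/login
2004-03-15 08:16:05 jdoe http://mail.yahoo.com/inbox
2004-03-15 08:19:30 jdoe http://promo.casino-example.test/bonus
2004-03-22 12:01:02 jdoe https://www.hotmail.com/cgi-bin/hmhome
"""


def parse_log(text):
    """Yield (timestamp, user, url) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, user, url = line.split(None, 3)
        yield datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"), user, url


def classify(url):
    """Return (is_webmail, is_blocked) for a URL, judged on its host name."""
    host = (urlsplit(url).hostname or "").lower()
    webmail = host in WEBMAIL_HOSTS or host.startswith("mail.")
    blocked = host.endswith(BLOCKED_SUFFIXES)
    return webmail, blocked


def triage(text):
    """Count total, Web-mail and blocked hits per (user, ISO week)."""
    summary = defaultdict(lambda: {"total": 0, "webmail": 0, "blocked": 0})
    for when, user, url in parse_log(text):
        key = (user, when.isocalendar()[1])
        webmail, blocked = classify(url)
        summary[key]["total"] += 1
        summary[key]["webmail"] += webmail
        summary[key]["blocked"] += blocked
    return dict(summary)


def webmail_then_blocked(text, window_minutes=5):
    """Pair each blocked-site hit with a Web-mail hit by the same user shortly before it.

    This is the signature of URLs mailed to oneself to get around the content filter.
    """
    events = sorted(parse_log(text))
    pairs = []
    for i, (when, user, url) in enumerate(events):
        if not classify(url)[1]:
            continue
        for prev_when, prev_user, prev_url in reversed(events[:i]):
            if when - prev_when > timedelta(minutes=window_minutes):
                break
            if prev_user == user and classify(prev_url)[0]:
                pairs.append((prev_url, url))
                break
    return pairs


if __name__ == "__main__":
    for (user, week), counts in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user} week {week}: {counts}")
    for mail_url, blocked_url in webmail_then_blocked(SAMPLE_LOG):
        print(f"possible filter bypass: {mail_url} -> {blocked_url}")
```

The pairing window is a judgement call; a few minutes catches the click-through from a mailed link while keeping the false-positive rate manageable. Whatever the counts say, the auditor still reads the flagged URLs themselves, since a host name alone does not establish what the user saw.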

Reviewing the contents of the Windows Recycle Bin will give the auditor an idea of the discarded items no longer wanted by the user. Looking in this folder will often disclose items saved from Web pages as well as other discarded material, and may show whether the user attempted to install unauthorized software. Auditors should also review Add/Remove Programs in the Control Panel, which generally reveals whether the user has installed unauthorized software, keeping in mind that it lists only what was installed through an installer, not programs simply copied onto the disk. If the user is not careful, unresolved hardware device conflicts can reveal attempts to install hardware; reviewing the Device Manager (Control Panel, System) will generally disclose whether the user has installed or attempted to install unauthorized hardware.

Auditors should be mindful that most browsers have a History file containing the Internet browsing history of the user. This file may be located by the Find function of Windows and may be accessed by clicking on one of the entries. Generally, the entries are cataloged by the week they were accessed. For example, there will be headings such as "54 Weeks Ago," indicating that these were the Internet Web sites visited 54 weeks ago from the time of the current date. Because the listed Web sites are identified only by their URLs, it is a wise auditor who takes a representative sample for examination.

Directories that can provide the auditor with valuable information are Temp and Temporary Internet Files. These directories hold items that are meant to be discarded in the future. In the case of Temp, downloaded applications, or the temporary files an application needs for installation, are going to be found here. Users frequently overlook this directory when they delete a program, not realizing a copy was deposited on their hard drive. The Temporary Internet Files directory acts as a depository for a variety of Internet-related items, including downloaded images, Web pages, and cookies. Searching through these items can provide information about the user's Internet browsing habits. Depending on the browser, there may instead be a Cache directory that serves essentially the same purpose as Temp or Temporary Internet Files. Browser cache files may be accessed and reviewed for the same purposes as any other "temp" file.

Most Windows systems retain, in the browser cache, many of the images from visited Web pages. These images can be displayed easily with an application such as ThumbsPlus, or they can be located by their extensions. Auditors may enter gif or jpeg in the Find function of Windows, and the lower pane will list the image files; bear in mind that this finds only files named as images, not images stored under another extension.

Telling the Tale with Cookies

Cookies are text files useful in holding the user's name, password, and other information pertinent to a specific Web site. Sometimes cookies contain custom settings for a given Web site and other data the Web site uses in tracking the user's visit.

From an auditing perspective, cookies record the user's relationship with particular Web sites, as they contain the browser's preferred configuration of the site. For example, they may contain preferences for viewing a Web site without music or with a particular background color. Cookies do not indicate whether the user intentionally went to the Web site; a cookie may equally have been set by an advertisement or an embedded element of another page. They merely indicate that the browser was at the Web site for the cookie to be deposited in the browser's cookie file.

Because cookies are text files, they can easily be viewed in a text editor such as Windows Notepad. When viewed in the Windows pane, the files are named for the user and the site that set them, similar to the following examples: aliceandbob@adlinks[1].txt or alice@yahoo[2].txt. Opened in the text editor, a file contains one or more records, each a short run of lines holding the cookie name, its value, the domain and path that set it, a flags value, and the expiry and creation timestamps, ended by a line containing only an asterisk. The text will therefore look similar to the following example: Uid0oxd823903.0x17d7rr0ads.adlinks.com/0o02375044590230*0. Looking at the text will reveal the visited Web site: adlinks.com.

Beyond the name, value and domain, there is no standard for what a cookie's value contains; each site encodes whatever it likes. It is therefore sometimes difficult to obtain consistently useful information from cookies other than the Web site's domain and the timestamps.

It may be sufficient for auditors to know the sites visited by the user and correlate this information with the properties of the images contained on the user's workstation. If auditors right-click on a cookie file, they will see its properties, including the date it was created and the date it was last modified. Note that the date it was last accessed will be the date the auditor viewed it, because viewing the file updates that timestamp. For this reason, auditors should record the file dates before opening anything, or better, work from a copy of the user's profile or a disk image so that the originals are not altered.
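The following script turns the cookie records described above into the two facts the auditor wants from them: which sites set cookies and when. It is an added example, not code from the book. It assumes the legacy Internet Explorer cookie-file layout, one record per cookie consisting of name, value, domain/path, flags, the expiry FILETIME as low and high 32-bit values, the creation FILETIME as low and high values, and a line holding only "*"; a FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC. The sample records are constructed, as are the function names.

```python
"""Parse legacy Internet Explorer cookie files (user@site[1].txt) and report
which sites set cookies and when.

Added example, not from the book. Assumed record layout: name, value,
domain/path, flags, expiry FILETIME (low, high), creation FILETIME (low, high),
then a line holding only '*'. Sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low, high):
    """Combine the two 32-bit halves of a FILETIME into a UTC datetime."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the constructed sample."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks & 0xFFFFFFFF, ticks >> 32


def parse_ie_cookie_file(text):
    """Return one dict per cookie record found in the file text."""
    records, buf = [], []
    for line in text.splitlines():
        if line.strip() == "*":
            if len(buf) >= 8:  # ignore truncated trailing records
                name, value, site, flags, exp_lo, exp_hi, cr_lo, cr_hi = buf[:8]
                domain, _, path = site.partition("/")
                records.append({
                    "name": name,
                    "value": value,
                    "domain": domain,
                    "path": "/" + path,
                    "flags": int(flags),
                    "expires": filetime_to_datetime(exp_lo, exp_hi),
                    "created": filetime_to_datetime(cr_lo, cr_hi),
                })
            buf = []
        else:
            buf.append(line.strip())
    return records


def sites_by_first_seen(text):
    """Map each domain to the earliest creation time among its cookies, oldest first."""
    first = {}
    for rec in parse_ie_cookie_file(text):
        d = rec["domain"]
        if d not in first or rec["created"] < first[d]:
            first[d] = rec["created"]
    return dict(sorted(first.items(), key=lambda kv: kv[1]))


def _record(name, value, site, created, expires, flags=1536):
    """Build one constructed record in the assumed on-disk layout."""
    cr_lo, cr_hi = datetime_to_filetime(created)
    ex_lo, ex_hi = datetime_to_filetime(expires)
    fields = [name, value, site, str(flags), str(ex_lo), str(ex_hi), str(cr_lo), str(cr_hi), "*"]
    return "\n".join(fields) + "\n"


CREATED = datetime(2004, 3, 15, 9, 30, tzinfo=timezone.utc)
SAMPLE = (
    _record("uid", "0xd823903", "ads.adlinks.com/", CREATED, CREATED + timedelta(days=365))
    + _record("pref", "nosound", "adlinks.com/portal",
              CREATED + timedelta(days=1), CREATED + timedelta(days=30))
)

if __name__ == "__main__":
    for domain, seen in sites_by_first_seen(SAMPLE).items():
        print(f"{domain}: first cookie created {seen:%Y-%m-%d %H:%M} UTC")
```

Parse copies of the cookie files rather than the originals, so the last-accessed timestamps the auditor may later need are not overwritten by the examination itself. The creation time inside the record is set by the browser when the cookie was stored and is usually a better indicator of the first visit than the file system dates, which change whenever the site updates the cookie.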

Auditing Windows NT and XP

An integral part of these Windows operating systems is the feature of activity logging, or auditing. As a matter of policy and procedure, organizations are strongly advised to enable auditing on every operating system that offers it. When enabled and correctly configured, auditing causes entries to be written to the event logs. On NT and XP the event logs are divided into the Application log, the Security log, and the System log (XP also shows an Internet Explorer log); it is the Security log that records logon, object access and policy events, and only the categories selected in the audit policy are recorded there.

The Event Viewer is used to read the logs; the Security log, in particular, can be viewed only at "administrator" privilege level. How long entries are retained depends on the configuration settings, which tell the workstation the maximum size of each log and when to overwrite the oldest entries. The success auditors have in viewing logs depends on the implementation of policies and procedures relating to proper operating system configuration.

It is important for auditors to have a fair sample of user activity on which to draw their assessment. If too small, the sample will not reflect the user's activity; if too large, it contains too much information to be useful. Default configuration settings will generally overwrite logs in a few days or a week at most (on these versions of Windows the default log size is only 512 KB), and the default purpose of the logs is debugging the system rather than monitoring user activity. Auditors should be mindful that if suspicious user activity has triggered an audit, it is advisable to have the security manager enable the audit policy, enlarge the target workstation's logs, and configure them to capture a larger number of events with greater granularity before actually performing the audit. Because the logs live on the workstation, a user with administrator rights can also clear them, so their absence is itself a finding.

Keystroke Monitors

Auditors must be mindful there are hardware and software solutions that provide for the capture of every keystroke made on a given keyboard by the user. It is possible to configure them to either retain all the keystroke information on the workstation's hard drive or send the information via e-mail to the intended recipient. Other versions take snapshots of the target's monitor. Such keystroke software applications are available from www.spectorsoft.com.

Auditors should know these programs are not one hundred percent accurate, but they provide a significant degree of insight about what the user is doing on her workstation. Keystroke monitors are generally invisible to the user, but a very computer-savvy user can discover them with a degree of effort. These monitors are an important tool for auditors who are actively looking for illicit or unlawful activity. Because there are legal issues when using keystroke monitors, consult with legal counsel before installing them.



Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144