Software Security Development – A White Hat’s Perspective

“If you know the enemy and know yourself you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu[1]

Introduction

How to know your enemy

Knowing your enemy is vital to fighting him effectively. Security has to be learned not only from the side of network defense, but also by studying the software weaknesses and the techniques that are used with malicious intent. As attack tools and techniques keep advancing, we will probably see major, life-impacting incidents in the near future. We can still build a far more secure world, with risk managed down to an acceptable level, but only if security is integrated into systems from the start and thorough security testing is carried out throughout the software life cycle. One of the most instructive ways to learn computer security is to study and analyze systems from the attacker’s perspective. A hacker or cracker uses the available software and tools to locate weaknesses in a network or in the software itself, and then exploits them. Exploiting software is exactly what it sounds like: taking advantage of a bug or flaw so that the program does something of the attacker’s choosing rather than what its authors intended.

Similarly, your personal sensitive information can be very valuable to criminals. These attackers may be looking for data to use in identity theft or other fraud, a convenient way to launder money, information useful in their criminal business ventures, or system access for other nefarious purposes. One of the most important developments of the past few years has been the rush of organized crime into the computer attack business; these groups run attacks as a business process in order to make money. This type of crime can be highly lucrative for those who steal and sell credit card numbers, commit identity theft, or extort money from a target under the threat of a DoS flood. Further, if attackers cover their tracks carefully, the odds of going to jail are far lower for computer crime than for many types of physical crime. Finally, by operating from an overseas base in a country with little or no legal framework for prosecuting computer crime, attackers can act with virtual impunity [1].

Current Security

Assessing the vulnerabilities of software is the key to improving the security of a system or application. A vulnerability analysis should take into account every hole in the software through which a threat could be carried out. The process should highlight points of weakness and help build a framework for subsequent analysis and countermeasures. The security we have in place today includes firewalls, counterattack software, IP blockers, network analyzers, virus protection and scanning, encryption, user profiles and password policies. Understanding how attacks work against these basic mechanisms, and against the software and the computer systems that host them, is important to making software and systems stronger.

Many tasks require a client-host (client-server) module, and in many cases that module is the starting point from which a system is compromised. Understanding the platform you are building on, including the kernel, is also essential to preventing an attack. A stack-based buffer overflow occurs when a function writes more data into a fixed-size buffer on the stack than the buffer can hold. The stack frame also holds the function’s other local variables, its arguments, the saved frame pointer and the return address, so the excess bytes overwrite whatever the compiler placed after the buffer. An attacker who knows that layout can overwrite the return address and redirect execution to code of their choosing. This is useful to an attacker who wants to obtain information that grants access to someone’s account, or to gain the foothold needed for something like an SQL injection against your company’s database. A heap overflow achieves a similar effect against dynamically allocated buffers, which are used when the size of the data is not known in advance; here what gets overwritten is not a return address but heap metadata and neighbouring objects, and the attacker often does not need to know the exact buffer size to corrupt them.

We already know a little about integer overflows (or should). An integer overflow happens when an arithmetic result exceeds the range of the variable that holds it: an unsigned value wraps around to zero, and a signed value can flip its sign bit and turn into a large negative number. The value is then dramatically different from what the programmer expected, which an attacker can exploit to, for example, cause a denial of service. If engineers and developers do not check for these overflows, a wrapped length or size can defeat a bounds check or produce an undersized allocation, and the result is overwriting some part of memory. Anything reachable in memory that way can crash the whole system or leave it vulnerable later on.

Format string vulnerabilities are the result of carelessness by the programmers who write the code. If a programmer writes something like “printf(string);” with user-supplied data as the format argument, an input containing “%x” returns the hexadecimal contents of the stack, “%s” dereferences stack values as pointers, and “%n” writes to memory. The fix is never to use untrusted data as a format string, passing it as an argument instead, for example printf(“%s”, string). There are many testing tools and techniques for probing the design of frameworks and applications, such as “fuzzing”, which can prevent these kinds of exploits by finding where the holes lie before an attacker does.
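As an added example that is not code from the original article, the following C puts the two flaws just described next to their hardened forms. The function names (greet_unsafe, copy_bounded, render_log_line) and the inputs are constructed for this illustration. The unsafe functions are shown for comparison but never called with hostile input, because overflowing a stack buffer or passing “%n” as a format is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* --- Stack-based buffer overflow ---------------------------------------- */

/* Vulnerable: strcpy() copies until the NUL terminator, so any name longer
 * than 15 bytes writes past 'name' into whatever the compiler placed next on
 * the stack (other locals, the saved frame pointer, the return address). */
void greet_unsafe(const char *user)
{
    char name[16];
    strcpy(name, user);              /* no bound: the attacker picks the length */
    printf("hello, %s\n", name);
}

/* Hardened: the copy is bounded by the destination size and the caller is
 * told when input was rejected instead of silently truncated or overflowed.
 * Returns 0 on success, -1 if 'src' plus its NUL does not fit in 'cap'. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0 || n >= cap)        /* needs n bytes plus the terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int greet_safe(const char *user)
{
    char name[16];
    if (copy_bounded(name, sizeof name, user) != 0)
        return -1;                   /* too long: refuse rather than overflow */
    printf("hello, %s\n", name);
    return 0;
}

/* --- Format string ------------------------------------------------------- */

/* Vulnerable: the attacker-controlled string *is* the format. "%x" prints
 * stack words, "%s" dereferences them, and "%n" writes to memory. */
void log_unsafe(const char *msg)
{
    printf(msg);                     /* never pass untrusted data as a format */
}

/* Hardened: user data is an argument, never the format, so '%' is just data.
 * Rendering into a buffer lets the result be checked; returns bytes written. */
int render_log_line(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, "log: %s", msg);
}

int main(void)
{
    char line[64];
    greet_safe("alice");                             /* fits: printed */
    if (greet_safe("a-name-that-is-far-too-long-for-the-buffer") != 0)
        puts("rejected over-long name instead of overflowing");
    render_log_line(line, sizeof line, "%x%x%x%n");  /* stays literal text */
    puts(line);
    return 0;
}
```

copy_bounded refuses over-long input rather than truncating it: silent truncation is a different bug (a cut-off path or command), and the caller should decide what to do with rejected input.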

Exploiting these software flaws almost always means supplying bad input to the software so that it behaves in a way that was not intended or anticipated. Bad input can produce many kinds of returned data and effects in the program’s logic, and an attacker reproduces them by learning the input flaws. In most cases this involves overwriting original values in memory, whether through data handling or code injection. TCP/IP (Transmission Control Protocol/Internet Protocol) and its related protocols are incredibly flexible and are used for all kinds of applications. However, the inherent design of TCP/IP gives attackers many opportunities to undermine the protocol, causing all sorts of problems for our computer systems. By subverting TCP/IP and the services listening on its ports, attackers can violate the confidentiality of sensitive data, alter data to undermine its integrity, impersonate other users and systems, and even crash machines with DoS attacks. Many attackers routinely exploit the weaknesses of traditional TCP/IP to gain access to sensitive systems around the globe.

Attackers today understand operating systems and the security vulnerabilities within them. Windows, Linux and UNIX have all had their flaws openly exploited by viruses, worms and Trojan horses. After gaining access to a target machine, attackers want to keep that access, and they use Trojan horses, backdoors and rootkits to do so. Just because an operating environment may be vulnerable to attack does not mean your system has to be. With the security now integrated into operating systems such as Windows Vista, and the openness of the Linux code base, maintaining an effective security profile is within reach, provided the protections are actually enabled and kept patched.

Finally, I want to discuss the kind of technology we are seeing to hack the hacker, so to speak. Recently a security professional named Joel Eriksson showcased an application that turns the attacker’s own tools against them.

Wired article on the RSA convention with Joel Eriksson:

“Eriksson, a researcher at the Swedish security firm Bitsec, uses reverse-engineering tools to find remotely exploitable security holes in hacking software. In particular, he targets the client-side applications intruders use to control Trojan horses from afar, finding vulnerabilities that would let him upload his own rogue software to intruders’ machines.” [7]

PCShare is a remote administration tool (RAT) used by attackers, particularly in China, to control their victims’ machines and upload or download files. Eriksson’s work targets a bug in this program that its authors most likely overlooked or did not think to protect: a module that displays the upload and download times for files. That hole was enough to let him write files onto the attacker’s system and even control the server’s autostart directory. The technique applies not only to PCShare but to a number of botnet controllers as well. New tools like this appear every day, and it will benefit your company to know which of them can help fight the intruder.

Mitigation Process and Review

Software engineering practices for quality and integrity include the software security patterns that will be used. “Confidentiality, integrity, and availability have overlapping concerns, so when you partition security patterns using these concepts as classification parameters, many patterns fall into the overlapping regions” [3]. Beyond these security domains there are other areas of high pattern density, including distributed computing, fault tolerance and management, and process and organizational structuring. These subject areas are enough to make a complete course on patterns in software design [3].

We must also focus on the context in which the application, and therefore the pattern, is applied, on the stakeholders’ view, and on the protocols the application must serve. Classifications such as the CIA model (confidentiality, integrity and availability) define the problem domain for the threats and for the patterns used under it. Such classifications are exemplified by the Defense in Depth, Minefield and Grey Hats patterns.

A tabular classification scheme for security patterns classifies them by domain concept, which fails to account for the more general patterns that span multiple categories. The alternative taken in [3] was to classify patterns by the problems they solve, partitioning the security pattern problem space using a threat model to distinguish scope. A classification based on threat models is more perceptive because it uses the security problems that the patterns actually solve. One example of such a threat model is STRIDE, an acronym for the following concepts:

Spoofing: An attempt to gain access to a system using a forged identity. A compromised system would give an unauthorized user access to sensitive data.

Tampering: Data corruption during network communication, where the data’s integrity is threatened.

Repudiation: A user’s refusal to acknowledge participation in a transaction.

Information Disclosure: The unwanted exposure and loss of private data’s confidentiality.

Denial of service: An attack on system availability.

Elevation of Privilege: An attempt to raise the privilege level by exploiting some vulnerability, where a resource’s confidentiality, integrity, and availability are threatened. [3]

What this threat model covers can be discussed using the following four patterns: Defense in Depth, Minefield, Policy Enforcement Point, and Grey Hats. In practice every pattern belongs to several groups one way or another, because classifying abstract threats cleanly is difficult. The IEEE classification hierarchy is a tree whose nodes are named in domain-specific terms, and navigating the pattern catalogue is easier and more meaningful in that form. A scheme based on STRIDE alone is limited, but only because patterns that address several concepts cannot be classified in a two-dimensional schema. The hierarchical scheme shows not only the leaf nodes, which are the patterns themselves, but also the multiple threats that affect them: an internal node at a higher level collects the threats that every node beneath it is affected by. Threat patterns at the tree’s root apply to multiple contexts, namely the core, the perimeter and the exterior. The most basic patterns, such as Defense in Depth, sit at the top of the hierarchy because they apply to all contexts. Mapping the concrete threats found with network tools (spoofing, tampering, repudiation, denial of service, and so on) onto the core, perimeter and exterior contexts lets the development team pinpoint where the security weaknesses are.

Defense against kernel-mode rootkits should keep attackers from gaining administrative access in the first place, by applying system patches. Tools for Linux, UNIX and Windows look for the anomalies that user-mode and kernel-mode rootkits introduce on a system. Although a perfectly implemented and perfectly installed kernel rootkit can dodge a file integrity checker, reliable scanning tools are still worthwhile because they catch the subtle mistakes an attacker makes that a human might miss. Linux also provides useful tools for incident response and forensics; for example, tools run from known-good media produce output that can be trusted more than anything reported by a system whose user-mode or kernel-mode components may already be subverted by a rootkit.

Logs that have been tampered with are worse than useless for investigative purposes, and conducting a forensic investigation without reliable logging is like cake without the frosting. Hardening a system therefore requires careful attention to protecting its logs, to a degree that depends on the sensitivity of the server. Internet-facing machines holding sensitive data need the most care. For some systems on an intranet, logging may be less critical. However, for vitally important systems containing sensitive information about human resources, legal matters, or mergers and acquisitions, the logs can make or break the protection of your company’s confidentiality. Detecting an attack and collecting evidence that digital forensics can use is vital to building a case against the intruder. Note that encryption alone does not protect logs from tampering: it provides confidentiality, not integrity. To make logs tamper-evident, ship them promptly to a separate collector the attacker cannot reach, and protect their integrity with a keyed hash or signature chained over the entries, so that any edit, reordering or deletion breaks the chain.
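To make the tamper-evidence point concrete, here is an added example (not code from the article) of a hash-chained audit log in C. Every entry’s authentication tag covers the previous entry’s tag, so an attacker who edits or drops an interior line invalidates everything after it, and an attacker who truncates the tail is caught as long as the most recent tag was shipped off the host. The log lines, the key and the chain_mac function are constructed for the illustration; chain_mac is a keyed FNV-1a stand-in, not a real MAC, and a production system would use HMAC-SHA-256 or a signature.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

/* Stand-in for a real MAC: keyed FNV-1a over key, previous tag and the line.
 * In production use HMAC-SHA-256 or a digital signature with a key the log
 * host itself cannot read; this toy only shows the chaining structure. */
uint64_t chain_mac(uint64_t key, uint64_t prev, const char *line)
{
    uint64_t h = 1469598103934665603ULL ^ key;
    for (int i = 0; i < 8; i++) {               /* absorb previous tag bytes */
        h ^= (prev >> (8 * i)) & 0xFF;
        h *= 1099511628211ULL;
    }
    for (; *line; line++) {                     /* absorb the log line */
        h ^= (uint8_t)*line;
        h *= 1099511628211ULL;
    }
    return h;
}

struct log_entry { char line[96]; uint64_t mac; };
struct audit_log { struct log_entry e[MAX_ENTRIES]; size_t n; };

/* Append a line. Each tag covers the previous tag, so editing, reordering
 * or deleting an interior entry invalidates every tag after it. */
int log_append(struct audit_log *lg, uint64_t key, const char *line)
{
    if (lg->n >= MAX_ENTRIES) return -1;
    uint64_t prev = lg->n ? lg->e[lg->n - 1].mac : 0;
    struct log_entry *ent = &lg->e[lg->n];
    snprintf(ent->line, sizeof ent->line, "%s", line);
    ent->mac = chain_mac(key, prev, ent->line);
    lg->n++;
    return 0;
}

/* Verify the chain. 'head' is the most recent tag as recorded somewhere the
 * attacker cannot reach (a remote collector, a printout); without it, an
 * attacker who simply truncates the tail would go unnoticed. Returns -1 if
 * the log is intact, the index of the first bad entry otherwise, or lg->n
 * when every entry checks out but the tail is missing. */
long log_verify(const struct audit_log *lg, uint64_t key, uint64_t head)
{
    uint64_t prev = 0;
    for (size_t i = 0; i < lg->n; i++) {
        if (chain_mac(key, prev, lg->e[i].line) != lg->e[i].mac) return (long)i;
        prev = lg->e[i].mac;
    }
    return prev == head ? -1 : (long)lg->n;
}

int main(void)
{
    /* Constructed sample entries; the key would normally live off the host. */
    const uint64_t key = 0x5eed5eed5eed5eedULL;
    struct audit_log lg;
    memset(&lg, 0, sizeof lg);
    log_append(&lg, key, "sshd: accepted publickey for alice from 10.0.0.5");
    log_append(&lg, key, "sudo: alice : COMMAND=/usr/bin/systemctl restart nginx");
    log_append(&lg, key, "sshd: failed password for root from 203.0.113.9");
    uint64_t head = lg.e[lg.n - 1].mac;         /* shipped off-box at append time */
    printf("intact: %ld\n", log_verify(&lg, key, head));
    snprintf(lg.e[1].line, sizeof lg.e[1].line, "sudo: alice : COMMAND=/bin/ls");
    printf("after editing entry 1: %ld\n", log_verify(&lg, key, head));
    return 0;
}
```

The design choice worth noting is that the chain alone cannot detect truncation; only the externally held head tag does, which is why forwarding to a remote collector matters more than encrypting the file in place.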

Fuzz Protocols

Protocol fuzzing is a software testing technique that automatically generates, then submits, random, malformed or sequential data to various parts of an application in an attempt to uncover security vulnerabilities. It is most often used to find weaknesses in applications and protocols that carry data between client and host. The basic idea is to attach the inputs of a program to a source of random or unexpected data; if the program fails (for example by crashing, or by tripping built-in assertions), there are defects to correct. This kind of testing was first developed by Professor Barton Miller and his associates [5]. Its purpose was to change the mentality from being too confident in one’s technical knowledge to actually questioning the conventional wisdom behind security.

Luiz Edwardo on protocol fuzzing:

“Most of the time, when the perception of security doesn’t match the reality of security, it’s because the perception of the risk does not match the reality of the risk. We worry about the wrong things: paying too much attention to minor risks and not enough attention to major ones. We don’t correctly assess the magnitude of different risks. A lot of this can be chalked up to bad information or bad mathematics, but there are some general pathologies that come up over and over again” [6].

With fuzzing going mainstream, numerous bugs have been found that made national or even international news. Consider where an attacker stands by this point. They have a list of contacts, a handful of IP addresses for your network and a list of domain names. Using a variety of scanning techniques they have gathered valuable information about the target network: a list of phone numbers with modems (obsolete but still viable), a set of wireless access points, the addresses of live hosts, the network topology, open ports and firewall rule sets. They have even compiled a list of vulnerabilities on your network, all the while trying to evade detection, and they are now poised to take over systems. The growth of fuzzing shows that shipping a product or service on the strength of basic functional testing is no longer acceptable. Because the internet offers so many protocol-breaking tools, it is very likely that an intruder will break your company’s protocol at every level: its structure, its semantics and its protocol states. In the end, if you do not fuzz it, someone else will. Session-based and even state-based fuzzing has been used to drive a protocol through the states of a session so that faults can be isolated more precisely. The real challenge in fuzzing, though, is not generating the inputs but isolating the fault: the environment, the bug, the protocol implementation, and monitoring of the target while it runs.
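As an added example (not code from the article), here is a small differential fuzzer in C that ties the integer-overflow discussion earlier on the page to this section. The message format, the parser names (accept_vulnerable, accept_fixed), the seed message and the PRNG are all constructed for the illustration. The vulnerable parser adds two 16-bit length fields in 16-bit arithmetic, so a declared size of 0xFFFF + 8 wraps to 7 and slips under the bounds check; the fixed parser widens first and shows the general checked-addition idiom. The fuzzer mutates a valid seed with random and boundary bytes and uses the two parsers as a differential oracle, so it reports the bug without the target having to crash, which addresses the fault-isolation problem the text ends on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message layout (constructed for this example): two little-endian 16-bit
 * fields, header length and body length, followed by the bytes they describe.
 * Both parsers must reject a message whose declared size exceeds what arrived. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable: the total is computed in 16 bits, so 0xFFFF + 8 wraps to 7 and
 * passes the length check. A later copy of 'hdr_len' bytes would then read
 * far past the end of the buffer. */
int accept_vulnerable(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 4) return 0;
    uint16_t hdr_len  = rd16(msg);
    uint16_t body_len = rd16(msg + 2);
    if (hdr_len < 4) return 0;                        /* header includes itself */
    uint16_t total = (uint16_t)(hdr_len + body_len);  /* BUG: wraps at 65536 */
    return total <= msg_len;
}

/* Fixed: check a + b for overflow before trusting the sum. */
int add_checked(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) return -1;                  /* a + b would wrap */
    *out = a + b;
    return 0;
}

int accept_fixed(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 4) return 0;
    uint16_t hdr_len  = rd16(msg);
    uint16_t body_len = rd16(msg + 2);
    if (hdr_len < 4) return 0;
    size_t total;
    if (add_checked(hdr_len, body_len, &total) != 0) return 0;
    return total <= msg_len;
}

/* Deterministic PRNG (64-bit LCG, high bits) so a run can be reproduced. */
static uint64_t rng_state;
static uint32_t rnd(void)
{
    rng_state = rng_state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (uint32_t)(rng_state >> 33);
}

/* Mutation fuzzer: start from a valid seed message, apply 1-3 random
 * mutations (a random byte, or a boundary value such as 0xFF), and use the
 * two implementations as a differential oracle. Returns how many mutated
 * inputs the vulnerable parser accepted but the fixed one rejected, and
 * leaves the first such input in 'found' when it is non-NULL. */
int fuzz_length_check(unsigned iterations, uint64_t seed, uint8_t found[12])
{
    static const uint8_t seed_msg[12] = { 4, 0, 8, 0, 'h','e','a','d','b','o','d','y' };
    static const uint8_t boundary[] = { 0x00, 0x7F, 0x80, 0xFF };
    int discrepancies = 0;
    rng_state = seed;
    for (unsigned i = 0; i < iterations; i++) {
        uint8_t m[12];
        memcpy(m, seed_msg, sizeof m);
        unsigned n = 1 + rnd() % 3;
        for (unsigned k = 0; k < n; k++) {
            size_t pos = rnd() % sizeof m;
            m[pos] = (rnd() & 1) ? (uint8_t)rnd() : boundary[rnd() % 4];
        }
        int v = accept_vulnerable(m, sizeof m), f = accept_fixed(m, sizeof m);
        if (v != f) {                                 /* oracle disagreement */
            if (discrepancies == 0 && found) memcpy(found, m, sizeof m);
            discrepancies++;
        }
    }
    return discrepancies;
}

int main(void)
{
    uint8_t found[12];
    int hits = fuzz_length_check(200000, 42, found);
    printf("%d discrepancies", hits);
    if (hits) printf("; first: hdr_len=%u body_len=%u", rd16(found), rd16(found + 2));
    printf("\n");
    return 0;
}
```

A fixed seed makes every discrepancy reproducible. In practice the same harness is driven by a coverage-guided fuzzer, and the oracle is a sanitizer or an assertion inside the real parser rather than a second implementation; the differential form is used here because it makes the bug visible without undefined behaviour.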

Systems Integrations

There are three areas of systems integration that the developer must consider for security: access control, intrusion detection, and the trade-offs of the implementation. The software developer must weigh the complete mitigation review of each software flaw against the design as implemented. Integrating these controls into the system belongs in the implementation stage of development. Attacks on these systems can have severe safety and financial consequences, and securing computer systems has become a very important part of system development and deployment.

Since we cannot remove the threats entirely, we must minimize their impact instead. This becomes possible by building an understanding of the human and technical issues involved in such attacks. That knowledge lets an engineer or developer make the intruder’s life as hard as possible. It also raises the bar: the better we understand the attacker’s motivations and skill level, the harder the target we can build. Think of it as getting inside the hacker’s head and thinking the way they do.

Access Control

Even if you have implemented every control you can think of, there are a variety of other lockdowns that must be continually added to keep up with the constant attacks against a system. You may apply security patches, use a file integrity checking tool and have adequate logging, but have you recently looked for unsecured modems, or turned on port security on the switches in your critical network segments to stop the latest sniffing attack? Have you considered non-executable stacks to blunt one of the most common attacks of all, the stack-based buffer overflow? And you should always be prepared for a kernel-level rootkit following any of these attacks, since it means the attacker can take command of your system away from you.

Password attacks are a very common way of defeating software authentication. Attackers often try to guess passwords, either by hand or with generated scripts, in order to gain access to a system. Password cracking goes a step further: it takes the encrypted or hashed passwords from a system’s cache, registry or password file and uses an automated tool to recover the originals. Cracking tools generate candidate passwords, encrypt or hash each guess, and compare the result with the stored value, which is why the attacker needs a copy of the hash file to begin with. The guesses can come from a dictionary, from brute-force enumeration, or from hybrid techniques that apply rules such as appended digits to dictionary words. This is why access controls must protect human, physical and intellectual assets against loss, damage or compromise by permitting or denying entry into, movement within, and exit from the protected area. The controls also grant or deny access rights and the times at which they apply. They are operated by people, using physical and/or electronic hardware, in accordance with policy. To defend against password attacks you need a strong password policy that requires users to choose nontrivial passwords. You must make users aware of the policy, employ password filtering software, and periodically crack your own users’ passwords (with appropriate permission from management) to enforce it. You should also consider authentication stronger than passwords, such as PKI-based authentication or hardware tokens, backed by auditing software [1].
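The guess-hash-compare loop described above, written out as an added example in C (not code from the article). The credential file, the wordlist and the hash function are all constructed for the illustration: toy_hash is unsalted FNV-1a standing in for a real password hash, which is precisely the property that makes offline cracking cheap, and the two-digit suffix rule is a minimal hybrid mode. The run shows why the policy advice matters: a dictionary word falls in two guesses, “word plus digits” in a few hundred, and a long random password survives the whole wordlist and rule set.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in hash for the example: 64-bit FNV-1a. It is fast and unsalted,
 * which is exactly what makes offline guessing cheap; a real password store
 * must use a slow, salted construction (bcrypt, scrypt, Argon2) instead. */
uint64_t toy_hash(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 1099511628211ULL; }
    return h;
}

/* One record from a constructed "stolen" credential file. */
struct cred { const char *user; uint64_t hash; };

/* Offline cracking in two passes: every wordlist entry as-is (dictionary
 * mode), then every entry with a two-digit suffix 00-99 (a common hybrid
 * rule). On success copies the recovered password into 'out' and returns
 * the number of guesses it took; returns 0 if the hash survived the run. */
unsigned crack(uint64_t target, const char *const *dict, size_t ndict,
               char *out, size_t cap)
{
    char guess[64];
    unsigned tries = 0;
    for (size_t i = 0; i < ndict; i++) {
        tries++;
        if (toy_hash(dict[i]) == target) {
            snprintf(out, cap, "%s", dict[i]);
            return tries;
        }
    }
    for (size_t i = 0; i < ndict; i++) {
        for (int d = 0; d < 100; d++) {
            tries++;
            snprintf(guess, sizeof guess, "%s%02d", dict[i], d);
            if (toy_hash(guess) == target) {
                snprintf(out, cap, "%s", guess);
                return tries;
            }
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed wordlist and stolen hashes: trivial, "word + digits", strong. */
    static const char *const dict[] = { "123456", "password", "summer", "welcome", "letmein" };
    struct cred creds[] = {
        { "alice", toy_hash("password") },
        { "bob",   toy_hash("summer07") },
        { "carol", toy_hash("x9!Tq#4vL-wind-coral") },
    };
    for (size_t i = 0; i < 3; i++) {
        char pw[64];
        unsigned n = crack(creds[i].hash, dict, 5, pw, sizeof pw);
        if (n) printf("%s: cracked \"%s\" after %u guesses\n", creds[i].user, pw, n);
        else   printf("%s: survived the wordlist and rule set\n", creds[i].user);
    }
    return 0;
}
```

Running your own users’ hashes through a loop like this (with management’s permission) is the enforcement step the text recommends; with a real slow hash the same loop costs the attacker orders of magnitude more per guess, which is the second half of the defence.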

Despite this, another developer may be interested only in authentication. Such a developer first creates minimal access points at which the Authenticator pattern enforces the authentication policy. A Subject Descriptor defines the data used to grant or deny the authentication decision. A Password Synchronizer pattern performs distributed password management. Authenticator and Password Synchronizer are not directly related: other patterns have to be applied after Authenticator before a Password Synchronizer can be used.

Intrusion Detection

Intrusion detection monitors and logs activity that may indicate a security risk. A working network intrusion detection system tells you that someone has found the doors, even when nobody has actually tried to open them yet. It inspects inbound and outbound network activity and identifies patterns that may indicate an attempt to compromise a network or system. Misuse detection works like a scanner: it analyzes the traffic it gathers and compares it to a large database of attack signatures, so it can only find a specific attack that has already been documented. Like a virus detection system, it is only as good as the index of signatures it compares packets against. In anomaly detection, the system administrator defines the normal state of the network’s traffic: its breakdown, load, protocols and typical packet size. Anomaly detection then compares the current state of each segment to that normal state and looks for deviations. The design must also account for, and detect, malicious packets crafted to slip past a generic firewall’s basic filtering rules. A host-based system examines the activity on each individual computer. As long as you are securing the environment and authorizing transactions, intrusion detection should see no activity arising from a flaw in the system’s data flow, and anything it does see is worth investigating.

Trade-Offs

Trade-offs of the implementation must also be considered when developing these controls and detection software. The developer has to weigh the severity of the risk, the probability of the risk, the magnitude of the costs, how effective the countermeasure is at mitigating the risk, and how well disparate risks and costs can be compared at this level. Even when the risk analysis is complete, actual changes to the system must be taken into account and the security assessment repeated. The one area that most often causes the feeling of security to diverge from the reality of security is the idea of risk itself. If we get the severity of the risk wrong, we get the trade-off wrong, and at a critical level that cannot be allowed to happen. We get it wrong in two ways. First, we can underestimate a risk, such as the risk of an automobile accident on the way to work. Second, we can overestimate a risk, such as the risk that someone you know is stalking you or your family. When we overestimate and when we underestimate is governed by a few specific heuristics. One of them concerns probability: “bad security trade-offs is probability. If we get the probability wrong, we get the trade-off wrong” [6]. These heuristics are not specific to risk, but they contribute to bad evaluations of risk, and as humans our ability to quickly assess a probability in our heads runs into all sorts of problems. When we organize ourselves to analyze a security issue properly, it becomes mere statistics. But in the end we still need to work out the threat behind the risk, which can be found by “listing five areas where perception can diverge from reality:”

-The severity of the risk.

-The probability of the risk.

-The magnitude of the costs.

-How effective the countermeasure is at mitigating the risk.

-The trade-off itself [6].

To think a system can be completely secure is absurd and illogical; at best, wider use of hardware-rooted security would narrow the gap. The feeling of security and the reality of security are different, but they are closely related. We make our best security trade-offs with that perception in mind: a good trade-off is one that gives us genuine security for a reasonable cost, and one in which our feeling of security matches the reality. It is when the two are out of alignment that we get security wrong. We are also not adept at making coherent security trade-offs, especially amid a lot of ancillary information designed to persuade us one way or another. There is no such thing as a complete lockdown; the assessment has been worth the effort when the residual risk is understood and accepted rather than assumed away.

Physical Security

Physical security covers anything that could be observed or obtained in person and used to learn company-related information, including documentation, personal information, assets, and people susceptible to social engineering.

In its most widely practiced form, social engineering involves an attacker calling employees at the target organization and manipulating them into revealing sensitive information. The most frustrating aspect of social engineering attacks for security professionals is that they are nearly always successful. By pretending to be another employee, a customer, or a supplier, the attacker attempts to manipulate the target person into divulging some of the organization’s secrets. Social engineering is deception, pure and simple. The techniques used by social engineers are often associated with computer attacks, most likely because of the fancy term “social engineering” applied to them when used in computer intrusions. However, scam artists, private investigators, law enforcement, and even determined salespeople employ virtually the same techniques every single day.

Use public and private security providers to help staff security in and around the complex perimeter, and install alarms on all doors, windows and ceiling ducts. Assign clear roles and responsibilities to engineers, employees, and building maintenance staff, and make it plain that they must always have authorization before disclosing any corporate data. Keep critical contacts and ongoing communication in place throughout a software product’s life, including the disclosure of documentation. Employees who travel must be given mobile resources with the correct security protocols installed for communicating back to the company over a web connection. The company should use local, state, and remote facilities to back up data, or use services that provide extra protection for data resources. Such extra security includes supervision of company waste so it is not susceptible to dumpster diving. An assailant is not after yesterday’s lunch; they are looking for shredded paper, memos, and company reports you wanted to keep confidential.

Dumpster diving is a variation on physical break-in that involves rifling through an organization’s trash to look for sensitive information. Attackers use dumpster diving to find discarded paper, CDs, DVDs, floppy disks (more obsolete but still viable), tapes, and hard drives containing sensitive data. In the computer underground, dumpster diving is sometimes referred to as trashing, and it can be a smelly affair. In the massive trash receptacle behind your building, an attacker might discover a complete diagram of your network architecture, or an employee might have carelessly tossed out a sticky note with a user ID and password. Although it may seem disgusting in most respects, a good dumpster diver can often retrieve informational gold from an organization’s waste [1].

Conclusion

Security development involves careful consideration of company value and trust. In the world as it exists today, we understand that responding to electronic attacks is not as easy as it should be, but it is nonetheless unavoidable. Professional criminals, hired guns, and even insiders, to name just a few of the threats we face, cannot be compared to the pimply teenager sitting at a computer ready to launch the newest attack at your system. Their motivations include revenge, monetary gain, curiosity, or plain pettiness: attracting attention or feeling accomplished in some way. Their skill levels range from script kiddies using tools they do not understand to elite masters who know the technology better than their victims and possibly even the vendors themselves.

The media has made a point of saying that we are living in the golden age of computer hacking and digital terrorism. As we move more of our lives and society onto networked computers, attacks have become more prevalent and damaging. But do not be discouraged by the number and power of the tools that can harm your systems; we also live in the golden age of information security. The defenses you implement and maintain are exactly what you need. Although they are often not easy, they add a good deal of job security for effective system administrators, network managers and security personnel. Computer attackers are excellent at sharing information with each other about how to attack a given infrastructure, and their efficiency in distributing the details of how they infiltrate their victims can be ruthless and brutal. Implementing and maintaining a comprehensive security program is not trivial. But do not get discouraged: we live in very exciting times, with technology advancing rapidly and offering great opportunities for learning and growing.

If the technology itself is not exciting enough, just think of the job security enjoyed by system administrators, security analysts and network managers who know how to secure their systems properly. Keep in mind that by staying diligent you really can defend your information and systems while holding a challenging and rewarding job that builds your experience. To keep up with attackers and defend our systems, we must understand their techniques, and we must help system administrators, security personnel and network administrators defend their systems against attack. Attackers come from all walks of life and have a variety of motivations and skill levels. Make sure you accurately assess the threat to your organization and deploy defenses that match both the threat and the value of the assets you must protect. And never underestimate the power of a hacker who has the time, patience and know-how to accomplish whatever they put their mind to. It is your duty to do the same.

Financial Reform – The Movement Has Begun

Our current financial crisis has spawned an astounding amount of state and federal legislation aimed squarely at the financial services industry. Legislators are determined to prevent us from making the same mistakes twice, and are vowing to protect consumers from what they refer to as “predatory lending”. But how far should these new policies reach? At what point do we consider that government regulation has overstepped the boundaries of private business?

It seems that legislators have tried to tackle all of the financial sector issues at once, from big bank bailouts, to corporate compensation, to an all-out assault on short-term lending. No doubt many of these areas need further regulation and intervention, but it’s important that we write laws that make sense for consumers as well as the entities that serve them. The general public will continue to need access to credit and it is imperative that we write smart policies that encourage responsible lending to responsible individuals.

Consumer Financial Protection Agency (CFPA)

In October we saw this proposed agency clear a major hurdle. Its passage through the US House of Representatives moves it one step closer to becoming the agency that will take financial sector reform head-on. It will be responsible for rules regarding credit cards and other financial services products as well as the pursuit of sweeping changes to the short-term lending industry. But many feel that the agency’s power will be too broad. And with a growing list of exemptions and loopholes, is this new agency truly protecting the consumer or will it cater to special interest groups?

Short Term Lending Changes

A major focus of the CFPA will be the continued regulation and possible elimination of the payday lending industry. This type of short term lending is considered to be “abusive” and “predatory” by many lawmakers and has been cited as a key reason Congress needs to create a separate watchdog for consumer financial products. Additionally, attention is shifting to the regulation of bank overdraft fees and other financial industry charges.

The current financial crisis makes it easy to see that we are in need of substantial industry reform. It will take our best financial minds to devise long-term solutions for our current issues. The only workable fixes are those that create a fair marketplace for both financial institutions and consumers. Above all, lawmakers must focus on the passage of regulations that get credit into the hands of people and organizations that need it.

Computerized Financial Accounting – Methods and Practices – Use of software in Accounting

A complete financial accounting course or tutorial covers the following range of topics. It also evaluates how computers have affected traditional accounting methods and practices.

  • Financial Accounting with Double Entry Bookkeeping
  • Principles of Accounting
  • Basic Book of Accounting – Journal
  • Accounting Ledger
  • Accounting Sub Journals – Cash Book
  • Subsidiary Accounting Books
  • Accounting Verification by Trial Balance
  • Banking Transactions Bank Reconciliation Statement
  • Depreciation
  • Rectification Of Accounting Errors
  • Balance Sheet and Profit and Loss Account
  • Single Entry Bookkeeping Accounting System
  • Non Profit Organization Accounting
  • Capital and Revenue
  • Reserves and Provisions

In a very short span of time, the computer has grown from a scientific curiosity to an indispensable tool of modern society. There is hardly any scientific, technical or business activity which is not, in one way or another, affected by modern data processing techniques.

The human mind can handle only a limited number of things at a time. The digital computer, on the other hand, can be programmed to compare, measure, calculate and evaluate thousands of readings in an extremely short period of time.

The computer industry has become the fastest growing industry these days. The sale of mainframe computers is increasing day by day. The computer industry has been further pushed up by the introduction of minicomputers and microcomputers, which are small, cheap, reliable and very light. These are being routinely used for process control, production testing, scientific instrument recording, in-store checkout systems, automobile test and evaluation systems, medical monitoring, etc.

Computers are now being used extensively in office administration to perform the routine clerical work. Today, most large and medium sized organizations are almost totally dependent on their computers. Routine uses of computers are given below:

(i) Accounting, Billing, Inventory Control Software with MIS, CRM

Computers are extensively used in accounting and there is a multitude of software for Accounting, MIS and CRM. HiTech Financial Accounting is one such package, which has been customized for users in many segments of business and services.

(ii) Payroll and personnel records.

Payroll accounting was the first commercial area to become widely computerized. The calculation of wages or salaries involves a number of variables which relate to the personal details of each employee, such as gross pay or rate for the job, individual deductions, tax liabilities of the employee and so on. These facts can be retained in the computer and processed every month to produce pay slips for the employees.

(iii) Stock control

The computer helps to exercise the type of stock control needed by the organization. It updates the sales and purchase records, determines optimum re-order levels for different items and prints out stock lists when desired. The system can be designed so that it triggers orders when the stock level of an item reaches its order point, flags items which are slow-moving, and lists overstocked items.

(iv) Sale accounts records

Programming can be done for any sales accounting system. The computer will pinpoint defaulting debtors, determine the right credit limit for each debtor and maintain the stores ledger.

(v) Costing and budgetary control

Costing and budgetary control can be effected through the computer, which will point out the variations from the planned performance.

(vi) Production control

The computer also helps greatly in production planning and control. It is possible that rescheduling of the work may become necessary due to breakdowns etc. A new critical path may have to be worked out. A critical path is the shortest path to be followed in production to achieve production objectives. The computer helps the management lay down this new critical path.

Advantages and disadvantages of a computer

A computer is surely advantageous because of its high speed of operation and greater accuracy, the savings effected by better managerial control, savings in labor because it is fully automatic, and finally its flexibility in use. However, there is a considerable capital outlay, difficulty in obtaining experienced analysts and programmers, breakdown and maintenance troubles, and finally the fear of obsolescence due to the rapid development of computers.

Type of other applications in relation to accounting system

WORD PROCESSOR

It is a software package to help in text processing. Processing includes inserting, deleting, changing and moving words, paragraphs etc. Word processing is the preparation of typescripts, using computing facilities for the storage and manipulation of text. For example, a word processor has the ability to merge names and addresses with standard text so as to give the impression that the latter is personalized even in the case of a circular letter.

HiTech Financial Accounting has got features so that you can export its reports to Microsoft Word, a word processing and Mail Merge Program. You can also write letters to various parties and store the details in the program database.

DATA BASE

It is a simple collection of information (data) on a particular subject. A database file allows you to manipulate the data in the desired form. So, a database allows us to work on facts and figures, storing and manipulating that data in any desired way. For example, from the same basic information a trial balance is prepared; a trading and profit and loss account may be prepared; lists of debtors and creditors may be prepared; purchase and sales forecasts may be made, and so on. So, efficient database management is needed to provide flexibility in the use of information.

HiTech Financial Accounting uses MS Access and MS SQL Server databases for robust database connectivity.

SPREAD SHEET

It is one of the software programs which have increased the utility of the computer for accounting purposes. Spreadsheet programs help you to draw vertical as well as horizontal columns on a large sheet. Each column’s length and breadth can be adjusted to suit. Even once columns are drawn they can subsequently be altered, increased or decreased; additional columns can be inserted and existing columns deleted. It is very useful for businessmen and professionals. It enables us to study multidimensional data on one sheet and helps in arriving at logical decisions. For example, if a profit and loss account has been prepared for the year 1989 and you want a comparison with 1987 figures and a 1990 forecast, then the spreadsheet enables you to add two additional columns on each side for inserting the 1987 actual figures and the 1990 forecast estimates.

HiTech Financial Accounting software can export its report data to Microsoft Excel Worksheet which is an advanced spreadsheet application.

A series of articles are proposed to be written on the topics mentioned in this article.

Should I Consider Online Financial Management Software?

You can use online financial software to manage your personal finances. Use it to do your banking or to pay bills through your bank website. People who have used online banking to pay bills were satisfied with the financial institution with which they do business.

The people who wouldn’t use online banking to pay bills or do other personal business online didn’t wish to do so because of security risks. There is no reason for concern because online banking is very secure. Many online financial software brands such as Mvelopes and others offer a high level of security but not all of them actually do.

Online banking through your financial institution gives you many benefits when you use it to pay bills. It gives you a better and altogether more effective banking experience. You can have the advantage of having all of your accounts together at one bank or financial institution, or on a single website. Experience perks such as reviewing your loan balances and payoff quotes, and scheduling bill payments for future dates.

Through online financial software you can easily do business no matter how far away your bank is located. Physical location is no barrier any longer. Therefore, you have power over which financial institution that you do all of your banking with. This way if you are not pleased with your bank you can choose another one. Online banking offers you account set up for no charge at all and other pluses as well.

The internet offers you the comfort of doing business from your home. You can even compare online banking over the internet. There are sites which offer discussions on choosing which online bank services are better. Use this and other web site information to form an opinion on which institution is better for you.

When you are choosing a password to secure your online financial software data, use a password which is not easily guessed. Choose one which a co-worker, or even a best friend who knows certain information about you, could not manage to figure out. Use a password that you won’t forget, of course. Another thing to remember is not to use numbers such as birthdates, social security numbers, or other personal information. Repeating a password can be damaging in the long run, so never use the same one for more than one purpose. Use a different password for each unit of information, such as each website account, each set of financial records, or any other type of data.
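As an added example that is not part of the original article, the Python below applies the two rules just given: a new password is rejected if it embeds personal information a co-worker or friend could know (name, birthdate in the common digit layouts, SSN digits), and reuse across accounts is detected by verifying the candidate against the salted PBKDF2 hashes already stored for the other accounts, so no plaintext is kept. The profile and account data are constructed sample values, and the 12-character minimum is an assumption the article does not state.

```python
"""Password hygiene checks for the advice above (added example, constructed data)."""
import hashlib
import hmac
import os
import re
from datetime import date

PBKDF2_ROUNDS = 200_000
MIN_LENGTH = 12  # assumed floor; the article sets no length


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def personal_tokens(name: str, birthdate_iso: str, ssn: str) -> set:
    """Substrings a password must not contain: name parts, the birthdate in
    the common digit layouts, and the full or last-four SSN digits."""
    tokens = {part for part in re.split(r"\s+", name.lower()) if len(part) >= 3}
    d = date.fromisoformat(birthdate_iso)
    yyyy, yy = f"{d.year}", f"{d.year % 100:02d}"
    mmdd, ddmm = f"{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}"
    tokens.update({yyyy, mmdd, ddmm,
                   mmdd + yyyy, ddmm + yyyy, yyyy + mmdd,   # 03121985, 12031985, 19850312
                   mmdd + yy, ddmm + yy})                    # 031285, 120385
    digits = re.sub(r"\D", "", ssn)
    tokens.update({digits, digits[-4:]})
    return tokens


def policy_violations(candidate: str, name: str, birthdate_iso: str, ssn: str,
                      other_accounts: dict) -> list:
    """Reasons to reject `candidate`. `other_accounts` maps site -> (salt, digest)
    of the passwords already in use, so reuse is detected without any plaintext."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    for token in sorted(personal_tokens(name, birthdate_iso, ssn)):
        if token in lowered:
            reasons.append(f"contains personal information: {token}")
    for site, (salt, digest) in other_accounts.items():
        if verify_password(candidate, salt, digest):
            reasons.append(f"already used for {site}")
    return reasons


def demo() -> dict:
    """Run the checks on constructed sample data; returns candidate -> reasons."""
    name, dob, ssn = "Jane Q Public", "1985-03-12", "123-45-6789"   # constructed profile
    vault = {"bank.example": hash_password("Tr0ub4dor&3-bank")}      # constructed account
    candidates = ["Tr0ub4dor&3-bank", "jane19850312!!!", "4-unrelated-words-xk9"]
    return {c: policy_violations(c, name, dob, ssn, vault) for c in candidates}


if __name__ == "__main__":
    for candidate, reasons in demo().items():
        print(f"{candidate!r}: {reasons or 'accepted'}")
```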

Another good use for online financial software is to update your tax software. It will be updating while you are using it. When you see updates happening don’t let it disturb you, it is a normal thing.

So that people can begin their income tax preparation, the tax software makers get their product out early. However, after these products are already out – updates in tax laws are still being passed. So be sure to make updates to your online financial software.

Considerations For Implementing Systems in Financial Service Organizations

INTRODUCTION

The confluence of SOA and SOX has had unexpected consequences, making software development more efficient and system failures rarer.

There are a number of reasons why new systems fail. But thanks to developments in service-oriented architecture (SOA), which reduces interdependencies between applications, and the implementation of the Sarbanes-Oxley Act (SOX), which has led to more firms outsourcing development to independent software vendors, the likelihood of all-out failure has been reduced.

There are two types of major systems in financial services firms, with vastly different success rates and implementation challenges. The first type, client-facing systems, are outwardly focused. They connect bankers, financial planners, hedge fund managers, stockbrokers, and their ilk with customers. Examples include banking and bill payment, 401(k) management, remote deposits, derivatives trading, and position monitoring. While these systems have many different objectives, they have two overriding commonalities: they link customers and investors with their financial institutions and generate revenue in the process.

Not all systems in a financial firm are client-facing. Organizations’ back-office systems are inwardly focused on internal employees and daily operations. Customers never use or even see these applications. Examples include supply chain management, accounting, human resources, and payroll. Back-office applications, typically called enterprise resource planning (ERP) systems, record sales and purchase transactions, update inventory, and cut employee and vendor paychecks. Invoices, receipts, and reports can also be produced by back-office systems. Unlike their client-facing brethren, back-office systems generate no revenue; they support cost centers.

The different scopes and audiences of these applications result in different rates of success. Client-facing systems fail much less often than back-office applications. By and large, the challenges faced by financial firms with respect to enterprise systems are not materially different than those faced by retail, health care, or government organizations.

Back-office systems support the entire enterprise, not simply one function. ERPs have to handle a number of disparate tasks, the vast majority of which tie back to the general ledger (GL). ERP systems are tightly coupled with one another. A problem in one area will almost always affect another.

On the other hand, client-facing applications can be considered “best of breed” and often do not need to integrate with other applications. They typically are designed to accomplish one or a limited number of specific objectives: transferring funds, buying and selling stocks, and the like. Handling stock trades or dividends, for example, is much less demanding than managing an entire supply chain or paying employees in 48 states and seven countries. As a result of this limited integration, their development cycles are much shorter and their failure rates much lower.

SOA AND SOX

Two recent and seemingly unrelated events have coalesced, resulting in more efficient software development and fewer system failures. The first is the advent of SOA, which provides methods for systems development and integration in which systems group functionality around business processes and package these as interoperable services. SOA also describes IT infrastructure that allows different applications to exchange data with one another as they participate in business processes. Service-orientation aims at a loose coupling of services with operating systems, programming languages, and other technologies which underlie applications.

On the regulatory front, due to SOX requirements, many financial firms no longer attempt to create their own internal systems. SOX’s increased audit requirements have resulted in many financial services firms using independent software vendors (ISVs) to build proprietary systems. Firms such as Infosys specialize in making or selling software, designed for mass marketing or for niche markets.

Due to the arrival of both SOA and SOX, many financial firms have abandoned internal application development and now deal almost exclusively with ISVs, who observe the following cardinal rules with regard to software development: Issues found later in an application’s development cycle are exponentially more time-consuming and expensive to fix than issues found at the beginning of the cycle. Unlike off-the-shelf applications, software developers can essentially build anything. Software engineers and coders do best with pristine development specifications, allowing them to accurately build the applications and functionality desired.

This second point is critical. Management at financial firms typically realizes that ISVs require comprehensive development specifications. Equipped with them, ISVs are able to build, and modify, applications more rapidly to better meet the needs of firms and their clients. This minimizes the traditional back-and-forth and decreases the amount of time required for financial firms to realize a return on investment (ROI) on their new applications. These successes build upon each other. The bank that successfully rolls out an ISV-created application is encouraged to develop more applications.

From a systems development perspective, the cumulative effects of SOA and SOX have been largely positive. Many financial firms that had historically created their own systems often failed for one simple reason: the best programmers and developers tend to work for software companies, not financial firms.

Financial firms that contract ISVs to create specific, client-facing applications typically realize a number of significant benefits.

LESS RISK WITH ISVs

Weinrib Partners, a fictitious hedge fund, wants to create an application allowing its investors to wire money from banks directly to the fund. Weinrib’s managers decide to outsource development to an ISV. The application has one very specific purpose and the managers can very clearly articulate the application’s requirements to an ISV which, in turn, expedites development. Testing should manifest any and all issues because of the application’s singular purpose.

Weinrib launches its application to clients who no longer have to write and mail checks to deposit funds. It is important to note that Weinrib owns the application created by the ISV. As a result, Weinrib can control the application’s customizations and enhancements. If Weinrib’s customers request that the application integrates with QuickBooks and Microsoft Money, for example, then Weinrib can approach its ISV immediately about making this change.

Contrast the system ownership model with the traditional ERP purchase and support model. Organizations that utilize SAP or Oracle as an enterprise system have no control over its delivered functionality. End-users can always submit vendor “enhancement requests,” but there is no guarantee that they will be adopted in future releases of the application. What’s more, IT departments that customize ERPs face a number of significant obstacles. For one, customizations typically invalidate vendor support agreements. Second, making a tweak to a general ledger program, for example, may break something else. Enterprise systems are very involved and contain many interdependencies. Finally, even a successfully implemented customization may go by the wayside after an upgrade or service patch.

In April of 2008, PNC completed its acquisition of Sterling Financial Corp. While there were many reasons for the merger, one of the more overlooked ones involved technology. Specifically, Sterling’s internal systems had become antiquated. Its senior management realized that the necessary investment to upgrade them would be cost-prohibitive.

Sterling is not alone in this regard. Many financial institutions have realized that the old maxim applies: “If you can’t beat ’em, join ’em.” Organizations with antiquated client-facing systems cannot re-tool by simply making a few, relatively inexpensive enhancements. More often than not, a complete overhaul is necessary. At a minimum, most financial systems today must comply with SOX requirements, integrate with external banks, offer customers a powerful and user-friendly experience, and ward off increasing security threats. Beyond these requirements, applications often need to do more. Rather than merely transfer funds, many applications offer data mining and business intelligence (BI) capability and allow agents, bankers, and other personnel the ability to customize offerings based on the individual customer’s financial situation. Added to this, organizations’ IT budgets are under a microscope.

CONCLUSION

While there is no secret sauce to building and implementing client-facing systems, financial firms tend to minimize failure rates by utilizing ISVs and extensively documenting business requirements. Seasoned ISVs allow firms to quickly create and roll out custom applications that can increase firm revenue, profitability, and ROI. With respect to enterprise and back office systems, however, financial firms should not try to build from scratch. They realize no competitive advantage from payroll vendors or employees. In this sense, financial firms tend to have many of the same issues as the rest of the corporate world.

Financial Services Security Frauds In India – A Threat Or Just A Myth

What is the nature of the threat?

A recent survey by KPMG says that there is a shift in the nature of the industry which is facing security threats. Some four years back it was the IT outsourcing industry and the retail industry which were most prone to data theft. But now the picture has changed. Most of the frauds uncovered recently have been faced by companies dealing in financial services. Banking/Insurance/mutual funds/AMCs are the first category of companies facing threats. Next come NBFCs, investment banks, venture capitalists and private equity. The other categories mentioned in the survey are Media/Software, Retail/Consumer products, Foods/Beverages, Transportation, Power/Energy.

The threat perception of these sectors is relatively higher, mainly on account of the nature of their businesses and the high growth rates experienced by these sectors in the last few years.

Why are organizations threatened by fraud?

According to the survey, a lack of ethical values has been identified as one of the main reasons for frauds in organizations. Some of the other reasons can be listed as follows:

– dissatisfaction among employees

– poor internal controls

– lack of ethical values

– collusion between vendors and employees

– inadequate background checks on prospective employees

– management override of controls

How were these frauds detected?

The majority of these frauds were detected by a company’s own internal audit or by a third party. Some of the other ways in which an organization lost its revenue and the loss came to light have been through:

– expense accounts

– false or incorrect information

– personal use of official assets

– forged documents

– secret commissions / kickbacks

– cheque forgery

– false financial statements

– IP infringement

What is the attitude of organizations toward fraud?

Earlier the trend was that organizations seemed to be more reactive when these frauds occurred. But over the years there has been a shift in the attitude of organizations toward fraud. Now they are becoming more proactive in their approach.

Most of these companies now have either a code of conduct or an ethics policy in place as a proactive measure to reduce the risk of fraud.

How can the fraud risks be mitigated?

Most of the companies in India are now undertaking serious steps to ensure the minimum risk of fraud in outsourced financial services. Some of them are:

– Pre-employment background checks

– Regular fraud risk assessments

– Data analysis tools

– Fraud management systems

– Data mining tools

In addition, all individual employees are now being provided with proper channels to report any kind of fraud threat at the right time. Some of them are:

– Emails

– Direct approach

– Anonymous letter/call

– Hotlines

– Grapevine

What is the effect of the frauds, real as well as perceived?

Outsourcing to India, China, Russia, etc. is really no different from sending data to what were once called service bureaus or what we now call application service providers. It has been done for years and the onus has always been on the financial services firm to make sure it does its due diligence before selecting a partner. The security threats these vendors face overseas are the same threats securities firms themselves face when data is housed on site. As a result, proper firewalls and a formal data security policy have to be in place to prevent hacking, viruses or confiscation of data. The primary concern, we found, is that executives don’t like the idea of sending their data to a location where their competitors’ data is also being stored. This is an understandable concern, but again, it is no different from sending your back-office data to ADP, which processes a good deal of the industry’s trades, or to SunGard for data storage and back-up.

The real fear revolves around apprehension about people and what they might do with the data, such as selling it to a competitor. There are certainly unscrupulous people everywhere, and quite a few in the US securities industry. Anyone can steal information or data and sell it to competitors or use it for their own personal advantage. However, it’s no more or less likely to happen overseas. The concerns about outsourcing security have been exaggerated. This issue revolves more around the anger of losing American jobs, fear of the unknown, and, unfortunately, slight prejudice.

How is India fighting back?

A recent sting operation in the UK by Channel 4 has shown the seamier side of doing outsourcing business with India. However, in India there were mixed reactions.

The Indian outsourcing trade body, Nasscom, and some senior company executives in India were worried that the program, and sting operations in the past, would damage the country’s reputation as a location with an abundant supply of low-cost, skilled labour that delivers quality service to overseas customers. Nasscom said that it had asked Channel 4 to provide details of the allegations but that the request had so far been refused. “We are concerned about the verifiability of such stories, especially sting operations where monetary inducements were provided,” said Kiran Karnik, president of Nasscom.

Industry executives in India are suggesting that repeated sting operations are being undertaken against the Indian industry with the specific aim of maligning its reputation. The fear among the Indian companies is that western customers will hesitate to outsource after India is repeatedly projected as a risky outsourcing destination. Much to its embarrassment, the industry has recently been hit by a series of security breaches.

The industry is scrambling to counter the perception of fraud. Companies have joined in setting up a national skills registry, an online directory for industry workers that would contain information about individual workers’ professional, educational and personal backgrounds. The information is verified by an independent agency but owned by the individual. So far, 25,000 workers have registered for independent checks and biometric identification introduced earlier this year.

Whether real or perceived, no industry can be completely free from fraud. The opportunity of outsourcing financial services to India is tremendous. The next ten years will see exponential growth in the industry. So don’t let a few cases dampen your enthusiasm for utilizing the tremendous capability of India as an outsourcing destination.

Tablet PC Software Discussions

On the Internet, you will find tablet PC software discussions with experts on products and technologies including Windows XP, Windows Mobile devices, Internet Explorer, Windows Media, digital photography and security.

Individual PCs require constant maintenance to keep them at an acceptable level of performance. The consequences of inadequate or no maintenance are all too familiar: freeze-ups, disk errors, and worse.

The first program I install on any new computer ….. Diskeeper 2008 Pro represents a quantum leap in system performance, enabling you to run your computer at the peak of its potential, 100% of the time, and for the life of your systems.

Have a look at PC software discussions on ultra-mobile PC software. You’ll find professional software that caters for ink-enabled forms, medical, dental, pharmaceuticals, real estate, architectural and financial services software.

The tablet PC provides all the power of a standard Microsoft Windows based notebook computer, plus additional features that improve mobility, including touch screen, handwriting and speech recognition.

Technical enthusiasts and other home users are meeting on the Internet every day in active online communities to share ideas, experience, and knowledge about the Microsoft tablet PC and other products and services.

The Internet is the best place to learn about tablet PCs, with discussions, forums, FAQs, news, information, commercial announcements and ads on tablet PC software. Learn from others with a tablet PC at the Tablet PC Buzz.

You will find tablet PC software discussions on ultra-mobile PC software on the web. Why not join the forums, read the FAQs, and learn as much as you need to about this powerful personal computer? It might be exactly what you’re looking for.