Logical IT Security, by Prashant Mali (www.cyberlawconsulting.com). Presentation transcript:
Business Objectives To retain competitive advantage and to meet basic business requirements, organizations must: ensure the integrity of information stored on their computer systems; preserve the confidentiality of sensitive data; ensure the continued availability of their information systems; and ensure conformity to laws, regulations, and standards.
Session Agenda 1. Components of a Security Policy 2. Paths of Logical Access 3. Logical Access Issues and Exposures 4. Access Control Software 5. Logical Security Features, Tools, and Procedures 6. Auditing Logical Access
Security Policy requirement Security losses can be costly to a business: there is the loss caused by the failure itself, the cost of recovering from the incident, and then further cost to secure the systems and prevent a recurrence. A well-defined set of security policies and procedures can prevent such losses and save money.
Security Policy - Components Management support and commitment; access philosophy; compliance with relevant regulations; access authorization; reviews of access authorization; security awareness; role of the security administrator; security committee.
Paths of Logical Access Logical access to the computer can be gained through several avenues, and each avenue needs an appropriate level of security. Methods of access include: the operator console; online terminals; batch job processing; dial-up ports; the telecommunications network.
Logical Access Exposures Inadequate logical access controls increase the potential for losses. The resulting exposures range from minor inconvenience to total shutdown of the computer system. They are grouped here as technical exposures, virus exposures, computer crime exposures, and agents of exposure.
Access Control Software Access control software is designed to prevent unauthorized access to data, unauthorized use of system functions and programs, and unauthorized changes to data, and to detect and report unauthorized attempts to access computer resources. Topics: access control software tasks; access control software functions; authorization components; decentralized and remote processing issues.
Logical Security Features Two-phase user identification/authentication process; logging of computer access; computer features that bypass security; data classification; safeguarding confidential data on a PC; naming conventions for access controls.
Auditing Logical Access Evaluating logical access controls; reviewing reports from access control software; data ownership issues; bypassing of security controls.
Management Support Management Support and Commitment Management must demonstrate a concern for security Management must clearly approve and support formal security awareness and training. This may require special management security training since security is not necessarily a part of management expertise.
Access Philosophy Access to computerized resources and information must be granted on a documented need-to-know, need-to-do basis only: a user who has no need to see or change a resource should not be able to reach it at all.
Compliance Compliance with Relevant Legislation and Regulations The policy should state that compliance is required with all relevant legislation, such as that requiring confidentiality of personal information, or specific regulations relating to particular industries; e.g. banking or financial institutions.
Access Authorization The data owner or manager who is responsible for the accurate use and reporting of the information should provide written authorization for users to gain access to computerized information. The manager should give this documentation directly to the security administrator so mishandling or alteration of the authorization does not occur.
Reviews of Access Authorization Like any other control, access controls should be evaluated regularly to ensure that they are still effective. Personnel and departmental changes, malicious efforts and just plain carelessness can impact the effectiveness of access controls. The security manager, with the assistance of the managers who provide access authorization, should review the access controls. Any access exceeding the need-to-know, need-to-do philosophy should be changed accordingly.
Raising Security Awareness Distribution of a written security policy; regular training for new employees, users, and support staff; non-disclosure statements signed by employees; use of newsletters, web pages, and videos to promulgate security awareness; visible enforcement of security rules; simulated security incidents to improve security procedures; rewards for employees who report suspicious events; periodic audits.
Employee Responsibilities Reading the security policy; keeping logon-IDs and passwords secret; reporting suspected violations of security to the security administrator; maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing door lock combinations, and questioning unfamiliar people; conforming to local laws and regulations; adhering to privacy regulations with regard to confidential information (health, legal, etc.).
Employee Responsibilities Non-employees with access to company systems should also be held accountable for security policies and responsibilities. These include contract employees, vendors, programmers/analysts, maintenance personnel and clients.
Role of Security Administrator The security administrator, typically a member of the IS department, is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. In a large organization the security administrator is usually a full-time function; in a small organization someone may perform this function alongside other, non-conflicting responsibilities.
Role of Security Administrator For proper segregation of duties, the security administrator should NOT be: responsible for updating application data; an end user; an application programmer; a computer operator; a data entry clerk.
Security Committee Security guidelines, policies, and procedures affect the entire organization and as such should have the support and suggestions of end users, executive management, security administration, IS personnel, and legal counsel. Individuals representing various management levels should meet as a committee to discuss these issues and establish security practices. The committee should be formally established with appropriate terms of reference and regular minuted meetings with action items, which are followed up on at each meeting.
Operator Console These privileged computer terminals control most computer operations and functions. Most operator consoles do not have strong logical access controls yet provide a high level of system access, a high-risk combination. These terminals should be placed in a suitably controlled facility so that physical access can be gained only by authorized personnel.
Online Terminal Online access to computer systems through terminals typically requires entry of at least a logon-ID and password. May also require further entry of authentication or identification data for access to specific application systems. Personal Computers (PCs) are often used as online access terminals through terminal emulation software. This poses a particular risk as the PCs can be programmed to store and recall user access codes and passwords.
Batch Job Processing This mode of access is indirect since access is achieved via processing of transactions. It involves accumulating input transactions and processing them as a batch after a given interval of time or after a certain number of transactions. Security is achieved by restricting who can accumulate transactions (data entry clerks) and who can initiate batch processing (computer operators or the automatic job scheduling system) Additionally, procedures and authorization to manipulate accumulated transactions prior to processing the batch should be carefully controlled.
Dial-up Ports Involves hooking a remote terminal or PC to a telephone line and gaining access to the computer by dialing a telephone number that is connected to the computer. Security is achieved by providing a means of identifying the remote user to determine authorization to access. This may be done by means of a call-back feature, use of logon-ID and password, use of access control software, or by requiring a computer operator to verify the identity of the caller and then provide the connection to the computer.
Telecommunications Network Involves linking a number of computer terminals or PCs to the host computer through a network of telecommunication lines. The telecommunication lines may be private (dedicated to one user) or public, such as the public switched network. Security should be provided in the same manner as applied to online terminals.
Technical Exposures Technical Exposures involve unauthorized or unintentional implementation or modification of data and software. Data Diddling - Involves changing data before or as it is entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect data.
Technical Exposures Trojan Horses Involves hiding malicious, fraudulent code in an authorized computer program. This hidden code is executed whenever the authorized program is executed. A classic case is the Trojan horse in a payroll calculating program that shaves a barely noticeable amount off each paycheck and credits it to the perpetrator's payroll account.
Technical Exposures Logic Bombs The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future. They are very difficult to detect before they blow up; thus of all the computer crime schemes they have the greatest potential for damage. Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator. Could also be used in extortion schemes.
Technical Exposures Rounding Down Involves drawing off small fractions of money from a computerized transaction or account and rerouting this amount to the perpetrators account. Since the amounts are so small, they are rarely noticed. For example, if a transaction amount were Rs.12,30,456.39, the rounding down technique may round the transaction to Rs. 12,30,456.35
Technical Exposures Salami Techniques Involves slicing small amounts of money from a computerized transaction or account and is similar to the rounding-down technique. For example, if a transaction amount were Rs.12,30,456.39, the salami technique truncates the last few digits from the transaction amount so that it becomes Rs. 12,30,… or Rs. 12,30,…, depending on the calculation built into the program, and the difference is diverted.
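The rounding-down and salami schemes on the two slides above, together with the reconciliation control that exposes them, as an added Python example (not code from the presentation). The batch of amounts is constructed; the "legitimate" posting rule (half-up to the nearest paisa) and the 5-paise rounding grain are assumptions chosen to reproduce the slide's Rs.12,30,456.39 to Rs.12,30,456.35 figure. Money is handled as Decimal throughout, because a float cannot represent 0.01 exactly and would itself introduce rounding residue.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

PAISA = Decimal("0.01")
FIVE_PAISE = Decimal("0.05")

# Constructed batch of transaction amounts in rupees (strings, so nothing passes through float).
SAMPLE_BATCH = ["1230456.39", "100.07", "2500.01", "99.99"]


def _d(x) -> Decimal:
    return Decimal(str(x))


def post_honestly(amount) -> tuple:
    """Legitimate posting rule (assumed): round half-up to the nearest paisa. Returns (posted, residue)."""
    amount = _d(amount)
    posted = amount.quantize(PAISA, rounding=ROUND_HALF_UP)
    return posted, amount - posted


def post_rounding_down(amount) -> tuple:
    """Rounding-down scheme: post the amount rounded DOWN to the nearest 5 paise; the rest is diverted."""
    amount = _d(amount)
    posted = (amount / FIVE_PAISE).to_integral_value(rounding=ROUND_DOWN) * FIVE_PAISE
    return posted, amount - posted


def post_salami(amount) -> tuple:
    """Salami scheme: truncate the paise entirely; the slice is diverted."""
    amount = _d(amount)
    posted = amount.to_integral_value(rounding=ROUND_DOWN)
    return posted, amount - posted


def run_batch(amounts, scheme) -> tuple:
    """Run a batch through a posting rule. Returns (total posted, total diverted) as strings."""
    posted = diverted = Decimal(0)
    for a in amounts:
        p, d = scheme(a)
        posted += p
        diverted += d
    return str(posted), str(diverted)


def reconcile(amounts, posted_total) -> str:
    """Detective control: an independent recomputation with the legitimate rule, compared with
    what the program actually posted. The difference is exactly the money that left the ledger;
    for a clean batch it is zero."""
    expected = sum((post_honestly(a)[0] for a in amounts), Decimal(0))
    return str(expected - _d(posted_total))


def skew(amounts, scheme) -> str:
    """Second control: honest rounding residues go both ways and net to about zero, whereas a
    scheme that only ever rounds in the perpetrator's favour leaves residues of one sign only."""
    residues = [scheme(a)[1] for a in amounts]
    one_sided = all(r >= 0 for r in residues) and any(r > 0 for r in residues)
    return "one-sided" if one_sided else "balanced"


if __name__ == "__main__":
    for name, scheme in (("honest", post_honestly), ("rounding-down", post_rounding_down), ("salami", post_salami)):
        posted, diverted = run_batch(SAMPLE_BATCH, scheme)
        print(f"{name:14s} posted={posted} diverted={diverted} "
              f"reconciliation gap={reconcile(SAMPLE_BATCH, posted)} residues={skew(SAMPLE_BATCH, scheme)}")
```

The reconciliation only works if the recomputation is independent of the program under suspicion (a different program, ideally a different team), which is the same segregation-of-duties point the security administrator slides make.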
Technical Exposures Worms These are destructive programs that may destroy data or consume tremendous communication resources. Unlike viruses they do not attach themselves to or change other programs; they run independently, replicate on their own, and travel from machine to machine across network connections. Worms may also have portions of themselves, called segments, running on different machines.
On 2 November 1988, Robert Tappan Morris, a graduate student at Cornell University, released a program that spawned copies of itself and spread throughout the network. Within hours the worm had invaded an estimated 2,000 to 6,000 computers, about 10% of the Internet at the time. Because of a flaw in its reinfection check it also repeatedly reinfected systems it had already compromised, which overloaded them. When Morris saw the damage that was taking place, a message was posted on the Net with instructions for disabling the worm, but by then the damage was done. In 1990 Morris was convicted under the Computer Fraud and Abuse Act and sentenced to three years' probation, 400 hours of community service and a fine of $10,050.
Technical Exposures Trap Doors Are exits out of an authorized program that allow for insertion of specific logic, such as program interrupts, to permit a review of data during processing. These holes also permit insertion of unauthorized logic.
Technical Exposures Asynchronous Attacks These occur in multiprocessing environments where data moves asynchronously (one character at a time, framed with start and stop bits), so that many transmissions must queue and wait for the line to be free. Data waiting in such queues, or held between the moment a request is checked and the moment it is acted on, is susceptible to unauthorized reading or substitution; this is the asynchronous attack. Such attacks may be committed via hardware, typically a small pin-like insertion into a cable, and are extremely hard to detect.
Technical Exposures Data Leakage Involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.
Technical Exposures Wire-tapping - involves eavesdropping on information transmitted over transmission lines. Also known as sniffing. Piggybacking - is an act of following an authorized person through a secured door or electronically attaching to an authorized telecommunication link.
Technical Exposures Shut down of the Computer Can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up lines) to the computer. Only individuals having high-level systems logon-ID can usually initiate the shut down process. Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.
Technical Exposures Denial of Service Attack This is an attack that disrupts or completely denies service to legitimate users, networks, systems, or other resources. The intent of any such attack is usually malicious in nature and often takes little skill because the requisite tools are readily available.
Viruses Viruses are the colds and flus of computer security: ubiquitous, at times impossible to avoid despite the best efforts, and often very costly to an organization's productivity.
Viruses Viruses are a significant and very real logical access issue. The term virus is a generic term applied to a variety of malicious computer program code that is inserted into other executable code and can self-replicate and spread from computer to computer. Traditional viruses attach themselves to other executable code, infect the user's computer, replicate themselves on the user's hard disk, and then damage data, the hard disk, or files.
How many viruses are there? By early 2002, there were more than 15,000 computer viruses ! The huge number is explained in part by the ease with which potential viral writers can get the tools and actual viral code to work with, either from the Internet or other channels. In May 1997, the Digital Hackers Alliance announced the availability of a CD-ROM with over 10,000 viruses. They also offered to give the first 100 customers a collection of 50 virus creation tools free of charge.
Viruses Viruses usually attack the following parts of the computer: executable program files (.exe or .com files), which account for 85% of all viruses (program viruses); the file-directory system that tracks the location of all the computer's files (the FAT); the boot and system areas needed to start the computer (e.g. the Michelangelo virus); and documents, via macro viruses (Microsoft Word viruses such as Concept and Wazzu).
Viruses Can a virus infect data files? Some viruses (e.g., Frodo, Cinderella) modify non- executable files. However, in order to spread, the virus code must be executed. Therefore "infected" non-executable files cannot be sources of further infection. Such "infections" are usually mistakes, due to bugs in the virus. However, there is an increasing possibility of viruses spreading through the sharing of data files.
Viruses Viruses can spread rapidly via: removable drives, 62%; an unlabelled category on the slide, 20%; downloads, 11%; web browsing, 5%; shrink-wrapped software, 2%.
Anti-Virus Policies Build any system from original, clean master copies. Boot only from original diskettes whose write-protection has always been in place. Allow no disk to be used until it has been scanned on a stand-alone machine that is used for no other purpose and is not connected to the network. Update virus scanning definitions regularly. Write-protect all diskettes holding .exe and .com files. Have vendors run demonstrations on their machines, not yours.
Anti-Virus Policies Enforce a rule of not using shareware without first scanning the shareware thoroughly for a virus. Insist that field technicians scan their disks on a test machine before they use any of their disks on the system. Ensure that the network administrator uses workstation and server anti-virus software. Ensure that all servers are equipped with an activated current release of the anti-virus software. Educate users so they will heed these policies.
Anti-Virus - Hardware Tactics Use workstations without floppy drives. Use boot virus protection (i.e. built-in firmware-based virus protection) Use remote booting. Use a hardware-based password. Use write-protect tabs on floppy disks.
What is the best Anti-virus program? None! Different products are more or less appropriate in different situations, but in general you should build a cost-effective strategy based on multiple layers of defence. There are three main kinds of anti-virus software: Scanners Activity Monitoring Programs Integrity Checkers
Anti-Virus Software Scanners These look for sequences of bits called signatures that are typical of virus programs. Scanners examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus. Scanners therefore need to be updated frequently to be effective. Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk Software's F-PROT, McAfee's VirusScan
Anti-Virus Software Activity Monitoring Programs Intercept DOS and ROM basic input/output system (BIOS) calls, looking for virus-like actions such as attempts to write to another executable, reformat the disk, etc. Activity monitors can be annoying because they cannot distinguish between a user's request and a program's or virus's request. As a result, users are constantly asked to confirm actions like formatting a disk or deleting a file or set of files. Examples: SECURE and FluShot+
Anti-Virus Software Integrity Checkers These compute a small checksum or hash value (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. This catches unknown viruses as well as known ones and thus provides generic detection. Examples: ASP Integrity Toolkit (commercial), and Integrity Master and VDS (shareware)
Anti-Virus Software Integrity checkers are considered to be the strongest line of defence against computer viruses, because they are not virus-specific and can detect new viruses without being constantly updated. However, they should not be considered as an absolute protection--they have several drawbacks, cannot identify the particular virus that has attacked the system, and there are successful methods of attack against them too.
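The two detection approaches described above, the signature scanner of the Scanners slide and the checksum-based integrity checker of the last two slides, as a small added Python example (not code from the presentation or from any of the products it names). The "virus signature" is a constructed, harmless byte string, the files are written to a temporary directory, and the scenario is invented to show the difference the slides describe: the scanner finds the known strain and misses the new one, while the integrity baseline catches both but cannot say which virus it was. SHA-256 is used instead of CRC because a CRC value is easy to forge.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed, harmless byte pattern standing in for a real virus signature (assumption).
SIGNATURES = {"DEMO-VIRUS-A": b"\x4d\x5a\x90\x00DEMO-PAYLOAD-MARKER"}


def scan_file(path) -> list:
    """Scanner: report every known signature whose bytes occur anywhere in the file.
    It can only find what is in SIGNATURES, which is why scanners need constant updates."""
    data = Path(path).read_bytes()
    return [name for name, sig in SIGNATURES.items() if sig in data]


def baseline(paths) -> dict:
    """Integrity checker, phase 1: record a digest of each file while it is presumed clean.
    The baseline must be kept where the virus cannot rewrite it (write-protected, off-line)."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def check_integrity(base: dict) -> list:
    """Integrity checker, phase 2: recompute and report files that changed or vanished."""
    changed = []
    for path, digest in base.items():
        if not os.path.exists(path) or hashlib.sha256(Path(path).read_bytes()).hexdigest() != digest:
            changed.append(path)
    return sorted(changed)


def demo() -> dict:
    """Constructed scenario: two 'executables', one hit by a known virus and one by an unknown one."""
    with tempfile.TemporaryDirectory() as d:
        known = Path(d, "payroll.exe")
        unknown = Path(d, "ledger.com")
        known.write_bytes(b"\x4d\x5a" + b"\x00" * 32)      # fake MZ header, constructed
        unknown.write_bytes(b"\xb8\x4c\x00\xcd\x21")         # fake tiny .com program, constructed
        base = baseline([known, unknown])
        clean_run = check_integrity(base)                    # nothing has changed yet
        # Infection 1: a virus whose signature is on file appends itself to payroll.exe.
        known.write_bytes(known.read_bytes() + SIGNATURES["DEMO-VIRUS-A"])
        # Infection 2: a brand-new strain with no signature on file appends itself to ledger.com.
        unknown.write_bytes(unknown.read_bytes() + b"\x90" * 8 + b"NEW-STRAIN")
        return {
            "clean_run": clean_run,
            "scan_known": scan_file(known),
            "scan_unknown": scan_file(unknown),
            "integrity": [Path(p).name for p in check_integrity(base)],
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s}: {v}")
```

The integrity checker's weakness follows from the code: it says only that a file changed, not why, so every legitimate update (patch, recompile) needs the baseline refreshed, and a virus that can rewrite the baseline file defeats it; that is the "methods of attack against them" the slide alludes to.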
Anti-Virus Software Modification Detectors Some modification detectors provide HEURISTIC DISINFECTION. Sufficient information is saved for each file so that it can be restored to its original state in the case of the great majority of viral infections, even if the virus is unknown. Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD module of V-Care and ThunderByte's TbClean.
Anti-Virus Software Virus Removal Once a virus has been detected, an eradication program can be used to wipe the virus from the hard disk. Sometimes eradication programs can kill a virus without having to delete the infected program or data file, while other times those infected files must be deleted. Inoculators are programs which will not allow a program to be run if it contains a virus.
Is Windows a Virus? No, Windows is not a virus. Here's what viruses do: They replicate quickly - okay, Windows does that. Viruses use up valuable system resources, thereby slowing down the system - okay, Windows does that. Viruses will, from time to time, crash your hard disk - okay, Windows does that too. Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too. Viruses will occasionally make the user suspect their system is too slow, and the user will buy new hardware. Yup, Windows does that, too.
Is Windows a Virus? Until now it seems Windows is a virus but there are fundamental differences: Viruses are well supported by their authors, Run on most systems, Their program code is fast, compact and efficient They tend to become more sophisticated as they mature. Conclusion : Windows is not a virus. It's a bug !!
Computer Crime Exposures Committing crimes that exploit the computer and the information it contains can be damaging to the reputation, morale and very existence of an organization. Threats to the business include the following: Financial Loss - These losses can be direct, through loss of electronic funds or indirect, through the costs of correcting the exposure.
Computer Crime Exposures Legal Repercussions There are numerous privacy and human rights laws to consider when developing security policies. Not having proper security measures could expose the organization to lawsuits from investors and insurers. Most companies must also comply with industry-specific regulatory agencies. The IS auditor should obtain legal assistance when reviewing the legal issues associated with computer security.
Computer Crime Exposures Loss of Credibility or Competitive Edge Many organizations, especially service firms such as banks, financial institutions need credibility and public trust to maintain a competitive edge. A security violation can severely damage this credibility resulting in loss of business and prestige.
Computer Crime Exposures Blackmail / Industrial Espionage By gaining access to confidential information or the means to adversely impact computer operations, a perpetrator can extort payments or services from an organization by threatening to exploit the security breach. Some perpetrators may not be looking for financial gain. They merely want to cause damage due to dislike of the organization or for self-gratification.
Agents of Exposures Hackers Hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles. They usually do not access a computer with the intent of destruction; however, this is quite often the result.
Agents of Exposures Employees / IS Personnel These individuals have the easiest access to computerized information since they are the custodians of this information. In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals.
Agents of Exposures Interested or Educated Outsiders: competitors; foreigners; organized criminals; crackers (paid hackers working for a third party); phreakers (hackers attempting to gain access to the telephone/communication system).
Access Control Software Generally performs the following tasks: verification of the user; authorization of access to defined resources; restriction of users to specific terminals; reports on unauthorized attempts to access computer resources, data or programs.
Access Control Software Provides the following functions for verifying user authorization: at sign-on, at the network and subsystem level; at the application and transaction level; within the application; at the field level, for changes within a database; and verification of the user's subsystem authorization at the file level.
Access Control Software Authorization Components Logon-IDs and user authentication; limitation of specific logon-IDs to specific terminals; limitation based on predetermined times; limitation to specific tasks initiated from a predefined library; establishing rules of access; creation of individual accountability and auditability; logging events; logging user activities; reporting capabilities.
Access Control Software The following computerized files and facilities should be protected by logical access controls: system software; data; application software; telecommunication lines; libraries; the password library; tape files; procedure libraries.
Access Control Software Advantages of Decentralized Environment The security administration is on site at the distributed location Security issues can be resolved in a more timely manner Security controls are monitored on a more frequent basis
Access Control Software Risks related to the Decentralized Environment The possibility that local standards might be implemented rather than those required by the organization. Levels of security management might be below that which can be maintained by a central administration. Distributed security administration requires a greater degree of management checks and audit by central administration to ensure standards are maintained.
Access Control Software Issues related to Remote Processing Environment Software controls over access to the computer, data files and remote access to the network should be implemented. Access from remote locations via modems and laptops to other computers should be controlled appropriately. Supervisory controls should be established over terminal and computer operations at remote locations When replicated files exist at multiple locations, controls should ensure that all files used are correct and current.
Identification / Authentication The two-phase user identification/authentication process consists of the following: Identification - users must identify themselves to the access control software by name or account number. Authentication - users must prove they are who they claim to be. Authentication is itself a two-step process: the software first verifies that the claimed identity exists and is valid (not disabled or locked), then verifies the authentication data held for that identity, such as the password the user was previously given.
Identification / Authentication For example, users may provide the following: remembered information such as a name, account number, and password (something you know); possessed objects such as a badge, plastic card, or key (something you have); personal characteristics such as a fingerprint, voice, or signature (something you are).
Features of Passwords A password should be easy for the user to remember but difficult for a perpetrator to guess. When the user logs on for the first time, the system should force a password change. If the wrong logon-ID or password is entered, say, three times, the account should be locked out. Passwords should be stored only in one-way encrypted (salted, hashed) form, never in clear text. Passwords should be changed regularly. Passwords should not be shared.
Syntax of Passwords Ideally, passwords should be 5 to 8 characters in length (the minimum of this era; today a longer passphrase is far stronger, as the crack-time figures that follow show). They should combine alphabetic (upper and lower case) and numeric characters, and the system should allow special characters such as &^%$. Passwords should not be identifiable with the user, such as a first name, spouse's name or pet's name, and should not be common names or dictionary terms. The system should not permit previous passwords to be used again.
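The two-phase identification/authentication process and the password features and syntax rules from the last four slides, as one added Python example (not code from the presentation). It assumes a minimum length of 8, a history depth of 5 and a tiny stand-in dictionary; the hashing is PBKDF2-HMAC-SHA256 with a per-user random salt, which is what "internally one-way encrypted" means in practice. Unknown logon-IDs and wrong passwords return the same answer, and an unknown ID still costs a hash computation, so an attacker cannot use the response or its timing to enumerate valid IDs.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MAX_FAILURES = 3          # lock the logon-ID on the third wrong password, as the slide suggests
HISTORY_DEPTH = 5         # previous passwords that may not be reused (assumption)
MIN_LENGTH = 8            # the slide says 5 to 8; 8 is used as the floor here (assumption)
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = bytes(16)
TINY_DICTIONARY = {"password", "welcome", "letmein"}   # stand-in for a real word list (assumption)


@dataclass
class Account:
    logon_id: str
    salt: bytes
    digest: bytes
    must_change: bool = True                      # forced change on first logon
    failures: int = 0
    locked: bool = False
    history: list = field(default_factory=list)   # (salt, digest) pairs of earlier passwords


def one_way(password: str, salt: bytes) -> bytes:
    """Passwords are never stored; only a salted, deliberately slow one-way hash is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def syntax_problems(password: str, logon_id: str) -> list:
    """The syntax rules from the slide, returned as a list of violations (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if logon_id.lower() in password.lower():
        problems.append("contains the logon-ID")
    if password.lower() in TINY_DICTIONARY:
        problems.append("dictionary word")
    return problems


class Directory:
    def __init__(self):
        self.accounts = {}

    def create(self, logon_id: str, initial_password: str) -> None:
        salt = os.urandom(16)
        self.accounts[logon_id] = Account(logon_id, salt, one_way(initial_password, salt))

    def logon(self, logon_id: str, password: str) -> str:
        """Phase 1 identifies the logon-ID, phase 2 authenticates the password.
        Returns 'ok', 'must-change', 'denied' or 'locked'."""
        acct = self.accounts.get(logon_id)
        if acct is None:
            one_way(password, DUMMY_SALT)        # spend the same time as a real check
            return "denied"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(one_way(password, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failures = 0
        return "must-change" if acct.must_change else "ok"

    def change_password(self, logon_id: str, old: str, new: str) -> list:
        """Returns the reasons the change was refused; an empty list means it succeeded."""
        acct = self.accounts.get(logon_id)
        if acct is None or acct.locked or not hmac.compare_digest(one_way(old, acct.salt), acct.digest):
            return ["old password not accepted"]
        problems = syntax_problems(new, logon_id)
        for salt, digest in acct.history + [(acct.salt, acct.digest)]:
            if hmac.compare_digest(one_way(new, salt), digest):
                problems.append("reuses a previous password")
                break
        if problems:
            return problems
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
        acct.salt = os.urandom(16)
        acct.digest = one_way(new, acct.salt)
        acct.must_change = False
        return []
```

The history check has to re-hash the candidate under each old salt, which is why the history is bounded; an implementation that stored old passwords reversibly to make this cheaper would defeat the one-way rule it is enforcing.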
Password combinations A 4-digit numeric password could be cracked on a modest PC in 0.02 seconds, faster than you can blink. Increasing the length from 4 digits to 6 multiplies the search space, and so the time to crack, by 100: 2 seconds. Increasing again from 6 to 8 digits multiplies it by 100 once more: 200 seconds, a little over 3 minutes.
Password Combinations (5 - 8 characters) Character set versus time to crack: numeric; single-case alpha; single-case alpha and numeric; single-case alpha, numeric and special; mixed-case alpha, numeric and special. The slide's time column reads, in part, 3.7 mins, 5.4 mins, 24 mons and 32.2 yrs, but the row-to-time pairing is not recoverable here; the point of the slide is that each added character class multiplies the search space and takes the crack time from minutes to decades.
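The arithmetic behind the two slides above, as an added Python example (not code from the presentation). The guessing rate of 500,000 per second is an assumption derived from the slide's own figure (10,000 four-digit PINs in 0.02 s); at that rate a 5-to-8-character numeric password takes 3.7 minutes, which matches the slide's first time value. The example also lets you re-run the table at a rate you supply, because the slide's rate is decades old; the 10^10 per second figure used for comparison is an order-of-magnitude assumption for a single modern GPU against a fast unsalted hash, not a measurement.

```python
import string

# Rate implied by the slide: 10^4 four-digit PINs in 0.02 s = 500,000 guesses per second (assumption).
SLIDE_RATE = 500_000
# Order-of-magnitude assumption for one modern GPU against a fast unsalted hash, for comparison only.
GPU_RATE = 10_000_000_000

CHARACTER_CLASSES = {
    "numeric": len(string.digits),
    "single-case alpha": len(string.ascii_lowercase),
    "single-case alpha, numeric": len(string.ascii_lowercase + string.digits),
    "single-case alpha, numeric, special": len(string.ascii_lowercase + string.digits + string.punctuation),
    "mixed-case alpha, numeric, special": len(string.ascii_letters + string.digits + string.punctuation),
}


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def crack_seconds(alphabet_size: int, min_len: int, max_len: int, rate: int = SLIDE_RATE) -> float:
    """Worst case: the attacker tries every candidate (on average it takes half this)."""
    return keyspace(alphabet_size, min_len, max_len) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, like the slide's mins/mons/yrs column."""
    units = (("years", 365 * 86400), ("months", 30 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2f} seconds"


def table(min_len: int = 5, max_len: int = 8, rate: int = SLIDE_RATE) -> list:
    """One (class name, alphabet size, human time) row per character class."""
    return [(name, size, human(crack_seconds(size, min_len, max_len, rate)))
            for name, size in CHARACTER_CLASSES.items()]


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(f"{n}-digit PIN: {human(crack_seconds(10, n, n))}")
    for label, rate in (("slide rate", SLIDE_RATE), ("10^10 guesses/s", GPU_RATE)):
        print(f"--- 5 to 8 characters at {label} ---")
        for name, size, t in table(rate=rate):
            print(f"{name:38s} ({size:2d} symbols): {t}")
```

Two things the table makes visible that the slide does not: length beats character-class breadth (each extra character multiplies the space by the alphabet size, each extra class adds only a few symbols to it), and the whole table collapses by four to five orders of magnitude at the GPU rate, which is why the offline cracking scenario is what the slow, salted hash in the previous slides' storage rule is defending against.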
Real World Scenario L0pht Heavy Industries, a group of hackers who have turned their expertise into a security consulting business, claim that during a corporate audit they performed for a large high technology company, they cracked 90% of the passwords in under 48 hours on a Pentium II/300. They further state that 18% of the passwords were cracked under 10 minutes !
Password Dilemma The best password is one that can't be guessed. If a password can't be guessed, it is probably difficult to remember. If a password is hard to remember, the user will probably write it down somewhere. If a password is written down, it is probably no longer secure.
Session Controls Logon-Ids not used for a number of days should be deactivated to prevent misuse. This can be done automatically by the system or manually by the security administrator. The system should automatically disconnect a logon session if no activity has occurred for a period of time. This reduces the risk of misuse of an active logon session left unattended because the user left for lunch or for a meeting.
Data File Access Access to data files can be granted at different levels: read, inquiry, or copy only; write, create, update, or delete only; execute.
Logging Computer Access Computer access and attempted access violations can be automatically logged by the computer and reported. The security administrator should review the access report and look for: Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application Violations such as attempting computer file access that is not authorized and/or use of incorrect passwords.
Access Violations The violation should be referred to the security administrator. The security administrator should investigate and determine the severity of the violation. If the violation is serious, executive management should be notified. They are normally responsible for notifying law enforcement agencies. Written guidelines should exist that identify various types and levels of violations and how they will be addressed. Disciplinary action should be a formal process that is consistently applied. Corrective measures should include review of access rules.
Bypassing Security Generally, only system programmers should have access to these features: Bypass Label Processing (BLP) - BLP bypasses computer reading of the file label. Since most access control rules are based on file names (labels), this can bypass access security. System Exits - This system software feature permits the user to perform complex system maintenance which may be tailored to a specific environment. Special System Logon-Ids - These logon-Ids are often provided by the vendor and are the same for all similar systems. The passwords should be changed immediately upon installation.
Data Classification The National Institute of Standards and Technology (NIST) describes the following four classifications: Sensitive : Applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness. For example passwords, encryption parameters, etc.
Data Classification Confidential Applies to the most sensitive business information that is intended strictly for use within an organization. Its unauthorized disclosure could seriously and adversely impact the organizations image in the eyes of the public. For example application program source code, project documentation, etc.
Data Classification Private Applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and / or its customers. For example customer account data, messages, etc.
Data Classification Public Applies to data that can be accessed by the public but can be updated/modified by authorized people only. For example company web pages, monetary transaction limit data, etc.
PC Security Issues Sensitive data should not be stored on a PC. The simplest and most effective way to secure data and software is to remove the storage medium, such as disk, cassette or tape from the machine when it is not in use and lock it in a safe. Vendors offer lockable enclosures, clamping devices and cable fastening devices that help prevent equipment theft. The computer can also be connected to a security system that sounds an alarm if the equipment is moved. Passwords can be allocated to individual files to prevent them from being opened by an unauthorized person.
PC Security Issues Preventing the theft of data is virtually impossible. The medium itself is inexpensive, but the data residing on disks may be vital to the company. A practical solution is to record all sensitive data on removable hard drives, which are more easily secured than fixed or floppy disks. Preventive controls such as encryption become more important for protecting sensitive data in the event the PC or laptop is lost, stolen, or sold. Other procedures may require that the PC or laptop be used only in a physically secured area and not be taken from that location.
Naming Conventions On larger mainframe and minicomputer systems, access control naming conventions are structures used to govern user access to the system and user authority to access or use computer resources. The owners of the data or application, along with the help of the security administrator, usually set up the naming conventions. It is important to establish naming conventions that both promote the implementation of efficient access rules and simplify security administration.
Naming Conventions Naming conventions for system resources such as datasets, volumes, programs, and terminals are an important prerequisite for efficient administration of security controls. Naming conventions can be structured so that resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which, in turn, facilitates security administration and maintenance efforts.
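The two slides above describe generic rules keyed on a high-level qualifier. The following is an added illustration, not code from the presentation or from any particular access control product: a small rule engine in which a profile with a generic pattern such as PAYROLL.** protects every dataset under that qualifier, the most specific matching profile wins, and a resource with no profile is denied. Dataset names, group names, the pattern syntax (`*` for one qualifier, `**` for the remainder) and the profiles are all constructed for the example.

```python
"""Generic access rules keyed on a dataset naming convention.

Added illustration, not from the presentation: a small rule engine in the
style of mainframe access control products. Dataset names, group names,
pattern syntax and profiles are constructed sample data.
"""
from dataclasses import dataclass, field

# Access levels ordered from weakest to strongest.
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}


@dataclass
class Profile:
    pattern: str                                      # e.g. "PAYROLL.**" or "PAYROLL.MASTER.DATA"
    access_list: dict = field(default_factory=dict)   # group -> access level
    uacc: str = "NONE"                                # default for groups not on the access list


def matches(pattern: str, resource: str) -> bool:
    """True when the pattern covers the resource.

    Qualifiers are compared one by one: a literal must match exactly,
    '*' matches exactly one qualifier and '**' matches everything that follows.
    """
    pq = pattern.split(".")
    rq = resource.split(".")
    for i, q in enumerate(pq):
        if q == "**":
            return True
        if i >= len(rq) or (q != "*" and q != rq[i]):
            return False
    return len(pq) == len(rq)


def specificity(pattern: str) -> int:
    """Rank patterns so that the most specific one wins (more literals, no '**')."""
    parts = pattern.split(".")
    literals = sum(1 for q in parts if q not in ("*", "**"))
    return literals * 2 + (0 if "**" in parts else 1)


def find_profile(profiles, resource):
    """Select the most specific profile covering the resource, or None."""
    candidates = [p for p in profiles if matches(p.pattern, resource)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: specificity(p.pattern))


def check_access(profiles, resource, groups):
    """Return the access level the user's groups get on the resource.

    Only the best-matching profile is consulted (no fall-through to a more
    generic one), and a resource with no profile at all is denied.
    """
    prof = find_profile(profiles, resource)
    if prof is None:
        return "NONE"          # undefined resource: fail closed
    levels = [prof.access_list.get(g, prof.uacc) for g in groups] or [prof.uacc]
    return max(levels, key=ACCESS_LEVELS.__getitem__)


def rules_needed(profiles, resources):
    """Compare one-rule-per-dataset administration with generic profiles."""
    covered = [r for r in resources if find_profile(profiles, r) is not None]
    return {"discrete_rules": len(resources), "generic_profiles": len(profiles),
            "covered": len(covered)}


# Constructed sample: three profiles protect all payroll and system datasets.
PROFILES = [
    Profile("PAYROLL.**", {"PAYROLL_CLERKS": "READ", "PAYROLL_MGRS": "UPDATE"}),
    Profile("PAYROLL.MASTER.*", {"PAYROLL_MGRS": "UPDATE"}),   # clerks drop to UACC NONE here
    Profile("SYS1.**", {"SYSPROG": "ALTER"}),
]

SAMPLE_DATASETS = [
    "PAYROLL.HISTORY.2023", "PAYROLL.HISTORY.2024", "PAYROLL.MASTER.DATA",
    "PAYROLL.MASTER.BACKUP", "SYS1.PARMLIB", "SYS1.LINKLIB",
]

if __name__ == "__main__":
    for ds in SAMPLE_DATASETS:
        print(ds, "->", find_profile(PROFILES, ds).pattern,
              "clerk:", check_access(PROFILES, ds, {"PAYROLL_CLERKS"}))
    print(rules_needed(PROFILES, SAMPLE_DATASETS))
```

The point of `rules_needed` is the slide's claim in numbers: six datasets are covered by three profiles, and adding a seventh payroll dataset needs no new rule as long as it follows the naming convention. The PAYROLL.MASTER.* profile shows the other side of the coin: a more specific profile overrides the generic one entirely, so an administrator must make sure its access list is complete rather than expecting the generic rule to fill the gaps.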
Evaluating Logical Access When evaluating logical access controls, the IS Auditor should: Obtain a general understanding of the security risks facing information processing through a review of relevant documentation, inquiry, observation, risk assessment, and evaluation techniques. Document and evaluate controls over potential access paths into the system to assess the adequacy, efficiency, and effectiveness by reviewing appropriate hardware and software security features and identifying deficiencies or redundancies.
Evaluating Logical Access Test controls over access paths to determine that they are functioning and effective by applying appropriate audit techniques. Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence. Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures and comparing them with appropriate security standards and procedures.
Evaluating Logical Access Familiarization with the IS Processing Environment: This is the first step of the audit and involves obtaining a clear understanding of the technical, managerial and security environment of the IS facility. This typically includes interviews, physical walkthroughs, review of documents and risk assessments.
Document the Access Paths The access path is the logical route the end user takes to access computerized information. It starts with a terminal and typically ends with the data being accessed. The IS Auditor should evaluate each component for proper implementation and proper physical and logical access security. A typical sequence of the components follows: Terminal A terminal is used by an end user to sign on. It should be physically secured, and the logon-Id and password should be subject to the conditions outlined in the security policy.
Document the Access Paths Telecommunications Software It intercepts the logon to direct it down the appropriate telecommunications link. The telecom software can restrict terminals to specific data or application software. A key audit issue with telecom software is to ensure all applications have been defined to the software and the various optional telecom control and processing features used are appropriate and approved by management. This analysis typically requires the help of a system software analyst.
Document the Access Paths Transaction Processing Software This software routes transactions to the appropriate application software. Key audit issues include ensuring proper identification / authentication of the user, and authorization of the user to gain access to the application. This analysis is performed by reviewing internal tables that reside in the transaction processing software or in the system security software. Access to these should be restricted to the security administrator.
Document the Access Paths Application Software The application software processes transactions in accordance with program logic. Audit issues include restricting access to the production software library to only the implementation coordinator.
Document the Access Paths Database Management Software The DBMS software directs access to the computerized information. Audit issues include ensuring that all data elements are identified in the data dictionary, that access to the data dictionary is restricted to the DBA, and that all data elements are subject to logical access control.
Document the Access Paths Access Control Software The access control software can wrap logical access security around all the above components. This is done via internal security tables. Audit issues include ensuring all the above components are defined to the access control software, providing access control rules that define who can access what on a need-to-know basis, and restricting access to the security tables to the security administrator.
Conduct Reviews Reports from Access Control Software The reporting features of Access Control Software provide the security administrator with the opportunity to monitor adherence to security policies. By reviewing a sampling of reports, the IS Auditor can determine if enough information is provided to support an investigation and if the security administrator is performing an effective review of the report. Unsuccessful access attempts should be reported and should identify the time, terminal, logon and file or data element for which access was attempted.
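The slide above says an unsuccessful access report should identify the time, terminal, logon and the file or data element, and that the auditor should judge whether the report supports an investigation. The following is an added example, not from the presentation or any product: it reads a constructed violation report, rejects records that lack one of those four attributes, and pulls out the items an administrator would investigate first (repeated denials by one logon and denials outside business hours). The field labels (TERM, LOGON, RESOURCE, RESULT), the business-hours window and every record are constructed for the example.

```python
"""Review of an access control software violation report.

Added example, not from the presentation: parses a constructed report of
access attempts, checks that every record carries the time, terminal, logon
and resource the auditor needs, and flags what deserves investigation.
Field labels, thresholds and all records are constructed.
"""
from collections import Counter
from datetime import datetime

REQUIRED = ("time", "terminal", "logon", "resource")
# Maps the report's own field labels (constructed) onto the audit attributes.
FIELD_MAP = {"TERM": "terminal", "LOGON": "logon", "RESOURCE": "resource", "RESULT": "result"}
BUSINESS_HOURS = (8, 18)     # denied attempts outside 08:00-18:00 get a second look

# Constructed sample report: one logon hammering a payroll file, one late-night
# attempt, and one record that omits the terminal.
SAMPLE_REPORT = """\
2024-03-04 09:15:02 TERM=T0417 LOGON=JSMITH RESOURCE=PAYROLL.MASTER.DATA RESULT=DENIED
2024-03-04 09:15:40 TERM=T0417 LOGON=JSMITH RESOURCE=PAYROLL.MASTER.DATA RESULT=DENIED
2024-03-04 09:16:11 TERM=T0417 LOGON=JSMITH RESOURCE=PAYROLL.MASTER.BACKUP RESULT=DENIED
2024-03-04 10:02:55 TERM=T0102 LOGON=ARAO RESOURCE=HR.SALARY RESULT=DENIED
2024-03-04 10:03:10 TERM=T0102 LOGON=ARAO RESOURCE=HR.SALARY RESULT=GRANTED
2024-03-04 22:05:00 TERM=T0999 LOGON=BKUMAR RESOURCE=PAYROLL.MASTER.DATA RESULT=DENIED
2024-03-04 23:41:07 LOGON=OPER1 RESOURCE=SYS1.PARMLIB RESULT=DENIED
"""


def parse_record(line):
    """Turn one report line into a dict; the first two tokens are the timestamp."""
    tokens = line.split()
    if len(tokens) < 3:
        return {}
    rec = {"time": f"{tokens[0]} {tokens[1]}"}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        if value and key in FIELD_MAP:
            rec[FIELD_MAP[key]] = value
    return rec


def missing_fields(rec):
    """Attributes the report must supply before an investigation is possible."""
    return [f for f in REQUIRED if f not in rec]


def review_report(text, threshold=3):
    """Summarise denied attempts, incomplete records and items to investigate."""
    denied, incomplete, after_hours = [], [], []
    per_logon = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        missing = missing_fields(rec)
        if missing:
            # A record that cannot be traced to a terminal or logon is itself a finding.
            incomplete.append({"line": line, "missing": missing})
            continue
        if rec.get("result") != "DENIED":
            continue
        denied.append(rec)
        per_logon[rec["logon"]] += 1
        hour = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S").hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            after_hours.append(rec["logon"])
    repeated = sorted(l for l, n in per_logon.items() if n >= threshold)
    return {"denied": denied, "incomplete": incomplete,
            "repeated": repeated, "after_hours": after_hours}


if __name__ == "__main__":
    summary = review_report(SAMPLE_REPORT)
    print("denied attempts:", len(summary["denied"]))
    print("repeated offenders:", summary["repeated"])
    print("after hours:", summary["after_hours"])
    print("incomplete records:", summary["incomplete"])
```

Two things the auditor learns from running this over a sample of real reports: whether the report format itself is adequate (the `incomplete` list should be empty; if the product can be configured to omit the terminal, that configuration is the finding), and whether the administrator's review is effective (the `repeated` and `after_hours` items should already have been followed up in the administrator's own notes).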
Conduct Reviews Application System Operations Manual The application systems manual should contain documentation on the programs that are generally used throughout a data processing installation to support the development, implementation, operations, and use of application systems. This manual should include information about which platform the application can run on, database management systems, compilers, interpreters, telecom monitors and other applications that can run with the application.
Conduct Reviews Written Policies, Procedures, and Standards Policies and procedures provide the framework and guidelines for maintaining proper operation and control. The IS Auditor should review the policies and procedures to determine if they set the tone for proper security and provide a means for assigning responsibility for maintaining a secured computer processing environment.
Conduct Reviews Formal Security Training Effective security will always be dependent on people. Security can only be effective if people know what is expected of them and what their responsibilities are. They should know why various security measures, such as locked doors and the use of logon-Ids, are in place and the repercussions of violating security. Employees should be encouraged to identify and report possible security violations. Training should start with new employee orientation or induction and should be an ongoing process.
Data Ownership Data ownership refers to the classification of the data elements and the allocation of responsibility for ensuring that they are kept confidential, complete, and accurate. A key point of ownership is that by assigning responsibility for protecting computer data to particular employees, accountability is established. By interviewing a sampling of data owners, the IS Auditor can determine if they are aware of their data ownership duties. The IS Auditor should review the classification of data and evaluate its appropriateness.
Data Ownership Data Owners These are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring access rules are updated when personnel changes occur and regularly inventorying access rules for the data for which they are responsible. Data Custodians These people are responsible for storing and safeguarding the data and include IS personnel such as systems analysts and computer operators.
Data Ownership Data Users Data users, often referred to as end users, are the actual users of the computerized data. Their levels of access should be authorized by data owners and restricted and monitored by the security administrator. Security Administrator Security administrators are responsible for providing adequate physical and logical security for IS programs, data, and equipment. Normally the security policy will provide basic guidelines under which the security administrator will operate.
Data Ownership Documented Authorizations Data access should be identified and authorized in writing. The IS Auditor can review a sample of these authorizations to determine if the proper level of written authority was provided. Access Standards Access Standards should be reviewed by the IS Auditor to ensure that they meet organizational objectives for separating duties, that they prevent fraud or error and that they meet policy requirements for minimizing the risk of unauthorized access.
Bypass Security Features
Typically include:
Bypass label processing
Special system maintenance logon-Ids
Operating system exits
Installation utilities
I/O appendages
Bypass Security Features
Since bypass security features can be exploited by technically sophisticated intruders, the IS Auditor should be interested in compensating features, including the following:
All uses of these features should be logged, reported and investigated by the security administrator or system software manager.
Unnecessary bypass security features should be deactivated.
If possible, the bypass security features should be subject to additional logical access controls.
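The first compensating control above (log, report, investigate every use) only works if someone reconciles the log against what was actually authorized. The following is an added example, not from the presentation or any product, of that reconciliation: each logged use of a bypass feature is matched to an approved maintenance window and change ticket, and any use by someone outside the system programmer group is called out separately. The log format, feature names (BLP, SYSEXIT, SPECIAL_LOGON), logon-Ids, resource names, ticket numbers and approvals are all constructed for the example.

```python
"""Compensating control for bypass security features: log, report, reconcile.

Added example, not from the presentation: every use of a bypass feature is
written to a log; the security administrator reconciles the log against
approved maintenance windows and against the system programmer group.
Log format, feature names, logon-Ids, tickets and approvals are constructed.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed: the only logon-Ids that should ever invoke these features.
SYSTEM_PROGRAMMERS = {"SYSPROG1", "SYSPROG2"}

# Constructed approvals: (logon, feature, window start, window end, change ticket).
APPROVALS = [
    ("SYSPROG1", "BLP", "2024-03-04 02:00:00", "2024-03-04 04:00:00", "CHG-0001"),
    ("SYSPROG2", "SYSEXIT", "2024-03-05 01:00:00", "2024-03-05 03:00:00", "CHG-0002"),
]

# Constructed log of bypass feature invocations. The SYSEXIT use is a day
# early for its window; JSMITH and the vendor-style MAINT id have no approval.
BYPASS_LOG = """\
2024-03-04 02:15:33 LOGON=SYSPROG1 FEATURE=BLP RESOURCE=PAYROLL.MASTER.DATA
2024-03-04 02:16:10 LOGON=SYSPROG1 FEATURE=BLP RESOURCE=PAYROLL.MASTER.BACKUP
2024-03-04 11:40:02 LOGON=SYSPROG2 FEATURE=SYSEXIT RESOURCE=EXIT01
2024-03-04 13:05:47 LOGON=JSMITH FEATURE=BLP RESOURCE=HR.SALARY
2024-03-04 18:30:00 LOGON=MAINT FEATURE=SPECIAL_LOGON RESOURCE=SYS1.PARMLIB
"""


def parse_use(line):
    """One log line -> dict with a datetime and the KEY=VALUE fields lower-cased."""
    tokens = line.split()
    use = {"time": datetime.strptime(f"{tokens[0]} {tokens[1]}", FMT)}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        use[key.lower()] = value
    return use


def approval_for(use, approvals):
    """Return the change ticket covering this use, or None if nothing covers it."""
    for logon, feature, start, end, ticket in approvals:
        if (use["logon"] == logon and use["feature"] == feature
                and datetime.strptime(start, FMT) <= use["time"] <= datetime.strptime(end, FMT)):
            return ticket
    return None


def reconcile(log_text, approvals=APPROVALS, sysprogs=SYSTEM_PROGRAMMERS):
    """Split logged uses into approved and unapproved; note non-sysprog users."""
    result = {"approved": [], "unapproved": [], "not_system_programmer": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        use = parse_use(line)
        ticket = approval_for(use, approvals)
        entry = (use["time"].strftime(FMT), use["logon"], use["feature"], use["resource"])
        if ticket:
            result["approved"].append(entry + (ticket,))
        else:
            result["unapproved"].append(entry)
        if use["logon"] not in sysprogs:
            result["not_system_programmer"].append(use["logon"])
    return result


if __name__ == "__main__":
    report = reconcile(BYPASS_LOG)
    for key, rows in report.items():
        print(key)
        for row in rows:
            print("   ", row)
```

A use that is unapproved but made by a system programmer (SYSPROG2 outside its window) is a process finding to raise with the system software manager; a use by a logon that is not a system programmer at all (JSMITH, MAINT) is an access control finding, and for a vendor-supplied id like MAINT the first question is whether the third compensating control, additional logical access controls on the feature, was ever applied.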
Penetration Testing
Penetration tests, used by the IS Auditor, simulate techniques used by a hacker. Typical components of a penetration test include:
Attempting to guess passwords by using password cracking tools which generate passwords from dictionaries, common phrases, or combinations of letters and numbers.
Searching for programmer back doors into operations.
Attempting to overload communications software.
Exploiting known vulnerabilities in software.
Password Administration
Access controls and password administration are reviewed to determine that:
Procedures exist for adding individuals to the list of those authorized to have access to computer resources, changing their access capabilities and deleting them from the list.
Passwords are of adequate length, cannot be easily guessed and do not contain repeating characters.
Passwords are changed periodically.
Procedures provide for the suspension of user accounts, or the disabling of terminals, in case of security violations.
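The four review points above, as an added example that is not part of the presentation: a password quality check covering length, guessability against a word list and repeated characters, together with a minimal account registry that supports the add / change / delete procedures, periodic password change, and suspension after repeated violations. The minimum length, maximum age, violation limit and the tiny word list are constructed stand-ins for whatever the organization's own policy sets; a real check would use a proper dictionary.

```python
"""Password administration checks from the slide, as an added example.

Not from the presentation: thresholds and the word list are constructed
stand-ins for an organization's own policy values.
"""
import re
from datetime import date, timedelta

MIN_LENGTH = 8            # "adequate length" (constructed policy value)
MAX_AGE_DAYS = 90         # "changed periodically" (constructed policy value)
MAX_VIOLATIONS = 3        # suspend the account at this count (constructed)
# Constructed stand-in for a dictionary / common-phrase list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}


def password_problems(password, logon=""):
    """Return the list of policy rules the password breaks (empty means acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains dictionary word")
    if logon and logon.lower() in lowered:
        problems.append("contains logon id")
    if re.search(r"(.)\1{2,}", password):          # same character three or more times in a row
        problems.append("repeated character run")
    if re.fullmatch(r"[A-Za-z]+|[0-9]+", password):  # all letters or all digits is easy to guess
        problems.append("single character class")
    return problems


class AccountRegistry:
    """The authorized-user list the slide's procedures add to, change and delete from."""

    def __init__(self, today):
        self.today = today
        self.accounts = {}

    def add(self, logon, capabilities, password, changed=None):
        """Create the account only if the password passes policy; return the problems."""
        problems = password_problems(password, logon)
        if problems:
            return problems
        self.accounts[logon] = {
            "capabilities": set(capabilities),
            "password_changed": changed or self.today,
            "violations": 0,
            "suspended": False,
        }
        return []

    def change_capabilities(self, logon, capabilities):
        self.accounts[logon]["capabilities"] = set(capabilities)

    def delete(self, logon):
        self.accounts.pop(logon)

    def record_violation(self, logon):
        """Count a security violation; return True once the account is suspended."""
        acct = self.accounts[logon]
        acct["violations"] += 1
        if acct["violations"] >= MAX_VIOLATIONS:
            acct["suspended"] = True
        return acct["suspended"]

    def expired(self):
        """Logons whose password is older than the policy allows."""
        limit = timedelta(days=MAX_AGE_DAYS)
        return sorted(logon for logon, acct in self.accounts.items()
                      if self.today - acct["password_changed"] > limit)


if __name__ == "__main__":
    registry = AccountRegistry(date(2024, 3, 4))
    print(registry.add("JSMITH", ["READ"], "Tr0ub4dor&3"))          # []
    print(registry.add("ARAO", ["READ"], "welcome12"))              # ['contains dictionary word']
    print(registry.add("OPER1", ["UPDATE"], "Gx7#pL2q", changed=date(2023, 11, 1)))
    print("expired:", registry.expired())                           # ['OPER1']
```

An auditor reviewing password administration is really checking that something equivalent to each method here exists and is enforced by the system rather than by good intentions: `add` refusing a weak password, `expired` driving forced changes, and `record_violation` tying the suspension rule to the security-violation procedure.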