www.cyberlawconsulting.com
Logical IT Security
By Prashant Mali
Business Objectives
To retain competitive advantage and to meet basic business requirements, organizations must:
• Ensure the integrity of information stored on their computer systems
• Preserve the confidentiality of sensitive data
• Ensure the continued availability of their information systems
• Ensure conformity to laws, regulations, and standards.
Session Agenda
1. Components of a Security Policy
2. Paths of Logical Access
3. Logical Access Issues and Exposures
4. Access Control Software
5. Logical Security Features, Tools, and Procedures
6. Auditing Logical Access
Security Policy Requirement
• Security losses can be costly to business.
• Losses are suffered as a result of the failure itself, then as costs incurred while recovering from the incident, followed by further costs to secure the systems and prevent recurrence.
• A well-defined set of security policies and procedures can prevent losses and save money.
Security Policy - Components
• Management Support and Commitment
• Access Philosophy
• Compliance with Relevant Regulations
• Access Authorization
• Reviews of Access Authorization
• Security Awareness
• Role of Security Administrator
• Security Committee
Paths of Logical Access
Logical access into the computer can be gained through several avenues. Each avenue is subject to appropriate levels of security. Methods of access include the following:
• Operator Console
• Online Terminals
• Batch Job Processing
• Dial-up Ports
• Telecommunications Network
Logical Access Exposures
Inadequate logical access controls increase the potential for losses. These exposures can result in minor inconveniences or total shutdown of the computer system.
• Technical Exposures
• Virus Exposures
• Computer Crime Exposures
• Agents of Exposures
Access Control Software
Access control software is designed to prevent unauthorized access to data, unauthorized use of system functions and programs, and unauthorized changes to data, and to detect and prevent unauthorized attempts to access computer resources.
• Access Control Software tasks
• Access Control Software functions
• Access Control Software authorization components
• Decentralized / Remote Processing issues
Logical Security Features
• Two-phase User Identification / Authentication process
• Logging Computer Access
• Computer features that bypass security
• Data Classification
• Safeguarding Confidential Data on a PC
• Naming conventions for Access Controls
Auditing Logical Access
• Evaluating Logical Access Controls
• Review Reports from Access Control Software
• Data Ownership Issues
• Bypass Security Controls
Management Support and Commitment
Management must demonstrate a concern for security.
Management must clearly approve and support formal security awareness and training.
This may require special management security training, since security is not necessarily a part of management expertise.
Access Philosophy
Access to computerized resources and information must be based on a documented "need-to-know, need-to-do" basis only; the opposite "need-not-know" basis, where access is open unless someone objects, is not acceptable.
Compliance with Relevant Legislation and Regulations
The policy should state that compliance is required with all relevant legislation, such as that requiring confidentiality of personal information, or specific regulations relating to particular industries, e.g. banking or financial institutions.
Access Authorization
The data owner or manager who is responsible for the accurate use and reporting of the information should provide written authorization for users to gain access to computerized information.
The manager should give this documentation directly to the security administrator so that mishandling or alteration of the authorization does not occur.
Reviews of Access Authorization
Like any other control, access controls should be evaluated regularly to ensure that they are still effective.
Personnel and departmental changes, malicious efforts and just plain carelessness can impact the effectiveness of access controls.
The security manager, with the assistance of the managers who provide access authorization, should review the access controls.
Any access exceeding the "need-to-know, need-to-do" philosophy should be changed accordingly.
Raising Security Awareness
• Distribution of a written security policy.
• Training on a regular basis for new employees, users, and support staff.
• Non-disclosure statements signed by employees.
• Use of newsletters, web pages and videos to promulgate security awareness.
• Visible enforcement of security rules.
• Simulated security incidents to improve security procedures.
• Rewards for employees who report suspicious events.
• Periodic audits.
Employee Responsibilities
• Reading the security policy
• Keeping logon-IDs and passwords secret
• Reporting suspected violations of security to the security administrator
• Maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing access door lock combinations and questioning unfamiliar people
• Conforming to local laws and regulations
• Adhering to privacy regulations with regard to confidential information (health, legal, etc.)
Employee Responsibilities
Non-employees with access to company systems should also be held accountable for security policies and responsibilities.
These include contract employees, vendors, programmers/analysts, maintenance personnel and clients.
Role of Security Administrator
The security administrator, typically a member of the IS department, is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.
In large organizations the security administrator is usually a full-time function; in small organizations someone may perform this function alongside other non-conflicting responsibilities.
Role of Security Administrator
For proper segregation of duties, the security administrator should NOT be:
• responsible for updating application data
• an end user
• an application programmer
• a computer operator
• a data entry clerk
Security Committee
Security guidelines, policies, and procedures affect the entire organization and as such should have the support and suggestions of end users, executive management, security administration, IS personnel, and legal counsel.
Individuals representing various management levels should meet as a committee to discuss these issues and establish security practices.
The committee should be formally established with appropriate terms of reference and regular minuted meetings with action items, which are followed up on at each meeting.
Operator Console
These privileged computer terminals control most computer operations and functions.
Most operator consoles do not have strong logical access controls and provide a high level of computer system access - a high-risk combination.
These terminals should be placed in a suitably controlled facility so that physical access can only be gained by authorized personnel.
Online Terminals
Online access to computer systems through terminals typically requires entry of at least a logon-ID and password.
It may also require further entry of authentication or identification data for access to specific application systems.
Personal computers (PCs) are often used as online access terminals through terminal emulation software.
This poses a particular risk: the PC can be scripted to store and replay user access codes and passwords, so anyone who gets at the PC (or at a saved emulator session) inherits the user's access.
Batch Job Processing
This mode of access is indirect, since access is achieved via processing of transactions. It involves accumulating input transactions and processing them as a batch after a given interval of time or after a certain number of transactions.
Security is achieved by restricting who can accumulate transactions (data entry clerks) and who can initiate batch processing (computer operators or the automatic job scheduling system).
Additionally, procedures and authorization to manipulate accumulated transactions prior to processing the batch should be carefully controlled.
Dial-up Ports
Involves hooking a remote terminal or PC to a telephone line and gaining access to the computer by dialing a telephone number that is connected to the computer.
Security is achieved by providing a means of identifying the remote user to determine authorization to access.
This may be done by means of a call-back feature, use of a logon-ID and password, use of access control software, or by requiring a computer operator to verify the identity of the caller and then provide the connection to the computer.
Telecommunications Network
Involves linking a number of computer terminals or PCs to the host computer through a network of telecommunication lines.
The telecommunication lines may be private (dedicated to one user) or public, such as the public switched network.
Security should be provided in the same manner as applied to online terminals.
Technical Exposures
Technical exposures involve unauthorized or unintentional implementation or modification of data and software.
Data Diddling - Involves changing data before or as it is entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data.
Technical Exposures
Trojan Horses
Involves hiding malicious, fraudulent code in an authorized computer program.
This hidden code will be executed whenever the authorized program is executed.
A classic case is the Trojan horse in a payroll calculating program that shaves a barely noticeable amount off each paycheck and credits it to the perpetrator's payroll account.
Technical Exposures
Logic Bombs
The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future.
They are very difficult to detect before they blow up; thus, of all the computer crime schemes, they have the greatest potential for damage.
Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator.
Could also be used in extortion schemes.
Technical Exposures
Rounding Down
Involves drawing off small fractions of money from a computerized transaction or account and rerouting this amount to the perpetrator's account.
Since the amounts are so small, they are rarely noticed.
For example, if a transaction amount were Rs. 12,30,456.39, the rounding down technique may round the transaction to Rs. 12,30,456.35.
Technical Exposures
Salami Techniques
Involves slicing small amounts of money from a computerized transaction or account and is similar to the rounding down technique.
For example, if a transaction amount were Rs. 12,30,456.39, the salami technique truncates the last few digits from the transaction amount so that it becomes Rs. 12,30,456.30 or Rs. 12,30,456.00, depending on the calculation built into the program.
Technical Exposures
Worms
These are self-replicating programs that may destroy data or consume tremendous amounts of communication resources. Unlike viruses, they do not attach themselves to, or change, other programs.
Worms run independently and travel from machine to machine across network connections.
Worms may also have portions of themselves, called segments, running on different machines.
On 2 November 1988, Robert Tappan Morris, a graduate student at Cornell University, released a program which spawned copies of itself and spread throughout the network.
Within hours the worm had invaded an estimated 2,000 to 6,000 computers, about 10% of the Internet at the time. Because it kept reinfecting machines it had already compromised, the program also clogged every system it hit.
When Morris saw the damage that was taking place, he posted a message on the Net with instructions for disabling the worm. However, by then the damage was done. Morris was convicted under the Computer Fraud and Abuse Act and in May 1990 was sentenced to three years' probation, 400 hours of community service and a fine of $10,050.
Technical Exposures
Trap Doors
Are exits out of an authorized program that allow for insertion of specific logic, such as program interrupts, to permit a review of data during processing.
These holes also permit insertion of unauthorized logic.
Technical Exposures
Asynchronous Attacks
These occur in multiprocessing environments where requests are queued and data waits, asynchronously, for a processor, a line or a device to become free.
Data that is waiting in a queue, buffer or spool file is susceptible to unauthorized access or alteration between the time it is checked and the time it is actually used; exploiting that window is called an asynchronous attack.
Some variants are committed via hardware, such as small pin-like insertions into a cable, and are extremely hard to detect.
Technical Exposures
Data Leakage
Involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.
Technical Exposures
Wire-tapping - Involves eavesdropping on information transmitted over transmission lines. Also known as sniffing.
Piggybacking - Is the act of following an authorized person through a secured door, or electronically attaching to an authorized telecommunication link.
Technical Exposures
Shutdown of the Computer
Can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up lines) to the computer.
Only individuals having a high-level systems logon-ID can usually initiate the shutdown process.
Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.
Technical Exposures
Denial of Service Attack
This is an attack that disrupts or completely denies service to legitimate users, networks, systems, or other resources.
The intent of any such attack is usually malicious in nature, and it often takes little skill because the requisite tools are readily available.
Viruses
Viruses are the colds and flus of computer security: ubiquitous, at times impossible to avoid despite the best efforts, and often very costly to an organization's productivity.
Viruses
Viruses are a significant and very real logical access issue.
The term "virus" is a generic term applied to a variety of malicious computer program code inserted into other executable code that can self-replicate and spread from computer to computer.
Traditional viruses attach themselves to other executable code, infect the user's computer, replicate themselves on the user's hard disk and then damage data, the hard disk or files.
How many viruses are there?
By early 2002, there were more than 15,000 computer viruses!
The huge number is explained in part by the ease with which potential virus writers can get the tools and actual viral code to work with, either from the Internet or other channels.
In May 1997, the Digital Hackers' Alliance announced the availability of a CD-ROM with over 10,000 viruses. They also offered to give the first 100 customers a collection of 50 virus creation tools free of charge.
Viruses
Viruses usually attack the following parts of the computer:
• Executable program files (.exe or .com files) - 85% of all viruses are program viruses.
• File-directory system that tracks the location of all the computer's files (FAT table).
• Boot and system areas that are needed to start the computer (e.g. the Michelangelo virus).
• Macro viruses (Microsoft Word viruses such as Concept and Wazzu).
Viruses
Can a virus infect data files?
• Some viruses (e.g., Frodo, Cinderella) modify non-executable files.
• However, in order to spread, the virus code must be executed.
• Therefore "infected" non-executable files cannot be sources of further infection.
• Such "infections" are usually mistakes, due to bugs in the virus.
• The exception is a "data" file that carries executable content: a Word document with macros (the Concept and Wazzu viruses above) does spread infection when it is opened, so data files shared between users are an increasingly likely vector.
Viruses
Viruses can spread rapidly via:
• Removable drives - 62%
• Email - 20%
• Downloads - 11%
• Web browsing - 5%
• Shrink-wrapped software - 2%
Anti-Virus Policies
• Build any system from original, clean master copies.
• Boot only from original diskettes whose write-protection has always been in place.
• Allow no disk to be used until it has been scanned on a stand-alone machine that is used for no other purpose and is not connected to the network.
• Update virus scanning definitions regularly.
• Write-protect all diskettes containing files with .exe and .com extensions.
• Have vendors run demonstrations on their machines, not yours.
Anti-Virus Policies
• Enforce a rule of not using shareware without first scanning it thoroughly for viruses.
• Insist that field technicians scan their disks on a test machine before they use any of their disks on the system.
• Ensure that the network administrator uses workstation and server anti-virus software.
• Ensure that all servers are equipped with an activated, current release of the anti-virus software.
• Educate users so they will heed these policies.
Anti-Virus - Hardware Tactics
• Use workstations without floppy drives.
• Use boot virus protection (i.e. built-in firmware-based virus protection).
• Use remote booting.
• Use a hardware-based password.
• Use write-protect tabs on floppy disks.
What is the best Anti-virus program?
None!
Different products are more or less appropriate in different situations, but in general you should build a cost-effective strategy based on multiple layers of defence. There are three main kinds of anti-virus software:
• Scanners
• Activity Monitoring Programs
• Integrity Checkers
Anti-Virus Software
Scanners
These look for sequences of bits, called signatures, that are typical of virus programs.
Scanners examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus.
Scanners therefore need to be updated frequently to be effective. Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk Software's F-PROT, McAfee's VirusScan.
Anti-Virus Software
Activity Monitoring Programs
Interpret DOS and ROM basic input/output system (BIOS) calls, looking for virus-like actions such as attempts to write to another executable, reformat the disk, etc.
Activity monitors can be annoying because they cannot distinguish between a user's request and a program's or virus's request.
As a result, users are constantly asked to confirm actions like formatting a disk or deleting a file or set of files.
Examples: SECURE and FluShot+
Anti-Virus Software
Integrity Checkers
These compute a small checksum or hash value (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified.
This catches unknown viruses as well as known ones and thus provides "generic" detection.
Examples: ASP Integrity Toolkit (commercial), and Integrity Master and VDS (shareware)
Anti-Virus Software
Integrity checkers are considered to be the strongest line of defence against computer viruses, because they are not virus-specific and can detect new viruses without being constantly updated.
However, they should not be considered an absolute protection. They have several drawbacks: they cannot identify the particular virus that has attacked the system, and there are successful methods of attack against them. In particular, a plain CRC is not collision-resistant, so an infected file can be padded until its CRC matches the stored value; and if the baseline of checksums is stored where the attacker can write, it can simply be recomputed over the infected files. A cryptographic hash, and a baseline that is kept offline or authenticated with a key the attacker does not hold, close both gaps.
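The following is an added example (not code from the slides or from any of the products named above) of an integrity checker that addresses the two drawbacks just described: it uses SHA-256 rather than a CRC, and it authenticates the stored baseline with an HMAC so that an attacker who modifies a file cannot also rewrite its stored digest. The monitored directory, file names and "payroll" contents are constructed by the example itself.

```python
"""Keyed integrity checker (added example).  Builds a baseline of SHA-256
digests for a directory, re-hashes the files later to report modified,
added and missing files, and protects the baseline itself with HMAC-SHA256
under a key that is assumed to live off the monitored machine."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _entries(root: Path) -> Dict[str, str]:
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root: Path, key: bytes) -> bytes:
    """Serialize {path: digest} and authenticate it with HMAC-SHA256(key)."""
    entries = _entries(root)
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "mac": mac}).encode()


def verify(root: Path, key: bytes, baseline: bytes) -> Dict[str, object]:
    """Compare the directory against the baseline.  If the baseline's MAC does
    not check out, report only that: its contents cannot be trusted."""
    doc = json.loads(baseline)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    report: Dict[str, object] = {"baseline_ok": hmac.compare_digest(expected, doc["mac"]),
                                 "modified": [], "added": [], "missing": []}
    if not report["baseline_ok"]:
        return report
    old, new = doc["entries"], _entries(root)
    report["modified"] = sorted(p for p in old if p in new and old[p] != new[p])
    report["added"] = sorted(p for p in new if p not in old)
    report["missing"] = sorted(p for p in old if p not in new)
    return report


def demo():
    """Returns (clean check, check after a simulated infection, check against
    a baseline the attacker rewrote without the key)."""
    key = os.urandom(32)            # assumption: kept off the monitored machine
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll.exe").write_bytes(b"MZ original program")     # constructed
        (root / "config.ini").write_text("rate=1\n")                   # constructed
        baseline = build_baseline(root, key)
        clean = verify(root, key, baseline)

        # Simulated infection: program altered, a file dropped, a file removed.
        (root / "payroll.exe").write_bytes(b"MZ original program + trojan")
        (root / "extra.dll").write_bytes(b"dropped")
        (root / "config.ini").unlink()
        infected = verify(root, key, baseline)

        # Attacker rewrites the stored digest but does not hold the key.
        forged = json.loads(baseline)
        forged["entries"]["payroll.exe"] = file_digest(root / "payroll.exe")
        tampered = verify(root, key, json.dumps(forged).encode())
    return clean, infected, tampered


if __name__ == "__main__":
    for name, r in zip(("clean", "infected", "forged baseline"), demo()):
        print(name, r)
```

The forged baseline is rejected outright rather than partially trusted, because once the MAC fails nothing in it (including the list of files that should exist) is evidence of anything.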
Anti-Virus Software
Modification Detectors
Some modification detectors provide HEURISTIC DISINFECTION.
Sufficient information is saved for each file so that it can be restored to its original state in the case of the great majority of viral infections, even if the virus is unknown.
Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD module of V-Care and ThunderByte's TbClean.
Anti-Virus Software
Virus Removal
Once a virus has been detected, an eradication program can be used to wipe the virus from the hard disk.
Sometimes eradication programs can kill a virus without having to delete the infected program or data file, while at other times those infected files must be deleted.
Inoculators are programs which will not allow a program to be run if it contains a virus.
Is Windows a Virus?
No, Windows is not a virus. Here's what viruses do:
• They replicate quickly - okay, Windows does that.
• Viruses use up valuable system resources, thereby slowing down the system - okay, Windows does that.
• Viruses will, from time to time, crash your hard disk - okay, Windows does that too.
• Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
• Viruses will occasionally make the user suspect their system is too slow and the user will buy new hardware. Yup, that's with Windows, too.
Is Windows a Virus?
So far it seems Windows is a virus, but there are fundamental differences:
• Viruses are well supported by their authors,
• Run on most systems,
• Their program code is fast, compact and efficient,
• They tend to become more sophisticated as they mature.
Conclusion: Windows is not a virus. It's a bug!!
Computer Crime Exposures
Committing crimes that exploit the computer and the information it contains can be damaging to the reputation, morale and very existence of an organization. Threats to the business include the following:
Financial Loss - These losses can be direct, through loss of electronic funds, or indirect, through the costs of correcting the exposure.
Computer Crime Exposures
Legal Repercussions
There are numerous privacy and human rights laws to consider when developing security policies.
Not having proper security measures could expose the organization to lawsuits from investors and insurers.
Most companies must also comply with industry-specific regulatory agencies.
The IS auditor should obtain legal assistance when reviewing the legal issues associated with computer security.
Computer Crime Exposures
Loss of Credibility or Competitive Edge
Many organizations, especially service firms such as banks and financial institutions, need credibility and public trust to maintain a competitive edge.
A security violation can severely damage this credibility, resulting in loss of business and prestige.
Computer Crime Exposures
Blackmail / Industrial Espionage
By gaining access to confidential information or the means to adversely impact computer operations, a perpetrator can extort payments or services from an organization by threatening to exploit the security breach.
Some perpetrators may not be looking for financial gain. They merely want to cause damage due to dislike of the organization or for self-gratification.
Agents of Exposures
Hackers
Hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles. They usually do not access a computer with the intent of destruction; however, this is quite often the result.
Agents of Exposures
Employees / IS Personnel
These individuals have the easiest access to computerized information since they are the custodians of this information.
In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals.
Agents of Exposures
Interested or Educated Outsiders
• Competitors
• Foreigners
• Organized criminals
• Crackers (paid hackers working for a third party)
• Phreakers (hackers attempting access into the telephone/communication system)
Access Control Software
Generally performs the following tasks:
• Verification of the user
• Authorization of access to defined resources
• Restriction of users to specific terminals
• Reports on unauthorized attempts to access computer resources, data or programs
Access Control Software
Provides the following functions for verifying user authorization:
• To sign on at the network and subsystem level
• At the application and transaction level
• Within the application
• At the field level for changes within a database
• Verify subsystem authorization for the user at the file level
Access Control Software
Authorization Components
• Logon-IDs and user authentication
• Limitation to specific terminals for specific logon-IDs
• Limitation based on predetermined times
• Specific tasks to be initiated from a predefined library
• Establishing rules of access
• Creation of individual accountability and auditability
• Logging events
• Logging user activities
• Reporting capabilities
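To show how the authorization components above fit together, here is an added example (not code from the slides or from any access control product) of a small rule engine: each logon-ID is tied to the terminals it may use, the hours it may sign on and its permissions on each resource, every decision is logged for individual accountability, and anything not explicitly granted is denied. The logon-IDs, terminal names, resources and hours are invented for illustration.

```python
"""Authorization rule set with terminal, time-of-day and permission checks
plus an event log (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass
class Rule:
    terminals: Set[str]                # terminals this logon-ID may sign on from
    hours: Tuple[int, int]             # permitted window, 24h clock, [start, end)
    permissions: Dict[str, Set[str]]   # resource -> permissions granted


@dataclass
class AccessControl:
    rules: Dict[str, Rule]
    log: List[str] = field(default_factory=list)   # every decision, allowed or not

    def check(self, logon_id: str, terminal: str, resource: str,
              permission: str, when: datetime) -> bool:
        """Decide, log the event with the reason, and return the decision."""
        allowed, reason = self._decide(logon_id, terminal, resource, permission, when)
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{when:%Y-%m-%d %H:%M} {verdict} {logon_id}@{terminal} "
                        f"{permission} {resource} ({reason})")
        return allowed

    def _decide(self, logon_id, terminal, resource, permission, when):
        rule = self.rules.get(logon_id)
        if rule is None:
            return False, "unknown logon-ID"
        if terminal not in rule.terminals:
            return False, "terminal not permitted for this logon-ID"
        start, end = rule.hours
        if not start <= when.hour < end:
            return False, "outside permitted hours"
        if permission not in rule.permissions.get(resource, set()):
            return False, "permission not granted"      # default deny
        return True, "rule matched"


def build_demo() -> AccessControl:
    """Constructed rule set: a payroll clerk and an auditor (hypothetical)."""
    return AccessControl({
        "clerk01": Rule(terminals={"T101"}, hours=(9, 17),
                        permissions={"PAYROLL.DAT": {READ, WRITE}}),
        "auditor1": Rule(terminals={"T200", "T201"}, hours=(8, 18),
                         permissions={"PAYROLL.DAT": {READ}, "PAYROLL.EXE": {EXECUTE}}),
    })


def at(hour: int) -> datetime:
    """Timestamp helper for the sample day used below."""
    return datetime(2024, 3, 4, hour, 0)


if __name__ == "__main__":
    ac = build_demo()
    ac.check("clerk01", "T101", "PAYROLL.DAT", WRITE, at(10))     # allowed
    ac.check("clerk01", "T999", "PAYROLL.DAT", WRITE, at(10))     # wrong terminal
    ac.check("clerk01", "T101", "PAYROLL.DAT", WRITE, at(22))     # after hours
    ac.check("auditor1", "T200", "PAYROLL.DAT", WRITE, at(10))    # read-only user
    print("\n".join(ac.log))
```

The denial reasons in the log are what the reporting component feeds on: a burst of "terminal not permitted" or "outside permitted hours" entries for one logon-ID is exactly the pattern the access report review later in this deck is meant to surface.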
Access Control Software
Following is a list of computerized files and facilities that should be protected by logical access controls:
• System software
• Data
• Application software
• Telecommunication lines
• Libraries
• Password library
• Tape files
• Procedure libraries
Access Control Software
Advantages of a Decentralized Environment
• The security administration is on site at the distributed location
• Security issues can be resolved in a more timely manner
• Security controls are monitored on a more frequent basis
Access Control Software
Risks related to the Decentralized Environment
• The possibility that local standards might be implemented rather than those required by the organization.
• Levels of security management might be below that which can be maintained by a central administration.
• Distributed security administration requires a greater degree of management checks and audit by central administration to ensure standards are maintained.
Access Control Software
Issues related to the Remote Processing Environment
• Software controls over access to the computer, data files and remote access to the network should be implemented.
• Access from remote locations via modems and laptops to other computers should be controlled appropriately.
• Supervisory controls should be established over terminal and computer operations at remote locations.
• When replicated files exist at multiple locations, controls should ensure that all files used are correct and current.
Identification / Authentication
The two-phase user identification/authentication process consists of the following:
Identification - Users must identify themselves to the access control software by name or account number (the logon-ID). This is only a claim of identity.
Authentication - Users must prove they are who they claim to be. The software first checks that the claimed logon-ID is valid and active, and then verifies the authentication data presented for it (something the user knows, has, or is).
Identification / Authentication
For example, users may provide the following:
• Remembered information such as name, account number, and password (something the user knows)
• Possessed objects such as a badge, plastic card or key (something the user has)
• Personal characteristics such as fingerprint, voice, and signature (something the user is)
Features of Passwords
• A password should be easy for the user to remember but difficult for the perpetrator to guess.
• When the user logs on for the first time, the system should force a password change.
• If the wrong logon-ID or password is entered, say, three times, the account should be locked out.
• Passwords should be stored only as one-way hashes (salted and computed with a deliberately slow function), never in a recoverable form.
• Passwords should be changed regularly (current guidance such as NIST SP 800-63B favours changing them on evidence of compromise rather than on a fixed schedule).
• Passwords should not be shared.
Syntax of Passwords
• Ideally, passwords should be 5 to 8 characters in length (today 8 characters is the accepted minimum, and longer is better).
• Should be a combination of alphabetic (upper case and lower case) and numeric characters.
• Should allow special characters like &^%$, etc.
• Passwords should not be identifiable with the user - such as first name, spouse's name, pet's name, etc.
• Should not use common names or dictionary terms.
• The system should not permit previous passwords to be used again.
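The password features and syntax rules above, implemented as an added example (not code from the slides): the syntax check (length, character mix, nothing identifiable with the user, no dictionary terms), one-way storage as a salted PBKDF2-HMAC-SHA256 digest, a forced change at first logon, a no-reuse check against the password history, and lock-out after three wrong attempts. The user record and the four-word stand-in "dictionary" are constructed for illustration; a real deployment would check against a full word list.

```python
"""Password policy, one-way storage, history and lock-out (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_FAILURES = 3
HISTORY_DEPTH = 5                   # old passwords that may not be reused
ITERATIONS = 100_000                # PBKDF2 work factor; raise for production use
COMMON_WORDS = {"password", "welcome", "secret", "letmein"}   # stand-in dictionary


@dataclass
class User:
    logon_id: str
    first_name: str
    salt: bytes = b""
    digest: bytes = b""
    must_change: bool = True        # forced change at first logon
    failures: int = 0
    locked: bool = False
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def policy_violation(user: User, pw: str) -> Optional[str]:
    """Return why pw breaks the syntax rules, or None if it is acceptable."""
    if len(pw) < 8:                                 # slides say 5-8; 8 is the floor today
        return "shorter than 8 characters"
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)):
        return "needs upper case, lower case and digits"
    low = pw.lower()
    if user.logon_id.lower() in low or user.first_name.lower() in low:
        return "identifiable with the user"
    if any(word in low for word in COMMON_WORDS):
        return "contains a dictionary term"
    return None


def set_password(user: User, new_pw: str) -> Optional[str]:
    """Apply the policy and the reuse check; store only salt + one-way digest."""
    why = policy_violation(user, new_pw)
    if why:
        return why
    previous = user.history + ([(user.salt, user.digest)] if user.digest else [])
    for old_salt, old_digest in previous:           # each old digest has its own salt
        if hmac.compare_digest(_hash(new_pw, old_salt), old_digest):
            return "previous password may not be reused"
    user.history = previous[-HISTORY_DEPTH:]
    user.salt = os.urandom(16)
    user.digest = _hash(new_pw, user.salt)
    user.must_change = False
    return None


def create_user(logon_id: str, first_name: str, initial_pw: str) -> User:
    """Administrator creates the account with a temporary password."""
    user = User(logon_id, first_name)
    why = set_password(user, initial_pw)
    if why:
        raise ValueError(why)
    user.must_change = True
    return user


def authenticate(user: User, pw: str) -> str:
    """Return 'ok', 'change-required', 'denied' or 'locked'."""
    if user.locked:
        return "locked"
    if not hmac.compare_digest(_hash(pw, user.salt), user.digest):
        user.failures += 1
        if user.failures >= MAX_FAILURES:
            user.locked = True
            return "locked"
        return "denied"
    user.failures = 0
    return "change-required" if user.must_change else "ok"


if __name__ == "__main__":
    u = create_user("jsmith", "John", "Temp#Start1")        # constructed user
    print(authenticate(u, "Temp#Start1"))                  # change-required
    print(set_password(u, "Gr8t-Harbour42"), authenticate(u, "Gr8t-Harbour42"))
```

Because each stored digest keeps its own salt, the reuse check has to re-derive the candidate password under every old salt; that cost is deliberate, since the same slow function is what makes a stolen password file expensive to crack.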
Password Combinations
A 4-digit numeric password could be cracked on a modest PC in 0.02 seconds - faster than you can blink your eyes!!
If you increase the length of the password from 4 digits to 6, the time to crack is 100 times more - about 2 seconds.
Increasing again from 6 to 8 digits, you end up with just under 4 minutes to crack the password.
(These figures assume roughly 500,000 guesses per second and count every length up to the maximum, so each extra digit multiplies the work by ten.)
Password Combinations (5 - 8 characters)
Character set | Time to crack
Numeric | 3.7 mins
Single case alpha | 5.4 mins
Single case alpha, numeric | 24 months
Single case alpha, numeric, special | 32.2 yrs
Mixed case alpha, numeric, special | 429.5 yrs
Real World Scenario
L0pht Heavy Industries, a group of hackers who have turned their expertise into a security consulting business, claim that during a corporate audit they performed for a "large high technology company", they cracked 90% of the passwords in under 48 hours on a Pentium II/300.
They further state that 18% of the passwords were cracked in under 10 minutes!
Password Dilemma
The best password is one that can't be guessed.
If a password can't be guessed, it is probably difficult to remember.
If a password is hard to remember, the user will probably write it down somewhere.
If a password is written down, it is probably no longer secure.
Session Controls
Logon-IDs not used for a number of days should be deactivated to prevent misuse. This can be done automatically by the system or manually by the security administrator.
The system should automatically disconnect a logon session if no activity has occurred for a period of time. This reduces the risk of misuse of an active logon session left unattended because the user left for lunch or for a meeting.
Data File Access
• Read, inquiry, or copy only
• Write, create, update, or delete only
• Execute
Logging Computer Access
Computer access and attempted access violations can be automatically logged by the computer and reported. The security administrator should review the access report and look for:
• Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
• Violations such as attempting computer file access that is not authorized and/or use of incorrect passwords.
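An added example (not code from the slides) of the access report review described above, run over a constructed log: it flags repeated wrong passwords, unauthorized file access attempts and a logon-ID concentrating on a sensitive application, and, for the Session Controls slide, lists logon-IDs with no successful sign-on in the last 30 days that should be deactivated. The log format, logon-IDs, application names and thresholds are all invented.

```python
"""Access-log review for the patterns the security administrator looks for
(added example, constructed log)."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

SENSITIVE_APPS = {"PAYROLL"}
BAD_PASSWORD_THRESHOLD = 3        # matches the three-strikes lock-out rule
CONCENTRATION_THRESHOLD = 5       # accesses to one sensitive app by one logon-ID
DORMANT_DAYS = 30

# Constructed sample log.  Fields: date time logon-ID terminal event object
SAMPLE_LOG = """\
2024-03-01 09:02 clerk01 T101 LOGON OK
2024-03-01 09:05 clerk01 T101 ACCESS PAYROLL
2024-03-01 09:06 clerk01 T101 ACCESS PAYROLL
2024-03-01 09:07 clerk01 T101 ACCESS PAYROLL
2024-03-01 09:08 clerk01 T101 ACCESS PAYROLL
2024-03-01 09:09 clerk01 T101 ACCESS PAYROLL
2024-03-01 09:30 clerk01 T101 DENIED MASTER.DAT
2024-03-01 10:00 temp07 T300 LOGON BADPASS
2024-03-01 10:01 temp07 T300 LOGON BADPASS
2024-03-01 10:02 temp07 T300 LOGON BADPASS
2024-03-01 11:00 auditor1 T200 LOGON OK
2024-03-01 11:05 auditor1 T200 ACCESS PAYROLL
"""
KNOWN_LOGON_IDS = {"clerk01", "auditor1", "temp07", "retired9"}   # from the user list


def parse(log_text: str) -> List[Tuple[datetime, str, str, str, str]]:
    events = []
    for line in log_text.strip().splitlines():
        date, time, uid, terminal, event, obj = line.split(maxsplit=5)
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
                       uid, terminal, event, obj))
    return events


def review(log_text: str, known_ids: Iterable[str], as_of: datetime) -> Dict[str, object]:
    """Summarize the log into the four findings the administrator acts on."""
    bad_pw: Counter = Counter()
    sensitive: Counter = Counter()
    denied: List[Tuple[str, str]] = []
    last_ok: Dict[str, datetime] = {}
    for ts, uid, _terminal, event, obj in parse(log_text):
        if event == "LOGON" and obj == "BADPASS":
            bad_pw[uid] += 1
        elif event == "LOGON" and obj == "OK":
            last_ok[uid] = max(ts, last_ok.get(uid, ts))
        elif event == "DENIED":
            denied.append((uid, obj))
        elif event == "ACCESS" and obj in SENSITIVE_APPS:
            sensitive[uid] += 1
    cutoff = as_of - timedelta(days=DORMANT_DAYS)
    # Dormant: no successful sign-on inside the window, or none at all.
    dormant = sorted(uid for uid in known_ids
                     if uid not in last_ok or last_ok[uid] < cutoff)
    return {
        "repeated_bad_passwords": {u: n for u, n in bad_pw.items()
                                   if n >= BAD_PASSWORD_THRESHOLD},
        "unauthorized_attempts": denied,
        "sensitive_concentration": {u: n for u, n in sensitive.items()
                                    if n >= CONCENTRATION_THRESHOLD},
        "dormant": dormant,
    }


def demo(as_of_day: str = "2024-03-20") -> Dict[str, object]:
    """Run the review over the constructed log as of the given day."""
    return review(SAMPLE_LOG, KNOWN_LOGON_IDS, datetime.strptime(as_of_day, "%Y-%m-%d"))


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

The thresholds are the tunable part: the bad-password count should match the lock-out rule so the report confirms the control fired, while the concentration count is a judgement about what is unusual for each sensitive application.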
Access Violations

The violation should be referred to the security administrator.
The security administrator should investigate and determine the
severity of the violation.
If the violation is serious, executive management should be notified.
They are normally responsible for notifying law enforcement agencies.
Written guidelines should exist that identify various types and levels
of violations and how they will be addressed.
Disciplinary action should be a formal process that is consistently
applied.
Corrective measures should include review of access rules.

Bypassing Security

Generally, only system programmers should have access to these features:
Bypass Label Processing (BLP) - BLP bypasses the computer's reading of
the file label. Since most access control rules are based on file
names (labels), this can bypass access security.
System Exits - Installation-written routines that the system software
calls at defined points, permitting complex system maintenance tailored
to a specific environment. Because they run with system privilege, they
can also alter or skip security checks.
Special System Logon-Ids - These logon-Ids are often provided by the
vendor and are the same for all similar systems. The passwords should
be changed immediately upon installation, and the Ids disabled or
renamed where the product permits.

Data Classification

The National Institute of Standards and Technology (NIST) describes
the following four classifications:

Sensitive:
Applies to information that requires special precautions to assure
the integrity of the information, by protecting it from unauthorized
modification or deletion.
It is information that requires a higher than normal assurance of
accuracy and completeness.
For example passwords, encryption parameters, etc.

Data Classification

Confidential:
Applies to the most sensitive business information that is intended
strictly for use within an organization.
Its unauthorized disclosure could seriously and adversely impact the
organization's image in the eyes of the public.
For example application program source code, project documentation, etc.

Data Classification

Private:
Applies to personal information that is intended for use within the
organization.
Its unauthorized disclosure could seriously and adversely impact the
organization and/or its customers.
For example customer account data, e-mail messages, etc.

Data Classification

Public:
Applies to data that can be accessed by the public but can be
updated/modified by authorized people only.
For example company web pages, monetary transaction limit data, etc.

PC Security Issues

Sensitive data should not be stored on a PC. The simplest and most
effective way to secure data and software is to remove the storage
medium, such as disk, cassette or tape, from the machine when it is
not in use and lock it in a safe.
Vendors offer lockable enclosures, clamping devices and cable
fastening devices that help prevent equipment theft. The computer can
also be connected to a security system that sounds an alarm if the
equipment is moved.
Passwords can be allocated to individual files to prevent them from
being opened by an unauthorized person. A file password is only as
strong as the encryption behind it: a password that merely stops the
application from opening the file does not protect the data once the
medium is in someone else's hands.

PC Security Issues

Preventing the theft of data is virtually impossible. The medium
itself is inexpensive, but the data residing on disks may be vital to
the company. A practical solution is to record all sensitive data on
removable hard drives, which are more easily secured than fixed or
floppy disks.
Preventive controls such as encryption become more important for
protecting sensitive data in the event the PC or laptop is lost,
stolen, or sold. With full-disk encryption whose key is held outside
the disk (a passphrase or hardware token), a machine lost while
powered off is a hardware loss rather than a data breach.
Other procedures may require that the PC or laptop may only be used
in a physically-secured area and must not be taken from that location.

Naming Conventions

On larger mainframe and minicomputer systems, access control naming
conventions are structures used to govern user access to the system
and user authority to access or use computer resources.
The owners of the data or application, along with the help of the
security administrator, usually set up the naming conventions.
It is important to establish naming conventions that both promote the
implementation of efficient access rules and simplify security
administration.

Naming Conventions

Naming conventions for system resources such as datasets, volumes,
programs, and terminals are an important prerequisite for efficient
administration of security controls.
Naming conventions can be structured so that resources beginning with
the same high-level qualifier can be governed by one or more generic
rules.
This reduces the number of rules required to adequately protect
resources, which, in turn, facilitates security administration and
maintenance efforts.

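An added example, not code from the slides or from any access control product, that ties the generic rules described here to the access levels on the "Data File Access" slide: a small rule table keyed by high-level qualifier, where one generic rule covers every dataset under the qualifier and a more specific rule overrides it where needed. The resource names, groups, and the "most specific matching rule wins, deny by default" resolution are assumptions of the example; real products have their own matching order.

```python
from fnmatch import fnmatchcase

# Constructed rule table: (resource pattern, group, permitted access levels).
# Patterns use the high-level qualifier so one generic rule covers every dataset under it.
RULES = [
    ("PAYROLL.*",        "PAYROLL_CLERKS", {"READ"}),
    ("PAYROLL.*",        "PAYROLL_MGR",    {"READ", "UPDATE"}),
    ("PAYROLL.MASTER.*", "PAYROLL_CLERKS", set()),   # more specific: clerks get nothing here
    ("PROD.LOAD.*",      "OPERATORS",      {"EXECUTE"}),
    ("PROD.LOAD.*",      "IMPL_COORD",     {"READ", "UPDATE", "EXECUTE"}),
    ("TEST.*",           "DEVELOPERS",     {"READ", "UPDATE", "EXECUTE"}),
]

# Constructed group membership; a user with no groups, or no matching rule, gets nothing.
GROUPS = {
    "alice": {"PAYROLL_CLERKS"},
    "bob":   {"PAYROLL_MGR"},
    "carol": {"OPERATORS"},
    "dave":  {"DEVELOPERS"},
}

def specificity(pattern):
    """Longer literal prefix before the first wildcard = more specific rule (assumed ordering)."""
    return len(pattern.split("*", 1)[0])

def permitted(user, resource, rules=RULES, groups=GROUPS):
    """Access levels the user holds on the resource. For each of the user's groups only
    the most specific matching rule applies; the union over groups is returned."""
    allowed = set()
    for group in groups.get(user, ()):
        matching = [r for r in rules if r[1] == group and fnmatchcase(resource, r[0])]
        if matching:
            best = max(matching, key=lambda r: specificity(r[0]))
            allowed |= best[2]
    return allowed

def check(user, resource, access):
    """True if the requested access level (READ, UPDATE or EXECUTE) is permitted."""
    return access in permitted(user, resource)

if __name__ == "__main__":
    for user, res in [("alice", "PAYROLL.HOURS.2024"), ("alice", "PAYROLL.MASTER.EMP"),
                      ("carol", "PROD.LOAD.PAYPGM"), ("dave", "PROD.LOAD.PAYPGM")]:
        print(user, res, sorted(permitted(user, res)))
```

Six rules cover every dataset under four qualifiers; without the convention each new PAYROLL dataset would need its own rule, and the security administrator would have to be told about every one of them.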
Evaluating Logical Access

When evaluating logical access controls, the IS Auditor should:
Obtain a general understanding of the security risks facing
information processing through a review of relevant documentation,
inquiry, observation, risk assessment, and evaluation techniques.
Document and evaluate controls over potential access paths into the
system to assess their adequacy, efficiency, and effectiveness by
reviewing appropriate hardware and software security features and
identifying deficiencies or redundancies.

Evaluating Logical Access

Test controls over access paths to determine that they are functioning
and effective by applying appropriate audit techniques.
Evaluate the access control environment to determine if the control
objectives are achieved by analyzing test results and other audit
evidence.
Evaluate the security environment to assess its adequacy by reviewing
written policies, observing practices and procedures and comparing
them with appropriate security standards and procedures.

Evaluating Logical Access

Familiarizing with the IS Processing Environment:
This is the first step of the audit and involves obtaining a clear
understanding of the technical, managerial and security environment
of the IS facility.
This typically includes interviews, physical walkthroughs, review of
documents and risk assessments.

Document the Access Paths

The access path is the logical route the end user takes to access
computerized information. It starts with a terminal and typically
ends with the data being accessed. The IS Auditor should evaluate
each component for proper implementation and proper physical and
logical access security. A typical sequence of the components follows:

Terminal
A terminal is used by an end user to sign on. It should be physically
secured, and logon-Id and password should be subject to conditions
outlined in the security policy.

Document the Access Paths

Telecommunications Software
It intercepts the logon to direct it down the appropriate
telecommunications link.
The telecom software can restrict terminals to specific data or
application software.
A key audit issue with telecom software is to ensure all applications
have been defined to the software and the various optional telecom
control and processing features used are appropriate and approved by
management.
This analysis typically requires the help of a system software analyst.

Document the Access Paths

Transaction Processing Software
This software routes transactions to the appropriate application
software.
Key audit issues include ensuring proper identification/authentication
of the user, and authorization of the user to gain access to the
application.
This analysis is performed by reviewing internal tables that reside in
the transaction processing software or in the system security
software.
Access to these should be restricted to the security administrator.

Document the Access Paths

Application Software
The application software processes transactions in accordance with
program logic.
Audit issues include restricting access to the production software
library to only the implementation coordinator.

Document the Access Paths

Database Management Software
The DBMS software directs access to the computerized information.
Audit issues include ensuring that all data elements are identified in
the data dictionary, that access to the data dictionary is restricted
to the DBA, and that all data elements are subject to logical access
control.

Document the Access Paths

Access Control Software
The access control software can wrap logical access security around
all the above components. This is done via internal security tables.
Audit issues include ensuring all the above components are defined to
the access control software, providing access control rules that
define who can access what on a need-to-know basis, and restricting
access to the security tables to the security administrator.

Conduct Reviews

Reports from Access Control Software
The reporting features of Access Control Software provide the security
administrator with the opportunity to monitor adherence to security
policies.
By reviewing a sampling of reports, the IS Auditor can determine if
enough information is provided to support an investigation and if the
security administrator is performing an effective review of the report.
Unsuccessful access attempts should be reported and should identify
the time, terminal, logon and file or data element for which access
was attempted.

Conduct Reviews

Application System Operations Manual
The application systems manual should contain documentation on the
programs that are generally used throughout a data processing
installation to support the development, implementation, operations,
and use of application systems.
This manual should include information about which platform the
application can run on, database management systems, compilers,
interpreters, telecom monitors and other applications that can run
with the application.

Conduct Reviews

Written Policies, Procedures, and Standards
Policies and procedures provide the framework and guidelines for
maintaining proper operation and control.
The IS Auditor should review the policies and procedures to determine
if they set the tone for proper security and provide a means for
assigning responsibility for maintaining a secured computer processing
environment.

Conduct Reviews

Formal Security Training
Effective security will always be dependent on people. Security can
only be effective if people know what is expected of them and what
their responsibilities are.
They should know why various security measures, such as locked doors
and the use of logon-Ids, are in place and the repercussions of
violating security.
Employees should be encouraged to identify and report possible
security violations.
Training should start with new employee orientation or induction and
should be an ongoing process.

Data Ownership

Data ownership refers to the classification of the data elements and
the allocation of responsibility for ensuring that the data is kept
confidential, complete, and accurate.
A key point of ownership is that by assigning responsibility for
protecting computer data to particular employees, accountability is
established.
By interviewing a sampling of data owners, the IS Auditor can
determine if they are aware of their data ownership duties.
The IS Auditor should review the classification of data and evaluate
its appropriateness.

Data Ownership

Data Owners
These are generally managers and directors responsible for using
information for running and controlling the business.
Their security responsibilities include authorizing access, ensuring
access rules are updated when personnel changes occur and regularly
inventorying access rules for the data for which they are responsible.

Data Custodians
These people are responsible for storing and safeguarding the data and
include IS personnel such as systems analysts and computer operators.

Data Ownership

Data Users
Often referred to as end users, these are the actual users of the
computerized data.
Their levels of access should be authorized by data owners and
restricted and monitored by the security administrator.

Security Administrator
Security administrators are responsible for providing adequate
physical and logical security for IS programs, data, and equipment.
Normally the security policy will provide basic guidelines under which
the security administrator will operate.

Data Ownership

Documented Authorizations
Data access should be identified and authorized in writing. The IS
Auditor can review a sample of these authorizations to determine if
the proper level of written authority was provided.

Access Standards
Access Standards should be reviewed by the IS Auditor to ensure that
they meet organizational objectives for separating duties, that they
prevent fraud or error and that they meet policy requirements for
minimizing the risk of unauthorized access.

Bypass Security Features

Typically include:
Bypass label processing
Special system maintenance logon-Ids
Operating system exits
Installation utilities
I/O appendages

Bypass Security Features

Since bypass security features can be exploited by technically
sophisticated intruders, the IS Auditor should be interested in
compensating features, including the following:
All uses of these features should be logged, reported and investigated
by the security administrator or system software manager.
Unnecessary bypass security features should be deactivated.
If possible, the bypass security features should be subject to
additional logical access controls.

Penetration Testing

Penetration tests, which simulate the techniques an attacker would
use, may be used by the IS Auditor to confirm that logical access
controls hold up in practice. They should be carried out only under
written authorization that defines their scope and timing. Typical
components of a penetration test include:
Attempting to guess passwords by using password cracking tools which
generate passwords from dictionaries, common phrases, or combinations
of letters and numbers.
Searching for programmer back doors into operations.
Attempting to overload communications software.
Exploiting known vulnerabilities in software.

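The password-guessing component as an added example (mine, not from the slides): a small dictionary attack with the usual case and suffix mangling, run offline against a constructed password file. The salted SHA-256 verifier, the word list and the plaintexts behind the hashes are all constructed for the demonstration. It also shows why the figures quoted earlier in the deck (most passwords cracked within hours, a good share within minutes) are plausible when passwords are dictionary words with predictable decorations.

```python
import hashlib

def hash_pw(password, salt):
    """Toy verifier for the demo: salted SHA-256. Real systems should use a
    deliberately slow KDF (bcrypt, scrypt, Argon2) so each guess is expensive."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed "captured" password file: logon id -> (salt, hash). The plaintexts are
# chosen for the demonstration; in a real test only the salts and hashes are known.
_PLAINTEXTS = {"jsmith": "Summer2024!", "aroy": "password1",
               "mpatel": "Welcome!", "root": "x7#Qp9!vLz2w"}
SHADOW = {user: ("salt-" + user, hash_pw(pw, "salt-" + user))
          for user, pw in _PLAINTEXTS.items()}

# A tiny word list and the decorations users typically add to it.
WORDS = ["password", "welcome", "summer", "admin", "letmein"]
SUFFIXES = ["", "1", "123", "!", "2023", "2024", "2024!"]

def candidates(words=WORDS, suffixes=SUFFIXES):
    """Yield dictionary words with case and suffix mangling applied."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield base + suffix

def crack(shadow):
    """Try every candidate against every not-yet-cracked hash. Because each user has
    a distinct salt, every candidate must be hashed once per user; without salts one
    hash per candidate would test all users at once. Returns (cracked, guesses)."""
    cracked, guesses = {}, 0
    for cand in candidates():
        for user, (salt, digest) in shadow.items():
            if user in cracked:
                continue
            guesses += 1
            if hash_pw(cand, salt) == digest:
                cracked[user] = cand
    return cracked, guesses

if __name__ == "__main__":
    found, n = crack(SHADOW)
    print(f"{len(found)} of {len(SHADOW)} cracked in {n} guesses: {found}")
```

Three of the four accounts fall to a five-word list with seven suffixes; the one that survives is the one that is not a word at all. Scale the list to a few hundred thousand entries and the rules to a few hundred, and the 48-hour figure in the consultants' claim needs no special hardware.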
Password Administration

Access controls and password administration are reviewed to determine
that:
Procedures exist for adding individuals to the list of those
authorized to have access to computer resources, changing their
access capabilities and deleting them from the list.
Passwords are of adequate length, cannot be easily guessed and do not
contain repeating characters.
Passwords are changed periodically. (Current guidance in NIST SP
800-63B drops routine forced rotation in favour of changing a password
when compromise is suspected and screening new passwords against lists
of commonly used or breached values.)
Procedures provide for the suspension of user accounts, or the
disabling of terminals, in case of security violations.

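The password checks on this slide as a function an administrator could run before accepting a new password, added here as an example that is not from the slides. The minimum length of 12, the "no character three times in a row" reading of the repeating-character rule, the suffix-stripping normalisation and the short common-word list are assumptions of the example; a production check would use a large breached-password list.

```python
import re

# Constructed list of common passwords; a production check would use a large
# breached-password list instead of this handful of words.
COMMON = {"password", "welcome", "summer", "admin", "letmein", "qwerty", "iloveyou"}

def normalise(password):
    """Strip the usual trailing decorations so that 'Welcome2024!' is compared as 'welcome'."""
    return re.sub(r"[\d!@#$%^&*]+$", "", password.lower())

def check_password(password, logon_id, min_length=12, max_run=2, common=COMMON):
    """Return the list of policy problems with a proposed password (empty list = accepted).
    The thresholds are assumed values for the example."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if re.search(r"(.)\1{%d,}" % max_run, password):          # same char max_run+1 times in a row
        problems.append(f"a character repeats more than {max_run} times in a row")
    if logon_id.lower() in password.lower():
        problems.append("contains the logon id")
    if password.lower() in common or normalise(password) in common:
        problems.append("based on a common dictionary word")
    return problems

if __name__ == "__main__":
    for pw, uid in [("Summer2024!", "jsmith"), ("correct horse battery staple", "dave")]:
        print(repr(pw), "->", check_password(pw, uid) or "accepted")
```

The normalisation step is what catches "Summer2024!": it satisfies every composition rule on its own, and only the comparison against the word list after stripping the suffix shows that it is the kind of password the cracking example above finds in seconds.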