Logical Access

Control System Layers (IT Controls)
Click the card to flip 👆
1 / 63
Terms in this set (63)
Control System Layers (IT Controls)
1) Application Controls (ITAC)
2) General Controls (ITGC)
Application Controls (ITAC)
Apply to specific systems or applications, relevant to access, input, processing, output
General Controls (ITGC)
Essential to ensure that information systems are reliable and that behavior can be predicted, system-wide
Application Control Objectives
-Relevant to the system

•Completeness
•Accuracy
•Validity
•Authorization
•Authentication
•Segregation of duties
•Confidentiality
General Control Objectives
_Relevant to the environment

•Availability
•Reliability
•Integrity
•Confidentiality
Application Control Approaches
•Authentication
•Authorization
•Input controls
•Processing controls
•Output controls
•Logs/Audit trails
General Control Approaches
•Policies & procedures
•Infrastructure & standards
•Identity & access management
•Physical controls
•Environment controls
•DR/BC
•Incident/problem management
•Change management
•User support/training
Organizational standards for identity and access management:
•Identification and authentication of users/systems/devices

•Authorization and access rights

•Procedures for adding, changing, removing users/systems/devices

•Procedures for adding, changing, removing rights
In accordance with (general) logical security some procedural controls to test for are:
•Documentation of user ID administration process including new user ID administration, segregated duties
- One person responsible for administering access
- Another person responsible for approval

•Use of access (user) profiles

•Documented application security configuration
- Limit number of allowable log-on attempts
- Password expiration and re-use ability
- Minimum password length
- Password complexity

•Security monitoring procedures

•Processes for reporting security violations
oKey concepts to evaluate a logical access control mechanism:
1) HR Policies/Procedures
2) Identification
3) Authentication
4) Authorization
5) Monitoring
HR Policies/Procedures:activities related to hiring/firing and relationship to IT resource access provisioningIdentification:How subjects are recognized by the logical access control mechanism (e.g., user name, user ID number)Authentication:How subjects prove they are who they say they are (e.g., password, token, digital certificate)Authorization:How rules are established and evaluated to make an access control decision (e.g., should computer operators be able to change operations logs)Monitoring:What security logging is in place and what capabilities it has (e.g., failed logons, successful access to a file)HR Processes Related to Logical Access1) Hiring process 2) Training process 3)Termination (retirement, resignation, termination)Hiring process•Background checks •Confidentiality agreements •Conflict of interest agreements •Non-compete agreements •Nondisclosure agreementsTraining process•Security policies awareness and training •Acceptable conduct (acceptable use policies, code of conduct) •Job descriptions, employee manuals/handbooks •Training, review processes •Verifications to IT for changesTermination (retirement, resignation, termination)•Return of access keys, ID cards, badges •Deletion/revocation of logons and passwords •Return of equipment (PCs, mobile devices, etc.) •Removal from documentation that identifies them as a current member of the organizationIdentification related to logical access•Each user gets a unique UserID that can be identified by the system. •The format of User IDs is standardized •User ID syntax follows an internal naming rule •Default system accounts, such as Guest, Administrator and Admin, should be renamed/disabled if possible •User IDs automatically deactivated after a predetermined period of time •User ID logon sessions automatically closed if no activity has occurred for a period of time (session timeout)Authentication related to logical access1) Factors/Multi-factor 2) Login IDs 3) Passwords/Passphrase (policy0 4) BiometricsAuthentication: Factors/ Multi-factor•Something you know •Something you have •Something you are / BiometricsAuthentication: Login IDs•Simple naming •Default account IDs •ID sessions, timing, single sign-onAuthentication: Passwords/Passphrase (Policy)•Length •Complexity •Expiration, reuseAuthentication: Passwords•Password provides individual authentication •Passwords should be easy to remember but difficult to guess •Initial passwords •Auto lockout of UserIDs if a wrong password is entered (3 times) •Only a security administrator has privileges to reset forgotten passwords - Only after verifying the user's identification (challenge/response system) - Use of 3rd party for verificationInitial Passwords- Allocated by the security administrator or generated by the system - Users forced to change password on initial login - Initial password assignments randomly generated - UserID and password communicated in a controlled manner - New accounts without an initial password assignment should be suspended.Authentication: Passwords•Passwords not be displayed in any form (masking) •Passwords not visible, written, or stored (hashes, sticky pads) •Passwords changed periodically (30, 60, 90 days) •Passwords should be changed by users at their terminal or work computer •Passwords > 8 characters •Passwords using (3) complexity elements - Alphanumeric - Case - Special characters •Non-word/name passwords •Password reuse restricted •Use of token devices •Password managersAuthentication: Biometrics•Access to IT resource based on physical or behavioral characteristics of the user - Palm - Hand geometry - Iris/Retina - Fingerprint - Face - Signature - Voice •Identification during enrollment •features change over timeAuthentication Risks:•Credentials sniffed or stolen. •Credentials replayed, even if they are encrypted. •Users select poor passwords. •Third-party compromised or untrustworthy.Authentication Controls:•Use of hashed credentials, not credentials themselves. •UserID/password logging, behavior analysis •Encrypted transmission of sensitive information. •Time-stamped transmissions to prevent replay attacks. •Third-party assessment for trustworthiness and security. •Multi-factor authenticationAuthorization Access Control Models1) Mandatory Access Control (MAC) 2) Discretionary Access Control (DAC) 3) Role-Based Access Control (RBAC) 4) Rule-Based Access ControlMandatory Access Control (MAC)•A control mechanisms previously used by the military. It examines the security attributes of a subject (such as a process) accessing an object (such as a file) based on authorization rules, and decides whether the access can take place.In a Mandatory Access Control (MAC)• A System administrator (sysadmin) is responsible for managing access controls -Data classification top secret, confidential, etc -Availability categorizationMandatory Access Control does not allow•End users to override, modify, or transfer controlsMandatory Access control is the•Most restrictive (thus most secure), because all controls are fixed -More planning of the security policies -More system overhead to implement and maintain the policiesDiscretionary Access Control (DAC)•End user has control over any objects (such as data) he/she owns, along with the programs that are associated with those objects •Each object in DAC has an Access Control List (or ACL) specifying what users and groups are permitted to access it. •Levels of access may differ among the users and groups. •More flexible but least restrictive/secure model; default for PCsDiscretionary Access Control (DAC) Weaknesses•It relies on the end-user to set the proper level of security •End user permissions will be "inherited" by any programs that the end user executesUser Account Control (UAC)Operating systems prompt the user for permission whenever software is installedRole-Based Access Control (RBAC)•Also known as Non-Discretionary Access Control •Considered more "real world" than other models •Assign permissions to particular roles, and then users assigned to the roles - Different from ACL, permissions are not assigned to each data object. •End users are assigned to a single role •Suitable for larger organizationsRule-Based Access Control•Automated provisioning •Grant permission to end users based on rules defined by sysadmin •Each IT resource contains a set of access properties based on the rules •Often used for managing user access to one or more systemsAuthorization Risks:•Excessive access or rights to application •Excessive rights within applications •Gain of excessive access by increasing authorization level •Access or rights slow to update upon job change/terminationAuthorization Controls:•Access control lists, ensure different user levels created •Job roles/job descriptions match to ACL •Privileges identified for each job role/description •Enforcement of privileges provided to each job role/description •Application hardening to remove possibility of bypassing authorization mechanisms to elevate user levels •Job change/termination policies and proceduresMonitoring related to logical access•Auditing (On/Off; Successes/Failures; Privilege Escalation) •Access rights to system/access logs (Protect deletion, modification) •Capture, Review, Archive LogsLogical Access Concepts1) Least Privilege 2) Implicit Denial 3) Actions 4) Single Sign-OnLeast privilege•Each user should be given only the minimal amount of privileges necessary to perform his or her job functionImplicit denial•If a condition is not explicitly met, then it is to be rejectedActions•Read, Write, Delete, Modify •Select, Create/Insert, Drop/Delete, Alter/UpdateREADING: Singleton 2012 Evaluating Access Controls Over DataWhat are the two general approaches to accessing data, according to this article?The obvious method of access to data is via the applications that create, edit, maintain and report data; there are other methods through which one can get to data. They include: - network operating system (NOS) - primary server - database (and database administrator [DBA]) - -- operating system (OS)What are the three states of data?Conventional wisdom identifies data as being in one of three states of being: 1) at rest 2) in transit 3) in processGive examples of the rules for access control as related to password, application, server and NOS, firewalls, and DBA.There is some additional text in the article and a really inclusive figure. But the Next few Slides have some answersPasswords• Print or view password policies established on the network, server, applications and/or OS, and review to ensure that users and groups are adhering to the password guidelines mentioned previously. • Pull a sample of terminated employees, and trace removal of access rights. • Verify proper SoD for the password administrator. • Ensure the existence of independent review of password changes. • Obtain evidence of any known failures, breaches, intrusions or abuses. • Determine who monitors the changes and who manages/administers the changes. • Determine appropriate SoD for those individuals who are associated with password managementApplications• Determine and verify logical access controls (restricted access)—independent, inherited or absent. • Verify the use of password procedures (as outlined previously).Server•Verify the enforcement of logical access controls (least-privilege access). • Verify the use of password procedures (as outlined previously). • Verify that there is limited permission on shares, especially of sensitive data files. • Verify the use of standard principles for establishing access to users and groups. • Verify that vendor accounts are evaluated. • Determine whether default settings and accounts have been changed or removed, if necessary. • Verify that there is a limited number of administratorsFirewalls• Verify the enforcement of appropriate access controls to limit external user access. • Determine whether default settings have been changed. • Test patches and updates. • Test change controls. • Verify that is a limited number of administratorsNetwork/NOS• Verify the enforcement of logical access controls (least-privilege access). • Verify the use of password procedures (as outlined previously). • Verify that there is a limited number of administrators.DBA• Verify the enforcement of least-privilege access. • Verify proper SoD. • Verify that there is a limited number of DBAs.READING: Kaur 2011 Identity and Access ManagementWhat is IAM and why is it important to an organization?IAM aids organizations in automating IT tasks, reducing the cost and effort of providing services, and increasing productivity. Additionally, by being able to ensure that individuals can access only the resources to which they are entitled by placing controls so that assets are not compromised or tampered with, security is increased.Why are COBIT and other internal control frameworks important to the SOX Act?The COBIT framework was built out of a need to address IT governance and control requirements; the framework is used by enterprises worldwide for Sarbanes-Oxley compliance. COBIT sets the IT control objectives/goals that should be achieved to ensure that business objectives are met.What IT control objectives with respect to IAM are specified in COBIT 4.1? See Figure 1.- Procedures exist and are followed to authenticate all users of the system (both internal and external) to support the existence of transactions. Deliver and Support (DS) 5.3 - Procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms (e.g., regular password changes). DS5.3, DS5.4 - Procedures exist and are followed relating to timely action for requesting, establishing, issuing, suspending and closing user accounts (including procedures for authenticating transactions originating outside the organization). DS5.4 - A control process exists and is followed to periodically review and confirm access rights. DS5.4 - IT security administration monitors and logs security activity at the operating system, application and database levels, and identifies security violations, which are reported to senior management. DS5.5 - Controls relating to appropriate segregation of duties (SoD) over requesting and granting access to systems and data exist and are followed. DS5.3, DS5.4Describe the three stages for an IAM system (Figure 2).1) Provision • Request • Validate • Approve • Create • Communicate 2) Administration • Monitor • Manage passwords • Audit and reconcile • Administer policies • Validate • Log activity 3) Enforcement • Authenticate • AuthorizeGive examples of gaps or security concerns in the IAM framework and best practices to address those concerns. (Figure 3).Should Go Look At Figure 3 For Yourself to see best practices but gaps and security concerns are listed below: - Authorized approval not in place - Privileged access granted without analyzing the need - Group shared access - Authorized approval not in place - User IDs not revoked immediately after termination - Unsecure means to communicate passwords