Shedding Light on Key Controls IT AUDITING FOR NON-IT AUDITORS Michelle Workman George Mason University Glenn Wilson Old Dominion University CUAV 2015 Conference

Shedding Light on Key Controls

IT AUDITING FOR NON-IT AUDITORS

Michelle Workman

George Mason University

Glenn Wilson

Old Dominion University

CUAV 2015 Conference 

Account Management

User Account Management

Privileged Account Management

What is it?

◦Managing the life-cycle of user accounts: requesting, approving, administering, and terminating

Why is it important?

◦Authorized users may use accounts for unauthorized purposes

◦Unauthorized users may use/exploit accounts for unauthorized and sometimes malicious purposes

User Account Management

Best Practices:

◦Documented account management policy that formalizes the process for requesting, granting, administering, and terminating accounts

◦Access is granted on the principles of least privilege and separation of duties

◦Limit/Prohibit the use of generic and shared accounts

User Account Management

Best Practices (continued):

◦Require prompt notification when a user account is no longer required or a user’s access level requirements change

◦Periodically review all user accounts and corresponding privileges

Avoid privilege creep with user access recertifications

Avoid rubber stamping: occurs when business units are asked to review and approve “cryptic” access privileges they cannot interpret, so they approve everything as-is

User Account Management

Best Practices (continued):

◦Monitoring account usage to identify:

Dormant accounts

Users who have logged in during unusual hours

User Account Management
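The two monitoring checks on the slide above, as an added example (this code is not part of the CUAV presentation). It reviews a constructed authentication log against a constructed directory listing; the log format ("timestamp user source result"), the account names, the 07:00 to 19:00 business-hours window and the 90-day dormancy threshold are all assumptions made here for illustration.

```python
"""Account-usage review over an authentication log: dormant accounts and
logins at unusual hours.

Added example, not from the CUAV slides. The log format ("timestamp user
source result"), the directory listing, the business-hours window and the
90-day dormancy threshold are all constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log in the assumed format.
SAMPLE_LOG = """\
2015-01-12T10:05:00 rgarcia 10.1.4.12 success
2015-05-01T08:02:11 jsmith 10.1.4.22 success
2015-05-01T08:15:40 mlee 10.1.4.31 success
2015-05-02T02:47:03 jsmith 10.1.9.8 success
2015-05-03T09:10:00 mlee 10.1.4.31 success
2015-05-03T22:58:19 tbrown 10.1.4.50 success
2015-05-04T03:12:45 tbrown 10.1.4.50 failure
"""

# Accounts that exist in the directory (constructed). Two of them never log
# in at all; a review that only looks at the log would miss them.
DIRECTORY_ACCOUNTS = ["jsmith", "mlee", "tbrown", "kpatel", "rgarcia", "svc_backup"]

BUSINESS_HOURS = (7, 19)            # assumed: 07:00-19:00 counts as usual
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold


def parse_log(text):
    """Yield (timestamp, user, source, result); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, source, result = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, source, result


def last_success(events):
    """Most recent successful login per user."""
    last = {}
    for ts, user, _src, result in events:
        if result == "success" and (user not in last or ts > last[user]):
            last[user] = ts
    return last


def dormant_accounts(accounts, events, as_of):
    """Accounts with no successful login inside the dormancy window.

    The directory listing, not the log, drives the loop: an account that has
    never been used produces no log line but is exactly what should be found."""
    last = last_success(events)
    return sorted(a for a in accounts
                  if a not in last or as_of - last[a] > DORMANT_AFTER)


def unusual_hour_logins(events):
    """Successful logins outside business hours, as (user, ISO timestamp)."""
    start, end = BUSINESS_HOURS
    return [(user, ts.isoformat()) for ts, user, _src, result in events
            if result == "success" and not (start <= ts.hour < end)]


def review(log_text, accounts, as_of_date):
    """Run both checks; as_of_date is 'YYYY-MM-DD' (the date of the review)."""
    events = list(parse_log(log_text))
    as_of = datetime.strptime(as_of_date, "%Y-%m-%d")
    return {"dormant": dormant_accounts(accounts, events, as_of),
            "unusual_hours": unusual_hour_logins(events)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG, DIRECTORY_ACCOUNTS, "2015-06-15")
    print("Dormant accounts:", ", ".join(report["dormant"]))
    for user, when in report["unusual_hours"]:
        print(f"Unusual-hour login: {user} at {when}")
```

The dormancy check deliberately walks the directory rather than the log: the accounts that matter most (never used, or used once and forgotten) leave no trace in a login log, which is also why an ID's format alone says nothing about whether it is live.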

Common Misconceptions

◦When determining whether IDs are personal or generic, do not depend on format alone (an ID that looks like a person’s name may be shared, and a cryptic ID may belong to one person)

◦Don’t only test “front door” access (a user’s access to data through an application); also test direct access to the database, file system and operating system behind it

◦“Vendor accounts are required”: they may be, but they still need an owner, a business justification and the same review as any other account

◦Disabling vs. deleting user accounts: a disabled account can be re-enabled and keeps its history, so termination procedures should state which outcome is expected and when

User Account Management

Red Flags

◦Generic and shared accounts

◦Common account management practices that promote violations of least privilege and separation of duties:

Playing the short-staffed card: “We have a small staff and therefore have to grant broad access to lots of people”

“We have a large staff and people change jobs and tend to accumulate the sum of all the privileges they’ve ever had”

System limitations: “The system doesn’t support granular enough privileges”

Account cloning: “We copy privileges for users in the same role”

User Account Management

What is it?

◦An account that is used to perform tasks that an ordinary user account cannot perform

Why is it important?

◦These accounts allow users to perform elevated/sensitive tasks, often with impunity, because multiple users know the same account ID and password and no individual can be held accountable for what the account did

Privileged Account Management

Best Practices

◦Documented policy for the management of privileged accounts

◦Reduce the complexity of privileged accounts

◦Eliminate, where possible, the practice of sharing privileged account credentials among multiple people

◦Privileged accounts should only be used to perform tasks requiring elevated rights

Privileged Account Management

Best Practices (continued)

◦Document the functionality of privileged accounts

◦Consider account “check-out” mechanisms that require an employee to log a request for specific privileged account credentials

◦Consider mechanisms that change the password associated with a privileged account a certain length of time after it has been requested for use by an employee

Privileged Account Management

Best Practices (continued)

◦Log the activity of privileged accounts; these logs should be maintained on a separate server from the one being audited so the privileged user does not have rights to change the stored logs

◦Monitor the use of privileged accounts

◦Have procedures in place to ensure that an employee no longer with the university no longer has access to privileged accounts (shared privileged passwords must be changed on departure; disabling the personal account alone does not do it)

Privileged Account Management
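The check-out, time-boxed rotation and activity-logging practices from the two slides above, worked together as an added example (this is illustrative code, not anything from the CUAV presentation or a product). The vault design, the four-hour rotation window, the account and employee names, the ticket identifiers and the host log format ("timestamp account employee") are assumptions made here.

```python
"""Privileged-credential check-out with time-boxed rotation, and the audit
test that goes with it: privileged logins that no check-out explains.

Added example, not from the CUAV slides. The vault design, the 4-hour
rotation window, the ticket identifiers and the login-log format
("timestamp account employee") are constructed assumptions.
"""
import secrets
import string
from datetime import datetime, timedelta

ROTATE_AFTER = timedelta(hours=4)  # assumed: how long a checked-out credential stays valid
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def new_password(length=24):
    """Random password; secrets (not random) is the right source for this."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedVault:
    """Holds the current secret for each privileged account and a ledger of
    every check-out. In practice this lives on a separate system from the
    hosts being audited, so the privileged user cannot edit the ledger."""

    def __init__(self, accounts):
        self.secrets = {a: new_password() for a in accounts}
        self.ledger = []    # (account, employee, ticket, checked_out_at)
        self.pending = {}   # account -> time of the check-out awaiting rotation

    def checkout(self, account, employee, ticket, now):
        """Record who asked for which account and why, then release the secret."""
        if account not in self.secrets:
            raise KeyError(f"{account} is not a managed privileged account")
        self.ledger.append((account, employee, ticket, now))
        self.pending[account] = now
        return self.secrets[account]

    def rotate_expired(self, now):
        """Change the password of every account whose window has elapsed.

        Returns the accounts rotated. A password copied down during the
        check-out stops working here, which is what ends the
        'everyone knows the admin password' situation."""
        due = sorted(a for a, at in self.pending.items() if now - at >= ROTATE_AFTER)
        for account in due:
            self.secrets[account] = new_password()
            del self.pending[account]
        return due

    def covered(self, account, employee, when):
        """Is this use inside a check-out window held by this employee?"""
        return any(a == account and e == employee and at <= when < at + ROTATE_AFTER
                   for a, e, _t, at in self.ledger)


def uncovered_privileged_logins(vault, log_lines):
    """Audit test: each privileged login in the host log must map to a check-out."""
    findings = []
    for line in log_lines:
        ts, account, employee = line.split()
        if account in vault.secrets and not vault.covered(account, employee, datetime.fromisoformat(ts)):
            findings.append((account, employee, ts))
    return findings


def demo():
    vault = PrivilegedVault(["root@dbprod01", "DOMAIN\\Administrator"])
    t0 = datetime(2015, 5, 4, 9, 0)
    first = vault.checkout("root@dbprod01", "mlee", "CHG-1042", t0)
    rotated = vault.rotate_expired(t0 + timedelta(hours=5))  # window over: rotate
    second = vault.checkout("root@dbprod01", "mlee", "CHG-1043", t0 + timedelta(hours=6))
    host_log = [  # constructed log pulled from the audited host
        "2015-05-04T09:30:00 root@dbprod01 mlee",            # inside the CHG-1042 window
        "2015-05-04T16:00:00 root@dbprod01 mlee",            # inside the CHG-1043 window
        "2015-05-04T21:00:00 root@dbprod01 jsmith",          # nobody checked this out
        "2015-05-05T02:00:00 DOMAIN\\Administrator tbrown",  # never checked out at all
    ]
    return {"rotated": rotated,
            "secret_changed": first != second,
            "uncovered": uncovered_privileged_logins(vault, host_log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit function is the part an auditor can reuse: join the host's privileged-login records to the check-out ledger and anything left unmatched is either a use of a password that was copied down and kept, or a login path the vault does not govern at all.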

Common Misconceptions

◦Privileged accounts are only at risk from attackers outside of the network. Other sources of risk:

Attackers on the inside who have hijacked a legitimate account for their own needs

Staffers who abuse access for one reason or another

Or, and most likely, a user with too much access who makes a mistake that results in a security incident

Privileged Account Management

Common Misconceptions (continued)

“When you’re in positions of privileged access, like a systems administrator, you’re exposed to a lot more information on a broader scale than the average employee,” says Snowden. “Because of that you see things that may be disturbing. Over the course of a normal person’s career, you’d only see one or two instances, but when you see everything, you see them on a more frequent basis.”

Privileged Account Management

Common Misconceptions (continued)

◦Only a few trusted individuals know the passwords for privileged accounts

Privileged Account Management

Red Flags

◦Users of privileged accounts do not have a separate, less privileged account to perform day-to-day tasks (e.g., checking email)

◦Weak password policy: privileged passwords are frequently not subject to a policy requiring regular password changes or locking the account after so many failed login attempts

◦Passwords for privileged application, service, and batch accounts are often embedded/hard coded and stored in plain text

Privileged Account Management

Resources

◦SANS Critical Security Controls (http://www.sans.org/critical-security-controls/)

Control #16: Account Monitoring and Control

Control #12: Controlled Use of Administrative Privileges

◦ITRM Guideline SEC509-00: IT Logical Access Control Guideline (http://www.vita.virginia.gov/uploadedfiles/VITA_Main_Public/Library/LogicalAccessControlGuideline04_18_2007.pdf)

Account Management

The backup method must ensure the required recovery.

Recovery time objective (RTO) = Statement of the duration and service level within which a business function must be restored after a disruption, to avoid unacceptable consequential loss.

Recovery point objective (RPO) = Statement of the maximum acceptable data loss, expressed as the point in time (the last backup point) to which data must be recoverable after a disruption; it is what dictates how often backups must run.

Data Backup: What is the Objective?

The odds are strong that you will need them:

Hardware failures

Soft failures / data corruption

File and transaction deletions

Failed upgrades

Malicious activity

Data Backup: Why is it Important?

Disk to tape

Disk to disk

Disk to/from media

Disk to/from device

Data Backup: Modes

File level backups

Block level backups

Transactional logs

Real-time replication

Virtual snapshots

Disk imaging

Data Backup: Methods

Full

Full + Differential

Full + Incremental

Rotations

First In, First Out

Grandfather-father-son

Tower of Hanoi

Data Backup: Schemes
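The three backup methods above differ in what has to be restored and in how much data is lost at failure time, which is what "mismatched recovery objectives and backup methods" means in practice. The following added example (not from the CUAV presentation) simulates a schedule and computes both for each method. The schedule (a full every seventh night starting on a Sunday, other runs nightly at 22:00), the Friday-afternoon failure and the 24-hour RPO are constructed assumptions.

```python
"""Restore-chain length and data loss for the three backup methods.

Added example, not from the CUAV slides. The schedule (a full backup every
seventh night starting on a Sunday, other runs nightly at 22:00), the
failure time and the RPO value are constructed assumptions.
"""
from datetime import datetime, timedelta

START = datetime(2015, 5, 3)  # a Sunday (constructed)


def schedule(method, days):
    """(time, kind) runs: a full every 7 days; nightly differential or
    incremental in between for those methods; nothing in between for full-only."""
    runs = []
    for d in range(days):
        t = START + timedelta(days=d, hours=22)
        if d % 7 == 0:
            runs.append((t, "full"))
        elif method in ("differential", "incremental"):
            runs.append((t, method))
    return runs


def restore_chain(method, runs, failure_time):
    """Backup sets needed to restore to the last point before the failure."""
    usable = [r for r in runs if r[0] <= failure_time]
    if not usable:
        return []
    last_full = max(i for i, r in enumerate(usable) if r[1] == "full")
    if method == "full":
        return [usable[last_full]]
    if method == "differential":
        # A differential holds everything since the full: full + newest differential.
        return [usable[last_full]] + usable[last_full + 1:][-1:]
    # An incremental holds only changes since the previous run: the full plus
    # every incremental after it, in order. Any one bad set breaks the chain.
    return usable[last_full:]


def data_loss(runs, failure_time):
    """Gap between the last usable backup and the failure: the RPO actually achieved."""
    return failure_time - max(t for t, _ in runs if t <= failure_time)


def evaluate(method, failure_iso, rpo_hours):
    """Sets to restore, what they are, hours of data lost, and whether the RPO holds."""
    failure = datetime.fromisoformat(failure_iso)
    runs = schedule(method, days=14)
    chain = restore_chain(method, runs, failure)
    loss = data_loss(runs, failure)
    return {"sets_to_restore": len(chain),
            "kinds": [kind for _, kind in chain],
            "data_loss_hours": loss.total_seconds() / 3600,
            "meets_rpo": loss <= timedelta(hours=rpo_hours)}


if __name__ == "__main__":
    # Failure on Friday afternoon with a 24-hour RPO: weekly fulls alone miss the
    # objective; both nightly methods meet it but need different restore chains.
    for method in ("full", "differential", "incremental"):
        print(method, evaluate(method, "2015-05-08T15:00:00", 24))
```

Run against the constructed schedule, weekly fulls alone lose 113 hours of data against a 24-hour RPO; differential and incremental both lose 17 hours, but the incremental restore needs five sets in the right order where the differential restore needs two. That trade-off (restore time and chain fragility versus backup window) is the recovery objective test an auditor should see evidence of.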

Conduct a formal business impact analysis

Geographically separate backups

Establish a lifecycle operations calendar

Conduct recovery objective testing

Classify data to establish required security

Design a monitoring and remediation workflow

Conduct tape and file inventory audits

Protect the backup database or catalog

Data Backup: Best Practices

“Everything is all backed up”

“Info Technology Services handles it all”

Assuming that all backups are secure

“We don’t need local backups because the vendor can/will provide the data”

Data Backup: Misconceptions

No formal communication of recovery objectives

Mismatched recovery objectives and backup methods

Infrequent or absence of full restorative testing

Missing or weak error handling procedures

Missing or weak vaulting or data inventory procedures

Diminished data management and security standards

Missing or weak contractual agreements

Data Backup: Red Flags

• NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

• United States Computer Emergency Readiness Team: https://www.us-cert.gov

• Iron Mountain Knowledge Center: http://www.ironmountain.com/Knowledge-Center.aspx

Data Backup: Resources

What is it?◦A set of rules designed to enhance security by

requiring users to employ strong passwords and use them properly

Why is it important?◦Without a strong policy enforcing password

requirements, people continue to choose bad passwords and protection practices

Password Policies

SplashData released its annual list of the 25 most common passwords found on the Internet

Shows that many people continue to put themselves at risk by using weak, easily guessable passwords

Password Policies

Best Practices◦There is no one size fits all password policy –

requirements should be commensurate with the level of risk and sensitivity of the system

◦The password policy should also include human factors (social engineering factors) to ensure the integrity of the user’s password

◦Prohibit the transmission and storage of passwords in clear text

Password Policies

Red Flags

◦“Off-setting” password parameters

If password history is not set, then password expiration is negated: the user can change the expired password straight back to the old one

If minimum password age is set too low, users can change their password repeatedly in the same day until the password history is exceeded, and begin reusing their original password

◦(specific to a Windows environment): the “Store passwords using reversible encryption” setting is misleading; enabling it is essentially the same as storing the passwords in plain text, since the system itself must be able to recover them

◦Forgotten passwords are reissued (rather than reset to a temporary password that must be changed at next logon)

Password Policies
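The "off-setting parameters" red flags above are arithmetic, so they can be tested from the policy values alone. The following added example (not from the CUAV presentation) does that for a small set of constructed policy dictionaries. The parameter names mirror the Windows account-policy settings the slide refers to, but nothing is read from a real system and the policies themselves are made up for illustration.

```python
"""Consistency check for password-policy parameters.

Added example, not from the CUAV slides. The parameter names mirror the
Windows account-policy settings named above, but the policy dictionaries
are constructed; no system is queried.
"""


def policy_findings(p):
    """Return finding strings ('red: ...' or 'note: ...') for a policy dict with
    keys max_age_days, min_age_days, history, lockout_threshold and
    reversible_encryption (0 means 'not set' for the numeric ones)."""
    findings = []
    max_age, min_age, history = p["max_age_days"], p["min_age_days"], p["history"]

    if max_age == 0:
        findings.append("red: passwords never expire")
    elif history == 0:
        # Expiration forces a change, but nothing stops 'changing' to the same value.
        findings.append("red: expiration is set but history is 0, so users can "
                        "change an expired password straight back to the old one")
    elif min_age == 0:
        # history+1 changes in one sitting land back on the original password.
        findings.append(f"red: history={history} but minimum age is 0, so "
                        f"{history + 1} changes in one sitting restore the original password")
    else:
        # With a minimum age, cycling through the history takes min_age * history days.
        days = min_age * history
        if days < max_age:
            findings.append(f"note: a determined user can return to the original password "
                            f"after {days} days, inside the {max_age}-day expiration period")

    if p["lockout_threshold"] == 0:
        findings.append("red: no lockout threshold, so online guessing is unlimited")
    if p["reversible_encryption"]:
        # Windows setting 'Store passwords using reversible encryption': despite the
        # name, it is essentially plain-text storage.
        findings.append("red: reversible encryption is on, which is plain-text storage in effect")
    return findings


def red_flags(p):
    return [f for f in policy_findings(p) if f.startswith("red:")]


# Constructed policies: one with every off-setting mistake, one with a single
# gap, one that is internally consistent.
POLICIES = {
    "weak": dict(max_age_days=90, min_age_days=0, history=5,
                 lockout_threshold=0, reversible_encryption=True),
    "no_history": dict(max_age_days=60, min_age_days=1, history=0,
                       lockout_threshold=10, reversible_encryption=False),
    "consistent": dict(max_age_days=90, min_age_days=7, history=24,
                       lockout_threshold=10, reversible_encryption=False),
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(name)
        for finding in policy_findings(policy) or ["no findings"]:
            print("  " + finding)
```

The "note" case is the one that slips past a checklist review: every parameter is set, yet minimum age times history is shorter than the expiration period, so the policy still allows the original password back within a single cycle.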

Common Misconceptions

◦One size fits all password policy – should be based on the level of risk and sensitivity of the system

◦Balancing the threat of a brute-force attack on user passwords against setting an account lockout threshold (a lockout threshold also lets an attacker lock users out deliberately)

◦The longer and more complex your password is, the stronger and more secure it is

◦You are protected so long as you enforce a strong password policy

Password Policies

Common Misconceptions (continued)◦https://www.youtube.com/watch?v=opRMrEfAIiI 

Password Policies

Resources

◦ITRM Guideline SEC509-00: IT Logical Access Control Guideline (http://www.vita.virginia.gov/uploadedfiles/VITA_Main_Public/Library/LogicalAccessControlGuideline04_18_2007.pdf)

◦NIST Special Publication 800-118 (Draft), Guide to Enterprise Password Management (http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf)

Password Policies

Virginia Information Technologies Agency Website

Personally Identifiable Information, including information that describes, locates or indexes anything about an individual including financial transactions, Social Security numbers, medical history, ancestry, religion, political ideology, criminal or employment record and photographs.

Proprietary research data

Certain confidential proprietary data

Network diagrams and IP addresses

Server names and configurations

Contract cost estimates

Sensitive Data Storage: Data Types

• Compliance and legal

• Grants and funding

• Organizational reputation

• System / network intrusion

• Theft of organizational assets

• Data integrity

Sensitive Data Storage: Importance

Commonwealth of Virginia ITRM Standard SEC501-09 May 1, 2015

1.10. FAMILY: MEDIA PROTECTION

MP-1-COV Media Protection Prohibit the storage of sensitive data on any non-network storage device or media,

except for backup media, unless the data is encrypted and there is a written exception approved by the Agency Head accepting all residual risks.

MP-4 MEDIA STORAGE Secure storage includes, for example, a locked drawer, desk, or cabinet, or a

controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media.

MP-6 MEDIA SANITIZATION The organization applies nondestructive sanitization techniques to portable storage

devices prior to connecting such devices to the information system under the following circumstances. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks.

Sensitive Data Storage: Best Practices

Identify and classify sensitive data elements in your data

Know what policies and standards apply to each data element

Know the necessary business uses for the sensitive data

Store sensitive data in the least mobile, most secured locations

Store sensitive data with the least access possible

Maintain a secured state as continuously as possible

Utilize strong, standardized full-device or container encryption and employ proper encryption key management

Know why an element of sensitive data is necessary and do not collect sensitive data unless there is an absolute business necessity. Collecting only a portion of sensitive data may be sufficient, such as the last four digits of a credit card number or social security number.

Sensitive Data Storage: Best Practices
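Two of the practices above, identifying the sensitive data elements in your data and collecting only a portion of them, are shown together in this added example (not from the CUAV presentation). It scans a constructed CSV extract for Social Security numbers and card numbers, uses the Luhn check so that order numbers and other 16-digit runs are not reported as cards, and reduces each hit to its last four digits. The extract and the names in it are made up, and the patterns are deliberately narrow (US SSNs and 16-digit card numbers only).

```python
"""Locate SSNs and card numbers in a data extract and reduce them to the
last four digits.

Added example, not from the CUAV slides. The extract is constructed; the
patterns are deliberately narrow (US SSNs and 16-digit card numbers) and
would need extending for other data elements.
"""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits):
    """Luhn check: filters out most 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, matched text) for every SSN and Luhn-valid card number."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("pan", m.group()))
    return hits


def keep_last_four(value):
    """Mask everything but the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_extract(text):
    """The 'collect only a portion' practice applied to an existing extract."""
    for _kind, value in find_sensitive(text):
        text = text.replace(value, keep_last_four(value))
    return text


# Constructed extract: two card test numbers that pass Luhn, two SSN-shaped
# values, and order numbers that look like cards but fail Luhn.
SAMPLE_EXTRACT = """\
id,name,ssn,card,order
1,Alice Example,123-45-6789,4111 1111 1111 1111,ORD 1234 5678 9012 3457
2,Bob Example,321-54-9876,5500-0000-0000-0004,ORD 0000 0000 0000 0001
"""

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE_EXTRACT):
        print(f"{kind}: {value} -> {keep_last_four(value)}")
    print(mask_extract(SAMPLE_EXTRACT))
```

Pointed at the local drives, network shares and removable media named in the red flags later in this section, the same scan is how an auditor tests the claim "we know everywhere our sensitive data is stored" rather than accepting it.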

• “We know everywhere our sensitive data is stored”

• “Everyone is aware of data policies and standards”

• “Drives are as secure as a managed database”

• “It’s highly secure because it’s encrypted” (encryption protects data at rest; a decrypted copy, or anything that holds the key, is not protected by it)

• Assuming control strength is essentially the same across a variety of storage media and storage situations.

Sensitive Data Storage: Misconceptions

Failure to systematically classify data

No set policies for data management

User awareness training is absent or informal

Weak or absent technical controls to enforce policies

Business pressure drives control design/implementation

Not encrypting data before uploading to the Cloud

Large volume of data extracts stored in various formats on local drives, network shares and removable media.

Sensitive Data Storage: Red Flags

• National Institute of Standards and Technology, NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-53-rev4/sp800-53r4_summary.pdf

• Virginia Information Technologies Agency, Information Security Management Standard SEC 501-09: https://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public/Library/PSGs/Information_Security_Standard_SEC501.pdf

• NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

Sensitive Data Storage: Resources

What is it?

◦Controls to manage changes, updates, or modifications to hardware, operating systems, applications, and databases

◦It’s the process used to request, review, specify, plan, approve, and implement changes

Production Change Controls

Why is it important?

◦Significant risk that unauthorized, unapproved, or untested changes may be introduced into the production environment

◦Critical system failure/disruption of IT services due to unforeseen technical problems

◦Potential security implications

Production Change Controls

Best Practices

◦Needs to be appropriate separation of duties between who can request a change, approve a change, develop a change, test the change, and move the change into production

Production Change Controls

Best Practices (continued)

◦Ideally systems should have at least three separate environments for development, testing and production

The test and production environments should be as similar as possible

If cost prohibits having three environments, testing and development could take place in the same environment; but development activity would need to be closely managed during acceptance testing

Production Change Controls

Best Practices (continued)

◦As a general principle development and production should always be separate with no crossover

Developers should not have access to production systems

Developers may be granted access to production for emergency changes using pre-established accounts for this purpose at the time of need

Production Change Controls

Best Practices (continued)

◦No code should ever be installed in a production environment that has not been approved and tested

◦Not only test that the changes are operating as intended, but verify that only intended and approved changes were made and assess their impact on operations and security

◦A back-out plan needs to be established for the specific changes that describes how a failed change can be restored to its previous state

Production Change Controls

Common Misconceptions

◦Only changes of a certain size need to be documented

At a minimum a change log should be maintained that includes a brief functional description of the change; date the change was implemented; who made the change; who authorized the change; and what technical elements were affected by the change

◦“We manually log/track all changes, so all changes are known” (a manual log records only what someone chose to write down; compare it against what actually changed in production)

Production Change Controls

Red Flags◦Only a production environment exists

◦No mechanism to detect and log changes being moved to production

◦Nothing supporting version control

◦The number of “emergency changes” far exceeds the number of normal changes

Production Change Controls
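The best practice of verifying that only intended and approved changes were made, and the red flag of having no mechanism to detect changes reaching production, come down to the same test: compare what is on the production host with a trusted baseline, then match every difference to an approved change record. The following added example (not from the CUAV presentation) does that over constructed in-memory data; the file tree, the hashes, the change records and ticket identifiers such as CHG-2001 are made up, and in practice the baseline would be a signed manifest kept off the production host.

```python
"""Detect production changes that no approved change record explains.

Added example, not from the CUAV slides. The baseline manifest, the current
file tree, the change records and the ticket identifiers are constructed in
memory; in practice the baseline would be a signed manifest kept off the
production host and the scan would run against the real file system.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def manifest(files):
    """{path: sha256} for a {path: bytes} tree."""
    return {path: sha256(content) for path, content in files.items()}


def diff_manifests(baseline, current):
    """Paths added, removed or modified between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def unauthorized_changes(baseline, current, change_log):
    """Every changed path must match an approved record, and the hash on disk
    must equal the hash that was approved and tested.

    change_log records: {"id", "approved_by", "files": {path: sha256 or None}};
    None means an approved deletion. Records without an approver do not count."""
    approved = {}
    for rec in change_log:
        if rec.get("approved_by"):
            for path, digest in rec["files"].items():
                approved[path] = (rec["id"], digest)

    findings = []
    added, removed, modified = diff_manifests(baseline, current)
    for path in added + modified:
        if path not in approved:
            findings.append((path, "changed with no approved change record"))
        elif approved[path][1] != current[path]:
            findings.append((path, f"differs from the artifact approved in {approved[path][0]}"))
    for path in removed:
        if path not in approved or approved[path][1] is not None:
            findings.append((path, "removed with no approved change record"))
    return findings


# Constructed trees and change log.
BASELINE_FILES = {
    "app/billing.py": b"def charge(): return 1\n",
    "app/config.ini": b"debug=0\n",
    "app/legacy.py": b"# to be retired\n",
}
CURRENT_FILES = {
    "app/billing.py": b"def charge(): return 2\n",   # approved change, but not this exact build
    "app/config.ini": b"debug=1\n",                  # nobody approved this
    "app/report.py": b"print('report')\n",           # requested, never approved
}
CHANGE_LOG = [
    {"id": "CHG-2001", "approved_by": "CAB",
     "files": {"app/billing.py": sha256(b"def charge(): return 3\n"),  # the tested build
               "app/legacy.py": None}},                                # approved removal
    {"id": "CHG-2002", "approved_by": None,
     "files": {"app/report.py": sha256(b"print('report')\n")}},
]


def audit():
    return unauthorized_changes(manifest(BASELINE_FILES), manifest(CURRENT_FILES), CHANGE_LOG)


if __name__ == "__main__":
    for path, reason in audit():
        print(f"{path}: {reason}")
```

Three of the four differences are findings: a file added under a change that was requested but never approved, a configuration edit with no record at all, and an approved change whose deployed build is not the one that was tested. The approved deletion is the only difference the change log explains.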

Resources

◦COBIT 5: Build, Acquire and Implement (BAI) 06 Manage Changes (available through ISACA membership)

Production Change Controls

• Components of data quality: accuracy, completeness, validity, consistency

• Accuracy refers to “correctness” of value and format.

• Integrity refers to maintaining and assuring accuracy through prevention of unintentional changes over its entire life-cycle.

• Both are dependent on system design, implementation, operation and usage.

• The successful input of data into a system not meeting the standard for correctness is a data accuracy failure.

• Any unintended change to data, whatever the cause, is a failure of data integrity.

Data Accuracy & Integrity: What is it?

Business intelligence

Life critical systems

Record retention and compliance (Clery Act, Sarbanes-Oxley, Do Not Call Registry, HIPAA)

Error propagation through depts. and business functions.

Duplication of records

Erroneous reports and filings

Communication errors

Data Accuracy & Integrity: Importance

• Do not rely solely on system design and operation

• Establish a formal data control function

• Conduct cause and effect analysis on any noted errors, omissions or exceptions

• Develop methods to detect/correct data issues in real time

• Design error checking routines into data interfaces

• Communicate data standards and definitions

• Limit data feeds to the systems of record

• Lock or signature stamp archives and templates

• Audit and test data records and files

Data Accuracy & Integrity: Best Practices

• What should be tested?

−Closed records

−Permanent records

−Fee schedules

−Calculated values

−Spreadsheets

Data Accuracy & Integrity: Testing

• Comparative Tests

−File signatures

−Content based tools

−Source records to extracts

Data Accuracy & Integrity: Testing

• Rule Based Tests

−Format consistency

−Boundary checks

−Completeness

−Invalid duplication

Data Accuracy & Integrity: Testing
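The rule-based tests (format consistency, boundary checks, completeness, invalid duplication) and the comparative tests (file signatures, source records to extracts) from the three testing slides above, run over a constructed fee-schedule extract as an added example; this is not code from the CUAV presentation. The records, the format rules, the amount boundary and the source/extract pair are all made up for illustration.

```python
"""Rule-based and comparative data tests over a constructed fee-schedule extract.

Added example, not from the CUAV slides. The records, the format rules, the
amount boundary and the source/extract pair are all constructed.
"""
import csv
import hashlib
import io
import re
from collections import Counter

SOURCE_CSV = """\
student_id,term,fee_code,amount,posted
S1001,2015FA,TUIT,4500.00,2015-08-01
S1002,2015FA,TUIT,4500.00,2015-08-01
S1003,2015FA,LAB,-25.00,2015-08-02
S1004,2015FA,TUIT,,2015-08-03
S1002,2015FA,TUIT,4500.00,2015-08-01
S10x5,2015FA,TUIT,4500.00,08/03/2015
"""

# The extract a department produced from the source: one row dropped, one
# amount altered. Same header, so a column-count check alone would pass it.
EXTRACT_CSV = """\
student_id,term,fee_code,amount,posted
S1001,2015FA,TUIT,4050.00,2015-08-01
S1002,2015FA,TUIT,4500.00,2015-08-01
S1004,2015FA,TUIT,,2015-08-03
S1002,2015FA,TUIT,4500.00,2015-08-01
S10x5,2015FA,TUIT,4500.00,08/03/2015
"""

RULES = {                                   # format consistency (assumed formats)
    "student_id": re.compile(r"^S\d{4}$"),
    "term": re.compile(r"^\d{4}(FA|SP|SU)$"),
    "posted": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}
AMOUNT_RANGE = (0.0, 20000.0)               # boundary check (assumed)
KEY = ("student_id", "term", "fee_code")    # one fee line per student, term and code


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def rule_based_tests(rows):
    """(line, field, problem) for format, completeness, boundary and duplicate failures."""
    findings = []
    key_counts = Counter(tuple(r[k] for k in KEY) for r in rows)
    for line, r in enumerate(rows, start=2):       # header is line 1
        for field, pattern in RULES.items():
            if not pattern.match(r[field]):
                findings.append((line, field, "format"))
        if r["amount"] == "":
            findings.append((line, "amount", "missing"))
        elif not AMOUNT_RANGE[0] <= float(r["amount"]) <= AMOUNT_RANGE[1]:
            findings.append((line, "amount", "out of range"))
        if key_counts[tuple(r[k] for k in KEY)] > 1:
            findings.append((line, "+".join(KEY), "duplicate key"))
    return findings


def file_signature(text):
    return hashlib.sha256(text.encode()).hexdigest()


def source_to_extract(source_text, extract_text):
    """Comparative test: signatures first, then row-level differences if they differ."""
    if file_signature(source_text) == file_signature(extract_text):
        return {"identical": True, "missing_from_extract": [], "extra_in_extract": []}
    src = Counter(source_text.splitlines()[1:])
    ext = Counter(extract_text.splitlines()[1:])
    return {"identical": False,
            "missing_from_extract": sorted((src - ext).elements()),
            "extra_in_extract": sorted((ext - src).elements())}


if __name__ == "__main__":
    for line, field, problem in rule_based_tests(load(SOURCE_CSV)):
        print(f"line {line}: {field}: {problem}")
    print(source_to_extract(SOURCE_CSV, EXTRACT_CSV))
```

The signature comparison is cheap and settles the question when the answer is "identical"; when it is not, the row-level multiset difference says exactly which records were dropped or altered, which is what the "unvetted ad hoc reports and extracts" red flag is about.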

Overreliance on soft controls

Relying on weak or fuzzy matching algorithms

Relying on default system/application controls

Structural database updates / system conversion

Weak or absent data control function or processes

Unvetted ad hoc reports, update queries and scripts

Instances of workarounds and manual corrections

Data Accuracy & Integrity: Red Flags

• The Practitioner's Guide to Data Quality Improvement by David Loshin http://dataqualitybook.com/

• Experian Data Quality Resource Centerhttps://www.edq.com/resource-center/

Data Accuracy & Integrity: Resources

Michelle Workman: [email protected]

Glenn Wilson: [email protected]

Thank You!

Feel free to contact us for any additional information