Shedding Light on Key Controls
IT AUDITING FOR NON-IT AUDITORS
Michelle Workman
George Mason University
Glenn Wilson
Old Dominion University
CUAV 2015 Conference
User Account Management
What is it?
◦Managing the life-cycle of user accounts: requesting, approving, administering, and terminating
Why is it important?
◦Authorized users may use accounts for unauthorized purposes
◦Unauthorized users may use/exploit accounts for unauthorized and sometimes malicious purposes
User Account Management
Best Practices:
◦Documented account management policy that formalizes the process for requesting, granting, administering, and terminating accounts
◦Access is granted on the principles of least privilege and separation of duties
◦Limit/Prohibit the use of generic and shared accounts
User Account Management
Best Practices (continued):
◦Require prompt notification when a user account is no longer required or a user’s access level requirements change
◦Periodically review all user accounts and corresponding privileges
−Avoid privilege creep with user access recertifications
−Avoid rubber stamping: occurs when business units are asked to review and approve “cryptic” access privileges
User Account Management
Best Practices (continued):
◦Monitoring account usage to identify:
−Dormant accounts
−Users who have logged in during unusual hours
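The review the last three slides describe (periodic recertification against a role baseline, dormant accounts, logins at unusual hours) can be run as a script over an account inventory and a login log. The example below is added here and is not from the slides or from either university; the log layout, the 90-day dormancy threshold, the 07:00 to 18:59 business-hours window and the role baselines are constructed assumptions.

```python
"""Account-usage review: dormant accounts, off-hours logins and privilege creep.

Added example, not from the original slides.  The log layout, the 90-day
dormancy threshold, the business-hours window and the role baselines are
all constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 90                 # assumption: no login in 90 days = dormant
BUSINESS_HOURS = range(7, 19)     # assumption: 07:00-18:59 is "normal"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: the account inventory and a successful-login log.
ACCOUNTS = ["alice", "bob", "carol", "svc_backup"]
LOGINS = [
    ("alice", "2015-05-01 09:15:00"),
    ("alice", "2015-05-20 16:40:00"),
    ("bob",   "2015-01-03 10:00:00"),
    ("carol", "2015-05-18 02:30:00"),
    ("carol", "2015-05-19 11:05:00"),
]
AS_OF = datetime(2015, 6, 1)

# Constructed role baselines and actual grants for the recertification check.
ROLE_BASELINE = {
    "payroll_clerk": {"payroll.read"},
    "dba": {"db.admin", "db.read"},
}
USER_ROLES = {"alice": "payroll_clerk", "carol": "dba"}
GRANTED = {
    "alice": {"payroll.read", "payroll.approve", "db.read"},
    "carol": {"db.admin", "db.read"},
}


def parse_logins(logins):
    """Turn (account, 'YYYY-MM-DD HH:MM:SS') pairs into (account, datetime)."""
    return [(acct, datetime.strptime(ts, TS_FORMAT)) for acct, ts in logins]


def dormant_accounts(accounts, logins, as_of, days=DORMANT_DAYS):
    """Accounts with no successful login in the last `days` days.

    Accounts that never appear in the log are reported too: an account
    nobody uses is exactly the one nobody notices being misused.
    """
    last_seen = {}
    for acct, ts in parse_logins(logins):
        if ts > last_seen.get(acct, datetime.min):
            last_seen[acct] = ts
    cutoff = as_of - timedelta(days=days)
    return sorted(a for a in accounts if last_seen.get(a, datetime.min) < cutoff)


def off_hours_logins(logins, hours=BUSINESS_HOURS):
    """Logins whose hour of day falls outside the business-hours window."""
    return [(acct, ts.strftime(TS_FORMAT))
            for acct, ts in parse_logins(logins) if ts.hour not in hours]


def excess_privileges(user_roles, granted, baseline):
    """Recertification helper: privileges a user holds beyond their role's baseline.

    Presenting the difference from the role baseline, rather than the full
    cryptic privilege list, is what makes the review harder to rubber-stamp.
    """
    excess = {}
    for user, role in user_roles.items():
        extra = granted.get(user, set()) - baseline[role]
        if extra:
            excess[user] = sorted(extra)
    return excess


if __name__ == "__main__":
    print("dormant:", dormant_accounts(ACCOUNTS, LOGINS, AS_OF))
    print("off-hours:", off_hours_logins(LOGINS))
    print("privilege creep:", excess_privileges(USER_ROLES, GRANTED, ROLE_BASELINE))
```

On the constructed data the script reports `bob` (last login in January) and `svc_backup` (never logged in) as dormant, `carol`'s 02:30 login as off-hours, and `alice` holding `payroll.approve` and `db.read` beyond her role, which is the kind of accumulated access a recertification is meant to surface.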
User Account Management
Common Misconceptions
◦When determining whether IDs are personal or generic, do not depend on format alone
◦Don’t only test “front door” access (a user’s access to data through an application)
◦Vendor accounts are required
◦Disabling vs. deleting user accounts
User Account Management
Red Flags
◦Generic and shared accounts
◦Common account management practices that promote violations of least privilege and separation of duties:
−Playing the short staffed card: “We have small staff and therefore have to grant broad access to lots of people”
−“We have a large staff and people change jobs and tend to accumulate the sum of all the privileges they’ve ever had”
−System limitations: “The system doesn’t support granular enough privileges”
−Account cloning: “We copy privileges for users in the same role”
Privileged Account Management
What is it?
◦An account that is used to perform tasks that an ordinary user account cannot perform
Why is it important?
◦These accounts allow users to perform elevated/sensitive tasks, often with impunity, because multiple users know the same account ID and password
Privileged Account Management
Best Practices
◦Documented policy for the management of privileged accounts
◦Reduce the complexity of privileged accounts
◦Eliminate, where possible, the practice of sharing privileged account credentials among multiple people
◦Privileged accounts should only be used to perform tasks requiring elevated rights
Privileged Account Management
Best Practices (continued)
◦Document the functionality of privileged accounts
◦Consider account “check-out” mechanisms that require an employee to log a request for specific privileged account credentials
◦Consider mechanisms that change the password associated with a privileged account a certain length of time after it has been requested for use by an employee
Privileged Account Management
Best Practices (continued)
◦Log the activity of privileged accounts; these logs should be maintained on a separate server from the one being audited so the privileged user does not have rights to change the stored logs
◦Monitor the use of privileged accounts
◦Have procedures in place to ensure that an employee no longer with the university no longer has access to privileged accounts
Privileged Account Management
Common Misconceptions
◦Privileged accounts are only at risk from attackers outside of the network
−Attackers on the inside who have hijacked a legit account for their own needs
−Staffers who abuse access for one reason or another
−Or - and most likely - a user with too much access who makes a mistake that results in a security incident
Privileged Account Management
Common Misconceptions (continued)
“When you’re in positions of privileged access, like a systems administrator, you’re exposed to a lot more information on a broader scale than the average employee,” says Snowden. “Because of that you see things that may be disturbing. Over the course of a normal person’s career, you’d only see one or two instances, but when you see everything, you see them on a more frequent basis.”
Privileged Account Management
Common Misconceptions (continued)
◦Only a few trusted individuals know the passwords for privileged accounts
Privileged Account Management
Red Flags
◦Users of privileged accounts do not have a separate, less privileged account to perform day to day tasks (e.g., checking email)
◦Weak password policy: privileged passwords are frequently not subject to a policy requiring regular password changes or locking the account after so many failed login attempts
◦Passwords for privileged application, service, and batch accounts are often embedded/hard coded and stored in plain text
Account Management
Resources
◦SANS Critical Security Controls (http://www.sans.org/critical-security-controls/)
−Control #16: Account Monitoring and Control
−Control #12: Controlled Use of Administrative Privileges
◦ITRM Guideline SEC509-00: IT Logical Access Control Guideline (http://www.vita.virginia.gov/uploadedfiles/VITA_Main_Public/Library/LogicalAccessControlGuideline04_18_2007.pdf)
Data Backup: What is the Objective?
The backup method must ensure the required recovery.
Recovery time objective (RTO) = Statement of duration and service level within which a business function must be restored after a disruption, to avoid unacceptable consequential loss.
Recovery point objective (RPO) = Statement of data loss related to backup points and service recovery time.
Data Backup: Why is it Important?
The odds are strong that you will need them:
Hardware failures
Soft failures / data corruption
File and transaction deletions
Failed upgrades
Malicious activity
Data Backup: Methods
File level backups
Block level backups
Transactional logs
Real-time replication
Virtual snapshots
Disk imaging
Data Backup: Schemes
Full
Full + Differential
Full Backup + Incremental Backups
Rotations
−First In, First Out
−Grandfather-father-son
−Tower of Hanoi
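The three schemes differ in which backup sets a restore depends on, and that dependency is what ties a scheme to the RPO on the objective slide: the data-loss window is the same for all three, but the number of sets that must all be readable is not. The example below is added here and is not from the slides; the weekly schedule (a full backup every Sunday at 02:00 and one daily set at 02:00 on the other days), the Thursday-afternoon failure time and the RPO values are constructed assumptions.

```python
"""Which backup sets a restore needs under each scheme, and the resulting data loss.

Added example, not from the original slides.  The weekly schedule, the
failure time and the RPO values are constructed assumptions.
"""
from datetime import datetime, timedelta

WEEK_START = datetime(2015, 5, 3, 2, 0)        # a Sunday, 02:00 (constructed)
FAILURE_TIME = datetime(2015, 5, 7, 14, 0)     # Thursday afternoon (constructed)
RPO = timedelta(hours=24)                      # assumed stated RPO
RPO_STRICT = timedelta(hours=8)                # a tighter RPO for comparison
ONE_DAY = timedelta(days=1)


def weekly_schedule(scheme, start=WEEK_START):
    """Seven (timestamp, kind) sets: a full on day 0, then one daily set of
    the kind the scheme uses ('full', 'differential' or 'incremental')."""
    if scheme not in ("full", "differential", "incremental"):
        raise ValueError(scheme)
    sets = [(start, "full")]
    for day in range(1, 7):
        sets.append((start + day * ONE_DAY, scheme))
    return sets


def restore_chain(backups, failure_time):
    """The sets that must all be readable, in restore order, to recover the
    newest state captured before `failure_time`.

    full:         only the newest full
    differential: newest full + the newest differential taken after it
    incremental:  newest full + every incremental taken after it
    """
    usable = [b for b in backups if b[0] <= failure_time]
    last_full = max(i for i, (_, kind) in enumerate(usable) if kind == "full")
    chain = [usable[last_full]]
    later = usable[last_full + 1:]
    if later and later[-1][1] == "differential":
        chain.append(later[-1])
    elif later and later[-1][1] == "incremental":
        chain.extend(later)
    return chain


def data_loss_window(chain, failure_time):
    """Time between the newest set in the chain and the failure: the recovery
    point actually achieved, to be compared against the stated RPO."""
    return failure_time - chain[-1][0]


def chain_intact(chain, unreadable):
    """False if any set the restore depends on is in `unreadable`."""
    return not any(s in unreadable for s in chain)


def scheme_report(scheme, failure_time=FAILURE_TIME, rpo=RPO):
    """Summarise one scheme: sets needed, data loss, RPO met, and whether
    the restore survives Wednesday's set (index 3) being unreadable."""
    backups = weekly_schedule(scheme)
    chain = restore_chain(backups, failure_time)
    loss = data_loss_window(chain, failure_time)
    return {
        "sets_needed": len(chain),
        "loss_hours": loss.total_seconds() / 3600,
        "rpo_met": loss <= rpo,
        "survives_lost_wednesday": chain_intact(chain, [backups[3]]),
    }


if __name__ == "__main__":
    for scheme in ("full", "differential", "incremental"):
        print(scheme, scheme_report(scheme))
```

For the constructed failure every scheme loses the same 12 hours of data, so all three meet a 24-hour RPO and none meets an 8-hour one; the difference is that the incremental restore needs five readable sets and fails if Wednesday's set is bad, which is why recovery testing (not just backup success reports) belongs in the best practices.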
Data Backup: Best Practices
Conduct a formal business impact analysis
Geographically separate backups
Establish a lifecycle operations calendar
Conduct recovery objective testing
Classify data to establish required security
Design a monitoring and remediation workflow
Conduct tape and file inventory audits
Protect the backup database or catalog
Data Backup: Misconceptions
Everything is all backed up
Info Technology Services handles it all
Assuming that all backups are secure
We don’t need local backups because the vendor can/will provide the data
Data Backup: Red Flags
No formal communication of recovery objectives
Mismatched recovery objectives and backup methods
Infrequent or absent full restorative testing
Missing or weak error handling procedures
Missing or weak vaulting or data inventory procedures
Diminished data management and security standards
Missing or weak contractual agreements
Data Backup: Resources
• NIST Special Publication 800-34 Contingency Planning Guide for Federal Information Systems http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf
• United States Computer Emergency Readiness Team https://www.us-cert.gov
• Iron Mountain http://www.ironmountain.com/Knowledge-Center.aspx
Password Policies
What is it?
◦A set of rules designed to enhance security by requiring users to employ strong passwords and use them properly
Why is it important?
◦Without a strong policy enforcing password requirements, people continue to choose bad passwords and protection practices
Password Policies
SplashData released its annual list of the 25 most common passwords found on the Internet
Shows that many people continue to put themselves at risk by using weak, easily guessable passwords
Password Policies
Best Practices
◦There is no one size fits all password policy – requirements should be commensurate with the level of risk and sensitivity of the system
◦The password policy should also include human factors (social engineering factors) to ensure the integrity of the user’s password
◦Prohibit the transmission and storage of passwords in clear text
Password Policies
Red Flags
◦“Off setting” password parameters
−If password history is not set, then password expiration is negated
−If minimal password age is set too low, users can change their password repeatedly in the same day until password history is exceeded, and begin reusing their original password
◦(specific to a Windows environment): the “Store passwords using reversible encryption” setting is misleading
◦Forgotten passwords are reissued
Password Policies
Common Misconceptions
◦One size fits all password policy – should be based on the level of risk and sensitivity of the system
◦Balancing the threat of a brute force attack on user passwords vs setting an account lockout threshold
◦The longer and more complex your password is, the stronger and more secure it is
◦You are protected so long as you enforce a strong password policy
Password Policies
Common Misconceptions (continued)
◦https://www.youtube.com/watch?v=opRMrEfAIiI
Password Policies
Resources
◦ITRM Guideline SEC509-00: IT Logical Access Control Guideline (http://www.vita.virginia.gov/uploadedfiles/VITA_Main_Public/Library/LogicalAccessControlGuideline04_18_2007.pdf)
◦NIST Special Publication 800-118 (Draft) (http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf)
Sensitive Data Storage: Data Types
Virginia Information Technologies Agency Website
Personally Identifiable Information, including information that describes, locates or indexes anything about an individual including financial transactions, Social Security numbers, medical history, ancestry, religion, political ideology, criminal or employment record and photographs.
Proprietary research data
Certain confidential proprietary data
Network diagrams and IP addresses
Server names and configurations
Contract cost estimates
Sensitive Data Storage: Importance
• Compliance and legal
• Grants and funding
• Organizational reputation
• System / network intrusion
• Theft of organizational assets
• Data integrity
Sensitive Data Storage: Best Practices
Commonwealth of Virginia ITRM Standard SEC501-09 May 1, 2015
1.10. FAMILY: MEDIA PROTECTION
MP-1-COV Media Protection: Prohibit the storage of sensitive data on any non-network storage device or media, except for backup media, unless the data is encrypted and there is a written exception approved by the Agency Head accepting all residual risks.
MP-4 MEDIA STORAGE: Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media.
MP-6 MEDIA SANITIZATION: The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks.
Sensitive Data Storage: Best Practices
Identify and classify sensitive data elements in your data
Know what policies and standards apply to each data element
Know the necessary business uses for the sensitive data
Store sensitive data in the least mobile, most secured locations
Store sensitive data with the least access possible
Maintain a secured state as continuously as possible
Utilize strong, standardized full-device or container encryption and employ proper encryption key management
Know why an element of sensitive data is necessary and do not collect sensitive data unless there is an absolute business necessity. Collecting only a portion of sensitive data may be sufficient, such as the last four digits of a credit card number or social security number.
Sensitive Data Storage: Misconceptions
• Knowing everywhere their sensitive data is stored
• Everyone is aware of data policies and standards
• Drives are as secure as a managed database
• It’s highly secure because it’s encrypted
• Assuming control strength is essentially the same across a variety of storage media and storage situations.
Sensitive Data Storage: Red Flags
Failure to systematically classify data
No set policies for data management
User awareness training is absent or informal
Weak or absent technical controls to enforce policies
Business pressure drives control design/implementation
Not encrypting data before uploading to the Cloud
Large volume of data extracts stored in various formats on local drives, network shares and removable media.
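The last red flag (extracts scattered over local drives and shares) and the misconception that an organization knows everywhere its sensitive data is stored are usually tested the same way: a scan of the extracts for Social Security and card-number patterns, with a Luhn check to discard numbers that merely look like card numbers, reporting only the last four digits, as the best-practices slide recommends collecting. The example below is added here and is not from the slides; the sample extract is constructed (4111 1111 1111 1111 is a widely used test card number and the SSNs are fabricated), and the column names are assumptions.

```python
"""Finding sensitive data in stray extracts: SSN and card-number patterns with
a Luhn check, reported in masked form.

Added example, not from the original slides.  The sample extract is
constructed (4111 1111 1111 1111 is a widely used test card number, the
SSNs are fabricated) and the column names are assumptions.
"""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample extract, the kind found on a departmental share.
SAMPLE_EXTRACT = """id,name,ssn,card,phone
1,Jane Doe,123-45-6789,4111 1111 1111 1111,555-123-4567
2,John Roe,n/a,4111111111111112,555-987-6543
3,Ann Poe,987-65-4321,,555-555-0100
"""


def luhn_ok(number):
    """Luhn checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Keep only the last `keep` digits, so findings can be logged safely."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(text, source="<memory>"):
    """Return one finding per SSN-shaped or Luhn-valid card-shaped value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "type": "ssn", "value": mask(m.group())})
        for m in CARD_RE.finditer(line):
            if luhn_ok(m.group()):   # drops order numbers etc. that fail the checksum
                findings.append({"source": source, "line": lineno,
                                 "type": "card", "value": mask(m.group())})
    return findings


def scan_paths(paths):
    """Scan text files on disk (e.g. the *.csv and *.txt under a share)."""
    findings = []
    for path in paths:
        with open(path, "r", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), source=str(path)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXTRACT, source="extract.csv"):
        print(f)
```

On the constructed extract the scan reports two SSNs and one card number; the 16-digit value on the second row is skipped because it fails the Luhn check, which is what keeps a scan over thousands of extracts from drowning in false positives. The findings carry only masked values, so the scan report itself does not become another copy of the sensitive data.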
Sensitive Data Storage: Resources
• National Institute of Standards and Technology NIST SP800-53 Revision 4 Cybersecurity Framework http://csrc.nist.gov/publications/nistpubs/800-53-rev4/sp800-53r4_summary.pdf
• Virginia Information Technologies Agency Information Security Management Standard SEC 501-09 https://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public/Library/PSGs/Information_Security_Standard_SEC501.pdf
• NIST Special Publication 800-111 Guide to Storage Encryption Technologies for End User Devices http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
Production Change Controls
What is it?
◦Controls to manage changes, updates, or modifications to hardware, operating systems, applications, and databases
◦It’s the process used to request, review, specify, plan, approve, and implement changes
Production Change Controls
Why is it important?
◦Significant risk that unauthorized, unapproved, or untested changes may be introduced into the production environment
◦Critical system failure/disruption of IT services due to unforeseen technical problems
◦Potential security implications
Production Change Controls
Best Practices
◦There needs to be appropriate separation of duties between who can request a change, approve a change, develop a change, test the change, and move the change into production
Production Change Controls
Best Practices (continued)
◦Ideally systems should have at least three separate environments for development, testing and production
−The test and production environments should be as similar as possible
−If cost prohibits having three environments, testing and development could take place in the same environment; but development activity would need to be closely managed during acceptance testing
Production Change Controls
Best Practices (continued)
◦As a general principle development and production should always be separate with no crossover
−Developers should not have access to production systems
−Developers may be granted access to production for emergency changes using pre-established accounts for this purpose at the time of need
Production Change Controls
Best Practices (continued)
◦No code should ever be installed in a production environment that has not been approved and tested
◦Not only test that the changes are operating as intended, but also verify that only intended and approved changes were made and assess their impact on operations and security
◦A back-out plan needs to be established for the specific changes that describes how a failed change can be restored to its previous state
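"Verify that only intended and approved changes were made" is a concrete test once the approved change carries the expected hash of each file it touches: a snapshot of production before and after the change window is reconciled against that list, and anything else that moved is unapproved. The same script can check the change log for the minimum fields the later misconception slide lists and for emergency changes outnumbering normal ones. The example below is added here and is not from the slides; file contents, paths, the change-log entries and the CR-EXAMPLE ids are constructed placeholders, and in practice the snapshots would come from a file-integrity tool run on the production host.

```python
"""Verifying that only approved changes reached production, and that the
change log records the minimum fields.

Added example, not from the original slides.  File contents, paths, the
approved-change record and the change-log entries are constructed; the
CR-EXAMPLE ids are placeholders.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed production state before the change window.
BEFORE = {
    "app/login.py": b"def login(u, p):\n    return check(u, p)\n",
    "app/report.py": b"def report():\n    return build()\n",
    "etc/app.conf": b"debug=false\n",
}

# Constructed approved change: the files it may touch and the content hash
# each must have once deployed (taken from the tested release).
APPROVED_FILES = {
    "app/report.py": sha256(b"def report():\n    return build(fast=True)\n"),
}

# Constructed production state after deployment.
AFTER = {
    "app/login.py": b"def login(u, p):\n    return check(u, p)\n",
    "app/report.py": b"def report():\n    return build(fast=True)\n",
    "etc/app.conf": b"debug=true\n",           # not part of the approved change
    "app/hotfix.py": b"print('temporary')\n",  # neither is this new file
}


def snapshot(tree):
    """path -> content hash for a file tree given as {path: bytes}."""
    return {path: sha256(content) for path, content in tree.items()}


def reconcile(before, after, approved_files):
    """Classify every difference between the two snapshots.

    approved:    changed exactly as the approved change specified
    unexpected:  changed, added or removed without approval
    not_applied: approved file that does not show the expected hash afterwards
    """
    before_h, after_h = snapshot(before), snapshot(after)
    result = {"approved": [], "unexpected": [], "not_applied": []}
    for path in sorted(set(before_h) | set(after_h)):
        old, new = before_h.get(path), after_h.get(path)
        if old == new:
            continue                              # untouched
        if new is not None and new == approved_files.get(path):
            result["approved"].append(path)
        else:
            result["unexpected"].append(path)
    for path, expected in approved_files.items():
        if after_h.get(path) != expected:
            result["not_applied"].append(path)
    return result


# Minimum change-log content: description, date, who made it, who
# authorized it, and what technical elements were affected.
REQUIRED_LOG_FIELDS = ("description", "date", "implemented_by",
                       "authorized_by", "components")

# Constructed change-log entries.
CHANGE_LOG = [
    {"id": "CR-EXAMPLE-001", "description": "faster report build", "date": "2015-05-07",
     "implemented_by": "dev1", "authorized_by": "mgr1",
     "components": ["app/report.py"], "emergency": False},
    {"id": "CR-EXAMPLE-002", "description": "hotfix", "date": "2015-05-08",
     "implemented_by": "dev2", "authorized_by": "", "components": [], "emergency": True},
    {"id": "CR-EXAMPLE-003", "description": "config tweak", "date": "2015-05-08",
     "implemented_by": "dev2", "authorized_by": "dev2",
     "components": ["etc/app.conf"], "emergency": True},
]


def change_log_gaps(entries):
    """Entries missing any of the minimum fields, with the fields they lack."""
    gaps = {}
    for e in entries:
        missing = [f for f in REQUIRED_LOG_FIELDS if not e.get(f)]
        if missing:
            gaps[e["id"]] = missing
    return gaps


def self_authorized(entries):
    """Separation-of-duties check: the implementer approved their own change."""
    return [e["id"] for e in entries
            if e.get("authorized_by") and e["authorized_by"] == e.get("implemented_by")]


def emergency_ratio(entries):
    """Share of changes flagged as emergencies; above 0.5 they outnumber normal ones."""
    return sum(1 for e in entries if e.get("emergency")) / len(entries)


if __name__ == "__main__":
    print(reconcile(BEFORE, AFTER, APPROVED_FILES))
    print(change_log_gaps(CHANGE_LOG), self_authorized(CHANGE_LOG), emergency_ratio(CHANGE_LOG))
```

On the constructed data the reconciliation accepts the approved `app/report.py` change and flags `etc/app.conf` and the new `app/hotfix.py` as unapproved, while the log check finds one entry with no authorizer and no affected components, one self-authorized entry, and emergencies making up two of three changes.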
Production Change Controls
Common Misconceptions
◦Only changes of a certain size need to be documented
−At a minimum a change log should be maintained that includes a brief functional description of the change; date the change was implemented; who made the change; who authorized the change; and what technical elements were affected by the change
◦We manually log/track all changes, so all changes are known
Production Change Controls
Red Flags
◦Only a production environment exists
◦No mechanism to detect and log changes being moved to production
◦Nothing supporting version control
◦The number of “emergency changes” far exceeds the number of normal changes
Production Change Controls
Resources
◦COBIT: Build, Acquire and Implement (BAI)06 Manage Changes (through ISACA membership)
Data Accuracy & Integrity: What is it?
• Components of data quality (accuracy, completeness, validity, consistency)
• Accuracy refers to “correctness” of value and format.
• Integrity refers to maintaining and assuring accuracy through prevention of unintentional changes over its entire life-cycle.
• Both are dependent on system design, implementation, operation and usage.
• The successful input of data into a system not meeting the standard for correctness is a data accuracy failure.
• Unintended changes to data resulting from any cause are a failure of data integrity.
Data Accuracy & Integrity: Importance
Business intelligence
Life critical systems
Record retention and compliance (Clery Act, Sarbanes-Oxley, Do Not Call Registry, HIPAA)
Error propagation through depts. and business functions.
Duplication of records
Erroneous reports and filings
Communication errors
Data Accuracy & Integrity: Best Practices
• Do not rely solely on system design and operation
• Establish a formal data control function
• Conduct cause and effect analysis on any noted errors, omissions or exceptions
• Develop methods to detect/correct data issues in real time
• Design error checking routines into data interfaces
• Communicate data standards and definitions
• Limit data feeds to the systems of record
• Lock or signature stamp archives and templates
• Audit and test data records and files
Data Accuracy & Integrity: Testing
• What should be tested?
−Closed records
−Permanent records
−Fee schedules
−Calculated values
−Spreadsheets
Data Accuracy & Integrity: Testing
• Comparative Tests
−File signatures
−Content based tools
−Source records to extracts
Data Accuracy & Integrity: Testing
• Rule Based Tests
−Format consistency
−Boundary checks
−Completeness
−Invalid duplication
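The two testing slides above map directly onto code: the rule-based tests (format consistency, boundary checks, completeness, invalid duplication) run over each record of an extract, and the comparative tests (a file signature, and source records against the extract) run between the system of record and the extract. The example below is added here and is not from the slides; it uses a constructed fee-schedule extract with deliberate defects, and the record layout, the 0 to 5000 fee range and the ISO date rule are assumptions.

```python
"""Rule-based and comparative data tests over a constructed fee-schedule extract.

Added example, not from the original slides.  The record layout, the rule
parameters and the source/extract pair are constructed assumptions.
"""
import hashlib
import re
from collections import Counter

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # assumed format: ISO date
REQUIRED = ("id", "course", "fee", "effective")
FEE_MIN, FEE_MAX = 0.0, 5000.0                 # assumed plausible fee range

# Constructed "system of record".
SOURCE = [
    {"id": "F001", "course": "BIO101", "fee": "150.00", "effective": "2015-08-01"},
    {"id": "F002", "course": "CHM101", "fee": "175.00", "effective": "2015-08-01"},
    {"id": "F003", "course": "PHY201", "fee": "200.00", "effective": "2015-08-01"},
]
# Constructed extract with deliberate defects.
EXTRACT = [
    {"id": "F001", "course": "BIO101", "fee": "150.00", "effective": "2015-08-01"},
    {"id": "F002", "course": "CHM101", "fee": "17500.00", "effective": "08/01/2015"},  # boundary, format
    {"id": "F002", "course": "CHM101", "fee": "175.00", "effective": "2015-08-01"},    # duplicate id
    {"id": "F004", "course": "", "fee": "90.00", "effective": "2015-08-01"},           # incomplete, not in source
]


def rule_based_tests(records):
    """(record number, test, offending value) for every rule violation."""
    issues = []
    ids = Counter(r.get("id") for r in records)
    for n, r in enumerate(records, 1):
        missing = [f for f in REQUIRED if not r.get(f)]
        if missing:
            issues.append((n, "completeness", ",".join(missing)))
        if r.get("effective") and not DATE_RE.match(r["effective"]):
            issues.append((n, "format", r["effective"]))
        try:
            fee = float(r.get("fee", ""))
            if not FEE_MIN <= fee <= FEE_MAX:
                issues.append((n, "boundary", r["fee"]))
        except ValueError:
            issues.append((n, "format", r.get("fee")))
        if ids[r.get("id")] > 1:
            issues.append((n, "duplicate", r.get("id")))
    return issues


def signature(records):
    """File signature: hash of a canonical, order-independent serialisation,
    so two files with the same content sign the same regardless of row order."""
    rows = sorted("|".join("%s=%s" % (k, r[k]) for k in sorted(r)) for r in records)
    return hashlib.sha256("\n".join(rows).encode()).hexdigest()


def compare_source_to_extract(source, extract):
    """Reconcile by id: rows missing from the extract, rows the source never
    had, and rows whose content differs (first occurrence of each id)."""
    src = {r["id"]: r for r in source}
    ext = {}
    for r in extract:
        ext.setdefault(r["id"], r)   # duplicates are reported by the rule tests
    return {
        "missing_from_extract": sorted(set(src) - set(ext)),
        "not_in_source": sorted(set(ext) - set(src)),
        "changed": sorted(i for i in set(src) & set(ext) if src[i] != ext[i]),
    }


if __name__ == "__main__":
    print(rule_based_tests(EXTRACT))
    print(signature(SOURCE) == signature(EXTRACT))
    print(compare_source_to_extract(SOURCE, EXTRACT))
```

The rule tests catch the bad date, the out-of-range fee, the duplicated F002 and the blank course; the signature shows the extract is not the same file as the source; and the row reconciliation says exactly how they differ (F003 dropped, F004 invented, F002 altered), which is the evidence an auditor wants rather than a fuzzy "mostly matches".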
Data Accuracy & Integrity: Red Flags
Overreliance on soft controls
Relying on weak or fuzzy matching algorithms
Relying on default system/application controls
Structural database updates / system conversion
Weak or absent data control function or processes
Unvetted ad hoc reports, update queries and scripts
Instances of workarounds and manual corrections
Data Accuracy & Integrity: Resources
• The Practitioner's Guide to Data Quality Improvement by David Loshin http://dataqualitybook.com/
• Experian Data Quality Resource Center https://www.edq.com/resource-center/
Thank You!
Feel free to contact us for any additional information
Michelle Workman [email protected]
Glenn Wilson [email protected]