How to Avoid the High Cost of Security Audits
8/14/2019 How to Avoid the High Cost of Security Audits
89 Fifth Avenue, 7th Floor
New York, NY 10003
www.TheEdison.com
212.367.7400
White Paper
How to Avoid the High Cost of Security Audits
Printed in the United States of America.
Copyright 2009 Edison Group, Inc. New York. Edison Group offers no warranty either expressed or implied on the information contained herein and shall be held harmless for errors resulting from its use.
Diagrams copyright 2009 Likewise Software, Inc. Used by permission.
All products are trademarks of their respective owners.
First Publication: April 2009
Produced by: Andrew Podosenin, Senior Analyst; Barry Cohen, Editor in Chief
Table of Contents
Executive Summary ... 1
Introduction ... 2
Security Standards ... 3
  PCI ... 3
  SOX ... 3
  FISMA ... 3
  HIPAA ... 4
Costs of Failed Audits ... 5
  PCI ... 5
  SOX ... 5
  FISMA ... 5
  HIPAA ... 5
Passing Security Audits ... 7
  Enforcement of the Compliance Requirements ... 7
Conclusion ... 11
Edison: Security Audit Cost Control White Paper, Page 1
Executive Summary
Modern computing is governed by a number of security regulations. These particularly affect companies offering services to the government, processing credit card payments, or handling medical or financial records. These regulations originated with legislative attempts to perform post facto due diligence, while dumping the complexity of implementation on the complying entities. In addition, the regulations are enforced with stiff fines, suspension of privileges, or even personal liability for executive officers in cases of noncompliance.
The majority of these regulations are centered on identity and policy management. While such management is a part of the Windows environment, its existence in the non-Windows world is very limited. Thus, administrators are attempting to use Microsoft Windows as a common ground for storage, management, and monitoring of policies governing non-Windows environments. This could be done with open source tools or with professional, scalable and supported solutions such as Likewise Enterprise. The present paper discusses the advantages and disadvantages of both approaches.
Introduction
Over the past decade a large number of network security and financial accounting fraud incidents have occurred, resulting in greatly increased federal and local regulation of many aspects of business computing. This white paper discusses the requirements of these security standards and demonstrates how these requirements can be fulfilled with the Likewise Enterprise solution.
The paper begins with a high-level discussion of several of today's key U.S. security standards, what they are, and how they apply to different businesses. The paper then discusses the cost effects of failed audits, whether through legal action or loss of business. The section after that discusses some of the common attributes of the technical requirements of regulatory compliance, followed by a section on how technologies from Likewise Software enable enforcement of compliance requirements in heterogeneous operating system computer networks.
Security Standards
Depending on the nature of their business and customer relationships, companies are required to comply with a number of fairly complex security requirements such as PCI, SOX, FISMA, HIPAA, and several others. The most widely used requirements of these regulations are discussed below.
PCI
PCI DSS (Payment Card Industry Data Security Standard) was put forward by the Payment Card Industry Security Standards Council (PCI SSC) to prevent credit card fraud, hacking, and various other security vulnerabilities and threats. The standard applies to all organizations that store, process, or transmit cardholder data. Guidance is offered for software developers and manufacturers of applications and devices used in such transactions. The standard was recently upgraded to version 1.2 with stricter requirements.
SOX
The Sarbanes-Oxley Act is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, and WorldCom. The act is a complex regulatory requirement that establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The act provides for new levels of auditing, CEO, CFO, and board accountability, and increased criminal and civil penalties for securities violations.
FISMA
The Federal Information Security Management Act of 2002 (FISMA) places requirements on government agencies and components, with the goal of improving the security of federal information and information systems. The goals of FISMA include the following:
- Protection of information and computing systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure integrity, confidentiality, and availability.
- Management of risks in information security.
- A mechanism for effective oversight of federal agency information security programs.
Among many requirements, FISMA demands that each federal agency develop, document, and implement an agency-wide information security program, with appropriate information access control measures designed to attain higher consistency levels regarding workable assessment procedures for security control measures.
HIPAA
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) seeks to establish standardized security measures for healthcare and medical information. It requires the establishment of national standards for electronic healthcare transactions, security, and confidentiality of all healthcare-related data. Besides a number of format standardizations, the act mandates security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual. Specifically, HIPAA mandates the following technical safeguards for computer systems access:
- Protection from electronic intrusion into the digital systems.
- Encryption of the information exchange.
- Procedures to ensure that the data within its systems has not been changed or erased in an unauthorized manner.
- Data integrity services, including checksum, double keying, message authentication, and digital signature.
- Authentication of data access, including: password systems, two- or three-way handshakes, telephone callback, and token systems.
- Existence of documented risk analysis and risk management programs.
In addition to imposing fairly complex and stringent sets of requirements, these standards are updated on a regular basis, imposing additional demands on the security and auditability of the IT infrastructure. Therefore, becoming and staying compliant is a never-ending task for security and systems administrators.
Costs of Failed Audits
In order to enforce the security regulations, the penalties imposed on noncompliant vendors are quite strict and affect the overall cost (or even the ability) of doing business.
PCI
The penalties and fines for failure to comply with the requirements or rectify a security issue range from $10,000 to $500,000 per incident, depending on the severity and magnitude of the situation. In the case of a security breach, the company may also be liable for the cost of required forensic investigations, fraudulent purchases, and the cost of reissuing credit cards. Finally, in the most severe cases, the credit card acceptance privilege can be suspended or terminated.
SOX
Depending on the section of the act that was violated, the penalties range from the loss of stock exchange listing, through the loss of D&O insurance, to multimillion-dollar fines and imprisonment. A CEO or CFO submitting a wrong certification is subject to a fine of up to $1 million and imprisonment for up to ten years. Should the wrong certification be submitted willfully, the fine can be increased up to $5 million and the prison term can be increased up to twenty years. Indirect costs of noncompliance include the lack of investor confidence and the corresponding decrease in business value or the degradation of business operations.
FISMA
Though there are no applicable criminal sanctions, noncompliance costs the violator bad publicity. The U.S. Congress conducts an annual audit of federal agencies and publicly issues an information security scorecard. A low score means a loss in public confidence and additional government scrutiny. Additionally, the CIOs of low-performing agencies can be asked to explain before Congress why they scored poorly. In cases of noncompliance, the Office of Management and Budget (OMB) may delay or cancel funding for agency programs.
HIPAA
Penalties for noncompliance may be civil, criminal, or financial. These penalties include the following:
- Fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year for any person who violates a provision of this part.
Passing Security Audits
Each regulatory security standard includes specific requirements for controlling access to customers' financial or medical records, authentication of business users, adequate access to monitoring and auditing facilities, and maintenance of a secure network. The situation is aggravated by the business need to create and maintain identities across all nodes of heterogeneous environments, with multiple operating systems dealing with different aspects of customer data on the processing, storage, and presentation level.
Although the various data handling regulations have different natures, origins, and focus, most of them share the same set of technical requirements for data protection. The differentiators are that for each regulatory regime, each requirement is detailed in voluminous regulatory documents, supplementary third-party materials, and industry publications. Therefore, it makes sense to summarize the common aspects of these regulations. They include the following:
- Installation and maintenance of a firewall to limit inbound access to the computing host.
- Strong password policy, including length, strength, expiration time, maximum number of retries, and number of remembered old passwords. This offers more secure access to the host and prevents brute-force attacks against the password repository.
- Encryption of data transmission to protect sensitive data in transit.
- Assignment of a unique ID to individual users in order to track system and data access on a per-individual basis.
- Implementation and update of antivirus/antimalware software to protect the system against external access with Trojans or keyloggers.
- Availability of data on a need-to-know basis and denial of access unless explicitly allowed. This is the industry-standard approach to granting access permissions.
- Strong access control and auditing to allow report-based, query-based and alert-based control of access to sensitive data.
Enforcement of the Compliance Requirements
Enforcing compliance on a single platform is by far easier than across multiple platforms, including Mac OS X, multiple Unix variants and several flavors of Linux. The complexity is associated with different tools, file locations, file formats and approaches for desktop and policy management. Likewise Enterprise allows companies with heterogeneous computing environments to easily comply with the above-discussed data security requirements.
By joining non-Windows computers to Active Directory and migrating users to AD while retaining their identities and permissions, Likewise technology provides administrators with a stable, secure, and scalable identity management system. From this point on, all user authentication, authorization, provisioning, and logging of domain-based activities is handled by a single, centralized, secure, scalable, and stable repository. This approach eliminates the need to have multiple local user IDs on different Unix systems, to have administrators log in as root, and/or to struggle with the limitations of sudo [1]. Users can log on to the system with AD domain credentials, while having appropriate UIDs and GIDs to control user access to specific resources on the local node.
Likewise cell technology provides custom mapping of a unique and identifiable Active Directory user to their UIDs (user identifiers) and GIDs (group identifiers).
After being securely authenticated, non-Windows users have uniform policies applied to their computers. The policies are stored in Active Directory, managed by easy-to-use Windows tools, and can be applied at the level of the organizational unit in the same way that Active Directory applies group policies to Windows systems.
[1] For a definition and explanation of sudo, see: http://en.wikipedia.org/wiki/Sudo
Altogether, with Likewise technology, compliance requirements are fulfilled in the following fashion:

Requirement: Assignment of a unique ID to a unique user
Method of compliance: With the use of Active Directory, administrators can provision each non-Windows user with a unique ID, which will work on all Unix, Linux, and Mac systems. When users are migrated from NIS domains to Active Directory, Likewise uses cell technology to preserve the user NIS information.

Requirement: Encryption of data transfer
Method of compliance: Encryption of all non-console administrative access is accomplished by switching to protocols like SSH, VPN, or SSL/TLS (for web-based management) with Kerberos authentication to Linux, Unix, and Mac OS X against credentials stored in Active Directory. And, unlike NIS, AD clients cannot retrieve the whole password database for offline inspection.

Requirement: Password strength
Method of compliance: Password strength, history, lifetime, and lockout threshold are enforced on all non-Windows nodes by global policy.

Requirement: Role-based access control; linking administrative access to individual users
Method of compliance: RBAC is implemented by mapping AD users to non-Windows resources with Likewise cell technology. Cells provide a custom mapping of AD user names to UIDs and GIDs on Linux systems. This establishes granular access control and limits users to the systems that they need to access for business reasons, and within the system to the commands that they are allowed to execute with sudo. As a result, access to computing resources and to customer data is limited on a need-to-know basis. In the same fashion, time-based access to resources can be implemented.

Requirement: Simple provisioning and deprovisioning
Method of compliance: This is implemented by associating Likewise cells with AD OUs for fast and efficient privilege granting, role change, or termination. All user access to all systems can be effectively terminated by disabling the appropriate AD account.

Requirement: Computer lockdown after a preset inactivity interval
Method of compliance: Inactivity timeout and screen locking are controlled by the screensaver policy.

Requirement: Log rotation
Method of compliance: Likewise policies allow fine-grained control of the log rotation daemon.

Requirement: System security hardening
Method of compliance: This is implemented by configuring AppArmor, SELinux, or the Mac OS X firewall through group policies. Removal of all unnecessary artifacts (such as scripts, driver subsystems, and more) is implemented with group policies.

Requirement: Access tracking
Method of compliance: Likewise Enterprise allows administrators to create custom reports about Linux and Unix users, groups, computers, forests, and domains within Active Directory, search for duplicates, and generate permission or access reports. The Likewise syslog group policy allows administrators to configure the logging daemons on Unix and Linux nodes. The Likewise event log subsystem provides administrators and security managers with an event viewer that shows denied authentication and access attempts. This implements an automatic audit trail for all system components to reconstruct user behavior in case of an investigation. An inactivity report can list unused or infrequently used accounts that could be marked for possible deletion.

Requirement: Alerting
Method of compliance: Cron scripts alert the administrator to changes in files or policies.
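As an added illustration of the two access-tracking reports described in the table (denied authentication attempts and an inactivity report), here is example code written for this page; it is not part of Likewise Enterprise or the original paper, and the sshd syslog line format, host and user names, addresses and the 90-day idle threshold are all assumptions.

```python
# Access-tracking report over constructed sshd syslog lines and constructed directory data (all sample values, names and the 90-day threshold are assumptions).
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample syslog lines (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
Apr 02 09:13:44 db01 sshd[2340]: Failed password for CORP\\bob from 10.0.5.21 port 51023 ssh2
Apr 02 09:13:49 db01 sshd[2340]: Failed password for CORP\\bob from 10.0.5.21 port 51023 ssh2
Apr 02 09:13:55 db01 sshd[2340]: Failed password for CORP\\bob from 10.0.5.21 port 51023 ssh2
Apr 02 09:14:03 web02 sshd[877]: Failed password for invalid user admin from 203.0.113.9 port 40111 ssh2
Apr 02 09:20:17 web02 sshd[901]: Accepted publickey for CORP\\carol from 10.0.5.30 port 40210 ssh2
"""

# One regex covers both accepted and failed sshd authentication records.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)

def denied_attempts(log_text, threshold=3):
    """Return {(host, user, source): count} for failed logons at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group("result") == "Failed":
            counts[(m.group("host"), m.group("user"), m.group("src"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def last_seen_from_log(log_text, year):
    """Latest successful logon per user; syslog lines carry no year, so one is supplied."""
    seen = {}
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group("result") == "Accepted":
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            if ts > seen.get(m.group("user"), datetime.min):
                seen[m.group("user")] = ts
    return seen

def inactive_accounts(known_accounts, last_seen, now, max_idle_days=90):
    """Accounts never seen, or not seen within max_idle_days, sorted for the report."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in known_accounts if last_seen.get(u, datetime.min) < cutoff)

def demo_report(now=datetime(2009, 4, 3)):
    """Run both reports over the constructed log plus constructed last-logon directory data."""
    accounts = ["CORP\\bob", "CORP\\carol", "CORP\\dave", "svc_backup"]
    seen = {"CORP\\bob": datetime(2009, 1, 10), "svc_backup": datetime(2008, 11, 1)}
    seen.update(last_seen_from_log(SAMPLE_LOG, 2009))
    return {"denied": denied_attempts(SAMPLE_LOG), "inactive": inactive_accounts(accounts, seen, now)}

if __name__ == "__main__":
    print(demo_report())
```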
Conclusion
In today's information security regulatory environment, maintaining compliance with computers running a mixture of Windows, Unix, Linux, and Mac operating systems can be complex. Likewise Enterprise seamlessly integrates Linux, Unix, and Mac computers with Active Directory and enables migration of non-Windows users to AD while maintaining their identities and permissions. The combination of the Windows AD framework, Windows management and monitoring tools, and Likewise technology allows administrators to comply with multiple industry regulations on data protection while also simplifying system management and increasing the security posture of the network.