How to Avoid the High Cost of Security Audits

Upload: likewise-software

Post on 30-May-2018


8/14/2019 How to Avoid the High Cost of Security Audits

89 Fifth Avenue, 7th Floor
New York, NY 10003
www.TheEdison.com
212.367.7400

White Paper

How to Avoid the High Cost of Security Audits

Printed in the United States of America.

Copyright 2009 Edison Group, Inc. New York. Edison Group offers no warranty either expressed or implied on the information contained herein and shall be held harmless for errors resulting from its use.

Diagrams copyright 2009 Likewise Software, Inc. Used by permission.

All products are trademarks of their respective owners.

First Publication: April 2009

Produced by: Andrew Podosenin, Senior Analyst; Barry Cohen, Editor in Chief

Table of Contents

Executive Summary ......... 1
Introduction ......... 2
Security Standards ......... 3
    PCI ......... 3
    SOX ......... 3
    FISMA ......... 3
    HIPAA ......... 4
Costs of Failed Audits ......... 5
    PCI ......... 5
    SOX ......... 5
    FISMA ......... 5
    HIPAA ......... 5
Passing Security Audits ......... 7
    Enforcement of the Compliance Requirements ......... 7
Conclusion ......... 11

Edison: Security Audit Cost Control White Paper

Executive Summary

Modern computing is governed by a number of security regulations. These particularly affect companies offering services to the government, processing credit card payments, or handling medical or financial records. The birth of these regulations originated with legislative attempts to perform post facto due diligence, while dumping the complexity of implementation on the complying entities. In addition, the regulations are enforced with stiff fines, suspension of privileges, or even personal liability for executive officers in cases of noncompliance.

The majority of these regulations are centered on identity and policy management. While such management is a part of the Windows environment, its existence in the non-Windows world is very limited. Thus, administrators are attempting to use Microsoft Windows as a common ground for storage, management, and monitoring of policies governing non-Windows environments. This could be done with Open Source tools or with professional, scalable and supported solutions such as Likewise Enterprise. The present paper discusses the advantages and disadvantages of both approaches.

Introduction

Over the past decade a large number of network security and financial accounting fraud incidents have occurred, resulting in greatly increased federal and local regulation of many aspects of business computing. This white paper discusses the requirements of these security standards and demonstrates how these requirements can be fulfilled with the Likewise Enterprise solution.

The paper begins with a high level discussion of several of today's key U.S. security standards, what they are, and how they apply to different businesses. The paper then discusses the cost effects of failed audits, whether through legal action or loss of business. The next section discusses some of the common attributes of the technical requirements of regulatory compliance. The final section discusses how technologies from Likewise Software enable enforcement of compliance requirements in heterogeneous operating system computer networks.

Security Standards

Depending on the nature of their business and customer relationships, companies are required to comply with a number of fairly complex security requirements such as PCI, SOX, FISMA, HIPAA, and several others. The most widely used requirements of these regulations are discussed below.

PCI

PCI DSS (Payment Card Industry Data Security Standard) was put forward by the Payment Card Industry Security Standards Council (PCI SSC) to prevent credit card fraud, hacking, and various other security vulnerabilities and threats. The standard applies to all organizations that store, process, or transmit cardholder data. Guidance is offered for software developers and manufacturers of applications and devices used in such transactions. The standard was recently upgraded to version 1.2 with stricter requirements.

SOX

The Sarbanes-Oxley Act is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, and WorldCom. The act is a complex regulatory requirement that establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The act provides for new levels of auditing, CEO, CFO, and board accountability, and increased criminal and civil penalties for securities violations.

FISMA

The Federal Information Security Management Act of 2002 (FISMA) places requirements on government agencies and components, with the goal of improving the security of federal information and information systems. The goals of FISMA include the following:

- Protection of information and computing systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure integrity, confidentiality, and availability.
- Management of risks in information security.
- Mechanism for effective oversight of federal agency information security programs.

Among many requirements, FISMA law demands that each federal agency develop, document, and implement an agency-wide information security program, with appropriate information access control measures designed to attain higher consistency levels regarding workable assessment procedures for security control measures.

HIPAA

The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) seeks to establish standardized security measures for healthcare and medical information. It requires the establishment of national standards for electronic healthcare transactions, security, and confidentiality of all healthcare-related data. Besides a number of format standardizations, the act mandates security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual. Specifically, HIPAA mandates the following technical safeguards for computer systems access:

- Protection from electronic intrusion to the digital systems.
- Encryption of the information exchange.
- Procedures to ensure that the data within its systems has not been changed or erased in an unauthorized manner.
- Data integrity services, including checksum, double keying, message authentication, and digital signature.
- Authentication of data access, including: password systems, two- or three-way handshakes, telephone callback, and token systems.
- Existence of documented risk analysis and risk management programs.

In addition to imposing fairly complex and stringent sets of requirements, these standards are updated on a regular basis, imposing additional demands on the security and auditability of the IT infrastructure. Therefore, becoming and staying compliant is a never-ending task for the security and systems administrators.

Costs of Failed Audits

In order to enforce the security regulations, the penalties imposed on noncompliant vendors are quite strict and affect the overall cost (or even the ability) of doing business.

PCI

The penalties and fines for failure to comply with the requirements or rectify a security issue range from $10,000 to $500,000 per incident, depending on the severity and magnitude of the situation. In the case of a security breach, the company may also be liable for the cost of required forensic investigations, fraudulent purchases, and the cost of reissuing credit cards. Finally, in the most severe cases, the credit card acceptance privilege can be suspended or terminated.

SOX

Depending on the section of the act that was violated, the penalties range from the loss of stock exchange listing through the loss of D&O insurance to multimillion dollar fines and imprisonment. A CEO or CFO submitting a wrong certification is subject to a fine of up to $1 million and imprisonment for up to ten years. Should the wrong certification be submitted willfully, the fine can be increased up to $5 million and the prison term can be increased up to twenty years. Indirect costs of noncompliance include the lack of investor confidence and the corresponding decrease in business value or the degradation of business operations.

FISMA

Though there are no applicable criminal sanctions, noncompliance costs the violator bad publicity. U.S. Congress conducts an annual audit of federal agencies and publicly issues an information security scorecard. A low score means a loss in public confidence and additional government scrutiny. Additionally, the CIOs of low performing agencies can be asked to explain before Congress why they scored poorly. In cases of noncompliance, the Office of Management and Budget (OMB) may delay or cancel funding for agency programs.

HIPAA

Penalties for noncompliance may be civil, criminal, or financial. These penalties include the following:

- Fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year for any person who violates a provision of this part.


Passing Security Audits

Each regulatory security standard includes specific requirements for controlling access to customers' financial or medical records, authentication of business users, adequate access to monitoring and auditing facilities, and maintenance of a secure network. The situation is aggravated by the business need to create and maintain identities across all nodes of heterogeneous environments, with multiple operating systems dealing with different aspects of customer data on the processing, storage, and presentation level.

Although the various data handling regulations have different natures, origins, and focus, most of them share the same set of technical requirements for data protection. The differentiator is that for each regulatory regime, each requirement is detailed in voluminous regulatory documents, supplementary third-party materials, and industry publications. Therefore, it makes sense to summarize the common aspects of these regulations. They include the following:

- Installation and maintenance of a firewall to limit inbound access to the computing host.
- Strong password policy, including length, strength, expiration time, maximum number of retries, and number of remembered old passwords. This offers more secure access to the host and prevents brute force attacks against the password repository.
- Encryption of data transmission to protect sensitive data in transit.
- Assignment of a unique ID to individual users to be able to track down system and data access on a per-individual basis.
- Implementation and update of antivirus/antimalware software to protect the system against external access with Trojans or keyloggers.
- Availability of data on a need-to-know basis and denial of access unless explicitly allowed. This is the industry standard approach to granting access permissions.
- Strong access control and auditing to allow report-based, query-based and alert-based control of access to sensitive data.
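As an added illustration (not code from the paper or from Likewise), the following Python script checks a host's account database and password policy against two of the requirements just listed: a unique ID per user, and a password policy with bounded lifetime, minimum length and bounded retries. The sample /etc/passwd and /etc/login.defs contents are constructed, and the numeric bounds in POLICY are assumptions chosen for the example.

```python
# Added example: audit a Unix host's account database and password policy
# against the common requirements above. Sample data is constructed; in
# practice /etc/passwd and /etc/login.defs would be read from the host.
from collections import defaultdict

# Constructed /etc/passwd: UID 1001 is shared and "toor" also holds UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
oracle:x:1001:1001:Oracle svc:/opt/oracle:/bin/bash
"""

# Constructed /etc/login.defs: unbounded lifetime, short minimum, no LOGIN_RETRIES.
SAMPLE_LOGIN_DEFS = """\
# comment lines are ignored
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5   # trailing comment
"""

# Bounds are illustrative assumptions, not values taken from the paper.
POLICY = {"PASS_MAX_DAYS": ("<=", 90), "PASS_MIN_LEN": (">=", 8),
          "LOGIN_RETRIES": ("<=", 5)}

def parse_login_defs(text):
    """Return {KEY: int} for numeric settings; comments are stripped."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[1].isdigit():
            settings[parts[0]] = int(parts[1])
    return settings

def audit_accounts(passwd_text):
    """Flag UIDs shared by several users and non-root accounts with UID 0."""
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            by_uid[int(fields[2])].append(fields[0])
    findings = []
    for uid, users in sorted(by_uid.items()):
        if len(users) > 1:
            findings.append(f"UID {uid} shared by {', '.join(users)}")
        extra_root = [u for u in users if uid == 0 and u != "root"]
        if extra_root:
            findings.append(f"UID 0 held by non-root account(s): {', '.join(extra_root)}")
    return findings

def audit_password_policy(login_defs_text, policy=POLICY):
    """Compare each numeric login.defs setting to its required bound."""
    settings = parse_login_defs(login_defs_text)
    findings = []
    for key, (op, bound) in policy.items():
        if key not in settings:
            findings.append(f"{key} not set (required {op} {bound})")
        elif not (settings[key] <= bound if op == "<=" else settings[key] >= bound):
            findings.append(f"{key}={settings[key]} violates required {op} {bound}")
    return findings
```

Running both audits over the constructed samples yields three account findings and three policy findings; an empty list from each function means the host passes these two checks.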

Enforcement of the Compliance Requirements

Enforcing compliance on a single platform is by far easier than across multiple platforms, including Mac OS X, multiple Unix variants and several flavors of Linux. The complexity is associated with different tools, file locations, file formats and approaches for desktop and policy management. Likewise Enterprise allows companies with heterogeneous computing environments to easily comply with the above discussed data security requirements.


By joining non-Windows computers to Active Directory and migrating users to AD while retaining their identities and permissions, Likewise technology provides administrators with a stable, secure, and scalable identity management system. From this point on all user authentication, authorization, provisioning, and logging of domain-based activities is handled by a single, centralized, secure, scalable, and stable repository. This approach eliminates the need to have multiple local user IDs on different Unix systems, to have administrators log in as root, and/or to struggle with the limitations of sudo.[1] Users can log on to the system with AD domain credentials, while having appropriate UIDs and GIDs to control user access to specific resources on the local node.

Likewise cell technology provides custom mapping of a unique and identifiable Active Directory user to their UIDs (user identifiers) and GIDs (group identifiers):

[Diagram]

After being securely authenticated, non-Windows users have uniform policies applied to their computers. The policies are stored in Active Directory, managed by easy-to-use Windows tools, and can be applied at the level of the organizational unit in the same way that Active Directory applies group policies to Windows systems:

[Diagram]

[1] For a definition and explanation of sudo, see: http://en.wikipedia.org/wiki/Sudo


Altogether, with Likewise technology, compliance requirements are fulfilled in the following fashion:

Requirement: Assignment of a unique ID to a unique user
Method of compliance: With the use of Active Directory, administrators can provision each non-Windows user with a unique ID, which will work on all Unix, Linux, and Mac systems. When users are migrated from NIS domains to Active Directory, Likewise uses cell technology to preserve the user's NIS information.

Requirement: Encryption of data transfer
Method of compliance: Encryption of all non-console administrative access is accomplished by switching to protocols like SSH, VPN, or SSL/TLS (for web-based management) with Kerberos authentication to Linux, Unix, and Mac OS X against credentials stored in Active Directory. And, unlike NIS, AD clients cannot retrieve the whole password database for offline inspection.

Requirement: Password strength
Method of compliance: Password strength, history, lifetime, and lockout threshold are enforced on all non-Windows nodes by global policy.

Requirement: Role-based access control; linking administrative access to individual users
Method of compliance: RBAC is implemented by mapping AD users to non-Windows resources with Likewise cell technology. Cells provide a custom mapping of AD user names to UIDs and GIDs on Linux systems. This establishes granular access control and limits users to the systems that they need to access for business reasons and, within the system, to the commands that they are allowed to execute with sudo. As a result, access to computing resources and to customer data is limited on a need-to-know basis. In the same fashion, time-based access to resources can be implemented.

Requirement: Simple provisioning and deprovisioning
Method of compliance: This is implemented by associating Likewise cells with AD OUs for fast and efficient privilege granting, role change, or termination. All user access to all systems can be effectively terminated by disabling the appropriate AD account.

Requirement: Computer lockdown after a pre-set inactivity interval
Method of compliance: Inactivity timeout and screen locking are controlled by the screensaver policy.

Requirement: Log rotation
Method of compliance: Likewise policies allow fine-grained control of the log rotation daemon.

Requirement: System security hardening
Method of compliance: This is implemented by configuring AppArmor, SELinux, or the Mac OS X firewall by group policies. Removal of all unnecessary artifacts (such as scripts, driver subsystems, and more) is implemented with group policies.

Requirement: Access tracking
Method of compliance: Likewise Enterprise allows administrators to create custom reports about Linux and Unix users, groups, computers, forests, and domains within Active Directory, search for duplicates, and generate permission or access reports. The Likewise syslog group policy allows administrators to configure the logging daemons on Unix and Linux nodes. The Likewise event log subsystem provides administrators and security managers with an event viewer that shows denied authentication and access attempts. This implements an automatic audit trail for all system components to reconstruct the user behavior in case of an investigation. An inactivity report can list unused or infrequently used accounts that could be marked for possible deletion.

Requirement: Alerting
Method of compliance: Cron scripts alert the administrator to changes in files or policies.
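As an added example of the alerting row above (not Likewise's own script), this Python check computes SHA-256 fingerprints of policy-relevant files, compares them with a stored baseline, and returns one alert line per added, removed or modified file; a cron job would call run_check on each host and persist the returned baseline for the next run. The paths and contents in BASELINE_FILES and CURRENT_FILES are constructed for the example.

```python
# Added example: baseline-and-compare file change alerting of the kind a cron
# job would run. The file snapshots below are constructed for illustration;
# this is not Likewise's own script.
import hashlib
import json
import os


def fingerprint(contents):
    """Map {path: bytes} to {path: SHA-256 hex digest}."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in contents.items()}


def snapshot(contents):
    """Serialise a fingerprint map so a cron job can store it between runs."""
    return json.dumps(fingerprint(contents), sort_keys=True)


def read_files(paths):
    """Read monitored files from disk (the real job uses this, not the samples)."""
    return {p: open(p, "rb").read() for p in paths if os.path.isfile(p)}


def compare(baseline, current):
    """Classify each monitored path as added, removed or modified."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def run_check(host, baseline_json, current_files):
    """Compare current files to the stored baseline; return (alerts, new baseline JSON)."""
    diff = compare(json.loads(baseline_json), fingerprint(current_files))
    alerts = [f"{host}: {kind} {path}"
              for kind in ("added", "removed", "modified") for path in diff[kind]]
    return alerts, snapshot(current_files)


# Constructed baseline snapshot of policy-relevant files.
BASELINE_FILES = {
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
    "/etc/login.defs": b"PASS_MAX_DAYS 90\nPASS_MIN_LEN 12\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}
# Constructed later snapshot: sudoers gained a line, login.defs disappeared,
# a cron entry appeared, and sshd_config is unchanged.
CURRENT_FILES = {
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n%ops ALL=(ALL) ALL\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/cron.d/cleanup": b"0 3 * * * root /usr/local/bin/cleanup.sh\n",
}

if __name__ == "__main__":
    for line in run_check("host1", snapshot(BASELINE_FILES), CURRENT_FILES)[0]:
        print("ALERT", line)
```

Over the constructed snapshots the check reports one added, one removed and one modified file; a second run against an unchanged host returns no alerts.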

Conclusion

In today's information security regulatory environment, maintaining compliance with computers running a mixture of Windows, Unix, Linux, and Mac operating systems can be complex. Likewise Enterprise seamlessly integrates Linux, Unix, and Mac computers with Active Directory and enables migration of non-Windows users to AD while maintaining their identities and permissions. The combination of the Windows AD framework, Windows management and monitoring tools, and Likewise technology allows administrators to comply with multiple industry regulations on data protection while also simplifying system management and increasing the security posture of the network.