www.cyberlawconsulting.com Logical IT Security By Prashant Mali
Post on 29-Mar-2015

Page 1: Www.cyberlawconsulting.com Logical IT Security By Prashant Mali

www.cyberlawconsulting.com

Logical IT Security

By Prashant Mali

Page 2

Business Objectives

To retain competitive advantage and to meet basic business requirements, organizations must:

• Ensure the integrity of information stored on their computer systems
• Preserve the confidentiality of sensitive data
• Ensure the continued availability of their information systems
• Ensure conformity to laws, regulations, and standards.

Page 3

Session Agenda

1. Components of a Security Policy
2. Paths of Logical Access
3. Logical Access Issues and Exposures
4. Access Control Software
5. Logical Security Features, Tools, and Procedures
6. Auditing Logical Access

Page 4

Security Policy Requirement

• Security losses can be costly to business.
• Losses include those suffered as a result of the failure itself, the costs incurred while recovering from the incident, and the further costs of securing the systems to prevent recurrence.
• A well-defined set of security policies and procedures can prevent losses and save money.

Page 5

Security Policy - Components

• Management Support and Commitment
• Access Philosophy
• Compliance with Relevant Regulations
• Access Authorization
• Reviews of Access Authorization
• Security Awareness
• Role of Security Administrator
• Security Committee

Page 6

Paths of Logical Access

Logical access into the computer can be gained through several avenues. Each avenue is subject to appropriate levels of security. Methods of access include the following:

• Operator Console
• Online Terminals
• Batch Job Processing
• Dial-up Ports
• Telecommunications Network

Page 7

Logical Access Exposures

Inadequate logical access controls increase the potential for losses. These exposures can result in anything from minor inconveniences to total shutdown of the computer system.

• Technical Exposures
• Virus Exposures
• Computer Crime Exposures
• Agents of Exposures

Page 8

Access Control Software

Access control software is designed to prevent unauthorized access to data, unauthorized use of system functions and programs, and unauthorized changes to data, and to detect and prevent unauthorized attempts to access computer resources.

• Access Control Software tasks
• Access Control Software functions
• Access Control Software authorization components
• Decentralized / Remote Processing issues

Page 9

Logical Security Features

• Two-phase User Identification / Authentication process
• Logging Computer Access
• Computer features that bypass security
• Data Classification
• Safeguarding Confidential Data on a PC
• Naming conventions for Access Controls

Page 10

Auditing Logical Access

• Evaluating Logical Access Controls
• Review Reports from Access Control Software
• Data Ownership Issues
• Bypass Security Controls

Page 11

Management Support and Commitment

Management must demonstrate a concern for security.

Management must clearly approve and support formal security awareness and training.

This may require special management security training, since security is not necessarily a part of management expertise.

Page 12

Access Philosophy

Access to computerized resources and information must be based on a documented “need-to-know, need-to-do” basis only.

A “need-not-know” basis?

Page 13

Compliance with Relevant Legislation and Regulations

The policy should state that compliance is required with all relevant legislation, such as that requiring confidentiality of personal information, or specific regulations relating to particular industries, e.g. banking or financial institutions.

Page 14

Access Authorization

The data owner or manager who is responsible for the accurate use and reporting of the information should provide written authorization for users to gain access to computerized information.

The manager should give this documentation directly to the security administrator so that mishandling or alteration of the authorization does not occur.

Page 15

Reviews of Access Authorization

Like any other control, access controls should be evaluated regularly to ensure that they are still effective.

Personnel and departmental changes, malicious efforts and just plain carelessness can impact the effectiveness of access controls.

The security manager, with the assistance of the managers who provide access authorization, should review the access controls.

Any access exceeding the “need-to-know, need-to-do” philosophy should be changed accordingly.

Page 16

Raising Security Awareness

• Distribution of a written security policy.
• Training on a regular basis for new employees, users, and support staff.
• Non-disclosure statements signed by the employees.
• Use of newsletters, web pages and videos to promulgate security awareness.
• Visible enforcement of security rules.
• Simulated security incidents to improve security procedures.
• Rewards for employees who report suspicious events.
• Periodic audits.

Page 17

Employee Responsibilities

• Reading the security policy
• Keeping logon-IDs and passwords secret
• Reporting suspected violations of security to the security administrator
• Maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing access door lock combinations and questioning unfamiliar people
• Conforming to local laws and regulations
• Adhering to privacy regulations with regard to confidential information (health, legal, etc.)

Page 18

Employee Responsibilities

Non-employees with access to company systems should also be held accountable for security policies and responsibilities.

These include contract employees, vendors, programmers/analysts, maintenance personnel and clients.

Page 19

Role of Security Administrator

The security administrator, typically a member of the IS department, is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

In large organizations, the security administrator is usually a full-time function; in small organizations someone may perform this function alongside other non-conflicting responsibilities.

Page 20

Role of Security Administrator

For proper segregation of duties, the security administrator should NOT be:

• responsible for updating application data
• an end user
• an application programmer
• a computer operator
• a data entry clerk.

Page 21

Security Committee

Security guidelines, policies, and procedures affect the entire organization and as such should have the support and suggestions of end users, executive management, security administration, IS personnel, and legal counsel.

Individuals representing various management levels should meet as a committee to discuss these issues and establish security practices.

The committee should be formally established with appropriate terms of reference and regular minuted meetings with action items, which are followed up on at each meeting.

Page 22

Operator Console

These privileged computer terminals control most computer operations and functions.

Most operator consoles do not have strong logical access controls and provide a high level of computer system access - a high-risk combination.

These terminals should be placed in a suitably controlled facility so that physical access can only be gained by authorized personnel.

Page 23

Online Terminal

Online access to computer systems through terminals typically requires entry of at least a logon-ID and password.

Access to specific application systems may also require further entry of authentication or identification data.

Personal Computers (PCs) are often used as online access terminals through terminal emulation software.

This poses a particular risk, as the PCs can be programmed to store and recall user access codes and passwords.

Page 24

Batch Job Processing

This mode of access is indirect, since access is achieved via processing of transactions. It involves accumulating input transactions and processing them as a batch after a given interval of time or after a certain number of transactions.

Security is achieved by restricting who can accumulate transactions (data entry clerks) and who can initiate batch processing (computer operators or the automatic job scheduling system).

Additionally, procedures and authorization to manipulate accumulated transactions prior to processing the batch should be carefully controlled.

Page 25

Dial-up Ports

Involves hooking a remote terminal or PC to a telephone line and gaining access to the computer by dialing a telephone number that is connected to the computer.

Security is achieved by providing a means of identifying the remote user to determine authorization to access.

This may be done by means of a call-back feature, use of logon-ID and password, use of access control software, or by requiring a computer operator to verify the identity of the caller and then provide the connection to the computer.

Page 26

Telecommunications Network

Involves linking a number of computer terminals or PCs to the host computer through a network of telecommunication lines.

The telecommunication lines may be private (dedicated to one user) or public, such as the public switched network.

Security should be provided in the same manner as applied to online terminals.

Page 27

Technical Exposures

Technical exposures involve unauthorized or unintentional implementation or modification of data and software.

Data Diddling - Involves changing data before or as it is entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect data.

Page 28

Technical Exposures

Trojan Horses

Involves hiding malicious, fraudulent code in an authorized computer program.

This hidden code will be executed whenever the authorized program is executed.

A classic case is the Trojan horse in a payroll calculating program that shaves a barely noticeable amount off each paycheck and credits it to the perpetrator’s payroll account.

Page 29

Technical Exposures

Logic Bombs

The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future.

They are very difficult to detect before they blow up; thus, of all the computer crime schemes, they have the greatest potential for damage.

Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator.

They could also be used in extortion schemes.

Page 30

Technical Exposures

Rounding Down

Involves drawing off small fractions of money from a computerized transaction or account and rerouting this amount to the perpetrator’s account.

Since the amounts are so small, they are rarely noticed.

For example, if a transaction amount were Rs.12,30,456.39, the rounding down technique may round the transaction to Rs. 12,30,456.35.

Page 31

Technical Exposures

Salami Techniques

Involves slicing small amounts of money from a computerized transaction or account and is similar to the rounding down technique.

For example, if a transaction amount were Rs.12,30,456.39, the Salami technique truncates the last few digits from the transaction amount so that it becomes Rs. 12,30,456.30 or Rs. 12,30,456.00, depending on the calculation built into the program.
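An added example (not from the slides) of the reconciliation check an auditor would run against the two schemes on pages 30 and 31: each posting is recomputed under the institution's declared rounding rule, assumed here to be half-up to the paisa, and any residual is reported together with the account that absorbed it. The postings are constructed; T1 reproduces the rounding-down case and T2/T3 the two salami cases above.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

PAISA = Decimal("0.01")

# Constructed sample postings (not from the slides). Each entry is:
# (txn_id, amount computed by the business logic, amount actually posted,
#  account that absorbed any difference, or None if there was none).
POSTINGS = [
    ("T1", Decimal("1230456.39"), Decimal("1230456.35"), "ACC-9901"),  # rounded down
    ("T2", Decimal("1230456.39"), Decimal("1230456.30"), "ACC-9901"),  # salami, last digit
    ("T3", Decimal("1230456.39"), Decimal("1230456.00"), "ACC-9901"),  # salami, all paise
    ("T4", Decimal("500.25"), Decimal("500.25"), None),                # honest posting
    ("T5", Decimal("99.999"), Decimal("100.00"), None),                # legitimate rounding
]


def expected_amount(computed: Decimal) -> Decimal:
    """Apply the institution's declared rounding rule (assumed: half-up to the paisa)."""
    return computed.quantize(PAISA, rounding=ROUND_HALF_UP)


def find_deviations(postings):
    """Return (txn_id, residual, account) for every posting that deviates from the rule.

    residual is positive when the posted amount is smaller than the rule allows,
    i.e. value has been shaved off the transaction.
    """
    deviations = []
    for txn_id, computed, posted, account in postings:
        residual = expected_amount(computed) - posted
        if residual != 0:
            deviations.append((txn_id, residual, account))
    return deviations


def residual_by_account(postings):
    """Aggregate shaved-off value by the account that received it: {account: (count, total)}."""
    totals = defaultdict(lambda: [0, Decimal("0")])
    for _, residual, account in find_deviations(postings):
        totals[account][0] += 1
        totals[account][1] += residual
    return {acct: (count, total) for acct, (count, total) in totals.items()}


def suspect_accounts(postings, min_count=2):
    """Accounts that repeatedly collect small residuals: the signature of both schemes.
    One odd posting is a rounding bug; the same beneficiary on many of them is not."""
    return sorted(acct for acct, (count, _) in residual_by_account(postings).items()
                  if count >= min_count)


if __name__ == "__main__":
    for txn_id, residual, account in find_deviations(POSTINGS):
        print(f"{txn_id}: Rs. {residual} shaved, credited to {account}")
    print("suspect accounts:", suspect_accounts(POSTINGS))
```

The individual residuals (0.04, 0.09, 0.39) are each too small to notice, which is the point of the schemes; the check works because it follows where the residuals accumulate rather than their size.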

Page 32

Technical Exposures

Worms

These are destructive programs that may destroy data or utilize tremendous communication resources but do not replicate like viruses.

They do not change other programs, but can run independently and travel from machine to machine across network connections.

Worms may also have portions of themselves, called segments, running on different machines.

Page 33

On 2 November 1988, Robert Tappan Morris, a graduate student at Cornell University, unleashed a program which spawned copies of itself and spread throughout the network.

Within hours, the worm had invaded 2,000 to 6,000 computers, about 10% of the Internet at the time. The program also clogged all the systems it hit, dialing virtually every computer it invaded.

When Morris saw the damage that was taking place, he posted a message on the Net with instructions for disabling the worm. However, by then the damage was done. On 16 May 1990, Morris was convicted and fined $10,000 and sentenced to 3 years probation.

Page 34

Technical Exposures

Trap Doors

These are exits out of an authorized program that allow for insertion of specific logic, such as program interrupts, to permit a review of data during processing.

These holes also permit insertion of unauthorized logic.

Page 35

Technical Exposures

Asynchronous Attacks

These occur in multiprocessing environments where data moves asynchronously (one character at a time with start and stop bits).

As a result, numerous data transmissions must wait for the line to be free.

Data that are waiting are susceptible to unauthorized access, called asynchronous attacks.

These attacks, usually small pin-like insertions into cable, may be committed via hardware and are extremely hard to detect.

Page 36

Technical Exposures

Data Leakage

Involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.

Page 37

Technical Exposures

Wire-tapping - Involves eavesdropping on information transmitted over transmission lines. Also known as sniffing.

Piggybacking - The act of following an authorized person through a secured door or electronically attaching to an authorized telecommunication link.

Page 38

Technical Exposures

Shut Down of the Computer

Can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up lines) to the computer.

Only individuals having a high-level systems logon-ID can usually initiate the shut down process.

Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.

Page 39

Technical Exposures

Denial of Service Attack

This is an attack that disrupts or completely denies service to legitimate users, networks, systems, or other resources.

The intent of any such attack is usually malicious in nature, and it often takes little skill because the requisite tools are readily available.

Page 40

Viruses

Viruses are the colds and flus of computer security: ubiquitous, at times impossible to avoid despite the best efforts, and often very costly to an organization's productivity.

Page 41

Viruses

Viruses are a significant and a very real logical access issue.

The term “virus” is a generic term applied to a variety of malicious computer program code inserted into other executable code that can self-replicate and spread from computer to computer.

Traditional viruses attach themselves to other executable code, infect the user’s computer, replicate themselves on the user’s hard disk and then damage data, the hard disk or files.

Page 42

How many viruses are there?

By early 2002, there were more than 15,000 computer viruses!

The huge number is explained in part by the ease with which potential virus writers can get the tools and actual viral code to work with, either from the Internet or other channels.

In May 1997, the Digital Hackers’ Alliance announced the availability of a CD-ROM with over 10,000 viruses. They also offered to give the first 100 customers a collection of 50 virus creation tools free of charge.

Page 43

Viruses

Viruses usually attack the following parts of the computer:

• Executable program files (.exe or .com files) - 85% of all viruses are program viruses.
• File-directory system that tracks the location of all the computer’s files (FAT table)
• Boot and system areas that are needed to start the computer - Michelangelo virus
• Macro viruses (Microsoft Word viruses - Concept, Wazzu)

Page 44

Viruses

Can a virus infect data files?

• Some viruses (e.g., Frodo, Cinderella) modify non-executable files.
• However, in order to spread, the virus code must be executed.
• Therefore "infected" non-executable files cannot be sources of further infection.
• Such "infections" are usually mistakes, due to bugs in the virus. However, there is an increasing possibility of viruses spreading through the sharing of data files.

Page 45

Viruses

Viruses can spread rapidly via:

• Removable drives - 62%
• Email - 20%
• Downloads - 11%
• Web browsing - 5%
• Shrink-wrapped software - 2%

Page 46

Anti-Virus Policies

• Build any system from original, clean master copies.
• Boot only from original diskettes whose write-protection has always been in place.
• Allow no disk to be used until it has been scanned on a stand-alone machine that is used for no other purpose and is not connected to the network.
• Update virus software scanning definitions regularly.
• Write-protect all diskettes with .exe and .com extensions.
• Have vendors run demonstrations on their machines, not yours.

Page 47

Anti-Virus Policies

• Enforce a rule of not using shareware without first scanning the shareware thoroughly for a virus.
• Insist that field technicians scan their disks on a test machine before they use any of their disks on the system.
• Ensure that the network administrator uses workstation and server anti-virus software.
• Ensure that all servers are equipped with an activated, current release of the anti-virus software.
• Educate users so they will heed these policies.

Page 48

Anti-Virus - Hardware Tactics

• Use workstations without floppy drives.
• Use boot virus protection (i.e. built-in firmware-based virus protection).
• Use remote booting.
• Use a hardware-based password.
• Use write-protect tabs on floppy disks.

Page 49

What is the best Anti-virus program?

None!

Different products are more or less appropriate in different situations, but in general you should build a cost-effective strategy based on multiple layers of defence. There are three main kinds of anti-virus software:

• Scanners
• Activity Monitoring Programs
• Integrity Checkers

Page 50

Anti-Virus Software

Scanners

These look for sequences of bits called signatures that are typical of virus programs.

Scanners examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus.

Scanners therefore need to be updated frequently to be effective.

Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk Software's F-PROT, McAfee's VirusScan

Page 51

Anti-Virus Software

Activity Monitoring Programs

These interpret DOS and ROM basic input output system (BIOS) calls, looking for virus-like actions such as attempts to write to another executable, reformat the disk, etc.

Activity monitors can be annoying because they cannot distinguish between a user’s request and a program or virus request.

As a result, users are constantly asked to confirm actions like formatting a disk or deleting a file or set of files.

Examples: SECURE and FluShot+

Page 52

Anti-Virus Software

Integrity Checkers

These compute a small checksum or hash value (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified.

This catches unknown viruses as well as known ones and thus provides “generic” detection.

Examples: ASP Integrity Toolkit (commercial), and Integrity Master and VDS (shareware)

Page 53

Anti-Virus Software

Integrity checkers are considered to be the strongest line of defence against computer viruses, because they are not virus-specific and can detect new viruses without being constantly updated.

However, they should not be considered as an absolute protection: they have several drawbacks, cannot identify the particular virus that has attacked the system, and there are successful methods of attack against them too.
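An added example (not one of the products named above, nor the slides' code) of the mechanism pages 52 and 53 describe: a baseline of per-file digests is taken while the tree is presumed clean, and a later pass reports files that were modified, removed or added. It uses a cryptographic hash rather than a CRC, since a CRC can be kept unchanged by an attacker who controls the file contents; the directory tree and the "infection" in `demo()` are constructed.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def file_digest(path, algo="sha256"):
    """Cryptographic digest of a file, read in chunks so large executables do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Record size and digest of every file under root while it is presumed clean."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "digest": file_digest(full, algo)}
    return baseline


def verify(root, baseline, algo="sha256"):
    """Recompute digests and report what changed since the baseline was taken.

    The check is virus-independent: it does not say *what* modified a file, only that
    the file differs from its recorded state, so legitimate updates also show up here
    (the drawback the slides mention).
    """
    current = build_baseline(root, algo)
    return {
        "modified": sorted(rel for rel in baseline if rel in current
                           and current[rel]["digest"] != baseline[rel]["digest"]),
        "missing": sorted(rel for rel in baseline if rel not in current),
        "added": sorted(rel for rel in current if rel not in baseline),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate one executable
    being infected (bytes appended), one file removed and one new file dropped."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/payroll.exe": b"MZ payroll program v1",
                 "bin/report.com": b"report utility",
                 "autoexec.bat": b"@echo off"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # The baseline must live where an infected machine cannot rewrite it
        # (write-protected media or another host); here it is just serialized.
        baseline_json = json.dumps(baseline, sort_keys=True)

        with open(os.path.join(root, "bin", "payroll.exe"), "ab") as f:
            f.write(b"<appended code>")  # simulated infection of an executable
        os.remove(os.path.join(root, "autoexec.bat"))
        with open(os.path.join(root, "bin", "dropper.exe"), "wb") as f:
            f.write(b"MZ unknown program")

        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the baseline itself is the trust anchor, a checker is only as strong as the protection of that file: an attacker who can rewrite both the executable and its recorded digest defeats it, which is one of the "successful methods of attack" the slide alludes to.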

Page 54

Anti-Virus Software

Modification Detectors

Some modification detectors provide HEURISTIC DISINFECTION.

Sufficient information is saved for each file so that it can be restored to its original state in the case of the great majority of viral infections, even if the virus is unknown.

Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD module of V-Care and ThunderByte's TbClean.

Page 55

Anti-Virus Software

Page 56

Anti-Virus Software

Virus Removal

Once a virus has been detected, an eradication program can be used to wipe the virus from the hard disk.

Sometimes eradication programs can kill a virus without having to delete the infected program or data file, while other times those infected files must be deleted.

Inoculators are programs which will not allow a program to be run if it contains a virus.

Page 57

Is Windows a Virus?

No, Windows is not a virus. Here's what viruses do:

• They replicate quickly - okay, Windows does that.
• Viruses use up valuable system resources, thereby slowing down the system - okay, Windows does that.
• Viruses will, from time to time, crash your hard disk - okay, Windows does that too.
• Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
• Viruses will occasionally make the user suspect their system is too slow and the user will buy new hardware. Yup, that's with Windows, too.

Page 58

Is Windows a Virus?

Until now it seems Windows is a virus, but there are fundamental differences:

• Viruses are well supported by their authors,
• Run on most systems,
• Their program code is fast, compact and efficient,
• They tend to become more sophisticated as they mature.

Conclusion: Windows is not a virus. It's a bug!!

Page 59

Computer Crime Exposures

Committing crimes that exploit the computer and the information it contains can be damaging to the reputation, morale and very existence of an organization. Threats to the business include the following:

Financial Loss - These losses can be direct, through loss of electronic funds, or indirect, through the costs of correcting the exposure.

Page 60

Computer Crime Exposures

Legal Repercussions

There are numerous privacy and human rights laws to consider when developing security policies.

Not having proper security measures could expose the organization to lawsuits from investors and insurers.

Most companies must also comply with industry-specific regulatory agencies.

The IS auditor should obtain legal assistance when reviewing the legal issues associated with computer security.

Page 61

Computer Crime Exposures

Loss of Credibility or Competitive Edge

Many organizations, especially service firms such as banks and financial institutions, need credibility and public trust to maintain a competitive edge.

A security violation can severely damage this credibility, resulting in loss of business and prestige.

Page 62

Computer Crime Exposures

Blackmail / Industrial Espionage

By gaining access to confidential information or the means to adversely impact computer operations, a perpetrator can extort payments or services from an organization by threatening to exploit the security breach.

Some perpetrators may not be looking for financial gain. They merely want to cause damage due to dislike of the organization or for self-gratification.

Page 63

Agents of Exposures

Hackers

Hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles. They usually do not access a computer with the intent of destruction; however, this is quite often the result.

Page 64

Agents of Exposures

Employees / IS Personnel

These individuals have the easiest access to computerized information since they are the custodians of this information.

In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals.

Page 65

Agents of Exposures

Interested or Educated Outsiders

• Competitors
• Foreigners
• Organized criminals
• Crackers (paid hackers working for a third party)
• Phreakers (hackers attempting access into the telephone/communication system)

Page 66

Access Control Software

Generally performs the following tasks:

• Verification of the user
• Authorization of access to defined resources
• Restriction of users to specific terminals
• Reports on unauthorized attempts to access computer resources, data or programs

Page 67

Access Control Software

Provides the following functions of verifying user authorization:

• To sign on at the network and subsystem level
• At the application and transaction level
• Within the application
• At the field level for changes within a database
• Verify subsystem authorization for the user at the file level.

Page 68

Access Control Software

Authorization Components

• Logon-IDs and user authentication
• Limitation to specific terminals for specific logon-IDs
• Based on predetermined times
• Specific tasks to be initiated from a predefined library
• Establishing rules of access
• Creation of individual accountability and auditability
• Logging events
• Logging user activities
• Reporting capabilities
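An added example (not from the slides or any particular access control product) that ties together the tasks on page 66 and the authorization components on page 68: a rule table limits each logon-ID to specific terminals and predetermined hours, a constructed sign-on log is evaluated against it, and the result is the report of unauthorized attempts that the auditor later reviews. The logon-IDs, terminal names and log lines are all constructed.

```python
from collections import Counter
from datetime import datetime, time

# Constructed rule table: which terminals each logon-ID may use and the hours
# during which it may sign on (the "predetermined times" component).
RULES = {
    "OPR01": {"terminals": {"CON1"}, "hours": (time(0, 0), time(23, 59, 59))},
    "CLK07": {"terminals": {"T101", "T102"}, "hours": (time(8, 0), time(18, 0))},
}

# Constructed sign-on log: timestamp, logon-ID, terminal, authentication outcome.
LOG = """\
2015-03-29T09:15:02 CLK07 T101 AUTH_OK
2015-03-29T09:16:40 CLK07 T205 AUTH_OK
2015-03-29T21:05:11 CLK07 T102 AUTH_OK
2015-03-29T10:00:00 CLK07 T101 AUTH_FAIL
2015-03-29T10:00:05 CLK07 T101 AUTH_FAIL
2015-03-29T10:00:09 CLK07 T101 AUTH_FAIL
2015-03-29T11:30:00 OPR01 CON1 AUTH_OK
2015-03-29T11:45:00 GUEST T101 AUTH_FAIL
"""


def parse_log(text):
    """Turn the space-separated log lines into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, logon_id, terminal, outcome = line.split()
        entries.append({"when": datetime.fromisoformat(stamp), "logon_id": logon_id,
                        "terminal": terminal, "outcome": outcome})
    return entries


def check_entry(entry, rules):
    """Return None if the sign-on satisfies every rule, else the reason to report it.
    Checks run in the order the software applies them: identity, terminal, time,
    then the authentication result itself."""
    rule = rules.get(entry["logon_id"])
    if rule is None:
        return "unknown logon-ID"
    if entry["terminal"] not in rule["terminals"]:
        return "terminal not permitted for this logon-ID"
    start, end = rule["hours"]
    if not (start <= entry["when"].time() <= end):
        return "sign-on outside permitted hours"
    if entry["outcome"] != "AUTH_OK":
        return "authentication failed"
    return None


def unauthorized_attempts(entries, rules):
    """The report the slides ask for: every attempt that breached a rule, with the reason."""
    report = []
    for e in entries:
        reason = check_entry(e, rules)
        if reason is not None:
            report.append((e["when"].isoformat(), e["logon_id"], e["terminal"], reason))
    return report


def repeated_failures(entries, threshold=3):
    """Logon-ID/terminal pairs with at least `threshold` failed authentications.
    One failure is a mistyped password; a run of them on one ID is what the
    review of access control reports is meant to surface."""
    counts = Counter((e["logon_id"], e["terminal"]) for e in entries
                     if e["outcome"] == "AUTH_FAIL")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    entries = parse_log(LOG)
    for row in unauthorized_attempts(entries, RULES):
        print(*row)
    print("repeated failures:", repeated_failures(entries))
```

Note that two of the flagged sign-ons succeeded at the password step (CLK07 from T205 and CLK07 at 21:05): a correct password alone is not authorization, which is why terminal and time restrictions are listed as separate components above.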

Page 69

Access Control Software

The following is a list of computerized files and facilities that should be protected by logical access controls:

• System software
• Data
• Application software
• Telecommunication lines
• Libraries
• Password library
• Tape files
• Procedure libraries


Access Control Software

Advantages of a decentralized environment:

• The security administration is on site at the distributed location
• Security issues can be resolved in a more timely manner
• Security controls are monitored on a more frequent basis


Access Control Software

Risks related to a decentralized environment:

• The possibility that local standards might be implemented rather than those required by the organization.
• Levels of security management might be below that which can be maintained by a central administration.
• Distributed security administration requires a greater degree of management checks and audit by central administration to ensure standards are maintained.


Access Control Software

Issues related to a remote processing environment:

• Software controls over access to the computer, data files and remote access to the network should be implemented.
• Access from remote locations via modems and laptops to other computers should be controlled appropriately.
• Supervisory controls should be established over terminal and computer operations at remote locations.
• When replicated files exist at multiple locations, controls should ensure that all files used are correct and current.


Identification / Authentication

The two-phase user identification/authentication process consists of the following:

Identification - Users must identify themselves to the access control software by name or account number.

Authentication - Users must prove they are who they claim to be. Authentication is itself a two-step process: the software first verifies that the claimed logon-ID is valid, and then verifies the proof the user presents, such as knowledge of the password associated with that ID.


Identification / Authentication

For example, users may provide the following:

• Remembered information (something the user knows), such as name, account number, and password.
• Possessed objects (something the user has), such as a badge, plastic card or key.
• Personal characteristics (something the user is), such as a fingerprint, voice, or signature.


Features of Passwords

• A password should be easy for the user to remember but difficult for a perpetrator to guess.
• When the user logs on for the first time, the system should force a password change.
• If the wrong logon-ID or password is entered, say, three times, the account should be locked out.
• Passwords should be stored internally only as one-way (salted) hashes, never in recoverable form, so that a compromise of the password file does not disclose the passwords themselves.
• Passwords should be changed regularly, and immediately when compromise is suspected.
• Passwords should not be shared.


Syntax of Passwords

• Ideally, passwords should be 5 to 8 characters in length. (This range dates the material: today 8 characters is the floor, not the ceiling, and current guidance such as NIST SP 800-63B favours long passphrases over short, complex strings.)
• Should be a combination of alphabetic (upper case and lower case) and numeric characters.
• Should allow special characters like &^%$, etc.
• Passwords should not be identifiable with the user, such as first name, spouse's name, pet's name etc.
• Should not use common names or dictionary terms.
• The system should not permit previous passwords to be used again.
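The following Python is an added example, not part of the original slides, that turns the rules of the last two slides into working code: a forced change at first logon, lockout after three wrong attempts, one-way salted storage, the syntax checks, and a history that blocks reuse. The logon-ID `jdoe`, the small word list, the minimum length of 8 and the "three of four character classes" rule are this example's assumptions; PBKDF2-HMAC is used as the one-way function simply because it is in the standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Parameters drawn from the slides: lockout after three wrong attempts and no
# reuse of earlier passwords. The minimum length of 8 and the "three of four
# character classes" rule are this example's interpretation of the syntax slide.
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 3
HISTORY_DEPTH = 5
# Deliberately slow one-way function; raise the count to the current OWASP
# recommendation for production use.
PBKDF2_ITERATIONS = 200_000

# Constructed word list; a real check loads a large dictionary and breached lists.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "qwerty", "admin"}


def policy_violations(password, username, personal_terms=()):
    """Return the syntax rules a candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    lowered = password.lower()
    # Not identifiable with the user: logon-ID, spouse, pet and so on.
    if any(term and term.lower() in lowered for term in (username, *personal_terms)):
        problems.append("contains a name linked to the user")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    return problems


def hash_password(password, salt=None):
    """Salted one-way hash; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool = True        # first logon forces a change
    failed_attempts: int = 0
    locked: bool = False
    history: list = field(default_factory=list)   # (salt, digest) of old passwords

    def logon(self, password):
        """Return 'locked', 'denied', 'change_required' or 'ok'."""
        if self.locked:
            return "locked"
        if not verify_password(password, self.salt, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True          # reset requires the security administrator
                return "locked"
            return "denied"
        self.failed_attempts = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, new_password, personal_terms=()):
        """Apply the syntax rules and the reuse check; return the violations."""
        problems = policy_violations(new_password, self.username, personal_terms)
        previous = [(self.salt, self.digest), *self.history]
        if any(verify_password(new_password, s, d) for s, d in previous):
            problems.append("reuses a previous password")
        if problems:
            return problems
        self.history = previous[:HISTORY_DEPTH]
        self.salt, self.digest = hash_password(new_password)
        self.must_change = False
        return []


def create_account(username, initial_password):
    salt, digest = hash_password(initial_password)
    return Account(username, salt, digest)
```

Because old passwords are kept only as salted hashes, the reuse check has to re-hash the candidate against each stored salt; that cost is the point of a slow one-way function, and it is why the history depth is kept small.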


Password Combinations

A 4-digit numeric password (10,000 possibilities) could be cracked on a modest PC in 0.02 seconds, faster than you can blink your eyes. That is a guessing rate of about 500,000 passwords per second.

Increasing the length from 4 digits to 6 multiplies the possibilities by 100, so the time to crack is 100 times longer, or 2 seconds.

Increasing again from 6 to 8 digits multiplies them by another 100, and the time to crack is still only about 200 seconds, just under 4 minutes.


Password Combinations

Time to crack, passwords of 5 to 8 characters (figures as given on the slide):

Character set | Time
Numeric | 3.7 mins
Single case alpha | 5.4 mins
Single case alpha, numeric | 24 mons
Single case alpha, numeric, special | 32.2 yrs
Mixed case alpha, numeric, special | 429.5 yrs

The first and last rows follow from the 500,000 guesses per second of the previous slide; the second and third rows do not (26 letters over 5 to 8 characters take about 5 days at that rate, and 36 alphanumerics about 2 months), so treat the table as illustrative and recompute it for your own assumptions.
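This Python estimator is an added example, not part of the original slides. It recomputes the table above from first principles (total keyspace for lengths 5 to 8 divided by a guessing rate) and generalizes it to any alphabet, length range and rate. The count of 33 special characters, the 500,000 guesses per second derived from the slide, and the GPU-rig rate of 10^10 guesses per second are assumptions made for the example.

```python
from math import log2

# Alphabet sizes for the rows of the slide's table. The count of 33 printable
# ASCII special characters is this example's assumption.
CHARACTER_SETS = {
    "Numeric": 10,
    "Single case alpha": 26,
    "Single case alpha, numeric": 36,
    "Single case alpha, numeric, special": 36 + 33,
    "Mixed case alpha, numeric, special": 95,
}

# Rate implied by the slide: 10^4 numeric PINs tried in 0.02 s.
MODEST_PC_1990S = 500_000
# Order of magnitude for a modern GPU rig against a fast unsalted hash (assumption).
GPU_RIG = 10_000_000_000


def keyspace(alphabet_size, min_len, max_len):
    """Number of candidates an exhaustive search must try for lengths min..max."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_crack(alphabet_size, min_len, max_len, rate=MODEST_PC_1990S):
    """Worst case: the whole keyspace is tried at a fixed guessing rate."""
    return keyspace(alphabet_size, min_len, max_len) / rate


def entropy_bits(alphabet_size, length):
    """Strength of a uniformly random password, independent of any rate."""
    return length * log2(alphabet_size)


def human_duration(seconds):
    for unit, size in (("yrs", 365 * 86400), ("days", 86400), ("hrs", 3600), ("mins", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} secs"


def crack_time_table(min_len=5, max_len=8, rate=MODEST_PC_1990S):
    """Recompute the slide's table for any length range and guessing rate."""
    return {name: human_duration(seconds_to_crack(size, min_len, max_len, rate))
            for name, size in CHARACTER_SETS.items()}


if __name__ == "__main__":
    for rate in (MODEST_PC_1990S, GPU_RIG):
        print(f"\n{rate:,} guesses/s, 5-8 characters:")
        for name, t in crack_time_table(rate=rate).items():
            print(f"  {name:<40} {t}")
    # Length beats character classes: 12 lowercase letters outrun 8 of everything.
    print(f"\n8 chars from 95 symbols: {entropy_bits(95, 8):.1f} bits; "
          f"12 lowercase letters: {entropy_bits(26, 12):.1f} bits")
```

Run with the GPU-rig rate, every row of the 5-to-8 character table collapses to seconds or minutes, which is the practical reason the length advice in the syntax slide is now a floor rather than a range.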


Real World Scenario

L0pht Heavy Industries, a group of hackers who have turned their expertise into a security consulting business, claim that during a corporate audit they performed for a "large high technology company", they cracked 90% of the passwords in under 48 hours on a Pentium II/300.

They further state that 18% of the passwords were cracked in under 10 minutes.


Password Dilemma

• The best password is one that can't be guessed.
• If a password can't be guessed, it is probably difficult to remember.
• If a password is hard to remember, the user will probably write it down somewhere.
• If a password is written down, it is probably no longer secure.

Long passphrases and password managers ease this dilemma: a passphrase of several unrelated words is both memorable and hard to guess, and a manager leaves the user only one master secret to remember.


Session Controls

Logon-IDs not used for a number of days should be deactivated to prevent misuse. This can be done automatically by the system or manually by the security administrator.

The system should automatically disconnect a logon session if no activity has occurred for a period of time. This reduces the risk of misuse of an active logon session left unattended because the user left for lunch or for a meeting.


Data File Access

Access to a data file is granted at one or more of these levels:

• Read, inquiry, or copy only
• Write, create, update, or delete only
• Execute


Logging Computer Access

Computer access and attempted access violations can be automatically logged by the computer and reported. The security administrator should review the access report and look for:

• Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application.
• Violations such as attempting computer file access that is not authorized and/or use of incorrect passwords.


Access Violations

• The violation should be referred to the security administrator.
• The security administrator should investigate and determine the severity of the violation.
• If the violation is serious, executive management should be notified. They are normally responsible for notifying law enforcement agencies.
• Written guidelines should exist that identify various types and levels of violations and how they will be addressed.
• Disciplinary action should be a formal process that is consistently applied.
• Corrective measures should include a review of the access rules.


Bypassing Security

Generally, only system programmers should have access to these features:

Bypass Label Processing (BLP) - BLP bypasses the computer's reading of the file label. Since most access control rules are based on file names (labels), this can bypass access security.

System Exits - This system software feature permits the user to perform complex system maintenance which may be tailored to a specific environment; the same mechanism can be used to circumvent the normal access checks.

Special System Logon-IDs - These logon-IDs are often provided by the vendor and are the same for all similar systems, so their default passwords are widely known. The passwords should be changed immediately upon installation, and any such IDs that are not needed should be disabled.


Data Classification

The National Institute of Standards and Technology (NIST) describes the following four classifications:

Sensitive - Applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness. For example, passwords, encryption parameters, etc.


Data Classification

Confidential - Applies to the most sensitive business information that is intended strictly for use within an organization. Its unauthorized disclosure could seriously and adversely impact the organization's image in the eyes of the public. For example, application program source code, project documentation, etc.


Data Classification

Private - Applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its customers. For example, customer account data, e-mail messages, etc.


Data Classification

Public - Applies to data that can be accessed by the public but can be updated or modified by authorized people only. For example, company web pages, monetary transaction limit data, etc.


PC Security Issues

Sensitive data should not be stored on a PC. The simplest and most effective way to secure data and software is to remove the storage medium, such as a disk, cassette or tape, from the machine when it is not in use and lock it in a safe.

Vendors offer lockable enclosures, clamping devices and cable fastening devices that help prevent equipment theft. The computer can also be connected to a security system that sounds an alarm if the equipment is moved.

Passwords can be allocated to individual files to prevent them from being opened by an unauthorized person. The file-level password protection built into many applications is weak, however; it supplements, but does not replace, encryption of the disk itself.


PC Security Issues

Preventing the theft of data is virtually impossible. The medium itself is inexpensive, but the data residing on disks may be vital to the company. A practical solution is to record all sensitive data on removable hard drives, which are more easily secured than fixed or floppy disks.

Preventive controls such as encryption (today, full-disk encryption with the key protected by the user's credential) become more important for protecting sensitive data in the event the PC or laptop is lost, stolen, or sold.

Other procedures may require that the PC or laptop may only be used in a physically secured area and must not be taken from that location.


Naming Conventions

On larger mainframe and minicomputer systems, access control naming conventions are structures used to govern user access to the system and user authority to access or use computer resources.

The owners of the data or application, with the help of the security administrator, usually set up the naming conventions.

It is important to establish naming conventions that both promote the implementation of efficient access rules and simplify security administration.


Naming Conventions

Naming conventions for system resources such as datasets, volumes, programs, and terminals are an important prerequisite for efficient administration of security controls.

Naming conventions can be structured so that resources beginning with the same high-level qualifier can be governed by one or more generic rules.

This reduces the number of rules required to adequately protect resources, which, in turn, facilitates security administration and maintenance efforts.
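As an added example, not from the slides or any product, the following Python models how access control software applies rules to dataset names that follow a high-level-qualifier naming convention, with the read/write/execute levels of the Data File Access slide and a violation log carrying the fields the later review slides call for (time, terminal, logon, file). The dataset names, groups and logon-IDs (PAYROLL.MASTER.DATA, SYS1.PASSWORD.*, JDOE, SECADM and so on) are constructed for the example; the `*` / `**` matching and the "most specific rule wins" evaluation are modelled loosely on mainframe products, not on any one product's syntax.

```python
from collections import namedtuple
from datetime import datetime

# A rule grants a set of operations on every resource matching a pattern to a
# subject, which is either a logon-ID ("USER:...") or a group ("GROUP:...").
Rule = namedtuple("Rule", "pattern subject ops")

# Constructed rule base. Dataset names follow a HLQ.qualifier.qualifier convention,
# so one generic rule per high-level qualifier covers most datasets and a more
# specific rule tightens access to the master file and the password library.
RULES = [
    Rule("PAYROLL.**",       "GROUP:PAYROLL",  {"READ", "WRITE"}),
    Rule("PAYROLL.**",       "GROUP:AUDITORS", {"READ"}),
    Rule("PAYROLL.MASTER.*", "GROUP:PAYROLL",  {"READ"}),            # clerks: read only
    Rule("PAYROLL.MASTER.*", "USER:PAYADM",    {"READ", "WRITE"}),
    Rule("SYS1.*",           "GROUP:ALLUSERS", {"READ", "EXECUTE"}),
    Rule("SYS1.PROCLIB",     "GROUP:SYSPROG",  {"READ", "WRITE"}),
    Rule("SYS1.PASSWORD.*",  "USER:SECADM",    {"READ", "WRITE"}),
]

# Constructed group memberships.
GROUPS = {
    "JDOE":   {"PAYROLL", "ALLUSERS"},
    "PAYADM": {"PAYROLL", "ALLUSERS"},
    "AUD01":  {"AUDITORS", "ALLUSERS"},
    "SYSP1":  {"SYSPROG", "ALLUSERS"},
    "SECADM": {"ALLUSERS"},
}

VIOLATION_LOG = []   # what the security administrator reviews


def pattern_matches(pattern, resource):
    """'*' matches exactly one qualifier, '**' matches all remaining qualifiers."""
    pq, rq = pattern.split("."), resource.split(".")
    for i, p in enumerate(pq):
        if p == "**":
            return True
        if i >= len(rq) or (p != "*" and p != rq[i]):
            return False
    return len(pq) == len(rq)


def specificity(pattern):
    """More literal qualifiers, then more qualifiers, beats a generic rule."""
    qualifiers = pattern.split(".")
    return (sum(q not in ("*", "**") for q in qualifiers), len(qualifiers))


def check_access(user, resource, op, rules=RULES, groups=GROUPS):
    """Default deny; only the most specific matching pattern's rules are consulted."""
    matching = [r for r in rules if pattern_matches(r.pattern, resource)]
    if not matching:
        return False, "no rule covers the resource (default deny)"
    best = max(specificity(r.pattern) for r in matching)
    subjects = {f"USER:{user}"} | {f"GROUP:{g}" for g in groups.get(user, ())}
    for r in matching:
        if specificity(r.pattern) == best and r.subject in subjects and op in r.ops:
            return True, f"permitted by {r.pattern} for {r.subject}"
    return False, f"{op} on {resource} not granted to {user} by the most specific rule"


def access_request(user, terminal, resource, op, when=None):
    """Mediate a request and record violations with the fields an audit report needs."""
    allowed, reason = check_access(user, resource, op)
    if not allowed:
        VIOLATION_LOG.append({
            "time": (when or datetime.now()).isoformat(timespec="seconds"),
            "terminal": terminal, "logon": user, "resource": resource,
            "op": op, "reason": reason,
        })
    return allowed
```

The AUD01 case shows the administrative trap that naming conventions create: once a specific rule exists for PAYROLL.MASTER.*, the auditors' read access granted by the generic PAYROLL.** rule no longer applies to the master file and must be restated on the specific rule, which is exactly the kind of inconsistency the periodic inventory of access rules by data owners is meant to catch.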


Evaluating Logical Access

When evaluating logical access controls, the IS Auditor should:

• Obtain a general understanding of the security risks facing information processing through a review of relevant documentation, inquiry, observation, risk assessment, and evaluation techniques.
• Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency, and effectiveness by reviewing appropriate hardware and software security features and identifying deficiencies or redundancies.


Evaluating Logical Access

• Test controls over access paths to determine that they are functioning and effective by applying appropriate audit techniques.
• Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence.
• Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures and comparing them with appropriate security standards and procedures.


Evaluating Logical Access

Familiarizing with the IS processing environment: this is the first step of the audit and involves obtaining a clear understanding of the technical, managerial and security environment of the IS facility. This typically includes interviews, physical walkthroughs, review of documents and risk assessments.


Document the Access Paths

The access path is the logical route the end user takes to access computerized information. It starts with a terminal and typically ends with the data being accessed. The IS Auditor should evaluate each component for proper implementation and proper physical and logical access security. A typical sequence of the components follows:

Terminal - A terminal is used by an end user to sign on. It should be physically secured, and the logon-ID and password should be subject to the conditions outlined in the security policy.


Document the Access Paths

Telecommunications Software - It intercepts the logon to direct it down the appropriate telecommunications link. The telecom software can restrict terminals to specific data or application software.

A key audit issue with telecom software is to ensure all applications have been defined to the software and that the various optional telecom control and processing features used are appropriate and approved by management. This analysis typically requires the help of a system software analyst.


Document the Access Paths

Transaction Processing Software - This software routes transactions to the appropriate application software.

Key audit issues include ensuring proper identification/authentication of the user, and authorization of the user to gain access to the application. This analysis is performed by reviewing internal tables that reside in the transaction processing software or in the system security software. Access to these tables should be restricted to the security administrator.


Document the Access Paths

Application Software - The application software processes transactions in accordance with program logic. Audit issues include restricting access to the production software library to only the implementation coordinator.


Document the Access Paths

Database Management Software - The DBMS software directs access to the computerized information. Audit issues include ensuring that all data elements are identified in the data dictionary, that access to the data dictionary is restricted to the DBA, and that all data elements are subject to logical access control.


Document the Access Paths

Access Control Software - The access control software can wrap logical access security around all the above components. This is done via internal security tables.

Audit issues include ensuring all the above components are defined to the access control software, providing access control rules that define who can access what on a need-to-know basis, and restricting access to the security tables to the security administrator.


Conduct Reviews - Reports from Access Control Software

The reporting features of access control software provide the security administrator with the opportunity to monitor adherence to security policies.

By reviewing a sampling of reports, the IS Auditor can determine if enough information is provided to support an investigation and if the security administrator is performing an effective review of the report.

Unsuccessful access attempts should be reported and should identify the time, terminal, logon and file or data element for which access was attempted.
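The following Python is an added example, not part of the original slides, showing the review described here and on the earlier "Logging Computer Access" slide as detection logic over a report: it parses access-control report lines, flags bursts of failed sign-ons (password guessing), flags logon-IDs whose activity concentrates on a sensitive application, and lists denied accesses with the time, terminal, logon and file the slide requires. The report line format, the logon-IDs, terminals and dataset names, and the treatment of PAYROLL.* as the sensitive application are all constructed for the example; real products each have their own report layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of access control software output. The field layout is an
# assumption made for this example; real products each have their own format.
SAMPLE_LOG = """\
2024-03-11T08:59:10 event=LOGON  term=T0031 logon=JDOE  result=FAIL
2024-03-11T08:59:31 event=LOGON  term=T0031 logon=JDOE  result=FAIL
2024-03-11T08:59:55 event=LOGON  term=T0031 logon=JDOE  result=FAIL
2024-03-11T09:00:12 event=LOGON  term=T0031 logon=JDOE  result=FAIL
2024-03-11T09:02:40 event=LOGON  term=T0107 logon=AUD01 result=OK
2024-03-11T09:03:01 event=ACCESS term=T0107 logon=AUD01 resource=PAYROLL.MASTER.DATA op=READ result=OK
2024-03-11T09:03:20 event=ACCESS term=T0107 logon=AUD01 resource=PAYROLL.MASTER.DATA op=WRITE result=DENIED
2024-03-11T09:05:44 event=ACCESS term=T0107 logon=AUD01 resource=PAYROLL.HISTORY.Y2023 op=READ result=OK
2024-03-11T09:06:02 event=ACCESS term=T0107 logon=AUD01 resource=PAYROLL.HISTORY.Y2022 op=READ result=OK
2024-03-11T09:06:30 event=ACCESS term=T0107 logon=AUD01 resource=PAYROLL.BANK.ACCOUNTS op=READ result=OK
2024-03-11T09:07:15 event=ACCESS term=T0107 logon=AUD01 resource=PAYROLL.BANK.ACCOUNTS op=COPY result=OK
2024-03-11T09:10:00 event=LOGON  term=T0212 logon=MKHAN result=OK
2024-03-11T09:11:09 event=ACCESS term=T0212 logon=MKHAN resource=SALES.ORDERS.2024 op=UPDATE result=OK
2024-03-11T09:12:48 event=ACCESS term=T0212 logon=MKHAN resource=SYS1.PASSWORD.DATA op=READ result=DENIED
2024-03-11T09:15:30 event=ACCESS term=T0212 logon=MKHAN resource=SALES.ORDERS.2024 op=READ result=OK
"""

LINE_RE = re.compile(
    r"(\S+)\s+event=(\S+)\s+term=(\S+)\s+logon=(\S+)"
    r"(?:\s+resource=(\S+)\s+op=(\S+))?\s+result=(\S+)"
)


def parse_log(text):
    """Turn report lines into records; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, term, logon, resource, op, result = m.groups()
        records.append({"time": datetime.fromisoformat(ts), "event": event,
                        "terminal": term, "logon": logon, "resource": resource,
                        "op": op, "result": result})
    return records


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Logon-IDs with `threshold` or more failed sign-ons inside one window: the
    signature of password guessing, and what lockout should have interrupted."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON" and r["result"] == "FAIL":
            by_user[r["logon"]].append(r["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user] = len(times)
                break
    return flagged


def sensitive_concentration(records, sensitive_prefixes=("PAYROLL.",),
                            min_events=4, min_share=0.75):
    """Logon-IDs whose successful accesses concentrate on a sensitive application."""
    total, sensitive = Counter(), Counter()
    for r in records:
        if r["event"] == "ACCESS" and r["result"] == "OK":
            total[r["logon"]] += 1
            if r["resource"].startswith(sensitive_prefixes):
                sensitive[r["logon"]] += 1
    return {u: sensitive[u] for u in total
            if sensitive[u] >= min_events and sensitive[u] / total[u] >= min_share}


def unauthorized_attempts(records):
    """Denied accesses with time, terminal, logon and file, as the slide requires."""
    return [(r["time"].isoformat(timespec="seconds"), r["terminal"], r["logon"],
             r["resource"], r["op"])
            for r in records if r["event"] == "ACCESS" and r["result"] == "DENIED"]


def review(text=SAMPLE_LOG):
    records = parse_log(text)
    return {"password_guessing": failed_logon_bursts(records),
            "sensitive_concentration": sensitive_concentration(records),
            "unauthorized_attempts": unauthorized_attempts(records)}


if __name__ == "__main__":
    for heading, finding in review().items():
        print(heading, "->", finding)
```

Note that the AUD01 pattern consists entirely of permitted reads; it is flagged because of concentration, not because any single access was refused, which is why a report of denied attempts alone is not a sufficient review.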


Conduct Reviews - Application System Operations Manual

The application systems manual should contain documentation on the programs that are generally used throughout a data processing installation to support the development, implementation, operations, and use of application systems.

This manual should include information about which platform the application can run on, database management systems, compilers, interpreters, telecom monitors and other applications that can run with the application.


Conduct Reviews - Written Policies, Procedures, and Standards

Policies and procedures provide the framework and guidelines for maintaining proper operation and control.

The IS Auditor should review the policies and procedures to determine if they set the tone for proper security and provide a means for assigning responsibility for maintaining a secured computer processing environment.


Conduct Reviews - Formal Security Training

Effective security will always be dependent on people. Security can only be effective if people know what is expected of them and what their responsibilities are.

They should know why various security measures, such as locked doors and the use of logon-IDs, are in place, and the repercussions of violating security.

Employees should be encouraged to identify and report possible security violations.

Training should start with new employee orientation or induction and should be an ongoing process.


Data Ownership

Data ownership refers to the classification of the data elements and the allocation of responsibility for ensuring that the data is kept confidential, complete, and accurate.

A key point of ownership is that by assigning responsibility for protecting computer data to particular employees, accountability is established.

By interviewing a sampling of data owners, the IS Auditor can determine if they are aware of their data ownership duties.

The IS Auditor should review the classification of data and evaluate its appropriateness.


Data Ownership

Data Owners - These are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring access rules are updated when personnel changes occur, and regularly inventorying access rules for the data for which they are responsible.

Data Custodians - These people are responsible for storing and safeguarding the data and include IS personnel such as systems analysts and computer operators.


Data Ownership

Data Users - Often referred to as end users, these are the actual users of the computerized data. Their levels of access should be authorized by data owners and restricted and monitored by the security administrator.

Security Administrator - Security administrators are responsible for providing adequate physical and logical security for IS programs, data, and equipment. Normally the security policy will provide the basic guidelines under which the security administrator operates.


Data Ownership

Documented Authorizations - Data access should be identified and authorized in writing. The IS Auditor can review a sample of these authorizations to determine if the proper level of written authority was provided.

Access Standards - Access standards should be reviewed by the IS Auditor to ensure that they meet organizational objectives for separating duties, that they prevent fraud or error, and that they meet policy requirements for minimizing the risk of unauthorized access.


Bypass Security Features

Typically include:

• Bypass label processing
• Special system maintenance logon-IDs
• Operating system exits
• Installation utilities
• I/O appendages


Bypass Security Features

Since bypass security features can be exploited by technically sophisticated intruders, the IS Auditor should be interested in compensating features, including the following:

• All uses of these features should be logged, reported and investigated by the security administrator or system software manager.
• Unnecessary bypass security features should be deactivated.
• If possible, the bypass security features should be subject to additional logical access controls.


Penetration Testing

Penetration tests used by the IS Auditor simulate the techniques used by a hacker, and should be authorized in writing and scoped before they begin. Typical components of a penetration test include:

• Attempting to guess passwords by using password cracking tools which generate passwords from dictionaries, common phrases, or combinations of letters and numbers.
• Searching for programmer back doors into operations.
• Attempting to overload communications software.
• Exploiting known vulnerabilities in software.


Password Administration

Access controls and password administration are reviewed to determine that:

• Procedures exist for adding individuals to the list of those authorized to have access to computer resources, changing their access capabilities, and deleting them from the list.
• Passwords are of adequate length, cannot be easily guessed, and do not contain repeating characters.
• Passwords are changed periodically.
• Procedures provide for the suspension of user accounts, or the disabling of terminals, in case of security violations.


Thank You

[email protected]