Comments
Transcript
IT AUDITING FOR NON-IT AUDITORS CUAV 2015 Conference
CUAV 2015 Conference IT AUDITING FOR NON-IT AUDITORS Shedding Light on Key Controls Michelle Workman Glenn Wilson George Mason University Old Dominion University Account Management User Account Management Privileged Account Management User Account Management What is it? ◦ Managing the life-cycle of user accounts: requesting, approving, administering, and terminating Why is it important? ◦ Authorized users may use accounts for unauthorized purposes ◦ Unauthorized users may use/exploit accounts for unauthorized and sometimes malicious purposes User Account Management Best Practices: ◦ Documented account management policy that formalizes the process for requesting, granting, administering, and terminating accounts ◦ Access is granted on the principles of least privilege and separation of duties ◦ Limit/Prohibit the use of generic and shared accounts User Account Management Best Practices (continued): ◦ Require prompt notification when a user account is no longer required or a user’s access level requirements change ◦ Periodically review all user accounts and corresponding privileges Avoid privilege creep with user access recertifications Avoid rubber stamping: occurs when business units are asked to review and approved “cryptic” access privileges User Account Management Best Practices (continued): ◦ Monitoring account usage to identify: Dormant accounts Users who have logged in during unusual hours User Account Management Common Misconceptions ◦ When determining whether IDs are personal or generic, do not depend on format alone ◦ Don’t only test “front door” access (a user’s access to data through an application) ◦ Vendor accounts are required ◦ Disabling vs. deleting user accounts User Account Management Red Flags ◦ Generic and shared accounts ◦ Common account management practices that promote violations of least privilege and separation of duties: Playing the short staffed card: “We have small staff and therefore have to grant broad access to lots of people” “We have a large staff and people change jobs and tend to accumulate the sum of all the privileges they’ve ever had” System limitations: “The system doesn’t support granular enough privileges” Account cloning: “We copy privileges for users in the same role” Privileged Account Management What is it? ◦ An account that is used to perform tasks that an ordinary user account cannot perform Why is it important? ◦ These accounts allow users to perform elevated/sensitive tasks, often with impunity, because multiple users know the same account ID and password Privileged Account Management Best Practices ◦ Documented policy for the management of privileged accounts ◦ Reduce the complexity of privileged accounts ◦ Eliminate, where possible, the practice of sharing privileged account credentials among multiple people ◦ Privileged accounts should only be used to perform tasks requiring elevated rights Privileged Account Management Best Practices (continued) ◦ Document the functionality of privileged accounts ◦ Consider account “check-out” mechanisms that require an employee to log a request for specific privileged account credentials ◦ Consider mechanisms that change the password associated with a privileged account a certain length of time after it has been requested for use by an employee Privileged Account Management Best Practices (continued) ◦ Log the activity of privileged accounts; these logs should be maintained on a separate server from the one being audited so the privileged user does not have rights to change the stored logs ◦ Monitor the use of privileged accounts ◦ Have procedures in place to ensure that an employee no longer with the university has access to privileged accounts Privileged Account Management Common Misconceptions ◦ Privileged accounts are only at risk from attackers outside of the network Attackers on the inside who have hijacked a legit account for their own needs Staffers who abuse access for one reason or another Or - and most likely - a user with too much access who makes a mistake that results in a security incident Privileged Account Management Common Misconceptions (continued) “When you’re in positions of privileged access, like a systems administrator, you’re exposed to a lot more information on a broader scale than the average employee,” says Snowden. “Because of that you see things that may be disturbing. Over the course of a normal person’s career, you’d only see one or two instances, but when you see everything, you see them on a more frequent basis.” Privileged Account Management Common Misconceptions (continued) Privileged Account Management Common Misconceptions (continued) ◦ Only a few trusted individuals know the passwords for privileged accounts Privileged Account Management Red Flags ◦ Users of privileged accounts do not have a separate, less privileged account to perform day to day tasks (e.g., checking email) ◦ Weak password policy: privileged passwords are frequently not subject to a policy requiring regular password changes or locking the account after so many failed login attempts ◦ Passwords for privileged application, service, and batch accounts are often embedded/hard coded and stored in plain text Account Management Resources ◦ SANS Critical Security Controls (http://www.sans.org/critical-security-controls/) Control #16: Account Monitoring and Control Control #12: Controlled Use of Administrative Privileges ◦ ITRM Guideline SEC509-00: IT Logical Access Control Guideline (http://www.vita.virginia.gov/uploadedfiles/VITA_Main_Public/Libra ry/LogicalAccessControlGuideline04_18_2007.pdf) Data Backup: What is the Objective? The backup method must ensure the required recovery. Recovery time objective (RTO) = Statement of duration and service level within which a business function must be restored after a disruption, to avoid unacceptable consequential loss. Recovery point objective (RPO) = Statement of data loss related to backup points and service recovery time. Data Backup: Why is it Important? There odds are strong that you will need them Hardware failures Soft failures / data corruption File and transaction deletions Failed upgrades Malicious activity Data Backup: Modes Disk > Tape Disk > Disk Disk <> Media Disk <> Device Data Backup: Methods File level backups Block level backups Transactional logs Real-time replication Virtual snapshots Disk imaging Data Backup: Schemes Full Full + Differential Full Backup + Incremental Backups Rotations - First In, First Out Grandfather-father-son Tower of Hanoi Data Backup: Best Practices Conduct a formal business impact analysis Geographically separate backups Establish a lifecycle operations calendar Conduct recovery objective testing Classify data to establish required security Design a monitoring and remediation workflow Conduct tape and file inventory audits Protect the backup database or catalog Data Backup: Misconceptions Everything is all backed up Info Technology Services handles it all Assuming that all backups are secure We don’t need local backups because the vendor can/will provide the data Data Backup: Red Flags No formal communication of recovery objectives Mismatched recovery objectives and backup methods Infrequent or absence of full restorative testing Missing or weak error handling procedures Missing or weak vaulting or data inventory procedures Diminished data management and security standards Missing or weak contractual agreements Data Backup: Resources • NIST Special Publication 800-34 Contingency Planning Guide for Federal Information Systems http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov112010.pdf • United States Computer Emergency Readiness Team https://www.us-cert.gov • Iron Mountain http://www.ironmountain.com/Knowledge-Center.aspx Password Policies What is it? ◦ A set of rules designed to enhance security by requiring users to employ strong passwords and use them properly Why is it important? ◦ Without a strong policy enforcing password requirements, people continue to choose bad passwords and protection practices Password Policies SplashData released its annual list of the 25 most common passwords found on the Internet Shows that many people continue to put themselves at risk by using weak, easily guessable passwords Password Policies Best Practices ◦ There is no one size fits all password policy – requirements should be commensurate with the level of risk and sensitivity of the system ◦ The password policy should also include human factors (social engineering factors) to ensure the integrity of the user’s password ◦ Prohibit the transmission and storage of passwords in clear text Password Policies Red Flags ◦ “Off setting” password parameters If password history is not set, then password expiration is negated If minimal password age is set too low, users can change their password repeatedly in the same day until password history is exceeded, and begin reusing their original password ◦ (specific to a Windows environment): the “Store passwords using reversible encryption” setting is misleading ◦ Forgotten passwords are reissued Password Policies Common Misconceptions ◦ One size fits all password policy – should be based on the level of risk and sensitivity of the system ◦ Balancing the threat of a brute force attack on user passwords vs setting an account lockout threshold ◦ The longer and more complex your password is, the stronger and more secure it is ◦ You are protected so long as you enforce a strong password policy Password Policies Common Misconceptions (continued) ◦ https://www.youtube.com/watch?v=opRMrEfAIiI Password Policies Resources ◦ ITRM Guideline SEC509-00: IT Logical Access Control Guideline (http://www.vita.virginia.gov/uploadedfiles/VITA_Main_Public/Libra ry/LogicalAccessControlGuideline04_18_2007.pdf) ◦ NIST Special Publication 800-118 (Draft) (http://csrc.nist.gov/publications/drafts/800-118/draft-sp800118.pdf) Sensitive Data Storage: Data Types Virginia Information Technologies Agency Website Personally Identifiable Information, including information that describes, locates or indexes anything about an individual including financial transactions, Social Security numbers, medical history, ancestry, religion, political ideology, criminal or employment record and photographs. Proprietary research data Certain confidential proprietary data Network diagrams and IP addresses Server names and configurations Contract cost estimates Sensitive Data Storage: Importance • Compliance and legal • Grants and funding • Organizational reputation • System / network intrusion • Theft of organizational assets • Data integrity Sensitive Data Storage: Best Practices Commonwealth of Virginia ITRM Standard SEC501-09 May 1, 2015 1.10. FAMILY: MEDIA PROTECTION MP-1-COV Media Protection Prohibit the storage of sensitive data on any non-network storage device or media, except for backup media, unless the data is encrypted and there is a written exception approved by the Agency Head accepting all residual risks. MP-4 MEDIA STORAGE Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. MP-6 MEDIA SANITIZATION The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Sensitive Data Storage: Best Practices Identify and classify sensitive data elements in your data Know what policies and standards apply to each data element Know the necessary business uses for the sensitive data - Store sensitive data in the least mobile, most secured locations - Store sensitive data with the least access possible - Maintain a secured state as continuously as possible Utilize strong, standardized full-device or container encryption and employ proper encryption key management Know why an element of sensitive data is necessary and do not collect sensitive data unless there is an absolute business necessity. Collecting only a portion of sensitive data may be sufficient such as the last four digits of a credit card number or social security number. Sensitive Data Storage: Misconceptions • Knowing everywhere their sensitive data is stored • Everyone is aware of data policies and standards • Drives are as secure as a managed database • It’s highly secure because its encrypted • Assuming control strength is essentially the same across a variety of storage media and storage situations. Sensitive Data Storage: Red Flags Failure to systematically classify data No set policies for data management User awareness training is absent or informal Weak or absent technical controls to enforce policies Business pressure drives control design/implementation Not encrypting data before uploading to the Cloud Large volume of data extracts stored in various formats on local drives, network shares and removable media. Sensitive Data Storage: Resources • National Institute of Standards and Technology NIST SP800-53 Revision 4 Cybersecurity Framework http://csrc.nist.gov/publications/nistpubs/800-53-rev4/sp800-53r4_summary.pdf • Virginia Information Technologies Agency Information Security Management Standard SEC 501-09 https://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public/Library/PSGs/Inform ation_Security_Standard_SEC501.pdf • NIST Special Publication 800-11 Guide to Storage Encryption Technologies for End User Devices http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf Production Change Controls What is it? ◦ Controls to manage changes, updates, or modifications to hardware, operating systems, applications, and databases ◦ It’s the process used to request, review, specify, plan, approve, and implement changes Production Change Controls Why is it important? ◦ Significant risk that unauthorized, unapproved, or untested changes may be introduced into the production environment ◦ Critical system failure/disruption of IT services due to unforeseen technical problems ◦ Potential security implications Production Change Controls Best Practices ◦ Needs to be appropriate separation of duties between who can request a change, approve a change, develop a change, test the change, and move the change into production Production Change Controls Best Practices (continued) ◦ Ideally systems should have at least three separate environments for development, testing and production The test and production environments should be as similar as possible If cost prohibits having three environments, testing and development could take place in the same environment; but development activity would need to be closely managed during acceptance testing Production Change Controls Best Practices (continued) ◦ As a general principle development and production should always be separate with no crossover Developers should not have access to production systems Developers may be granted access to production for emergency changes using pre-established accounts for this purpose at the time of need Production Change Controls Best Practices (continued) ◦ No code should ever be installed in a production environment that has not been approved and tested ◦ Not only test that the changes are operating as intended, but to verify that only intended and approved changes were made and to assess its impact on operations and security ◦ A back-out plan needs to be established for the specific changes that describes how a failed change can be restored to its previous state Production Change Controls Common Misconceptions ◦ Only changes of a certain size need to be documented At a minimum a change log should be maintained that includes a brief functional description of the change; date the change was implemented; who made the change; who authorized the change; and what technical elements were affected by the change ◦ We manually log/track all changes, so all changes are known Production Change Controls Red Flags ◦ Only a production environment exists ◦ No mechanism to detect and log changes being moved to production ◦ Nothing supporting version control ◦ The number of “emergency changes” far exceeds the number of normal changes Production Change Controls COBIT: Build, Acquire and Implement (BAI)06 Manage Changes (through ISACA membership) Data Accuracy & Integrity: What is it? • • • • • • Components of data quality (accuracy, completeness, validity, consistency) Accuracy refers to “correctness” of value and format. Integrity refers to maintaining and assuring accuracy through prevention of unintentional changes over its entire life-cycle. Both are dependent on system design, implementation, operation and usage. The successful input of data into a system not meeting the standard for correctness is a data accuracy failure. Unintended changes to data resulting from any cause is a failure of data integrity. Data Accuracy & Integrity: Importance Business intelligence Life critical systems Record retention and compliance (Clery Act, Sarbanes-Oxley, Do Not Call Registry, HIPAA) Error propagation through depts. and business functions. Duplication of records Erroneous reports and filings Communication errors Data Accuracy & Integrity: Best Practices • Do not rely solely on system design and operation • Establish a formal data control function • Conduct cause and effect analysis on any noted errors, omissions or exceptions • Develop methods to detect/correct data issues in real time • Design error checking routines into data interfaces • Communicate data standards and definitions • Limit data feeds to the systems of record • Lock or signature stamp archives and templates • Audit and test data records and files Data Accuracy & Integrity: Testing • What should be tested? − Closed records − Permanent records − Fee schedules − Calculated values − Spreadsheets Data Accuracy & Integrity: Testing • Comparative Tests − File signatures − Content based tools − Source records to extracts Data Accuracy & Integrity: Testing • Rule Based Tests − Format consistency − Boundary checks − Completeness − Invalid duplication Data Accuracy & Integrity: Red Flags Overreliance on soft controls Relying on weak or fuzzy matching algorithms Relying on default system/application controls Structural database updates / system conversion Weak or absent data control function or processes Unvetted ad hoc reports, update queries and scripts Instances of workarounds and manual corrections Data Accuracy & Integrity: Resources • The Practitioner's Guide to Data Quality Improvement by David Loshin http://dataqualitybook.com/ • Experian Data Quality Resource Center https://www.edq.com/resource-center/ Thank You! Feel free to contact us for any additional information Michelle Workman [email protected] Glenn Wilson [email protected]