Chapter 5 - Identity and Access Management - Part 2
CHAPTER 5 - PART 2

TOPICS COVERED
● Authorization Issues
  a) Introduction
  b) Access Control Lists
  c) Logical Access Security Administration
  d) Remote Access Security
● Audit Logging in Monitoring System Access
  a) Introduction
  b) Access Rights to System Logs
  c) Tools for Audit Trail (Logs) Analysis
  d) Cost Considerations
● Naming Conventions for Logical Access Controls

AUTHORIZATION ISSUES

INTRODUCTION
● Authorization process: the need to identify and differentiate among users
● Access rules: specify who can access what
● Access: should be documented on a need-to-know and need-to-do basis
● Computer access: granted at various levels
● The IS auditor needs to know what can be done and what is restricted with the access granted
● Examples of access restrictions at the file level generally include the following:
  ○ Read, inquiry or copy only
  ○ Write, create, update or delete only
  ○ Execute only
  ○ A combination of the above
● Least dangerous type of access: read only. This is because the user cannot alter or use the computerized file beyond basic viewing or printing.

ACCESS CONTROL LIST
● Logical access control mechanisms use access authorization tables, also referred to as access control lists (ACLs) or access control tables.
● Access control list (ACL): provides security authorization
● ACLs refer to a register of:
  ○ Users (including groups, machines and processes) who have permission to use a particular system resource
  ○ The access permitted
● ACLs vary in capability and flexibility
● Advanced ACLs:
  ○ Can be used to explicitly deny access to a particular individual or group
  ○ Can contain access at the discretion of the policy maker or individual user
● Changes in users’ job roles: old access rights and new access rights

LOGICAL ACCESS SECURITY ADMINISTRATION
● In a client-server environment, the access I&A (identification and authentication) and authorization process can be administered either through a centralized or a decentralized environment
● Advantages of a decentralized environment:
  ○ Onsite security administrator
  ○ Timely resolution of issues
  ○ More frequent monitoring of controls
● Risks associated with distributed responsibility (compared to centralized administration):
  ○ Use of local standards instead of organizational standards
  ○ Lower security management
  ○ Management checks and audits not available
● Ways to control remote and distributed sites:
  1) Implement software controls over access. Software controls over access to the computer, data files and remote access to the network should be implemented.
  2) Secure the physical control environment. The physical control environment should be as secure as possible, with additions such as lockable terminals and a locked computer room.
  3) Control access from remote locations. Access from remote locations via modems and laptops to other microcomputers should be controlled appropriately.
  4) Limit opportunities for unauthorized people to gain knowledge of the system. Opportunities for unauthorized people to gain knowledge of the system should be limited by implementing controls over access to system documentation and manuals.
  5) Set up controls for data transmitted from remote locations. Controls should exist for data transmitted from remote locations, such as sales in one location that update accounts receivable files at another location. The sending location should transmit control information, such as transaction control totals, to enable the receiving location to verify the update of its files. When practical, central monitoring
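The ACL register described above (users, groups, machines and processes as principals; read/write/execute as the permitted access; explicit deny as an advanced feature; discretionary grants by the resource owner), worked through as a small evaluator. This is an added example, not code from the original notes; the principal names, the resource, the group membership table and the rule that an explicit deny overrides any allow are assumptions made for the illustration.

```python
# Added example (not from the original notes): a minimal access control list (ACL)
# evaluator. Names, resources, group membership and the deny-overrides rule are
# assumptions made for this illustration.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class AclEntry:
    principal: str          # user, group, machine or process name
    permissions: frozenset  # subset of {READ, WRITE, EXECUTE}
    allow: bool = True      # False = explicit deny (an "advanced ACL" capability)


@dataclass
class Resource:
    name: str
    owner: str
    acl: list = field(default_factory=list)


# Constructed group membership; in a real system this comes from the directory.
GROUPS = {
    "finance": {"alice", "bob"},
    "auditors": {"carol"},
}


def principals_for(subject: str) -> set:
    """Names under which a subject can match ACL entries: itself plus its groups."""
    names = {subject}
    for group, members in GROUPS.items():
        if subject in members:
            names.add(group)
    return names


def is_allowed(resource: Resource, subject: str, permission: str) -> bool:
    """Deny-overrides evaluation: any matching deny wins; otherwise a matching allow is required."""
    names = principals_for(subject)
    matching = [e for e in resource.acl
                if e.principal in names and permission in e.permissions]
    if any(not e.allow for e in matching):
        return False
    return any(e.allow for e in matching)


def grant(resource: Resource, granter: str, principal: str, permissions, allow: bool = True) -> None:
    """Discretionary change: only the resource owner may add entries to its ACL."""
    if granter != resource.owner:
        raise PermissionError(f"{granter} is not the owner of {resource.name}")
    resource.acl.append(AclEntry(principal, frozenset(permissions), allow))


def build_sample() -> Resource:
    """Constructed ledger file owned by alice with a mixed allow/deny register."""
    ledger = Resource("ledger.dat", owner="alice")
    grant(ledger, "alice", "finance", {READ, WRITE})      # group grant
    grant(ledger, "alice", "auditors", {READ})            # read only: least dangerous access
    grant(ledger, "alice", "bob", {WRITE}, allow=False)   # explicit deny for one group member
    grant(ledger, "alice", "batch-job", {READ, EXECUTE})  # a process as a principal
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    for subject, perm in [("alice", WRITE), ("bob", READ), ("bob", WRITE),
                          ("carol", READ), ("carol", WRITE), ("batch-job", EXECUTE)]:
        verdict = "allow" if is_allowed(ledger, subject, perm) else "deny"
        print(f"{subject:10} {perm:8} -> {verdict}")
```

The point to notice is bob: his group grants him write access, but the explicit deny entry for him wins, while his read access through the group is untouched. An auditor reviewing such a register checks exactly these interactions, since a group grant can silently widen what an individual entry was meant to restrict.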
should ensure that all remotely processed data have been received completely and updated accurately.
  6) Implement controls to ensure the correctness and currency of replicated files at multiple locations, and that no data duplication arises. When replicated files exist at multiple locations, controls should ensure that all files used are correct and current and, when data are used to produce financial information, that no duplication arises.

REMOTE ACCESS SECURITY

INTRODUCTION
● Remote access connectivity to the organization’s information resources is required
● Various methods and procedures are available
● Same functionality: connect via the organization’s networks and the organization’s office
● Same network standards and protocols: Transmission Control Protocol/Internet Protocol (TCP/IP)-based systems and Systems Network Architecture (SNA) systems for mainframes
● Support for connections: asynchronous point-to-point connectivity, integrated services digital network (ISDN) dial-on-demand connectivity, and dedicated lines

COMMON CONNECTIVITY METHODS FOR REMOTE ACCESS
● TCP/IP Internet-based remote access: a cost-effective approach that uses public network infrastructure and connectivity, under which Internet service providers (ISPs) manage modems and dial-in servers, and DSL and cable modems reduce costs further for an organization.
● Virtual private network (VPN): used to communicate data packets securely over the Internet
● Available VPN technologies apply the Internet Engineering Task Force (IETF) IPSec standard.
● Advantages of VPNs:
  a) ubiquity,
  b) ease of use,
  c) inexpensive connectivity,
  d) read, inquiry or copy only access
● Disadvantages of VPNs:
  a) less reliable,
  b) no central authority,
  c) difficult to troubleshoot
● Use of VPNs can create holes in the security infrastructure
● The encrypted traffic can hide unauthorized actions or malicious software that can be transmitted through such channels.
● Preventive controls: intrusion detection systems (IDS) and virus scanners
● Good practice: terminate all VPNs at the same endpoint in a VPN concentrator and do not accept VPNs directed at other parts of the network.
● Less common method: use of dial-up lines (modem asynchronous point-to-point or integrated services digital network, ISDN) to access an organization’s network access server (NAS), which works in concert with the organization’s network firewall and router configuration.
● The NAS handles user authentication, access control and accounting, while maintaining connectivity.
● Most common protocols: Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS)
● Good security practice: terminate the call after recording the calling number
● Standard security practice: the NAS initiates a call back
● Remote access server (RAS): a server whose OS is set up to accept remote access; dial-up connectivity not based on centralized control; not recommended
● Advantages of dial-up connectivity are its low end-user costs (local phone calls) and that it is intuitive and easy to use (familiarity).
● Disadvantages are related to performance
● Dedicated network connections: use private network circuits; considered the safest; used by branch/regional offices
● Advantages and disadvantages of dedicated network connections:
  ○ Advantages of dedicated network connections include greater performance gains in data throughput and reliability, and data on a dedicated link belonging to the subscribing organization, where an intruder would have to compromise the telecommunications provider itself to access the data link.
  ○ A disadvantage is that the cost is typically two to five times higher than connections to the Internet.
● Remote access risks:
  1) Denial of service (DoS) - remote users may not be able to gain access to data or applications that are vital for them to carry out their day-to-day business
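Items 5 and 6 under "Ways to control remote and distributed sites" (the sending location transmits control information such as transaction control totals, the receiving location verifies the update of its files, and replicated data must not be posted twice) are worked through below. This is an added example, not code from the original notes; the record layout, the field names, the use of a record count plus a hash total plus a SHA-256 batch digest as the control information, and the sample sales batch are all assumptions made for the illustration.

```python
# Added example (not from the original notes): the sending location attaches control
# totals to a batch of remote-site transactions and the receiving location verifies them
# before updating its accounts receivable file. Record layout, field names and the use of
# SHA-256 as the batch digest are assumptions made for this illustration.
import hashlib
from decimal import Decimal


def make_control_record(batch: list) -> dict:
    """Sender side: record count, hash total of amounts, and a digest over the canonical records."""
    digest = hashlib.sha256()
    total = Decimal("0")
    for txn in batch:
        # Canonical form: every field in a fixed order, so both sides hash identical bytes.
        digest.update(f"{txn['id']}|{txn['account']}|{txn['amount']}\n".encode())
        total += Decimal(txn["amount"])
    return {"count": len(batch), "hash_total": str(total), "sha256": digest.hexdigest()}


def verify_batch(batch: list, control: dict) -> list:
    """Receiver side: returns a list of discrepancies; an empty list means the batch verifies."""
    problems = []
    recomputed = make_control_record(batch)
    if recomputed["count"] != control["count"]:
        problems.append(f"record count {recomputed['count']} != {control['count']}")
    if recomputed["hash_total"] != control["hash_total"]:
        problems.append(f"hash total {recomputed['hash_total']} != {control['hash_total']}")
    if recomputed["sha256"] != control["sha256"]:
        problems.append("batch digest mismatch")
    return problems


def apply_batch(ledger: dict, seen_ids: set, batch: list, control: dict) -> dict:
    """Update receivables only if the control totals match; never post a transaction id twice."""
    problems = verify_batch(batch, control)
    if problems:
        return {"applied": 0, "duplicates": 0, "rejected": problems}
    applied = duplicates = 0
    for txn in batch:
        if txn["id"] in seen_ids:       # re-sent or replicated batch: no double posting
            duplicates += 1
            continue
        seen_ids.add(txn["id"])
        ledger[txn["account"]] = ledger.get(txn["account"], Decimal("0")) + Decimal(txn["amount"])
        applied += 1
    return {"applied": applied, "duplicates": duplicates, "rejected": []}


# Constructed sample: sales at a branch that update receivables at head office.
SALES_BATCH = [
    {"id": "T1001", "account": "CUST-01", "amount": "120.50"},
    {"id": "T1002", "account": "CUST-02", "amount": "75.00"},
    {"id": "T1003", "account": "CUST-01", "amount": "19.99"},
]


def demo() -> tuple:
    """Run three scenarios: a clean batch, the same batch re-sent, and a batch altered in transit."""
    control = make_control_record(SALES_BATCH)
    ledger, seen = {}, set()
    first = apply_batch(ledger, seen, SALES_BATCH, control)
    resent = apply_batch(ledger, seen, SALES_BATCH, control)   # same batch transmitted twice
    tampered = [dict(t) for t in SALES_BATCH]
    tampered[1]["amount"] = "750.00"                          # one amount altered in transit
    bad = apply_batch(ledger, seen, tampered, control)
    return first, resent, bad, ledger


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The record count alone would not catch the altered amount; the hash total catches a changed value and the digest catches any change at all, which is why control information normally carries more than one total. Central monitoring, where practical, would compare the receiving location's posted totals against the sending location's control record for every batch.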
  2) Malicious third parties - these may gain access to critical applications or sensitive data by exploiting weaknesses in communications software and network protocols
  3) Misconfigured communications software - may result in unauthorized access to or modification of an organization’s information resources
  4) Misconfigured devices on the corporate computing infrastructure
  5) Incorrectly secured host systems - can be exploited by an intruder gaining access remotely
  6) Physical security issues over remote users’ computers
● Remote access controls:
  a) Policy and standards
  b) Proper authorizations
  c) Identification and authentication mechanisms
  d) Encryption tools and techniques
  e) System and network management

________________END________________

AUDIT LOGGING AND MONITORING SYSTEM ACCESS

INTRODUCTION
● Security features of access control software: automatically log and report all access attempts
● Audit trail: used to monitor activities of a suspicious nature
● Keystroke logging: for sensitive access privileges
● Issues: 1) What is logged? 2) Who has access to the logs? 3) How long are logs retained?

ACCESS RIGHTS TO SYSTEM LOGS
● Access rights to system logs should be controlled
● Who should have access to system logs? Managers and administrators - yes; personnel or staff - no
● Use of digital signatures, write-once devices and a security information and event management (SIEM) system
● Audit trail files/records should be protected: why? how?
● Audit trail for legal concerns
● Confidentiality of audit trail information may be protected by the use of strong access controls and encryption
● Media logging is used for accountability:
  ○ Logs with control numbers or other tracking data
  ○ Conduct periodic spot checks or audits
  ○ Use of automated media tracking systems

TOOLS FOR AUDIT TRAIL (LOGS) ANALYSIS
● Purpose of the tools developed: to reduce and delineate information
● Audit trail software: can create large files
● Use of automated tools: makes the difference
● Types of tools:
  a) Audit reduction tools:
    ○ Reduce the volume of the audit trail
    ○ Remove records of little significance
    ○ Remove records generated by specified classes of events
  b) Trend/variance-detection tools:
    ○ Look for anomalies
    ○ More sophisticated processors that monitor usage and detect variations can be constructed
  c) Attack-signature-detection tools:
    ○ Look for a sequence of events indicating or showing unauthorized access
  d) Security information and event management (SIEM) systems:
    ○ Capture audit trails and perform real-time analysis
    ○ Can be configured to perform automated tasks

COST CONSIDERATIONS
● Audit trails involve many costs
● System overhead is incurred
● Logging every event could cause the system to lock up or slow down
● Another cost consists of the human and machine time to perform the analysis; use of simple analyzers and complex tools
● Final cost of audit trails: the cost of investigating unexpected events
● Frequency of review of reports = sensitivity of the information
● IS auditor: ensure logs cannot be altered without an audit trail
● The IS auditor should look for:
  ○ Patterns indicating abuse of access privileges
  ○ Violations and/or use of incorrect passwords
● Actions when a violation is identified:
  1) Refer the problem to the security administrator
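The three tool types under "Tools for Audit Trail (Logs) Analysis" (audit reduction, trend/variance detection, attack-signature detection), run over a small constructed log so the reduction and the two detections can be seen side by side. This is an added example, not code from the original notes; the log line format, the per-user baselines, the "three failed logins followed by a success from the same user and host" signature, and the choice of successful service-account reads as the class of records to drop are assumptions made for the illustration.

```python
# Added example (not from the original notes): audit reduction, variance detection and
# attack-signature detection over a constructed audit trail. Log format, baselines,
# thresholds and the signature itself are assumptions made for this illustration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: timestamp, user, source host, event, [target], outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice ws-12 LOGIN success
2024-03-01T08:00:05 alice ws-12 READ payroll.dat success
2024-03-01T08:01:10 bob ws-07 LOGIN failure
2024-03-01T08:01:20 bob ws-07 LOGIN failure
2024-03-01T08:01:31 bob ws-07 LOGIN failure
2024-03-01T08:01:45 bob ws-07 LOGIN success
2024-03-01T08:02:00 bob ws-07 WRITE ledger.dat success
2024-03-01T08:02:10 svc-backup srv-01 READ ledger.dat success
2024-03-01T08:02:11 svc-backup srv-01 READ payroll.dat success
2024-03-01T08:05:00 carol ws-03 LOGIN success
2024-03-01T08:05:30 carol ws-03 DELETE ledger.dat failure
"""


def parse(log_text: str) -> list:
    """Turn the constructed text log into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        ts, user, host, event, *rest = line.split()
        outcome = rest[-1]
        target = rest[0] if len(rest) == 2 else None
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                        "event": event, "target": target, "outcome": outcome})
    return records


# a) Audit reduction: drop one specified class of low-significance records
#    (successful reads by service accounts) so analysts see less noise.
def reduce_trail(records: list) -> list:
    return [r for r in records
            if not (r["user"].startswith("svc-") and r["event"] == "READ"
                    and r["outcome"] == "success")]


# b) Variance detection: flag users whose activity exceeds a multiple of their baseline.
def detect_variance(records: list, baseline: dict, factor: float = 2.0) -> list:
    counts = Counter(r["user"] for r in records)
    return sorted(u for u, n in counts.items() if n > factor * baseline.get(u, 1))


# c) Attack-signature detection: N failed logins then a success from the same user
#    and host within a time window, a sequence that indicates password guessing.
def detect_signature(records: list, failures: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> list:
    hits, recent = [], defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "LOGIN":
            continue
        key = (r["user"], r["host"])
        recent[key] = [t for t in recent[key] if r["ts"] - t <= window]   # keep window only
        if r["outcome"] == "failure":
            recent[key].append(r["ts"])
        elif len(recent[key]) >= failures:
            hits.append({"user": r["user"], "host": r["host"],
                         "failed": len(recent[key]), "at": r["ts"].isoformat()})
            recent[key].clear()
    return hits


def analyse(log_text: str) -> dict:
    """Reduce first, then run both detectors over the reduced trail."""
    records = parse(log_text)
    reduced = reduce_trail(records)
    baseline = {"alice": 2, "bob": 2, "carol": 2}   # constructed daily averages per user
    return {"total": len(records), "reduced": len(reduced),
            "variance": detect_variance(reduced, baseline),
            "signatures": detect_signature(reduced)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Reduction runs first and the detectors run on what remains, which is the cost trade-off the notes describe: fewer records to process, at the price of never seeing the dropped class. The signature detector is the kind of "violations and/or use of incorrect passwords" pattern the IS auditor is expected to look for, and each hit is what would be referred to the security administrator.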