10. Access Controls
When we’re trying to control people’s access, we’ve already talked about how we want them to identify themselves, and then we want to authenticate them. Identification and authentication are related but not the same thing. We talked earlier about how identification can also be physical: you walk into a building or enter a restricted area, and somebody checks who you are. Authentication is when you prove your identity to a computer, a network, a server, or a system. Then, of course, we have the concept of authorization. Once I’ve proven who I am, am I authorized, usually by some kind of access control list, to get into this, this, or this, or to do certain things on the system or on the network? And we also talked about accountability. We’re going to have logs, we’re going to have auditing, and we want to see what people have been doing. And it’s not always, like I said, just because we’re looking for some kind of suspicious activity. We could also just want to see how busy something is, or whether something is actually working. Are people actually able to get into something? I can look at the log and show that half the people who tried to get into this folder couldn’t, and yet they have the right to. So we can use logging not only for security but also for troubleshooting and performance.
As an IS auditor, I need to know: What are you doing about identification? What are you using to prove authentication? What are you using for access control, and what are you using for logging and accountability? So let’s talk about different kinds of logical access controls.

Authentication system. I sit down at a computer. I put in a username and password, or, on Windows 8, I tap, sketch, or draw a picture password. That’s my alternative to having a password. Or I put in a PIN. Or I might have some other kind of mechanism; most operating systems support several. A smart card: I can use a smart card to prove my identity. What’s nice about this is that we call it two-factor authentication. With one-factor authentication, you just do one thing, like type your password. With two-factor authentication, you must have something, place it in a reader, and also enter a PIN. So you have to possess something and know something. A smart card plus a PIN is one example of two-factor authentication. We can also use biometrics to verify your identity based on a physical characteristic of yours. Another form of authentication is an RSA token.
You may have used or seen these. With the RSA token, you have to possess something, and you can see the number on it. This number is constantly changing, like every minute or two. Not only must you read the number and use it, but you must also put a PIN in front of it. So you have to know a number, and then you type in your PIN followed by the number on the token. So you have to possess this thing, this thing is constantly changing its number, and you have to know something as well. So an RSA token is a very, very common way to prove identity. Now, as an IS auditor, of course: how are the tokens and the smart cards being distributed? And what is the contingency in case someone loses or forgets their token or their smart card, or something happens to it? It breaks; it stops working. So we have to take a look at that. Is the company allowing people to say, “Oh, I forgot my token,” and just get waved in? Or are they still very stringently proving that person’s identity, even if they can’t use the normal two-factor authentication? So we need to be taking a look at that as well. So we know that we have authentication systems. We also know that we have antivirus systems. And we took a look at just one website where you can see the latest virus trends going on at that time. And there are ways of assigning something called role-based access control, or RBAC. With role-based access control, you’re generally in a role, and usually that means you’re part of a group. I’m in the sales group, so therefore I can get into the sales folder. I’m in the administrators group, so therefore I can log in with elevated privilege.
I’m in some other group, so I’m in this group or that group, and because of the role I’m in, which in practice means the group I belong to, I have this or that privilege in, say, a Windows environment. When I log on, I get an access token associated with my authentication and logon session, and the group IDs, the security IDs or SIDs, of any groups I belong to are also stored in that token. So if I try to get to a folder, do any of them match an entry in its access control list? If I’m trying to read something, maybe I belong to four groups plus my own account. That’s five SIDs that can be tried against whatever I’m accessing, and if any of them match an allow entry, and no deny entry gets in the way first, then I get in. So we had the idea of role-based assignment, and then, of course, we saw encryption. We can use public-key cryptography to digitally sign things. We can use hashing algorithms to prove the integrity of things. We can use encryption to make things confidential. It could be attachments or emails; it can be network packets; it can be files, folders, or whatever.
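As an added example, not code from this lecture, here is a small model of the access check just described: a logon token carrying the user’s SID plus group SIDs, checked against a folder’s discretionary access control list. It follows the order in which Windows walks a DACL (entries are processed in stored order, a matching deny fails the request, rights accumulate across allow entries), but it is a simplified stand-in for the Windows API, not the API itself: no inheritance, owner rights or generic-right mapping. The SIDs, groups and ACL entries are constructed for illustration.

```python
from dataclasses import dataclass

# Access rights as a bitmask, the way Windows access masks work.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    kind: str    # "deny" or "allow"
    sid: str     # principal (user or group SID) the entry applies to
    rights: int  # rights this entry denies or allows


def build_token(user_sid: str, group_sids) -> frozenset:
    """The logon token: the user's own SID plus every group SID they belong to."""
    return frozenset([user_sid, *group_sids])


def access_check(token: frozenset, dacl, requested: int) -> bool:
    """Walk the DACL in stored order. A deny ACE that matches any SID in the token
    and overlaps the still-outstanding rights fails the check. Allow ACEs accumulate
    granted rights until every requested right is covered. No match at all means no
    access (an empty DACL grants nothing)."""
    remaining = requested
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


# Constructed SIDs and DACL (illustrative; real SIDs are longer).
SALES, CONTRACTORS, ADMINS = "S-1-5-21-1000", "S-1-5-21-1001", "S-1-5-32-544"
SALES_FOLDER_DACL = (
    Ace("deny", CONTRACTORS, WRITE),            # canonical order: explicit denies first
    Ace("allow", SALES, READ),
    Ace("allow", SALES, WRITE),
    Ace("allow", ADMINS, READ | WRITE | EXECUTE),
)


def can(user_sid: str, groups, rights: int, dacl=SALES_FOLDER_DACL) -> bool:
    """Convenience wrapper: build the token for this user and run the check."""
    return access_check(build_token(user_sid, groups), dacl, rights)


if __name__ == "__main__":
    print(can("S-alice", [SALES], READ | WRITE))            # True: accumulated over two allow ACEs
    print(can("S-bob", [SALES, CONTRACTORS], WRITE))        # False: the deny ACE wins
    print(can("S-carol", [], READ))                         # False: nothing matches
```

Because the check simply walks entries in order, an allow entry stored ahead of a deny entry wins for a user who matches both. The Windows tools keep DACLs in canonical order (explicit denies first) for exactly that reason, and a DACL set programmatically in non-canonical order is one of the things to look for when you audit folder permissions.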
And then we have concepts like VPN, firewall, and router. Let’s take a look at these. A VPN: lots of people work from home. Lots of people are road warriors. They work on the road; they work in hotspots; they work in hotels; they work at coffee shops, and they do it over a VPN. Here’s the deal: if I’m at a Starbucks, a Coffee Bean, or some other coffee shop like that, I do not want to make an open, clear-text connection across the Internet to the network I’m connecting to. Because the Internet is a big public network, I want to encrypt all of my traffic. So a virtual private network is when you send traffic from your home, a conference center, a hotel, or wherever you are on the road, across what is typically the Internet or some other public network (it does not have to be), and have that traffic encrypted and, usually, authenticated and integrity-protected as well.
So if anyone intercepts it, it’s encrypted, and by the time they could break the encryption, it’s not worth it to them. It’s authenticated, so we know it comes from me. And then it is sent to some kind of VPN server that receives my connection, decrypts everything, and forwards my traffic further into the corporate network. So I can go to the email server, the database server, maybe see my own desktop and my workstation at work, whatever. So the idea of a VPN, a virtual private network that is not truly private but is encrypted and sent across a regular public network, is very, very common. There are many VPN tools, and all the operating systems have the capability of doing VPNs. You can buy third-party tools. This is extremely common.
And we can even use smart cards and RSA tokens to authenticate VPN connections. The other question was, “How about a firewall or a router?” With a firewall, we have a device that can be software-based but is usually a hardware appliance. It’s basically a gateway that is very restrictive in allowing traffic to go through it. So here we are on our private network, and out there is the Internet or some other network, and the firewall controls traffic and only allows certain kinds through. Now, how you configure the firewall is an art unto itself. Some folks allow all traffic to go out but only certain kinds of restricted traffic to come in. Some folks are very restrictive about what can go out as well. And that is something, as an IS auditor, you have to look at and say, “What’s your firewall policy? Can I see your firewall policy?” Well, according to your policy, you only allow certain protocols or certain kinds of outbound traffic, and then only certain kinds of replies or traffic coming in.
And we have to look at the configuration of the firewall to see if it actually does what they claim it does. Or maybe there is no written firewall policy, and we can just look at the firewall, look at its configuration, maybe run a few little tests, and say, “You know what, you’re allowing people to go to all these sites that you probably don’t want,” or “You’re allowing all kinds of traffic.” You must understand that a firewall is merely a front door. It’s not the be-all and end-all of network security. The first person who sets up a rogue wireless access point has just circumvented the firewall, because now that’s a radio signal going out, not traffic going through the firewall. The first person who sets up a dial-up connection, dialing over the phone line to another location, has just gone around the firewall. The first person who walks in and out with a flash drive has just gone around the firewall. So realise that there are lots of organisations that spend way too much effort and time setting up the firewall properly and never think about people walking in and out with flash drives or setting up wireless access points, dial-up modems, or unmanaged VPNs.
They do not properly configure their VPNs, and a VPN tunnel carries its traffic through the firewall in encrypted form, so whatever comes through the tunnel bypasses the firewall’s inspection as well. So the firewall is just one part of your overall examination of the network’s security. Another thing that you might want to look at is the configuration of the router. The router is simply a device that sits at the edge of the network and connects the internal network to the rest of the world, or connects the internal network, via some provider, across a T1 or dedicated line to some other branch office. So it’s your edge device, and really, a router is just a big freeway interchange with a big traffic cop sitting over it saying, “Okay, you go this way, you go that way.” It just looks at destination addresses: this one goes out there; that one goes that way.
That’s all a router is. But because it is the big interchange right there at the edge of your network, all kinds of undesirable traffic can come through it. You can set up routers with access lists to filter some of that traffic. An attacker can also compromise a router and have it forward a copy of all the traffic that goes through it to some undesirable secret site. So as an IS auditor, we’re going to want to look at router configurations as well. So these are the different kinds of logical access controls. The next thing we’ll talk about is some of the different software we can use for logical access control.
11. Identification and Authentication
We were taking a look at different ways of instituting some kind of logical access control: with routers, firewalls, VPNs, antivirus, and role-based security. Whatever method you use, whether it’s software- or hardware-based, the whole point is that it’s going to support the CIA triad: confidentiality, integrity, and availability. Now, some of them are for confidentiality, some are for integrity, but mostly they’re there to protect our data from unauthorised people,
to make sure it hasn’t been changed, and to make sure the people who do need it can get to it. Access control prevents unauthorised access to sensitive data and prevents unauthorised users from modifying or copying it. There is all kinds of software you can get for this, and operating systems and network devices have it built in. All kinds of software you can apply to enforce the CIA triad, from encryption software to intrusion detection software to access control software to whatever else. Whatever it does, whatever it is that you employ, it should somehow support the CIA triad, or at least some part of it. Usually this access control software is indeed applied at the operating system level and/or at the network level.
So we have identification and authentication. I prove my identity, and I prove it to a system: username and password, some kind of biometric, some kind of two-factor authentication like a card or a token. And the easiest one, of course, is usernames and passwords. However, that’s also the easiest to attack. There are loads of tools that will take a huge list of words and try each one against a website or a server until they go through the whole list to see if one of them is the password. And if that fails, they’ll try combinations, a brute-force attack, until they figure it out. So one-factor username-and-password authentication is not very strong. We can, of course, also have tokens or biometrics, or we can have a multifactor system where you need two things: something you have, and something you know, like the PIN. And there’s also this concept called single sign-on. Single sign-on is a method of making things easier for users.
But you as an auditor need to be aware of this, because whenever you make something more convenient for people, you’re usually taking away from security or else putting in a whole lot more effort to maintain security. Single sign-on basically means that I log on once and am logged in no matter where I go in the network. Now in the background, what’s really happening is that my computer is constantly presenting my credential on my behalf, but I, as the user, don’t have to be bothered by it. That’s the idea of single sign-on. And the reason why we have single sign-on is because you can have whole different kinds of systems that have no one central authentication mechanism but instead have ways to tie them together. So I log on to a Microsoft domain, and through federation services
I only had to log on once here, and I can still get over there and get into a whole other system that’s not even Microsoft, because we have this extensibility, this single sign-on. Realize that when you’re tying these systems together in the name of convenience, there are all kinds of opportunities for it to break, not work, or have security vulnerabilities. So, when we look at the authentication system as auditors, we need to know what systems people have to log on to and how they do it. Because the mechanism itself might be safe, but the problem could be that people are writing the password down, or they keep forgetting it, or they keep losing something, or they’ve shared their PIN or their password with other people. So we need to know all the possibilities. Once I know what I’m looking at and all the systems people have to log on to, I can start thinking, “Okay, where could this break down? Where could people circumvent it?” So with the authorization process, I’ve proven my identity, and now I try to go and get into something.
I try to access a database, I try to open email, I try to get to my mailbox, I try to open a file or a folder, I try to print something, I try to get to a server or a service. With authorization, we’re determining who has the right, once they’ve proven themselves, to get into something. We can use access rules, and we can also use a concept called least privilege. Now an access rule is simply an entry in a list of rules, and that rule is checked to see whether my token, my authentication, has access based on what I’m trying to do. Usually we want to apply least privilege. Don’t make everyone a domain administrator; don’t give everyone root privilege. Instead, you give them only enough privileges on the access control list to do their job, no more. That’s generally the philosophy behind security: the principle of least privilege. Now there are different models of access control.
There are mandatory, discretionary, role-based, and rule-based. Mandatory access control exists on certain Unix systems and in systems used by the military. Essentially, policy is controlled from one central location by one central administrator, and you have to have a certain clearance level. You, the subject, have a clearance level that determines whether you can get to that object over there, and nobody else can change it; the owner of the object has no ability to change it. Depending on your clearance level, you can do different things. That’s mandatory. There’s no discretion involved at all. Discretionary access control, which is what Microsoft, Linux, and most operating systems use by default, is where the owner of a resource or an administrator can, at their discretion, change the level of access.
So as an administrator, I can go to a file or folder, go to the security tab, and say that this group can read, that group can write, and I can change it as I please. In the corporate environment, that’s usually what we see: discretionary access control. Role-based is based on what I do. And the way it’s usually implemented is that I belong to a group, and the group is granted permissions, so the administrator has to put me in that group. And so when I log on, here are the groups I belong to, their IDs, and me. If any of them match what I’m trying to do, then okay, I get in. Rule-based is usually used by things like routers and firewalls on network devices. They have no idea who the users are. All they know is that traffic is coming in and there’s a list of rules. If a packet uses a certain protocol, it can pass. If it does not use that protocol, it’s dropped and not forwarded. If it has certain keywords, attachments, executables, or other things in the traffic, they’re either allowed or not allowed. It makes no difference who the traffic came from.
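As an added example of the mandatory model just contrasted with the discretionary one (my code, not the lecture’s), here is a Bell-LaPadula style check: a subject’s clearance and an object’s label are compared on a fixed ordering of levels, reads are allowed only when the clearance dominates the label (no read up), writes only when the label dominates the clearance (no write down), and only the central security officer, never the object’s owner, can change a label. Beside it is the same object under DAC, where the owner edits the access list at will. The levels, users and labels are constructed for illustration; real MAC systems add compartments and finer rules on top of this.

```python
LEVELS = ("unclassified", "confidential", "secret", "top_secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """Level a dominates level b when it is at least as high in the ordering."""
    return RANK[a] >= RANK[b]


def mac_check(clearance: str, label: str, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and *-property (no write down)."""
    if op == "read":
        return dominates(clearance, label)
    if op == "write":
        return dominates(label, clearance)
    raise ValueError(f"unknown operation {op!r}")


class LabeledObject:
    """An object under MAC: its label is set centrally and is not the owner's to change."""

    def __init__(self, name: str, label: str, owner: str, security_officer: str = "so"):
        self.name, self.label, self.owner = name, label, owner
        self._officer = security_officer

    def relabel(self, requester: str, new_label: str) -> None:
        if requester != self._officer:
            raise PermissionError(f"{requester} may not relabel {self.name}: not the security officer")
        self.label = new_label


class DacObject:
    """The same object under DAC: the owner grants access at their discretion."""

    def __init__(self, name: str, owner: str):
        self.name, self.owner, self.acl = name, owner, {owner}

    def grant(self, requester: str, subject: str) -> None:
        if requester != self.owner:
            raise PermissionError(f"{requester} is not the owner of {self.name}")
        self.acl.add(subject)

    def can_read(self, subject: str) -> bool:
        return subject in self.acl


def try_relabel(obj: LabeledObject, requester: str, new_label: str) -> bool:
    """Report whether a relabel was permitted instead of raising."""
    try:
        obj.relabel(requester, new_label)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed scenario: alice holds a secret clearance.
    print(mac_check("secret", "confidential", "read"))   # True: read down is fine
    print(mac_check("secret", "top_secret", "read"))     # False: no read up
    print(mac_check("secret", "confidential", "write"))  # False: no write down
    plan = LabeledObject("plan.doc", "secret", owner="alice")
    print(try_relabel(plan, "alice", "unclassified"))    # False: owner cannot declassify
    print(try_relabel(plan, "so", "top_secret"))         # True: security officer can
```

The “no write down” rule is the one that surprises people: under MAC, a secret-cleared user is not allowed to write into a confidential file, because that is how classified content would leak to lower-cleared readers. Under DAC nothing stops the owner from granting anyone access, which is why the auditor has to read the access lists themselves rather than trust a label.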
Now, you can, of course, set rules saying yes or no if it comes from these IP addresses or these particular networks. However, in a rule-based architecture, these are usually network devices that don’t care who created the traffic. They might care about the IP address or the protocol, but they’re usually looking to see if the traffic matches certain network rules (protocol, IP address, port number), so that’s rule-based. So your access control can include any of these. In a corporate environment, you’re not likely to see mandatory access control, but you will see it in the military. On routers and firewalls you can expect to see rule-based control; on servers and workstations you will see discretionary and role-based control. So with logical access control administration, we can have it centralised, where it is controlled by one system, like, say, Active Directory.
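The rule-based matching described here, and the earlier point about comparing the firewall’s configuration against the written firewall policy, can both be shown with one small evaluator. This is an added example, not code from the lecture or from any firewall product: rules are matched first-hit in order with a default deny, the way most packet filters behave, and an audit function replays packets that the policy says should be allowed or blocked and reports every mismatch. The address ranges, rules and policy statements are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in", "out" or "any"
    proto: str      # "tcp", "udp" or "any"
    src: str        # CIDR
    dst: str        # CIDR
    dports: tuple   # () matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


def evaluate(rules, p: Packet):
    """First matching rule wins; if nothing matches, the packet is dropped (default deny).
    Returns (action, index of the deciding rule, or None when the default applied)."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", None


def audit(rules, policy):
    """Replay each policy statement against the rule set and return the mismatches
    as (description, expected action, actual action, deciding rule index)."""
    findings = []
    for desc, pkt, expected in policy:
        actual, idx = evaluate(rules, pkt)
        if actual != expected:
            findings.append((desc, expected, actual, idx))
    return findings


# Constructed rule set for a LAN on 10.0.0.0/8 with one public web server.
ANY = "0.0.0.0/0"
RULES = (
    Rule("allow", "out", "tcp", "10.0.0.0/8", ANY, (80, 443)),         # web browsing
    Rule("allow", "out", "udp", "10.0.0.0/8", "10.0.0.53/32", (53,)),   # internal DNS
    Rule("allow", "in", "tcp", ANY, "10.0.1.10/32", (443,)),            # public HTTPS server
    Rule("allow", "out", "any", "10.0.0.0/8", ANY, ()),                 # leftover "temporary" rule
    Rule("deny", "any", "any", ANY, ANY, ()),                           # explicit cleanup rule
)

# What the written firewall policy says should happen (constructed).
POLICY = (
    ("outbound HTTPS from workstations is allowed",
     Packet("out", "tcp", "10.0.5.20", "203.0.113.7", 443), "allow"),
    ("inbound HTTPS to the web server is allowed",
     Packet("in", "tcp", "198.51.100.9", "10.0.1.10", 443), "allow"),
    ("inbound RDP to workstations is blocked",
     Packet("in", "tcp", "198.51.100.9", "10.0.5.20", 3389), "deny"),
    ("outbound telnet is blocked",
     Packet("out", "tcp", "10.0.5.20", "203.0.113.7", 23), "deny"),
)


def run_audit():
    """Return the policy statements the rule set violates."""
    return audit(RULES, POLICY)


if __name__ == "__main__":
    for desc, expected, actual, idx in run_audit():
        print(f"FINDING: {desc}: policy says {expected}, firewall says {actual} (rule #{idx})")
```

Run against these constructed rules, the audit reports one finding: outbound telnet reaches the broad “temporary” rule before the cleanup rule, so the firewall allows what the policy says it blocks. In a real engagement you would load the exported rule set instead of a hand-written tuple and write the policy statements from the document the organisation hands you; the mechanics of the check are the same.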
We’ve got an Active Directory domain controller, and it sends policies out from a central location. We can also have it decentralized. So, for example, I can go to each workstation and set some additional role-based security and some additional discretionary security locally. We must be aware of all the ways security is implemented, because maybe they’ve got an Active Directory domain, maybe they have Group Policy in Active Directory, and the policy is centrally stored and configured and all machines are aware of it. But then somebody logs on locally as the local administrator and totally circumvents all that. So you have to be aware of all the possibilities. When you’re an auditor: how are people perhaps getting around the access control that’s been set? One of the biggest things people have to worry about is security for people coming in from the outside. I’m working from home or from a hotel. I’m working from some job site, some conference center, or some coffee shop.
So I’m connecting remotely, and this is a big one when we’re auditing: what about people who are working from a remote location, telecommuting? What are the risks of remote access? Well, if I’m working from home, maybe my kids are playing games on my laptop and they’ve infected it, and now when I make a connection, my laptop is infecting the network. Maybe I’m gaining unauthorised access. Maybe I’m using the wrong kind of software, unauthorised software or unauthorised protocols, or maybe my software is not configured properly, or there are physical security issues. You know, I leave my laptop for just a moment and someone else gets on it, or it gets stolen, or something like that. Or it’s possible that, since we’re allowing remote access, we have compromised machines that act as a denial of service once they connect. So there are all kinds of risks to remote access. Again, you have to configure your VPN server and your firewall to control that.
And most operating systems allow you to configure network access protection, which is essentially a whole infrastructure of servers that require clients who connect to prove their health: that they have antivirus, patches, and a firewall enabled and configured a certain way, before they’re allowed to make a connection, before they’re allowed to connect to the wireless network, or before they’re allowed to plug into a switch and get past the switch onto the main network. There are whole disciplines and whole topics on remote access control, and there are actually whole classes that include remote access control as part of the subject. As auditors, we have to ask about that: what controls are in place for all the remote access? We talked before about monitoring system access.
Okay? Who has the right to actually sit at this machine? Because you can set up auditing on most machines to see who’s been sitting there; you can look at the log and see who’s been accessing it or even sitting there and getting a desktop. So we’ll want to look at that as well, especially for the servers, the routers, and the infrastructure devices. So when we’re trying to design, implement, and monitor access controls, and we’re evaluating all that, the first thing is that you need to understand all the risks involved. You must also examine the documentation, job functions, and risk assessments as a whole. You need to gain familiarity with the environment, and that’s going to take a little bit of time. You need to review all of their documentation and their policies, and observe the way they’re doing things and their procedures.
We need to see if authentication is working right, if antivirus is working right, and if access control is working right. Are they using proper encryption? Are the firewalls configured correctly? If they’re using any kind of access control software, which they probably are, with NTFS and share permissions and print permissions, is that operating properly? What kinds of rights management are they using, and have they configured them right? And we also need to verify that if they’re allowing remote access, they’ve done so securely, and we need to evaluate that. All of this takes some time. It takes reviewing everything, and it will often include penetration testing as well. So with that, that is the end of this topic. Let’s now talk about physical access control.
12. Physical Access Exposure
Now for the physical. And this is where a lot of just looking around and common sense can come in handy. Look at all of the physical grounds when you’re auditing. Look for opportunities for unauthorised entrance: side doors being propped open, or maybe a common restroom in a building where I can climb up into the ceiling and then come down into a secured area. Look for all the possibilities. Or perhaps a window that could be easily broken in order to gain entry. I mean, we’ve certainly had that, where we come in one morning and a window is broken, and now we’re looking for stuff that’s missing. But it’s not just access to your systems. It could also be people looking for ways to damage things, or looking at damage that happens: vandalism or theft. So do we have the cameras? Do we have the lighting? Do we have a high enough fence? Do we have a guard presence?
Or are we just in a place where that kind of activity is discouraged? And also, what kind of physical access do folks have to any sensitive data? I mean, I’ve walked into places where a server was sitting underneath a receptionist’s desk. In fact, I’ve been at a place where five servers were under a receptionist’s desk, and it was like, “What are you doing?” So lots of folks do that, maybe because they don’t have a dedicated server room in a smaller environment, or because a particular department or remote office doesn’t have one. Or maybe there’s no environmental control in the server room. It’s getting too hot, so they moved the servers out. You’ve got to watch out for that kind of thing. I’ve gone into a brand new building where, yes, this was designated to be the server room, but they didn’t account for just how much heat was being generated. And so they had to move the servers out because the room was so hot and there wasn’t enough AC there.
So it’s not just access to servers, data, and sensitive information, but also what kinds of threats your users face. You can even think a little farther. You can think, “Can people get access to things where they can embezzle, or find out sensitive stuff that lets them blackmail people?” So you’re going to be looking for all kinds of opportunities there. When we mention physical access, we can imagine using a card to gain entry. Actually, in this case, we have two things. The card is usually just swiped, and the door unlocks. But we can also see that there’s a keypad there where we can punch in a code to get in as well. And when people have this kind of entry control, make sure that people aren’t piggybacking behind the person who swiped,
with five people entering after one person swipes their card. So when you’re looking at physical access control, look for all the very typical things. Are the doors locked? Are they closed? Is there any way to get around the doors, climbing through the ceiling, through the floor, or something along those lines? Are we logging people’s comings and goings? Visitors? Do visitors have to be escorted and wear badges? What kind of identification systems do we have? Do we have cameras to extend the guards’ presence? And do we have guards? Do we need guards? And then what kinds of personnel do we have? For instance, if we have companies come in to destroy documents, carry our backup tapes, or store our documents offsite in another location, are they bonded? And then do we have mantraps and deadman doors? The idea there is that you enter one door and are held in a small area, and only when the first door closes does the second door open. I actually have a humorous story about that.
This one, actually. I’m not going to name the organization, but a high-ranking official wanted to bring in his favourite chair and did so at night when no one was around. However, the chair was large and heavy enough that the mantrap mistook it for two people, and this guy was locked in there with his chair until someone came along hours later. So there’s the concept of the mantrap, the deadman door, and then what physical barriers, lighting, and alarm systems do we have? So be looking for all of these kinds of physical access controls. Users also need to understand their own responsibilities. And this is part of the due care and diligence required: train users so that they understand their responsibilities. It’s not enough to just say, “Hey, security is your responsibility.” You’ve got to train them in what to look for. And it’s not enough just to say, “Report suspicious activity.” They may know obvious things like someone breaking in, but they may not recognise something that’s a little more subtle. So you need to make sure users understand their responsibilities in terms of more than just physical access,
making sure 20 of us don’t come in on one person’s badge, but also system access and device access, because people are very often fooled into thinking that somebody who’s acting official, wearing a logo T-shirt, acting like they know what they’re doing, is an official person, and they might not be. So you’ve got to make sure users know this. And as an IS auditor, I will randomly sample people and ask, “If you see this kind of situation, what do you do?” So for securing information systems facilities, there are all kinds of locations that you need to physically secure: not only the server room, but also the area where developers are programming, where operators are running systems like mainframes, storage facilities, offsite backup locations, disposal sites, and any kind of communications closet. I mean, like I’ve said before, I came in one time, and the telco room was propped open on a Sunday by a ladder, and no one was around. And, of course, all the hardware, the local area network, all the power sources, and the cables. So look for all of these places where there could be a vulnerability or where someone could sneak in or sneak out some kind of equipment. I was at this one place: yeah, they had a guard at the front door and nobody at the back door.
Anybody could go out the back door just by pushing it open, and there was nobody there. So you have to be thinking of all possible entry and exit points and all places where any of the IS equipment might be, including the infrastructure for monitoring physical access. We can have intrusion detection, we can have surveillance, and we can have entry security systems that log people in: when they type in a code, it logs that code and the time. You’ll probably want to be looking at those logs when you are auditing physical security. So when we are evaluating the design, implementation, and monitoring of physical access controls, some of the things we need to do are: tour the whole facility and see where everything is. Where are the printers, where are the doors, where are the servers, where is the telecom equipment, and where are the telco closets down in the basement? Where is the stuff that is in and out of your control? We need to tour all the off-site locations. Where do you store things?
Where are the branch offices? We need to look at all these things. Now, of course, it does depend on the scope that was determined by the charter, but within that scope, you need to tour everything and take a look at everything. We need to review all the physical access and ask people, “Is this door open all the time, or how are people getting in?” We need to test these controls. Let’s actually test them. I went to a place where you had to press a certain key code, but if you pushed hard enough, the doors just popped open because of the way they were mounted. So there was this keypad here, but I could just push the door open. So, I mean, you have to test these things. You’ll have to look at all their documentation and all their logs, and review the whole physical environment surrounding it. Yeah, your dumpsters are out there. But did you guys know that you’re throwing out sensitive documents that aren’t shredded? Or the door to the loading dock is wide open, and by the way, people are sitting with their backs to a window, and walking by, with a pair of binoculars, I can look straight at their computer screens. So you want to look at all of these possible things when you’re evaluating physical security. The next thing we’ll talk about is environmental security.