Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.



Auditing Logical Access in a Network Environment In this presentation we will discuss: The fundamental concepts of Logical Access Control and protection of data Special considerations for auditing Logical Access in a distributed environment

Auditing Logical Access in a Network Environment The fundamental concepts of Logical Access Control and protection of data…

The Fundamental Concepts of Logical Access –Confidentiality, Integrity and Availability –Policies and Procedures –Technical Architecture

Confidentiality Confidentiality refers to limiting information access and disclosure to authorized users who have a business need for accessing specific data, and preventing access by or disclosure to unauthorized ones. Confidentiality is related to the broader concept of data privacy -- limiting access to individuals' personal information. Federal statutes such as FERPA and HIPAA set the legal terms of privacy.

Integrity Integrity refers to the trustworthiness of information resources. It includes the concept of "data integrity" -- namely, that data has not been changed inappropriately, whether by accident or deliberately. It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or entity you think it did, rather than an imposter.

Availability Availability may be affected by purely technical issues (e.g., a malfunctioning network device or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).

Information Owners Information Owners are the individuals accountable for the data and the tools that use it. Information Owners are responsible for determining who should have access to protected resources within their jurisdiction based on users’ job responsibilities, and what those access privileges should be (read, update, etc.).

Information Owners Information Owners should be identified for all entity information assets and assigned responsibility for the maintenance of appropriate security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc.

Data Classification Information, like other assets, must be properly managed from its creation, through authorized use, to proper disposal. As with other assets, not all information has the same use or value, and therefore information requires different levels of protection. All information should be classified and managed based on its confidentiality, integrity and availability characteristics.

Data Classification Information must be classified and protected based on its importance to business activities, risks, and security best practices. The Information Owner will classify and secure information within their jurisdiction based on the information’s value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.

Access Control Owners should make all decisions regarding controls, access privileges of users, and daily decisions regarding information management.

Logical Access Control Computer-based access controls are called Logical Access Controls. Logical Access Controls provide a technical means of controlling what information persons can use, the programs they can run, and the modifications they can make.

Policies and Procedures Policies are the building blocks of network Logical Access Controls because they describe and document what level and type of protection is appropriate for individual data resources and who needs access to those resources.

User Account Lifecycle Once resource owners have classified data according to its need for protective controls, entities should develop procedures to identify all functions of user management. This should include the generation, modification, and deletion of user accounts for access to the data.

Password Management Procedures and standards for managing passwords should be implemented to ensure all authorized individuals accessing entity resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.
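The two slides above describe what an auditor should expect to find (a managed account lifecycle and automated password rules); the following script is an added example, not material from the presentation, of how an auditor can test an exported user list against those expectations. It assumes the export has the column layout produced by a command such as `Get-ADUser -Filter * -Properties PasswordLastSet,LastLogonDate,PasswordNeverExpires | Export-Csv`, and the sample rows, review date and 90-day thresholds are constructed for the example; an entity's own standard should replace them.

```python
"""Review an exported user list against account-lifecycle and password rules.

Added example (not from the presentation). The CSV below is constructed to
look like an Active Directory user export; no real accounts are involved.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (hypothetical users).
SAMPLE_EXPORT = """SamAccountName,Enabled,PasswordNeverExpires,PasswordLastSet,LastLogonDate
jsmith,True,False,2015-01-10,2015-03-01
hrsvc,True,True,2012-06-01,2015-03-02
tjones,True,False,2014-09-15,2014-10-01
temp01,True,False,,
oldacct,False,False,2013-02-02,2013-05-05
"""

AS_OF = datetime(2015, 3, 3)            # fixed review date so results are reproducible
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy value; substitute the entity's standard
STALE_AFTER = timedelta(days=90)        # assumed: enabled account with no logon in 90 days is stale


def _parse_date(text):
    """Empty export fields mean the attribute was never set."""
    return datetime.strptime(text, "%Y-%m-%d") if text else None


def review_accounts(export_text, as_of=AS_OF):
    """Return {account: [issues]} for enabled accounts that violate the rules.

    Disabled accounts are skipped: they are the lifecycle working as intended,
    and a separate test would check that they are removed after a retention period.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Enabled"] != "True":
            continue
        issues = []
        password_set = _parse_date(row["PasswordLastSet"])
        last_logon = _parse_date(row["LastLogonDate"])

        # Password rules "mandated by automated system controls" cannot work on
        # accounts that were exempted from expiry.
        if row["PasswordNeverExpires"] == "True":
            issues.append("password never expires")

        if password_set is None:
            issues.append("no password-set date")
        elif as_of - password_set > MAX_PASSWORD_AGE:
            issues.append("password older than policy")

        # Lifecycle check: accounts that were generated but never used, or
        # whose holder has apparently left, should have been modified or deleted.
        if last_logon is None:
            issues.append("never logged on")
        elif as_of - last_logon > STALE_AFTER:
            issues.append("stale: no logon within window")

        if issues:
            findings[row["SamAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_accounts(SAMPLE_EXPORT).items():
        print(f"{account}: {', '.join(issues)}")
```

Each finding should then be traced back to the procedure that ought to have caught it (who approved the exemption, who was supposed to remove the unused account), since the auditor's question is whether the documented lifecycle is actually being followed, not merely whether the directory is untidy.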

Network Access Control An Organization needs to develop and implement procedures to protect its trusted internal network. Network controls should be developed and implemented to ensure that an authorized user can access only those network resources and services to perform their assigned job responsibilities.

Technical Architecture

New York State agencies: –Most use a client server model –90% of the organizations audited utilize Microsoft Active Directory

Active Directory The main purpose of Active Directory is to provide central authentication and authorization services for Windows based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an entire organization.

Active Directory Active Directory allows for: –Policy-based administration using Group Policies –Scalability (domain → tree → forest) –Replication of information (load balancing etc.) –Security administration (authentication, DACLs) –Interoperability

Active Directory Objects (and classes in the schema) Object Publishing Domains (trees, forests, trust, OUs) Delegation and Group Policy concepts

Active Directory Objects are the entities that make up a network. An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. When an Active Directory object is created, it generates values for some of the object's attributes.

Active Directory Each attribute object can be used in several different schema class objects. These schema objects exist to allow the schema to be extended or modified when necessary.

Active Directory The schema keeps track of: –Classes –Class attributes –Class relationships such as subclasses (Child classes that inherit attributes from the super class) and super classes (Parent classes). –Object relationships such as what objects are contained by other objects or what objects contain other objects.

Active Directory Domains: –The framework that holds the objects is viewed at a number of levels. At the top of the structure is the Forest - the collection of every object, its attributes and rules (attribute syntax) in the AD.

Active Directory Domains: –The forest holds one or more transitive, trust-linked Trees. A tree holds one or more domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace. A domain has a single DNS name.

Active Directory Organizational Units: –The objects held within a domain can be grouped into containers called Organizational Units (OUs). –Give a domain a hierarchy –Ease its administration

Active Directory Organizational Units: –The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites.

Active Directory Organizational Units: –The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.
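Because GPOs can be linked at the site, the domain and any level of the OU hierarchy, an auditor reviewing a policy setting has to know which link actually wins for a given object. The following is an added example, not code from the presentation, that models Active Directory's processing order (Site, then Domain, then OUs from parent to child, later links overriding earlier ones) together with the Block Inheritance and Enforced link options; the local computer policy, which is applied before the site, is left out. The site, domain, OU names, GPO names and settings are constructed for the example.

```python
"""Resolve which GPOs apply to an object, and in what order.

Added example (not from the presentation). Models the Site -> Domain -> OU
processing order with Block Inheritance and Enforced links. All names and
settings below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict             # setting name -> value
    enforced: bool = False     # an Enforced link cannot be blocked and wins over lower levels


@dataclass
class Container:
    name: str                  # site, domain or OU
    gpos: list = field(default_factory=list)   # links in application order (last one wins)
    block_inheritance: bool = False            # meaningful on a domain or OU only


def gpo_order(site, chain):
    """chain = [domain, parent OU, ..., OU holding the object].

    Returns the GPOs in the order they are applied; a later GPO overrides an
    earlier one on any setting both define.
    """
    normal, enforced_by_level = [], []
    for level in [site, *chain]:
        if level.block_inheritance:
            normal = []        # Block Inheritance drops non-enforced links from above
        normal.extend(g for g in level.gpos if not g.enforced)
        enforced_by_level.append([g for g in level.gpos if g.enforced])
    order = list(normal)
    # Enforced links are applied after everything else, lowest level first, so an
    # enforced link at the domain takes precedence over an enforced link on a child OU.
    for group in reversed(enforced_by_level):
        order.extend(group)
    return order


def effective_settings(site, chain):
    """Return {setting: (value, name of the GPO that supplied it)}."""
    result = {}
    for gpo in gpo_order(site, chain):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)   # last writer wins
    return result


# Constructed directory: one site, one domain, Finance OU with a Payroll child OU.
SITE = Container("Albany-Site", [GPO("Site-Proxy", {"proxy": "site-proxy"})])
DOMAIN = Container("example.gov", [
    GPO("Domain-Baseline", {"screen_lock_minutes": 15, "removable_storage": "deny"}, enforced=True),
])
FINANCE_OU = Container("OU=Finance", [
    GPO("Finance-Apps", {"screen_lock_minutes": 30, "finance_app": "installed"}),
])
PAYROLL_OU = Container("OU=Payroll", [
    GPO("Payroll-Local", {"removable_storage": "allow", "proxy": "none"}),
], block_inheritance=True)


if __name__ == "__main__":
    for label, chain in (("Finance user", [DOMAIN, FINANCE_OU]),
                         ("Payroll user", [DOMAIN, FINANCE_OU, PAYROLL_OU])):
        print(label, "->", [g.name for g in gpo_order(SITE, chain)])
        for key, (value, source) in sorted(effective_settings(SITE, chain).items()):
            print(f"  {key} = {value!r}  (from {source})")
```

The Payroll OU illustrates the point an auditor cares about: its Block Inheritance flag removes the site proxy setting and the Finance application policy, but the domain baseline still wins on removable storage because that link is Enforced. A local administrator who has been delegated control of an OU can change what applies below it only within the limits the domain's enforced links set.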

Active Directory Business Example: –A typical structure of an organization –Human Resources –Payroll –Finance

Active Directory Business Example: –As an employee assigned to Human Resources, my access should be limited to HR applications and folders –Likewise, HR data should not be accessible to other business units

Special considerations for auditing logical access in a distributed environment Auditors should: –Review the organization’s policies & procedures –Compare them to known and accepted industry standards –Test whether users’ data access is tied to their job responsibilities –Attempt predetermined “hacks” to test for network vulnerabilities that allow for inappropriate data access
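The business example (HR staff limited to HR resources, HR data closed to other units) and the auditor's test that access is tied to job responsibility are the same check seen from two sides: compare what the Information Owners authorized for each business unit against the group memberships the directory actually grants. The script below is an added example, not material from the presentation; the authorization matrix, staff roster and membership export are constructed, and in practice they would come from the owners' documented access decisions, the HR roster and a directory export respectively.

```python
"""Test whether users' group membership matches their job responsibilities.

Added example (not from the presentation). All units, users and groups are
constructed; the structure mirrors the HR / Payroll / Finance example.
"""

# Information Owners' authorization matrix: unit -> groups its staff may hold.
AUTHORIZED = {
    "Human Resources": {"HR-Apps", "HR-Files", "All-Staff"},
    "Payroll": {"Payroll-Apps", "Payroll-Files", "All-Staff"},
    "Finance": {"Finance-Apps", "Finance-Files", "All-Staff"},
}

# Staff roster (constructed): user -> business unit.
USERS = {
    "alice": "Human Resources",
    "bob": "Payroll",
    "carol": "Finance",
    "dave": "Finance",
}

# Directory export (constructed): user -> groups actually held.
MEMBERSHIPS = {
    "alice": {"HR-Apps", "HR-Files", "All-Staff"},
    "bob": {"Payroll-Apps", "HR-Files", "All-Staff"},      # Payroll user can read HR data
    "carol": {"Finance-Apps", "Domain Admins", "All-Staff"},  # privilege nobody authorized
    "erin": {"Finance-Files"},                             # account with no roster entry
}


def check_access_against_roles(users, memberships, authorized):
    """Return {user: {"reason": ..., "groups": [...]}} for every exception.

    A user is an exception when they hold a group their unit was not authorized
    for, or when they are not on the roster at all (an orphaned account).
    """
    exceptions = {}
    for user, groups in memberships.items():
        unit = users.get(user)
        if unit is None:
            exceptions[user] = {"reason": "not on roster", "groups": sorted(groups)}
            continue
        extra = groups - authorized[unit]
        if extra:
            exceptions[user] = {"reason": f"groups outside {unit} authorization",
                                "groups": sorted(extra)}
    return exceptions


def cross_unit_exposure(users, memberships, authorized):
    """Owner's view: {group: [users outside the owning unit]}.

    Only groups authorized for exactly one unit are treated as that unit's
    data; shared groups such as All-Staff are skipped.
    """
    owners = {}
    for unit, groups in authorized.items():
        for group in groups:
            owners.setdefault(group, set()).add(unit)
    exposure = {}
    for user, groups in memberships.items():
        for group in groups:
            units = owners.get(group, set())
            if len(units) == 1 and users.get(user) not in units:
                exposure.setdefault(group, []).append(user)
    return {group: sorted(members) for group, members in exposure.items()}


if __name__ == "__main__":
    for user, detail in check_access_against_roles(USERS, MEMBERSHIPS, AUTHORIZED).items():
        print(f"{user}: {detail['reason']}: {detail['groups']}")
    for group, members in cross_unit_exposure(USERS, MEMBERSHIPS, AUTHORIZED).items():
        print(f"{group} reachable from outside its unit by {members}")
```

The first function answers the auditor's question per user (is this access tied to the job?), the second answers the Information Owner's question per resource (who outside my unit can reach my data?); both should come out empty if the owners' decisions and the directory agree. Group membership is only part of the picture, since a user can also be granted rights directly on a share or folder, so the same comparison belongs on the DACLs of the sensitive resources themselves.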

Special considerations for auditing logical access in a distributed environment Demonstration

Links of Interest

Questions