Page 1

Auditing Logical Access in a Network Environment

Presented By, Eric Booker and Mark Ren

New York State Comptroller’s Office

Network Security Unit

Page 2

Auditing Logical Access in a Network Environment

In this presentation we will discuss:

• The fundamental concepts of Logical Access Control and protection of data

• Special considerations for auditing Logical Access in a distributed environment

Page 3

Auditing Logical Access in a Network Environment

The fundamental concepts of Logical Access Control and protection of data…

Page 4

The Fundamental Concepts of Logical Access

• Confidentiality, Integrity and Availability

• Policies and Procedures

• Technical Architecture

Page 5

Confidentiality

• Confidentiality refers to limiting information access and disclosure to authorized users who have a business need for accessing specific data and preventing access by or disclosure to unauthorized ones.

• Confidentiality is related to the broader concept of data privacy: limiting access to individuals' personal information. Federal statutes such as FERPA and HIPAA set the legal terms of privacy.

Page 6

Integrity

• Integrity refers to the trustworthiness of information resources.

• It includes the concept of "data integrity", namely that data has not been changed inappropriately, whether by accident or deliberately. It also includes "origin" or "source integrity", that is, that the data actually came from the person or entity you think it did, rather than an imposter.

Page 7

Availability

Availability means that authorized users can reach information and systems when they need them. It may be affected by purely technical issues (e.g., a malfunctioning network or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).

Page 8

Information Owners

Information Owners are the individuals who are accountable for the data and tools their business area uses. They are responsible for determining who should have access to protected resources within their jurisdiction, based on users' job responsibilities, and what those access privileges should be (read, update, etc.).

Page 9

Information Owners

Information Owners should be identified for all entity information assets and assigned responsibility for the maintenance of appropriate security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc.

Page 10

Data Classification

Information, like other assets, must be properly managed from its creation, through authorized use, to proper disposal. As with other assets, not all information has the same use or value, and therefore information requires different levels of protection. All information should be classified and managed based on its confidentiality, integrity and availability characteristics.

Page 11

Data Classification

• Information must be classified and protected based on its importance to business activities, risks, and security best practices.

• The Information Owner will classify and secure information within their jurisdiction based on the information’s value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.

Page 12

Access Control

Owners make the decisions about controls and about users' access privileges, as well as the day-to-day decisions about how their information is managed.

Page 13

Logical Access Control

Computer-based access controls are called Logical Access Controls. Logical Access Controls provide a technical means of controlling what information persons can use, the programs they can run, and the modifications they can make.

Page 14

Policies and Procedures

Policies are the building blocks of network Logical Access Controls because they describe and document what level and type of protection is appropriate for individual data resources, and who needs access to those resources.

Page 15

User Account Lifecycle

Once resource owners have classified data according to its need for protective controls, entities should develop procedures to identify all functions of user management. This should include the generation, modification, and deletion of user accounts for access to the data.

Page 16

Password Management

Procedures and standards for managing passwords should be implemented to ensure that all authorized individuals accessing entity resources follow proven password management practices. Wherever possible, these password rules must be enforced by automated system controls rather than left to user discretion.
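As an added example (not from the presentation), the check below applies the account-lifecycle and password-management controls from the last two slides to a user export: it flags accounts that are still enabled for separated employees, enabled accounts that have been inactive past a threshold or never logged on, and accounts exempted from password expiry. The CSV columns, account names, audit date and 90-day inactivity threshold are all constructed assumptions; in a real audit the rows would come from something like `Get-ADUser -Filter * -Properties LastLogonDate,PasswordNeverExpires | Export-Csv`, joined with the HR separation list.

```python
"""
Audit a user-account export for lifecycle and password-policy exceptions.

Added example; not from the presentation. The export, column names, audit
date and inactivity threshold are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real accounts). LastLogonDate is blank when
# the account has never logged on.
SAMPLE_EXPORT = """\
SamAccountName,Enabled,LastLogonDate,PasswordNeverExpires,Department,EmploymentStatus
jdoe,True,2024-05-20,False,Human Resources,Active
mren,True,2024-05-28,False,Finance,Active
tsmith,True,2023-11-02,False,Payroll,Terminated
svc_backup,True,,True,IT,Active
rkim,True,2024-01-10,False,Finance,Active
pvega,False,2023-08-14,False,Human Resources,Terminated
"""

AS_OF = datetime(2024, 6, 1)           # audit date (assumed)
INACTIVITY_LIMIT = timedelta(days=90)  # policy threshold (assumed)


def parse_export(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(rows, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """Return {account: [finding, ...]} for accounts violating lifecycle controls.

    Disabled accounts are not reported for inactivity or separation, since
    disabling is the expected end state of the lifecycle.
    """
    findings = {}
    for r in rows:
        issues = []
        enabled = r["Enabled"] == "True"
        if enabled and r["EmploymentStatus"] == "Terminated":
            issues.append("enabled account for terminated employee")
        if enabled:
            if r["LastLogonDate"]:
                last = datetime.strptime(r["LastLogonDate"], "%Y-%m-%d")
                idle = as_of - last
                if idle > limit:
                    issues.append(f"inactive for {idle.days} days")
            else:
                issues.append("never logged on")
        if r["PasswordNeverExpires"] == "True":
            issues.append("password never expires")
        if issues:
            findings[r["SamAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_accounts(parse_export(SAMPLE_EXPORT)).items():
        print(account, "->", "; ".join(issues))
```

The service account is the case to watch for: it has never logged on interactively and is exempt from password expiry, which is common for service accounts but is exactly the kind of exception the Information Owner should have documented and approved, not something the auditor should discover.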

Page 17

Network Access Control

An organization needs to develop and implement procedures to protect its trusted internal network. Network controls should be developed and implemented to ensure that an authorized user can access only those network resources and services needed to perform their assigned job responsibilities.

Page 18

Technical Architecture

Page 20

Active Directory

The main purpose of Active Directory is to provide central authentication and authorization services for Windows based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an entire organization.

Page 21

Active Directory

Active Directory allows for:

• Policy-based administration using Group Policies

• Scalability (domain, tree, forest)

• Replication of information (load balancing etc.)

• Security administration (authentication, DACLs)

• Interoperability

Page 22

Active Directory

• Objects (and classes in the schema)

• Object Publishing

• Domains (trees, forests, trusts, OUs)

• Delegation and Group Policy concepts

Page 23

Active Directory

Objects are the entities that make up a network. An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. When an object is created, Active Directory generates values for some of its attributes (for example its objectGUID and distinguished name).

Page 24

Active Directory

Each attribute is defined once in the schema as its own object and can be used by several different schema class objects. These schema objects exist so that the schema can be extended or modified when necessary.

Page 25

Active Directory

The schema keeps track of:

– Classes

– Class attributes

– Class relationships such as subclasses (child classes that inherit attributes from the super class) and super classes (parent classes)

– Object relationships such as what objects are contained by other objects or what objects contain other objects

Page 26

Active Directory

Domains:

–The framework that holds the objects is viewed at a number of levels. At the top of the structure is the Forest - the collection of every object, its attributes and rules (attribute syntax) in the AD.

Page 27

Active Directory

Domains:

– The forest holds one or more Trees, linked by transitive trusts. A tree holds one or more Domains, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace; each domain has a single DNS name.

Page 28

Active Directory

Organizational Units:

– The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs:

• Give a domain a hierarchy

• Ease its administration

Page 29

Active Directory

Organizational Units:

– The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites.

Page 30

Active Directory

Organizational Units:

–The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.

Page 31

Active Directory

Business Example:

– A typical structure of an organization: Human Resources, Payroll, Finance

Page 32

Active Directory

Business Example:

– As an employee assigned to Human Resources, my access should be limited to HR applications and folders

– Likewise, HR data should not be accessible to other business units

Page 33

Special considerations for auditing logical access in a distributed environment

Auditors should:

– Review the organization's policies & procedures

– Compare to known and accepted industry standards

– Test whether users’ data access is tied to their job responsibilities

– Attempt predetermined “hacks” to test for network vulnerabilities that allow for inappropriate data access
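The third audit step, testing whether users' data access is tied to their job responsibilities, is the one the HR business example on the previous slides is built around. The added example below (not part of the presentation) shows how that test is actually carried out: expand group membership transitively, compute each user's effective rights on a share from its ACEs, and report every user whose department is not the share's owning department, together with the principal that granted the right. The users, groups, shares and department mapping are constructed; in practice they would come from exports such as `Get-ADGroupMember -Recursive` and `Get-Acl` on each share.

```python
"""
Test whether users' effective access matches their job responsibilities.

Added example, not from the presentation. All directory data below is
constructed; the share paths, group names and departments are assumptions.
"""
from collections import defaultdict

# user -> department (constructed)
USERS = {
    "jdoe": "Human Resources",
    "aross": "Human Resources",
    "mren": "Finance",
    "rkim": "Payroll",
    "tsmith": "Payroll",
}

# group -> direct members (users or other groups); nesting is deliberate
GROUPS = {
    "Domain Users": ["jdoe", "aross", "mren", "rkim", "tsmith"],
    "HR-Staff": ["jdoe", "aross"],
    "Payroll-Staff": ["rkim", "tsmith"],
    "Finance-Staff": ["mren", "Payroll-Staff"],   # Payroll nested into Finance
    "HR-Folder-Modify": ["HR-Staff", "mren"],     # stray direct grant to a Finance user
}

# share -> (owning department, [(principal, right), ...]) as an auditor would
# transcribe them from the share's DACL
SHARES = {
    r"\\fs01\HR": ("Human Resources", [("HR-Folder-Modify", "Modify"),
                                       ("Domain Users", "Read")]),
    r"\\fs01\Finance": ("Finance", [("Finance-Staff", "Modify")]),
}


def expand_group(group, groups=GROUPS, seen=None):
    """Return the set of users that are transitive members of `group`."""
    seen = set() if seen is None else seen
    if group in seen:            # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member in groups:
            users |= expand_group(member, groups, seen)
        else:
            users.add(member)
    return users


def effective_access(share, shares=SHARES, groups=GROUPS):
    """Map each user to the set of (right, granting principal) pairs on `share`."""
    _, aces = shares[share]
    access = defaultdict(set)
    for principal, right in aces:
        members = expand_group(principal, groups) if principal in groups else {principal}
        for user in members:
            access[user].add((right, principal))
    return dict(access)


def find_violations(shares=SHARES, groups=GROUPS, users=USERS):
    """List (share, user, department, right, via) for access outside the owning department."""
    violations = []
    for share, (owner_dept, _) in shares.items():
        for user, grants in effective_access(share, shares, groups).items():
            if users.get(user) != owner_dept:
                for right, via in sorted(grants):
                    violations.append((share, user, users.get(user), right, via))
    return sorted(violations)


if __name__ == "__main__":
    for share, user, dept, right, via in find_violations():
        print(f"{share}: {user} ({dept}) has {right} via {via}")
```

Two of the findings come from grants that look harmless in isolation: `Domain Users` with Read on the HR share exposes HR data to every business unit, and nesting `Payroll-Staff` inside `Finance-Staff` silently gives Payroll users Modify on Finance data. Reporting the granting principal alongside each violation is what lets the Information Owner decide which ACE or group membership to remove.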

Page 34

Special considerations for auditing logical access in a distributed environment

Demonstration

Page 35

Links of Interest

http://www.irongeek.com/

http://nvd.nist.gov/

http://sectools.org/

http://johnny.ihackstuff.com/

http://www.dirk-loss.de/onlinetools

http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

Page 36

Questions