One hot trend in audit regulations ... and 2 cold facts behind it.
What's a hot trend in IT security audit regulations? Privileged accounts and passwords. These are the pre-built administrative IDs found in virtually every piece of hardware and software in an organization, such as root on UNIX UNIX
Operating system for digital computers, developed by Ken Thompson of Bell Laboratories in 1969. It was initially designed for a single user (the name was a pun on the earlier operating system Multics). , Administrator in a Windows workstation (1) Any PC running Windows.
(2) Using a Windows server as a client PC. The server versions of Windows are occasionally used as desktop computers to take advantage of the additional robustness and features built into server products. See Windows server. and embedded Inserted into. See embedded system. passwords that connect applications. Privileged passwords are under increased scrutiny in evolving regulations such as:
**** Sarbanes-Oxley 404. This legislation requires that companies prove they have control over their financial systems. If an enterprise has key financial information whose administrative access is not sufficiently secured or managed, then that organization may be in violation of Sarbanes-Oxley.
**** HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, . This set of healthcare regulations encompasses similar requirements to Sarbanes-Oxley. For HIPAA, the goal is to ensure patient information is absolutely confidential and secure. If an organization allows unsecured administrative access to patient data, it may be violation of HIPPA Hip´pa
n. 1. (Zool.) A genus of marine decapod crustaceans, which burrow rapidly in the sand by pushing themselves backward; - called also bait bug ltname>. See Illust. under Anomura. .
**** PCI (1) (Payment Card Industry) See PCI DSS.
(2) (Peripheral Component Interconnect) The most widely used I/O bus (peripheral bus). . Payment Card Industry standards are perhaps the most explicit in terms of managing, securing and updating privileged passwords. These requirements, as spelled out in sections 8.5.1 through 8.5.16, have become the standard for many other legislative bodies. For example, parallels can be found in the energy industry's NERC/FERC compliance requirements Compliance requirements are a series of directives established by United States Federal government agencies that summarize hundreds of Federal laws and regulations applicable to Federal assistance (also known as Federal aid or Federal funds). .
**** More international regulations are being added daily. A partial list of international regulations that touch on privileged passwords now includes Basel II Basel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. The purpose of Basel II is to create an international standard that banking regulators can use when creating regulations , 21 CFR CFR
See: Cost and Freight Part 11 and Gramm-Leach-Bliley.
**** Country-specific regulations are also on the rise. When it comes to privileged identities, numerous countries around the world are enacting tighter regulations for control of privileged passwords, such as France's "Loi de Securite Financicre," Germany's "KonTraG," the UK's "Combined Code" and the Netherlands' "Tabaksblat Code".
Every day I work with auditors and enterprises in order to help enforce these and related regulations. But no matter what the regulation, industry or country, two key principles hold true. These "cold hard facts" are:
1. Organizations must prove control over key systems and information
Time was, sensitive information was stored in file folders with locks. I remember that time well! The more powerful an individual was in an organization, the more the keys to those many locks jangled in his or her pocket. Now those days are gone, and a full key ring seems to be solely reserved for folks who maintain facilities. One beneficial thing I miss about those good old "key days" was that it was simple to track who had access to what information. Typically a slip of paper in the CEOs desk listed the number of keys and who had them. If a key were lost or went missing, all keys would be replaced. Today that confidential information Noun 1. confidential information - an indication of potential opportunity; "he got a tip on the stock market"; "a good lead for a job"
steer, tip, wind, hint, lead resides in electronic file folders in a wide array of systems inside an organization. Send a sensitive document in an email and--bingo--it now exists in even more places than ever before, including the mail server and recipient storage systems. In other words Adv. 1. in other words - otherwise stated; "in other words, we are broke"
put differently , even the most sensitive documents can exist in a multitude of electronic filing cabinets, making it even more important to keep track of the ever-expanding list of electronic keys.
The first electronic keys to be tracked were those for individual workers, such as the identity Jane_Marketer. In this sense, identity management solutions do a wonderful job of provisioning users to systems. For example, a typical provisioning maneuver would ensure that Jane_Marketer was provisioned to have access to Microsoft Office Microsoft's primary desktop applications for Windows and Mac. Depending on the package, it includes some combination of Word, Excel, PowerPoint, Access and Outlook along with various Internet and other utilities. , Quark quark (kwôrk): see elementary particles.
Any of a group of subatomic particles thought to be among the fundamental constituents of matter—more specifically, of protons and neutrons. Express and Email Blaster 3000 ... and NOT to the general ledger General Ledger
A company's accounting records. This formal ledger contains all the financial accounts and statements of a business.
The ledger uses two columns: one records debits, the other has offsetting credits. system. Identity Management solutions will also remind Ms. Marketer that she needs to change her password regularly, such as every 30 days. Control the electronic keys for individual employees and you would seem to be controlling access to all sensitive information.
Sadly, it's not that simple. Virtually every piece of hardware and software has privileged identities built-in--these are basically secret keys which are added to system by its creator. The best-known privileged identity is the Administrator account that appears when starting up your local workstation. Manufacturers create these identities because somewhere, sometime, some user is going to do something so incredibly unexpected that their actions crash the entire system.
The privileged identity is the manufacturer's back door to restart destroyed and corrupted systems. Because it is the entry point of last resort, it's built so that it can not be disabled or destroyed. Sometimes clever IT folks find a way to remove the privileged identity, but this can compromise the integrity of the entire system and weaken your case for free technical support if the need arises (and trust me, it will!) Accidents happen, and when they do it's great to have a privileged account to fix them. So the next question is this: How many of these privileged identities exist in your organization? Analyst research firms such as IDC* have estimated that the number of privileged identities far outstrips those for personal accounts. It's not hard to replicate their math. Every employee has at least one workstation and that workstation has at least one privileged identity. Add to that all the privileged IDs in firewalls, email servers See mail server. , applications, databases and so on, and the number grows quickly; especially when you consider that some systems include dozens of privileged identities, depending on what subsystem you are trying to restore.
To sum up, the myriad regulations covering privileged identities all concur CONCUR - ["CONCUR, A Language for Continuous Concurrent Processes", R.M. Salter et al, Comp Langs 5(3):163-189 (1981)]. on one fact: Proving control over a target electronic system means proving that EVERY key to that system is completely secure. And in the high-tech world, that means keys for both personal identities and privileged identities.
2. Accountability, Accountability, Accountability
A second principle driving many regulations is that of accountability. Here's the reasoning. Suppose you have an employee who is up to no good. Perhaps this perpetrator A term commonly used by law enforcement officers to designate a person who actually commits a crime. wants to copy the customer database and sell it to a competitor. Or maybe our baddie wants to erase one year's worth of incriminating in·crim·i·nate
tr.v. in·crim·i·nat·ed, in·crim·i·nat·ing, in·crim·i·nates
1. To accuse of a crime or other wrongful act.
However no matter what the motivation, our perpetrator has decided to do something nasty and doesn't want to get caught. Their next step? Turn to Google and search. In minutes they'll find out about these wonderful privileged identities: super-secret and anonymous ways to do virtually anything to any system and leave no fingerprint. They'll also find dozens of pre-written scripts that are available for instant download with the most common manufacturer default passwords for any privileged identity.
A note on default privileged passwords. When manufacturers create privileged back-door identities, they also insert a default password into that identity BEFORE the system ships. Once the target system hits a company's loading dock, it's often time-consuming to locate and manually update all these default passwords. In the end, many rushed IT departments skip this step. In fact, surveys show that up to 40% of default privileged passwords are never changed.** It comes as no surprise then that insider attacks using these privileged identities are now the most common and serious security threat to enterprises, according to according to
1. As stated or indicated by; on the authority of: according to historians.
2. In keeping with: according to instructions.
3. the Department of Defense and Carnegie Mellon University Carnegie Mellon University, at Pittsburgh, Pa.; est. 1967 through the merger of the Carnegie Institute of Technology (founded 1900, opened 1905) and the Mellon Institute of Industrial Research (founded 1913). .***
Now back to our hypothetical perpetrator. Next we reach the part of the story where our imaginary baddie has done their work and all heck breaks loose. The internal search is on for the employee who stole the database ... the judge wants to know who erased every email in 2003 ... and as the internal auditor Internal auditor
An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. , your phone rings off the hook. But whatever the catastrophe, you as auditor will be asked to review internal systems and find the culprit. And who will these systems say was at fault?
Here is where the regulations step in. It's simply not acceptable to set up an identity called "Administrator" in a system that's built to track "Jane_Marketers." In organizations where that practice is approved, it inevitably comes back to haunt the audit and security groups. The best practice is to tie anonymous identities to personal ones, and have the reports and paper trail to back up your systems.
In summary, there are a multitude of regulations that require enterprises to secure privileged passwords, the all-powerful and anonymous codes built into almost every piece of hardware and software. These regulations have two main purposes: first, to ensure that privileged identities are in fact secured; and second, to tie any activity performed under these generic and anonymous IDs to real-life individuals. The good news is that automated solutions can help accomplish both of these tasks. The bad news is, of course, that until all your privileged identities are secured and personalized per·son·al·ize
tr.v. per·son·al·ized, per·son·al·iz·ing, per·son·al·iz·es
1. To take (a general remark or characterization) in a personal manner.
2. To attribute human or personal qualities to; personify. , your organization may be at risk for insider attacks, lost revenue and failed audits.
Adam Bosnian is Vice President of Cyber-Ark Software, developers of the Enterprise Password Vault.
*Source: IDC, "Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise," Jan