Dark Reading is part of the Informa Tech Division of Informa PLC



An Auditor's Thoughts On Access Control

Four key access control considerations an auditor will look for

Regardless of whether it's for PCI, HIPAA, SOX, or GLBA, chances are high that if an auditor is bound for your organization, your access control is about to go under the microscope. With so many compliance-driven mandates around separation of duties and user monitoring depending on strong access control regimes, it's no wonder that this is one of the key areas on which auditors focus their efforts.

For his part, Rick Link, managing director, southwest region at Coalfire Systems, says that after general policies, standards, and procedures, access control is one of the first things he examines in his audits. A security and audit professional for nearly 30 years, Link says that the following are some of his top-of-mind access control considerations during his assessments.

1. Multidimensional Authorization And Authentication
Before delving into access control specifically, Link says to stop for a second and imagine a bull's eye with access to the data itself in the center and concentric circles around that. Each subsequent circle stands for the application, database, operating system, network, and then finally the physical data center layers. An interruption or compromise of any of the outer layers will affect access to those inside them.

"I'm looking at what are the authorization controls and what are the authentication controls for every layer of that bull's eye," he says. "Authorization is user account [approval] to get access to their data, and then authentication controls are going to be password controls."

On both counts, Link says he'll be looking for policies, standards, and procedures for ensuring security and reliability of access and user monitoring. So for authorization, that includes things as simple as policies around naming conventions, as well as definitions of what accounts can do on the system and user approval processes. For authentication, these policies include how often passwords are reset -- commonly between 30 and 60 days -- and minimum password length -- with seven characters being the safe bet in the industry at the moment, he says. He'll also be looking at how passwords are transmitted and stored.

"The minimum security we're going to have around the passwords is that it has got to be encrypted -- encrypted at the time of entering and encrypted during storage," he says. Not only does this prevent malicious hackers from stumbling on a treasure trove of passwords, but it also is critical for maintaining the integrity of separation of duties.
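The password controls in this section (a minimum length, a maximum age, and protected storage) are easy to state and easy to get subtly wrong, so here is an added example of how a verifier can enforce them. This is illustrative code written for this page, not anything from Coalfire or the interviewee. It keeps a salted, iterated PBKDF2-HMAC-SHA256 hash rather than a reversible ciphertext, which is how "encrypted during storage" is normally satisfied in practice: the verifier never needs the password back, only a way to check it. The seven-character minimum and 60-day maximum age are the figures the article reports; the iteration count, the account names and the dates are constructed for the example, and the policy is parameterised because current NIST SP 800-63B guidance favours longer minimums and change-on-compromise over calendar rotation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PasswordPolicy:
    # The length and reset interval are the figures the article reports; both are
    # parameters so a stricter standard can be substituted without code changes.
    min_length: int = 7
    max_age: timedelta = timedelta(days=60)
    # Assumed work factor for PBKDF2-HMAC-SHA256; tune it to the verifier's hardware.
    iterations: int = 600_000


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


class PasswordStore:
    """Keeps one salted, iterated hash per user; the clear-text password is never stored."""

    def __init__(self, policy: PasswordPolicy = PasswordPolicy()):
        self.policy = policy
        self._records: dict = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   self.policy.iterations)

    def set_password(self, user: str, password: str, now: datetime) -> None:
        if len(password) < self.policy.min_length:
            raise ValueError(f"password must be at least {self.policy.min_length} characters")
        salt = os.urandom(16)   # fresh random salt per password; identical passwords hash differently
        self._records[user] = PasswordRecord(salt, self._digest(password, salt), now)

    def verify(self, user: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'bad' or 'expired'; an expired password must be reset before use."""
        rec = self._records.get(user)
        if rec is None:
            self._digest(password, bytes(16))   # same cost for unknown users, so timing does not leak who exists
            return "bad"
        if not hmac.compare_digest(self._digest(password, rec.salt), rec.digest):
            return "bad"
        if now - rec.set_at > self.policy.max_age:
            return "expired"
        return "ok"

    def overdue_for_reset(self, now: datetime) -> list:
        """The rotation check an auditor samples: accounts whose password is older than max_age."""
        return sorted(u for u, r in self._records.items() if now - r.set_at > self.policy.max_age)

    def stored_bytes(self) -> bytes:
        """Everything the store persists, for checking that no clear text is present."""
        return b"".join(r.salt + r.digest for r in self._records.values())


def demo(iterations: int = 600_000) -> dict:
    """Runs the controls on constructed accounts and returns the verdicts."""
    store = PasswordStore(PasswordPolicy(iterations=iterations))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.set_password("alice", "correct-horse", t0)
    store.set_password("bob", "batterystaple", t0 - timedelta(days=90))   # last reset 90 days ago
    try:
        store.set_password("carol", "short1", t0)   # six characters, below the minimum
        carol_rejected = False
    except ValueError:
        carol_rejected = True
    later = t0 + timedelta(days=10)
    return {
        "alice_ok": store.verify("alice", "correct-horse", later),
        "alice_wrong": store.verify("alice", "Correct-horse", later),
        "bob_expired": store.verify("bob", "batterystaple", t0),
        "unknown_user": store.verify("mallory", "anything", t0),
        "carol_rejected": carol_rejected,
        "overdue": store.overdue_for_reset(t0),
        "cleartext_on_disk": b"correct-horse" in store.stored_bytes(),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The constant-time comparison and the dummy hash for unknown users are the two details most often missing from home-grown verifiers; the first stops a byte-by-byte timing oracle on the digest, the second stops the login endpoint from telling an attacker which usernames exist. Transmission protection is out of scope for this snippet: it assumes the password arrives over TLS.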

2. Role-Based Access Control
Another important aspect of enterprise access control that's on Link's hot list is that the organization engages in role-based access control (RBAC). Ideally, organizations should be streamlining the authorization process by creating user roles based on the principle of least privilege. Well-defined roles and good administration of provisioning and deprovisioning to those roles make it easier to ensure users have access only to what their job requires.

"And every time a new user comes into the organization, I don't have to go add in his or her user ID to that particular set of database resources; I add them to the role," he says. "That role is the one that maintains the access and so that way, it makes it a whole lot more efficient for adding users to the system. Then their access is going to be controlled based on their job responsibility."
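To make the provisioning pattern concrete, here is an added example (written for this page, not code from the interviewee or Coalfire) of a minimal RBAC model in which permissions attach only to roles and users attach only to roles. It also carries the two checks an access review needs: a separation-of-duties rule between mutually exclusive roles, and a report of roles nobody holds and users who hold conflicting roles. The role names, resources and users are constructed for the example.

```python
from collections import defaultdict


class RoleBasedAccess:
    """Permissions attach to roles, users attach to roles; no permission is ever
    granted to a user directly, so provisioning is 'add to role' and
    deprovisioning is 'remove from every role'."""

    def __init__(self):
        self._role_perms: dict = {}                    # role -> {(resource, action)}
        self._user_roles: dict = defaultdict(set)      # user -> {role}
        self._exclusive: set = set()                   # pairs of roles one person may not hold together

    def define_role(self, role: str, permissions: set) -> None:
        """A permission is a (resource, action) pair; the role lists only what the job needs."""
        self._role_perms[role] = set(permissions)

    def separate_duties(self, role_a: str, role_b: str) -> None:
        self._exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user: str, role: str) -> None:
        if role not in self._role_perms:
            raise KeyError(f"undefined role {role!r}")
        for other in self._user_roles[user]:
            if frozenset((role, other)) in self._exclusive:
                raise PermissionError(f"{user} may not hold {role!r} together with {other!r}")
        self._user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self._user_roles[user].discard(role)

    def deprovision(self, user: str) -> None:
        """Leaver process: one call removes every access path, because there is only one kind."""
        self._user_roles.pop(user, None)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        return any((resource, action) in self._role_perms[r] for r in self._user_roles.get(user, ()))

    def effective_permissions(self, user: str) -> set:
        """What the auditor compares against the job description."""
        perms = set()
        for role in self._user_roles.get(user, ()):
            perms |= self._role_perms[role]
        return perms

    def review(self) -> dict:
        """Access-review report: roles nobody holds, users with no role, and SoD conflicts
        (conflicts can exist when a rule is declared after the assignments were made)."""
        held = {r for roles in self._user_roles.values() for r in roles}
        return {
            "unused_roles": sorted(set(self._role_perms) - held),
            "users_without_roles": sorted(u for u, roles in self._user_roles.items() if not roles),
            "sod_violations": sorted(
                (u, tuple(sorted(pair)))
                for u, roles in self._user_roles.items()
                for pair in self._exclusive if pair <= roles
            ),
        }


def demo() -> dict:
    """Provisions a constructed set of users and roles and returns what the review sees."""
    rbac = RoleBasedAccess()
    rbac.define_role("ap_clerk", {("invoices", "create"), ("invoices", "read")})
    rbac.define_role("ap_approver", {("invoices", "read"), ("invoices", "approve")})
    rbac.define_role("dba", {("orders_db", "admin")})
    rbac.define_role("auditor_ro", {("invoices", "read"), ("orders_db", "read")})  # defined, never assigned
    rbac.assign("alice", "ap_clerk")
    rbac.assign("bob", "ap_approver")
    rbac.assign("carol", "dba")
    rbac.assign("dave", "ap_clerk")
    rbac.assign("dave", "ap_approver")          # granted before the SoD rule below existed
    rbac.separate_duties("ap_clerk", "ap_approver")
    try:
        rbac.assign("alice", "ap_approver")     # now blocked at provisioning time
        alice_blocked = False
    except PermissionError:
        alice_blocked = True
    rbac.deprovision("carol")                   # carol leaves; the dba role is now unheld
    return {
        "alice_can_create": rbac.allowed("alice", "invoices", "create"),
        "alice_can_approve": rbac.allowed("alice", "invoices", "approve"),
        "alice_blocked": alice_blocked,
        "carol_after_leaving": rbac.allowed("carol", "orders_db", "admin"),
        "bob_effective": sorted(rbac.effective_permissions("bob")),
        "review": rbac.review(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the `review` report is that the model makes the auditor's questions cheap to answer: an unused role is a candidate for removal, a user holding both sides of an exclusive pair is a separation-of-duties finding, and because the only path to a permission is a role, `effective_permissions` is the complete answer to "what can this person touch?".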

3. Privileged User Protections
In order to keep application and database environments humming, there are naturally going to be some IT super-users who can touch far more data than the common worker bee.

"Those are people that you should be logging everything they do," he says. "Typically, there's an administrator account that has access to the database that can do anything and everything. You want to monitor that account."

But he's not just looking for straight logging. He also looks to see whether the organization has instituted a way for specific users to log in to that root account through some sort of intermediary account, so that activity can be monitored not just by the account but by the individual user controlling that root account at any given time.
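What that intermediary looks like in practice is an added example below, written for this page rather than taken from the interviewee or any product: a small privileged-access broker. Nobody holds the shared administrator password; a named user authenticates as themselves, the broker checks they are entitled to the shared account and requires a ticket or reason, and every command is logged with both the real user and the effective account, so a shared-account action in the database log can be resolved back to a person. The account names, ticket references and commands are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Session:
    session_id: int
    user: str                 # the named person, authenticated with their own credential
    shared_account: str       # the all-powerful account they are acting as
    justification: str        # ticket or reason recorded at check-out time
    opened_at: datetime
    closed_at: Optional[datetime] = None


class PrivilegedAccessBroker:
    """Nobody logs in as the shared administrator directly. A named user
    authenticates as themselves, the broker checks they are entitled to the shared
    account, and every command goes into an audit record carrying both identities,
    so 'who was root at 14:03?' has an answer."""

    def __init__(self, entitlements: dict):
        self._entitled = entitlements           # shared account -> set of named users allowed to use it
        self._sessions: dict = {}
        self._next_id = 1
        self.audit_log: list = []               # append-only here; in production ship it off-host

    def _record(self, event: str, s: Session, at: datetime, **extra) -> None:
        self.audit_log.append({"ts": at.isoformat(), "event": event, "user": s.user,
                               "as": s.shared_account, "session": s.session_id, **extra})

    def open_session(self, user: str, shared_account: str, justification: str, at: datetime) -> int:
        if user not in self._entitled.get(shared_account, set()):
            self.audit_log.append({"ts": at.isoformat(), "event": "DENIED",
                                   "user": user, "as": shared_account})
            raise PermissionError(f"{user} is not entitled to {shared_account}")
        if not justification.strip():
            raise ValueError("a ticket or reason is required to use a shared administrative account")
        s = Session(self._next_id, user, shared_account, justification, at)
        self._sessions[s.session_id] = s
        self._next_id += 1
        self._record("SESSION_OPEN", s, at, justification=justification)
        return s.session_id

    def run(self, session_id: int, command: str, at: datetime) -> None:
        s = self._sessions[session_id]
        if s.closed_at is not None:
            raise RuntimeError("session is closed")
        self._record("COMMAND", s, at, command=command)   # written before execution, so a crash still leaves a trace
        # a real broker would now pass the command to the database or OS as the shared account

    def close_session(self, session_id: int, at: datetime) -> None:
        s = self._sessions[session_id]
        s.closed_at = at
        self._record("SESSION_CLOSE", s, at)

    def who_acted_as(self, shared_account: str, at: datetime) -> list:
        """Resolves a shared-account action back to the named people holding it at that instant."""
        return sorted({s.user for s in self._sessions.values()
                       if s.shared_account == shared_account and s.opened_at <= at
                       and (s.closed_at is None or at <= s.closed_at)})

    def commands_by(self, user: str) -> list:
        return [e["command"] for e in self.audit_log
                if e["event"] == "COMMAND" and e["user"] == user]


def demo() -> dict:
    """Two entitled administrators and one outsider use a constructed 'sysdba' account."""
    broker = PrivilegedAccessBroker({"sysdba": {"alice", "bob"}})
    t = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
    s1 = broker.open_session("alice", "sysdba", "CHG-1042 index rebuild", t)
    broker.run(s1, "ALTER INDEX orders_idx REBUILD", t + timedelta(minutes=3))
    broker.close_session(s1, t + timedelta(minutes=10))
    s2 = broker.open_session("bob", "sysdba", "INC-77 stuck session", t + timedelta(minutes=12))
    broker.run(s2, "ALTER SYSTEM KILL SESSION '51,3'", t + timedelta(minutes=13))
    try:
        broker.open_session("mallory", "sysdba", "just looking", t + timedelta(minutes=20))
        denied = False
    except PermissionError:
        denied = True
    return {
        "root_at_14_03": broker.who_acted_as("sysdba", t + timedelta(minutes=3)),
        "root_at_14_13": broker.who_acted_as("sysdba", t + timedelta(minutes=13)),
        "alice_commands": broker.commands_by("alice"),
        "mallory_denied": denied,
        "events": [e["event"] for e in broker.audit_log],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a Unix host the same design is what `sudo` with per-user rules and session logging gives you; the broker shape matters when the privileged identity is a database or application account that has no notion of the person behind it. Two things the example deliberately does: it logs the command before running it, and it logs denied check-outs, since an entitlement request from someone who should not have one is itself worth an analyst's attention.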

4. Filtering And Parsing User Activity
Effective access control doesn't just put up barriers to entry -- it also enables more effective and granular visibility into what specific employees are doing within specific systems.

According to Link, one of the biggest problems he sees is around the compliance logging required by many regulations to monitor user activity. Often that log data remains untapped, with organizations failing to use a filtering mechanism or log management tool to parse it.

"You're interested only in those logs that meet a predefined set of parameters that are of concern to the organization," he says. "So, say a password after five attempts is automatically suspended and then you see another attempt tried five times and that's suspended. If the parsing tool can interrogate all that data, that's the alert I want to be sent to the security administrator or the analyst to investigate or follow."

As he explains, PCI is "very black and white" about having daily log reviews.

"If you have high alerts come in, what are your processes to deal with them?" he says.
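The repeated-lockout pattern Link describes is a good first detection to build over authentication logs, so here is an added example of the parsing and filtering logic, written for this page and not taken from the interviewee or any product. It replays a constructed, syslog-like log: every five consecutive failures suspend the account, which is routine and only recorded, while a second suspension of the same account within a window produces the high alert the security administrator or analyst should receive. The log format, the five-attempt threshold (the article's figure), the 24-hour window, and all users, addresses and timestamps are constructed for the example; a real parser targets whatever the directory, database or application actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records for the example: two failures then success
# (alice), two five-attempt streaks from different sources (bob), one streak (carol),
# and one unrelated line the parser must skip.
SAMPLE_LOG = """\
2024-03-05T09:00:01Z auth LOGIN_FAIL user=alice src=10.0.0.5
2024-03-05T09:00:09Z auth LOGIN_FAIL user=alice src=10.0.0.5
2024-03-05T09:00:20Z auth LOGIN_OK user=alice src=10.0.0.5
2024-03-05T09:10:00Z auth LOGIN_FAIL user=bob src=203.0.113.7
2024-03-05T09:10:03Z auth LOGIN_FAIL user=bob src=203.0.113.7
2024-03-05T09:10:06Z auth LOGIN_FAIL user=bob src=203.0.113.7
2024-03-05T09:10:09Z auth LOGIN_FAIL user=bob src=203.0.113.7
2024-03-05T09:10:12Z auth LOGIN_FAIL user=bob src=203.0.113.7
2024-03-05T09:30:00Z auth LOGIN_FAIL user=bob src=203.0.113.9
2024-03-05T09:30:02Z auth LOGIN_FAIL user=bob src=203.0.113.9
2024-03-05T09:30:04Z auth LOGIN_FAIL user=bob src=203.0.113.9
2024-03-05T09:30:06Z auth LOGIN_FAIL user=bob src=203.0.113.9
2024-03-05T09:30:08Z auth LOGIN_FAIL user=bob src=203.0.113.9
2024-03-05T11:00:00Z auth LOGIN_FAIL user=carol src=10.0.0.8
2024-03-05T11:00:04Z auth LOGIN_FAIL user=carol src=10.0.0.8
2024-03-05T11:00:08Z auth LOGIN_FAIL user=carol src=10.0.0.8
2024-03-05T11:00:12Z auth LOGIN_FAIL user=carol src=10.0.0.8
2024-03-05T11:00:16Z auth LOGIN_FAIL user=carol src=10.0.0.8
kernel: eth0 link up
"""

LINE = re.compile(r"^(?P<ts>\S+) auth (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Yields parsed auth events; lines that are not auth records are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   "event": m["event"], "user": m["user"], "src": m["src"]}


def analyse(lines, threshold: int = 5, repeat_window: timedelta = timedelta(hours=24)) -> dict:
    """Replays the log. Every `threshold` consecutive failures suspend the account
    (routine: recorded, not alerted). A second suspension of the same account inside
    `repeat_window` is the pattern handed to the analyst."""
    streak = defaultdict(list)      # user -> (ts, src) of the current run of failures
    lockouts = defaultdict(list)    # user -> (ts, sources) for each suspension
    alerts = []
    for ev in parse(lines):
        u = ev["user"]
        if ev["event"] == "LOGIN_OK":
            streak[u].clear()       # a successful login ends the run
            continue
        streak[u].append((ev["ts"], ev["src"]))
        if len(streak[u]) < threshold:
            continue
        sources = {src for _, src in streak[u]}
        streak[u].clear()
        lockouts[u].append((ev["ts"], sources))
        recent = [(t, s) for t, s in lockouts[u][:-1] if ev["ts"] - t <= repeat_window]
        if recent:
            alerts.append({
                "severity": "high",
                "user": u,
                "lockouts_in_window": len(recent) + 1,
                "sources": sorted(set().union(sources, *(s for _, s in recent))),
                "at": ev["ts"].isoformat(),
            })
    return {"lockouts": {u: len(v) for u, v in lockouts.items()}, "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    print("suspensions per account:", result["lockouts"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Run against the sample, carol's single suspension is recorded but produces nothing, while bob's second suspension twenty minutes after the first raises one alert that already carries both source addresses, which is the detail the analyst needs to decide whether this is a forgotten password or a guessing attack. The same function is what a daily review script would call over the previous day's records; the `alerts` list is the queue whose handling process the auditor asks about.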

