A Practical Guide to Security Assessments
9. Does the user ID administration policy or procedure provide any guidelines about having strong passwords (e.g., minimum password length, use of different types of characters)?
Guidance:
Passwords are a first line of defense in the overall information security program. Strong passwords significantly enhance the overall security posture; weak passwords undermine it. Commonly known best practices for strong passwords can be adopted as the organization's standard. What is practical depends on the company and its current password habits: it might be too large a jump to go from very weak passwords (e.g., an individual's name, the company name, or the word password) directly to passwords consisting of upper and lower case letters, numbers, and special characters. When reviewing password strength, consider the following:
• Getting users to adopt strong passwords is often a cultural battle, which requires strong management support.
• If changes are made requiring stronger passwords, help desk calls will go up, at least temporarily and possibly permanently.
• Enforcing strong passwords is much more feasible if the system automatically enforces them.
Risk:
The risk associated with weak passwords is that they can be guessed and then used to gain unauthorized access to IT resources. Commercial tools as well as freeware, readily available on the Internet, can guess weak passwords in a matter of minutes, whether by trying candidates against the login interface or by cracking captured password hashes offline.
Client Response:
10. Does the system have the ability to enforce password controls, and if so, is the company taking advantage of it? If not, why not? Some examples of system-level enforcement include:
• Validation of password strength
• Passwords being forced to change at regular intervals
• Passwords not being recycled within a certain period of time
Guidance:
Good password management is almost impossible to enforce manually. You can perform periodic audits to try to force users to have strong passwords that are changed at regular intervals, but this method of enforcement is very ineffective because it depends on checking every user, which cannot be done consistently. The most effective way to enforce good password management practices is to let the system enforce it. If these enforcement features are available, they should be used; if they are not used, there should be a documented justification. You may find cases where companies are reluctant to use these features because they are afraid of how users will react or because of the support burden. In these cases, the risks have to be carefully reviewed to determine what the recommendation is; some aspects of system enforcement might be appropriate while others might not.
AU1706_book.fm Page 396 Wednesday, July 28, 2004 11:06 AM
Appendix N
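The three enforcement features the question lists (strength validation, forced change at an interval, no recycling within a history window) are what a system's password-change path has to implement. The following is an added example, not code from the book or from any particular product: a small Python policy module with assumed values for the minimum length, required character classes, history depth and maximum age, and a constructed denylist standing in for a breached-password list. The user and company names are made up.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Assumed policy values for the example; the right numbers are an
# organizational decision, not something this code prescribes.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3   # of: lower case, upper case, digit, special
HISTORY_DEPTH = 10          # previous passwords that may not be reused
MAX_AGE_DAYS = 90           # forced-change interval
PBKDF2_ROUNDS = 100_000
# Constructed denylist covering the weak choices named in the guidance;
# a real deployment screens against a large breached-password list.
DENYLIST = {"password", "welcome", "letmein"}


def character_classes(pw):
    """Count how many of lower/upper/digit/special appear in pw."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


def check_strength(pw, username="", company=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    lowered = pw.lower()
    # Forbidden terms are rejected as substrings, not only as exact matches,
    # so "Acme2004!" is still caught when the company is Acme.
    for term in sorted(DENYLIST | {username.lower(), company.lower()}):
        if term and term in lowered:
            problems.append(f"contains the forbidden term '{term}'")
    return problems


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history stores (salt, digest), never plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(pw, history):
    """history holds (salt, digest) pairs for prior passwords, most recent first."""
    for salt, digest in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(pw, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def is_expired(last_changed, today):
    """Both arguments are ISO dates (YYYY-MM-DD); True once the password is too old."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


def validate_change(new_pw, username, company, history):
    """The full check a system would run when a user sets a new password."""
    problems = check_strength(new_pw, username, company)
    if is_reused(new_pw, history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    history = [hash_password("Summer2004!!")]          # constructed prior password
    for candidate in ("password", "Acme2004!", "Summer2004!!", "correct-Horse7-battery"):
        verdict = validate_change(candidate, "jsmith", "Acme", history)
        print(f"{candidate!r}: {', '.join(verdict) if verdict else 'accepted'}")
```

The history stores only salted PBKDF2 digests, so a leaked history file does not reveal old passwords; the reuse check re-derives the digest with the stored salt and compares in constant time. One caveat to carry forward from when this guide was written: NIST SP 800-63B now recommends screening new passwords against breached-password lists and dropping mandatory periodic rotation unless there is evidence of compromise, so a control like MAX_AGE_DAYS should be tied to that evidence rather than applied on its own.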
Risk:
Without system-level enforcement of good password management, enforcement is difficult. Users tend not to follow strong password rules unless they are forced to do so in an automated fashion.
Client Response:
11. Are employees given any awareness training on user ID administration,
which incorporates password management?
Guidance:
Information security in general requires some level of awareness training to be successful. Password management is one of the areas that should be covered. Users are taught the password policy and given the opportunity to ask any questions they might have. They are also taught the value of having strong passwords. Many users are likely unaware of the importance of strong passwords, or that they share some accountability if their user ID and weak password are used by malicious users to gain unauthorized access to the company's IT resources.
Risk:
The risk of not having awareness training related to password management is that users will be less likely to follow the rules. They will only follow what the system forces them to do.
Client Response:
12. Do the appropriate system or application owners approve access for their
systems?
Guidance:
As part of the access approval process, system and application owners should be in a position to approve or disapprove access to systems or applications they own. This process enforces the idea of ownership and accountability, as system and application owners make the decisions regarding access to the systems for which they are responsible. From an assessment perspective, it is important to have owners at least for the mission-critical systems. This process should be documented so there is an audit trail of the approval.
Risk:
The risk of not having the system and application owners approve access for their systems is a lack of accountability. This can have negative impacts including:
• Users having inappropriate access
• Access not being removed during the termination process because system and application owners are not involved in the ID administration process
Client Response:
13. Is privileged access or access to operating system functions restricted to
the appropriate administrators? Does a formal approval process for
obtaining privileged access exist?
Guidance:
Privileged access is very powerful because one can do just about anything on a system with that level of access. As such, this access should be limited to only those individuals who require it. In most cases, only system administrators should require this level of access to do their jobs. In other cases, you may find some people need privileged access to perform certain functions for a certain period of time, or they may need administrator rights because of an application they support. For example, if a security incident occurs, an investigator may need privileged access to a system for a short period of time to collect evidence. In these cases, the individuals should provide written justification of why they need the access and how long they need it for, which should be approved by management. This process should be streamlined so privileged access can be granted quickly if required (e.g., the case where an investigator requires access after a security incident), and the access should be revoked when the stated period ends.
Risk:
The risk of individuals having privileged access without business justification and proper approval is that the access can be used to do considerable damage or result in a security breach on a given system. This type of access also enables people who damage a system to cover their tracks.
Client Response:
14. Do administrators with privileged access also have regular user accounts,
which are used for day-to-day nonadministrative responsibilities?
Guidance:
As a best practice, administrators with privileged access should have regular accounts for day-to-day work. Privileged access should only be used when performing administrative tasks that require it. Otherwise, regular IDs without privileged access should be used. Those individuals who need privileged access to perform limited functions as part of their jobs should have separate IDs for privileged access. Separate IDs minimize the amount of time privileged access is in use and thus reduce the risk associated with this type of access.
Risk:
If administrators use their privileged accounts to do all of their work, they increase the risk of doing something that can have a negative impact on the system. Also, if such an individual is logged in and leaves the computer unattended, someone can potentially do considerable damage to the network.
Client Response:
15. Is privileged activity logged?
Guidance:
For accountability purposes, privileged account activity should be logged if the system has the functionality. There is a balance here because logging does require system resources, which could potentially hurt the overall performance of systems. Whether privileged activity is logged is driven by the environment and culture. As the environment becomes larger and multiple people have privileged access, logging becomes more necessary. Two other aspects to consider when reviewing logging of privileged access are:
• To balance logging against potential performance problems, identify what should be logged and, if the system supports it, log only those items.
• The company should have adequate resources to review the logs, unless they are needed strictly for investigative purposes in case of an incident; in that instance, reviewing logs is something that is done after the fact.
Risk:
The risk associated with not logging privileged activity is a potential lack of accountability and ownership. As stated in the earlier question, privileged access is powerful, and a lack of accountability can lead to misuse and an eventual security breach.
Client Response:
16. As a practice, do users normally use screen savers or do they lock their
screens when their personal computers (PCs) are unattended?
Guidance:
Leaving PCs unattended without using screen savers could result in loss of confidentiality of sensitive information. A typical person might have multiple sessions of different applications open at one time. One is bound to be e-mail, and others might be sensitive documents. Anyone can walk by a PC and look at something they should not be seeing. One thing often heard is that internal employees would not look at what is shown on other people's PCs, yet we all know that this certainly happens. Measures such as password-protected screen savers or locking of screens protect the confidentiality of sensitive information and enhance security. Although the practice of using screen savers can be covered in a policy, it should also be addressed in user awareness training.
Risk:
The risk of not using screen savers or other measures to lock down PCs is that unauthorized users may read confidential information on someone else's PC or use that PC, with its logged-in session, to gain access to the network. All of this can lead to embarrassment to the company if the security of sensitive information is compromised.
Client Response:
17. What auditing and logging functions are enabled? Does anyone review
the logs?
Guidance:
To proactively monitor the security of systems, certain auditing and logging functions should be enabled based on the environment and the specific risks. Auditing and logging consume system resources, so clients must be careful when deciding what is to be logged. Ideally, these logs should be reviewed on a regular basis with appropriate follow-ups and actions taken. Clients may also have third-party tools that can parse through log data and provide summary-type information, thereby significantly reducing the time needed for analysis of log data. If clients are not using tools to parse logs and make review and analysis easier, suggesting the use of tools may be a worthwhile recommendation that can potentially save time and provide better security.
Risk:
The risk of not having auditing or logging features enabled includes:
• A reactive instead of a proactive approach to security is being used.
• If a security incident occurs, the system may not have the information required to do a proper investigation.
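The privileged-activity logging of question 15 and the log review of question 17 meet in the review itself. The following is an added example, not from the book, of the kind of summary a parsing tool produces: a Python script that reads sudo-style syslog lines, counts privileged commands per account, tallies failed escalation attempts, and flags use by accounts outside an assumed approved-administrator list, interactive root shells, and access to sensitive files. The log lines, host name, account names and approved list are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sudo-style syslog lines (host, users and times are made up) in the
# format sudo writes to auth.log or /var/log/secure; not from any real system.
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:16:40 web01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:20:11 web01 sudo:   mlee : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/mlee ; USER=root ; COMMAND=/bin/bash
Mar  3 10:22:05 web01 sudo:   rpatel : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  3 10:25:30 web01 sshd[2211]: Accepted publickey for jsmith from 10.0.0.5 port 51022 ssh2
"""

# Assumed list of accounts approved for privileged access (the artifact the
# approval process in question 13 should produce).
APPROVED_ADMINS = {"jsmith", "mlee"}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<failed>\d+) incorrect password attempts ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Events a reviewer wants surfaced rather than buried in the volume.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/zsh", "/bin/su", "/usr/bin/su"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers")


def parse_sudo(line):
    """Return the fields of a sudo log line as a dict, or None for other lines."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, approved_admins):
    """Count privileged commands per account and collect review findings."""
    commands = Counter()
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo(line)
        if ev is None:
            continue                      # not a sudo event; ignored here
        user, cmd = ev["user"], ev["cmd"]
        if ev["failed"]:
            failures[user] += int(ev["failed"])
            findings.append(f"{ev['ts']} {user}: {ev['failed']} failed sudo attempts before {cmd}")
            continue
        commands[user] += 1
        program = (cmd.split() or [""])[0]
        if user not in approved_admins:
            findings.append(f"{ev['ts']} {user}: privileged command by an account not approved for admin access: {cmd}")
        if program in INTERACTIVE_SHELLS:
            findings.append(f"{ev['ts']} {user}: interactive root shell (sudo does not log the commands typed inside it): {cmd}")
        if any(path in cmd for path in SENSITIVE_PATHS):
            findings.append(f"{ev['ts']} {user}: access to a sensitive file: {cmd}")
    return {"commands_per_user": dict(commands), "failures": dict(failures), "findings": findings}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, APPROVED_ADMINS)
    print("privileged commands per account:", report["commands_per_user"])
    print("failed escalation attempts:", report["failures"])
    for finding in report["findings"]:
        print("FINDING", finding)
```

An interactive shell obtained through sudo is worth a finding of its own because sudo records only the shell invocation, not the commands typed inside it; if that is common practice, the logging in question 15 is weaker than it looks. The approved-administrator list is the piece that turns a log dump into a review: without it, the tool can count but cannot say which privileged use was authorized.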