Evaluating and Testing Access Controls

Organizations need to both build an access control environment and test it to see how it performs and behaves. In many cases, access control is the only barrier between outsiders and sensitive information. A great example is online banking: The only thing protecting your bank account information is your user ID and password. Don’t you want to be sure that the bank’s access control mechanism is working properly to protect your precious information from outsiders?

Computer systems contain information, which, in many cases, must be accessible to only authorized persons. However, weaknesses or vulnerabilities in access control software may permit users without the necessary credentials to also access this information. Additionally, poorly defined or inadequate access control policies can result in users having unauthorized access to sensitive data. User entitlement refers to the data access privileges that are granted to an individual user. Organizations must routinely — if not continually — review user entitlement to ensure overall data access privileges are appropriately administered in the organization. The audit and review process should be automated to increase efficiency, reduce errors, ensure completeness, and improve overall effectiveness.
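The automated entitlement review described above, as an added example that is not from the book: it cross-checks each account's granted privileges against a hypothetical role-to-privilege matrix and a constructed HR roster, flagging excess privileges, terminated users who still have access, and orphaned accounts with no owner.

```python
"""Automated user-entitlement review (added example; all data constructed)."""

# Hypothetical role-to-privilege matrix approved by the data owners.
ROLE_ENTITLEMENTS = {
    "teller": {"accounts.read", "transactions.post"},
    "branch_manager": {"accounts.read", "transactions.post", "transactions.approve"},
    "auditor": {"accounts.read", "audit_log.read"},
}

# Constructed HR roster: user -> (role, still employed?).
HR_ROSTER = {
    "alice": ("teller", True),
    "bob": ("branch_manager", True),
    "carol": ("auditor", False),  # left the company, account never disabled
}

# Constructed snapshot of what the access-control system actually grants.
GRANTED = {
    "alice": {"accounts.read", "transactions.post", "transactions.approve"},
    "bob": {"accounts.read", "transactions.post", "transactions.approve"},
    "carol": {"accounts.read", "audit_log.read"},
    "svc_legacy": {"accounts.read"},  # no HR record at all
}


def review_entitlements(granted, roster, matrix):
    """Return (user, finding, detail) tuples a reviewer must act on.

    Findings: 'orphaned' (no HR record), 'terminated' (HR says gone but
    access remains), 'excess' (privileges beyond the user's approved role).
    Users whose grants match their role produce no finding.
    """
    findings = []
    for user, privs in sorted(granted.items()):
        if user not in roster:
            findings.append((user, "orphaned", sorted(privs)))
            continue
        role, active = roster[user]
        if not active:
            findings.append((user, "terminated", sorted(privs)))
            continue
        excess = privs - matrix.get(role, set())
        if excess:
            findings.append((user, "excess", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_entitlements(GRANTED, HR_ROSTER, ROLE_ENTITLEMENTS):
        print(f"{user:<10} {finding:<10} {detail}")
```

Running it reports alice's approval right as excess, carol as terminated, and svc_legacy as orphaned; bob, whose grants match his role, is silent.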

Why test?

Organizations should perform penetration and vulnerability testing on these systems to ensure that they don’t possess any vulnerabilities or weaknesses that could permit unauthorized persons to view or alter information. You can carry out penetration testing (pen testing) manually, but more often than not, organizations use automated tools for faster identification of weaknesses in a system or its software applications.

Some terms used in pen testing that you need to know include

Port scanning: The process of probing a system to determine which TCP/IP service ports are running on the system.

Application scanning: The process of assessing whether an online application has any specific weaknesses that could permit exploitation. Some types of application scanning examine the source code itself in order to more easily identify vulnerabilities.

Black box testing: The tester has no prior knowledge of the system he or she tests.

White box testing: The person doing the testing has complete knowledge about the system that he or she tests. This testing provides maximum assurance that organizations can identify existing vulnerabilities — even if the organization gives the people doing the testing hints in advance.

Gray box testing: You guessed it — the people doing the testing have some (but not all) knowledge about the system they test.

Host scanning: The process of scanning a network in order to discover any host computers on the network.

Operating System (OS) detection: Determining the host OS, or the version of the host.

You can find numerous open-source and commercial scanning tools available, each designed to identify vulnerabilities in software applications, database management systems, operating systems, and network devices.

When and how to test

Most experts agree that you must test systems for vulnerabilities before placing those systems into production use. This principle is especially true for systems that users will access through the Internet. If you don’t test an Internet-facing system, attackers could exploit and “own” it faster than you can say “vulnerability testing.”

You should also test software that users access over the Internet or company networks for vulnerabilities as part of the functional testing performed prior to the release of new versions of the software. This additional testing can help to prevent any serious weaknesses from ever seeing the light of day (or the dark side of the Internet).

Organizations should adopt a software development life cycle (SDLC) process to govern any activities in software development or integration. Testing the software for vulnerabilities should be a formal part of the SDLC.

Read more about the software development life cycle in Chapter 7.
