
In Chapter 11 (attached), beginning at the section titled “Network Access Control”, Calder and Watkins (2020) identify a number of areas covered under Network Access Control – (VPNs, Extranets, Wireless Networks, Access to networks and network services, Firewalls and network perimeter security, Routers and switches, Network intrusion detection systems, and User authentication for external connections)

> Choose three items from the listings and explain each of the network access items requiring control, why it is important that proper control is provided, and what are some of the common threats that might result from improper or missing control on that item. Develop one well-conceived preventative measure against breaches in that area. Provide an example of each elaborating your ideas to support your answer.

Need 6-7 pages in APA format with introduction + conclusion and peer-reviewed citations.

11

Access control

Control objective A.9 of the standard is extremely important; it focuses on access to information, and a properly thought-through and thoroughly implemented access control policy, within the ISMS, is fundamental to effective information security. This control category provides for appropriate monitoring and is a major clause in the standard and a major component of the ISMS.

The reader needs to understand that access control has become increasingly critical over recent years. Chapter 1 set out the key reasons why cybercrime is on the increase and outlined the nature of the advanced persistent threat facing most economies today. In particular, it pointed to the growth in hacking. It is worth understanding the world of hackers, as a background to the need for effective access control.

Hackers

It has been argued that hackers have four prime motivations:

●● challenge – to solve a security puzzle and outwit an identified security set-up;

●● mischief – wanting to inflict stress or damage on an individual or organization;

●● working around – getting around bugs or other blocks in a software system;

●● theft – stealing money or information.

Hackers like to talk about ‘white hat’ and ‘black hat’ hackers, or just ‘hackers’ (good) and ‘criminal hackers’ (not so good). The argument is that the ‘black hat’ hackers are malicious and destructive while the ‘white hat’

IT GOVERNANCE162

hackers simply enjoy the challenge and are really on the side of good, offering their skills to help organizations test and defend their networks. This differentiation is convenient for hackers, who seem able to change hats as easily as they would evade network defences. The only sensible approach for any security-conscious organization is to assume that all hackers are potentially in the wrong-colour hats, however they might initially present themselves. ‘Grey hats’ is a term that has evolved to recognize the uncertain danger of so-called ‘ethical’ hackers.

The ‘Certified Ethical Hacker’ (CEH) certification is one of a growing range that have evolved to recognize a particular level of hacking skill, based on completion of an intensive training course. Those who go on such a course are not initially screened for their ethical bias, and one should approach the employment of a CEH with open eyes. Of course, the absence of a formal qualification should prevent one from hiring anyone to test network systems.

The term ‘cracker’ evolved to identify black hat hackers who break into computer systems specifically to cause damage or to steal data. Hackers like to say that crackers break into computers but that hackers get permission first, and will publish their discoveries. Of course, hackers become crackers, crackers become hackers, and either could become a security consultant.

‘Script kiddies’ are none of the above; most IT departments contain one or more individuals whose interest in testing the systems that they are employed to protect leads them from time to time beyond the law. They are not as sophisticated as hackers and so they have not yet qualified for a hat, but, using their own very simple code or, more usually, programs found on the internet, they can be just as lethal to unprotected systems as the higher-profile hacker collectives that have gained press coverage in direct proportion to their hacking exploits.

Hacker techniques

Some of the more common, basic techniques that hackers use to gain access to networks are set out, alphabetically, below. The OWASP Top 10 lists the most significant categories of web application security risk, and the SANS Internet Storm Center publishes updates on new, critical vulnerabilities. The list below, which includes common hacker terms, keeps growing and is therefore never complete or fully up to date:

●● Abusing software. Hackers, once they have gained access to a system, use the installed software for their own ends. This can include using administrative tools to uncover network weak points for exploitation, abusing CGI (Common Gateway Interface) programs on web servers, exploiting vulnerabilities in Microsoft’s Internet Information Services (IIS), and so on. The advice of a network security specialist should be sought to ensure that the organization fully understands the current level and type of risks arising from these types of activities.

●● Back door. Programmers or administrators deliberately leave ways into software systems that can be used later to gain access while bypassing the normal authentication checks. Sometimes developers forget to take out something that was put there simply to ease development work or to assist with debugging. Sometimes ways are deliberately left in to help field engineers maintain the system. However they get there, they can provide any user who discovers them with unauthorized access to the system.

●● Back Orifice. This program is a remote administration tool with great potential for malicious use. It is very easy to use, so script kiddies have no problem with it. It is also ‘extensible’: plug-ins can add new capabilities, so its feature set keeps growing. Most anti-malware systems should detect and remove Back Orifice, but new variants become available on a regular basis.

●● Broken authentication and session management. These attacks take advantage of flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc to impersonate users and take over privileged accounts.

●● Buffer overflow. A buffer is an area of memory that holds data to be processed. It has a fixed, predetermined size. If too many data are placed into the buffer, they can be lost or can overwrite other, legitimate data. Buffer overflow vulnerabilities have for a number of years been a major source of intrusion. They provide hackers with an opportunity to load and execute malicious code on a target workstation.

●● Cross-site request forgery (CSRF). This takes advantage of web applications that allow attackers to predict all the details of a particular action. Since browsers automatically send credentials such as session cookies, attackers can create malicious web pages that generate forged requests that are indistinguishable from legitimate ones.

●● Cross-site scripting (XSS). This is one of the most prevalent web application security flaws. Attackers exploit it by getting scripts to execute in a victim’s browser, in order to hijack user sessions, deface websites, insert hostile content, redirect users, take over the user’s browser using malware, etc.


●● Denial of service (DoS). This sort of attack is designed to put an organization out of business for a time by overwhelming its systems. It is usually done by flooding a server or network link with connection requests or other traffic so that it is unable to provide a normal service to authorized users. A distributed denial-of-service (DDoS) attack uses the computers of other, third-party organizations or individuals (which have themselves been commandeered by the cracker) to mount the attack.

●● Exploit. This is either the methodology for making an attack against an identified vulnerability (the noun) or the act (the verb) of attacking or exploiting the vulnerability. Exploits are often published on the internet, either by black hats or by grey hats, who claim that this is a good way of forcing software suppliers to develop more secure software or to provide fixes for existing software.

●● ‘Man in the middle’. A hacker places himself or herself, undetected, between two parties to an internet transaction, whether on a local area network (LAN) or on an unsecured internet link. The hacker intercepts and reads messages between the two parties and can alter them without the intended recipient knowing what has happened. This is often recognized as a form of masquerading (see below).

●● Masquerading. A hacker will pretend to be a legitimate user trying to access legitimate information, using a password or PIN that was easily obtained or copied, and will then try to access more confidential information or execute commands that are not usually publicly accessible.

●● Network monitoring. This is also known as ‘sniffing’ and involves placing a capture tool on a host or network segment that traffic crosses, recording everything that passes and looking for passwords. These, and other ostensibly confidential information, are often sent ‘in the clear’, and can therefore easily be picked out and written to the hacker’s workstation for future use.

●● Password cracking. This is actually, on balance, very easy. Many users set no password or, if they do, use very simple passwords that they can easily remember, like ‘secret’ or ‘password’, or their children’s names, or birthdays, sports teams, particular anniversaries or family names. While some hackers can quickly guess particular users’ passwords, software is freely available on the internet that will apply ‘brute force’ to try, automatically and at high speed, every theoretically possible alphanumeric combination of user name and password and, usually aided by a dictionary of common passwords, this can quickly enable a hacker to gain access to a system. Once a hacker obtains the list of hashed passwords from an authentication server, he or she can run internet-available tools against it offline: the hashes are not decrypted but guessed at, and fast, unsalted hashes of common passwords fall in seconds.

●● Polymorphic attacks. The polymorphic attack uses advanced techniques to obfuscate the malicious code that is executed when an attack successfully takes advantage of a system’s vulnerability to compromise the system. They continuously change (or ‘morph’) non-essential components of their code, while maintaining the core attack algorithm, to deceive intrusion detection systems.

●● Rootkit. Originally, a rootkit was a set of tools that allowed administrator-level access (called ‘root’ access in the Unix world) to a computer or network. These tools could also be used by an attacker to hide evidence of his or her intrusion. The term has therefore evolved to describe stealthy malware – malware such as a Trojan, virus or worm – that actively conceals its existence from computer users and system processes.

●● Security misconfigurations. These can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. They enable attackers to access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc to gain unauthorized access to or knowledge of the system.

●● ‘Social engineering’. The easiest and most common method of gaining access to a network or secure environment is to trick someone into providing confidential information. The hacker, for instance, poses as a network administrator or a fellow employee with an urgent problem that can only be resolved by the employee providing confidential information (such as a user name or password). Alternatively, the hacker has a false business card, claiming to be a key technical or business support representative, or claims to be a new employee trying to get up to speed in the business. Staff should not divulge their password to anyone, even IT support staff. For emergency access to restricted systems and administrative applications, the information security manager may want to hold administrator passwords in a central password manager. That emergency access needs to be tested regularly so that, should an administrator be dismissed for any reason, the system(s) to which he or she had access can be maintained and the passwords changed.

●● Spoofing. IP spoofing gains unauthorized access to a system by masquerading as a valid internet (IP) address. Web spoofing (phishing and pharming) involves the hacker redirecting traffic from a valid web address to a fraudulent, lookalike website where customer information (and particularly credit card information) is captured for later illegal reuse. Phishing is also the attack vector of choice for deploying malware onto networks.

●● SQL injection. This is supplying input to a web form (or any other field that ends up inside a database query) that contains SQL syntax, in the hope that the application splices the input into the query text without separating code from data; where it does, the hacker can read, change or extract data directly from the database.

●● Trojan horses. These are programs that, while they might appear to be useful utilities, are designed secretly to damage the host system. Some will also try to open up host systems to outside attack.

●● Zero-day attacks. These occur when a flaw in software has been discovered and exploits of the flaw appear before a fix or patch is available. Once a working exploit of the vulnerability is released into the wild, users of the affected software are exposed until a patch is available or some alternative mitigation is put in place.
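The SQL injection entry above can be seen concretely in the following added example, which is not from the book: a user lookup that splices the form field into the SQL text, beside the same lookup with a bound parameter, both run against a constructed in-memory SQLite database. The table names, rows and the two payloads are assumptions made for illustration.

```python
"""SQL injection: a query built by string concatenation beside the
parameterised version.  Added example, not from the book; the database,
table names, rows and payloads below are constructed for illustration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table and a second table
    (api_keys) that the user-lookup feature is never meant to expose."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        CREATE TABLE api_keys (owner TEXT, key TEXT);
        INSERT INTO users (username, role)
            VALUES ('alice', 'admin'), ('bob', 'user'), ('carol', 'user');
        INSERT INTO api_keys VALUES ('alice', 'AK-0001'), ('bob', 'AK-0002');
        """
    )
    return db


def find_user_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the form field is spliced into the SQL text,
    so a quote character in the input changes the structure of the query."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return db.execute(query).fetchall()


def find_user_safe(db: sqlite3.Connection, username: str) -> list:
    """Hardened: the SQL text is a fixed template and the value travels as a
    bound parameter, so quotes, OR, UNION and comment markers are plain data."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads an attacker would type into the form field.
TAUTOLOGY = "' OR '1'='1"                                    # matches every row
UNION_DUMP = "' UNION SELECT owner, key FROM api_keys --"    # reads another table


def demo() -> dict:
    """Run both lookups against both payloads and against a legitimate name."""
    db = build_db()
    return {
        "vuln_tautology": find_user_vulnerable(db, TAUTOLOGY),  # all three users
        "vuln_union": find_user_vulnerable(db, UNION_DUMP),     # api_keys rows leak
        "safe_tautology": find_user_safe(db, TAUTOLOGY),        # no such user: []
        "safe_union": find_user_safe(db, UNION_DUMP),           # no such user: []
        "safe_legit": find_user_safe(db, "alice"),              # [('alice', 'admin')]
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

The union payload is the one to notice: the application only ever intended to return rows from `users`, but because the input became part of the query's structure it returns the contents of a table the feature never referenced. The hardened version treats the same string as a literal user name and finds nothing.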

Hackers do not exist only outside the organization. They are often employed by the organization that they target. They might also be disgruntled former (or about to be former) employees who want to take revenge on the organization for letting them go. Internal hackers can be more dangerous than external ones, not least because they start off knowing far more than anyone outside the organization. They might already have access rights that are capable of getting them to places that the organization does not want them to visit. Equally, it is possible for an attacker to gain unauthorized access to the organization’s premises and, once inside the physical perimeter, to access a relatively unsecured machine through which the entire network can be reached. The fact that an information system is not directly connected to the internet does not mean that it is not liable to be attacked. Such systems have to be subject to the same level of security as those that are connected to the internet, and the risk assessment needs to take all possible risks into account.

System configuration

The first step that any organization should take in order to deal with the threat of hacking is to eliminate as many as possible of the vulnerabilities that may be native to the Microsoft (and other) software packages deployed in the workplace. This is done by ensuring that the systems are loaded and configured in line with the Microsoft guidelines (as set out at www.microsoft.com/en-gb/security (archived at https://perma.cc/YY9A-6W65)) and as amended or strengthened by the recommendations set out on the website of the CERT coordination centre (www.sei.cmu.edu/about/divisions/cert/index.cfm (archived at https://perma.cc/C9ZJ-KUQ7)) at the Software Engineering Institute of Carnegie Mellon University. Their configuration recommendations are independent and, subject to the organization’s own risk assessment, they ought to be adopted as basic good practice in server and workstation configuration.

Whatever technical requirements are adopted by the organization, they should be documented and appropriate steps taken to ensure, by means of a regular independent technical check, that they are being maintained.

Access control policy

Control 9.1.1 of ISO27002 says the organization should define and clearly document its access control policy on the basis of business and information security requirements and then restrict access to what is defined in the policy. Access controls are both physical and logical, and, as they should complement each other rather than conflict, they should be considered together. This consideration has to take into account the range of risks from hackers and crackers, and, if necessary, specialist advice on the latest cracker threats and technological defences should be taken as part of the risk assessment process.

Access control rules and user rights for individual users and groups of users should be related to business objectives and clearly documented, and users should be aware of them. Failure to implement the policy properly will lead to too many people having access to too much information and at too high a level of confidentiality. This tends to lead to unauthorized access to information, disclosure to third parties of confidential information, etc. Training on the access control policy and access control rules should be part of basic user training. The level of dependency on other, highly individualized components of the ISMS means that each organization has to develop its own unique policy.

The access control policy in the ISMS should, ISO27002 says, take a number of factors into account:

●● Different business applications have different security requirements. These are determined by identifying all the information that the business systems are carrying and through the individual risk assessments carried out for each critical business system; these risk assessments point at who should, and should not, be allowed access to the system.

●● Some information required for particular business applications may be processed by people who do not need access to the application itself (the ‘need-to-know’ principle in action). An example might be in an office workflow system, where the person who inputs a supplier delivery note to a purchase and payments application does not need access to the actual accounting or payment functions of the system. Such a person would need different access rights from those required by a person who triggers actual vendor payments.

●● The information classification system needs consideration. User access rights should reflect the level of information that users are allowed to see.

●● There should be consistency between the access control and information classification policies of different networks within the same organization; inconsistency leads to incoherence, which leads to people taking short cuts (because of there being an excessive number of user names and passwords, and too much variation in responsibility), and this leads quickly to breakdowns in information security.

●● Relevant legislation, particularly data protection legislation, and any contractual obligations that the organization has to protect particular data should be analysed and taken into account.

●● There should be standard user access profiles for common job categories, as this makes it straightforward to manage and provide training. In situations where people with similar jobs have different access rights, security will break down as individuals unofficially share the most useful access profiles. Authorization to create a new user name should set out the areas of the network to which the user is to have access.

●● A distributed, networked environment that recognizes a number of different types of connection should consider all of them, so that, for instance, a user who can access something on the desktop can also do so remotely. Windows roaming user profiles, for example, carry a user’s settings to whichever workstation the user logs on to, but the access rights themselves still have to be granted consistently for each type of connection.

●● Segregation of duties should apply here as well: if the organization is large enough, different roles should be responsible for processing access requests, authorizing them and setting them up.

●● Access controls, like all ISMS controls, should be periodically reviewed; as a weakness in this control could provide access to sensitive and confidential information or systems, it is as important to monitor this as it is to monitor the activity of those who have access to the organization’s bank account.

●● Access rights should be formally approved, regularly reviewed and removed or adjusted when an employee is terminated or has a change of role. (This aspect, covered by control A.9.2.6, was dealt with in Chapter 8.)

The access policy will set the key principles that are to govern access to information and information systems. In setting these rules, the ISMS must clearly differentiate between rules that are always enforced and those that are optional, conditional or occasion specific. A key principle should be that whatever is not expressly permitted is forbidden; the alternative, that what is not expressly forbidden is permitted, is much weaker and can, for instance, allow hackers on the organization’s staff full licence to indulge in whatever they think they can describe as being not forbidden.

Changes in information classifications, in user permissions and in access control rules (and these can happen both automatically through the system and as a result of human intervention, some of which may or may not require other approvals before implementation) should also be considered in drawing up the detailed rules. The overall objective must be to identify and close loopholes in the rules as early as possible. Regular review of access control rules is therefore very important.

Network Access Control

Network access control needs to be considered in the context of the changing access needs of users and organizations. Accessibility of internal and external networked services should not compromise the security of those services. This means there need to be appropriate interfaces between the organization’s network and other networks, particularly the internet, with appropriate authentication mechanisms for users and equipment, and controls over user access to information services.

A private network that carries sensitive data needs to protect the privacy and integrity of that traffic. When such a network is connected to other networks, or when browser access is allowed, the remote terminals and other connections become extensions to that private network and must be protected accordingly. In addition, the private network must be protected from outside attacks that could cause loss of information, breakdowns in network integrity or breaches in security.

There is more to the issue of network security than simply considering fixed private networks, whether local area networks (LANs) or wide area networks (WANs). WANs and LANs are usually discrete networks using fixed private cabling within the organization’s facilities to connect their information processing facilities (a LAN) or using privately leased or owned fixed data links to connect LANs in a number of different locations securely. Virtual private networks (VPNs), extranets and wireless networks are now important parts of the networking universe.

Virtual private networks (VPNs)

VPNs are, in effect, alternative WANs that replace or augment an existing fixed private network. There are two types of VPN: remote access VPNs, which extend the network to telecommuters, home offices and mobile workers, enabling them to log on securely to the corporate network across the internet; and site-to-site VPNs, which securely connect remote sites to a corporate or central site, using service provider connections or the internet. A VLAN (virtual LAN) is a related but distinct concept: it is a group of end stations that the switches treat as one broadcast domain regardless of physical location, so it has the attributes of a physical LAN but allows end stations to be grouped even when they are not plugged into the same physical LAN. A VLAN separates traffic at the switch; it does not, by itself, encrypt that traffic, which is what a VPN does.

VPNs utilize specific technologies, such as Internet Protocol Security (IPsec), which rely on encryption and on authenticating the peers at each end of the tunnel. VPN technology has become relatively ubiquitous, but installation of a VPN may require specialist technical advice as well as the specialist technology. The organization will need to carry out a risk assessment in respect of its VPN, and should expect to apply the same security and management standards to its VPN as to any fixed network.

Extranets

Extranets support business-to-business (b2b) commerce and collaboration between independent entities, typically via the internet. As markets consolidate and core services are externalized, organizations need to communicate securely with a network of external partners that includes outsourcing companies, demand and supply chain partners, consultants and contractors. Extranets need to be extremely flexible and must be deployed quickly (in ‘internet time’) without needing to redevelop or re-architect existing applications while leveraging existing infrastructures. They must also be scalable, to allow for future growth to be supported quickly, easily and inexpensively. At the same time, extranets must ensure that confidential information remains confidential and that authenticated users can access only the services they are authorized to access. This needs to be done without requiring the partner, customer or vendor to change its security policies, network infrastructures or any aspect of its existing set-up for the benefit of the extranet.

This appears to fly in the face of the requirements of ISO27001; however, organizations need to respond to market drivers without compromising their information security. Extranets should be deployed in line with business objectives; there is no such thing as a ‘one size fits all’ extranet. Some extranets are designed for user groups simply to view static information, while others are designed for a more dynamic interaction with the enterprise. The extranet might need to communicate with a mass of customers, or a mass of suppliers, or a small number of partners involved in product development or some combination of these.

Secure extranets will rely on encryption, strong two-factor or even multi-factor authentication, granular access control and other VPN security features. The extent to which third parties can effectively be bound by contracts is limited by the extent to which their terms can be accepted at the initial log-in stage of accessing the extranet. There are specialist products that can be deployed to create and manage secure extranets, or organizations can create their own simply by implementing the types of security solution discussed in this book. The management process is the same for extranets as it is for other information security issues: carry out a risk assessment and deploy an appropriate, cost-effective solution.

NIST’s Special Publication 800–47, Security Guide for Interconnecting Information Technology Systems, provides guidance on planning, establishing, maintaining and terminating interconnections between independent organizational information systems. It can be accessed at csrc.nist.gov (archived at https://perma.cc/Z5WL-42XB).

Wireless networks

Wireless networks are an increasingly important issue, in information security terms. Wireless networks are convenient, inexpensive to set up (there is no category 5 copper cabling or fibre to lay or move) and they enable group working and data sharing to take place easily and simply. They consist of notebooks, workstations, mobile devices and other peripherals that access a corporate network using shared radio waves, wireless access points and wireless networking protocols. WEP (Wired Equivalent Privacy), the security mechanism in the original 802.11 standard, was created to tackle the vulnerability that comes from using shared radio waves to transmit data, in theory making wireless transmissions as safe as using a fixed network by encrypting wireless traffic and by using the WEP key to authenticate nodes.

However, many wireless networks have no security, WEP is broken as a security technology (its keys can be recovered from captured traffic in minutes with freely available tools), and wireless networks are extremely vulnerable. Flaws continue to be found (by ‘war drivers’, ‘war chalkers’ and wireless hackers), which means that the wireless security standard is continuing to evolve: WPA (Wi-Fi Protected Access), WPA2 and the underlying 802.11i standard replaced WEP, and WPA3 has since been published as their successor. Specialist security procedures will be necessary for wireless networks and mobile workers. These include advanced encryption key management and, more significantly, placing the wireless network outside the organizational firewall, with no routes into the internal network other than through a secure VPN. A detailed risk assessment drawing on specialist advice that reflects the risks of bandwidth theft, security gateway bypassing, identity theft, illegal activity and espionage should inform the decision on this issue.

There are a number of other basic security requirements in regard to wireless networking that should be put in place as a matter of course. These include changing the SSID (Service Set Identifier, the public name of a wireless network) to one that does not identify its location or users, ensuring that access control is enabled, and requiring WPA2 (or WPA3) rather than WEP or an open network. Network administrators should, subject to their risk assessment, have a process for detecting rogue access points: wireless access points plugged into the network without authorization, and radios outside the organization that impersonate its SSID.
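As an added example (not from the book), the following Python audit implements the rogue-access-point check the paragraph calls for, against a constructed access-point inventory and a constructed site-survey result; the BSSIDs, SSIDs and security labels are assumptions made for illustration. It goes slightly beyond the text by also flagging one of the organization's own radios that has fallen back to WEP or open operation.

```python
"""Audit of a wireless site survey against the access-point inventory.
Added example, not from the book; inventory and scan results are constructed."""
from typing import Dict, List, Tuple

# Constructed inventory: BSSID (the radio's MAC address) -> SSID that the
# organisation's own access points are configured to broadcast.
AUTHORISED_APS: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "corp-wifi",
    "aa:bb:cc:00:00:02": "corp-wifi",
    "aa:bb:cc:00:00:03": "corp-guest",
}
CORPORATE_SSIDS = set(AUTHORISED_APS.values())

# Constructed scan results, in the shape a survey tool would report them.
SCAN: List[Dict[str, str]] = [
    {"ssid": "corp-wifi",      "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "corp-wifi",      "bssid": "aa:bb:cc:00:00:02", "security": "WEP"},   # our AP, misconfigured
    {"ssid": "corp-guest",     "bssid": "aa:bb:cc:00:00:03", "security": "WPA2"},
    {"ssid": "corp-wifi",      "bssid": "de:ad:be:ef:00:01", "security": "OPEN"},  # evil twin
    {"ssid": "NETGEAR42",      "bssid": "de:ad:be:ef:00:02", "security": "WPA2"},  # unlisted radio
    {"ssid": "cafe-next-door", "bssid": "11:22:33:44:55:66", "security": "WPA3"},  # neighbour
]

WEAK = {"OPEN", "WEP"}   # no protection, or protection that is known to be broken
SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


def audit(scan: List[Dict[str, str]], authorised: Dict[str, str],
          corporate_ssids) -> List[Tuple[str, str, str]]:
    """Return (severity, bssid, finding) tuples, most severe first.

    critical  evil-twin: a corporate SSID advertised by a radio not in inventory
    high      weak-security / ssid-mismatch: one of our own APs is misconfigured
    info      unlisted-ap: any other radio not in inventory, for follow-up
    """
    findings: List[Tuple[str, str, str]] = []
    for ap in scan:
        bssid, ssid, sec = ap["bssid"], ap["ssid"], ap["security"]
        if bssid in authorised:
            if ssid != authorised[bssid]:
                findings.append(("high", bssid,
                                 f"ssid-mismatch: expected {authorised[bssid]}, saw {ssid}"))
            if sec in WEAK:
                findings.append(("high", bssid, f"weak-security: {ssid} uses {sec}"))
        elif ssid in corporate_ssids:
            findings.append(("critical", bssid,
                             f"evil-twin: {ssid} advertised by unknown radio ({sec})"))
        else:
            findings.append(("info", bssid, f"unlisted-ap: {ssid} ({sec})"))
    # Stable sort keeps scan order within each severity band.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, bssid, text in audit(SCAN, AUTHORISED_APS, CORPORATE_SSIDS):
        print(f"{severity:8s} {bssid}  {text}")
```

A wireless survey alone cannot tell whether an unlisted radio is actually cabled into the organization's switches; the "info" findings are the list to reconcile against switch port inventories, while the evil-twin and weak-security findings are actionable as they stand.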

These sorts of wireless networks are not, however, the end of the story. Wireless networking includes the increasing array of machines that are designed to access corporate networks other than across fixed links. There is, of course, the mobile phone. Smartphones themselves carry large amounts of important contact information, and retained data, voice and text messages make them potential targets for attackers. Mobile devices, which are able to remotely access corporate networks, are becoming more popular with hackers and virus writers as a route into otherwise well-defended networks.

Bluetooth is a wireless protocol built into a widening range of products to enable short-range wireless data communication between equipment and with Bluetooth hubs. Voice communication with computers, and voice over IP (VoIP) technology, are becoming more and more effective. All of these technologies have real vulnerabilities and pose real security threats to organizations, from over-the-air malware infection to data loss and unauthorized network access. These tools will, however, continue proliferating because they improve the productivity of workers and the interconnectedness of data. Banning these tools will not be an effective solution for organizations. Information security advisers will need to keep themselves abreast of developments and will have to become adept at carrying out risk assessments on new technologies and at finding appropriate security solutions to the vulnerabilities and threats that are thus identified. Specialist advice may be necessary on a regular basis, and organizations may decide that, as a matter of policy, they will not adopt new technologies for a defined initial period during which they hope that their vulnerabilities will be identified and solutions to them found. NIST’s paper SP 800–48, Security for Wireless Networks and Devices, at https://csrc.nist.gov (archived at https://perma.cc/Z5WL-42XB), provides a good technical overview of the security issues.

The essential starting point for tackling the network access part of the ISO27001 exercise is a network map that shows clearly all the assets on the network and all their connections, whether internal or external. It should also show any wireless connections and any related domains, certainly including any demilitarized zones (DMZs) and extranets. A series of risk assessments is then carried out in respect of each of the external connections, and appropriate controls are selected from those identified in ISO27002 to deal with the assessed risk.

Access to networks and network services

Control A.9.1.2 says the organization should design and implement a policy, within its ISMS, that ensures that users have access only to the services that they have been specifically authorized to use. The policy should identify which networks and network services are allowed to be accessed, the authorization procedures necessary prior to any such access, and the controls necessary to protect access to network connections and network services, which should extend to how the means of accessing these networks are controlled. This policy should be consistent with the access control policy discussed in relation to A.9.1.1 and should recognize and allow for the future evolution of networking technologies in a way that provides guidance to the organization on how to respond securely to these changing circumstances. In practice this means that users should see, on their desktops, only icons for those services that they are authorized to access; no information should be provided about other services that are on the network, as attempts to crack into them should not be encouraged. Hiding icons is a usability measure rather than a security boundary, however: the authorization must also be enforced on the network and at the service itself, since a user who knows a service exists can reach it without an icon.

Firewalls and routers are key components of the network security perimeter.

Firewalls and network perimeter security

Network perimeter security controls access to the network so that only authorized users can access applications, data and services running on the network. Firewalls are generally the first security product that organizations deploy to protect their network perimeters. A firewall provides a barrier to traffic seeking to cross the perimeter and permits only authorized traffic to pass, in line with a predetermined access policy. Firewalls will also usually provide some level of network address translation (NAT) services, denial-of-service (DoS) attack protection, IPsec VPN services and intrusion detection services. A perimeter firewall may also need to integrate with device-level firewalls on mobile laptops and smartphones.

There are a large number of firewalls available, and the organization should research the market thoroughly before making its choice. In general, vendors that have been in the business for some years and that clearly have resources adequate to maintain the development of their products should be favoured. It is important that the chosen anti-malware software is able to work with the preferred firewall. At the same time, bearing in mind the speed of change in the security market, current security sites (see Chapter 4) should be consulted to establish which firewall products are proving easiest for attackers to compromise or most inadequate for current performance requirements.

Once the firewall has been chosen, the policies that it is to apply will need to be selected and documented in a way that reflects a specific risk assessment. It is important that these are chosen as the result of an informed risk analysis that is in line with the organization's access control policy, as otherwise the organization will find itself unable to operate effectively. There are internet resources that the organization needs, and the safest perimeter policy, which is simply to close all ports on the firewall, is not necessarily the most sensible. The practical form of that policy is default deny: everything is blocked unless a rule explicitly allows it, and each allow rule records the business need and the risk assessment that justified it. As usual, specialist technical advice, combined with current information about security vulnerabilities and threats derived from vendor and independent websites, may be necessary for the correct configuring of the firewall.


NIST has a Special Publication, number 800-41, titled Guidelines on Firewalls and Firewall Policy. The document contains guidelines on configuring and administering firewalls as well as covering related issues such as VPNs, web and e-mail servers and intrusion detection. It contains links to other firewall-related resources. The NIST website is at https://csrc.nist.gov (archived at https://perma.cc/Z5WL-42XB).

The firewall and its correct configuration can be business-critical for any organization, and the vendor's default password (which will be widely known) must be changed. An ISO27001 auditor will therefore want to see evidence that managers have reviewed the firewall configuration. Any subsequent changes to the rules agreed for the firewall need to go through the same authorization process, with evidence available to prove this, and must not be implemented at the whim of a system administrator.

Routers and switches

In addition, the organizational network infrastructure should be built using routers and switches that themselves have adequate security features. The selection of routers and switches should be subject to the same level of care as the selection of a firewall, and, while these are technically simpler devices, they too can provide an attacker with a way into the network. Routers and switches should be configured in line with the manufacturer's recommendations (including changing the vendor's default password) and have correctly configured and up-to-date access control lists (ACLs). An ACL filters traffic on source and destination address, protocol and port, so that only the traffic the policy permits passes through the router or switch; it controls devices and flows rather than users as such. Routers and switches can also have core firewall technology embedded in them, and the choice of which switches and routers to deploy should be made in the light of a risk assessment and a review of independent assessments of vendor products.
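As an added example, not code from the book or from any vendor, the following Python models the rule evaluation that a perimeter firewall or a router ACL performs (first match wins, with an implicit default deny) together with the shadowed-rule check a reviewer should run on a ruleset before approving it. The networks, ports, rule comments and the names Rule, evaluate and shadowed_rules are all constructed for this illustration.

```python
"""Added example (not from the book or any vendor): a first-match, default-deny
packet filter of the kind a perimeter firewall or a router ACL enforces, with the
shadowed-rule check a reviewer runs before approving a ruleset.
All addresses, ports and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port; None means any port
    comment: str = ""

    def matches(self, proto, src, dst, dport):
        """Does this rule apply to one packet?"""
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other):
        """Does every packet matched by `other` also match this rule?"""
        return ((self.proto == "any" or self.proto == other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; a packet no rule mentions is dropped (default deny)."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule already covers every packet
    they match. A shadowed deny is a policy error: the traffic it was meant to stop
    is being handled by the earlier (usually broader) allow."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.comment, earlier.comment))
                break
    return found


ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"
ADMIN_NET = "10.0.1.0/24"
GUEST_NET = "10.0.5.0/24"
RESOLVER = "10.0.0.53/32"
DMZ_WEB = "192.0.2.10/32"    # TEST-NET-1 address standing in for a DMZ web server

# "Close all ports": nothing is allowed, so even the services the business needs fail.
CLOSE_EVERYTHING = []

# A risk-assessed policy. The guest-VLAN deny has been appended after the broad
# internal allow, which is exactly the ordering mistake a review should catch.
PERIMETER_POLICY = [
    Rule("allow", "tcp", ANY, DMZ_WEB, 443, "public HTTPS to DMZ web server"),
    Rule("allow", "udp", INTERNAL, RESOLVER, 53, "internal clients to internal resolver"),
    Rule("allow", "udp", RESOLVER, ANY, 53, "resolver to upstream DNS"),
    Rule("allow", "tcp", INTERNAL, ANY, 443, "internal clients to internet HTTPS"),
    Rule("deny", "tcp", GUEST_NET, ANY, 443, "guest VLAN must not reach the internet"),
    Rule("allow", "tcp", ADMIN_NET, DMZ_WEB, 22, "admin subnet SSH to DMZ web server"),
]

# The corrected ordering: the specific deny is placed before the broad allow.
FIXED_POLICY = [PERIMETER_POLICY[4]] + PERIMETER_POLICY[:4] + PERIMETER_POLICY[5:]


if __name__ == "__main__":
    print(evaluate(CLOSE_EVERYTHING, "udp", "10.0.0.20", "10.0.0.53", 53))    # DNS broken
    print(evaluate(PERIMETER_POLICY, "tcp", "10.0.5.4", "203.0.113.80", 443))  # guest gets out
    print(shadowed_rules(PERIMETER_POLICY))
    print(evaluate(FIXED_POLICY, "tcp", "10.0.5.4", "203.0.113.80", 443))      # now denied
```

Running it shows three things the text asserts: closing every port also drops the DNS and HTTPS the business needs; a deny appended after a broader allow is never reached, so the guest VLAN reaches the internet despite the rule that says it must not; and moving the specific deny above the broad allow both fixes the behaviour and clears the shadowed-rule report. Real firewalls add connection state, interfaces and direction, but the ordering hazard is the same, which is why the review evidence an auditor asks for should cover rule order and not only the list of rules.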

Organizations with larger networks should also consider technology solutions that enable them centrally to define, distribute, enforce and audit security policies for a large number of routers, switches and firewalls. Cisco, for instance, provides technology solutions that specifically enable this type of centralized security control. The larger the network, the more important, and the more cost-effective, such a solution is. In addition, larger organizations should consider (in the light of the risk assessment) deploying intrusion detection systems (IDSs) that can monitor and reactively respond to intrusions as they occur, and network vulnerability scanners that proactively identify areas of weakness. These are important because, while firewalls provide an enforced path control for external users, they do not actively analyse the traffic for attacks or search the network for vulnerabilities. In particular, firewalls do not address the threats posed by insiders. IDS packages can be sourced through major vendors of security products and through the security sites on the internet. In considering IDS packages, the total cost of ownership will be important, and the organization must be clear on how it will deal practically with the output of the detection system. There should also be regular scans of the network for the existence of unauthorized wireless access points.

Large organizations, or organizations that need to run large networks or complicated mixes of services dealing with a complex web of partners, customers and vendors, should consider designing the network as a whole. This will require the input of a network specialist, and the organization chosen to provide this service should be able to point to similar solutions successfully implemented for similar clients elsewhere. Large networks might be segmented, or compartmentalized, structured around a number of separate logical domains, as a method of limiting the extent to which an intruder can affect the entire network.

Network intrusion detection systems (NIDS)

A network intrusion detection system is hardware or software that automates the process of monitoring events in systems or networks to detect intrusions. An intrusion is an attempt to break into or misuse an information system, or bypass its security controls, in order to compromise the confidentiality, integrity or availability of information stored on it.

There are different types of intrusion detection systems. A NIDS, sometimes loosely called a 'network sniffer', monitors packets on the network and attempts to discover whether an attacker is trying to break into the system (or to cause a denial-of-service attack). A system integrity verifier (SIV) monitors system files to detect when an intruder changes them, for example to set up a back door. Log file monitors (LFM) monitor log files generated by network services. In a similar manner to NIDS, these systems look for patterns in the log files that suggest that an intruder is attacking. There are a number of products that perform these various tasks and that can be quickly and easily identified through a product search. Use of such a product should be the result of a risk assessment, and its use should be planned alongside any other network monitoring and anti-malware tools that the organization chooses to deploy.
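As an added example (not from the book or any IDS product), the following Python runs two of the detection styles just described over constructed data: a NIDS-style port-scan heuristic over connection-attempt records, and a log file monitor over sshd lines. The thresholds, window sizes, addresses and log content are assumptions of this example.

```python
"""Added example (not from the book or any IDS product): two of the detection
styles described above, run over constructed data. detect_port_scans() is a
NIDS-style heuristic over connection-attempt records; detect_brute_force() is a
log file monitor over sshd log lines. Thresholds are assumed tuning values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(seconds=60)        # assumption: look back one minute
SCAN_MAX_PORTS = 20                        # assumption: more than 20 ports is a scan
BRUTE_WINDOW = timedelta(minutes=5)        # assumption
BRUTE_MAX_FAILURES = 5                     # assumption


def detect_port_scans(flows, window=SCAN_WINDOW, max_ports=SCAN_MAX_PORTS):
    """Flag a source that sends bare SYNs to more than max_ports distinct ports on
    one host within `window`. flows are (iso_timestamp, src, dst, dst_port, flags)
    in time order; established traffic ("A", "PA", ...) is ignored."""
    history = defaultdict(list)            # (src, dst) -> [(time, port), ...]
    alerts = {}
    for ts, src, dst, port, flags in flows:
        if flags != "S":
            continue
        now = datetime.fromisoformat(ts)
        attempts = history[(src, dst)]
        attempts.append((now, port))
        recent_ports = {p for t, p in attempts if now - t <= window}
        if len(recent_ports) > max_ports:
            alerts[(src, dst)] = len(recent_ports)
    return alerts


FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def detect_brute_force(log_text, year=2024, window=BRUTE_WINDOW,
                       max_failures=BRUTE_MAX_FAILURES):
    """Flag a source with max_failures or more failed SSH logins within `window`.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    failures = defaultdict(list)           # src -> [time, ...]
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("May  1")
        now = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        times = failures[m["src"]]
        times.append(now)
        recent = [t for t in times if now - t <= window]
        if len(recent) >= max_failures:
            alerts[m["src"]] = len(recent)
    return alerts


# Constructed flows: one external host probes 30 consecutive ports on a server in
# three seconds, while an internal client makes one ordinary HTTPS connection.
FLOWS = [("2024-05-01T10:00:%02d" % (i // 10), "198.51.100.23", "10.0.0.5", 20 + i, "S")
         for i in range(30)]
FLOWS += [("2024-05-01T10:00:0%d" % i, "10.0.0.20", "203.0.113.80", 443, flags)
          for i, flags in enumerate(["S", "A", "PA"])]

# Constructed sshd log: six failures from one source in 15 seconds, one failure and
# one successful key login from an administrator.
AUTH_LOG = "\n".join(
    ["May  1 10:05:%02d bastion sshd[22%02d]: Failed password for invalid user %s "
     "from 203.0.113.9 port %d ssh2" % (3 * i, i, user, 51300 + i)
     for i, user in enumerate(["admin", "root", "oracle", "test", "ubuntu", "pi"])]
    + ["May  1 10:05:20 bastion sshd[2250]: Failed password for ops from 10.0.1.7 port 40010 ssh2",
       "May  1 10:05:25 bastion sshd[2251]: Accepted publickey for ops from 10.0.1.7 port 40011 ssh2"])

if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("brute force:", detect_brute_force(AUTH_LOG))
```

Both detectors are threshold rules over a sliding window, which is the shape of most signature-free intrusion detection: the tuning values decide the false-positive rate, and the text's point about being clear on how the output will be handled applies directly, because every alert here needs a person or a playbook behind it.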


Reference should also be made to the NIST publication SP 800-31, Intrusion Detection Systems, which can be accessed on the NIST website (see above). Note that SP 800-31 has since been withdrawn and superseded by SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), which is the current guidance.
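The system integrity verifier described above, and the evidence of authorized configuration change that the firewalls section asks for, both come down to comparing the current state of a set of files with an approved baseline. As an added example (not from the book or any product), the following Python records the SHA-256 of every file under a directory, reports what has changed since, and seals the baseline with an HMAC so that an intruder who can edit the files cannot quietly edit the baseline as well. The file names, contents and key are constructed for the illustration.

```python
"""Added example (not from the book or any product): a minimal system integrity
verifier. take_baseline() records the SHA-256 of every file under a directory
at the moment its configuration is approved; compare() reports what has changed
since; seal()/check_seal() bind the baseline to a key so that an intruder who
edits the files cannot silently edit the baseline too. The directory contents
in demo() are constructed for illustration."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """What differs between the approved state and the state now on disk."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def seal(baseline, key):
    """HMAC over the canonical JSON form of the baseline. The key (and ideally the
    sealed baseline itself) must be kept off the monitored host."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_seal(baseline, key, tag):
    return hmac.compare_digest(seal(baseline, key), tag)


def demo():
    """Approve a configuration, make two unauthorised changes, and detect them."""
    key = b"example-key-kept-off-host"      # constructed; a real deployment uses a managed secret
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firewall.rules").write_text("default deny\nallow tcp any -> 192.0.2.10 443\n")
        (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        approved = take_baseline(root)
        tag = seal(approved, key)

        # Later: root login re-enabled and an extra rule file dropped in, neither
        # of them through change control.
        (root / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "firewall.rules.local").write_text("allow tcp any -> any 22\n")
        report = compare(approved, take_baseline(root))

        # An intruder who also rewrites the stored baseline to match breaks its seal.
        tampered = dict(approved, sshd_config=sha256_file(root / "sshd_config"))
        report["baseline_seal_ok"] = check_seal(approved, key, tag)
        report["tampered_baseline_seal_ok"] = check_seal(tampered, key, tag)
        return report


if __name__ == "__main__":
    print(demo())
```

The report is the evidence an auditor can be shown: the approved baseline, its seal, and the list of files that differ from it. The design point is that a baseline stored unprotected on the same host is worth little, since whoever changed the files can refresh the baseline too; the seal, or an off-host copy, is what makes the comparison trustworthy.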

User authentication for external connections

It makes sense for the organization to ensure that access to its network by remote users is subject to authentication. A risk assessment should be the basis for selecting an appropriate remote access authentication control; clearly, the existence of any dial-up or wireless access to the network offers attackers a potential way into it. There are a number of approaches and technologies that might, depending on the risk assessment, be appropriate.

The most straightforward methods of authenticating remote users include the RADIUS (Remote Authentication Dial-In User Service), TACACS+ and Kerberos protocols, combined with the CHAP and PAP link-layer protocols, which are the foundation of remote access authentication across the internet. Note that PAP transmits the password in clear and CHAP relies on MD5, so neither should be relied on outside an encrypted tunnel such as a TLS-protected EAP method or an IPsec VPN. Strong, two-factor authentication is also an effective component of remote access authentication, and there are a number of vendors that provide effective services based on these technologies.

Dedicated private lines or facilities for checking network user addresses can be used to provide assurance that the source of the connection is trusted. Equally, dial-back procedures and controls (eg by enabling the modem dial-back facility on a remote access service) can provide protection against unauthorized connections, although, to be secure, these controls should not be used where network services provide call forwarding (now available on most modern telecommunications services). Call-back processes must happen only after the incoming call has been disconnected, and thorough testing should be carried out to ensure that this control actually works.

Node authentication is an alternative method of authenticating connections to remote computer systems. These might be the computer systems of partners, vendors or other third parties. Where a remote computer accesses another computer system, it is authenticated using one of the controls identified above (other than hardware tokens or two-factor authentication, which are designed for human users), typically a cryptographic one. This is to ensure that the automatic connection to or from a remote computer does not provide a way of gaining unauthorized access to a business application. A risk assessment should identify the critical nodes and be used to justify the level of control implemented.
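As an added example (not from the book or any PPP/RADIUS implementation), the following Python contrasts PAP with the CHAP challenge-response of RFC 1994 and then reuses the same authenticator logic for the node-to-node case above, with an HMAC-SHA256 response. The CHAP response construction is the standard one; the node_response function, the ChallengeResponseServer class and all names and secrets are assumptions of this example.

```python
"""Added example (not from the book or any PPP/RADIUS implementation): PAP versus
CHAP, and the same challenge-response logic reused for node authentication.
chap_response() follows RFC 1994; node_response() is an illustrative HMAC-SHA256
construction assumed by this example, not a standard. Names and secrets are
constructed."""
import hashlib
import hmac
import os


def pap_request(name, password):
    """PAP (RFC 1334): the credential itself goes on the wire. Anyone who can read
    the link learns it and can replay it. Shown only for contrast."""
    return {"name": name, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP: MD5(Identifier || secret || Challenge). Only this hash, bound
    to one challenge, crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def node_response(identifier, secret, challenge):
    """Illustrative node-to-node variant: HMAC-SHA256 keyed with the node's secret
    over Identifier || Challenge (this example's own construction)."""
    return hmac.new(secret, bytes([identifier]) + challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """The authenticator. It issues single-use random challenges and checks the
    peer's response against its own copy of the peer's secret."""

    def __init__(self, secrets, respond):
        self.secrets = secrets             # peer name -> secret bytes
        self.respond = respond             # chap_response or node_response
        self.outstanding = {}              # identifier -> challenge awaiting a reply
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        challenge = os.urandom(16)
        self.outstanding[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier, name, response):
        # pop(): a challenge is consumed on first use, so a replayed response finds none
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = self.respond(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(server, name, secret, respond):
    """Returns (genuine peer accepted, wrong secret rejected, replay rejected)."""
    identifier, challenge = server.challenge()
    response = respond(identifier, secret, challenge)          # computed by the peer
    accepted = server.verify(identifier, name, response)
    replayed = server.verify(identifier, name, response)       # same bytes, sent again
    identifier2, challenge2 = server.challenge()
    imposter = server.verify(identifier2, name, respond(identifier2, b"guess", challenge2))
    return accepted, not imposter, not replayed


def demo_chap():
    secret = b"correct horse battery staple"
    return run_exchange(ChallengeResponseServer({"alice": secret}, chap_response),
                        "alice", secret, chap_response)


def demo_node():
    secret = os.urandom(32)                # provisioned out of band on both nodes
    return run_exchange(ChallengeResponseServer({"partner-erp": secret}, node_response),
                        "partner-erp", secret, node_response)


if __name__ == "__main__":
    print("PAP sends:", pap_request("alice", "correct horse battery staple"))
    print("CHAP:", demo_chap())
    print("node auth:", demo_node())
```

Two properties are visible in the code: the secret never crosses the link, and a captured response is useless because the authenticator discards each challenge once it has been used. The caveats are visible too: the authenticator must hold each peer's secret in recoverable form, and RFC 1994 CHAP is built on MD5, so in practice it is carried inside an encrypted method such as an EAP-TLS tunnel or an IPsec VPN rather than over an unprotected link.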
