Unauthorized access can lead to devastating effects. Entities can become victims of malicious activities such as identity theft, financial fraud, theft of data (e.g., credit card data) and attacks on systems (e.g., denial of service), which can be especially harmful for online businesses. All of these harmful effects have been the subject of various news reports in the past.
Criminals, especially IT-savvy ones, have become expert at recognizing weaknesses in access and have become knowledgeable about the tools necessary to successfully exploit weak systems. In fact, experts say more and more criminals are focusing on IT crimes rather than traditional street crimes. Statistics from the Computer Emergency Readiness Team (CERT) and industry security analysts show that about 80 percent of all malicious activities come from current or former employees.1
Thus, more than ever, one of the prime concerns in any audit, and for management, is the logical access to computer systems and data. The proliferation of IT, and the Internet in particular, has caused the risks associated with systems and data to explode. In fact, this topic has made the American Institute of Certified Public Accountants (AICPA)’s Top Technology Initiatives every year since 2005 and is ranked first on the 2010 list.2 Some level of audit risk and business risk exists in virtually every audit because of a variety of IT-related vulnerabilities, but especially access controls.
Earlier this year, this column identified five areas of IT general controls (ITGC) that should be examined in every financial audit.3 Logical access was one of those five. This article adds further information, in a broader sense of audits, about logical access.
To mitigate the risks associated with access control, it is necessary to identify the risks associated with access controls and to assess the level of those risks. An entity must then establish sound policies and procedures for granting authorized users access while simultaneously protecting itself from unauthorized access. This area of concern is generally considered a subset of identity and access management (IAM). One method for addressing these risks is through the perimeter for authorized access, the process of granting access on only a need-to-know basis (including admin rights) and the process of terminating employees.
Mitigating Logical Access Risks
On the perimeter, best practices include authorization and authentication of users in the access rights policies and procedures.
Authorization access controls are those with an objective to ensure that the person seeking access is authorized. This control is most often associated with login credentials and procedures, e.g., requiring an ID and password. However, the hacker world has developed sophisticated tools that can break fairly easily into systems with unsophisticated passwords (names, words found in the dictionary, etc.). Therefore, over the years, best practices have been expanded to include “strong” passwords, frequent changes to passwords and multifactor access controls, as appropriate. The greater the risk, the greater the need for more sophisticated and secure access, and the greater the need for additional layers of access controls. The more of the following elements a password includes, the stronger it is considered to be:
- It is at least eight characters long.
- It includes at least one special character.
- It includes at least one number.
- It mixes cases for alpha characters.
- It uses an incoherent phrase (i.e., not an address, etc.).
The purpose of these elements is to thwart existing hacker tools that can guess passwords. Weak passwords and PINs are the major cause for security breaches, according to IT consulting firm Frost & Sullivan.4 Usernames and passwords/PINs are usually static or shared across multiple accounts by users, making them relatively easy prey to hackers and crackers. The security profession and financial institutions have responded with temporary PINs and other tools and procedures.
Authentication controls have a different objective. They attempt to ensure that persons logging in to the system are who they say they are. One classic illustration of this extra layer is biometrics. That is, controls are not sufficient where risks are relatively high and the access controls consist of only an authorization control with one layer—ID and password.
Most savvy IT managers add tools such as USB tokens, smart cards, temporary PINS and biometrics on top of ID and password. A USB token, such as one from Entrust or Aladdin, is a hardware device that must be connected to the remote computer in a USB slot before access will be granted. Smart cards are swiped on a reader—similar to the way credit cards are used—on the computer and are combined with the ID and password to grant access. Temporary PINs are numbers sent back to a prearranged device, such as a text message to a cell phone or a small pager device, in which, to gain remote access, users have a limited time to enter the PIN along with their ID and password. The greater the risk, such as a remote login to sensitive data, the greater the need for strong controls for authentication.
However, it is not enough to protect the perimeter. According to CERT in a white paper titled “An Introduction to Insider Threat Management,” over the last 10 to 15 years, organizations have spent billions of dollars building stronger defenses to protect their data and systems from hackers and external malicious parties. On average, more than 75 percent of corporate IT security budgets is directed toward protecting against outsiders, even though the annual Computer Security Institute/FBI Computer Crime and Security Study continues to show that insiders were responsible for just as many incidents as outsiders. A 2009 Information Security Magazine survey shows the biggest increase in IT spending is in the area of IAM, with the biggest driver being preventing unauthorized access of sensitive information by employees.
Once logged in, even an authorized user should be constrained from having access to all data and applications. Employees should have access to only those applications necessary to do their particular job. That limitation also includes data access rights of read-only, read/write or no access, where applicable (i.e., need-to-know access). For instance, a good security policy would be to have a strong logical access system on the network to log in to the system (e.g., Active Directory applied effectively on Microsoft SQL Server). But then, where risks are high, the entity should have another system of login credentials and access granted for each key application. Some application systems, such as Microsoft Dynamics, provide their own access control as a separate layer of security over data access via the applications. If both of these access control systems are managed properly, someone’s ability to break through the perimeter can be mitigated by strong access controls in the “back office” system—that is, a strong pair of controls to prevent unauthorized access. This need-to-know approach to applications is a key element of sound access controls.
Administrative access rights are a critical area that need controls because of the broad access rights “admin” has once logged into the system, and they are included as part of “need to know.” Adequate access controls should provide for the application of best practices for the administrator function of databases or database management systems (DBMS), such as DB2, Oracle and SQL Server. They include, but are not limited to, not using a default ID/password for admin, minimizing the number of employees with admin access and establishing some modicum of segregation of duties. Admin rights are especially critical for operating systems in which root access can be granted, giving someone “the keys to the kingdom.” Obviously, this area is another that should be examined during most IT audits of any nature.
Lastly, when employees are terminated, there should be effective controls in place to terminate the employee’s access to the systems. At termination, entities sometimes forget about logins and access rights formally granted to employees. All entities need an effective control or set of controls to ensure that all terminated employees lose all access rights.
An effective and logical approach is to tie access control to human resources (HR) procedures. When an employee is hired, transferred or leaves the organization, the HR procedures should include the requisite changes to that employee’s access rights. When a new employee is hired, that person’s “need to know” should be assessed and access rights should be granted to only those applications and data necessary for that person’s job responsibilities. Either the application or the network software should have the means to limit access appropriately. If an employee is transferred, those access rights may change because of the different responsibilities involved in the transfer. Thus, the HR transfer process should include a review of and a change, if necessary, in access rights. When an employee leaves the organization for any reason, but especially if the employee is fired, access rights should be terminated as close to the person’s termination as possible, but no later than the person’s last day on the job.
Conclusion
The IT auditor should consider the previously disclosed procedures in an audit to ensure that access controls are adequate to mitigate the risks associated with access, including limiting the access of legitimate employees to need to know, and mitigating the risk of an unauthorized intrusion.
Endnotes
1 Hirschhorn, Karen; “Hacker Activities,” IT Defense Magazine, December/January 2007, p. 12-15. See also the Insider Threat Research web page at www.cert.org/insider_threat/.
2 Per the 2010 AICPA Top Technology Initiatives Survey conducted mid-2010. Question: “Which top ten technology considerations are driving your business or practice today?” Number one answer: “Security of data, code and communications/data security and document retention/ security threats.” See http://infotech.aicpa.org.
3 Singleton, Tommie; “The Minimum IT Controls to Assess in a Financial Audit (Part II),” ISACA Journal, vol. 2, 2010
4 Ayoub, Robert; “An Overview and Competitive Analysis of the One Time Password (OTP) Market” (White Paper), Frost & Sullivan, June 2009, http://whitepapers.techrepublic.com.com/abstract.aspx?docid=1016477
Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in- residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the ISACA Journal.