In Chapter 11 (attached), beginning at the section titled “Network Access Control”, Calder and Watkins (2020) identify a number of areas covered under Network Access Control – (VPNs, Extranets, Wireless Networks, Access to networks and network services, Firewalls and network perimeter security, Routers and switches, Network intrusion detection systems, and User authentication for external connections)
> Choose three items from the listings and explain each of the network access items requiring control, why it is important that proper control is provided, and what are some of the common threats that might result from improper or missing control on that item. Develop one well-conceived preventative measure against breaches in that area. Provide an example of each elaborating your ideas to support your answer.
Need 6-7 pages in APA format with introduction + conclusion and peer-reviewed citations.
11
Access control
Control objective A.9 of the standard is extremely important; it focuses on access to information, and a properly thought-through and thoroughly implemented access control policy, within the ISMS, is fundamental to effective information security. This control category provides for appropriate monitoring and is a major clause in the standard and a major component of the ISMS.
The reader needs to understand that access control has become increasingly critical over recent years. Chapter 1 set out the key reasons why cybercrime is on the increase and outlined the nature of the advanced persistent threat facing most economies today. In particular, it pointed to the growth in hacking. It is worth understanding the world of hackers, as a background to the need for effective access control.
Hackers
It has been argued that hackers have four prime motivations:
●● challenge – to solve a security puzzle and outwit an identified security set-up;
●● mischief – wanting to inflict stress or damage on an individual or organization;
●● working around – getting around bugs or other blocks in a software system;
●● theft – stealing money or information.
IT GOVERNANCE 162
Hackers like to talk about ‘white hat’ and ‘black hat’ hackers, or just ‘hackers’ (good) and ‘criminal hackers’ (not so good). The argument is that the ‘black hat’ hackers are malicious and destructive while the ‘white hat’ hackers simply enjoy the challenge and are really on the side of good, offering their skills to help organizations test and defend their networks. This differentiation is convenient for hackers, who seem able to change hats as easily as they would evade network defences. The only sensible approach for any security-conscious organization is to assume that all hackers are potentially in the wrong-colour hats, however they might initially present themselves. ‘Grey hats’ is a term that has evolved to recognize the uncertain danger of so-called ‘ethical’ hackers.
The ‘Certified Ethical Hacker’ (CEH) certification is one of a growing range that have evolved to recognize a particular level of hacking skill, based on completion of an intensive training course. Those who go on such a course are not initially screened for their ethical bias, and one should approach the employment of a CEH with open eyes. Of course, the absence of a formal qualification should prevent one from hiring anyone to test network systems.
The term ‘cracker’ evolved to identify black hat hackers who break into computer systems specifically to cause damage or to steal data. Hackers like to say that crackers break into computers but that hackers get permission first, and will publish their discoveries. Of course, hackers become crackers, crackers become hackers, and either could become a security consultant.
‘Script kiddies’ are none of the above; most IT departments contain one or more individuals whose interest in testing the systems that they are employed to protect leads them from time to time beyond the law. They are not as sophisticated as hackers and so they have not yet qualified for a hat, but, using their own very simple code or, more usually, programs found on the internet, they can be just as lethal to unprotected systems as the higher profile hacker collectives that have gained press coverage in direct proportion to their hacking exploits.
Hacker techniques
Some of the more common, basic techniques that hackers use to gain access to networks are set out, alphabetically, below. The OWASP Top 10 are the most significant web application vulnerabilities, and the SANS Storm Centre releases updates on new, critical vulnerabilities. The list, which includes common hacker terms, keeps growing and is therefore never up to date:
●● Abusing software. Hackers, once they have gained access to a system, use the installed software for their own ends. This can include using administrative tools for uncovering network weak points for exploitation, abusing CGI (Common Gateway Interface) programs on web servers, exploiting vulnerabilities in Microsoft’s Internet Information Server (IIS), and so on. The advice of a network security specialist should be sought to ensure that the organization fully understands the current level and type of risks arising from these types of activities.
●● Back door. Programmers or administrators deliberately leave ways into software systems that can be used later to allow access to the system while bypassing the authorized user file. Sometimes, developers forget to take out something that was put there simply to ease development work or to assist with the debugging routine. Sometimes ways are deliberately left in to help field engineers maintain the system. However they get there, they can provide any unauthorized user with access to the system.
●● Back orifice. This program is a remote administration tool that has great potential for malicious use. It is very easy to use, so that script kiddies have no problem using it. It is also ‘extensible’, which means that it develops and improves with age. Most anti-malware systems should detect and remove back orifice, but new versions become available on a regular basis.
●● Broken authentication and session management. These attacks take advantage of flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc to impersonate users and take over privileged accounts.
●● Buffer overflow. A buffer is an area of memory that holds data to be processed. It has a fixed, predetermined size. If too many data are placed into the buffer, they can be lost or can overwrite other, legitimate data. Buffer overflow vulnerabilities have for a number of years been a major source of intrusion. They provide hackers with an opportunity to load and execute malicious code on a target workstation.
●● Cross-site request forgery (CSRF). This takes advantage of web applications that allow attackers to predict all the details of a particular action. Since browsers automatically send credentials such as session cookies, attackers can create malicious web pages that generate forged requests that are indistinguishable from legitimate ones.
●● Cross-site scripting (XSS). This is the most prevalent web application security flaw, and attackers attempt to exploit it by executing scripts in a victim’s browser to hijack user sessions, deface websites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
●● Denial of service (DoS). This sort of attack is designed to put an organization out of business for a time by freezing its systems. This is usually done by flooding a web server with e-mail messages or other data so that it is unable to provide a normal service to authorized users. A distributed denial-of-service (DDoS) attack uses the computers of other, third-party organizations or individuals (which have themselves been commandeered by the cracker) to mount the attack.
●● Exploit. This is either the methodology for making an attack against an identified vulnerability (the noun) or the act (the verb) of attacking or exploiting the vulnerability. Exploits are often published on the internet, either by black hats or by grey hats, who claim that this is a good way of forcing software suppliers to develop more secure software or to provide fixes for existing software.
●● ‘Man in the middle’. A hacker places himself or herself, undetected, between two parties to an internet transaction, whether on a local area network (LAN) or on an unsecured internet link. The hacker intercepts and reads messages between the two parties and can alter them without the intended recipient knowing what has happened. This is often recognized as a form of masquerading (see below).
●● Masquerading. A hacker will pretend to be a legitimate user trying to access legitimate information, using a password or PIN that was easily obtained or copied, and will then try to access more confidential information or execute commands that are not usually publicly accessible.
●● Network monitoring. This is also known as ‘sniffing’ and involves deploying some code on the internet to monitor all traffic, looking for passwords. These, and other ostensibly confidential information, are often sent ‘in the clear’, and therefore can easily be located and written to the hacker’s workstation for future use.
●● Password cracking. This is actually, on balance, very easy. Most users do not set up passwords or, if they do, use very simple passwords that they can easily remember, like ‘secret’ or ‘password’, or their children’s names, or birthdays, sports teams, particular anniversaries or family names. While some hackers can quickly identify particular users’ passwords, software is now available on the internet that will apply ‘brute force’ to try, automatically and at high speed, every theoretically possible alphanumeric combination of user name and password and, usually aided by a dictionary of common passwords, this can quickly enable a hacker to gain access to a system. Once a hacker locates the list of encrypted passwords on the security server, he or she can use internet-available software tools to decrypt it.
●● Polymorphic attacks. The polymorphic attack uses advanced techniques to obfuscate the malicious code that is executed when an attack successfully takes advantage of a system’s vulnerability to compromise the system. They continuously change (or ‘morph’) non-essential components of their code, while maintaining the core attack algorithm, to deceive intrusion detection systems.
●● Rootkit. Originally, a rootkit was a set of tools that allowed administrator-level access (called ‘root’ access in the Unix world) to a computer or network. These tools could also be used by an attacker to hide evidence of his or her intrusion. The term has therefore evolved to describe stealthy malware – malware such as a Trojan, virus or worm – that actively conceals its existence from computer users and system processes.
●● Security misconfigurations. These can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. They enable attackers to access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc to gain unauthorized access to or knowledge of the system.
●● ‘Social engineering’. The easiest and most common method of gaining access to a network or secure environment is to trick someone into providing confidential information. The hacker, for instance, poses as a network administrator or a fellow employee with an urgent problem that can only be resolved by the employee providing confidential information (such as user name or password). Alternatively, the hacker has a false business card, claiming to be a key technical or business support representative, or claims to be a new employee trying to get up to speed in the business. Staff should not divulge their password to anyone, even IT support staff. For emergency access to restricted systems and administrative applications, the information security manager may want to hold administrator passwords in a central password manager. Irregular testing needs to occur so that should an administrator be dismissed for any reason, the system(s) to which he or she had access can be maintained, and the passwords changed.
●● Spoofing. IP spoofing gains unauthorized access to a system by masquerading as a valid internet (IP) address. Web spoofing (phishing and pharming) involves the hacker redirecting traffic from a valid web address to a fraudulent, lookalike website where customer information (and particularly credit card information) is captured for later illegal reuse. Phishing is also the attack vector of choice for deploying malware onto networks.
●● SQL injection. This is inputting SQL statements into a web form, trying to find design vulnerabilities that will allow the hacker to write directly to the database to change or extract the data.
●● Trojan horses. These are programs that, while they might appear to be useful utilities, are designed secretly to damage the host system. Some will also try to open up host systems to outside attack.
●● Zero Day attacks. These occur when a flaw in software has been discovered and exploits of the flaw appear before a fix or patch is available. Once a working exploit of the vulnerability is released into the wild, users of the affected software will be compromised until a software patch is available or some alternative mitigation is put in place.
Hackers do not exist only outside the organization. They are often employed by the organization that they target. They might also be disgruntled former (or about to be former) employees who want to take revenge on the organization for letting them go. Internal hackers can be more dangerous than external ones, not least because they start off knowing far more than anyone outside the organization. They might already have access rights that are capable of getting them to places that the organization does not want them to visit. Equally, it is possible for an attacker to gain unauthorized access to the organization’s premises and, once inside the physical perimeter, to access a relatively unsecured machine through which the entire network can be reached. The fact that an information system is not directly connected to the internet does not mean that it is not liable to be attacked. Such systems have to be subject to the same level of security as those that are connected to the internet, and the risk assessment needs to take all possible risks into account.
System configuration
The first step that any organization should take in order to deal with the threat of hacking is to eliminate as many as possible of the vulnerabilities that may be native to the Microsoft (and other) software packages deployed in the workplace. This is done by ensuring that the systems are loaded and configured in line with the Microsoft guidelines (as set out at www.microsoft.com/en-gb/security (archived at https://perma.cc/YY9A-6W65)) and as amended or strengthened by the recommendations set out on the website of the CERT coordination centre (www.sei.cmu.edu/about/divisions/cert/index.cfm (archived at https://perma.cc/C9ZJ-KUQ7)), the Software Engineering Institute of the Carnegie Mellon University. Their configuration recommendations are independent and, subject to the organization’s own risk assessment, their recommendations ought to be adopted as basic good practice in server and workstation configuration.
Whatever technical requirements are adopted by the organization, they should be documented and appropriate steps taken to ensure, by means of a regular independent technical check, that they are being maintained.
Access control policy
Control 9.1.1 of ISO27002 says the organization should define and clearly document its access control policy on the basis of business and information security requirements and then restrict access to what is defined in the policy. Access controls are both physical and logical, and, as they should complement each other rather than conflict, they should be considered together. This consideration has to take into account the range of risks from hackers and crackers, and, if necessary, specialist advice on the latest cracker threats and technological defences should be taken as part of the risk assessment process.
Access control rules and user rights for individual users and groups of users should be related to business objectives and clearly documented, and users should be aware of them. Failure to implement the policy properly will lead to too many people having access to too much information and at too high a level of confidentiality. This tends to lead to unauthorized access to information, disclosure to third parties of confidential information, etc. Training on the access control policy and access control rules should be part of basic user training. The level of dependency on other, highly individualized components of the ISMS means that each organization has to develop its own unique policy.
The access control policy in the ISMS should, ISO27002 says, take a number of factors into account:
●● Different business applications have different security requirements. These are determined by identifying all the information that the business systems are carrying and through the individual risk assessments carried out for each critical business system; these risk assessments point at who should, and should not, be allowed access to the system.
●● Some information required for particular business applications may be processed by people who do not need access to the application itself (the ‘need-to-know’ principle in action). An example might be in an office workflow system, where the person who inputs a supplier delivery note to a purchase and payments application does not need access to the actual accounting or payment functions of the system. Such a person would need different access rights from those required by a person who triggers actual vendor payments.
●● The information classification system needs consideration. User access rights should reflect the level of information that users are allowed to see.
●● There should be consistency between the access control and information classification policies of different networks within the same organization; inconsistency leads to incoherence, which leads to people taking short cuts (because of there being an excessive number of user names and passwords, and too much variation in responsibility), and this leads quickly to breakdowns in information security.
●● Relevant legislation, particularly data protection legislation, and any contractual obligations that the organization has to protect particular data should be analysed and taken into account.
●● There should be standard user access profiles for common job categories, as this makes it straightforward to manage and provide training. In situations where people with similar jobs have different access rights, security will break down as individuals unofficially share the most useful access profiles. Authorization to create a new user name should set out the areas of the network to which the user is to have access.
●● A distributed, networked environment that recognizes a number of different types of connections should consider all of them, so that, for instance, a user who can access something on the desktop can also do so remotely. The Microsoft Windows roaming profile makes this possible.
●● Segregation of duties should apply here as well: if the organization is large enough, different roles should be responsible for processing access requests, authorizing them and setting them up.
●● Access controls, like all ISMS controls, should be periodically reviewed; as a weakness in this control could provide access to sensitive and confidential information or systems, it is as important to monitor this as it is to monitor the activity of those who have access to the organization’s bank account.
●● Access rights should be formally approved, regularly reviewed and removed or adjusted when an employee is terminated or has a change of role. (This aspect, covered by control A.9.2.6, was dealt with in Chapter 8.)
The access policy will set the key principles that are to govern access to information and information systems. In setting these rules, the ISMS must clearly differentiate between rules that are always enforced and those that are optional, conditional or occasion specific. A key principle should be that whatever is not expressly permitted is forbidden; the alternative, that what is not expressly forbidden is permitted, is much weaker and can, for instance, allow hackers on the organization’s staff full licence to indulge in whatever they think they can describe as being not forbidden.
Changes in information classifications, in user permissions and in access control rules (and these can happen both automatically through the system and as a result of human intervention, some of which may or may not require other approvals before implementation) should also be considered in drawing up the detailed rules. The overall objective must be to identify and close loopholes in the rules as early as possible. Regular review of access control rules is therefore very important.
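The policy principles above (standard profiles per job category, need-to-know on individual functions, classification-based clearance, segregation of duties for access requests, and ‘whatever is not expressly permitted is forbidden’) can be expressed as a small default-deny evaluator. This is an added illustration, not code from the book or from ISO27002; the profiles, users, applications and classification levels are constructed.

```python
"""Default-deny access control policy evaluator (added example).

Models the access control policy rules from the chapter with constructed
profiles, users, application functions and classification levels.
"""
from dataclasses import dataclass

# Information classification levels, lowest to highest (constructed names)
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Profile:
    """Standard access profile for a common job category."""
    name: str
    clearance: str          # highest classification this profile may see
    permitted: frozenset    # (application, function) pairs expressly granted


@dataclass
class User:
    name: str
    profile: str
    active: bool = True     # set to False on termination or change of role


# Standard profiles for common job categories (constructed). The clerk who
# enters delivery notes does not get the payment function: the need-to-know
# principle from the chapter's purchase-and-payments workflow example.
PROFILES = {
    "ap_clerk": Profile("ap_clerk", "internal",
                        frozenset({("purchasing", "enter_delivery_note")})),
    "ap_manager": Profile("ap_manager", "confidential",
                          frozenset({("purchasing", "enter_delivery_note"),
                                     ("purchasing", "approve_payment")})),
    # Deliberately inconsistent profile: granted a function classified above
    # its clearance, to show the classification check catching a policy error.
    "auditor": Profile("auditor", "internal",
                       frozenset({("hr", "view_salaries")})),
}

# Classification of each application function (constructed)
RESOURCE_CLASS = {
    ("purchasing", "enter_delivery_note"): "internal",
    ("purchasing", "approve_payment"): "confidential",
    ("hr", "view_salaries"): "restricted",
}


def is_permitted(user, application, function):
    """Return (allowed, reason). Whatever is not expressly permitted is
    forbidden: every check must pass, and an unknown user profile or an
    unlisted resource is refused rather than allowed by default."""
    if not user.active:
        return False, "account disabled"
    profile = PROFILES.get(user.profile)
    if profile is None:
        return False, "no standard profile"
    resource = (application, function)
    if resource not in RESOURCE_CLASS:
        return False, "unknown resource"
    if resource not in profile.permitted:
        return False, "not expressly permitted"
    if CLASSIFICATION[RESOURCE_CLASS[resource]] > CLASSIFICATION[profile.clearance]:
        return False, "classification exceeds clearance"
    return True, "permitted"


def provision_access(request):
    """Segregation of duties for access requests: the people requesting,
    authorising and setting up the account must all differ, access is only
    granted through a standard profile, and the authorisation must name the
    areas of the network the user is to have access to."""
    people = {request["requested_by"], request["authorised_by"], request["set_up_by"]}
    if len(people) < 3:
        raise PermissionError("requester, authoriser and implementer must be distinct")
    if request["profile"] not in PROFILES:
        raise ValueError("access must be granted through a standard profile")
    if not request.get("areas"):
        raise ValueError("authorisation must list the areas of the network granted")
    return User(request["user"], request["profile"])


if __name__ == "__main__":
    clerk = User("alice", "ap_clerk")
    print(is_permitted(clerk, "purchasing", "enter_delivery_note"))
    print(is_permitted(clerk, "purchasing", "approve_payment"))
```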
Network Access Control
Network access control needs to be considered in the context of the changing access needs of users and organizations. Accessibility of internal and external networked services should not compromise the security of those services. This means there need to be appropriate interfaces between the organization’s network and other networks, particularly the internet, with appropriate authentication mechanisms for users and equipment, and controls over user access to information services.
A private network that carries sensitive data needs to protect the privacy and integrity of that traffic. When such a network is connected to other networks, or when browser access is allowed, the remote terminals and other connections become extensions to that private network and must be protected accordingly. In addition, the private network must be protected from outside attacks that could cause loss of information, breakdowns in network integrity or breaches in security.
There is more to the issue of network security than simply considering fixed private networks, whether local area networks (LANs) or wide area networks (WANs). WANs and LANs are usually discrete networks using fixed private cabling within the organization’s facilities to connect their information processing facilities (a LAN) or using privately leased or owned fixed data links to connect LANs in a number of different locations securely. Virtual private networks (VPNs), extranets and wireless networks are now important parts of the networking universe.
Virtual private networks (VPNs)
VPNs are, in effect, alternative WANs that replace or augment an existing fixed private network. There are two types of VPN: remote access VPNs, which extend the network to telecommuters, home offices and mobile workers, enabling them to log on securely to the corporate network across the internet; and site-to-site VPNs, which securely connect remote sites to a corporate or central site, using service provider connections or the internet. A VLAN is a group of end stations which, independent of physical location, are networked by means of a VPN. VLANs have the same attributes as a physical LAN but allow you to group end stations even if they are not located physically on the same LAN.
VPNs utilize specific technologies, such as Internet Protocol Security (IPSec), which takes advantage of digital encryption technology. VPN technology has become relatively ubiquitous, but installation of a VPN may require specialist technical advice as well as the specialist technology. The organization will need to carry out a risk assessment in respect of its VPN, expecting that it should employ the same security and management standards for its VPN as for any fixed network.
Extranets
Extranets support business-to-business (b2b) commerce and collaboration between independent entities, typically via the internet. As markets consolidate and core services are externalized, organizations need to communicate securely with a network of external partners that includes outsourcing companies, demand and supply chain partners, consultants and contractors. Extranets need to be extremely flexible and must be deployed quickly (in ‘internet time’) without needing to redevelop or re-architect existing applications while leveraging existing infrastructures. They must also be scalable, to allow for future growth to be supported quickly, easily and inexpensively. At the same time, extranets must ensure that confidential information remains confidential and that authenticated users can access only the services they are authorized to access. This needs to be done without requiring the partner, customer or vendor to change its security policies, network infrastructures or any aspect of its existing set-up for the benefit of the extranet.
This appears to fly in the face of the requirements of ISO27001; however, organizations need to respond to market drivers without compromising their information security. Extranets should be deployed in line with business objectives; there is no such thing as a ‘one size fits all’ extranet. Some extranets are designed for user groups simply to view static information, while others are designed for a more dynamic interaction with the enterprise. The extranet might need to communicate with a mass of customers, or a mass of suppliers, or a small number of partners involved in product development or some combination of these.
Secure extranets will rely on encryption, strong two-factor or even multi-factor authentication, granular access control and other VPN security features. The extent to which third parties can effectively be bound by contracts is limited by the extent to which their terms can be accepted at the initial log-in stage of accessing the extranet. There are specialist products that can be deployed to create and manage secure extranets, or organizations can create their own simply by implementing the types of security solution discussed in this book. The management process is the same for extranets as it is for other information security issues: carry out a risk assessment and deploy an appropriate, cost-effective solution.
NIST’s Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, provides guidance on planning, establishing, maintaining and terminating interconnections between independent organizational information systems. It can be accessed at csrc.nist.gov (archived at https://perma.cc/Z5WL-42XB).
Wireless networks
Wireless networks are an increasingly important issue, in information security terms. Wireless networks are convenient, inexpensive to set up (there is no category five fibre optic cabling to lay or move) and they enable group working and data sharing to take place easily and simply. They consist of notebooks, workstations, mobile devices and other peripherals that access a corporate network using shared radio waves, wireless access points and wireless networking protocols. The WEP (Wired Equivalent Privacy) and the 802.11 group of standards were created to tackle the vulnerability that comes from using shared radio waves to transmit data, in theory making wireless transmissions as safe as using a fixed network by encrypting wireless traffic and using WEP to authenticate nodes.
However, many wireless networks have no security, WEP is extremely limited as a security technology, and wireless networks are extremely vulnerable. Flaws continue to be found (by ‘war drivers’ and ‘war chalkers’ and wireless hackers), which means that the wireless security standard is continuing to evolve, with WPA (Wi-Fi Protected Access), WPA2 and 802.11i the current security standards. Specialist security procedures will be necessary for wireless networks and mobile workers. These include advanced encryption key management and, more significantly, placing the wireless network outside the organizational firewall, with no routes to the outside internet other than through a secure VPN. A detailed risk assessment drawing on specialist advice that reflects the risks of bandwidth theft, security gateway bypassing, identity theft, illegal activity and espionage should inform the decision on this issue.
There are a number of other basic security requirements in regard to wireless networking that should be put in place as a matter of course. These include changing the SSID (Service Set Identifier – the public name of a wireless network) to one that does not identify its location or users, ensuring that access control is enabled, as well as requiring WPA or WPA2. Network administrators should, subject to their risk assessment, have a process for monitoring whether or not mobile wireless access points have been plugged into their network.
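The basic wireless requirements just listed can be turned into a periodic review that compares a site survey with the authorised access-point inventory. This is an added example, not from the book: every BSSID, SSID, vendor prefix and switch-port MAC address is constructed, and matching an unknown access point’s vendor prefix against addresses learned on non-AP switch ports is a heuristic assumed here for ‘an access point has been plugged into the network’.

```python
"""Wireless access point review against an authorised inventory (added example).

Flags the conditions the chapter calls out: access points broadcasting the
corporate SSID that are not in the inventory, unknown access points that
appear to be plugged into the wired network, WEP or open networks instead of
WPA/WPA2, and SSIDs that identify the location or users.
"""
import re

# Authorised access points: BSSID -> SSID they are configured to broadcast (constructed)
AUTHORISED_APS = {
    "00:11:22:33:44:01": "corp-net",
    "00:11:22:33:44:02": "corp-net",
}
CORPORATE_SSIDS = set(AUTHORISED_APS.values())

# WPA or WPA2 required; WEP, open networks and anything else are flagged
ACCEPTABLE_SECURITY = {"WPA", "WPA2"}

# SSID words that would identify the site or its users (constructed list)
IDENTIFYING = re.compile(r"floor|hq|office|finance|ceo|legal|payroll", re.I)


def oui(mac):
    """First three bytes of a MAC address: the vendor prefix."""
    return mac.lower()[:8]


def review_survey(survey, wired_macs, authorised=AUTHORISED_APS):
    """survey: dicts with 'bssid', 'ssid' and 'security' from a wireless scan.
    wired_macs: addresses learned on switch ports not designated for APs.
    Returns (bssid, finding) tuples; an empty list means nothing to act on."""
    findings = []
    wired_ouis = {oui(m) for m in wired_macs}
    for ap in survey:
        bssid = ap["bssid"].lower()
        ssid = ap["ssid"]
        security = ap["security"].upper()
        ours = bssid in authorised
        if ours:
            if ssid != authorised[bssid]:
                findings.append((bssid, f"authorised AP broadcasting unexpected SSID {ssid!r}"))
        else:
            if ssid in CORPORATE_SSIDS:
                findings.append((bssid, "unknown AP broadcasting corporate SSID"))
            if oui(bssid) in wired_ouis:   # heuristic: same vendor prefix seen on the wire
                findings.append((bssid, "unknown AP appears plugged into the wired network"))
                ours = True                # apply the remaining checks to it as well
        # Neighbouring networks that are not ours are left alone from here on
        if ours and security not in ACCEPTABLE_SECURITY:
            findings.append((bssid, f"weak or no encryption: {security}"))
        if ours and IDENTIFYING.search(ssid):
            findings.append((bssid, f"SSID reveals location or users: {ssid!r}"))
    return findings


# Constructed survey: two authorised APs (one still on WEP), an unknown AP
# impersonating the corporate SSID, a staff-installed open AP that shares a
# vendor prefix with a device on an access port, and a neighbour's network.
SAMPLE_SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-net", "security": "WPA2"},
    {"bssid": "00:11:22:33:44:02", "ssid": "corp-net", "security": "WEP"},
    {"bssid": "cc:dd:ee:ff:00:01", "ssid": "corp-net", "security": "WPA2"},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "finance-floor3", "security": "OPEN"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "coffee-shop", "security": "OPEN"},
]
SAMPLE_WIRED_MACS = ["10:20:30:40:50:60", "aa:bb:cc:dd:ee:05", "10:20:30:40:50:61"]


def sample_findings():
    return review_survey(SAMPLE_SURVEY, SAMPLE_WIRED_MACS)


if __name__ == "__main__":
    for bssid, finding in sample_findings():
        print(bssid, finding)
```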
These sorts of wireless networks are not, however, the end of the story. Wireless networking includes the increasing array of machines that are designed to access corporate networks other than across fixed links. There is, of course, the mobile phone. S