
Computer Audit Update April 1992

Teresa Lunt is director of Secure Systems Research at SRI International, Menlo Park, California. She is leading two landmark projects: the SeaView multilevel secure relational database system and the IDES intrusion-detection system. She is also leading new research in the areas of: security for real-time systems, inference control in multilevel database systems, security for knowledge-based systems, and using AI techniques for computer security.

SOME THOUGHTS ON ACCESS CONTROL

Willie List

Too many passwords

All services supplied electrically require an identification of the organization, and usually also of the individual within the organization using the service, in order to send them a bill. This identification normally comprises a password and user ID in addition to the specific codes etc. needed to make the connection. If a person uses many services then remembering all the codes can be tedious -- senior people often let their secretaries remember for them! In planning the use of multiple services, facilities should be provided to generate the myriad passwords 'automatically'. These should themselves be encrypted, and perhaps a more positive identification of the user than just a password is required as well.

Hackers must be kept out

This is easier said than done. Many external people have a legitimate need to access systems -- maintenance staff are but one example. Best practice states that access codes should be granted on each specific occasion access is required. This is an administrative hassle for both the organization and its supplier, made more difficult as increasingly remote diagnostics of hardware and the updating of software packages are being used by suppliers. What happens if in the middle of the night the system goes down and the person who can issue passwords is absent? If hackers were only third parties it would be relatively easy to keep them out, but often hackers are insiders or gain information on access routines from insiders.

Keep the restrictions simple

All people need to be identified to the system; this allows logs to be kept properly. Few people need rights to amend or delete data; many people need to input data. Most data in commercial concerns is not confidential within the organization.

To simplify the access controls therefore:

Make sure those authorized to amend and delete data are the right (few) people.

Be very clear on what is confidential, for what period of time and who should be allowed to see the data. Set limited access rights to the identified data only; leave the rest to have a general read only access right at, say, departmental or section level. This may require amendments to applications so that restricted data is clearly separable from the rest before this can be achieved.

Certain people, probably the IT staff, will have very substantial rights. In these cases it is important to clearly identify which people are required to have these rights and how effective supervision of their work can be carried out.
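As an added illustration (not the author's own code, nor from any product the article names), the three points above expressed as one access decision routine in Python: every actor is identified so decisions can be logged, only the named few may amend or delete, everyone may input, reads default to departmental level, and data marked confidential carries an explicit reader list for a stated period. The user, department and record fields are assumed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class User:
    user_id: str              # every person is identified to the system
    department: str
    can_input: bool = True    # many people input data
    can_amend: bool = False   # only the right (few) people amend or delete


@dataclass
class Record:
    department: str
    confidential: bool = False
    readers: FrozenSet[str] = frozenset()        # who may see it while confidential
    confidential_until: Optional[date] = None    # the period for which it is confidential


@dataclass
class AccessControl:
    log: List[Tuple[str, str, bool]] = field(default_factory=list)

    @staticmethod
    def restricted(rec: Record, today: date) -> bool:
        # A record stops being restricted once its stated period has passed.
        if not rec.confidential:
            return False
        return rec.confidential_until is None or today <= rec.confidential_until

    def decide(self, user: User, action: str, rec: Record, today: date) -> bool:
        if action in ("amend", "delete"):
            ok = user.can_amend
        elif action == "input":
            ok = user.can_input
        elif action == "read":
            if self.restricted(rec, today):
                ok = user.user_id in rec.readers
            else:
                # General read-only access at departmental level for everything else.
                ok = user.department == rec.department
        else:
            ok = False  # anything not explicitly provided for is refused
        # Log every decision against the identified user so the log is kept properly.
        self.log.append((user.user_id, action, ok))
        return ok
```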

Be aware of the limitations of the implemented restrictions

It is a complex task to coordinate the various restriction functionality in operating software, access control software, database management software and telecommunications monitoring software, so that they effectively implement the required restrictions in a cost effective way. Compromises in the ideal restrictions may need to be made to achieve cost effectiveness both in development and ongoing processing.

In addition, in older applications the restrictions on access to the data itself are often built into the application programs. It is a long task to identify all the accesses in old programs. Unless the change is essential, these should be altered, where required, only as the programs are being maintained for other reasons.

Maintenance of the restrictions implemented is administratively difficult. All joiners, leavers and changes in job responsibility require that the access rights are updated. This sometimes gets way behind. The restrictions will not prohibit people working within their access rights from making mistakes or committing fraud. Access controls are not a substitute for traditional error detection routines.

Don't forget the users

User management set the restrictions, therefore: restrictions should be set on their instructions; they should be provided with a schedule (that they can understand) showing the exact restrictions implemented for confirmation of correctness from time to time (corruption of access tables does occur).

Don't waste money

It is pointless imposing computer confidentiality restrictions if the data is left lying around on desks. If data is very confidential it may be more effective and cheaper to keep it on a stand-alone machine in a locked room, with data transfers to and from the machine made physically.

Conclusion

Access controls form a part of the total control structure in an organization. With today's technology and organization structures they are usually complex to administer thoroughly. It is therefore necessary for management to play an active part in setting up and maintaining the restrictions so that only necessary ones are implemented in a cost effective manner. Given the emphasis on security in the discussions about open systems, one can hope that tools will become available which will simplify the task of managing access restrictions in networks.

The ICAEW has recently published an IT briefing concerning access control risks: 'IT Briefing number 1 - Access Controls Risks and Countermeasures', Institute of Chartered Accountants in England and Wales, ISBN: 1 85355 248 8.

Willie List CA, MBCS, is director of the Kingswell Partnership Ltd and secretary of the British Computer Society's Security Committee.

AUDIT IMPLICATIONS OF FOREST AND TREES

Chris Nelms

Forest and Trees (F&T) is one of the first of a new type of PC software tools to reach the market. The suppliers have called this new breed Data Access and Reporting Tools (DARTs). F&T is a PC product which enables the user to download data from a wide range of PC and mainframe-based systems into, for example, a spreadsheet. Obviously there is nothing new about downloading data from mainframes to PCs, or transferring data between PC packages. However, F&T has a number of features which distinguish it from conventional downloading and file translating:

It can download not just from one type of system, but from many, simultaneously if required. This includes AS400, Dataease and many other minis, mainframes, and PC spreadsheet and database packages. As well as being convenient, it means users need only learn one downloading method to download from all these environments. The language it uses is SQL; this is likely to be of huge benefit in avoiding re-keying of data from one system to another. It could also potentially lead to the creation of a management information database out of a collection of independent systems.

The link is dynamic: update data in the source database, and data in the target spreadsheet is automatically updated. This also means that a spreadsheet can use data too voluminous to be contained in one spreadsheet. (I am not clear what happens to performance if the source database is very large and takes a long time to read for updating.)

F&T can, if necessary, be asked to summarize data in the source database before importing it.

F&T can be programmed to display warning messages if figures go outside preset limits, even while the user is in another application. One could envisage a warning flashing up if debtors exceed their credit limits, or payment dates are not met.

F&T can be set up to 'drill down' through data. For example, using a shortened version of the client name to produce a list of possible clients on a system; then pointing the mouse and clicking it on one of those to display a list of the client's accounts; and finally pointing and clicking on one of the accounts to produce a statement of transactions. This all has to be set up in advance, of course. It could similarly be set up to enable managers to 'drill down' from a P&L expense figure to the constituent account balances, to account postings, and to invoices and journal entries.

While F&T is quite user friendly, one does need to be computer literate to use it. The data to be extracted from a mainframe application system, for example, can all be selected from menus of tables and columns by pointing and clicking the mouse, but the user still needs to know his way around the database, and what all the cryptic names of tables and columns mean.

F&T is strictly for data downloading. It cannot be used to upload, so there is no risk of data being updated from outside the application. However, F&T does raise a number of security issues that auditors should be aware of:

F&T can enable logical access controls to be circumvented if they are part of the application software rather than the system software. This is because it goes straight to the data, bypassing any controls that are built into the application that is normally used to access the data. This means that
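The bypass just described, as an added example that is not from the article or the product it reviews: a confidential column is first guarded only inside the application, which a tool querying the data directly simply walks past; the same rule then moves into the database engine, where Python's built-in sqlite3 authorizer hook vets every column read regardless of which program issued the SQL. The table, its rows and the "cleared user" flag are constructed for the example.

```python
import sqlite3

# Column treated as confidential in this example (assumed, not from the article).
RESTRICTED = {("clients", "credit_limit")}


def build_db() -> sqlite3.Connection:
    # Constructed sample data: one client row with a confidential credit limit.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, balance REAL, credit_limit REAL)")
    conn.execute("INSERT INTO clients VALUES ('Acme Ltd', 120.0, 5000.0)")
    return conn


def app_report(conn: sqlite3.Connection, user_cleared: bool):
    # Control built into the application software: it merely chooses which
    # columns to fetch for the current user.
    cols = "name, balance, credit_limit" if user_cleared else "name, balance"
    return conn.execute(f"SELECT {cols} FROM clients").fetchall()


def direct_query(conn: sqlite3.Connection):
    # A downloading tool goes straight to the data and never calls app_report(),
    # so the application's column choice plays no part.
    return conn.execute("SELECT name, balance, credit_limit FROM clients").fetchall()


def enforce_in_engine(conn: sqlite3.Connection, user_cleared: bool) -> None:
    # Control moved into the system software: SQLite consults this hook while
    # preparing every statement, whichever program submitted it.
    def authorizer(action, table, column, _db_name, _trigger):
        if (action == sqlite3.SQLITE_READ
                and (table, column) in RESTRICTED
                and not user_cleared):
            # The restricted column reads back as NULL instead of its value.
            return sqlite3.SQLITE_IGNORE
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
```

Once the engine-level hook is installed, even the application's own "cleared" path returns NULL for an uncleared user, which is the property the article asks for from system-level rather than application-level controls.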
