Aug 21 2008

Access control fraud and countermeasures

Category: Access ControlDISC @ 1:22 am

These days access to the internet is a business requirement. Most businesses are selling their products and services on the internet which sometimes requires customers to have access to the critical assets such as applications and databases. The global growth of the internet has increased complexity and potential risks to these assets. In some cases, one potential breach may put the organization’s very existence at risk.  French bank Société Générale made a frightening announcement in Jan. 2008 that it has uncovered a $7.14 billion US fraud — one of history’s biggest.  A trader at the futures desk misled investors in 2007 and 2008 through a “scheme of elaborate fictitious transactions.”


In a security review, the reviewer will first determine the criticality of an asset and focus on how that asset is accessed by employees, the risks that unauthorized access by insiders or outsiders could pose to the organization, and if access control has sufficient countermeasures in place to mitigate those risks.  In other words, the security review will determine the risk level of access control to a particular asset and what appropriate control should be in place based on level of risk. At the same time, the business’s first priority is to make information available with effective access control in place. Based on criticality, assets subject to security review present different level of risk associated with access control. In other words, “not all data breaches are created equal.”


Authorization control is utilized to determine access to network resources. Authentication will determine the identity of the user. Authentication verifies that the login belongs to a user who is attempting to gain access to the system which can be obtained through PKI, smart cards, USB devices, tokens and biometrics.  Accounting keeps the records of user activity including what was used, when and for how long. Most of the application and operating systems have strong auditing features in place to track the activities of a user. Accounting records can be very useful for forensic evidence in case of a security breach. Authenticity covers validity of the information, if someone misrepresents your information by claiming that it is his or hers. Authenticity addresses all forms of information misrepresentation and authenticity of the system users.


In system profiling, the reviewer determines the criticality of access control and the risk posed to an organization where the risk is directly proportional to the criticality of an asset. Higher risk will require stronger controls or perhaps multiple controls. Security review should determine that controls in place are sufficient to avoid unauthorized access and non-repudiation of information and people. In many ways a password is the weakest link in the access control of a network defense. The best passwords are at least 60 random characters, letters, numbers, and punctuation which can be stored on a portable flash drive flash drive, to be retrieved when needed. All the passwords for the critical infrastructure should have these password characteristics. One weak password in the critical infrastructure can become a launching pad to access other resources in the network.


Security tools can be used to collect user permissions in a spreadsheet, which can be utilized to analyze the effectiveness of authentication, authorization, accounting, and authenticity. This analysis will determine if users have appropriate access based on need, role and security policy of the organization. Non-repudiation is the cornerstone of access control which assures the validity of a transaction and user. Regular monitoring and non-repudiation of users in all facets of access control might be necessary to mitigate the identity fraud associated with high profile assets. Compliance only addresses the bare minimum required to comply with a control but to measure the strength of a control in high profile assets, a security reviewer should use due care to regularly evaluate the effectiveness of access control at all levels. It might not be an example of due diligence when some regulations fail to require data encryption.


Security Threats


Rogue Trader Crushes Bank Societe Generale


httpv://www.youtube.com/watch?v=h4qD_ooM198


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: accounting, authentication, authenticity, authorization, bast passwords, countermeasure, data encryption, due diligence, fraud, higher risk, identity fraud, mitigate, non-repudiation, potential risks, security review, security tools, societe general, unauthorized access