@ISACA Volume 5  11 March 2015

Five Key Considerations for Privileged User and Access Management


If we have learned nothing else from the Edward Snowden classified information releases, it is that privileged users may be the greatest asset, but also the most challenging adversaries. Privileged users and systems are those with credentials that provide significant or unrestricted access to applications, systems and technologies. While necessary for the implementation, maintenance and operation of these capabilities, these people and systems also represent a significant risk to organizations. These users have the potential to cause material negative impacts to organizations if they act maliciously or inappropriately. It is important to effectively and diligently manage both privileged user and access management in order to maintain an effective information security posture. There are 5 key considerations that should be included when addressing privileged user and access management:

  1. Consider whether users and systems need the level of privileged access that they currently have. Following the practice of least-privileged access limits the number of privileged entry points for an adversary to leverage in an attack. It is important to scrutinize requests for privileged access to ensure providing it is the only way for the user or system to complete the tasks or activities that led them to request this access. It is often the case that a user or system owner will request privileged and broad-spectrum access because it is the easiest and simplest way for them to remove their perceived efficiency and productivity roadblocks. But users often have not considered other options that may require less privilege while still meeting their requirements and achieving their intended goals. The risk, security and audit professional should review these requests to identify if there are alternative options that enable the requester to achieve the same goal without significantly increasing complexity or creating inefficiency. These requests also provide an opportunity to educate the requestor on the threats, vulnerabilities and resulting risk that privileged access can create.
  2. Regularly and comprehensively review privileged access. The need for privileged access is often scrutinized at the initial request, but then allowed to continue beyond its actual need. It is often the case that changes to architecture and design, system and application upgrades, changes in role, and updates to processes and procedures limit or remove the need for ongoing privileged access for users and systems. Many organizations have embraced the idea of quarterly or annual access reviews for their regulated and sensitive systems, but ignore their perceived nonessential or low-risk systems. This oversight gives an adversary an ideal entry point: a compromised low-risk system whose privileged access was never reviewed can be used as a foothold from which to attack other systems in the environment. It is important to review the privileged access of all systems at the time of provisioning, on a recurring schedule, and at any time privileged access rights are granted or expanded for any account.
  3. Segregate sensitive systems and data stores into secure enclaves. Limiting the access pathways to sensitive systems and data stores can dramatically reduce the ways adversaries can abuse their access. It is often not practical or cost efficient to deploy and manage privileged user and system access and management controls across entire IT environments. Instead, it is suggested that sensitive systems and data stores are grouped into segmented secure enclaves where security controls can be focused and effectively managed. Access to these assets can then be funneled through highly controlled access points using jump servers, which act as a gateway for administrative access and activities to the systems beyond them. These access points can be instrumented with tightly monitored controls such as multifactor authentication, administrative password vaults, session recording and behavior monitoring. Implementing these kinds of controls at the gateway benefits the entire secure enclave instead of having to deploy these capabilities individually on all systems throughout the IT environment.
  4. Ensure you have effective oversight for the use of privileged access. Effective risk and security governance requires ongoing oversight of not only the provisioning of privileged access, but also the use of the privileges it provides. Administrative access and activities should be recorded and monitored to ensure that any malicious or inappropriate activities can be proactively identified or, at a minimum, are available for review during incident response activities. For sensitive systems and data stores, session recording (at the jump server or network level) that captures all administrative interactions is recommended. For nonadministrative but privileged interactions, detailed logging should be enabled on the systems and data stores, and the logs should be forwarded to a central logging solution that is not accessible to the users whose activities are being monitored, so that a privileged user cannot alter or delete the record of their own actions.
  5. Be sensitive to cultural considerations when integrating privileged user and access management controls. Sensitivity to the culture of an organization is vital to the success of any risk and security control. In the case of privileged user and access monitoring and management, it is important to be open about the use of these controls and their benefits to the individual and the organization. Privileged users should be encouraged to view activity monitoring as a benefit and not as a sign of mistrust or concern. One approach that can be used is to promote the concept of “trust but verify” as a justification for the use of privileged user and access management controls. This concept promotes the use of oversight and verification capabilities to provide independent assurance and validation of activities and actions. Trust but verify controls, such as user activity monitoring, can be explained and promoted as a way to ensure that privileged users will rarely be wrongly accused of abusing their privileges or knowingly carrying out malicious acts. Activity monitoring capabilities provide detailed and factual records of a privileged user’s activities and provide evidence to minimize any chance of suspicion. Also, if privileged users are aware of the existence of activity-monitoring capabilities, they are less likely to attempt to misuse their privileged access rights out of fear of detection and the resulting negative consequences.
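The review, enclave and oversight points above (2, 3 and 4) come together once the logs from the enclave hosts are sitting on a central collector that the administrators themselves cannot write to. The following is an added example, not part of the article or IP Architects' own material, of a small review that runs on that collector over constructed syslog-style sshd and sudo lines. It flags three things: administrative logins that bypassed the jump server, privilege use by accounts not on the approved privileged-user list, and approved accounts whose privileges have not been used within the review window and so are candidates for revocation. The jump-host address, host names, user names, the review date and the log format are all assumptions made for the example.

```python
"""Privileged-access review over centrally collected logs (added example).

All hosts in the sample log are assumed to sit inside one secure enclave whose
only sanctioned administrative path is the jump server at 10.0.0.5.
"""
import re
from datetime import datetime, timedelta

# Assumed enclave policy (hypothetical values).
JUMP_HOSTS = {"10.0.0.5"}                # only permitted source for admin sessions
APPROVED_PRIVILEGED = {"alice", "bob"}   # accounts reviewed and approved for sudo
REVIEW_WINDOW = timedelta(days=90)       # unused privileges older than this are stale
AS_OF = datetime(2015, 3, 11)            # assumed date the review is run

# Assumed syslog-style formats as forwarded to the central collector.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"
)

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2015-03-01T09:00:00 db01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
2015-03-01T09:01:10 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
2015-03-02T22:15:00 erp01 sshd[3302]: Accepted password for carol from 192.168.7.21 port 41000 ssh2
2015-03-02T22:16:30 erp01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/tar czf /tmp/x.tgz /var/lib/erp
2014-11-01T08:00:00 db01 sshd[77]: Accepted publickey for bob from 10.0.0.5 port 50001 ssh2
""".splitlines()


def review(lines, as_of=AS_OF):
    """Return findings for the three checks described in the article.

    jump_host_bypass:          (host, user, source IP) for SSH logins not from a jump host
    unapproved_privilege_use:  (host, user, command) for sudo by non-approved accounts
    stale_privileged_accounts: approved accounts with no privileged use inside the window
    """
    bypass, unapproved = [], []
    last_seen = {}  # user -> most recent privileged-path activity

    def touch(user, ts):
        last_seen[user] = max(last_seen.get(user, ts), ts)

    for line in lines:
        m = SSH_RE.match(line)
        if m:
            touch(m["user"], datetime.fromisoformat(m["ts"]))
            if m["src"] not in JUMP_HOSTS:
                bypass.append((m["host"], m["user"], m["src"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            touch(m["user"], datetime.fromisoformat(m["ts"]))
            if m["user"] not in APPROVED_PRIVILEGED:
                unapproved.append((m["host"], m["user"], m["cmd"]))

    # Point 2: approved privileges that nobody has used within the window
    # (or ever) are the ones the periodic review should challenge.
    stale = sorted(
        u for u in APPROVED_PRIVILEGED
        if u not in last_seen or as_of - last_seen[u] > REVIEW_WINDOW
    )
    return {
        "jump_host_bypass": bypass,
        "unapproved_privilege_use": unapproved,
        "stale_privileged_accounts": stale,
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

On the sample data the review reports carol's login to erp01 from 192.168.7.21 as a jump-host bypass, her root-level tar of the ERP data directory as privilege use by an unapproved account, and bob as an approved administrator whose last privileged activity predates the 90-day window. The important design point is where this runs: on the central collector, against logs the enclave administrators can append to but not edit, which is what makes the "trust but verify" record in point 5 credible.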


John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Learn to Protect Your Android or iPhone From Malware


Mobile malware is becoming more sophisticated as mobile technology advances. To help you better understand the threats mobile devices could encounter, ISACA has partnered with Palo Alto Networks to bring you the “Revealing the Secrets: Advances in Android and iOS Attacks” webinar. This webinar will take place on 17 March at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Brian Tokuyoshi, senior solution analyst at Palo Alto Networks, will lead this webinar. Palo Alto Networks’ threat research teams are familiar with the latest mobile malware advances. In this webinar, Tokuyoshi will teach attendees about what new malware is capable of, how mobile users are exposed to it and the methods that can help mitigate exposure to this kind of risk.

To learn more about the webinar or register, visit the Revealing the Secrets: Advances in Android and iOS Attacks page of the ISACA web site.


Tools for a Rapidly Changing Digital World


Invest in yourself by becoming an ISACA member and/or renewing your ISACA membership. Your commitment to continued learning and professional development is critical to our rapidly changing digital world.

From students to experienced professionals, ISACA creates the content you need to thrive. Its academic partnerships align classroom teaching with ISACA’s educational materials and model curricula. ISACA also has the latest cybersecurity-related information. Cybersecurity Nexus (CSX) keeps new and experienced professionals up to date on the latest threats while also providing best practices to mitigate risk.

ISACA’s Knowledge Center is another great place to gain access to the tools that assure trust in a digital world. With more than 100 existing topics and the opportunity to suggest a new topic, your thirst for knowledge will always be quenched in the Knowledge Center. The Knowledge Center is also a great way to connect with others.

ISACA member Muhammad Mushfiqur Rahman, CISA, CCNA, CEH, ITIL V3, MCITP, MCP, MCSE, MCTS, OCP, explains, “The biggest value of my membership and participation in ISACA is the opportunity to build relationships with my colleagues, ISACA members worldwide and throughout the industry.”

What is your most valuable ISACA membership benefit? Tell us on Facebook.


June 2015 Exam Registration Reminder


There is still time to register for the June 2015 Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) certification exam. Register on the Exam Registration page of the ISACA web site until the final registration deadline of 10 April.

For those individuals looking to take the CISA exam in Chinese Mandarin Traditional, German, Hebrew or Italian or the CISM exam in Japanese and Korean, the June exam administration is the only administration offering testing in these languages.

Information such as exam dates and deadlines and key exam-day information can be found in the ISACA Candidate Information Guide.


Book Review:  Business Data Networks and Security

Reviewed by Ibe Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS

The 9th edition of Raymond R. Panko and Julia Panko’s Business Data Networks and Security has gone through the evolutionary fires of refinement and come out as a comprehensive resource on network architecture, its history, functionality, security and operations. The book’s outline of the various components and elements of networks is remarkable, not just in the breadth of topics, but in the practicality of its delivery. The extensive and clever use of 3-D-like imagery is exceptional and serves to spark the reader’s interest. The content is contemporary, the topics are relevant and the outline is concise. Information security professionals, academics and network security practitioners will find this book useful and practical and other professionals will find it intriguing.

This book features a number of security topics that students, academics and security professionals can identify with and understand easily. The text is compelling and there are several valuable illustrations and figures that connect theory with a pictorial perspective that readers will find appealing and useful. In addition, the book has numerous questions that engage the reader to reflect on the subject matter and invoke a practical inquisitiveness about the topics discussed. The topics are treated with adequate depth and detail and are backed up with real-life events that connect the text to reality. The case studies and chapters put the text into a practical perspective and show deeper insights into the chapter’s objectives.

The book is modeled like a real-life network security lab featuring a range of resources: theory, practical examples and knowledge testing. Illustrations guide the reader to the specifics and applications of the issues discussed. There is expansive coverage of different dimensions of security and networking topics, with a resourceful glossary at the end of the book.

The book is split into 2 broad sections: Basic concepts and principles are covered in the first 4 chapters, and the application of these concepts and principles comprise the next 7 chapters and glossary.

Business Data Networks and Security is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Kalu Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).