Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA
A key fact to remember about logical access controls is one of their primary purposes: to mitigate the risk of unauthorized activities without inhibiting legitimate authorized access. We should also remember that statistics and research have consistently shown that about 75-80 percent of all malicious activities originate from within the entity, not from external intruders. Thus, it is logical that an effective strategy should focus about 75 percent of its efforts and controls on mitigating the risk that someone internal to the system does something malicious.
Those responsible for logical access, or for auditing it, should consider the full scope of tools, techniques and methods that can detect internal malicious activities and monitor for them continually. The Prevention-Detection-Correction (PDC) model is one way to ensure a robust system for mitigating the risk of internal malicious activities.
Under PDC, prevention means a system of logical access controls robust enough to stop someone internal from doing something malicious. Limited access is one way to prevent malicious activities by employees, but the limits need sufficient strength and breadth of application. The prevention aspect of logical access is therefore strengthened if the entity can cost-effectively add strong authentication to the logical access controls that govern authorized access.
Probably the most effective authentication controls are temporary personal identification numbers (PINs) sent to a pager device and biometrics. Both of these methods are becoming less expensive and, thus, should be considered. Obviously, there are other methods, and more important, IT auditors should continue to check the landscape of tools being developed for even more effective authentication methods (see “IT Audit Basics: Mitigating IT Risks for Logical Access” for more details). In addition, it seems rational that banks and financial institutions (especially credit card companies) have to authenticate well, so mimicking the tools and techniques of banks should be effective (thus, the pager idea).
Detection methods would be designed to detect a malicious activity if one occurred. One method would be to examine the intrusion detection system (IDS). If the entity has an IDS, it should configure it to include internal sources, if possible. If it does not have an IDS, it should consider the cost-effectiveness of using one or something with similar capabilities.
Correction methods try to reverse the adverse effects and restore the system to stability, including revisions of the logical access to keep the type of unauthorized activity that was discovered from occurring again. For instance, most systems have some ability to produce logs of employees’ activities. Thus, making sure the system can log those activities can be valuable in correcting the event and in revising controls to prevent it from happening again.
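As an added illustration of the detection and correction steps described above (example code written for this page, not from the column): it checks constructed employee access-log lines against an assumed least-privilege authorization matrix, flags internal activity that falls outside it, and produces a revised matrix as the correction step. The log format, user names, resources and business-hours policy are all assumptions.

```python
"""Added example (not from the column): a small internal-activity monitor.
Log format, users, resources and the business-hours policy are constructed."""
from datetime import datetime

# Assumed least-privilege matrix: which employee may touch which resource.
AUTHORIZED = {
    "alice": {"payroll", "hr_records"},
    "bob": {"source_repo"},
}
BUSINESS_HOURS = (8, 18)  # assumed policy: 08:00 to 18:00 local time

# Constructed log lines: "<ISO timestamp> <user> <resource> <action>"
SAMPLE_LOG = """\
2024-03-04T09:15:00 alice payroll read
2024-03-04T10:02:00 bob payroll read
2024-03-04T23:40:00 alice hr_records export
2024-03-04T11:30:00 carol source_repo read
"""


def parse_line(line):
    ts, user, resource, action = line.split()
    return datetime.fromisoformat(ts), user, resource, action


def detect(log_text):
    """Detection step: return (user, resource, reason) for suspicious entries."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, _action = parse_line(line)
        allowed = AUTHORIZED.get(user)
        if allowed is None:
            alerts.append((user, resource, "unknown or disabled account"))
        elif resource not in allowed:
            alerts.append((user, resource, "outside authorized scope"))
        elif not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            alerts.append((user, resource, "off-hours activity"))
    return alerts


def revise_access(matrix, alerts):
    """Correction step: suspend (empty the rights of) any account that reached
    beyond its authorized scope, pending review; the original matrix is kept."""
    revised = {user: set(rights) for user, rights in matrix.items()}
    for user, _resource, reason in alerts:
        if reason == "outside authorized scope" and user in revised:
            revised[user] = set()
    return revised
```

Running `detect(SAMPLE_LOG)` flags three of the four constructed entries; only alice's in-scope, in-hours payroll read passes.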
One last aspect of PDC is to remember that employees can inadvertently become the vehicle for a malicious activity, for example, by unknowingly having their computer infected with a key logger, with which the perpetrator captures banking credentials or other sensitive data to conduct malicious activities (e.g., identity theft). It is imperative, therefore, that firewalls and the antivirus system (AVS) be implemented, configured appropriately and updated rigorously. This would include e-mail filtering controls to prevent the virus or malicious code from being downloaded at all (i.e., applying PDC to malicious code as well).