GREP-BLOG

Wednesday, 26 March 2014

What is privileged access? - A definition of privileged access from review of US financial institution regulation and ISO 27002

Why is it important to understand what privileged access is? Highlighting some examples of what can happen when privileged access is not managed appropriately demonstrates it is something that needs to be understood:

  • March 2002 – It was reported that Roger Duronio brought down 2,000 business critical servers, including trading servers, with a logic bomb in UBS costing $3.1m in restoration costs and unknown business loses during the downtimei.
  • January 2008 - It was reported that Jérôme Kerviel lost Société Générale €4.9bn in trades purportedly utilising privileged access accumulated from his previous and last roles in the bankii.
  • January 2009 - It was reported that Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb that could have lost Fannie Mae “many millions of dollars” with his privileged accessiii.

From this, the impacts of not understanding and appropriately controlling privileged access are significant. The primary challenge with implementing privileged access policies and controls is a lack of a clear definition of what privileged access is.

Fortunately, US financial institutions regulation and the International Standards Organisation provide a starting point.


US Financial Institutions Regulation

The Board of Governors of the Federal Reserve System (the Board) implements the Federal Reserve Act and other laws pertaining to banking and financial activities. The Board implements those laws, in part, through its regulations A through to YY, which are codified in Title 12, Chapter II, of the Code of Federal Regulations within the US Code (USC)iv.

Section 6801 and section 6805 in Title 15 of the USC applies the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions including Bank holding companies. Section 501(b) of the GLBA introduced the “Financial Institutions Safeguards” requirement that requires financial institutions implement administrative, technical, and physical safeguards to ensure the confidentially, security and integrity of customer informationv.

Further guidance as to how to establish these safeguards is provided by CFR Regulation Y - Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the Member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC published examination handbooks that apply to the examination of a financial institution's operations and all related data, and serves as a supplement to the agencies' GLBA 501(b) expectations.

Page 19 of the Federal Financial Institution Examination Council (FFIEC) Information Security Examination Handbook defines privileged access asvi:

the ability to override system or application controls”

A key point to note in this definition is the distinction between systems and applications. This distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

International Standards Organisation

The FFIEC Information Security Examination Handbook definition is aligned to the international standard ISO 27002 Information technology - Security techniques - Code of practice for information security management (ISO 27002).

Specifically, page 61 of ISO 27002 defines privileged access rights, as thosevii:

access rights which allow users to override system controls”

How this definition differs from the FFIEC definition is that is refers to access rights and these applying only to system controls rather than both system and application controls. This ISO guidance suggests that the FFIEC definition’s “ability” is that ability conferred to a “user” by virtue of their “access rights”.

Additionally page 62 of ISO 27002 defines system administration privileges asviii:

any feature or facility of an information system that enables the user to override system or application controls”

The last part of this definition is identical to the FFIEC wording “override system or application controls”. This additional ISO guidance suggests that the FFIEC definition’s “ability” is that ability conferred to a “user” by virtue of “any feature or facility of an information system”. As per the FFIEC definition, a key point to note in this definition is the distinction between systems and applications. As with the FFIEC definition, this distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

Finally, further guidance is available at page 56 of ISO 27002 which defines privileged operations asix:

use of privileged accounts, e.g. supervisor, root, administrator; system start-up and stop; [and] I/O device attachment/detachment”

While not a definition of privileged access it does provide useful interpretation guidance in what is commonly considered to be the operations of those with privileged access, and from this, what constitutes privileged access. In this case, operating system or database system administrator accounts such as “root”, “administrator” and “supervisor”. By extension, similar access to the access level of these accounts would be considered privileged access. This definition also describes the ability to execute system start-up; and stop and I/O device attachment/detachment, system level services generally accessible via service or system accounts.


Conclusion - A Working Definition of Privileged Access

From these sources we can develop a working definition of privileged access that is aligned to US regulatory requirements and international standards.

From the FFIEC definition, the working definition needs to cover both applications and systems. Expanding the FFIEC definition’s use of the term “ability” using ISO guidance, would result in the following definition:

Privileged access is the ability to override system or application controls, conferred to a user by virtue of their access rights or any feature or facility of an information system. This includes the ability to use system administration and service accounts.”

From this working definition, we can better understand what ability is considered privileged and that a user with this access would be considered to have privileged access. Policy making and controls based on this definition will ensure alignment with the US regulators and international standards hopefully resulting in better risk and control assessments to implement the necessary administrative, technical, and physical safeguards to ensure the confidentially, security and integrity of customer information.


Endnotes

i Gaudin, S., Ex-UBS Systems Admin Sentenced To 97 Months In Jail, United States of America, 2006. Available at: http://www.informationweek.com/ex-ubs-systems-admin-sentenced-to-97-months-in-jail/d/d-id/1049873? (Accessed 6 March 2014).

ii Tarzy, B., Revoke legacy privileged accounts – or pay the consequences, United Kingdom, 2012. Available at: http://www.computing.co.uk/ctg/the-big-picture-blog/2157940/revoke-legacy-privileged-accounts-pay-consequences# (Accessed 6 March 2014).

iii Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, 2009. Available at: http://www.computerworld.com/s/article/9127157/Ex_Fannie_Mae_engineer_pleads_innocent_to_server_bomb_charge (Accessed 6 March 2014).

iv Government Printing Office, Electronic Code of Federal Regulations, United States of America, 2012. Available at: http://www.ecfr.gov/cgi-bin/ECFR?page=browse (Accessed 6 March 2014).

v Government Printing Office, GRAMM–LEACH–BLILEY ACT, United States of America, 1999. Available at: http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf (Accessed 6 March 2014).

vi Federal Financial Institution Examination Council, The FFIEC Information Security IT Examination Handbook, United States of America, 2006. Available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf (Accessed 6 March 2014).

vii International Organisation for Standardization (ISO), ISO 27002:2005, Information technology - Security techniques - Code of practice for information security management, Switzerland, 2005

viii Ibid


ix Ibid