Why is it important to understand what privileged access is? Highlighting some examples of what can happen when privileged access is not managed appropriately demonstrates that it is something that needs to be understood:
- March 2002 – It was reported that Roger Duronio brought down 2,000 business-critical servers, including trading servers, with a logic bomb at UBS, costing $3.1m in restoration costs and unknown business losses during the downtime[i].
- January 2008 – It was reported that Jérôme Kerviel lost Société Générale €4.9bn in trades, purportedly utilising privileged access accumulated from his previous and last roles in the bank[ii].
- January 2009 – It was reported that Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb that could have lost Fannie Mae “many millions of dollars”, planted using his privileged access[iii].
From this, the impacts of not understanding and appropriately controlling privileged access are significant. The primary challenge with implementing privileged access policies and controls is the lack of a clear definition of what privileged access is.

Fortunately, US financial institutions regulation and the International Standards Organisation provide a starting point.
US Financial Institutions Regulation

The Board of Governors of the Federal Reserve System (the Board) implements the Federal Reserve Act and other laws pertaining to banking and financial activities. The Board implements those laws, in part, through its regulations A through YY, which are codified in Title 12, Chapter II, of the Code of Federal Regulations within the US Code (USC)[iv].
Sections 6801 and 6805 in Title 15 of the USC apply the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions, including bank holding companies. Section 501(b) of the GLBA introduced the “Financial Institutions Safeguards” requirement, which requires financial institutions to implement administrative, technical, and physical safeguards to ensure the confidentiality, security and integrity of customer information[v].
Further guidance on how to establish these safeguards is provided by CFR Regulation Y, Appendix F to Part 225, Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC publishes examination handbooks that apply to the examination of a financial institution's operations and all related data, and these serve as a supplement to the agencies' GLBA 501(b) expectations.
Page 19 of the Federal Financial Institutions Examination Council (FFIEC) Information Security Examination Handbook defines privileged access as[vi]:

“the ability to override system or application controls”
A key point to note in this definition is the distinction between systems and applications. This distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.
International Standards Organisation

The FFIEC Information Security Examination Handbook definition is aligned to the international standard ISO 27002 Information technology - Security techniques - Code of practice for information security management (ISO 27002):

“access rights which allow users to override system controls”
This definition differs from the FFIEC definition in that it refers to access rights, and in that these rights apply only to system controls rather than to both system and application controls. This ISO guidance suggests that the “ability” in the FFIEC definition is the ability conferred on a “user” by virtue of their “access rights”.

ISO 27002 further describes:

“any feature or facility of an information system that enables the user to override system or application controls”
The last part of this definition is identical to the FFIEC wording “override system or application controls”. This additional ISO guidance suggests that the “ability” in the FFIEC definition is the ability conferred on a “user” by virtue of “any feature or facility of an information system”. As with the FFIEC definition, a key point to note is the distinction between systems and applications, which means that privileged access may exist at an application level as well as at the underlying infrastructure system level.
Finally, further guidance is available at page 56 of ISO 27002, which defines privileged operations as[ix]:

“use of privileged accounts, e.g. supervisor, root, administrator; system start-up and stop; [and] I/O device attachment/detachment”
While not a definition of privileged access, it does provide useful interpretation guidance on what is commonly considered to be the operations of those with privileged access and, from this, what constitutes privileged access. In this case, the privileged accounts are operating system or database system administrator accounts such as “root”, “administrator” and “supervisor”. By extension, any access equivalent to the access level of these accounts would be considered privileged access. This definition also describes the ability to execute system start-up and stop, and I/O device attachment and detachment: system-level operations that are generally accessible via service or system accounts.
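As an added example that is not part of the original article, the following Python script classifies constructed audit log lines into the ISO 27002 privileged-operation categories quoted above (privileged account use, system start-up/stop, I/O device attach/detach) and tags each hit as system-level or application-level per the FFIEC distinction. The log formats, the application name and the matching patterns are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample audit lines (not taken from the article); formats are simplified.
SAMPLE_LOG = """\
Mar 06 09:01:12 host1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar 06 09:02:40 host1 sshd[2210]: Accepted password for bob from 10.0.0.5 port 51022 ssh2
Mar 06 09:05:03 host1 systemd[1]: Stopping MySQL Community Server...
Mar 06 09:07:19 host1 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 06 09:10:00 host1 tradeapp: user=carol action=GRANT_ROLE role=SUPERVISOR target=dave
Mar 06 09:11:30 host1 su: (to root) eve on pts/2
Mar 06 09:12:00 host1 shutdown[4321]: shutting down for system reboot
"""

# Each rule: (ISO 27002 privileged-operation category, layer per the FFIEC
# system/application distinction, pattern). Patterns are illustrative assumptions.
RULES = [
    ("privileged account use", "system",
     re.compile(r"\bsudo: \S+ : .*USER=(root|administrator)\b|\bsu: \(to root\)")),
    ("privileged account use", "application",
     re.compile(r"action=GRANT_ROLE role=(SUPERVISOR|ADMIN)\b")),
    ("system start-up/stop", "system",
     re.compile(r"\bshutdown\[|\bsystemd\[1\]: (Stopping|Starting) ")),
    ("I/O device attach/detach", "system",
     re.compile(r"\bkernel: usb \S+: (new .* device|USB disconnect)")),
]

@dataclass(frozen=True)
class PrivilegedEvent:
    category: str
    layer: str
    line: str

def classify_line(line: str):
    """Return a PrivilegedEvent for a log line, or None if it is not a privileged operation."""
    for category, layer, pattern in RULES:
        if pattern.search(line):
            return PrivilegedEvent(category, layer, line)
    return None

def find_privileged_events(log_text: str):
    """Scan a log and return every line that matches a privileged-operation rule."""
    return [ev for ev in (classify_line(ln) for ln in log_text.splitlines()) if ev]

if __name__ == "__main__":
    for ev in find_privileged_events(SAMPLE_LOG):
        print(f"[{ev.layer:<11}] {ev.category:<26} {ev.line}")
```

The ordinary SSH login is deliberately left unflagged: a login by itself confers no ability to override controls, which is the line the working definition draws.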
Conclusion - A Working Definition of Privileged Access

From these sources we can develop a working definition of privileged access that is aligned to US regulatory requirements and international standards.

From the FFIEC definition, the working definition needs to cover both applications and systems. Expanding the FFIEC definition’s use of the term “ability” using the ISO guidance results in the following definition:
“Privileged access is the ability to override system or application controls, conferred to a user by virtue of their access rights or any feature or facility of an information system. This includes the ability to use system administration and service accounts.”
From this working definition, we can better understand which abilities are considered privileged, and that a user with such an ability would be considered to have privileged access. Policy making and controls based on this definition will ensure alignment with the US regulators and international standards, and should result in better risk and control assessments for implementing the administrative, technical, and physical safeguards necessary to ensure the confidentiality, security and integrity of customer information.
Endnotes

[i] Gaudin, S., Ex-UBS Systems Admin Sentenced To 97 Months In Jail, United States of America, 2006. Available at: http://www.informationweek.com/ex-ubs-systems-admin-sentenced-to-97-months-in-jail/d/d-id/1049873? (Accessed 6 March 2014).

[ii] Tarzy, B., Revoke legacy privileged accounts – or pay the consequences, United Kingdom, 2012. Available at: http://www.computing.co.uk/ctg/the-big-picture-blog/2157940/revoke-legacy-privileged-accounts-pay-consequences# (Accessed 6 March 2014).

[iii] Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, 2009. Available at: http://www.computerworld.com/s/article/9127157/Ex_Fannie_Mae_engineer_pleads_innocent_to_server_bomb_charge (Accessed 6 March 2014).

[iv] Government Printing Office, Electronic Code of Federal Regulations, United States of America, 2012. Available at: http://www.ecfr.gov/cgi-bin/ECFR?page=browse (Accessed 6 March 2014).

[v] Government Printing Office, GRAMM–LEACH–BLILEY ACT, United States of America, 1999. Available at: http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf (Accessed 6 March 2014).

[vi] Federal Financial Institutions Examination Council, The FFIEC Information Security IT Examination Handbook, United States of America, 2006. Available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf (Accessed 6 March 2014).

[vii] International Organisation for Standardization (ISO), ISO 27002:2005, Information technology - Security techniques - Code of practice for information security management, Switzerland, 2005.

[viii] Ibid.