Logical Access Controls

Logical access controls are implemented to protect the aforesaid resources from the below mentioned exposures:

Technical Exposures

Technical exposures include unauthorized implementation or modification of data and software. Technical exposures include the following:

Data Diddling

Data diddling involves the change of data before or as they are entered into the system. A limited technical knowledge is required to data diddle and the worst part with this is that it occurs before computer security can protect data.

Bombs

These  programs  destruct  the  program  or  data  on  the  happening  of   some   logical event. For example: Employee may set up a bomb to activate after his name is removed  from the company’s payroll records.

Worms

• A Worm is a program that stores itself into the computer’s memory and  replicates  into areas of idle memory.
• Worm systematically occupies idle  memory until the MEMORY  IS EXHAUSTED and  the system fails.

Rounding Down

This refers to rounding of small fractions of a denomination and transferring these small fractions into an account. As the amount is small it gets rarely noticed.

Salami Techniques

Slicing of small amounts of money from computerized transaction or account.

           Difference from Rounding Down

A Salami technique is slightly different from a rounding technique in  the  sense  only  last few digits are rounded off here. For example, in the rounding down technique, Rs. 21,23,456.39 becomes Rs. 21,23,456.35, while in the Salami technique the transaction amount Rs. 21,23,456.39 is truncated to either Rs. 21,23,456.30 or Rs. 21,23,456.00, depending on the calculation.

Trap Doors

It is a software that allows unauthorized access (back door entry) to system without going through normal login procedure.

Spoofing

• A spoofing attack involves forging one’s source address. One machine is used to impersonate the other in spoofing technique.
• Spoofing occurs when a penetrator duplicates the logon procedure, captures the user’s password, attempts for a system crash and makes the user login again. It is only the second time the user actually logs into the system.

Asynchronous Attacks

They occur in many environments where data can be moved asynchronously across telecommunication lines. Numerous transmissions must wait for the clearance of the line before data being transmitted. Data that are waiting to be transmitted are liable to unauthorized access called asynchronous attack. These attacks are hard to detect because they are usually very small pin like insertions. There are many forms of asynchronous attacks.

• Data Leakage: Data is critical resource for an organization to function effectively. Data leakage involves leaking information out of the computer by means of dumping files to paper or stealing computer reports and tape.
• Wire-tapping: This involves spying on information being transmitted over telecommunication network.
• Piggybacking: Tapping into a telecommunication line and using the authorized user data packets to enter into system when he logs into system,  authorized  user unknowingly carries the perpetrator into the system.

Logical access violators ? (i.e. who indulge in Sabotage etc.)

• Hackers: Hackers try their best to overcome restrictions to prove their ability. They never try to misuse the computer intentionally.
• Employees (authorized or unauthorized)

• IS Personnel: they have easiest access to computerized information since they are custodians of this information.
• End Users
• Former Employees: should be cautious of former employees who have left the  organization on unfavorable terms.
• Crackers

Logical Access Controls

• User Access Management
  • User registration: Information about every user is documented.
  • Privilege management: Access privileges to be aligned with job responsibilities.
  • User password management: Issue, revocation and reissue of password.
  • Review of user access rights: periodic review of access rights.

User responsibilities

• Password use: Mandatory use of strong passwords& to maintain confidentiality.
• Unattended user equipment: Not to leave unattended computers.

• Network Access Control: An Internet connection exposes an organization to the harmful elements of the outside world. The protection can be achieved through the following means:
• Policy on use of network services: An enterprise wide policy applicable  to  internet  service requirements aligned with the business need for using the  Internet  services  should be part of this policy.
• Enforced path: Based on risk assessment, it is necessary to specify  the  exact  path  or route connecting the networks; e.g., internet access by employees will be routed through   a firewall.
• Segregation of networks: Based on the sensitive information handling function; say a connection between a branch office and the head-office, this network is to be isolated  from the internet usage service.
• Network connection and routing control: The traffic between networks should be restricted, based on identification of source and authentication access policies implemented across the enterprise network facility.
• Security of network services: The techniques of authentication and authorization policy should be implemented across the organization’s network.

Firewall

• A Firewall is a system that enforces access control between two networks.
• To accomplish this, all traffic between the external network and the organization’s network must pass through the firewall that will allow only authorised traffic.
• The firewall must be able to safeguard both internal and outward flow of traffic.
• Encryption: Encryption is the conversion of data into a secret code for storage in databases and transmission over networks.

The sender uses an encryption algorithm with a key to convert the original message called the Clear text into Cipher text.

This is decrypted at the receiving end.

Two general approaches are used for encryption viz. private key and public  key  encryption.

• Call Back Devices: It is based on the principle that the key to network security is to keep the intruder off the Intranet rather than imposing  security  measure after  the  criminal has connected to the intranet.

The call- back device requires the user to enter a password and then the system breaks  the connection. If the caller is authorized,  the call back device  dials the caller’s  number  to establish a new connection.

This limits access only from authorized terminals or telephone numbers and prevents an intruder masquerading as a legitimate user.

This also helps to avoid the call forwarding and man-in-the middle attack

Operating System Access Control:

• Automated terminal identification: This will help to ensure that a specified session could only be initiated from a certain location or computer terminal.
• Terminal log-in procedures: A log-in is done by entering user-id and password, the system validates it and allow access to authorized user only.
• Access Token: If the log on attempt is successful, the Operating System creates an access token that contains privileges granted to the user during that login session.

• Access Control List: This list contains information that defines the access  privileges  for all valid users of the resource.
• Discretionary Access Control: The system administrator usually determines; who is granted access to specific resources and maintains the access control list.

However, in distributed systems, resources may be controlled by the end-user. Resource owners in this setting may be granted discretionary access control, which allows them to grant access privileges to other users.

For example, the controller who is owner of the general ledger grants read only privilege to the budgeting department while accounts payable manager is granted both read and write permission to the ledger.

• User identification and authentication: The users must be identified and authenticated in a foolproof manner. Depending on risk assessment, more stringent methods like Biometric Authentication or Cryptographic means  like  Digital Certificates should be employed.
• Password management system: An operating system could  enforce  selection  of  good passwords. password file should not be accessible to users.
• Use of system utilities: System utilities are the programs that help to manage critical functions of the operating system e.g. addition or deletion of users. Obviously, this utility should not be accessible to a general user. Use and access to these utilities should be strictly controlled and logged.
• Duress alarm to safeguard users: If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities.
• Terminal time out: Log out the user if the terminal is inactive for a  defined period.  This will prevent misuse in absence of the legitimate user.
• Limitation of connection time: Define the available time slot. Do not allow any transaction beyond this time. For example, no computer access after 8.00 p.m. and before 8.00 a.m. - or on a Saturday or Sunday.

Application and Monitoring System Access Control: Some of the steps are as follows:

• Information access restriction::The access to information is prevented by application specific menu interfaces, which limit access to system function. A user can access only to those items, s/he is authorized to access. Controls are implemented on the access rights    of users. For example - read, write, delete, and execute. And ensure  that sensitive output  is sent only to authorized terminals and locations.
• Sensitive system isolation: Based on the critical constitution of a system  in an enterprise,  it may even be necessary to run the system in an isolated environment.  Monitoring  system access and use is a detective control, to check if preventive  controls discussed so far are working. If not, this control will detect and report any unauthorized activities.
• Event logging: In Computer systems, it is easy and viable to maintain extensive logs for all types of events. It is necessary to review if logging is enabled and the logs are archived properly. An intruder may penetrate the system by trying different passwords and user ID combinations. All incoming and outgoing requests along with attempted access should be recorded in a transaction log. The log should record the  user ID,  the  time of the access and the terminal location from where the request has been originated.