Page 75 - Cyber Defense eMagazine - October 2017

What Could Go Wrong?

So, organizations are realizing there is a huge risk regarding elevated, direct access to production that is not audited, logged, controlled or governed. Auditors must take action to assess the risk, govern it, minimize it and take control over SSH keys. Failure to act is likely to have several negative consequences.

First, you would fail an audit dramatically. Not having control over 30 percent of your production access could be construed as a material weakness in your environment from a controls perspective. For a publicly traded financial institution that falls under the Sarbanes-Oxley umbrella, this is a huge problem.


               From a SOX perspective, when a CFO or CEO signs off on attestations, they are saying
               they have complete visibility and control over access. However, the reality is that they
               have no visibility or control over their production due to poor or non-existent SSH key
               management.

Second, it opens the door to threats that you don't even have visibility into. For instance, a malicious insider could be leveraging uncontrolled, unaudited privileged access that is not monitored or logged, and you wouldn't be able to tell.

By the same token, if you are being breached by an attacker who is leveraging back doors or exploits in this environment, the same thing would happen. You would have no visibility into the data that is being compromised or potentially compromised, and by law you must notify and report accordingly. So, what would your reported evidence look like?

New Guidance

Organizations must adopt best practices, leverage automation, establish ongoing monitoring and auditing, and govern all access equally to ensure SSH access is authorized and that the access falls within governance guidelines.
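One concrete piece of the ongoing auditing described above is an inventory of who can log in with which key, and whether each key falls within governance guidelines. The script below is an added example, not code from this article or from the ISACA paper: it parses an OpenSSH authorized_keys file (the standard options / key type / base64 blob / comment format is assumed), computes the SHA256 fingerprint that `ssh-keygen -l` would print, and flags entries that escape governance. The policy checks it applies (DSA keys, RSA under 2048 bits, a key with no owner comment, a key with no `from=` or `command=` restriction, a blob whose algorithm does not match the declared type) and the sample file are my own assumptions and constructed data, not ISACA requirements.

```python
# Added example: inventory an OpenSSH authorized_keys file and flag entries
# that nobody is accountable for or that are broader than governance allows.
import base64
import binascii
import hashlib
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# optional options field, key type, base64 blob, optional comment
LINE_RE = re.compile(r"^(?:(?P<opts>.+?)\s+)?(?P<type>(?:ssh|ecdsa|sk)-\S+)\s+"
                     r"(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*\S))?\s*$")


@dataclass
class KeyRecord:
    line_no: int
    key_type: str
    fingerprint: str
    comment: str
    options: List[str]
    bits: Optional[int]
    findings: List[str] = field(default_factory=list)


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: 4-byte big-endian length, then payload."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise struct.error("truncated blob")
    return buf[off + 4:end], end


def _split_options(s: str) -> List[str]:
    """Split the options field on commas that are not inside double quotes."""
    opts, cur, quoted = [], "", False
    for ch in s:
        quoted = (not quoted) if ch == '"' else quoted
        if ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        else:
            cur += ch
    return opts + [cur] if cur else opts


def audit_line(line_no: int, line: str) -> KeyRecord:
    m = LINE_RE.match(line)
    if not m:
        return KeyRecord(line_no, "?", "", "", [], None, ["unparseable"])
    declared, comment = m["type"], m["comment"] or ""
    opts = _split_options(m["opts"] or "")
    rec = KeyRecord(line_no, declared, "", comment, opts, None)
    try:
        raw = base64.b64decode(m["blob"], validate=True)
        blob_type, off = _read_string(raw, 0)       # blob starts with its own type string
        if declared == "ssh-rsa":                   # then mpint e, mpint n for RSA
            _e, off = _read_string(raw, off)
            n, _ = _read_string(raw, off)
            rec.bits = int.from_bytes(n, "big").bit_length()
    except (binascii.Error, struct.error):
        rec.findings.append("malformed-blob")
        return rec
    digest = hashlib.sha256(raw).digest()
    rec.fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if declared not in KNOWN_TYPES:
        rec.findings.append("unknown-key-type")
    if blob_type != declared.encode():
        rec.findings.append("blob-type-mismatch")   # text says one algorithm, bytes another
    if declared == "ssh-dss":
        rec.findings.append("deprecated-dsa")
    if rec.bits is not None and rec.bits < 2048:
        rec.findings.append("rsa-under-2048")
    if not comment:
        rec.findings.append("no-owner-comment")     # nobody is attributable for this key
    names = {o.split("=", 1)[0].strip() for o in opts}
    if not names & {"from", "command"}:
        rec.findings.append("unrestricted")         # usable from anywhere, for any command
    return rec


def audit_authorized_keys(text: str) -> List[KeyRecord]:
    return [audit_line(i, ln) for i, ln in enumerate(text.splitlines(), 1)
            if ln.strip() and not ln.lstrip().startswith("#")]


def summarize(records: List[KeyRecord]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        for f in r.findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


def _blob(key_type: str, *fields: bytes) -> str:
    """Build a base64 key blob from wire-format strings (constructed test data only)."""
    wire = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(),) + fields)
    return base64.b64encode(wire).decode()


def _mpint(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 8) // 8, "big")   # leading zero keeps it positive


# Constructed sample file. The moduli are synthetic numbers of the right size,
# not real RSA keys; the inventory logic is the point, not the key material.
SAMPLE = "\n".join([
    "# deploy keys for prod-db01 (constructed sample)",
    'from="10.20.0.0/16",command="/usr/local/bin/backup-pull" ssh-ed25519 '
    + _blob("ssh-ed25519", b"\x01" * 32) + " backup-svc@jump01",
    "ssh-rsa " + _blob("ssh-rsa", _mpint(65537), _mpint(2 ** 1023 + 1)) + " alice@corp",
    "ssh-rsa " + _blob("ssh-rsa", _mpint(65537), _mpint(2 ** 4095 + 1)),
    "ssh-dss " + _blob("ssh-dss", b"\x02" * 128) + " legacy-cron",
    "ssh-ed25519 " + _blob("ssh-rsa", _mpint(3), _mpint(2 ** 2047 + 1)) + " mislabeled",
    "ssh-ed25519 AAAA nobody",
])

if __name__ == "__main__":
    recs = audit_authorized_keys(SAMPLE)
    for r in recs:
        print(f"line {r.line_no}: {r.key_type} {r.fingerprint} bits={r.bits} "
              f"owner={r.comment!r} findings={r.findings}")
    print("summary:", summarize(recs))
```

Run against the real files (one per account, plus any `AuthorizedKeysFile` locations from `sshd_config`) and feed the records into whatever system of record holds key ownership: a fingerprint with no owner, or an owner who has left, is exactly the uncontrolled production access the article is warning about. The blob-type check matters because the declared type is what an administrator reads, while the bytes are what sshd actually uses.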


               In  light  of  the  critical  need  for  action,  ISACA  has  recently  released  a  new  guidance
               document,  SSH:  Practitioner  Considerations.  In  collaboration  with  industry  experts,
               practitioners and ISACA subject matter experts, the white paper provides an excellent
               overview  of  what  SSH  is,  its  background,  assurance  considerations  and  practitioner
               impacts and suggested controls.

Copyright © Cyber Defense Magazine, All rights reserved worldwide.