Breeding Ground for Identity Theft

By R. L. Brown, CISA

September, 2002

In my work as an IT Auditor for a major consumer products organization I review the information security of primary business partners that are connected to our “core corporate network” for various business purposes.  This activity helps to ensure conformity to corporate information security standards.

The purpose of this article is to describe how a typical organization’s IT environment could unknowingly contribute to an instance of identity theft.  System administrators need to acknowledge their current security position in order to make it stronger.

Background

Recently, I was part of an audit that reviewed the IT controls of a third-party organization responsible for managing our gift/giveaway/promotional/catalogue programs.  This business process involves distributing catalogues; processing customer orders, including receiving order forms and associated coupons and performing credit checks; and managing customer centers.

The third-party organization (we’ll call it Acme) is a fulfillment center.  It is a logistics operation handling our gift/giveaway/promotional/catalogue programs.  Our company contracts with Acme to receive and fulfill requests from our customers for items that they would like to purchase as a result of a promotional activity.  Acme has approximately 10,000 employees worldwide, 2 data centers in 2 of its locations and several warehouses, with 2,000 workstations connected to its network.  Acme uses several temp agencies to fill its 500+ data entry positions.  Our companies exchange financial and operational information on a daily basis.

Scope & Methodology

Our review looked at general controls (e.g. Information Security, Change Control, Computer Operations) and the controls in a single application, which processes customer orders.  Specifically, our team reviewed:

  1. The organization’s Information Security Policy
  2. Logical Access Controls: Access Control Listings for critical directories/files
  3. Host Server Settings
  4. Network Authorization Procedures
  5. Workstation Controls (e.g. timeout passwords, sign-ons, data entry controls)
  6. Database Security Controls
  7. Customer Order System Security Controls
  8. Change Control Procedures

What we found

Not surprisingly, the organization had no published Information Security Policy and no designated Security Officer.  We identified that the development group had full access to production data, that customer credit card information was stored unencrypted in the database, and that audit logging functionality was not implemented.  Standardized images on the warehouse and data entry workstations made communication applications and floppy drives available to all personnel regardless of business need; specifically, Internet Explorer, FTP and Telnet were available to all employees, including data entry personnel.  Last, but not least, by running a password cracking utility in the Unix production environment our team identified that 23% of all user accounts (46 of 200) had easily guessable passwords.

In the situation described above, it is easy to construct a scenario in which an individual, possibly a college student on summer leave doing data-entry work, with the knowledge of systems gained in her freshman computer science 101 class and an average level of curiosity, locates the custcredinfo.table within the relational database program, copies that table to a text file and removes that file from the premises, either on a floppy diskette or by sending it via telnet to her college web server.  With planning, these steps could all happen in under 2 minutes.  Since the auditing functionality is not implemented, the system administrator is unable to give assurances that this has not happened.

Management Response to Findings:

“The users are unable to remember complex passwords.” 

It is technical management’s responsibility to communicate to users that security is a process of which they are the most important part.  For example, send weekly or monthly memos that include short articles on security (e.g. how to create a strong password), and make sure that the logon banner shows users their last logon time.  See http://www.identity-theft-protection.com/articles/pick_password.htm for a good starter.  Periodically, run a security utility against password files to ensure adherence to organizational policies.
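As an added illustration of the "security utility" recommended above (this is example code written for this page, not a tool from the article or from Acme), the script below applies a constructed password standard to a list of accounts and reports the share that fail, the same kind of figure as the 23% finding. The thresholds, the weak-word list and the sample accounts are all assumptions; a real deployment would run the check at password-change time, the only point at which the plaintext is legitimately available, and use a full dictionary.

```python
import string

# Constructed policy thresholds for this example; they stand in for an
# organization's own password standard, not Acme's.
MIN_LENGTH = 10
REQUIRED_CLASSES = 3  # of lowercase, uppercase, digit, symbol

# Constructed stand-in for a real dictionary/common-password list.
WEAK_WORDS = {"password", "welcome", "summer", "acme", "letmein", "qwerty"}


def check_password(username, password):
    """Return the list of policy violations for one candidate password.

    An empty list means the password complies.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < REQUIRED_CLASSES:
        problems.append("uses %d character classes, policy requires %d"
                        % (classes, REQUIRED_CLASSES))

    lowered = password.lower()
    if username.lower() in lowered:
        problems.append("contains the user name")

    # Substring match, so "Summer2002!" is still recognised as the
    # dictionary word "summer" with decoration appended.
    if any(w in lowered for w in WEAK_WORDS):
        problems.append("based on a common word")
    return problems


def audit_accounts(accounts):
    """accounts: iterable of (username, password) pairs.

    Returns (offenders, percent_weak): a dict mapping each non-compliant
    user name to its violations, and the percentage of accounts that failed.
    """
    accounts = list(accounts)
    offenders = {}
    for user, pw in accounts:
        problems = check_password(user, pw)
        if problems:
            offenders[user] = problems
    percent = 100.0 * len(offenders) / len(accounts) if accounts else 0.0
    return offenders, percent


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = [
    ("jdoe", "Summer2002!"),
    ("asmith", "asmith123"),
    ("rbrown", "Tq7#vLm9pZx2"),
    ("temp01", "password"),
    ("ops", "Blue-Harbor-44"),
]

if __name__ == "__main__":
    found, pct = audit_accounts(SAMPLE_ACCOUNTS)
    for user, problems in found.items():
        print("%-8s %s" % (user, "; ".join(problems)))
    print("%.0f%% of accounts fail policy" % pct)
```

The report lists the reason for each failure rather than just a pass/fail, which is what a memo to users or a follow-up finding needs.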

“The project for the roll-out of the data-entry workstations was under time constraints which required the use of a standard desktop image.” 

A step within the development project should determine which applications are necessary for this group of users.  This would include a Risk Assessment identifying business functionality by user group.  The management philosophy should be “Access to those that require it for value-added business purposes.”

The downside risk here is huge (i.e. total compromise of customer financial information).  In granting personnel access to unnecessary applications, your organization runs serious risks including fraud, industrial espionage and diminished productivity. 

“We don’t have enough budget to resource for a security log server.”

This depends on the activity of your online system.  However, system administrators would do well to take a page from the hacker community on efficiency of monitoring (i.e. “silent footprinting”, the technique used to case an organization while staying under the radar of intrusion detection software).  Identify key objects (files, directories) and track users’ activities relating to them.  Revisit these key objects periodically to ensure that they still represent the true risk picture of the organization.
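The key-object monitoring suggested above, as an added example that is not part of the original article: two rules run over constructed audit records, one flagging any read of a key object by an account with no business need, the other flagging a key-object read followed within a short window by an outbound program or a copy to the floppy drive, which is the sequence in the data-entry scenario earlier in the article. The log format, object paths, account names and the five-minute window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Key objects from the risk assessment, mapped to the accounts with a
# business need to touch them. Paths and account names are constructed for
# this example (the article names only custcredinfo.table).
KEY_OBJECTS = {
    "/prod/db/custcredinfo.table": {"orderapp", "dba01"},
    "/prod/db/orders.table": {"orderapp", "dba01", "dev_support"},
}

# Channels that move data off the workstation; using one shortly after a
# key-object read is the pattern described in the article's scenario.
OUTBOUND_PROGRAMS = {"ftp", "telnet"}
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(line):
    """Parse one constructed audit record: '<iso-timestamp> <user> <action> <target>'."""
    ts, user, action, target = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "target": target}


def analyze(lines):
    """Run the two key-object rules over audit lines; return a list of alerts.

    Rule 1: a read of a key object by an account without a business need.
    Rule 2: any account that reads a key object and, within WINDOW, starts an
            outbound program or copies to the floppy drive (A:).
    """
    alerts = []
    last_key_read = {}  # user -> (timestamp, object) of the latest key-object read
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev["action"] == "read" and ev["target"] in KEY_OBJECTS:
            if ev["user"] not in KEY_OBJECTS[ev["target"]]:
                alerts.append(("unauthorized-access", ev["user"], ev["ts"], ev["target"]))
            last_key_read[ev["user"]] = (ev["ts"], ev["target"])
            continue
        outbound = ((ev["action"] == "exec" and ev["target"] in OUTBOUND_PROGRAMS)
                    or (ev["action"] == "copy" and ev["target"].upper().startswith("A:")))
        if outbound and ev["user"] in last_key_read:
            t0, obj = last_key_read[ev["user"]]
            if ev["ts"] - t0 <= WINDOW:
                alerts.append(("possible-exfiltration", ev["user"], ev["ts"],
                               "%s -> %s" % (obj, ev["target"])))
    return alerts


# Constructed sample audit log: a temp data-entry account reading the card
# table and moving data out, plus benign activity by authorised accounts.
SAMPLE_LOG = """
2002-08-14T09:12:03 tmp217 read /prod/db/custcredinfo.table
2002-08-14T09:12:41 tmp217 copy A:/cc.txt
2002-08-14T09:13:10 tmp217 exec telnet
2002-08-14T09:15:00 dba01 read /prod/db/custcredinfo.table
2002-08-14T10:02:17 dev_support read /prod/db/orders.table
2002-08-14T10:45:00 dba01 exec ftp
""".strip().splitlines()

if __name__ == "__main__":
    for rule, user, ts, detail in analyze(SAMPLE_LOG):
        print(ts.isoformat(), rule, user, detail)
```

Only events touching the key objects or the outbound channels are correlated, so the volume stays small even on a busy system; the dba01 ftp session ninety minutes after an authorised read produces nothing, while the temp account produces three alerts inside one minute.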

In conclusion, before the state of an organization’s information security can get better it is imperative that administrators acknowledge their current security situation and take steps to improve it with the support of executive management.

If you have questions or comments on this article send them to editor@auditnet.org or to the author rlbrownjr5@cs.com


Copyright © AuditNet.org.  


Revised: January 31, 2010
