
Logical Security: The Network Layer

            •  More than one domain controller may exist in any one domain (e.g. a primary and a secondary).
               Others may exist depending on the extent of an organization’s network. Additional domain
               controllers primarily act as backup if the primary is unavailable. They also help with network
               load balancing for general user response time.
            •  All domain controllers within a domain talk to one another, so at any one point, all will have the
               same information.

            Trust Relationships
            •  A trust relationship is a logical relationship in which rights and privileges are shared between two
               domains.
            •  An organization could have several domains with trust relationships between them, such that if
               someone logs into one domain, he or she can then access other domains. There could also be no
               trust relationship between domains, such that an additional login is required.
            •  One reason for separate, untrusted domains is to secure data for a specific purpose from the
               general domain (i.e., network). Examples of separate, untrusted domains can be seen in credit
               card processing or when processing confidential data.

            Security Risks

            Physical access:
            •  Network devices are usually physically secure in a wiring closet, cloud vendor cage, or computing
               center. Access to network devices could occur through unauthorized access to these locations.
            •  Once physical access occurs, a bad actor could logically connect to the device and gain control
               with proper credentials, or could damage or steal the device.

            Logical access:
            •  Vendor-supplied default account passwords and IDs may not have been changed, thus allowing
               unauthorized access into network devices.
            •  Weak passwords, or the complete absence of passwords, may be in use; weak passwords can be
               easily guessed by humans or by password-cracking software.
            •  Excessive use of trusted rights between test and production domains allows a bad actor to
               propagate between domains unnoticed.
            •  Weak logging and monitoring practices limit suspicious activity detection, including data leakage
               and fraud.
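
The trust relationship bullets and the test/production trust risk above can be checked mechanically. The following is an added example, not part of the course material: it walks a list of trusts and reports every path from a general domain into a domain that is meant to need an additional login. The domain names, the edge direction ("accounts in a can access b") and the transitive/non-transitive flag are assumptions made for the illustration.

```python
from collections import deque

# Constructed sample data: every domain name and trust below is hypothetical.
# An edge (a, b, transitive) means "accounts in domain a can access domain b".
TRUSTS = [
    ("corp", "test", True),
    ("test", "prod", True),       # test-to-production trust
    ("prod", "cardproc", True),
    ("vendor", "corp", False),    # non-transitive: stops at corp
]
RESTRICTED = {"prod", "cardproc"}  # domains meant to need an additional login


def reachable(trusts, start):
    """Map each domain reachable from `start` to the trust path that gets there."""
    chain = {start: [start]}   # reached through transitive trusts only
    direct = {}                # reached by a single non-transitive trust
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for src, dst, transitive in trusts:
            if src != here:
                continue
            if transitive and dst not in chain:
                chain[dst] = chain[here] + [dst]
                queue.append(dst)
            elif not transitive and here == start:
                direct.setdefault(dst, [start, dst])
    found = {**chain, **direct}
    del found[start]
    return found


def audit(trusts, restricted):
    """Return (source, restricted_domain, path) for every exposed restricted domain."""
    domains = {d for src, dst, _ in trusts for d in (src, dst)}
    findings = []
    for start in sorted(domains - restricted):
        for dst, path in sorted(reachable(trusts, start).items()):
            if dst in restricted:
                findings.append((start, dst, path))
    return findings


if __name__ == "__main__":
    for source, target, path in audit(TRUSTS, RESTRICTED):
        print(f"{source} can reach {target}: {' -> '.join(path)}")
```

With the sample data, removing the single test-to-production trust clears every finding, which is the effect of keeping restricted domains untrusted.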

            Controls

            Network controls:
            •  Passwords for vendor-supplied accounts are changed and IDs are disabled.
            •  Access to passwords is restricted (emergency/shared privilege accounts utilize one-time-use
               password generation software).
            •  Physical access to data centers and wiring closets is restricted.
                   •  Strict approval process before granting access to areas that contain networking
                       equipment or cables.


            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.