<strong>ISO</strong>/<strong>IEC</strong><strong>18028</strong>-1:2006(E)public networks. Each type of remote log-in should have additional controls appropriate to the nature of theconnection type. Control examples are:— not allowing direct access to system and network software from accounts used for remote access, exceptwhere additional authentication has been provided (see Clause 13.6.3 below), and perhaps end-to-endencryption,— protecting information associated with e-mail software and directory data stored on PCs and laptops usedoutside of an organization's offices by its personnel, from unauthorized access.13.6.3 Authentication EnhancementsThe use of user id/password pairs is a simple way to authenticate users, but they can be compromised orguessed. There are other more secure ways to authenticate users, particularly remote users. Authenticationenhancements should be required when a high possibility exists that an unauthorized person may gain accessto protected and important systems. This may be, for example, because the access may be initiated usingpublic networks, or the accessing system may be out of the direct control of the organization (e.g. via alaptop).Where authentication enhancements over network connections are required (for example, by contract) orjustified by the risks, an organization should consider strengthening the person authentication process byimplementing relevant controls.Simple examples are using:— CLID, which may be thought of as the originating telephone number seen by the receiving equipment.Although CLID has some value as being the claimed ID of the calling party, it is open to spoofing andshould not be used as a proven ID without further authentication. CLID is often used as a quick identifierin the establishment of backup links (especially over ISDN) between sites,— links via modems that are disconnected when not in use, and only connected after verification of thecaller's identity.More complex, but very important, examples - particularly in the context of remote access, are:— using other means of identification to support the authentication of users, such as remotely verified tokensand smart cards (e.g. through readers attached to PCs), hand held one time pass key generation devices,and biometric based facilities,— ensuring that the token or card can only function in conjunction with the authorized user's authenticatedaccount (and preferably, that user's PC and location/access point) and, for example, any related PIN orbiometric profile.Generically this is termed strong, two factor, authentication. If tokens are used, a user is required to know aPIN which with the token enables the production of a unique authentication value. With regard to smartcards,these can be viewed as automating the use of token access. In order to be 'opened', the user should supplythe PIN to the card after inserting it into the smartcard reader. Then, whenever authentication is required bythe central or remote systems, the smartcard may be 'called' directly to 'sign' data (proving authentication)using a key embedded in the smartcard.13.6.4 Remote System IdentificationAs implied in Clause 13.6.3 above, where relevant authentication should be enhanced by verification of thesystem (and its location/access point) from which external access is made.It should be recognized that different network architectures can offer differing identification capabilities. Thus,the organization may achieve enhanced identification by choosing an appropriate network architecture. Allsecurity control capabilities of the chosen network architecture should be considered.50 © <strong>ISO</strong>/<strong>IEC</strong> 2006 - All rights reserved
<strong>ISO</strong>/<strong>IEC</strong><strong>18028</strong>-1:2006(E)13.6.5 Secure Single Sign-onWhere network connections are involved, users are likely to encounter multiple identification andauthentication checks. In such circumstances users may be tempted to adopt insecure practices such aswriting down passwords or re-using the same authentication data. Secure single sign-on can reduce the risksof such behavior by reducing the number of passwords that users have to remember. As well as reducingrisks, user productivity may be improved and helpdesk workloads associated with password resets may bereduced.However, it should be noted that the consequences of failure of a secure single sign-on system could besevere because not one but many systems and applications would be at risk and open to compromise(sometimes termed the "keys to the kingdom" risk).Stronger than normal identification and authentication mechanisms may therefore be necessary, and it maybe desirable to exclude identification and authentication to highly privileged (system level) functions from asecure single sign-on regime.13.7 Network Audit Logging and MonitoringIt is very important to ensure the effectiveness of network security through audit logging and ongoingmonitoring, with the rapid detection, investigation and reporting of, and response to, security events and thenincidents. Without this activity, it is not possible to be sure that network security controls always remaineffective and that security incidents will not occur with resultant adverse effects on business operations.Sufficient audit log information of error conditions and valid events should be recorded to enable thoroughreview for suspected, and of actual, incidents. However, recognizing that recording huge amounts of auditrelated information can make analysis difficult to manage, and can affect performance, care has to be takenover time in what is actually recorded. For network connections, audit logs should be maintained that includethe following types of event:— remote failed log-on attempts with dates and times,— failed re-authentication (or token usage) events,— security gateway traffic breaches,— remote attempts to access audit logs,— system management alerts/alarms with security implications (e.g. IP address duplication, bearer circuitdisruptions),In a networking context, audit logs should be drawn from a number of sources, such as routers, firewalls, IDS,and sent to a central audit server for consolidation and thorough analysis. All audit logs should be examined inboth real time and off line. In real time, logs may be displayed on a rolling screen and used to alert potentialattacks. Off line analysis is essential as this allows the greater picture to be determined with trend analysisbeing undertaken. First indications of an attack may be that there are substantial "drops" in the firewall logs,indicating probing activity against a potential target. An IDS system may also detect this in real time againstan attack signature. Thus, it is emphasized that great care should be taken in selecting the right audit loganalysis tools, to provide quick, focused and readily understandable outputs.Audit trails should be maintained online for a period in accordance with the needs of the organization, with allaudit trails backed up and archived in a manner that ensures integrity and availability, e.g. by using WORMmedia such as CDs. Further, audit logs contain sensitive information or information of use to those who maywish to attack the system through network connections, and possession of audit logs may provide proof oftransfer over a network in the event of a dispute - and are therefore particularly necessary in the context ofensuring integrity and non-repudiation. Therefore all audit logs should be appropriately protected, includingwhen archived CDs are destroyed at the designated date. Audit trails should be securely retained for a periodin accordance with organizational requirements and national legislation, It is also important that timesynchronization is properly addressed for all audit trails and related servers, for example using NTP,particularly for forensics and possible use in prosecutions.© <strong>ISO</strong>/<strong>IEC</strong> 2006-All rights reserved 51