FISMA Compliance – What’s the big deal anyway?

The article below is a guest post by our US partner, Information Systems Laboratories (ISL). ISL offers a wide range of services to help companies implement or improve a corporate cyber/information security program, including independent IT security evaluations, threat and vulnerability analysis and incident response plans.
ISL has entered a partnership with IS Decisions, recognizing UserLock and FileAudit as efficient software solutions for implementing FISMA/NIST compliance for three key NIST 800-53 control families:

  • Access Control (AC)
  • Identification and Authentication (IA)
  • System and Information Integrity (SI)


UserLock limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network.

FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Windows systems.

Hope you enjoy the article and I look forward to your comments,
François AMIGORENA
President & CEO

In the United States, FISMA compliance is treated as a matter of national security. To underline its importance, every federal agency receives an annual, and very publicly available, grade based on the effectiveness of its IT security program. Fail a compliance assessment and, in addition to the publication of your failing grade, your CIO may be called to a congressional hearing. If that is not enough, after the hearing the Office of Management and Budget (OMB) may cancel or delay funding of your government programs. None of this is welcome news, nor career-enabling.

Whether you work for a corporation or a government agency, the importance of keeping your data safe goes without saying. In fact, the larger your corporation, the more importance the government places on your data, moving you closer to the same requirements government agencies face.

What is FISMA?

The Federal Information Security Management Act (FISMA) was devised to assist agencies and departments of the federal government in securing their data. Chief Information Officers (CIOs), Inspectors General (IGs) and officials of government programs are required to conduct annual reviews of their information security program and report their findings to the Office of Management and Budget (OMB). The OMB then reports to Congress on each agency's compliance. The annual report must also include an independent cyber security evaluation.

What is NIST?

As an agency of the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) has developed a set of controls and guidelines supporting FISMA which Federal agencies and organizations supporting them must follow.

NIST 800-53 Control Families

The 18 control families and their 205 controls covered by NIST 800-53 encompass everything from physical security to information systems security to spam prevention, and are designed to work for any organization, as long as the controls are selectively chosen and implemented. Implementing every control to its fullest extent would certainly be secure, but it would be prohibitively expensive and would severely cripple the organization's ability to function efficiently, which is in direct conflict with the purpose of the controls. The intent is a calculated, risk-based approach that implements just the right set of controls. Doing so not only saves money but also improves the organization's operational efficiency. Maximizing these benefits is where the assistance of trained cyber security professionals is critical. The best cyber security evaluation companies are those who take the time to learn your environment and processes so that the optimum controls are selected and adhered to.

NIST 800-53 Control Family Summaries

Below are some of the points contained within each of the control families. For a complete view into each control, we recommend ISL’s Cyber Security Search Engine.

Access Control (AC)

Control: 22 | Class: Technical

The 22 controls making up this family provide security guidance focused on access control policies and procedures, remote access, access control lists (ACLs), etc., helping to ensure that access to physical and computer-based information systems is restricted to authorized individuals only.

Access Control: a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.

Awareness and Training (AT)

Control: 5 | Class: Operational

The intention of these 5 controls is to ensure a Security Awareness and Training policy is established along with its respective procedures and sufficient security awareness training programs are employed.

Awareness: activities which seek to focus an individual's attention on an (information security) issue or set of issues.
Training: strives to produce relevant and needed (information) security skills and competencies. The most significant difference between training and awareness is that training seeks to teach skills which allow a person to perform a specific function, while awareness seeks to focus an individual's attention on an issue or set of issues.

Audit and Accountability (AU)

Control: 14 | Class: Technical

The purpose of these 14 controls is to have the organization identify, audit, track and report on events that could indicate a security risk.

Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Security Assessment and Authorization (CA)

Control: 7 | Class: Management

This set of 7 controls ensures the organization has a Security Assessment Plan which specifies the included controls and enhancements, their procedures, and the selection of an independent assessment team to conduct an impartial assessment. In the event the assessment is conducted by an internal team (because the company is small, for instance), the results are to be reviewed and analyzed by an independent team of experts, such as ISL's Cyber Security Evaluation team.

Configuration Management (CM)

Control: 9 | Class: Operational

The intent of these 9 controls is to ensure the organization has a Configuration Management policy and formalized procedures in place to establish baseline configurations, change control, security impact analyses, component inventory, etc. to help ensure changes to systems are tracked since even minor changes can have severe security implications.

Configuration management is unique identification, controlled storage, change control, and status reporting of selected intermediate work products, product components, and products during the life of a system.

Contingency Planning (CP)

Control: 10 | Class: Operational

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised.

Identification and Authentication (IA)

Control: 8 | Class: Technical

Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.
Authentication: A process that establishes the origin of information or determines an entity’s identity.

Incident Response (IR)

Control: 8 | Class: Operational

The 8 controls contained within this family guide the organization in the creation of an incident response policy and procedures to support a proper response to an incident that may jeopardize the organization's information systems.

Maintenance (MA)

Control: 6 | Class: Operational

The intent of these 6 controls is to have the organization develop a System Maintenance Policy and supporting procedures to ensure the organization schedules, documents and reviews all maintenance and repairs of systems, uses approved maintenance tools, employs strong identification and authentication for remote maintenance, etc. In other words, these are the operations required to keep hardware, software, data, etc. in good working order.

Media Protection (MP)

Control: 6 | Class: Operational

The 6 controls within the Media Protection family ensure the organization creates a Media Protection policy and supporting procedures so that proper steps are taken to protect data held on media and prevent unintentional access and loss.

Physical and Environmental Protection (PE)

Control: 19 | Class: Operational

The 19 controls within this family help to enforce measures to protect information systems from unauthorized physical access.

Planning (PL)

Control: 6 | Class: Management

This family of 6 controls encourages the development of a System Security Plan, online rules of behavior for employees along with a security planning policy and procedures.

Personnel Security (PS)

Control: 8 | Class: Operational

The intent of the Personnel Security control family is to provide guidance in the hiring, security management and termination of employees.

Risk Assessment (RA)

Control: 5 | Class: Management

The Risk Assessment control family directs the organization in the creation of a Risk Assessment Policy and resulting procedures in order to assess the potential and magnitude of harm in the event of unauthorized access of information systems. In addition to the understanding of the potential risks, software and hardware solutions are implemented to help mitigate risk by identifying and addressing vulnerabilities.

System and Services Acquisition (SA)

Control: 14 | Class: Management

The System and Services Acquisition control family exists to ensure the budgetary means to support the ongoing security needs of the organization are established; systems are properly documented; software licensing is documented and enforced; peer-to-peer file sharing is not used to share unauthorized data or copyrighted material, etc.

System and Communications Protection (SC)

Control: 34 | Class: Technical

The System and Communications Protection control family consists of 34 controls. However, this is a little misleading, as 11 of them have been withdrawn, leaving 23 active controls. The breadth of this family covers topics such as the physical and/or logical separation of system management interfaces from user functionality; the separation of security functions from non-security functions of the system; the prevention of unauthorized transfer of information through a commonly shared resource such as system memory; the protection of systems from Denial of Service (DoS) attacks; and even the prioritization of system resources, to ensure low-priority services don't negatively impact those of a higher priority.

System and Information Integrity (SI)

Control: 13 | Class: Operational

Some of the purposes behind the 13 controls within the System and Information Integrity control family are to identify, report and correct flaws in code, including proper error handling; protection from malicious code such as viruses, Trojans and spyware; monitoring of systems; the reception of, and reaction to, internal and external security alerts; detection of unauthorized changes to data and software; protection from spam; and predicting and preventing the failure of systems.

Program Management (PM)

Control: 11 | Class: Management

The 11 controls within the Program Management family direct the organization to develop an Information Security Program Plan, a process to ensure Plans of Action and Milestones (POA&M) are properly worked, etc. Appointing a Senior Information Security Officer (SISO), or, if your organization is a federal agency, a Senior Agency Information Security Officer (SAISO), is among the other directives to ensure the information security program is established and in working order.

Though this overview vastly simplifies the complexities and nuances of cyber security, we hope you have found this helpful. Should you have questions or would like to explore how your organization measures up to these and other controls, let us recommend our partner, Information Systems Laboratories (ISL).

Contact them if you are interested in receiving an Independent Cyber Security Evaluation.

You can also download free trial versions of UserLock and FileAudit from our website.

"It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections."

— Brian Krebs on KrebsOnSecurity.com


IS Decisions opens UserLock 6.0 Beta Testing Program

We are pleased to announce the UserLock 6.0 Beta Testing Program.

UserLock limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network.

UserLock 6.0 is a major upgrade that comes with numerous new features and enhancements including:

- Time quotas: ability to define daily, weekly, monthly, etc. quotas.
- A third type of Protected Account: Organizational Units.
- Protection of IIS sessions (Ex: control access to Outlook Web Access or an Intranet).
- Ability to set the protected zone by selecting multiple computer Organization Units.
- Ability to define restrictions on workstations with computer Organizational Units.
- Audit and display session with local accounts.
- Specialized reports for RAS sessions (history, evolution and statistics).
- And more…

UserLock 6.0 Beta Testing Program

UserLock 6 beta will be ready in a couple of weeks. Would you like to test it?

Join our Beta Testing Program by filling out this online Web form.

We will share documents and resources and provide personalized technical support during your tests of the Beta.

Thank you in advance for your interest in UserLock 6.0!


UserLock and FileAudit help guard against rogue sys admins

Back in September 2010, Network World published an insightful article by Carolyn Duffy Marsan, titled «6 tips for guarding against rogue sys admins».

In this article, Carolyn underlined the fact that «one of the biggest threats that organizations face is losing sensitive data […] to theft from their own employees. The threat is greatest from systems and network administrators, who have privileged access to vast amounts of corporate data and are responsible for most compromised records in insider cases.»

Carolyn then described several practical steps IT departments can take to minimize the insider threat, including:

«Restrict and monitor users with special privileges»

More easily said than done if you rely only on native Windows features. Windows lacks the fundamental and classic login session controls found in other environments such as mainframe and midrange systems, UNIX and NetWare.

UserLock comes in handy here, as this software solution allows CIOs to:

  • limit or prevent concurrent logins to a Windows network, based on user, user groups or session types,
  • restrict user access to the network with multiple criteria: workstations, time, business hours, and connection type,
  • follow the session activity on the network in real-time and get detailed, graphical reporting,
  • automatically receive popup or email alerts for specific events such as denied logins, successful logins and logoffs.

«Keep user access and privileges current, particularly during times of job changes or layoffs»

Here again, native Windows features are not really oriented to easily provide this functionality.

Imagine the following example:
A sys admin (let us call him John) is fired and knows that his dismissal is coming. John is logged on at 04:00 pm, and at 04:05 pm the CIO disables and/or deletes his account. Guess what happens? John is still logged on to a workstation and connected to some servers. All he has to do is unlock the workstation: by default, a workstation validates an unlock request against locally cached credentials rather than asking the domain controller (the policy "Interactive logon: Require Domain Controller authentication to unlock workstation" is disabled unless you turn it on). The result is that John can keep working on his desktop, his local drives and any server connection that was already authenticated, even though his account has been disabled or deleted.

With UserLock, a CIO can remotely lock, logoff and reset all sessions immediately, from potentially anywhere using the Web interface.
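As an added example (not part of the original post, nor UserLock's code), here is how an administrator can approximate the same emergency response with native tools: disable the account, then enumerate and log off the user's interactive sessions on a list of computers, and check whether those machines re-validate unlocks with the domain controller. It assumes the RSAT ActiveDirectory module, RPC access for quser/logoff and WinRM for Invoke-Command; the computer names and the user name in the usage lines are placeholders.

```powershell
# Added example: disable an account and terminate its interactive sessions
# with native tools. Assumes the ActiveDirectory RSAT module and RPC/WinRM
# access to the listed computers (host and user names are placeholders).
Import-Module ActiveDirectory

function Get-InteractiveSessions {
    param([string]$ComputerName)
    # quser prints: USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
    # SESSIONNAME is blank for disconnected sessions, so parse by regex,
    # not by column position.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\w+)'
    $lines = & quser /server:$ComputerName 2>$null | Select-Object -Skip 1
    foreach ($line in $lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Computer = $ComputerName
                User     = $Matches.User
                Id       = [int]$Matches.Id
                State    = $Matches.State
            }
        }
    }
}

function Revoke-UserAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    # 1. Disable first, so no new logon succeeds while we hunt for sessions.
    Disable-ADAccount -Identity $SamAccountName
    # 2. Existing sessions survive the disable; log them off explicitly.
    foreach ($c in $ComputerName) {
        Get-InteractiveSessions -ComputerName $c |
            Where-Object { $_.User -ieq $SamAccountName } |
            ForEach-Object {
                Write-Host "Logging off $($_.User) session $($_.Id) ($($_.State)) on $c"
                & logoff $_.Id /server:$c
            }
    }
}

# Does this workstation ask the DC before unlocking? ForceUnlockLogon = 1
# corresponds to the policy "Interactive logon: Require Domain Controller
# authentication to unlock workstation" being enabled.
function Test-ForceUnlockLogon {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $v = (Get-ItemProperty -Path $key -Name ForceUnlockLogon -ErrorAction SilentlyContinue).ForceUnlockLogon
        [int]$v -eq 1
    }
}

# Usage (placeholder names):
# Revoke-UserAccess -SamAccountName 'john' -ComputerName 'WS-042', 'FS-01'
# Test-ForceUnlockLogon -ComputerName 'WS-042'
```

The order matters: disabling first closes the front door, and the explicit logoff closes the sessions that were already inside. The script only covers machines you list, which is exactly the gap a central session inventory fills; it also needs to run as an account with administrative rights on every target.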

«Monitor employees found guilty of minor online misconduct»

When it comes to employees’ online behavior surveillance, two things are crucial:

To monitor logon sessions

Here again, native Windows features are not sufficient. System Admins are not able to answer the following questions in real time:

  • Who is logged on at which computers?
  • Which computers are being used by a given user?
  • Who are the users currently logged on at this particular computer?

UserLock allows real time session surveillance and monitoring; at all times a CIO knows who is connected, from what workstation(s), since when…

To monitor access to files and folders

To monitor access to an organization's files and folders, native Windows offers only the Security event log: once object-access auditing is enabled, administrators are left with hundreds or even thousands of raw events to sift through and decode to pinpoint the information of interest. This generates endless hours of unproductive and error-prone work.
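To show what that native route involves, here is an added example (not code from the original post, nor from FileAudit) that turns on object-access auditing for one sensitive folder and then reduces the Security log to the events that actually concern it. It must run elevated on the file server; the folder path is a placeholder.

```powershell
# Added example: native file-access auditing for one sensitive folder.
# Run elevated on the file server. The folder path below is a placeholder.
$Folder = 'D:\Shares\Finance'   # hypothetical sensitive folder

function Enable-FolderAudit {
    param([string]$Path, [string]$Principal = 'Everyone')
    # The Security log only records object access when BOTH the audit
    # policy and a SACL on the object ask for it.
    & auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,Delete,ChangePermissions,TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccessEvents {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-1))
    # 4663: an attempt was made to access an object (read/write/delete)
    # 4670: permissions on an object were changed
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Drop the noise: keep only objects under the folder we care about.
        if ($d.ObjectName -and $d.ObjectName.StartsWith($Path, 'OrdinalIgnoreCase')) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $(if ($e.Id -eq 4663) { $d.AccessMask } else { 'ACL changed' })
                Process = $d.ProcessName
                Outcome = $(if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Denied' } else { 'Accepted' })
            }
        }
    }
}

# Usage:
# Enable-FolderAudit -Path $Folder
# Get-FolderAccessEvents -Path $Folder | Sort-Object Time | Format-Table -AutoSize
```

Two caveats a practitioner will hit immediately: the SACL generates one 4663 per handle operation, so a single file save can produce several events, and the AccessMask is a hexadecimal bit field you still have to decode by hand. Both are the "thousands of events" problem the paragraph above describes.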

FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Microsoft Windows systems.

FileAudit instantly gives a comprehensive list of:

  • read/write accesses
  • file ownership changes (accepted or denied)
  • permission modifications (accepted or denied)

Each record details:

  • the user
  • the domain
  • the date and time of connection and disconnection

for:

  • a file
  • a selection of files
  • a folder and its subfolders
  • a selection of folders and subfolders

«Educate your employees about insider threat»

Raising employees’ awareness about insider threat is a key component of an efficient IT security strategy. Regular training or offering a hotline so that employees can anonymously report fraud are part of the insightful measures that should be taken to mitigate insider threat. But one of the most efficient ways to make users security aware is to systematically remind them of their rights and duties each time they log on.

UserLock allows notifying all users, prior to their gaining access to a system, with a tailor-made disclaimer. Users can, for example, be advised that system usage is monitored, recorded and subject to audit, and that unauthorized use is prohibited and subject to criminal and civil penalties.

Another efficient way is to show users, at each connection, detailed information about their previous logons, so they can easily detect whether someone else has successfully logged on (or attempted to log on) as them and potentially impersonated them. Native Windows offers only a reduced form of this: the policy "Display information about previous logons during user logon" (which requires a Windows Server 2008 domain functional level) shows the date and time of the last successful and last failed logon and the number of failed attempts since the last success, but not which workstations those logons came from.

At each logon, UserLock provides users with information such as:

  • last workstation logged on,
  • date and time of last successful logon,
  • history of all logons denied by UserLock and Windows since last successful logon,
  • number of logons denied by UserLock and Windows since last successful logon.

We look forward to your comments and concerns. Feel free to post your remarks hereunder or use Twitter or Facebook to exchange with us.

Download UserLock now

Download FileAudit now

"The more times a user is logged in to the network, the harder it is to determine if that user is really the person who logged in.

Limiting the number of concurrent connections to two or even one makes tracking users' network access easier and provides an additional level of security by reducing the number of logged in but unattended workstations.

Administrator accounts, in particular, should have limited concurrent connections. If an administrator should receive a denied login due to a current connections limit he would immediately know that his account had been compromised, or that another login had been inadvertently left active."

Protecting Your Network Against Known Security Threats (Novell Research)


Prevent/limit concurrent logins to your Windows network using UserLock
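The Novell advice above can at least be detected after the fact with native logs, even if it cannot be enforced natively. The following is an added example (not code from the original post, nor UserLock's own logic) that correlates interactive logon and logoff events per user to count sessions still open and flag users over a limit. The records are constructed for illustration, not captured from a real system; in practice they would come from Get-WinEvent on a collector that receives forwarded Security logs (4624 logon with LogonType 2/10/11, 4647 or 4634 logoff, matched on the Logon ID). The account names are placeholders.

```powershell
# Added example: count still-open interactive sessions per user from
# logon/logoff events. Sample records are constructed, not real captures;
# account and host names are placeholders.
$Sample = @(
    [pscustomobject]@{ Time = [datetime]'2011-03-01T08:00:00'; Id = 4624; User = 'jsmith';     Computer = 'WS-01'; LogonId = '0x1a2b'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2011-03-01T08:10:00'; Id = 4624; User = 'admin1';     Computer = 'FS-01'; LogonId = '0x3c4d'; LogonType = 10 }
    [pscustomobject]@{ Time = [datetime]'2011-03-01T08:12:00'; Id = 4624; User = 'jsmith';     Computer = 'WS-07'; LogonId = '0x5e6f'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2011-03-01T08:15:00'; Id = 4624; User = 'admin1';     Computer = 'WS-02'; LogonId = '0x7081'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2011-03-01T08:20:00'; Id = 4647; User = 'jsmith';     Computer = 'WS-01'; LogonId = '0x1a2b'; LogonType = $null }
    [pscustomobject]@{ Time = [datetime]'2011-03-01T08:25:00'; Id = 4624; User = 'svc-backup'; Computer = 'FS-01'; LogonId = '0x92a3'; LogonType = 5 }
)

function Get-ConcurrentSessions {
    param(
        [object[]]$Events,
        [int]$Limit = 2,                          # general per-user ceiling
        [string[]]$AdminAccounts = @('admin1')    # admins: more than one is suspect
    )
    $open = @{}   # LogonId -> logon record with no matching logoff yet
    foreach ($e in ($Events | Sort-Object Time)) {
        switch ($e.Id) {
            4624 {
                # 2 = interactive, 10 = RDP, 11 = cached interactive; skip
                # service/network logons, which are not user sessions.
                if ($e.LogonType -in 2, 10, 11) { $open[$e.LogonId] = $e }
            }
            { $_ -in 4634, 4647 } { $open.Remove($e.LogonId) }
        }
    }
    $open.Values | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Sessions  = $_.Count
            Computers = ($_.Group.Computer -join ',')
            Flag      = ($_.Count -gt $Limit) -or ($AdminAccounts -contains $_.Name -and $_.Count -gt 1)
        }
    }
}

Get-ConcurrentSessions -Events $Sample | Format-Table -AutoSize
```

The sample deliberately contains one administrator with open sessions on two machines, which is the case the function flags, and a service logon (type 5), which it ignores. Note what this cannot do: it reports concurrency only once the logs have been collected centrally, and it does not deny the second logon, which is the enforcement point the quote is really asking for.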


Protect Windows networks from careless and fraudulent users

According to several recent studies, the most costly or damaging attacks against information systems are more often caused by insiders (employees or contractors with authorized access).


Taking this fact into account, we developed an enterprise software solution named UserLock, whose main goal is to protect Windows networks from careless and/or fraudulent users, thus efficiently mitigating insider threat.


UserLock allows IT security teams to:


- prevent or limit simultaneous logon (same ID, same password), per user or user group
- record all session logging and locking events in an ODBC database (Access, SQL Server, Oracle, MySQL,…) for future reference
- monitor user sessions in realtime (who is connected, from which workstation(s), for how long…)
- remotely lock, logoff and reset all interactive sessions
- define working hours and/or maximum session time for protected users and disconnect users with prior warning outside of the defined timeframe(s) and/or when time is up
- restrict user group’s network access per workstation or IP range
- notify all users prior to gaining access to a system with a tailor-made warning message (legal disclaimer, etc.)
- …


More than 750,000 UserLock licenses are already in use by worldwide security-demanding organizations including:
BAE Systems, Banco de Costa Rica, Barclays Bank, BMW, Computer Sciences Corporation, Frito-Lay, Lockheed Martin, Mitsubishi, National Bank of Kuwait, South Wales Police, Telcel, United Nations Organization, US Department of Justice, US Department of Veterans Affairs, US Navy Marine Corps, TimeWarner, …


You will find information about UserLock on our website and this whitepaper will provide you with further details about holes in Windows native login controls and how UserLock fills them in and helps organizations to comply with major regulatory constraints (HIPAA, SOX, PCI, NISPOM, DCID 6/3 - ICD 503, GLBA, US Patriot Act, FISMA…).



Get your free, fully-functional, 180-day copy of UserLock



CERT Best Practices for Protecting Against Insider Threat and How UserLock Can Help

CERT, Carnegie Mellon University Software Engineering Institute’s center for conducting and coordinating information security research, has released the Common Sense Guide to Prevention and Detection of Insider Threats, Version 3.1.



This valuable, insightful document (PDF, 88 pages) provides a comprehensive range of best practices to mitigate insider threat. UserLock, our software solution to secure access to Microsoft Windows-based networks, can help implement a large part of them.


CERT BEST PRACTICE 2: Clearly document and consistently enforce policies and controls
“A consistent, clear message on organizational policies and controls will help reduce the chance that employees will inadvertently commit a crime or lash out at the organization for a perceived injustice.”

UserLock allows notifying all users prior to gaining access to a system with a tailor-made warning message.

These messages can for example include:
- a tailor-made legal disclaimer, including acceptable use of organization’s systems, information, and resources
- last workstation logged on
- date and time of last successful logon
- history of all logons denied by UserLock and Windows since last successful logon
- number of logons denied by UserLock and Windows since last successful logon.


CERT BEST PRACTICE 4: Monitor and respond to suspicious or disruptive behavior
“One method of reducing the threat of malicious insiders is to proactively deal with suspicious or disruptive employees.”

UserLock allows real time session surveillance and monitoring; at all times, a system administrator knows who is connected, from what workstation(s), since when… and can remotely lock, logoff and reset all sessions, either from the administration console or the Web interface.


CERT BEST PRACTICE 7: Implement strict password and account management policies and practices.
“If the organization’s computer accounts can be compromised, insiders can circumvent manual and automated control mechanisms.”

UserLock allows:
- simultaneous logon (same ID, same password) limitation or prohibition, per user or user group, which discourages credential sharing and the accountability and non-repudiation problems it causes.
- defining working hours and/or maximum session time for protected users. Outside of this (these) timeframe(s) and/or when time is up, users will be disconnected with prior warning.
- user group’s network access restriction per workstation or IP range. By doing this, users can be limited to their own workstation, department, floor, building…


CERT BEST PRACTICE 12: Log, monitor, and audit employee online actions
“Logging, monitoring, and auditing can lead to early discovery and investigation of suspicious insider actions.”

As seen here above, UserLock allows real time session surveillance and monitoring, but it also records all session logging and locking events in an ODBC database (Access, SQL Server, Oracle, MySQL …) for future reference.
Reports can automatically be generated at regular intervals, in order to update an Intranet Web site, or being sent by Email.
UserLock provides predefined reports, including:
- Session History: Comprehensive session list (logon, lock, logoff instances, users, domains, workstations…)
- Session Statistics: Displays for a given user and period, total sessions, total connection time, average time per session, per worked day or per week.
- User Sessions: Instantaneous view of all user session at display time.


CERT BEST PRACTICE 14: Deactivate computer access following termination
“It is important to follow rigorous procedures that disable all access paths into the organization’s networks and systems for terminated employees.”

With UserLock, an administrator can within seconds remotely lock, logoff and reset all sessions, either from the administration console or the Web interface.
Native Windows features will not, by themselves, prevent an employee from unlocking a workstation session that was already open when his/her account was disabled or deleted, nor close the server connections that session already holds.



In-depth information in our whitepaper “Eight Holes in Windows Login Controls”

Detailed information about UserLock and free, fully-functional 180-day trial version


FileAudit mentioned on TechRepublic

Our software solution FileAudit has just been mentioned in an article titled “10 ways to make sure your data doesn’t walk out the door”, written by Deb Shinder and published on the TechRepublic website.


This article provides an up-to-date look at critical areas of concern when it comes to preventing data theft perpetrated by insiders.


Among other useful advice, Deb Shinder recommends using third-party auditing solutions that can audit file access across multiple storage sites, and mentions FileAudit.


From its own console, or with a simple right-click in Windows Explorer, FileAudit instantly provides IT security teams with an accurate and comprehensive list of:

- read/write accesses
- ownership changes (accepted or denied)
- permission modification attempts (accepted or denied)


each record detailing:

- the user
- the domain
- the date and time of connection and disconnection


for:

- a file
- a selection of files
- a folder and subfolders
- a selection of folders and subfolders


FileAudit is officially compatible with Windows 7 and can also:
- be scheduled to automatically archive into a database, at regular intervals, the access events occurring on one or more Windows systems for permanent storage.
- display file/folder access history in a printable report that can be scheduled to run automatically.
- export generated results in ASCII format, allowing their use for an audit or for subsequent analysis and control.


Download a free, 30-day fully-functional copy of FileAudit

"We use UserLock - really like it … On top of restricting the students to one login.

A while back we strongly suspected that a staff account had been compromised and via UserLock had it set to email me as soon as this member of staff signed in anywhere …

Needless to say the student was caught red handed whilst sat there looking at “applying personal settings” waiting for the staff desktop to appear!"

— Quoted from a System Administrator (and a UserLock customer) in a British University (in Edugeek Forums)


PC Mag about UserLock: “It’s an impressive tool”

PC Mag has just reviewed UserLock, our software solution that secures access to Windows networks, comprehensively reports on user sessions and efficiently mitigates insider threat.


This in-depth review was performed by Samara Lynn, Network Analyst, and published on March 12, 2010.


We cannot resist the pleasure of quoting some extracts from this review:


- BOTTOM LINE: it’s an impressive product

- Takes away pain using Group Policy for user account control. Intuitive interface. Easy install.

- UserLock efficiently and quickly handled restricting users from network access

- Windows administrators will feel right at home here.

- At a price of $10.50 USD per user session, (the price goes down as the amount of user session licenses purchased goes up) it won’t break the bank, either.

- Setup’s a cinch

- Adding a user account is as easy in UserLock as it is to give folder permissions to a user in Windows.

- The big advantage of UserLock though, is its simplicity.

- More important, [UserLock] aids in shoring up network security.

- Overall, UserLock is a solid tool that any Windows Network Administrator should consider adding to their network management toolkit if tight user access control is mandatory for their organization.



Read the full review in PC Mag

Get a free, fully-functional, 180-day copy of UserLock
