ISO27001 compliance and Privileged Access Monitoring

February 24, 2014

Abstract: How to control and audit remote access to your servers to comply with ISO27001:2013 using the BalaBit Shell Control Box

Copyright © 1996-2014 BalaBit IT Security Ltd.


Table of Contents

1. Preface (p. 3)
1.1. Using SCB for compliance (p. 3)
1.2. What SCB is (p. 3)
1.3. How SCB works (p. 4)
1.4. Real-time content monitoring with SCB (p. 4)
1.5. 4-eyes authorization (p. 5)
1.6. Supported protocols (p. 5)
1.7. Public references (p. 5)
2. Using SCB for ISO27001 compliance (p. 7)
3. Other important features (p. 14)
4. Summary (p. 15)
4.1. About BalaBit (p. 15)

www.balabit.com

1. Preface

This paper discusses the advantages of using BalaBit Shell Control Box (SCB) to control remote access to your UNIX/Linux and Windows servers, networking devices, as well as your virtualized applications. SCB can transparently control, audit and replay protocols commonly used to remotely access and manage servers, including the Secure Shell (SSH), Remote Desktop (RDP), HTTP, Citrix ICA, VMware View, Telnet, and Virtual Network Computing (VNC) protocols. This document is recommended for technical experts and decision-makers working on auditing server-administration and remote-access processes for policy compliance (for example, PCI DSS or ISO 27001), or simply gathering information for forensics in case of security incidents. However, anyone with basic networking knowledge can fully understand its contents. The procedures and concepts described here are applicable to ISO27001:2013 and version 3 F5 of BalaBit Shell Control Box.

1.1. Using SCB for compliance

Compliance is becoming increasingly important in several fields — laws, regulations and industrial standards mandate increasing security awareness and the protection of customer data. As a result, companies have to increase their auditability and the control over their business processes, for example, by ensuring that only those employees who really need to have access to sensitive data, and by carefully auditing all accesses to these data.

The BalaBit Shell Control Box (SCB) is a device to control and audit data access: access to the servers where you store your sensitive data. Being independent from the controlled servers, it also complements the system and application logs generated on the server by creating complete, indexed and replayable audit trails of the users' sessions. Using an independent device for auditing is advantageous for the following reasons:

■ SCB organizes the audited data into sessions called audit trails, making it easy to review the actions of individual users;

■ SCB provides reliable, trustworthy auditing data, even of system administrator accounts who are able to manipulate the logs generated on the server, and

■ SCB allows you to create an independent auditor layer. The auditor can therefore control, audit and review the activities of the system administrators, while being independent from them.

Owing to its authentication, authorization, and auditing capabilities, like 4-eyes authorization and real-time monitoring and auditing, SCB can play an essential part in the access control of remote access, for example, in the control of remote server administration.

1.2. What SCB is

BalaBit Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records how system administrators configure your database servers through SSH, or how your employees make transactions using thin-client applications in VMware View. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible. SCB is especially suited to supervise privileged-user access as mandated by many compliance requirements, like PCI DSS or ISO 27001. It is an external, fully transparent device, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure.


The BalaBit Shell Control Box (SCB) is a device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB — it integrates smoothly into the existing infrastructure.

Figure 1. Controlling remote access with the BalaBit Shell Control Box

1.3. How SCB works

SCB logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, therefore the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie — recreating all actions of the administrator. In other words: with SCB you can oversee and control the work of the system administrators, creating a new management level that has real power over the system administrators.

Fast forwarding during replay and searching for events (for example, mouse clicks, pressing the Enter key) and texts seen by the administrator is also supported. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, therefore sensitive information like passwords is displayed only when necessary.

The protocols that SCB can control are not only used in remote administrative access, but also in thin-client environments — like Citrix ICA, VNC, or RDP used to access Windows Terminal Services. For such applications SCB provides an application-independent way to record the activities of the clients.
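As an added illustration of the trail properties described in this section (not SCB's own trail format or code), the following Python sketch records one session with separate keys for the two traffic directions, timestamps every event, and signs the sealed trail so that any later edit is detected; a reviewer holding only the server-to-client key can replay what the administrator saw without seeing the typed keystrokes. The key names, session id, sample commands and the HMAC-SHA256 counter-mode keystream used as a stand-in cipher are assumptions made for the example.

```python
"""Direction-separated, signed, timestamped audit trail (constructed illustration).

Not SCB's real trail format. The per-direction keystream is HMAC-SHA256 in counter
mode, a stand-in cipher so the example runs on the standard library alone; a real
recorder would use an authenticated cipher such as AES-GCM.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Expand (key, nonce) into `length` bytes; block i is HMAC(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class AuditTrail:
    """Records one session; client->server ("c2s") and server->client ("s2c") use different keys."""

    def __init__(self, session_id: str, key_c2s: bytes, key_s2c: bytes,
                 signing_key: bytes, clock=time.time):
        self.session_id = session_id
        self.keys = {"c2s": key_c2s, "s2c": key_s2c}
        self.signing_key = signing_key
        self.clock = clock  # injectable so a trail can be reproduced in tests
        self.events = []

    def record(self, direction: str, payload: bytes) -> None:
        nonce = os.urandom(12)  # fresh per event, so keystream never repeats under one key
        ciphertext = _xor(payload, _keystream(self.keys[direction], nonce, len(payload)))
        self.events.append({
            "seq": len(self.events),  # gap-free sequence exposes deleted events
            "ts": self.clock(),       # appliance clock, independent of the server's clock
            "dir": direction,
            "nonce": nonce.hex(),
            "ct": ciphertext.hex(),
        })

    def seal(self) -> dict:
        # Canonical JSON so the signature covers exactly one byte sequence.
        body = json.dumps({"session": self.session_id, "events": self.events},
                          sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


def verify(trail: dict, signing_key: bytes) -> bool:
    """True only if the body is byte-for-byte what was sealed; any edit, reorder or deletion fails."""
    expected = hmac.new(signing_key, trail["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, trail["sig"])


def replay(trail: dict, direction_keys: dict) -> list:
    """Decrypt the directions the reviewer holds keys for; the others come back as None.

    Giving an auditor only the "s2c" key shows the screen output while withholding
    the typed keystrokes, which is where passwords travel.
    """
    events = json.loads(trail["body"])["events"]
    out = []
    for ev in events:
        key = direction_keys.get(ev["dir"])
        if key is None:
            out.append((ev["ts"], ev["dir"], None))
            continue
        ct, nonce = bytes.fromhex(ev["ct"]), bytes.fromhex(ev["nonce"])
        out.append((ev["ts"], ev["dir"], _xor(ct, _keystream(key, nonce, len(ct)))))
    return out


if __name__ == "__main__":
    # Constructed sample session; keys are generated on the spot.
    k_c2s, k_s2c, k_sig = os.urandom(32), os.urandom(32), os.urandom(32)
    trail = AuditTrail("constructed-session-1", k_c2s, k_s2c, k_sig)
    trail.record("c2s", b"passwd\n")
    trail.record("s2c", b"Changing password for admin.\n")
    trail.record("c2s", b"s3cret-example\n")  # keystrokes, never echoed on screen
    sealed = trail.seal()
    print("intact:", verify(sealed, k_sig))
    for ts, direction, data in replay(sealed, {"s2c": k_s2c}):  # auditor without the c2s key
        print(ts, direction, data)
    tampered = {"body": sealed["body"].replace("constructed-session-1", "x"), "sig": sealed["sig"]}
    print("tampering detected:", not verify(tampered, k_sig))
```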

1.4. Real-time content monitoring with SCB

SCB can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command or text) appears in the command line or on the screen, or if a window with a particular title appears in a graphical protocol. Since content monitoring is performed in real time, SCB can prevent harmful commands from being executed on your servers. SCB can also detect numbers that might be credit card numbers. In case of RDP connections, SCB can detect window title content.

The following actions can be performed:

■ Log the event in the system logs.

■ Immediately terminate the connection.

■ Send e-mail or SNMP alerts about the event.

■ Store the event in the connection database of SCB.

SCB currently supports content monitoring in SSH session-shell connections, Telnet connections, RDP Drawing channels, and in VNC connections.
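An added example, not code from SCB, of the kind of rule evaluation this section describes: each rule is bound to a channel (SSH shell, Telnet, RDP window title), fires some of the four listed actions, a Luhn check flags digit runs that might be card numbers, and a terminate action stops all further processing of the session. The rule names, channel labels and the sample session content are constructed for the example.

```python
"""Content-monitoring rule engine (constructed illustration, not SCB code)."""
import re
from dataclasses import dataclass

# The four actions listed in the text.
LOG, TERMINATE, ALERT, STORE = "log", "terminate", "alert", "store"


@dataclass(frozen=True)
class Rule:
    name: str
    channels: tuple      # protocol channels the rule applies to (hypothetical labels)
    pattern: re.Pattern  # matched against command-line text, screen text or a window title
    actions: tuple


# Hypothetical rule set modelled on the examples given in the text.
DEFAULT_RULES = (
    Rule("sudo-invocation", ("ssh-shell", "telnet"),
         re.compile(r"(?:^|[;&|]\s*)sudo\b", re.MULTILINE), (ALERT, TERMINATE)),
    Rule("group-policy-window", ("rdp-window-title",),
         re.compile(r"^Group Policy Management", re.IGNORECASE), (LOG, ALERT)),
    Rule("router-config-mode", ("telnet", "ssh-shell"),
         re.compile(r"^\s*(?:configure terminal|conf t)\b", re.MULTILINE), (LOG, STORE)),
)

CARD_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")  # 13 to 19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a cheap filter that rejects most digit runs which are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that pass the Luhn check, returned as they appeared on screen."""
    return [m.group() for m in CARD_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


class Monitor:
    """Evaluates each chunk of one session as it passes; after a terminate, nothing more gets through."""

    def __init__(self, rules=DEFAULT_RULES):
        self.rules = rules
        self.terminated = False
        self.stored = []  # what a "store" action would write to the connection database

    def observe(self, channel: str, content: str) -> list:
        if self.terminated:
            return []
        hits = []
        for rule in self.rules:
            if channel not in rule.channels:
                continue
            m = rule.pattern.search(content)
            if m:
                hits.append({"rule": rule.name, "channel": channel,
                             "actions": rule.actions, "match": m.group()})
        for card in find_card_numbers(content):
            hits.append({"rule": "possible-card-number", "channel": channel,
                         "actions": (ALERT, STORE), "match": card})
        for hit in hits:
            if STORE in hit["actions"]:
                self.stored.append(hit)
            if TERMINATE in hit["actions"]:
                self.terminated = True  # connection torn down; later chunks never reach the server
        return hits


if __name__ == "__main__":
    # Constructed session: (channel, content) chunks in the order the appliance would see them.
    session = [
        ("ssh-shell", "whoami\n"),
        ("ssh-shell", "cat customers.csv\n4111 1111 1111 1111,alice\n"),  # well-known test card number
        ("rdp-window-title", "Group Policy Management"),
        ("ssh-shell", "sudo -i\n"),
        ("ssh-shell", "id\n"),  # never evaluated: the session was already terminated
    ]
    mon = Monitor()
    for channel, content in session:
        for hit in mon.observe(channel, content):
            print(f"{hit['rule']:22} on {hit['channel']:17} -> {', '.join(hit['actions'])}")
    print("terminated:", mon.terminated, "| stored events:", len(mon.stored))
```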

1.5. 4-eyes authorization

SCB can also ensure that a user is overseen and authorized by an auditor or authorizer: when 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, outband authorization and monitoring method. The authorizer can terminate the connection at any time, and can also monitor the events of the authorized connections in real time: SCB can stream the traffic to the Audit Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie.

1.6. Supported protocols

SCB 3 F5 supports the following protocols:

■ The Secure Shell (SSH) protocol used to access Unix-based servers and network devices.

■ The Remote Desktop Protocol (RDP) used to access Microsoft Windows platforms. Accessing Remote Desktop Services (RemoteApp programs) is also supported.

■ Citrix XenApp and XenDesktop.

■ The X11 protocol forwarded in SSH, used to remotely access the graphical interface of Unix-like systems.

■ The Telnet protocol used to access networking devices (switches, routers) and the TN3270 protocol used with legacy Unix devices and mainframes.

■ The Virtual Network Computing (VNC) graphical desktop sharing system commonly used for remote graphical access in multi-platform environments.

■ VMware View, when VMware View Clients use the Remote Desktop (RDP) display protocol to access remote servers.

■ The HTTP protocol (including HTTPS) commonly used to access the web interface of appliances, networking devices, and other applications.

1.7. Public references

Among others, the following companies decided to use SCB in their production environment:


■ Alfa Bank (http://alfabank.com/)

■ Arcui (http://www.arcui.com/)

■ Emerging Markets Payments Jordan (http://em-payments.com/)

■ Dubai Islamic Bank PJS (http://www.dib.ae/)

■ National Bank of Kuwait (http://www.nbk.com/)

■ Svenska Handelsbanken AB (http://www.handelsbanken.com/)

■ The Central Bank of Hungary (http://english.mnb.hu/)

■ Ankara University (http://en.ankara.edu.tr/)

■ ČEZ Group (http://www.cez.cz/en/home.html)

■ Fiducia IT AG (http://fiducia.de/)

■ Leibniz Supercomputing Centre (LRZ) (http://www.lrz.de/english/)

■ MTS Ukraine Mobile Communications (http://www.mts.com.ua/eng/main.php)

■ Orange Romania (http://www.orange.ro/)

■ Telenor Group (http://www.telenor.com)


2. Using SCB for ISO27001 compliance

The following entries describe in detail the requirements of the ISO/IEC 27001:2013 Standard relevant to auditing, and how SCB helps to meet each of them. Other compliance regulations like the Sarbanes-Oxley Act (SOX), Basel II, or the Health Insurance Portability and Accountability Act (HIPAA) include similar requirements.

A.6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.2 Segregation of duties.

Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

How SCB helps you: SCB provides a way to control and audit access to remote servers, services, and applications, independently from the users and the server administrators. This allows you to create a separate auditor layer above system administrators. It also helps to segregate the fields of IT maintenance and IT security, and provides a way to fully audit and control the work of system administrators. This greatly increases the chance of finding human errors, and decreases the possibilities of internal misuse.

A.9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.1.2 Access to networks and network services.

Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

How SCB helps you: Although SCB is not a general-purpose firewall, it can granularly control access to servers, applications, and protocol features, based on the identity of the user, or group memberships. In addition to access control, SCB can fully audit the events of the connections into searchable, replayable, movie-like audit trails.

A.9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.3 Management of privileged access rights.

Control: The allocation and use of privileged access rights shall be restricted and controlled.

How SCB helps you: SCB gives you the possibility to control remote access from a central location. It can enforce strong authentication and authorization methods, and provide customized access control to the audited systems.

A.9.2.6 Removal or adjustment of access rights.

Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

How SCB helps you: SCB provides a single point that authenticates and controls access to the protected servers and services. For example, removing a user from your central LDAP database (for example, Active Directory) instantly and automatically revokes all access of that user. SCB also supports scenarios where the user does not know the actual credentials used to access the server. This makes removing access rights easy even when shared accounts are used.

A.9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction.

Control: Access to information and application system functions shall be restricted in accordance with the access control policy.

How SCB helps you: SCB can complement this control in several different ways: it can serve as a central authentication host that controls remote access to your servers and services that use the SSH, RDP, Telnet, VNC, Citrix ICA, VMware View, or HTTP/HTTPS protocols, allowing you to control, audit, and authenticate remote privileged access (for example, database and server administrators), and also thin-client users (for example, Citrix XenApp, XenDesktop, or Microsoft Terminal Services). SCB also allows you to control which remote applications or protocol features are available for a specific user, for example:

■ limit (and also audit) file transfers like SCP and SFTP,

■ permit SSH but disable port forwarding,

■ permit RDP access but disable file redirection,

■ prevent the user from starting specific applications (this feature of SCB detects the command or application to be started in real time, and can terminate the connection, or raise an alert if the user tries to access a prohibited application, for example, sudo in a Linux/UNIX terminal, or the Group Policy Management window on a Microsoft Windows server).

To limit access to certain information, SCB can integrate with DLP systems to process the information that the user accessed in the connection.

A.9.4.2 Secure log-on procedure.

Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

How SCB helps you: SCB has numerous features that support the secure log-on procedure, including the following:

■ Enforce the use of strong encryption methods, for example, by disallowing the use of weak cipher algorithms in the connections.

■ Enforce the use of strong authentication methods, for example, disable the use of passphrases, and require the users to authenticate with X.509 certificates.

■ Authenticate the users to a central LDAP database (for example, Microsoft Active Directory).

■ SCB can serve as an authentication gateway, where the users must authenticate before accessing the target server or service. The gateway authentication can happen inband, within the audited connection, or also outband, using an external, secondary connection to SCB.

■ You can set up SCB to require the users to authenticate on SCB using their own credentials (for example, their own certificate or password), and SCB can use different credentials to access the target server. This is useful if the target server (for example, a legacy mainframe, or a network device) does not support strong authentication methods, has only a built-in account, or you do not want the users to know the actual credentials to the target server.

■ SCB can use a credential store or a password vault to authenticate on the target server.

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls.

Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

How SCB helps you: SCB can enforce the use of strong encryption methods, for example, by disallowing the use of weak cipher algorithms in the audited connections. The recorded audit trails can be digitally signed and encrypted using strong encryption methods. It is even possible to require multiple certificates to be present to decrypt the audit trails.

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.2 Change management.

Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

How SCB helps you: SCB can complement change-management policies and controls if the information processing facilities are remotely managed using a remote access protocol supported by SCB, for example, SSH or RDP. Such changes can be audited by SCB, and be part of the documentation of the change. For example, the audit trails can be used in forensic situations or general review to verify that a particular configuration change was actually performed.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.4.1 Event logging.

Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

How SCB helps you: SCB can record and audit the actions of system administrators and other privileged users accessing systems and services remotely, for example, using the Secure Shell (SSH), Remote Desktop (RDP), HTTP, Citrix ICA, VMware View, Telnet, and Virtual Network Computing (VNC) protocols. The recorded events can be replayed like a movie, and are stored in encrypted, digitally signed, and timestamped format, preventing manipulation or misuse. SCB is an excellent tool to find and review faults and actions in forensics situations.

A.12.4.2 Protection of log information.

Control: Logging facilities and log information shall be protected against tampering and unauthorized access.

How SCB helps you: SCB is an individual appliance that can operate transparently, so the users of the audited connection have no access to the appliance. On SCB, the audit trails can be stored in encrypted, digitally signed, and timestamped format, preventing manipulation or misuse.

A.12.4.3 Administrator and operator logs.

Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

How SCB helps you: SCB was developed exactly for this purpose: to control, monitor, and audit remote access activities. SCB provides reliable, digitally signed, and encrypted audit trails and reports about remote system administration activities to ensure that every event is properly logged. The events can be reviewed exactly the same way as they happened.

A.12.4.4 Clock synchronisation.

Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

How SCB helps you: SCB can automatically synchronize its system clock to a remote time server. That way the audit trails contain accurate time information — even if the server logs are mistimed because the clock of the server is not accurate or has not been synchronized.

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls.

Control: Networks shall be managed and controlled to protect information in systems and applications.

How SCB helps you: SCB can control, monitor, and audit the encrypted channels used in remote service access and remote application access, and can also enforce strong authentication and authorization methods, including gateway authentication, two-factor authentication, and 4-eyes authorization.

SCB can also monitor the terminal connections used to access networking devices, such as routers and switches. This real-time monitoring and alerting feature allows you, for example, to collect configuration changes of Cisco routers, or even prevent the network administrators from executing unwanted commands.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services.

Control: Organizations shall regularly monitor, review and audit supplier service delivery.

How SCB helps you: SCB is ideal to oversee IT services managed by third parties, for example, remote support or remote service management. SCB can provide detailed, replayable audit trails and reports to review the actions of the third party. It also offers strong access control methods to limit the access of the third party to the absolutely necessary, for example:

■ grant access only in a specific maintenance window,

■ require out-of-band authentication on the SCB gateway,

■ limit the available channels in the remote connection,

■ prevent the user from starting specific applications (this feature of SCB detects the command or application to be started in real time, and can terminate the connection, or raise an alert if the user tries to access a prohibited application, for example, sudo in a Linux/UNIX terminal, or the Group Policy Management window on a Microsoft Windows server),

■ enforce the 4-eyes principle to oversee the third party, and permit remote connections from the third party only if someone has authorized the connection and is actively monitoring the events.

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.7 Collection of evidence.

Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

How SCB helps you: SCB collects information independently from the clients and the servers, therefore it cannot be manipulated. The audit trails can be stored in encrypted, digitally signed, and timestamped format to prevent manipulation or misuse. SCB provides reliable audit trails and reports about remote system access activities to ensure that every event is properly logged and the events can be reviewed exactly the same way as they occurred. This is especially useful since many applications do not log enough information to exactly reconstruct the actions of the users. SCB can complement these logs.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities.

Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

How SCB helps you: The SCB appliance supports high-availability configurations, where two SCB units operate together in fail-over mode, and all incoming data is instantly available on both units. Also, the appliances can be equipped with redundant power units.


3. Other important features

This section highlights some of the features of BalaBit Shell Control Box that were not discussed in detail so far, but are useful to know about.

Protocol inspection

SCB acts as an application level proxy gateway: the transferred connections and traffic are inspected on the application level (Layer 7 in the OSI model), rejecting all traffic violating the protocol — an effective shield against attacks. This high-level understanding of the traffic gives control over the various features of the protocols, like the authentication and encryption methods used in SSH connections, or the channels permitted in RDP traffic.

Detailed access control

SCB allows you to define connections: access to a server is possible only from the listed client IP addresses. This can be narrowed by limiting various parameters of the connection, for example, the time when the server can be accessed, the usernames and the authentication method used in SSH, or the type of channels permitted in SSH or RDP connections (for example, SCB can permit SSH port-forwarding only to selected users, or disable access to shared drives in RDP). Controlling the authentication means that SCB can enforce the use of strong authentication methods (public key), and also verify the public key of the users.
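As an added example (not SCB's policy model or code) covering both the per-user protocol-feature restrictions listed under A.9.4.1 and the connection parameters in the paragraph above, the following Python evaluates a request against a small constructed policy: listed client networks, target server, maintenance window, permitted usernames and authentication methods, and the channels each user may open (port forwarding for selected users only, no drive redirection in RDP). The policy names, addresses, users, hours and channel labels are assumptions made for the example.

```python
"""Connection policy evaluation (constructed illustration, not SCB's policy model)."""
import ipaddress
from datetime import datetime


class Connection:
    """One policy entry: who may reach which server, when, how, and over which channels."""

    def __init__(self, name, protocol, client_networks, server, users, auth_methods,
                 hours=(0, 24), channels=(), channel_exceptions=None):
        self.name = name
        self.protocol = protocol
        self.client_networks = [ipaddress.ip_network(n) for n in client_networks]
        self.server = ipaddress.ip_address(server)
        self.users = frozenset(users)
        self.auth_methods = frozenset(auth_methods)  # e.g. only "publickey" for SSH
        self.hours = hours                            # maintenance window, local hours [start, end)
        self.channels = frozenset(channels)           # channels open to every listed user
        self.channel_exceptions = {c: frozenset(u) for c, u in (channel_exceptions or {}).items()}

    def matches(self, protocol, client_ip, server_ip) -> bool:
        client, server = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
        return (protocol == self.protocol and server == self.server
                and any(client in net for net in self.client_networks))


def evaluate(policy, protocol, client_ip, server_ip, user, auth_method, when: datetime, channel):
    """Return (allowed, reason). A request no connection entry covers is denied."""
    for conn in policy:
        if not conn.matches(protocol, client_ip, server_ip):
            continue
        start, end = conn.hours
        if not start <= when.hour < end:
            return False, f"{conn.name}: outside maintenance window {start:02d}:00-{end:02d}:00"
        if user not in conn.users:
            return False, f"{conn.name}: user {user!r} not authorized"
        if auth_method not in conn.auth_methods:
            return False, f"{conn.name}: authentication method {auth_method!r} not permitted"
        if channel in conn.channels or user in conn.channel_exceptions.get(channel, ()):
            return True, f"{conn.name}: {channel} permitted for {user}"
        return False, f"{conn.name}: channel {channel!r} not permitted for {user}"
    return False, "no matching connection (default deny)"


# Constructed policy: the addresses, names and hours are examples, not real infrastructure.
POLICY = [
    Connection("unix-admins-ssh", "ssh", ["10.0.5.0/24"], "10.0.1.10",
               users=["alice", "bob"], auth_methods=["publickey"], hours=(8, 18),
               channels=["session-shell", "sftp"],
               channel_exceptions={"port-forward": ["alice"]}),  # forwarding for selected users only
    Connection("helpdesk-rdp", "rdp", ["10.0.6.0/24"], "10.0.1.20",
               users=["carol"], auth_methods=["password", "certificate"],
               channels=["rdp-session"]),  # drive redirection deliberately not listed
]


if __name__ == "__main__":
    now = datetime(2014, 2, 24, 10, 30)  # constructed timestamp inside the maintenance window
    requests = [
        ("ssh", "10.0.5.7", "10.0.1.10", "alice", "publickey", now, "port-forward"),
        ("ssh", "10.0.5.7", "10.0.1.10", "bob", "publickey", now, "port-forward"),
        ("ssh", "10.0.5.7", "10.0.1.10", "alice", "password", now, "session-shell"),
        ("rdp", "10.0.6.9", "10.0.1.20", "carol", "password", now, "drive-redirect"),
        ("ssh", "192.168.1.5", "10.0.1.10", "alice", "publickey", now, "session-shell"),
    ]
    for req in requests:
        allowed, reason = evaluate(POLICY, *req)
        print("ALLOW" if allowed else "DENY ", reason)
```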

High availability support

All audited traffic must pass SCB, which can become a single point of failure. If SCB fails, the administrators cannot access the protected servers for maintenance. Since this is not acceptable for critical servers and services, SCB is also available with HA support. In this case, two SCB units (a master and a slave) having identical configuration operate simultaneously. The master shares all data with the slave node, and if the master unit stops functioning, the other one immediately becomes active, so the servers are continuously accessible.

Seamless integration

The system is fully transparent, no modification on the client or the server is necessary, resulting in simple and cost effective integration into your existing infrastructure.

Automatic data and configuration backups

The recorded audit trails and the configuration of SCB can be periodically transferred to a remote server. The latest backup — including the data backup — can be easily restored via SCB's web interface.

Managing SCB

SCB is configured from a clean, intuitive web interface. The roles of each SCB administrator can be clearly defined using a set of privileges: manage SCB as a host, manage the connections to the servers, or view the audit trails. The web interface is accessible via a network interface dedicated to the management traffic. This management interface is also used for backups, logging to remote servers, and other administrative traffic.


4. Summary

This paper has shown how to use the BalaBit Shell Control Box (SCB) appliance to control privileged access to remote systems and record the activities into searchable and replayable movie-like audit trails, and how to use the audit trails in forensic situations. SCB is an ideal choice to enhance your IT infrastructure if your organization must comply with external regulations like ISO 27001:2013.

4.1. About BalaBit

BalaBit IT Security Ltd. is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies to help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments.

BalaBit is also known as the logging "company", based on the company's flagship product, the open source log server application syslog-ng, which is used by more than 1 000 000 companies worldwide and became the globally acknowledged de-facto industry standard.

BalaBit, the fastest-growing IT Security company in the Central European region according to the Deloitte Technology Fast 50 (2012) list, has local offices in France, Germany, Russia, and in the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe.

To learn more about commercial and open source SCB products, request an evaluation version, or find a reseller, visit the following links:

■ Shell Control Box homepage

■ Product manuals, guides, and other documentation

■ Contact us and request an evaluation version

■ Find a reseller

All questions, comments or inquiries should be directed to <[email protected]> or by post to the following address:

BalaBit IT Security
1117 Budapest, Alíz Str. 2
Phone: +361 398 6700
Fax: +36 1 208 0875
Web: http://www.balabit.com/

Copyright © 2014 BalaBit IT Security Ltd. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaBit.

The latest version is always available at the BalaBit Documentation Page.
