ISO27001 compliance and Privileged Access Monitoring

February 24, 2014

Abstract
How to control and audit remote access to your servers to comply with ISO27001:2013 using the
BalaBit Shell Control Box
Copyright 1996-2014 BalaBit IT Security Ltd.
Table of Contents
1. Preface ............................................................................................................................................. 3
1.1. Using SCB for compliance ....................................................................................................... 3
1.2. What SCB is ........................................................................................................................... 3
1.3. How SCB works ..................................................................................................................... 4
1.4. Real-time content monitoring with SCB .................................................................................... 4
1.5. 4-eyes authorization ................................................................................................................ 5
1.6. Supported protocols ................................................................................................................ 5
1.7. Public references ..................................................................................................................... 5
2. Using SCB for ISO27001 compliance .................................................................................................. 7
3. Other important features .................................................................................................................. 14
4. Summary ........................................................................................................................................ 15
4.1. About BalaBit ....................................................................................................................... 15
2 www.balabit.com
1. Preface
This paper discusses the advantages of using BalaBit Shell Control Box (SCB) to control remote access to your
UNIX/Linux and Windows servers, networking devices, as well as your virtualized applications. SCBcan transparently
control, audit and replay protocols commonly used to remotely access and manage servers, including the Secure
Shell (SSH), Remote Desktop (RDP), HTTP, Citrix ICA, VMware View, Telnet, and Virtual Network Computing
(VNC) protocols. This document is recommended for technical experts and decision-makers working on auditing
server-administration and remote-access processes for policy compliance (for example, PCI DSS or ISO 27001),
or simply to gather information for forensics situations in case of security incidents. However, anyone with basic
networking knowledge can fully understand its contents. The procedures and concepts described here are applicable
to ISO27001:2013 and version 3 F5 of BalaBit Shell Control Box.
1.1. Using SCB for compliance
Compliance is becoming increasingly important in several fields laws, regulations and industrial standards mandate
increasing security awareness and the protection of customer data. As a result, companies have to increase their
auditability and the control over their business processes, for example, by ensuring that only those employees have
access sensitive data who really need to, and also carefully auditing all accesses to these data.
The BalaBit Shell Control Box (SCB) is a device to control and audit data access: access to the servers where you
store your sensitive data. Being independent from the controlled servers, it also complements the system and ap-
plication logs generated on the server by creating complete, indexed and replayable audit trails of the users' sessions.
Using an independent device for auditing is advantageous for the following reasons:
SCB organizes the audited data into sessions called audit trails, making it easy to review the actions of
individual users;
SCB provides reliable, trustworthy auditing data, even of system administrator accounts who are able
to manipulate the logs generated on the server, and
SCB allows you to create an independent auditor layer. The auditor can therefore control, audit and review
the activities of the system administrators, while being independent from them.
Owing to its authentication, authorization, and auditing capabilities like 4-eyes authorization and real-time monit-
oring and auditing, SCB can play an essential part in the access control of remote access, for example, in the control
of remote server administration.
1.2. What SCB is
BalaBit Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual
desktops, or networking devices, and records the activities of the users accessing these systems. For example, it
records as the system administrators configure your database servers through SSH, or your employees make trans-
actions using thin-client applications in VMware View. The recorded audit trails can be replayed like a movie to
review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events
and automatic reporting possible. SCB is especially suited to supervise privileged-user access as mandated by many
compliance requirements, like PCI DSS or ISO 27001. It is an external, fully transparent device, completely inde-
pendent from the clients and the servers. The server- and client applications do not have to be modified in order
to use SCB; it integrates smoothly into the existing infrastructure.
3 www.balabit.com
Preface
The BalaBit Shell Control Box (SCB) is a device that controls, monitors, and audits remote administrative access
to servers and networking devices. It is a tool to oversee server administrators and server administration processes
by controlling the encrypted connections used in server administration. It is an external, fully transparent device,
completely independent from the clients and the servers. The server- and client applications do not have to be
modified in order to use SCB it integrates smoothly into the existing infrastructure.
Figure 1. Controlling remote access with the BalaBit Shell Control Box
1.3. How SCB works
SCB logs all administrative traffic (including configuration changes, executed commands, and so on) into audit
trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation.
In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances
of the event are readily available in the audit trails, therefore the cause of the incident can be easily identified. The
recorded audit trails can be displayed like a movie recreating all actions of the administrator. In other words:
with SCB you can oversee and control the work of the system administrators, creating a new management level
that has real power over the system administrators.
Fast forwarding during replay and searching for events (for example, mouse clicks, pressing the Enter key) and
texts seen by the administrator is also supported. Reports and automatic searches can be configured as well. To
protect the sensitive information included in the communication, the two directions of the traffic (client-server and
server-client) can be separated and encrypted with different keys, therefore sensitive information like passwords
are displayed only when necessary.
The protocols that SCB can control are not only used in remote administrative access, but also in thin-client envir-
onments like Citrix ICA, VNC, or RDP used to access Windows Terminal Services. For such applications SCB
provides an application-independent way to record the activities of the clients.
1.4. Real-time content monitoring with SCB
SCB can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for
example, a particular command or text) appears in the command line or on the screen, or if a window with a par-
ticular title appears in a graphical protocol. Since content-monitoring is performed real time, SCB can prevent
4 www.balabit.com
How SCB works
harmful commands from being executed on your servers. SCB can also detect numbers that might be credit card
numbers. In case of RDP connections, SCB can detect window title content.
The following actions can be performed:
Log the event in the system logs.
Immediately terminate the connection.
Send an e-mail or SNMP alerts about the event.
Store the event in the connection database of SCB.
SCB currently supports content monitoring in SSH session-shell connections, Telnet connections, RDP Drawing
channels, and in VNC connections.
1.5. 4-eyes authorization
SCB can also ensure that a user is overseen and authorized by an auditor or authorizer: when 4-eyes authorization
is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This author-
ization is in addition to any authentication or group membership requirements needed for the user to access the
remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, outband author-
ization and monitoring method. The authorizer has the possibility to terminate the connection any time, and also
to monitor real-time the events of the authorized connections: SCB can stream the traffic to the Audit Player ap-
plication, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like
watching a movie.
1.6. Supported protocols
SCB 3 F5 supports the following protocols:
The Secure Shell (SSH) protocol used to access Unix-based servers and network devices.
The Remote Desktop Protocol (RDP) used to access Microsoft Windows platforms. Accessing Remote
Desktop Services (RemoteApp programs) is also supported.
Citrix XenApp and XenDesktop.
The X11 protocol forwarded in SSH, used to remotely access the graphical interface of Unix-like systems.
The Telnet protocol used to access networking devices (switches, routers) and the TN3270 protocol
used with legacy Unix devices and mainframes.
The Virtual Network Computing (VNC) graphical desktop sharing system commonly used for remote
graphical access in multi-platform environments.
VMware View when VMware View Clients using the Remote Desktop (RDP) display protocol to access
remote servers.
The HTTP protocol (including HTTPS) commonly used to access the web interface of appliances,
networking devices, and other applications.
1.7. Public references
Among others, the following companies decided to use SCB in their production environment:
5 www.balabit.com
4-eyes authorization
Alfa Bank (http://alfabank.com/)
Arcui (http://www.arcui.com/)
Emerging Markets Payments Jordan (http://em-payments.com/)
Dubai Islamic Bank PJS (http://www.dib.ae/)
National Bank of Kuwait (http://www.nbk.com/)
Svenska Handelsbanken AB (http://www.handelsbanken.com/)
The Central Bank of Hungary (http://english.mnb.hu/)
Ankara University (http://en.ankara.edu.tr/)
EZ Group (http://www.cez.cz/en/home.html)
Fiducia IT AG (http://fiducia.de/)
Leibniz Supercomputing Centre (LRZ) (http://www.lrz.de/english/)
MTS Ukraine Mobile Communications (http://www.mts.com.ua/eng/main.php)
Orange Romania (http://www.orange.ro/)
Telenor Group (http://www.telenor.com)
6 www.balabit.com
Public references
2. Using SCB for ISO27001 compliance
The following table provides a detailed description about the requirements of the ISO/IEC 27001:2013 Standard
relevant to auditing. Other compliance regulations like the Sarbanes-Oxley Act (SOX), Basel II, or the Health In-
surance Portability and Accountability Act (HIPAA) include similar requirements.
A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of in-
formation security within the organization.
HowSCBhelps you: SCB provides a way to control
and audit access to remote servers, services, and applic-
ations, independently from the users and the server ad-
ministrators. This allows you to create a separate auditor
layer above systemadministrators. It also helps to segreg-
ate the fields of IT maintenance and IT security, and
provides a way to fully audit and control the work of
system administrators. This greatly increases the chance
of finding human errors, and decreases the possibilities
of internal misuse.
A.6.1.2 Segregation of duties.
Control: Conflicting duties and areas of re-
sponsibility shall be segregated to reduce oppor-
tunities for unauthorized or unintentional
modification or misuse of the organization's
assets.
A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
HowSCBhelps you: Although SCBis not a general-
purpose firewall, it can granularly control access to
servers, applications, and protocol features, based on
the identity of the user, or group-memberships. In addi-
tion to access control, SCB can fully audit the events of
the connections into searchable, replayable, movie-like
audit trails.
A.9.1.2 Access to networks and network
services.
Control: Users shall only be provided with ac-
cess to the network and network services that
they have been specifically authorized to use.
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
How SCB helps you: SCB gives you the possibility
to control remote access from a central location. It can
enforce strong authentication and authorization methods,
and provide customized access control to the audited
systems.
A.9.2.3 Management of privileged access
rights.
Control: The allocation and use of privileged
access rights shall be restricted and controlled.
7 www.balabit.com
Using SCB for ISO27001 compliance
How SCB helps you: SCB provides a single point
that authenticates and controls access to the protected
servers and services. For example removing a user from
your central LDAP (for example, Active Directory)
database instantly and automatically revokes all access
of that user. SCB also supports scenarios when the user
does not know the actual credentials used to access the
server. This makes removing access rights easy even
when shared accounts are used.
A.9.2.6 Removal or adjustment of access
rights.
Control: The access rights of all employees and
external party users to information and inform-
ation processing facilities shall be removed
upon termination of their employment, contract
or agreement, or adjusted upon change.
A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
How SCB helps you: SCB can complement this
control in several different ways: it can serve as a central
authentication host that controls remote access to your
servers and services that use the SSH, RDP, Telnet,
VNC, Citrix ICA, VMWare View, or HTTP/HTTPS
protocols, allowing you to control, audit, and authentic-
ate remote privileged access (for example, database and
server administrators), and also thin-client users (for
example, Citrix XenApp, XenDesktop, or Microsoft
Terminal Services). SCBalso allows you to control which
remote applications or protocol features are available
for a specific user, for example:
A.9.4.1 Information access restriction.
Control: Access to information and application
system functions shall be restricted in accord-
ance with the access control policy.
limit (and also audit) file transfers like SCP
and SFTP,
permit SSH but disable port forwarding,
permit RDP access but disable file redirec-
tion,
prevent the user fromstarting specific applic-
ations (this feature of SCB detects the com-
mand or application to be started in real time,
and can terminate the connection, or raise
an alert if the user tries to access a prohibited
application, for example, the sudo in a
Linux/UNIXterminal, or the Group Policy
Management window on a Microsoft Win-
dows server).
To limit access to certain information, SCB can integrate
with DLP systems to process the information that the
user accessed in the connection.
8 www.balabit.com
A.9.4 System and application access control
How SCB helps you: SCB has numerous features
that support the secure log-on procedure, including the
following:
A.9.4.2 Secure log-on procedure.
Control: Where required by the access control
policy, access to systems and applications shall
be controlled by a secure log-on procedure. Enforce the use of strong encryption meth-
ods, for example, by disallowing the use of
weak cipher algorithms in the connections.
Enforce the use of strong authentication
methods, for example, disable the use of
passphrases, and require the users to authen-
ticate with X.509 certificates.
Authenticate the users to a central LDAP
database (for example, Microsoft Active
Directory).
SCB can serve as an authentication gateway,
where the users must authenticate before ac-
cessing the target server or service. The
gateway authentication can happen inband,
within the audited connection, or also out-
band, using an external, secondary connec-
tion to SCB.
You can set up SCB to require the users to
authenticate on SCB using their own creden-
tials (for example, their own certificate or
password), and SCBcan use different creden-
tials to access the target server. This is useful
if the target server (for example, a legacy
mainframe, or a network device) does not
support strong authentication methods, has
only a built-in account, or you do not want
the users to know the actual credentials to
the target server.
SCB can use a credential store or a password
vault to authenticate on the target server.
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or
integrity of information.
9 www.balabit.com
A.10.1 Cryptographic controls
How SCB helps you: SCB can enforce the use of
strong encryption methods, for example, by disallowing
the use of weak cipher algorithms in the audited connec-
tions. The recorded audit trails can be digitally signed
and encrypted using strong encryption methods. It is
even possible to require multiple certificates to be
present to decrypt the audit trails.
A.10.1.1 Policy on the use of cryptograph-
ic controls.
Control: A policy on the use of cryptographic
controls for protection of information shall be
developed and implemented.
A.12.1 Cryptographic controls
Objective: To ensure correct and secure operations of information processing facilities.
HowSCBhelps you: SCB can complement change-
management policies and controls if the information
processing facilities are remotely managed using a remote
access protocol supported by SCB, for example, SSH or
RDP. Such changes can be audited by SCB, and be part
of the documentation of the change. For example, the
audit trails can be used in forensic situations or general
review to verify that a particular configuration change
was actually performed.
A.12.1.2 Change management.
Control: Changes to the organization, business
processes, information processing facilities and
systems that affect information security shall
be controlled.
A.12.4 Logging and monitoring
Objective: To record events and generate evidence.
How SCB helps you: SCB can record and audit the
actions of system administrators and other privileged
users accessing systems and services remotely, for ex-
ample, using the Secure Shell (SSH), Remote Desktop
(RDP), HTTP, Citrix ICA, VMware View, Telnet, and
Virtual Network Computing (VNC) protocols. The re-
corded events can be replayed like a movie, and are
stored in encrypted, digitally signed, and timestamped
format, preventing manipulation or misuse. SCB is an
excellent tool to find and review faults and actions in
forensics situations.
A.12.4.1 Event logging.
Control: Event logs recording user activities,
exceptions, faults and information security
events shall be produced, kept and regularly
reviewed.
HowSCBhelps you: SCB is an individual appliance
that can operate transparently, so the users of the audited
connection have no access to the appliance. On SCB,
the audit trails can be stored in encrypted, digitally
signed, and timestamped format preventing manipulation
or misuse.
A.12.4.2 Protection of log information.
Control: Logging facilities and log information
shall be protected against tampering and unau-
thorized access.
10 www.balabit.com
A.12.1 Cryptographic controls
How SCB helps you: SCB was developed exactly
for this purpose: to control, monitor, and audit remote
access activities. SCB provides reliable, digitally signed,
and encrypted audit trails and reports about remote
systemadministration activities to ensure that every event
is properly logged. The events can be reviewed exactly
the same way as they happened.
A.12.4.3 Administrator and operator logs.
Control: System administrator and system op-
erator activities shall be logged and the logs
protected and regularly reviewed.
How SCB helps you: SCB can automatically syn-
chronize its system clock to a remote time server. That
way the audit trails contain accurate time information
even if the server logs are mistimed because the clock
of the server is not accurate or has not been synchron-
ized.
A.12.4.4 Clock synchronisation.
Control: The clocks of all relevant information
processing systems within an organization or
security domain shall be synchronised to a
single reference time source.
A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
HowSCBhelps you: SCBcan control, monitor, and
audit the encrypted channels used in remote service ac-
cess and remote application access, and can also enforce
strong authentication and authorization methods, includ-
ing gateway authentication, two-factor authentication,
and 4-eyes authorization.
SCB can also monitor the terminal connections used to
access networking devices, such as routers and switches.
This real-time monitoring and alerting feature allows
you, for example, to collect configuration changes of
Cisco routers, or even prevent the network administrat-
ors from executing unwanted commands.
A.13.1.1 Network controls.
Control: Networks shall be managed and con-
trolled to protect information in systems and
applications.
A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
11 www.balabit.com
A.13.1 Network security management
How SCB helps you: SCB is ideal to oversee IT
services managed by third parties, for example, remote
support or remote service management. SCBcan provide
detailed, replayable audit trails and reports to review the
actions of the third party. It also offers strong access
control methods to limit the access of the third party to
the absolutely necessary, for example:
A.15.2.1 Monitoring and review of suppli-
er services.
Control: Organizations shall regularly monitor,
review and audit supplier service delivery.
grant access only in a specific maintenance
window,
require out-of-band authentication on the
SCB gateway,
limit the available channels in the remote
connection,
prevent the user fromstarting specific applic-
ations (this feature of SCB detects the com-
mand or application to be started in real time,
and can terminate the connection, or raise
an alert if the user tries to access a prohibited
application, for example, the sudo in a
Linux/UNIXterminal, or the Group Policy
Management window on a Microsoft Win-
dows server),
enforce the 4-eyes principle to oversee the
third party, and permit remote connections
from the third party only if someone has au-
thorized the connection and is actively mon-
itoring the events.
A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents,
including communication on security events and weaknesses.
HowSCBhelps you: SCBcollects information inde-
pendently from the clients and the servers, therefore it
cannot be manipulated. The audit trails can be stored in
encrypted, digitally signed, and timestamped format to
prevent manipulation or misuse. SCB provides reliable
audit trails and reports about remote system access
activities to ensure that every event is properly logged
and the events can be reviewed exactly the same way as
they occurred. This is especially useful since many applic-
ations do not log enough information to exactly recon-
struct the actions of the users. SCB can complement
these logs.
A.16.1.7 Collection of evidence.
Control: The organization shall define and ap-
ply procedures for the identification, collection,
acquisition and preservation of information,
which can serve as evidence.
12 www.balabit.com
A.16.1 Management of information security incidents and improvements
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
How SCB helps you: The SCB appliance supports
high-availability configurations, where two SCB units
operate together in fail-over mode, and every incoming
data is instantly available on both units. Also, the appli-
ances can be equipped with redundant power units.
A.17.2.1 Availability of information pro-
cessing facilities.
Control: Information processing facilities shall
be implemented with redundancy sufficient to
meet availability requirements.
13 www.balabit.com
A.17.2 Redundancies
3. Other important features
This section highlights some of the features of BalaBit Shell Control Box that were not discussed in detail so far,
but are useful to know about.
Protocol inspection
SCB acts as an application level proxy gateway: the transferred connections and traffic are inspected on the applic-
ation level (Layer 7 in the OSI model), rejecting all traffic violating the protocol an effective shield against attacks.
This high-level understanding of the traffic gives control over the various features of the protocols, like the authen-
tication and encryption methods used in SSH connections, or the channels permitted in RDP traffic.
Detailed access control
SCB allows you to define connections: access to a server is possible only from the listed client IP addresses. This
can be narrowed by limiting various parameters of the connection, for example, the time when the server can be
accessed, the usernames and the authentication method used in SSH, or the type of channels permitted in SSH or
RDP connections (for example, SCB can permit SSH port-forwarding only to selected users, or disable access to
shared drives in RDP). Controlling the authentication means that SCB can enforce the use of strong authentication
methods (public key), and also verify the public key of the users.
High availability support
All audited traffic must pass SCB, which can become a single point of failure. If SCB fails, the administrators cannot
access the protected servers for maintenance. Since this is not acceptable for critical servers and services, SCB is
also available with HA support. In this case, two SCB units (a master and a slave) having identical configuration
operate simultaneously. The master shares all data with the slave node, and if the master unit stops functioning,
the other one becomes immediately active, so the servers are continuously accessible.
Seamless integration
The system is fully transparent, no modification on the client or the server is necessary, resulting in simple and cost
effective integration into your existing infrastructure.
Automatic data and configuration backups
The recorded audit trails and the configuration of SCB can be periodically transferred to a remote server. The latest
backup including the data backup can be easily restored via SCB's web interface.
Managing SCB
SCB is configured from a clean, intuitive web interface. The roles of each SCB administrator can be clearly defined
using a set of privileges: manage SCB as a host, manage the connections to the servers, or view the audit trails. The
web interface is accessible via a network interface dedicated to the management traffic. This management interface
is also used for backups, logging to remote servers, and other administrative traffic.
14 www.balabit.com
Other important features
4. Summary
This paper has shown how to use the BalaBit Shell Control Box (SCB) appliance to control privileged access to
remote systems and record the activities into searchable and replayable movie-like audit trails, and how to use the
audit trails in forensic situations. SCB is an ideal choice to enhance your IT infrastructure if your organization must
comply to external regulations like ISO 27001:2013.
4.1. About BalaBit
BalaBit IT Security Ltd. is an innovative information security company, a global leader in the development of
privileged activity monitoring, trusted logging and proxy-based gateway technologies to help protect customers
against internal and external threats and meet security and compliance regulations. As an active member of the
open source community, we provide solutions to a uniquely wide range of both open source and proprietary plat-
forms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments.
BalaBit is also known as the logging "company", based on the company's flagship product, the open source log
server application syslog-ng, which is used by more than 1 000 000 companies worldwide and became the globally
acknowledged de-facto industry standard.
BalaBit, the fastest-growing IT Security company in the Central European region according to Deloitte Technology
Fast 50 (2012) list, has local offices in France, Germany, Russia, and in the USA, and cooperates with partners
worldwide. Our R&D and global support centers are located in Hungary, Europe.
To learn more about commercial and open source SCB products, request an evaluation version, or find a reseller,
visit the following links:
Shell Control Box homepage
Product manuals, guides, and other documentation
Contact us and request an evaluation version
Find a reseller
All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address: BalaBit IT Security 1117 Budapest, Alz Str. 2 Phone: +36
1 398 6700 Fax: +36 1 208 0875 Web: http://www.balabit.com/
Copyright 2014 BalaBit IT Security Ltd. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution,
and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaBit.
The latest version is always available at the BalaBit Documentation Page.
15 www.balabit.com
Summary