Contributed by: Vernice Stefano, Assistant Director IT Audit
The COVID-19 pandemic heightened risks to data and data protection measures as organizations and individuals rushed to enable or expand remote working and learning capabilities. In addition, the rush to acquire, build, or update systems and solutions to track the impact of the pandemic and distribute emergency and stimulus funds made it an opportune time for threat actors.
According to the New York State Department of Labor (DOL) “more than 30 typical years’ worth of benefits [or $65 billion, were] paid in just 11 months.”1 Needless to say, thirty (30) years’ worth of work in just eleven (11) months is intense and would have required significant changes to personnel, processes, and systems, at the very least, to address the sheer volume of inquiries, visits, applications, etc. The DOL reported that there were over 425,000 fraudulent claims for unemployment insurance. That is roughly one fraudulent claim every minute for 11 months - 11 months is just over 475,000 minutes.
There is no shortage of scope areas (audit-speak for what auditors audit) during the COVID-19 pandemic relative to information and cyber security. A quick search of “covid-19 cybersecurity audit” provides over 23 million results. Even before the COVID-19 public health emergency, governments and industries were rolling out new or updated data protection rules and regulations to try to combat cybersecurity threats. One can spend thousands of hours trying to get through this information.
Controls (audit-speak for what is put in place to address risks to business or institution objectives) come in three forms – people, process, and/or technology. It is the same for cybersecurity; and while most of us think IT or information security professionals are responsible for cybersecurity controls, a very important piece, in a multi-layered approach to cybersecurity, depends on users; actually, users with privileged access; well actually, the supervisors of users with privileged access.
RIT’s Information Access and Protection (IAP) Standard classifies data into four categories: Private (e.g., social security numbers), Confidential (e.g., health information), Internal (e.g., building floor plans), and Public data.2 Private and Confidential data are those that fall under some regulatory or contractual obligation for protection. Per the IAP Standard “[i]f you access Private or Confidential Information at RIT, you are a privileged user.” For purposes of this article, Private and Confidential data will be referred to as privileged data.
The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) lists, among others, the following control under Protect (Access Control #4): Access permissions and authorization are managed, incorporating the principles of least privilege and separation of duties.3 Based on this, and other related controls, auditors typically look at how management (audit-speak for the team or person we are auditing) ensures that access to privileged data is granted only to individuals who need it to fulfill their job function. Account management and maintenance is an essential part of this. RIT’s Account Management Standard states the following under the Account Management and Maintenance section.
4.1.1. Managers are responsible for reviewing account and access privileges with the employee upon notification of job changes (e.g., termination, job changes).
4.1.2. Data owners of Private information identified by ITS should review all accounts and access privileges at least annually to ensure that they are commensurate with job function, need-to-know, and employment status.4
If you supervise employees who have privileged access, consider whether any changes to your organization or your team (say due to the pandemic, the migration of roles and responsibilities to the RIT Service Center, changes in job status, etc.) warranted a change to any access they have.
Generate or obtain a list of users with access to system(s) that contain privileged data along with information on what the access entails, i.e., the users’ roles or responsibilities within the system. If such a list does not exist, work with a system administrator, or equivalent, to create the report. Most systems/solutions have this type of report.
Do not forget to include shared drive access in your review. In addition to system or logical access reviews, if, for instance, your office retains privileged data in paper form, obtain and review the list of users who have physical access to your area. Obtain a list of Lenel keycard holders, for example, and review whether access is appropriate for the users’ roles and responsibilities.
You might need to have changes made to users’ access or, at a minimum, talk to users or other supervisors about whether certain access is required “incorporating the principles of least privilege and separation of duties [SOD].” Depending on the system, and/or if SOD cannot be attained, you might need to implement monitoring controls (audit-speak for reviewing the activities of users), also known as a compensating control (audit-speak for an alternative control). An example of SOD is one where the individual who provisions access to a system is not the same individual who performs user access reviews. A SOD conflict arises when the same person has both responsibilities. Another SOD conflict is if you review your own privileged access.
If changes are warranted, ensure they are made. Try to eliminate SOD conflicts. If a SOD conflict cannot be avoided, for example because eliminating it is cost prohibitive and/or would negatively impact business or institution objectives, ensure you have monitoring controls in place and that they are part of the user access review.
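The review steps above (obtain the access report, compare it with employment status and job changes, look for SOD conflicts) can be applied mechanically once the report is in hand. The script below is an added example written for this article, not an IACA or RIT tool: the CSV layout, the column and role names, the reviewer list and every row in the sample report are constructed for illustration, and a real administrator’s export will look different and need its column names adjusted.

```python
"""Triage a user-access report along the lines of the review described above.

Added example, not IACA's or RIT's own tooling. The report layout, column names,
role names and every row below are constructed for illustration.
"""
import csv
import io

# Constructed access report: one row per user and role on a system that holds
# privileged data. "last_job_change" is blank when HR recorded no change.
ACCESS_REPORT = """\
user,role,employment_status,last_job_change
alice,data_entry,active,
bob,provisioner,active,
carol,read_only,terminated,2021-01-15
dave,provisioner,active,2021-02-01
erin,read_only,active,
"""

# Constructed: the people who perform the annual user access review (4.1.2).
ACCESS_REVIEWERS = {"bob", "erin"}


def load_report(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_access(rows):
    """4.1.1: accounts that outlived a termination. Returns sorted user names."""
    return sorted({r["user"] for r in rows if r["employment_status"] != "active"})


def job_changes_to_confirm(rows):
    """Active users with a recorded job change; the manager re-confirms their access."""
    return sorted({r["user"] for r in rows
                   if r["employment_status"] == "active" and r["last_job_change"]})


def sod_conflicts(rows, reviewers):
    """The two separation-of-duties conflicts named in the article.

    A reviewer who can also provision access, and any reviewer who holds
    access on the system and would therefore be reviewing their own access.
    """
    findings = set()
    for r in rows:
        if r["user"] not in reviewers:
            continue
        if r["role"] == "provisioner":
            findings.add((r["user"], "provisions access and performs the access review"))
        else:
            findings.add((r["user"], "reviews own access to the system"))
    return sorted(findings)


def review_findings(report_text, reviewers):
    """Bundle the checks into one dictionary the supervisor can act on."""
    rows = load_report(report_text)
    return {
        "remove_or_justify": stale_access(rows),
        "confirm_with_manager": job_changes_to_confirm(rows),
        "sod_conflicts": sod_conflicts(rows, reviewers),
    }


if __name__ == "__main__":
    for heading, items in review_findings(ACCESS_REPORT, ACCESS_REVIEWERS).items():
        print(f"{heading}:")
        for item in items:
            print(f"  - {item}")
```

On the sample data the script flags carol (terminated but still listed), dave (active but with a job change to confirm), bob (provisions access and also reviews it) and erin (reviewing a list she appears on). Where a flagged conflict cannot be removed, the output is the place to record the compensating monitoring control that covers it, so the review file shows both the conflict and how it is mitigated.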
Let us know if you have any questions or want to discuss the above further. IACA is always happy to consult and advise departments on cybersecurity and other controls.
1 “The New York State Department of Labor Stops Fraudsters from Stealing Unemployment Benefits During Covid-19 Pandemic.” Covid-19 Updates, 2 Feb. 2021, dol.ny.gov/news/new-york-state-department-labor-stops-fraudsters-stealing-more-55-billion-unemployment. Accessed 11 Mar. 2021.
Contributed by: Ben Woelk, ISO Program Manager; Written by: Arin McLaughlin, ISO Communications Associate
Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this Issue, we’ll talk about tracking cookies and privacy.
Cookies are small fragments of text used to collect and save user data. When you visit a website, you are assigned an ID that is contained within a cookie. This allows the site to see pages you visit and whatever other information you enter on that specific site, including username, real name, passwords, and billing and credit card information. They are often used by companies and marketers to provide you with targeted advertisements and content.
Brief History on Cookies
In 1994, Lou Montulli, writer of the web browser Lynx, and founding engineer of Netscape, attempted to create an “ecommerce solution for the web.” Before this, the internet had no method for remembering your login, making it difficult to navigate different ecommerce websites. The solution to this problem was “magic cookies,” which now allowed the web to have a “memory” of what the user was doing. Tracking cookies were originally created to grant shoppers the ability to add items to a shopping cart without having to buy immediately. Someone could add things to a digital shopping cart, leave the site, and return to all of their items still in the cart.
First-Party vs. Third-Party Cookies
First-party cookies are created from the site that you are actually using. These cookies allow websites to remember all of the information they collected during your visit. These are considered the “good cookies.”
First-party cookies are considered the “good” cookies due to the fact that they only track you on the website you are directly visiting. These help make the user’s experience smoother and more convenient by remembering information such as your login, language preference, virtual shopping cart, etc.
Third-party cookies are placed onto a user’s computer when they visit a website and then piggyback off of it, potentially gaining almost all of the information that the website is able to collect. They are created from a domain different from the one you are visiting directly and can be used for marketing and other purposes. These are the cookies that you should be most cautious with.
Have you ever looked at a product online and then seen ads for that same product on a different website? Third-party cookies track all of your activity and habits while you are browsing the internet. They are used mostly by marketers due to their cross-site ability. They are able to see your activity on multiple websites, allowing them to show you more specific and targeted ads. This raises the issue of “flash cookies,” which are cookies that can resurrect cookies you have deleted without you even knowing. One of the biggest issues with cookies is the ability for hackers to access your cookies from pages you visit, potentially gaining access to some personal and account information. One way attackers can do this is by dropping a cookie in your browser through an ad and logging into your accounts that have been saved through other cookies. This information can now be tracked and sold to marketers or hackers.
Are Cookies Harmful?
No, tracking cookies will not damage your computer. It is a good practice however to clear your cookies periodically to avoid your computer running slower. You can clear your cookies inside the browsing data and history section of your browser’s settings. That being said, cookies are not completely harmless. Companies that are tracking you through cookies can collect information about your internet viewing and other information.
Should I Accept Cookies & How Can I Avoid Them?
Should I Allow Website Notifications?
While you are browsing the internet, you may have noticed a prompt asking permission to send you notifications. This allows the website to send push notifications, and it can do so even when you are not on the site. This can become a problem with unsecured or malicious websites, as they now have the ability to send notifications to your computer, including links to phishing websites. Browsers like Chrome have added a new feature which prevents websites from sending users malicious or harmful notifications. Notifications can be disabled by going to your browser’s Privacy & Security settings, navigating to the permissions for notifications and blocking that content. You can also block future requests from websites to allow notifications.
How Do I Tell If A Website Is Secure?
The first thing you can check when trying to determine if a website is secure is the URL. Websites that start with HTTPS rather than HTTP are secured with an SSL/TLS certificate. This means that the data passing between your browser and the website’s server is encrypted in transit. This can easily be checked by identifying the small padlock next to the address bar on your browser. Another thing to look out for is whether the website has a more current look and feel and is actively maintained. A poorly maintained website may also be running outdated security measures and code, making it less secure. If you are concerned that a website may not be secure, don’t accept the cookies.
RIT is excited to announce a new and engaging information security awareness opportunity partnered with Living Security, a company that specializes in high production training programs. CyberEscape Online is an exciting adventure where you will have to work with your team to solve digital puzzles within a certain amount of time. Teamwork, problem solving, and good security habits will all be necessary to complete the objective in the time given. Check out the trailer for CyberEscape Online and visit our website for more information!
Join us for a discussion of tips, tools, and best practices that will help you enjoy the internet more safely, whether you’re using a personal computer, smartphone, or tablet.
During the 2.5-hour Internal Controls and Fraud in the Workplace class, the importance of, components of, and the responsibility for establishing and maintaining effective internal controls are discussed. Various examples of what can happen when controls are non-existent or break down (i.e., fraud) are shared throughout the class. The session is required in order to receive the RIT Accounting Practices, Procedures and Protocol Certificate of Completion. However, anyone interested in learning about internal controls and fraud prevention is welcome to attend.
To learn more about these important topics, sign up for a session at the CPD website.
Unit Level Risk Assessment—How to Advance Your Organization’s Agility
The first step towards successfully managing risk is to implement an effective risk assessment methodology. Risk assessment is a systematic process for identifying and evaluating both external and internal events (risks) that could affect the achievement of objectives, positively or negatively. During this 2.5-hour class, we will discuss the key components of an effective risk assessment process and how to integrate it into the business process to provide timely and relevant risk information to management. To learn more about this offering, see the corresponding CPD website.
What is most important when it comes to managing access to privileged data?
A. Access is managed, incorporating the principles of least privilege and separation of duties.
B. Access is granted only to individuals who need it to perform their job.
C. Access is granted to anyone with a management role.
D. Both A & B.
Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage. Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment and many others.