Monday, March 31, 2008

Security Audits

Late 2005 I was working for a consulting company in the Milwaukee area. In an attempt to continue to move from a break-fix environment to a more proactive, managed IT approach, I was asked to develop a security audit methodology, which we would use in conjunction with our "taste-test" approach to new customers.

A taste-test was really nothing more than an engineer and a salesman showing a potential client how smart we were, how messed up their environment was, and how we could help them. We decided to use the Security Audit as another layer to enhance what we had to offer.

Here is an outline of the methodology I used, which was borrowed in large part from the SANS institute, along with a sample statement of work that was presented to my now employer.

Read this doc on Scribd: Security Audit Methodology
Security Audits A security audit will use best practice methods to discover, assess, test, and finally, suggest modifications to existing security infrastructure. Guiding Principles The Principle of Least Privilege involves giving a person or a process the minimal authority necessary to accomplish the job or task. Its objective is to control information flow by protecting against information leakage. Data classification determines the level of security controls needed to protect data. Data can be classified as confidential, private, public, or unclassified. Confidential data requires more security controls than data classified as private. The Separation of Duties principle is achieved by dividing a task and authority for a specific business process among multiple users. The primary objective is to prevent exploitation and fraud by allowing two people to complete a task. For example, to ensure security when transferring funds online, the password needed to access the online account would be partially entered by two people to complete it. Confidentiality is the principle of non-disclosure of information to unauthorized users, entities, or processes. Integrity is the prevention of modification or destruction of an asset by an unauthorized user or entity; often used synonymously with data integrity, which asserts that data has not been exposed to malicious or accidental alteration or destruction. Availability ensures the reliable and timely access to data or computing resources by the appropriate personnel. Identification is the means in which users claim their identities to a system. Most commonly used for accesscontrol, identification is necessary for authentication and authorization. Defense in Depth is a concept used to describe layers of defense strategies. The components at each layer work in tandem to provide one cohesive security mechanism. Risk Analysis Approach The formula for calculating risk is: risk = threats x vulnerability x value of assets. It is always important to assign numerical values or use a convention like high, medium, and low to reach conclusions. See Kepner Tregoe and NIST’s Risk Management Guide for IT Systems. Stage 1 Conducting the Assessment • Identify and interview key personnel for information gathering: See Assessment Questions. • Identify all critical and non-critical security components ( firewall, IDS, proxy, apps, DB, etc) • Use Appendix A as a template for security assessments of all identified security components. Security assessments should include a Business Impact Analysis (BIA) that will be used to determine the appropriate controls (technical and administrative) described in the policy. o Identify all threats, vulnerabilities and security issues in each component. • Discover and map network to identify any infrastructure issues. o LanMapshot, Visio • Scan network using vulnerability remediation utilities. o GFI LanGuard, Nessus on LAN o Lophtcrack for weak password analysis o Ae2, wwwhack, brutus for WWW access o Thc-pptp-bruter for PPTP Gateways o MS Best Practice Analyzer for Exchange o MS Baseline Security Analyzer for Servers Stage 2 Formulation of Target Security Architecture Design Target designs are based on results and recommendations as determined in the assessment. 1. A logical architecture of IT security components is needed to organize the physical architecture and implement security in all identified architectures. The logical structure includes processes, technology and people. It consists of perimeter security, a computer incident response team, antivirus policy, security administration, a Disaster Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure security. 2. Physical architecture designs include network diagrams illustrating firewalls, mail gateways, proxies, modem pools, VLANs, Demilitarized Zone (DMZ), internal and external connections and devices used, and diagrams of other architectures in relation to security architecture. Especially helpful are diagrams with IP addressing schemes identified. Stage 3 Construct Policies and Procedures According to Merriam-Webster’s Online Dictionary, a policy is: 1. A management or procedure based primarily on material interest 2. A definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions and a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body. Companies develop policies and procedures to guide their employees and external companies on how to behave. While creating polices, one needs to achieve a delicate balance between security and the ability to conduct business. Security should never be seen as an impediment but an enabler as one provides solutions and alternatives. Policies are general in nature and should be distinguished from standards. A policy might read, “All communications must be protected from eavesdropping.” The standard will show how this is to be accomplished and what technologies need to be deployed to achieve the policy. It is very important for policies and standards to have the support of the executive team. It is equally important for people to understand the policy and its objectives so that it gets the support it needs to achieve compliance. Auditors can use these policies as references when conducting audits as auditing complements all the endeavors of security to achieve compliance by measuring against these policies to uncover any deviation from policy. Findings that are discovered by audit would be deviations from policy and best practices. It is important to note that in reality many system or device-related policies will end up being translated as configurations on these systems and devices to implement policy. As such, parallel development of polices and architecture is necessary. For example, a policy can say “no surfing of illegal sites.” As the Internet server is being built, we have to configure the server to block all illegal sites known. As such, policies are translated to server configurations. Once all policies and standards have been developed, the next Stage can begin or the next Stage can be done in parallel. Stage 4 Implement Target Security Architecture Design Once the conceptual design and all related policies and procedures are developed, implementation of target security architecture can begin. Projects that implement architectural changes should have a plan that defines timelines, funding, and resources needed to implement these changes. Stage 5 Integration of Security Practices to Maintain Secure Status Security is a mindset and a process. In order to maintain a secure environment, one needs to define the role of IT security staff in evaluating all changes to the architecture, systems design, and network structure to maintain secure status in day-to-day operations. In order to achieve this goal, security has to be integrated into two main processes: 1. Change management process: Any changes to networks and other infrastructure components must go through this process. 2. Project management methodology and guidelines guide the various technology projects in the organization. Security should be integrated into these guidelines at all stages deemed necessary by these guidelines. For example, security can be integrated in Joint Application Development sessions (JAD), business requirement definitions stages, and implementation and development stages of project management methodology. Getting involved in new projects allows the security architect to integrate security controls that implement policy. It also allows the security architect to anticipate and develop new policies and standards.

Read this doc on Scribd: SOW Security
Friday, October 07, 2005 David Demarais Integrated Billing 7071 South 13th Street Suite 104 Oak Creek, WI 53154 Dear David, The following contains MyCompany's proposal for a network security audit. We, at MyCompany's, feel this solution will meet the needs of Integrated Billing network and data security requirements. Overview This proposal outlines the scope of work necessary to implement the network security audit at Integrated Billing. The suggested stages will ensure a proper audit, and recommend steps toward securing your environment. Performing a security audit is not a trivial affair. For a moderate sized firm in a single location, total calendar time to complete the audit may be three weeks to a month, dedicating an engineer to the project full time. Security audits, especially for the first audit, are not inexpensive. Costs depend on a wide variety of factors. A firm with a couple of hundred people in a single office with the "normal" array of computer applications found in a typical law firm, might expect to pay $25,000 to $30,000 for a good in-depth security audit. If you have never had a security audit, costs may be higher. In addition, the first time audit is likely to disclose a great number of items which are worthy of further attention (i.e. more time and cost to fix potential security issues). Of course, over time, you can expect to narrow the scope of follow on audits. So costs might possibly be reduced. Scope of Services Stage 1 Conduct Security Assessment 1. Identification of key personnel to be interviewed for information gathering. 2. Identification of all critical and non-critical security components to be assessed (e.g. firewalls, IDS, proxy, applications, databases, etc.) 3. Conduct a Business Impact Analysis (BIA) that will be used to determine the appropriate controls (technical and administrative) to develop the policies. 4. Identification of all threats, vulnerabilities and security issues in each component. Stage 2 Formulation of Target Security Architecture Designs 1. Conduct logical architecture design of IT security components to organize the physical architecture and implement security in all identified architectures. The logical structure includes processes, technology and people. It consists of perimeter security, antivirus policy, security administration, a Disaster Recovery Plan (DRP), risk and threat analysis, data security, application security, and infrastructure security. 2. Conduct physical architecture design to include network diagrams illustrating firewalls, mail gateways, proxies, modem pools, VLANs, Demiliterized Zone (DMZ), internal and external connections and devices used, and diagrams of other architectures in relation to security architecture. Stage 3 Construction of Policies and Procedures Develop policies and procedures to guide employees on acceptable use. When creating these polices, client will be consulted to achieve a delicate balance between security and the ability to conduct business. Stage 4 Implementation of Target Security Architecture Design Once the conceptual design and all related policies and procedures are developed, implementation of target security architecture can begin. Projects that implement architectural changes will have a plan that defines timelines, budgets, and resources needed to implement these changes. Stage 5 Integration of Security Practices to Maintain Secure Status 1. Change management process: Any changes to networks and other infrastructure components must go through this process. 2. Project management methodology and guidelines will serve to guide various technology projects in the organization. Security should be integrated into these guidelines at all stages necessary by these guidelines. I would again like to thank you for allowing MyCompany L.L.C. the opportunity to provide for your computer and networking needs. This solution has been prepared by your personal engineer, John Croson, and reviewed by the technical services team. John can be reached at XXX-XXX-XXX x XXX, or by email at, jcroson@MyCompany.com Please contact John or myself if you have questions or require additional technical information. Sincerely, MyCompany L.L.C. pdolan@MyCompany'snet.com Acceptance of this proposal and statement of work is acknowledged by your authorized signature below. ___________________________________ Accepted By __________________ Title ____________ Date

The Assessment Questions and associated appendix.

Read this doc on Scribd: Assessment Questions
Assessment Questions: Servers Vendors and models. yes no comments Are servers up to date with patches? What services are open? Are the services needed? Is/Are the device/devices positioned correctly in the network? What are all secure and non-secure interfaces? What is the history of the servers? Is there a process for making any changes? Who is responsible for account management? Are the logs being checked? Who is responsible for reviewing the logs? What are password policies for the network? What is the physical security of the server equipment? Backups / UPS What type of backups and rotations are in place? Are the tapes stored off-site or on site? Is the data encrypted and/or secure? Is there an emergency data recovery plan? Is there power failover protection? Virus / Spam / Spyware What brand/version of virus protection is present? How often are the definitions updated? Are the updates automatic? What brand/version of spam protection? Is there spyware protection? Does the company have an internet / acceptable use policy? Firewall Vendor and model. Is system up to date with patches? Is the position in the network correct? Is there IDS present? Is logging enabled and checked? What ports are open/forwarded and to what hosts? WAN What type of logs can we get from the ISP? What type of monitoring is done on the connections? May we perform vulnerability scans on these devices? Can we obtain routing information? LAN What are the standards of cables used? What is the network topology? i.e. Bus, Linear, Star, Hybrid, Mesh, Ring What is the layout of cabling and devices? What types of routers, hubs and switches are used? Do they have user name and password to access? Is change management used when changing routers or switch configurations? Who approves these changes? What is the policy regarding connecting to LAN? What is the policy regarding activating ports? Who has access to physical space? Is there a policy for connecting external vendors to the LAN? Is physical security practiced properly for accessing premises and process for activating and deactivating badges, LAN ports and LAN connection drops? If there is Wireless access, is encryption used? If so, what type? Are workstation applications and OS patched? Is there change management at the workstation level for hardware/software? Is there Virus/Spyware protection at the workstation? Is it managed by IT, or user level?

Read this doc on Scribd: Appendix A
Appendix A Security Assessment Component Type Business Impact Analysis Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Observations Recommendations Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place? Required For Operations? Would a security breach have any implications? Are there administrative/technical policies in place?

Then I put together a process sheet those that needed it, mainly for the junior engineers.

Read this doc on Scribd: GFI LanGuard HowTo (brief)
Security Audit How-To • Network Setup Monday, March 21, 2005 You will need to be connected to the network, and have GFI LanGuard N.S.S. installed in order to perform these tasks. If you don’t have these installed, get one of the internal engineers to assist you in the installation and configuration. Once you are setup, at your client’s location, you will have to connect to a network, probably through a CAT 5 connection in their server-room at a switch/hub, or at another location in the office area. It is necessary to be connected to the LAN that the rest of the workstations on the domain are connected to. You will also need a domain administrator’s username and password. If the clients IP addresses are served via DHCP, then you can simply start scanning with GFI. If not, you will have to find out what the address scheme is from a workstation on the LAN. The easiest way to do this is by going to Start, Run…, and type cmd in the open box. Then click the OK button. Once your CMD window is open, type the command ipconfig /all. You should get a screen that looks a little like this one. You may have to click the “maximize” button to see all of it. The Maximize button----- The best way to change your IP is to go to Start, Control Panel. Once in control panel, go to Network and Internet Connections in Category View (Windows XP), or Network Connections in Classic View (Windows XP, 2000). Find the device called Local Area Connection, right click, and choose Properties. You should see a window like this. Next, highlight Internet Protocol (TCP/IP), and click the Properties button. Click the “Use the following IP address, and type in similar settings to that of the machine you checked, but make sure that the last number of the IP is different. No two machines with the same IP address are allowed on the network, so you may get an error if you choose one that already exists. If so, just change the last digit of the IP until you get no error. Duplicate all the rest of the settings, like Subnet Mask, Default Gateway, and DNS servers. • GFI Setup If you don’t have GFI set up for reporting, you need to do this step. Open GFI LanGuard N.S.S. rightclick Scan Filters and click New, Filter… Give your filter a meaningful name, like MyCompany. Then, exclude your workstation from all scan reports by clicking Add and selecting the Hostname option and clicking next. Change the condition to read “Not Equal To”, fill in your machine name, then click Add. Now you must select the correct items to report on. Select all the items pictured below. The left screen shows the first few items, and the right is simply a scrolled view. Make sure everything beneath Vulnerabilities is selected. Click Ok when you are done. The next step is to perform the GFI security scan. Run GFI LanGuard Networks Security Scanner. If you are in a domain, choose alternative credentials, supplied by the contact, i.e. the domain admin in the Using box. Next, type in the domain\username in the User Name box. Finally type in the password in the Password box. If you are NOT in a domain, select “A Null Session” from the Using box. Then in the Scan Target box, type in the IP range of the network, discovered by setting up your PC manually, as shown on page one, or open a CMD window, and obtain that information, again as outlined on page one. Enter the IP range, as in the example below. Press the Scan button. It will take approximately 40 minutes for a 25 PC environment. Once it is completed, you will see something that looks like this. Click on the MyCompany Scan Report and review your new scan.

Funny thing is, after we'd stop in and perform our tests, show the customer where they were vulnerable, they were still reluctant to sign.

Boggles my mind, especially after I was able to get into a SMB unprotected wireless environment, find a vulnerable workstation, and show the owner a spreadsheet of his employees salaries. SCARY.

No comments: