Canaudit Perspective: Volume 11, Issue 3

Using a Security Baseline to Drive Your 2011 Audit Plan
By Gordon Smith (April 2010)

Download PDF of article at www.canaudit.com/Perspectives/Volume11-Issue3.pdf

Again this year, there is an increase in security breaches and electronic fraud. The results of our audits, penetration tests, and security baselines indicate that many organizations have not implemented the controls necessary to defeat or detect and mitigate an attack. In previous articles, I have outlined the risks and the defenses needed to ensure that our servers, desktops, and data are properly protected. Given the increased activity, we must recheck our security, identify poorly secured machines and databases, and seal the gaps.

I suggest that you perform a security baseline review as soon as possible, as part of your 2011 audit planning. You need to find the security gaps in your organization’s networks and remediate poorly secured hardware, software, and databases before the cyber criminals take advantage of the gaps. The baseline audit includes a full review of the Windows Active Directory and the machines within the Active Directory; UNIX, Linux and mainframes; databases, and the data within them. The first step in the audit process is to map the network using gentle scanning techniques. This enables you to identify the machines, devices, and databases within your environment.

After mapping the network, the baseline objectives must be prioritized. We suggest starting with Windows. Windows machines are particularly vulnerable and are the primary target for the cyber criminals. Poor user management, missing patches, and malware are the primary threats. Unless the preliminary assessment points you elsewhere, we suggest that you start with your Windows environment. At a minimum, you should test for the presence of malware on the machines, poor account management, security and audit policies, and missing patches.

My next priority would be databases. New exploits, some I have demonstrated in my classes, make it easy to identify poorly secured databases. The primary targets are MS/SQL, Oracle, and DB2. Let me be clear. These databases, properly installed, provide the protection required to ensure your data is safe and sound. Unfortunately, many administrators do not read the manual (the RTM control) to ensure that the correct controls are implemented when they install the database. We identify the databases within your network using port scanners. MS/SQL uses TCP port 1433, Oracle often uses TCP port 1521, and DB2 can use a variety of TCP ports depending on the host system.

Once we identify the databases, we use the known default passwords to connect to the database. If we connect using a default password, the database is clearly poorly secured. Depending on the scope of the baseline review, you may want to go further. You can check the configurations to identify other missing or weak controls.

Our next objective is to determine the controls available in the UNIX and Linux environments. For these environments, we use a series of scans to identify vulnerabilities. These include poorly secured trust relationships that permit unauthenticated access up to the root level, insecure services such as telnet and FTP that can be used to glean passwords, and the old faithful of security auditing – default accounts and passwords. In a full UNIX/Linux audit we would also run and evaluate our proprietary scripts.

Our next objective is to test the network devices. As with UNIX, we scan the machines for vulnerabilities. We use known safe and sane exploits to gain access to the devices. One of the items we do not test is susceptibility to denial-of-service attacks. As these attacks can damage the device or make portions of the network inoperable, we choose not to perform this type of destructive testing. Be aware that attackers may attempt to do a denial-of-service attack. Make sure that you have mechanisms in place to detect and negate these attacks.

The last of our internal tests is the mainframe. We test default accounts and passwords as well as the logon credentials gleaned from the Windows and UNIX environments. To avoid disabling accounts, we perform our testing against the FTP port, as this is a gap in security coverage on just about every mainframe we have audited. For safety, we ensure that we only submit one account and one password against this port. We do not want to disable any accounts in the process of conducting our tests.

Once we have completed the internal threat assessment, we move onto wireless and the Internet. The wireless is rather straightforward. We tour the facilities using our wireless detection software. Once wireless access points are identified, we determine if they are authorized and secured. We also test the encryption, if used, to determine that it is securely implemented. Surprisingly, many installations use simple, easy-to-guess encryption keys, making compromising the wireless network segment less complex.

Our Internet testing is more complex because of the many variables that must be tested. In addition to machine differences, each Internet connection can use many different software tools. As a result, most of our testing is manual. While other audit or security firms may simply run Nessus or Nmap against the Internet connections, we believe in eliminating false positives. This requires us to manually test each vulnerability to determine if, in fact, it really is an issue. One of the biggest and justified complaints the IT folks can make is that the audit produced a massive list of vulnerabilities. On further testing, the vulnerabilities were found to be false positives. To avoid this situation, we do the required testing to ensure that all vulnerabilities reported are true vulnerabilities.

In some cases, testing of the vulnerability may cause a denial-of-service attack. In these cases, we report them but mention we could not safely determine the status of the vulnerability. We suggest that the web analysts investigate the potential vulnerability and secure it if required.

Lastly we test the web applications. These applications are seldom subjected to a full review. As a result, there are often flaws, such as SQL injection, which can place the application and the data used by the application at risk. We use a combination of automated software and manual techniques to identify the flaws and eliminate the false positives. This audit can take one or two weeks per application depending on the complexity and the types of controls.

Upon completion of the above testing, we are ready to consolidate the data into an audit report and develop a series of metrics. The metrics are used to measure improvements made (or not made) in subsequent audits. Reducing the audit and security issues to metrics enables executives and senior management to monitor the remediation efforts without having to blow away the smoke that is so often used to hide the lack of a remediation effort. The metrics are facts, and facts can be monitored.

This high-level overview of our security baseline is intended to assist you in preparing your 2011 audit plan. When the baseline is complete, you will have the facts necessary to determine where your IT audit risk is and to prioritize the audits in your audit universe. If the Windows environment is very insecure, then a full audit of Windows is mandated early in 2011. If UNIX is the most vulnerable, then this audit takes precedence over others. The greatest benefit of the security baseline is that the IT folks are provided with a punch list of things that should be fixed over the next few months. Then when next year’s audit cycle starts, they should have implemented most of the required remediation. If not, then their inaction can earn them a critical assessment of their control structure.

There are several ways to complete your security baseline. The first is to do it yourself. I like this approach as it ensures that your IT audit group has the required skills to audit in a complex technical environment. If you do not have the skills on staff, then you have two options as I see it. The first is to attend the Canaudit hands-on workshop, Performing an IT Audit and Security Baseline. This class is taught several times a year, with the next one coming up in May in Austin, Texas. The skills and tools you gain in this session will help you to perform your first security baseline. For more information on the class in Austin, visit www.canaudit.com/pdw052010info.html or email Brenna@canaudit.com. We have extended our discount deadline for this event until April 23rd.

If you do not have the skills on staff or your resources are already committed, then Canaudit would be pleased to perform the security baseline for your firm. We will even let one or two of your staff observe as we work so you can gain an understanding of the process. We currently have openings for late spring and summer project delivery. Please email me at Gordon@canaudit.com if you would like more information.

In closing, remember that it is important to re-perform the security baseline or a mini baseline twice a year to monitor the remediation efforts. Management needs the metrics so that they can evaluate the efforts of the IT team.

As always, the opinions in this article are mine and mine alone. Please send me your comments, both positive and negative, to Gordon@canaudit.com.

Audit and Security Services

Canaudit specializes in a variety of information system and technology audits, ranging from periodic network penetration testing to full network and operating system security review. Our tailored audits provide an objective, disciplined, and in-depth analysis to evaluate and improve the effectiveness of risk management, control and security within your organization’s technological environment.

For interest in Canaudit to perform an IT audit for your organization, please email Gordon@canaudit.com or Tamra@canaudit.com, or call (805) 583-3723.

Professional Development

Canaudit provides quality seminars to various organizations including audit and security chapters and major corporations. These seminars range from technical information system audit classes to internal audit classes aimed at everyone from an introductory level up to management. With nearly 20 courses to choose from, we are sure to have one that will meet your individual needs. In addition to chapter and private seminars, Canaudit also holds public courses. For more information on upcoming public courses and to register, visit www.canaudit.com/seminars.html. Questions relating to Canaudit professional development or to schedule a Canaudit seminar, please email Brenna@canaudit.com or call (805) 583-3723.