Information Security Auditing White Paper v3


    8/9/2019 Information Security Auditing White Paper v3

    1/10

    White Paper on Information Security Auditing / Implementation Procedures

    November 2002

    Review:

    1. Lines of Business
    2. Applications
    3. Technology Infrastructure
    4. Service Providers

    [Cover diagram: the audit cycle. Black Hat: System Audit, Exploit Vulnerabilities. White Hat: Analyze Potential Vulnerabilities, Final Audit. These feed into Risk Mitigation, Secure the Network, Design Security, Remediation & Migration, and Execute Security Policy.]


    INDEX

    1. The Auditing Process                       Page 3
       Black Hat Method
       White Hat Method
    2. Post Audit                                 Page 5
       Costs Associated with Security Breaches
    3. Designing a Security Policy                Page 6
    4. Designing a Secure Architecture            Page 7
    5. Remediations & Migrations                  Page 8
    6. Final Audit                                Page 8
    7. Staying Secure                             Page 9
    8. Credentials                                Page 10


    Today, information is the lifeblood of most organizations. With the increase in global Internet access, the possibility of security risks has increased significantly. With the advent of the Gramm-Leach-Bliley Act ("GLB") in 1999, safeguarding client and consumer information has become the primary focus of many regulatory commissions like the FTC, FDIC/OCC, SEC, NCUA, and HIPAA.

    Information security is an ever-evolving challenge, requiring proper attention and due diligence to maintain. Within this white paper, we will discuss Information Technology (IT) auditing techniques and secure network implementation methodologies.

    Q. What is involved in an effective IT security audit?

    A. The following steps comprise a sound system assessment through implementation of a security policy.

    AUDITING PROCESS

    The auditing process can be performed using various methodologies. The Black Hat approach does not give the security auditor any information on the network or the architecture. In contrast, the White Hat approach provides an auditor with network information and schematics beforehand.

    BLACK HAT METHOD

    This method is intended to closely replicate the efforts of an actual attacker. This is the best way to find out what hackers can do remotely without any knowledge of the network. The first step is to footprint the network. The foot-printing technique is performed as quietly as possible so the attacker does not alert the network administrators. This method usually begins with DNS queries and Internet searches for any public information that may assist in the attack.


    FOLLOWING AN ATTACKER'S FOOTSTEPS

    Q. What does an attacker look for? How does he/she know we are vulnerable?

    A. Any skilled attacker has a list of vulnerabilities and configurations. Most of this information is memorized and can be spotted instantly. For example, during the scanning phase, if an attacker notices the network running Apache or Bind on Unix, they would then perform a particular exploit based on that version number.

    One thing to keep in mind: a real attacker uses hand-written code or code traded in underground communities, a major reason why automated security scanning software does not suffice on its own.

    Once the attacker has zeroed in on an IP range, the scanning begins. This is often performed with shareware or custom compiled programs. These scans are typically referred to as half-open connections and are designed to avoid log entries. This approach can be used to bypass firewalls and perimeter routers to map the network.

    After scanning the network, the attacker has a good idea of what can be accessed from the outside and begins to compile this information to give an overview of possible points of entry. After careful consideration and research, a typical attack is carried out. After gaining access to the first host, intruders begin to cover their tracks and patch any hole used to enter the network. Once inside, an attacker would try to gain access to other network resources. This can be achieved by installing sniffers and protocol analyzers to capture traffic in hopes of stealing clear text passwords. Once breached, perimeter defense systems offer little protection or notification of illicit activity, unless host-based intrusion detection is in place and properly managed. Intruders could be free to go from machine to machine or database to database until their goal is achieved.

    WHITE HAT METHOD

    This method can be used separately or following execution of the Black Hat approach. The auditor begins by actually meeting with the staff and gathering information on the network architecture and all configurations of routing equipment and defense components.

    This information is then analyzed and predictions are made on possible vulnerabilities that exist based on known issues and professional experience. The auditor then goes to an outside Internet connection and attempts to exploit these vulnerable areas and gain access to the system. This method is usually performed after the Black Hat method and after initial securing of the network. This is the final procedure in the initial auditing process.


    POST AUDIT ACTIVITIES

    After the initial audit, the next step would be to perform a risk mitigation analysis and secure the network accordingly. This is a vital part of the security assessment process. This step includes associating cost vs. risk scenarios and factoring in security transparency to the user. There are three models reflected in security: Open, Restrictive, and Closed. Choosing one or more depends on the data that is being protected and what you wish to provide the users.

    Q. What are the costs of protecting versus doing nothing?

    A. Best practices and standards have been established to calculate risk exposure. To calculate risk exposure, two variables P (L) and S (L) are used. P (L) is the probability of loss, and it is a threat frequency value. S (L) is the severity of the potential loss. By factoring these two components together, we can calculate potential risk exposure.

    P (L) = the probability of the potential loss
    S (L) = the severity of the potential loss
    R (E) = the total risk exposure

    P (L) x S (L) = R (E)

    The reduction in value of an asset from one threatening incident is called Single Loss Expectancy (SLE). SLE is the resulting value after a threat has been applied.

    SLE = Original Total Cost of Ownership - Remaining Value

    EXAMPLE:

    The value of our ERP database = $100,000. If a hacker breaks into the system and destroys 80% of it, the value has been reduced by $80,000. The SLE would be $80,000 and calculated as follows:

    $80,000 = $100,000 - $20,000


    ANNUALIZING RISK

    In calculating risk exposure, many experts use risk analysis tools such as SAFE (Standard Annual Frequency Estimate). Common SAFE values are listed in the table below:

    SAFE Value    Frequency of Occurrence
    .01           Once every 100 years
    .02           Once every 50 years
    .1            Once every 10 years
    .2            Once every 5 years
    .5            Once every 2 years
    1             Once a year
    10            10 times a year
    20            20 times a year

    Using our previous example, if the probability that a hacker will destroy 80% of a database is once every two years (SAFE value .5), our SLE equation would be:

    SLE = .5 x $80,000

    SLE = $40,000

    $40,000 is what our company can expect to incur in risk each year. Utilizing these calculations provides you and your team with a basis on which to evaluate and make decisions on system safeguards.
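    The risk exposure, SLE and SAFE arithmetic above, as an added Python example (not code from the white paper). The Safeguard comparison at the end, which weighs a control's annual cost against the exposure it removes, is an assumed extension of the paper's model to answer its "protecting versus doing nothing" question.

```python
"""Risk exposure arithmetic from the white paper: R(E) = P(L) x S(L),
SLE = original value - remaining value, annualized with a SAFE value.
Added example, not code from the paper; the safeguard comparison is an assumed extension."""
from dataclasses import dataclass

# SAFE (Standard Annual Frequency Estimate) values exactly as the paper lists them.
SAFE_VALUES = {
    "once every 100 years": 0.01,
    "once every 50 years": 0.02,
    "once every 10 years": 0.1,
    "once every 5 years": 0.2,
    "once every 2 years": 0.5,
    "once a year": 1.0,
    "10 times a year": 10.0,
    "20 times a year": 20.0,
}

def single_loss_expectancy(original_value: float, remaining_value: float) -> float:
    """SLE = Original Total Cost of Ownership - Remaining Value."""
    if not 0 <= remaining_value <= original_value:
        raise ValueError("remaining value must lie between 0 and the original value")
    return original_value - remaining_value

def risk_exposure(probability_of_loss: float, severity_of_loss: float) -> float:
    """R(E) = P(L) x S(L): threat frequency times severity of the loss."""
    return probability_of_loss * severity_of_loss

def annualized_exposure(sle: float, frequency: str) -> float:
    """Annualize an SLE with the SAFE value for the named frequency as P(L)."""
    return risk_exposure(SAFE_VALUES[frequency], sle)

@dataclass
class Safeguard:
    name: str
    annual_cost: float
    residual_fraction: float  # share of the loss that still occurs with the safeguard (assumed)

def net_annual_saving(exposure: float, guard: Safeguard) -> float:
    """Exposure avoided by the safeguard minus its annual cost; positive means it pays for itself."""
    return exposure * (1.0 - guard.residual_fraction) - guard.annual_cost

def erp_example() -> dict:
    """The paper's ERP example: $100,000 database, 80% destroyed, once every two years."""
    sle = single_loss_expectancy(100_000, 20_000)             # $80,000
    annual = annualized_exposure(sle, "once every 2 years")   # $40,000
    # Assumed safeguard, not from the paper: off-site backups at $10,000/yr that
    # leave 10% of the loss (restore downtime) unmitigated.
    saving = net_annual_saving(annual, Safeguard("off-site backups", 10_000, 0.10))
    return {"sle": sle, "annual_exposure": annual, "net_saving": saving, "worthwhile": saving > 0}
```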

    DESIGNING A SECURITY POLICY

    This arguably is one of the most important and least managed aspects of network security. A security policy should represent the nucleus of all network activities. It is what holds everything together and helps ensure predictable results to network migrations, rules, and changes in the network. In addition, a sound policy often includes incident handling and disaster recovery.


    Q. We don't have a policy. Where do we start?

    A. Enlisting the services of an outside organization is common. These organizations meet the requirements set forth by many regulatory commissions for third-party assessments prior to external industry auditing.

    Remember, developing sound policies can only be carried out after proper analysis is performed.

    DESIGNING A SECURE ARCHITECTURE

    Upon completing any risk mitigation, approving costs of necessary equipment, and enacting policy changes, a new design should be ready for implementation.

    Some of the areas and technologies that are often addressed in developing a new design include:

    - Perimeter Routing / Perimeter Filtering
    - Firewall Configuration / Installation
    - Intrusion Detection Systems (Network and Host)
    - Security Policy Creation
    - Incident Handling Policy
    - Honey Pots
    - Server Hardening
    - Anti-Virus Implementation
    - Wireless Security
    - Application Security
    - Administrative entry points to your secure servers
    - Encryption on the Network and the Internet
    - VPN Technologies
    - Central Logging Management


    Q. What is the best architectural model to follow?

    A. The overwhelming consensus is to follow a layered security approach and perform active management of security policies.

    REMEDIATIONS AND MIGRATIONS

    A remediation and/or migration plan should include a sound security policy and architectural blueprint focused on minimizing interruptions to daily business operations. Where possible, efforts should be taken to leverage existing technologies, policies and tools, negating re-engineering efforts and further reducing possible impact and associated deployment costs.

    Actual tasks could include:

    - Patching Servers (Hardening)
    - Firmware Upgrades
    - Software Upgrades
    - Router Configuration Changes
    - Firewall Configuration Changes
    - Implementation of New IP Scheme(s)
    - Creation/modification of DMZ(s)
    - Implementation of Additional Technology/Tools

    FINAL AUDIT

    The final audit is performed after creating the security policy and implementing the new security architecture. In the final audit, we utilize the White Hat approach to compare and contrast the results from the previous assessments.


    STAYING SECURE

    The life cycle of security has no end. The security process consists of ongoing system enhancements. Security testing and evaluation should be conducted at a minimum of every three years or whenever a major change is made to the system. For systems that are exposed to constant threat (e.g. web servers) or that protect critical information, such as firewalls, testing should be conducted more frequently, perhaps quarterly.

    [Diagram: the security life cycle as a loop: Security Policy -> Secure the Network -> Test the Configuration -> Monitor Your Network -> Improve Your Network -> back to Security Policy.]

    Testing tools:

    Open Source Tools: Nmap, Nessus

    Packaged Software: eEye Retina Scanner, Saint, ISS Internet/System Scanner, Harris STAT, Foundstone Fscan, Network Associates


    This White Paper was compiled by:

    Josh Perrymon, Network Security Specialist

    Josh has performed a significant number of IT Security Assessments over the past five years. During this time, he has achieved the following levels of certification:

    Cisco Certified Network Associate (CCNA), Cisco Security Specialist (QI 2003), Network Security Certified (Brain Bench), Firewall Intrusion Detection Certified (Brain Bench), HTML Certified, Advance Design & Cold Fusion Certified, Certified by BellSouth in Frame Relays

    Published by Andrea Hopkey, Director of Corporate Development