IT Auditing: Firewall Management Intrusion Detection, Intrusion Prevention & Security Information Management AC475 Team Project: Katherine Jackowski Elizabeth Kearney-Lang Daureen Lingley-Chor Security Information Management PS1 Selection of Areas of Examination The two areas of interest our team chose are Firewall Management and Intrusion Detection, Intrusion Prevention and Security Information Management which complement each other well; all focusing on the safeguarding of company assets. Since our collective knowledge in these areas was quite limited we felt they would be challenging topics to research. The potential threats to an Information System are numerous with names that sound as if they might be more from a video game i.e. botnet, smurf attack, Trojan horse, but whose potential damage to an Information System could be financially devastating. Our research began with An Introduction to Computer Security: The NIST Handbook and included the Special Publications from the National Institute of Standards and Technology SP 800-41 Revision 1 entitled Guidelines on Firewalls and Firewall Policy, SP 800-94 entitled Guide to Intrusion Detection and Prevention Systems. We also used our textbook, Information Technology Auditing and Assurance by James A. Hall. The following ISACA Standards were utilized as well: P3 Intrusion Detection Systems (IDS) P4 Viruses and other Malicious Code P6 Firewall Procedure G40 Review of Security Management Practices We visited various vendor websites and utilized the White Papers from Skybox Security entitled How to Painlessly Audit Your Firewalls and Tufin entitled Firewall Operations Management, Auditing, and Compliance. Risks, Threats and Exposures A risk is any and all exposure to the possibility of loss or theft, also known as a threat. All businesses assume some risk--no business is immune to the exposure of threats. Because opportunity and risk go hand in hand, you cannot have opportunity without also having some risk and wherever there is risk, there is potential opportunity. The key is to minimize potential risk and eliminate exposures to threats as much as possible; this is done through the use of controls. Threats to an organization’s Information System’s security can come from both internal and external sources and can be both intentional and accidental. According to the 1991 Annual Report submitted by the Computer System Security and Privacy Advisory Board, the following areas were found to contribute to the economic loss of organizations: “65% errors and omissions; 13% dishonest employees; 6% disgruntled employees; 8% loss of supporting infrastructure, including power, communications, water, sewer, transportation, outsiders, including viruses, espionage, dissidents, and malcontents of Page 2 of 23 Security Information Management various kinds, and former employees who have been away for more than six weeks1.” Between the years 1999 – 2003, attacks on computer servers increased by over 530% to 137,000 incidents in the United States2. FinCEN3 reported in their Suspicious Activity Report that computer intrusions have increased more than 500% from 2003 to 2004. On April 13, 2011, Senator Sheldon Whitehouse, a Democrat from Rhode Island, and Senator Jon Kyl, a Republican from Arizona, introduced a bill acknowledging that “businesses in the United States are bearing enormous losses as a result of criminal cyber attacks, depriving businesses of hard-earned profits that could be reinvested in further job-producing innovation.” The bill is entitled the Cyber Security Public Awareness Act of 2011. If enacted, this bill S.813, will require the Department of Homeland Security along with various branches of the government to report to Congress on the frequency and impact of cyber security incidents and the number of prosecutions for cybercrimes occurring in the United States. It will also require “a summary of the plans of the Secretary of Homeland Security to enhance public awareness of common cyber security threats, including a description of the metrics used by the Department of Homeland Security for evaluating the efficacy of public awareness campaigns” to be submitted to Congress.4 Information Security is an area that will continue to require organizations to monitor and reassess potential risks, threats and exposures to their Information Systems. Key Success Factors Senior management commitment to Information security Management’s understanding of Information security issues Information Security centrally-based Integration between security objectives and business objectives Proactive security plan which includes awareness training of staff Automated risk management process which includes definition of risk limits and risk tolerance Performance measurements Up-to-date Protective Techniques Enforcement of Security Policies Avoid over-control that may reduce the efficiency of the system Applications are secured before implementation An Introduction to Computer Security – The NIST Handbook SP 800-12 The World Technology Risk Checklist 7.3 3 FinCen - Financial Crimes Enforcement Network – a U.S. government agency established by the U. S. Department of Treasury in 1990 to provide multi-source financial intelligence and analysis. 4 http://ezp.bentley.edu/login?url=http://search.proquest.com/docview862230 1 2 Page 3 of 23 Security Information Management Service Level Agreements (SLAs) are utilized with suppliers to promote awareness and co-operation relative to security IT Governance fosters ethical behavior PS2 Selection of Client or Selection of Knowledgeable Sources Client Our client, Image Polymers Company, LLC, is a small manufacturing business established in 1991 with their headquarters located in Andover, Massachusetts and their manufacturing facility located in Mount Pleasant, Tennessee. They are a wholly owned subsidiary of Mitsui Chemicals America, Inc. Image Polymers Company outsources their IT functions to Covisia Solutions, Inc. The software they currently use is Windows XP Professional operating system and Sage Software, a SQL server-based enterprise management software system, MAS500 Version 7.30.40. They also use Sage Fixed Assets System software, and Microsoft Office 2007(Excel, Word, Outlook, and PowerPoint). Image Polymers Company LLC as a total of five servers; there is a virtualized server with three distinct server areas. The first one contains a domain controller section for access control (confirming usernames and passwords), the exchange section (for the e-mail system) and the file storage and print section. The second is the Citrix server which is used for virtual networking. The third is the MAS500 server which houses the MAS500 database. There is also a back-up server for the Domain controller and another Back-up Business Disaster Recovery (BDR) server. PS3 Prepare Statement of Control Objectives To ensure preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion.To ensure proper controls are in place to safeguard assets and prevent, detect and mitigate fraudulent activity. To control access to the Information Systems to prevent unauthorized use and to restrict authorized use. PS4 Identification of Control Criteria Master List of Controls Firewall Management Page 4 of 23 Security Information Management Control Resource Firewall Policy5 NIST SP 800-41 Revision 1, Tufin System Security Plan NIST SP 800-41 Revision 1 Segregation of Duties NIST SP 800-41 Revision 1 Testing – Configuration Compliance Analysis NIST SP 800-41 Revision 1 Apply Patches NIST SP 800-41 Revision 1 Logs & Alerts NIST SP 800-41 Revision 1 Firewall Policy Back-up NIST SP 800-41 Revision 1 Ruleset Back-up NIST SP 800-41 Revision 1 Review of Firewall Policy NIST SP 800-41 Revision 1 Penetration Testing NIST SP 800-41 Revision 1 Configuration compliance with Network Security Policies Skybox Security Network Access Policy Skybox Security Periodic reviews of configurations (at least every six months) Skybox Security PCI DSS Compliance Requirements Skybox Security Manage Changes (Change Impact Analysis) (2x/month) Skybox Security, CobiT AI6 Configuration Compliance Analysis (1x/qtr) Skybox Security Configuration Optimization (1x/year) Skybox Security Intrusion Detection, Intrusion Prevention and Security Management Control Resource IPDS System NIST SP 800-94 Restrict network access to IPDS components NIST SP 800-94 Limit direct access to IPDS components NIST SP 800-94 Update IPDS System NIST SP 800-94 Protect IPDS management communication NIST SP 800-94 Log System (Reporting Module) NIST SP 800-94, ISACA P3 Maintain Log Files in secure location NIST SP 800-94 Perform vulnerability tests NIST SP 800-94 Conduct penetration tests NIST SP 800-94 Intrusion Detection, Intrusion Prevention and Security Management (continued) Antivirus Software Spyware 5 A complex set of rules defining access privileges and restrictions for specific users and services. Page 5 of 23 Security Information Management Training Response Procedure Back-up Procedure Security Policy ISACA G40 Unique user ID and password for each individual network user Automated enforcement of password change Policy and Procedures related to Third Party Access Implement and annually evaluate physical security access Segregation of Duties Inactive session shutdown Periodic Review of Security System ISACA G40 Asset Classification ISACA G40 Background Screening of Employees ISACA G40 Page 6 of 23 Security Information Management Control Identification Form CONTROL OBJECTIVE: To ensure preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion. To ensure proper controls are in place to safeguard assets and prevent, detect and mitigate fraudulent activity. Control IPDS System (Intrusion Prevention and Detection System) Control Category Mechanism Create unique passwords for IPDS users and administrator Restrict network access to IPDS components Mechanism Limit direct access to IPDS components Mechanism Update Intrusion Detection System (IPDS) when new threat is detected and regularly Mechanism Protect IPDS management communication through physical or logical separation or encryption Mechanism Mechanism Type of Control General Primary Preventative Detective General Secondary Preventative General Secondary Preventative General Secondary Preventative Control Benefit To prevent the unauthorized access and minimize possibility of undetected intrusions. Limited access to authorized users only in order to safeguard assets. Preservation of the IPDS components. Adverse Impact of Control Not In Place/Effect Intrusion i.e. malware or spyware – loss of confidentiality and integrity. Compromised Information System. Disclosure of proprietary information. Unauthorized access: Compromised system integrity and availability by disabling the IPDS system. Useless IPDS System. Preservation of the IPDS components. Useless IPDS System. General Primary Preventative Most up-to-date intrusion detection available to fight newly recognized potential intrusions. Vulnerable to new intrusion techniques. General Secondary Preventative Protection from unauthorized changes Manipulation of communication log. Page 7 of 23 Security Information Management Control Log System to record logins, activities and intrusions Maintain Log System files in secure location Perform vulnerability assessments/tests quarterly Conduct penetration tests periodically Firewall Policy Network firewall Antivirus Software Spyware/Malware Control Category Mechanism Type of Control Application Primary Detective Policy General Secondary Preventative Mechanism General Primary Detective Mechanism General Primary Detective Organizational General Secondary Preventative Mechanism General Primary Preventative Mechanism General Primary Preventative Mechanism General Primary Preventative Control Benefit Keep a log of login and activities to determine patterns—aiding in detection of intrusions and malicious code To keep a record for future management/audit reference To confirm the system is functioning as designed and intended To confirm the system is functioning as it should Rules for the Firewall to follow To complement the IPDS System; filter network traffic To complement the IPDS System; detect many threats the IPDS cannot To complement the IPDS System in a multi-layered approach. Page 8 of 23 Adverse Impact of Control Not In Place/Effect Altered or missing log file; no audit trail/history available. Altered or missing log file; no audit trail/history available—unaware of log activity. Do not know if the current system is functioning as it should—no assurance mechanisms. Do not know if the current system is functioning as it should; increased risk of system being compromised. Ineffective firewall either allowing a threat in or slowing down the Information System. Unauthorized access to Information Systems; compromised system and data integrity. Infected with malware i.e. virus, worms, Trojan horse, malicious mobile code, blended threats, keystroke logger, backdoors. Infection with malware and non-malware forms of spyware; slows the system, considerably affecting system functionality and availability. Security Information Management Training Control Category Policy Response Procedure Procedure Back-up Procedure Procedure Control Type of Control General Secondary Preventative General Primary Preventative General Secondary Control Benefit Personnel have the skills required to deal with the security issues Provide uniform response if a threat is detected Current back-up if needed. Page 9 of 23 Adverse Impact of Control Not In Place/Effect Unqualified personnel could lead to security compromise. Incorrect measure taken when threat is detected. Unnecessary extended downtime. Security Information Management Control Identification Form CONTROL OBJECTIVE: To control access to the Information Systems to prevent unauthorized use and to restrict authorized use. To ensure proper controls are in place to ensure data and system availability in order for the Information Systems to fully support the organization’s objectives. Control Security Policy Unique user ID and password for each individual network user (proper length; mix of letters, numbers, & symbols) Automated enforcement to changing passwords Control Type of Category Control Organizational General Secondary? Preventative Policy General Secondary Preventative Policy Policy & Procedures regarding Third Party Access Policy Policy & Procedure to deactivate access prior to employee termination Policy Control Benefit To communicate the Policies authorized by Management. Controls access to the system and fosters system security. General Secondary Preventative General Secondary Preventative Frequent password changes limit the likelihood of unauthorized access. Controls, limits and restricts outside access to the system ensuring system integrity. General Secondary Preventative Ensures only active employees have access to the system, limiting the possibility of retaliation or sabotage of system. Page 10 of 23 Adverse Impact of Control Not In Place/Effect Lack of awareness of Security Policy; compromised system and data integrity. Unauthorized access to information which could affect the security of information. Possible password theft and unauthorized access to the system. System could be compromised due to no controls as to how the system could be accessed by outside parties (example: guest password would ensure employees do not share their passwords with guest users); avoid group passwords, as this erodes accountability Disgruntled employees may access the system and compromise the data and security of the system or obtain proprietary information. Security Information Management Control Written Acceptable Use Policy with required Signature of employee Implement and annually evaluate physical security (i.e. locks, alarms systems, etc.) Properly segregate duties regarding the Information System to limit access Inactive sessions shutdown after a defined period of inactivity Control Category Legal Type of Control General Secondary Preventative General Primary Preventative Detective Organizational General Secondary Preventative Prevent unauthorized access Adverse Impact of Control Not In Place/Effect System could be vulnerable to unauthorized access due to password sharing or weak password selection, also email usages (downloads, links); peripheral devices, such as laptops and USBs, etc. Increased risk -- Unauthorized access gained Limit access based on job descriptions and appropriate access Too many people with unlimited access, which can lead to unauthorized access and affect the reliability of the data. Mechanism Prevent unauthorized access when a system is left idle for a period of time Gain unauthorized access. Mechanism General Secondary Preventative Control Benefit Ensures employee knowledge of and responsibility to properly safeguard the system. Page 11 of 23 Security Information Management Control Evidence Form Control IPDS System (Intrusion Prevention and Detection System) Evidence that Control Would be in Place Third arty confirmation. Documentation of procedure for IPDS system, review audit security log. Create unique passwords for IPDS users and administrator List of users and administrators. Restrict network access to IPDS components List of users and administrators. Limit direct access to IPDS components View physical location for lock or method of restriction accessing components i.e. sensors or agents, management server, database server. Updated Log File. List of updates from vendor. Update Intrusion Detection System (IPDS) when new threat is detected and according to vendor recommendations Protect IPDS management communication through physical or logical separation or encryption Log System to record log-ins and intrusions Third party confirmation. Log file. Maintain Log System files in secure location View physical location of Log System. Perform vulnerability assessments/tests quarterly Third Party Confirmation. Observe vulnerability test. Page 12 of 23 Evidence that Control Would be in Effect System availability. No disruption or minimal disruption of service due to detected intrusions. Audit security log, documentation of system review and response. Security Information Management Conduct penetration tests bi-annually Control Network firewall Antivirus Software Spyware Training Response Procedure Back-up Procedure Third Party confirmation. Observe penetration test. Evidence that Control Would be in Place Software License. View Software License. View program in program files on equipment i.e. laptop, server. View Software License. View program in program files on equipment i.e. laptop, server. Physical written documentation. Sign-in list of employees attending training. Documents used in training classes. Written documentation of procedure. Documentation readily available in hardcopy or online. Written documentation of procedure. Documentation readily available in hardcopy or online. Page 13 of 23 Evidence that Control Would be in Effect Security Information Management Control Security Policy Unique user ID and password for each individual network user (long in length - mix of letters, numbers, & symbols) Automated enforcement to change password within a predetermined period Policy & Procedures regarding Third Party Access Evidence that Control Evidence that Control Would be in Place Would be in Effect Documented Understanding of Policy by Management. Policy. Policy is readily available in hardcopy and online. List of UserIDs. List of active employees. Number of employees matches the number of UserIDs. Documented Policy. Automated program alert. Understanding of Policy by Management and staff. Documented Policy. SLA Understanding of Policy by Management and Third Party. Policy & Procedure to deactivate access prior to employee termination Documented Policy Understanding of Policy by Management and staff. Written Acceptable Use Policy with required Signature of employee Documented Policy. Document with Employee’s signature. Understanding of Policy by Employees. Implement and annually evaluate physical security (i.e. locks, alarms systems, etc.) Properly segregate duties regarding the Information System to limit access Inactive sessions shut-down after a defined period of inactivity Documented procedure. Understanding of Procedure by Management. Documented review. RACI Chart. Organization Chart Appropriate access rights dependent upon duties. Documented Policy. Computer returns to log-in screen. Page 14 of 23 Log-in required to access system after designated allotment of time. Security Information Management Audit Objectives To determine whether controls are in place and in effect to provide reasonable assurance that preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion. To determine whether controls are in place and in effect to provide reasonable assurance that assets are safeguarded and fraudulent activity is prevented, detected and mitigated. To determine whether controls are in place and in effect to provide reasonable assurance that unauthorized access to the Information Systems is prevented and authorized use is restricted. To determine whether controls are in place and in effect to provide reasonable assurance that data and system availability is maintained in order for the Information Systems to fully support the organization’s objectives. Audit Steps (note: these are just bulleted thoughts I had while at the gym; I will develop real audit steps) o Gain knowledge/understanding o Identify the current infrastructure i.e. hardware, software o Mission Statement o Obtain existing policies o RACI (organization) charts o Business objectives o Assess and determine risk (do we need to assess the risk of the organization as well as audit risk?) o Current risk o Risk appetite o Risk tolerance o Define scope o Determine qualifications (existing and needed) o Get specialist (where necessary) o Determine procedures o Tests of controls o Report o Review with management o Revise o submit Page 15 of 23 Security Information Management Page 16 of 23 Security Information Management Audit Evidence Form for Assessment of Controls in Place Control IPDS System (Intrusion Prevention and Detection System) Create unique passwords for IPDS users and administrator Control Criteria Evidence that Would Show the Control to be in Place (Control Evidence) Obtain list of users and administrators. Interview management and staff and IT staff. Restrict network access to IPDS components Limit direct access to IPDS components Update Intrusion Detection System (IPDS) when new threat is detected and quarterly Protect IPDS management communication through physical or logical separation or encryption Log System to record log-ins and intrusions Maintain Log System files in secure location View physical location for lock or method of restriction accessing components i.e. sensors, agents, View log file. View physical location of Log System. Perform vulnerability assessments/tests quarterly Page 17 of 23 Audit Evidence Evidence Obtained as to Whether the Control is in Place (Audit Evidence) Control in Place Y/P/N Security Information Management Control Control Criteria Evidence that Would Show the Control to be in Place (Control Evidence) Conduct penetration tests biannually Network firewall Antivirus Software Spyware Training Response Procedure Back-up Procedure Page 18 of 23 Audit Evidence Evidence Obtained as to Whether the Control is in Place (Audit Evidence) Control in Place Y/P/N Security Information Management Control Control Criteria Evidence that Would Show the Control to be in Place (Control Evidence) Security Policy Unique user ID and password for each individual network user (long in length - mix of letters, numbers, & symbols) Automated enforcement to changing passwords Policy & Procedures regarding Third Party Access Policy & Procedure to deactivate access prior to employee termination Written Policy re: proper use of Information System with required Signature of employee Implement and annually evaluate physical security (i.e. locks, alarms systems, etc.) Properly segregate duties regarding the Information System to limit access Inactive sessions shut-down after a defined period of inactivity Page 19 of 23 Audit Evidence Evidence Obtained as to Whether the Control is in Place (Audit Evidence) Control in Place Y/P/N Security Information Management Audit Conclusion Instruction: Ensure that there is sufficient, competent and appropriate evidence to support audit conclusions and audit findings. Review control tables and Audit Results Comparison Sheets. Is there an adequate combination of controls in place to address the control objective from a “process” audit perspective? Are the controls in place appropriate in design to address the control objective? Is there an adequate combination of controls in effect to provide reasonable assurance that the control objective would be achieved, or met? Is there sufficient, competent evidence to support the audit conclusion and to demonstrate that the controls are in effect? Completed by: Date: Reviewed by: Date: Page 20 of 23 Security Information Management Audit Results Comparison Sheet – Control Criteria to Review or Test Results Control Control Evidence that Would Demonstrate the Control Would be in Place Control in Place Y/P/N Page 21 of 23 Control Evidence that Would Demonstrate the Control Would be in Effect Control in Effect Y/P/N Security Information Management Audit Conclusion Instruction: Ensure that there is sufficient, competent and appropriate evidence to support audit conclusions and audit findings. Review control tables and Audit Results Comparison Sheets. Is there an adequate combination of controls in place to address the control objective from a “process” audit perspective? Are the controls in place appropriate in design to address the control objective? Is there an adequate combination of controls in effect to provide reasonable assurance that the control objective would be achieved, or met? Is there sufficient, competent evidence to support the audit conclusion and to demonstrate that the controls are in effect? Completed by: Date: Reviewed by: Date: Page 22 of 23 Security Information Management Works Cited Firewall Operations Management, Auditing and Compliance. (2011, February). Retrieved April 2011, from Tufin Secure Track Web site: http://www.tufin.com ISACA. (2010). IT Standards, Guidelines,and Tools and Techniques for Audit and Assurance and Control Professionals. Rolling Meadows. Scarfone, K., & Hoffman, P. (2009, September). National Institute of Standards and Technology Guidelines on Firewalls and Firewall Policy SP800-41 Revision1. Gaithersburg, Maryland, United States of America. Scarfone, K., & Mell, P. (2007, February). National Institute of Standards and Technology Guide to Intrusion Detection and Prevention Systems (IPDS) SP 800-94. Gaithersburg, Maryland, United States of America. Skybox Security, Inc. (2010, May). Retrieved April 2011, from Skybox Security Web Site: http://www.skyboxsecurity.com http://www.cloudave.com/wordpress/wp-content/uploads/2010/09/bitglobe-security.jpg Page 23 of 23