November 2002
[Figure: audit lifecycle diagram. Stages: System Audit; Review: 1. Lines of Business, 2. Applications, 3. Technology Infrastructure, 4. Service Providers; Exploit Vulnerabilities; Risk Mitigation; Design Security; Policy; Final Audit; White Hat]
White Paper on
Information Security Auditing / Implementation Procedures
November 2002
Today, information is the lifeblood of most organizations. With the increase in global Internet access, the possibility of security risks has increased significantly. With the advent of the Gramm-Leach-Bliley Act ("GLB") in 1999, safeguarding client and consumer information has become the primary focus of many regulatory commissions like the FTC, FDIC/OCC, SEC, NCUA, and HIPAA.
AUDITING PROCESS
The auditing process can be performed using various methodologies. The Black Hat approach does not give the security auditor any information about the network or its architecture. In contrast, the White Hat approach provides the auditor with network information and schematics beforehand.
BLACK HAT APPROACH
This method is intended to closely replicate the efforts of an actual attacker. It is the best way to find out what hackers can do remotely without any knowledge of the network. The first step is to footprint the network. Footprinting is performed as quietly as possible so that the attacker does not alert the network administrators. It usually begins with DNS queries and Internet searches for any public information that may assist in the attack.
Q. What does an attacker look for? How does he/she know we are vulnerable?
A. Any skilled attacker has a list of vulnerabilities and configurations. Most of this information is memorized and can be spotted instantly. For example, during the scanning phase, if an attacker notices the network running Apache or BIND on Unix, they would then perform a particular exploit based on that version number.
One thing to keep in mind: a real attacker uses hand-written code or code traded in underground communities, a major reason why automated security scanning software alone does not suffice.
Once the attacker has zeroed in on an IP range, the scanning begins. This is often
performed with shareware or custom compiled programs. These scans are typically
referred to as half-open connections and are designed to avoid log entries. This
approach can be used to bypass firewalls and perimeter routers to map the network.
After scanning the network, the attacker has a good idea of what can be accessed from
the outside and begins to compile this information to give an overview of possible points
of entry. After careful consideration and research, a typical attack is carried out. After
gaining access to the first host, intruders begin to cover their tracks and patch any hole
used to enter the network. Once inside, an attacker would try to gain access to other
network resources. This can be achieved by installing sniffers and protocol analyzers to
capture traffic in hopes of stealing clear text passwords. Once breached, perimeter
defense systems offer little protection or notification of illicit activity, unless host-based
intrusion detection is in place and properly managed. Intruders could be free to go from
machine to machine or database to database until their goal is achieved.
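The half-open scans described above are designed to leave few log entries, and the paragraph's own remedy is intrusion detection that is in place and properly managed. The following is an added example of such a check, not code from the white paper: it parses firewall-style log lines in a constructed format (the SRC=/DST=/DPT=/FLAGS= layout, the addresses and the timestamps are all made up for the example) and flags any source that opens many distinct ports with a SYN and never completes the handshake within a short window. The threshold and window values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not the paper's): one inbound TCP
# record per line carrying the flags seen on that packet
# (S = SYN only, A = ACK, PA = PSH+ACK).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

# Constructed sample. 203.0.113.7 sends lone SYNs to six ports in three seconds
# (a half-open scan). 198.51.100.5 completes a normal handshake on port 80.
# 203.0.113.200 probes five ports two minutes apart (a slow scan that a short
# window will miss). The last line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
2002-11-04T10:00:00 SRC=203.0.113.200 DST=192.0.2.10 DPT=135 FLAGS=S
2002-11-04T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=21 FLAGS=S
2002-11-04T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=22 FLAGS=S
2002-11-04T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=23 FLAGS=S
2002-11-04T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=25 FLAGS=S
2002-11-04T10:00:03 SRC=203.0.113.7 DST=192.0.2.10 DPT=80 FLAGS=S
2002-11-04T10:00:03 SRC=203.0.113.7 DST=192.0.2.10 DPT=110 FLAGS=S
2002-11-04T10:00:05 SRC=198.51.100.5 DST=192.0.2.10 DPT=80 FLAGS=S
2002-11-04T10:00:05 SRC=198.51.100.5 DST=192.0.2.10 DPT=80 FLAGS=A
2002-11-04T10:00:09 SRC=198.51.100.5 DST=192.0.2.10 DPT=80 FLAGS=PA
2002-11-04T10:02:00 SRC=203.0.113.200 DST=192.0.2.10 DPT=139 FLAGS=S
2002-11-04T10:04:00 SRC=203.0.113.200 DST=192.0.2.10 DPT=445 FLAGS=S
2002-11-04T10:06:00 SRC=203.0.113.200 DST=192.0.2.10 DPT=1433 FLAGS=S
2002-11-04T10:08:00 SRC=203.0.113.200 DST=192.0.2.10 DPT=3389 FLAGS=S
this line is not a firewall record
"""


def parse_line(line):
    """Return one record as a dict, or None for lines that are not TCP records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dpt": int(m["dpt"]), "flags": m["flags"]}


def find_syn_scans(log_text, threshold=5, window_seconds=60):
    """Map (src, dst) -> sorted half-open ports for every pair that left at
    least `threshold` distinct ports half-open within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    first_syn = defaultdict(dict)   # (src, dst) -> {port: time of first SYN}
    completed = defaultdict(set)    # (src, dst) -> ports where an ACK followed the SYN
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        if ev["flags"] == "S":
            first_syn[key].setdefault(ev["dpt"], ev["ts"])
        elif "A" in ev["flags"] and ev["dpt"] in first_syn.get(key, {}):
            completed[key].add(ev["dpt"])

    alerts = {}
    for key, ports in first_syn.items():
        # A port counts as half-open only if no ACK from the same source followed.
        half_open = {p: t for p, t in ports.items() if p not in completed[key]}
        times = sorted(half_open.values())
        lo = 0
        for hi in range(len(times)):
            # Sliding window: count distinct half-open ports inside the window.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[key] = sorted(half_open)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in find_syn_scans(SAMPLE_LOG).items():
        print(f"possible half-open scan from {src} against {dst}: ports {ports}")
```

With the default 60-second window only the fast scanner is reported; the slow probe from 203.0.113.200 surfaces only when the window is widened to ten minutes, which is the usual trade-off between catching patient attackers and raising false alarms on ordinary clients that retry a closed port.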
WHITE HAT APPROACH
This method can be used separately or following execution of the Black Hat approach. The auditor begins by actually meeting with the staff and gathering information on the network architecture and on all configurations of routing equipment and defense components.
This information is then analyzed and predictions are made on possible vulnerabilities that exist, based on known issues and professional experience. The auditor then goes to an outside Internet connection and attempts to exploit these vulnerable areas and gain access to the system. This method is usually performed after the Black Hat method and after initial securing of the network. It is the final procedure in the initial auditing process.
RISK MITIGATION
After the initial audit, the next step would be to perform a risk mitigation analysis and secure the network accordingly. This is a vital part of the security assessment process. This step includes weighing cost against risk for each scenario and factoring in how transparent the security is to the user. Three security models are commonly distinguished: Open, Restrictive, and Closed. Choosing one or more depends on the data that is being protected and on what you wish to provide to the users.
A. Best practices and standards have been established to calculate risk exposure. To calculate risk exposure, two variables, P(L) and S(L), are used. P(L) is the probability of loss, expressed as a threat frequency value. S(L) is the severity of the potential loss. By multiplying these two components together, we can calculate potential risk exposure.
The reduction in value of an asset from one threatening incident is called Single Loss Expectancy (SLE). SLE is the value that remains at risk after a threat has been applied.
EXAMPLE:
The value of our ERP database = $100,000. If a hacker breaks into the system and destroys 80% of it, the value has been reduced by $80,000. The SLE would be $80,000 and is calculated as follows:
ANNUALIZING RISK
In calculating risk exposure, many experts use risk analysis tools such as SAFE
(Standard Annual Frequency Estimate). Common SAFE values are listed in the table
below:
Using our previous example, if the probability is that a hacker destroying 80% of the database occurs once every two years, our SLE equation would be:
SLE = .5 x $80,000
SLE = $40,000
$40,000 is what our company can expect to incur in risk each year. Utilizing these
calculations provides you and your team with a basis on which to evaluate and make
decisions on system safeguards.
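The risk-exposure arithmetic of the two sections above (P(L) times S(L), the SLE of the ERP database example, and the annualized figure obtained from the SAFE value) carried through in Python, as an added example that is not part of the original white paper. The $100,000 asset value, the 80% loss and the 0.5 frequency are the paper's own numbers; the `safeguard_value` function, and the residual frequency and yearly safeguard cost it takes, are assumptions added here to show how the annual figure feeds a decision about safeguards. Note that in the usual terminology the annualized figure (SAFE value times SLE) is called the Annualized Loss Expectancy (ALE); the paper labels it SLE as well.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, expressed with the paper's two variables.

    exposure_factor is S(L), the severity: the fraction of the asset's value
    lost in a single incident. annual_frequency is P(L) as a SAFE value: the
    number of incidents expected per year (0.5 = once every two years).
    """
    asset_value: float
    exposure_factor: float
    annual_frequency: float


def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE: the reduction in asset value caused by one incident."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def annualized_loss(s: RiskScenario) -> float:
    """P(L) x S(L): what the company can expect to incur in risk each year.

    The paper writes this as 'SLE = .5 x $80,000'; the common name for the
    annualized figure is ALE (Annualized Loss Expectancy).
    """
    if s.annual_frequency < 0:
        raise ValueError("annual frequency cannot be negative")
    return s.annual_frequency * single_loss_expectancy(s)


def safeguard_value(s: RiskScenario, residual_frequency: float,
                    annual_safeguard_cost: float) -> float:
    """Assumed decision rule (not from the paper): the net yearly benefit of a
    safeguard that lowers the incident frequency to `residual_frequency` at
    `annual_safeguard_cost` per year. A positive result means the safeguard
    pays for itself; a negative one means it costs more than the risk it removes.
    """
    reduced = replace(s, annual_frequency=residual_frequency)
    return annualized_loss(s) - annualized_loss(reduced) - annual_safeguard_cost


# The paper's worked example: a $100,000 ERP database, 80% destroyed by an
# intrusion that is expected once every two years.
ERP_DATABASE = RiskScenario(asset_value=100_000, exposure_factor=0.80,
                            annual_frequency=0.5)

if __name__ == "__main__":
    print(f"SLE:               ${single_loss_expectancy(ERP_DATABASE):,.0f}")
    print(f"Annualized risk:   ${annualized_loss(ERP_DATABASE):,.0f}")
    # Hypothetical safeguard (assumed figures): $15,000 per year, and it cuts
    # the expected frequency to once every ten years.
    print(f"Safeguard net gain: ${safeguard_value(ERP_DATABASE, 0.1, 15_000):,.0f}")
```

The separation of SLE from the annualized figure is what makes the comparison of safeguards meaningful: a control that reduces frequency (a firewall rule, patching) changes P(L), while one that limits damage (backups, segmentation) changes S(L), and both are judged against the same yearly number.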
SECURITY POLICY
This is arguably one of the most important and least managed aspects of network security. A security policy should represent the nucleus of all network activities. It is what holds everything together and helps ensure predictable results from network migrations, rule changes, and other changes to the network. In addition, a sound policy often includes incident handling and disaster recovery.
Remember, developing sound policies can only be carried out after proper analysis is performed.
DESIGN SECURITY
Upon completing any risk mitigation, approving the costs of necessary equipment, and enacting policy changes, a new design should be ready for implementation. Some of the areas and technologies that are often addressed in developing a new design include:
A. The overwhelming consensus is to follow a layered security approach and perform active
management of security policies.
A remediation and/or migration plan should include a sound security policy and an architectural blueprint focused on minimizing interruptions to daily business operations. Where possible, efforts should be taken to leverage existing technologies, policies and tools, avoiding re-engineering efforts and further reducing possible impact and associated deployment costs.
FINAL AUDIT
The final audit is performed after creating the security policy and implementing the new
security architecture. In the final audit, we utilize the White Hat approach to compare
and contrast the results from the previous assessments.
STAYING SECURE
The life cycle of security has no end. The security process consists of ongoing system enhancements. Security testing and evaluation should be conducted at a minimum of every three years or whenever a major change is made to the system. For systems that are exposed to constant threat (e.g. web servers) or that protect critical information (e.g. firewalls), testing should be conducted more frequently, perhaps quarterly.
[Figure: lifecycle diagram with the stages "Secure the Network" and "Monitor Your Network"]
Packaged Software
- eEye Retina Scanner
- Saint
- Nessus
- ISS Internet/System Scanner
- Harris STAT
- Foundstone Fscan
- Network Associates
CREDENTIALS
Josh has performed a significant number of IT Security Assessments over the past five years. During this time, he has achieved the following levels of certification:
Cisco Certified Network Associate (CCNA), Cisco Security Specialist (Q1 2003), Network Security Certified (Brain Bench), Firewall Intrusion Detection Certified (Brain Bench), HTML Certified, Advance Design & Cold Fusion Certified, Certified by BellSouth in Frame Relay