White Paper on

Information Security Auditing / Implementation Procedures

November 2002

[Figure: System Audit process flow. Black Hat / White Hat: Analyze Potential
Vulnerabilities (Review: 1. Lines of Business, 2. Applications, 3. Technology
Infrastructure, 4. Service Providers) -> Exploit Vulnerabilities -> Risk Mitigation ->
Secure the Network -> Design Security Policy -> Remediation & Migration Plans ->
Final Audit (White Hat) -> Execute Security Policy.]


INDEX

1. The Auditing Process                        Page 3
   · Black Hat Method
   · White Hat Method
2. Post Audit                                  Page 5
   · Costs Associated with Security Breaches
3. Designing a Security Policy                 Page 6
4. Designing a Secure Architecture             Page 7
5. Remediations & Migrations                   Page 8
6. Final Audit                                 Page 8
7. Staying Secure                              Page 9
8. Credentials                                 Page 10

Today, information is the lifeblood of most organizations. With the increase in global
Internet access, the possibility of security risks has increased significantly. With the
advent of the Gramm-Leach-Bliley Act ("GLB") in 1999, safeguarding client and
consumer information has become the primary focus of many regulatory commissions
like the FTC, FDIC/OCC, SEC, NCUA, and HIPAA.

Information security is an ever-evolving challenge, requiring proper attention and due
diligence to maintain. Within this white paper, we will discuss Information Technology
(IT) auditing techniques and secure network implementation methodologies.

Q. What is involved in an effective IT security audit?

A. The following steps comprise a sound system assessment through implementation
of a security policy.

AUDITING PROCESS

The auditing process can be performed using various methodologies. In the Black Hat
approach, the security auditor is given no information about the network or its
architecture. In contrast, the White Hat approach provides the auditor with network
information and schematics beforehand.

BLACK HAT METHOD

This method is intended to closely replicate the efforts of an actual attacker. It is the
best way to find out what hackers can do remotely without any knowledge of the
network. The first step is to footprint the network. Footprinting is performed as
quietly as possible so the attacker does not alert the network administrators. It
usually begins with DNS queries and Internet searches for any public information that
may assist in the attack.

FOLLOWING AN ATTACKER'S FOOTSTEPS

Q. What does an attacker look for? How does he/she know we are vulnerable?

A. Any skilled attacker has a list of vulnerabilities and configurations. Most of this
information is memorized and can be spotted instantly. For example, if during the
scanning phase an attacker notices the network running Apache or BIND on Unix,
they would then perform a particular exploit based on that version number.

One thing to keep in mind: a real attacker uses hand-written code or code traded in
underground communities, a major reason why automated security scanning software
does not suffice.

Once the attacker has zeroed in on an IP range, the scanning begins. This is often
performed with shareware or custom-compiled programs. These scans typically use
half-open connections and are designed to avoid log entries. This approach can be
used to bypass firewalls and perimeter routers to map the network.

After scanning the network, the attacker has a good idea of what can be accessed from
the outside and begins to compile this information to give an overview of possible points
of entry. After careful consideration and research, a typical attack is carried out. After
gaining access to the first host, intruders begin to cover their tracks and patch any hole
used to enter the network. Once inside, an attacker would try to gain access to other
network resources. This can be achieved by installing sniffers and protocol analyzers to
capture traffic in hopes of stealing clear text passwords. Once breached, perimeter
defense systems offer little protection or notification of illicit activity, unless host-based
intrusion detection is in place and properly managed. Intruders could be free to go from
machine to machine or database to database until their goal is achieved.
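The two paragraphs above make a defensive point: half-open scans are built to leave no entry in ordinary connection logs, and once a host is breached the perimeter says little. The following detector is an added example, not part of this white paper or its author's tooling. It assumes one record per inbound TCP connection attempt, with a flag saying whether the three-way handshake completed (what a stateful firewall, a host-based IDS or a flow collector can emit), and flags a source that touches many destination ports in a short window while almost never completing a handshake. The sample records are constructed.

```python
"""Detecting half-open (SYN) scans from connection-attempt records.

Added example, not part of the white paper. Assumes a record per inbound TCP
connection attempt carrying a 'completed' flag (True when SYN, SYN/ACK and
ACK were all observed). A half-open scan shows up as one source probing many
distinct destination ports inside a short window with no completed handshakes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: float        # seconds since an arbitrary epoch (constructed)
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination TCP port
    completed: bool  # True if the full three-way handshake was observed


def _syn_only(ts, src, dst, dport):
    return Attempt(ts, src, dst, dport, completed=False)


# Constructed sample: a scanner sending bare SYNs to twelve ports, a normal
# client completing a few handshakes, and a host retrying a single port.
SAMPLE = (
    [_syn_only(float(i), "198.51.100.7", "203.0.113.10", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + [Attempt(100.0, "192.0.2.5", "203.0.113.10", 443, True),
       Attempt(130.0, "192.0.2.5", "203.0.113.10", 443, True),
       Attempt(131.0, "192.0.2.5", "203.0.113.10", 80, True),
       Attempt(160.0, "192.0.2.5", "203.0.113.11", 443, False)]
    + [_syn_only(200.0 + i, "192.0.2.9", "203.0.113.10", 22) for i in range(3)]
)


def half_open_scanners(attempts, min_ports=10, window_s=60.0, max_completion_ratio=0.2):
    """Return {src: max distinct (dst, port) pairs probed with SYN only in any window}.

    A source is reported when, within a sliding window of window_s seconds, it
    sent SYNs to at least min_ports distinct destination/port pairs that never
    completed, and the share of completed handshakes in that window is at most
    max_completion_ratio. Retries against one port never reach min_ports, so a
    client hammering a down service is not reported.
    """
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    hits = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window_s:
                start += 1
            window = rows[start:end + 1]
            probed = {(a.dst, a.dport) for a in window if not a.completed}
            completed = sum(1 for a in window if a.completed)
            if len(probed) >= min_ports and completed / len(window) <= max_completion_ratio:
                hits[src] = max(hits.get(src, 0), len(probed))
    return hits


def alert_lines(hits):
    """Render findings as one-line alerts for a syslog or SIEM pipeline."""
    return [f"half-open scan suspected: src={src} distinct_ports={n}"
            for src, n in sorted(hits.items())]


if __name__ == "__main__":
    for line in alert_lines(half_open_scanners(SAMPLE)):
        print(line)
```

The thresholds (ten ports in sixty seconds, at most a fifth of attempts completing) are assumptions to tune against your own traffic; the point is that the signal lives in handshake state, which a plain connection log without SYN tracking never records.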

WHITE HAT METHOD

This method can be used separately or following execution of the Black Hat approach.
The auditor begins by actually meeting with the staff and gathering information on the
network architecture and all configurations of routing equipment and defense
components.

This information is then analyzed and predictions are made on possible vulnerabilities
that exist based on known issues and professional experience. The auditor then goes to
an outside Internet connection and attempts to exploit these vulnerable areas and gain
access to the system. This method is usually performed after the Black Hat method and
after initial securing of the network. It is the final procedure in the initial auditing process.

POST AUDIT ACTIVITIES

After the initial audit, the next step is to perform a risk mitigation analysis and
secure the network accordingly. This is a vital part of the security assessment process.
This step includes associating cost vs. risk scenarios and factoring in security
transparency to the user. There are three security models: Open, Restrictive, and
Closed. Choosing one or more depends on the data being protected and what you
wish to provide to the users.

Q. What are the costs of protecting versus doing nothing?

A. Best practices and standards have been established to calculate risk exposure. To
calculate risk exposure, two variables, P(L) and S(L), are used. P(L) is the probability
of loss, expressed as a threat frequency value. S(L) is the severity of the potential loss.
Multiplying these two components together gives the potential risk exposure.

P(L) = the probability of the potential loss
S(L) = the severity of the potential loss
R(E) = the total risk exposure

P(L) x S(L) = R(E)

The reduction in value of an asset from one threatening incident is called Single Loss
Expectancy (SLE). SLE is the resulting value after a threat has been applied.

SLE = Original Total Cost of Ownership - Remaining Value

EXAMPLE:

The value of our ERP database = $100,000. If a hacker breaks into the system and
destroys 80% of it, the value has been reduced by $80,000. The SLE would be $80,000
and calculated as follows:

$80,000 = $100,000 - $20,000

ANNUALIZING RISK

In calculating risk exposure, many experts use risk analysis tools such as SAFE
(Standard Annual Frequency Estimate). Common SAFE values are listed in the table
below:

SAFE Value    Frequency of Occurrence
.01           Once every 100 years
.02           Once every 50 years
.1            Once every 10 years
.2            Once every 5 years
.5            Once every 2 years
1             Once a year
10            10 times a year
20            20 times a year

Using our previous example, if a hacker destroying 80% of the database is expected to
occur once every two years (SAFE value .5), our SLE equation would be:

SLE = .5 x $80,000
SLE = $40,000

$40,000 is what our company can expect to incur in risk each year. Utilizing these
calculations provides you and your team with a basis on which to evaluate and make
decisions on system safeguards.
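The risk exposure, SLE and SAFE calculations above, carried through in code as an added example (not from this white paper or its author). It implements exactly the relationships the paper gives, R(E) = P(L) x S(L), SLE = Original Total Cost of Ownership - Remaining Value, and annual exposure = SAFE value x SLE, and extends them with the safeguard comparison the last sentence asks for: the assumption, standard in risk frameworks, is that a control is worth buying when the annual exposure it removes exceeds its annual cost. One caveat for readers of other frameworks: the paper labels the annualized figure (.5 x $80,000) "SLE", whereas most later references call it the Annualized Loss Expectancy and reserve SLE for the per-incident $80,000. The safeguard names and figures are constructed.

```python
"""Risk exposure worksheet following the white paper's formulas.

Added example, not part of the white paper. Implements:
    R(E) = P(L) x S(L)
    SLE  = Original Total Cost of Ownership - Remaining Value
    annual exposure = SAFE value x SLE
and adds a safeguard cost/benefit comparison (assumption: a control pays off
when the annual exposure it removes exceeds its annual cost). Safeguard figures
used in main() are constructed for illustration.
"""
from dataclasses import dataclass

# SAFE table as printed in the paper: description -> expected occurrences per year
SAFE_TABLE = {
    "once every 100 years": 0.01,
    "once every 50 years": 0.02,
    "once every 10 years": 0.1,
    "once every 5 years": 0.2,
    "once every 2 years": 0.5,
    "once a year": 1.0,
    "10 times a year": 10.0,
    "20 times a year": 20.0,
}


def risk_exposure(p_loss: float, s_loss: float) -> float:
    """R(E) = P(L) x S(L): threat frequency times severity of the loss."""
    if p_loss < 0 or s_loss < 0:
        raise ValueError("probability and severity must be non-negative")
    return p_loss * s_loss


def single_loss_expectancy(original_value: float, remaining_value: float) -> float:
    """SLE = Original Total Cost of Ownership - Remaining Value."""
    if not 0 <= remaining_value <= original_value:
        raise ValueError("remaining value must lie between 0 and the original value")
    return original_value - remaining_value


def safe_from_interval(years_between_events: float) -> float:
    """SAFE value for 'once every N years' is 1/N (every 2 years -> .5)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def annualized_exposure(sle: float, safe_value: float) -> float:
    """The paper's '.5 x $80,000' step: P(L) is the SAFE value, S(L) is the SLE."""
    return risk_exposure(safe_value, sle)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float             # yearly cost of running the control
    residual_safe: float           # threat frequency once the control is in place
    residual_loss_fraction: float  # share of the asset still lost per incident


def safeguard_net_benefit(asset_value: float, loss_fraction: float,
                          safe_value: float, sg: Safeguard) -> float:
    """Annual exposure removed by the control minus what the control costs."""
    before = annualized_exposure(asset_value * loss_fraction, safe_value)
    after = annualized_exposure(asset_value * sg.residual_loss_fraction, sg.residual_safe)
    return before - after - sg.annual_cost


def rank_safeguards(asset_value, loss_fraction, safe_value, safeguards):
    """Best net benefit first; a negative value means the control costs more than it saves."""
    scored = [(sg.name, safeguard_net_benefit(asset_value, loss_fraction, safe_value, sg))
              for sg in safeguards]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # The paper's ERP example: $100,000 database, 80% destroyed, once every two years.
    sle = single_loss_expectancy(100_000, 20_000)                        # 80,000
    annual = annualized_exposure(sle, SAFE_TABLE["once every 2 years"])  # 40,000
    print(f"SLE ${sle:,.0f}; annual exposure ${annual:,.0f}")
    options = [  # constructed figures, not from the paper
        Safeguard("nightly off-site backups", 5_000, 0.5, 0.1),
        Safeguard("host-based IDS on the database server", 12_000, 0.2, 0.8),
        Safeguard("gold-plated appliance", 45_000, 0.1, 0.8),
    ]
    for name, benefit in rank_safeguards(100_000, 0.8, 0.5, options):
        print(f"{name}: net benefit ${benefit:,.0f}/year")
```

Running it reproduces the paper's $80,000 SLE and $40,000 annual exposure, then shows why the ranking matters: backups that cut the loss per incident to 10% net $30,000 a year, while an appliance that costs more than the exposure it removes comes out negative and should not be approved on these numbers.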

DESIGNING A SECURITY POLICY

This arguably is one of the most important and least managed aspects of network
security. A security policy should represent the nucleus of all network activities. It is
what holds everything together and helps ensure predictable results to network
migrations, rules, and changes in the network. In addition, a sound policy often includes
incident handling and disaster recovery.

Q. We don't have a policy. Where do we start?

A. Enlisting the services of an outside organization is common. These organizations meet
the requirements set forth by many regulatory commissions for third-party assessments
prior to external industry auditing.

Remember, developing sound policies can only be carried out after proper
analysis is performed.

DESIGNING A SECURE ARCHITECTURE

Upon completing any risk mitigation, approving costs of necessary equipment, and
enacting policy changes, a new design should be ready for implementation.

Some of the areas and technologies that are often addressed in developing a new
design include:

· Perimeter Routing / Perimeter Filtering
· Firewall Configuration / Installation
· Intrusion Detection Systems (Network and Host)
· Security Policy Creation
· Incident Handling Policy
· Honey Pots
· Server Hardening
· Anti-Virus Implementation
· Wireless Security
· Application Security
· Administrative entry points to your secure servers
· Encryption on the Network and the Internet
· VPN Technologies
· Central Logging Management

Q. What is the best architectural model to follow?

A. The overwhelming consensus is to follow a layered security approach and perform active
management of security policies.

REMEDIATIONS AND MIGRATIONS

A remediation and/or migration plan should include a sound security policy and an
architectural blueprint focused on minimizing interruptions to daily business operations.
Where possible, efforts should be taken to leverage existing technologies, policies and
tools, negating re-engineering efforts and further reducing possible impact and
associated deployment costs.

Actual tasks could include:

· Patching Servers (Hardening)
· Firmware Upgrades
· Software Upgrades
· Router Configuration Changes
· Firewall Configuration Changes
· Implementation of New IP Scheme(s)
· Creation/modification of DMZ(s)
· Implementation of Additional Technology/Tools

FINAL AUDIT

The final audit is performed after creating the security policy and implementing the new
security architecture. In the final audit, we utilize the White Hat approach to compare
and contrast the results from the previous assessments.

STAYING SECURE

The life cycle of security has no end. The security process consists of ongoing system
enhancements. Security testing and evaluation should be conducted at a minimum of
every three years or whenever a major change is made to the system. For systems that
are exposed to constant threat (e.g. web servers) or that protect critical information such
as firewalls, testing should be conducted more frequently, perhaps quarterly.

[Figure: security life cycle wheel with the steps Secure the Network -> Monitor Your
Network -> Test the Network -> Improve Your Security Policy; the diagram also carries
the label "Configuration".]

Open Source Tools
· Nmap

Packaged Software
· eEye Retina Scanner
· Saint
· Nessus
· ISS Internet/System Scanner
· Harris STAT
· Foundstone Fscan
· Network Associates

This White Paper was compiled by:

Josh Perrymon, Network Security Specialist

Josh has performed a significant number of IT Security Assessments over the past five
years. During this time, he has achieved the following levels of certification:

Cisco Certified Network Associate (CCNA), Cisco Security Specialist (QI 2003),
Network Security Certified (Brain Bench), Firewall Intrusion Detection Certified (Brain
Bench), HTML Certified, Advance Design & Cold Fusion Certified, Certified by
BellSouth in Frame Relays

Published by Andrea Hopkey, Director of Corporate Development
