Case Study in Business Information Security
IT Security Audit

RDA Corporation

Todd Fine, MCSE, MCSD, CNA
Director, Security and Integration Practice, RDA
          Quick Introduction to RDA
   IT Consulting company in the Security, Integration, and
    AppDev spaces
   Partners: Microsoft, IBM, Rational, BEA, and…CIS!
       MS Gold Certified in Security and E-commerce solutions (one of only a
        handful in the U.S.)
   Verticals: Insurance, Capital finance and Commercial
                 Security Offering
   Security Assessments, Audits and Implementations
   Software security architecture design, including PKI and
    training on .NET
   Active Directory, ISA Server and Exchange design and
   Network and Systems Consulting (VPNs, firewalls,
    network design, wireless)
   Disaster Recovery / Business Continuity Assessment
    and Implementation
      Case Study: Company Profile
   Financial Services: annuities industry
   Pioneered Web-based approaches to transactions in the
    annuity market on the Internet
   Connect all industry constituencies: carriers and
    manufacturers, distributors and point of sale
    representatives, customers
   Client list includes large financial and insurance
    institutions including Merrill Lynch, Charles Schwab,
     Fidelity, GE Financial, Nationwide, and more
   Provide new, secure distribution channels for partner
    products and services
    Business Situation and Challenges
   As a financial institution, must work within strict regulatory
   Customers and Partners extremely strict on security, performing
    lengthy due diligence activities before coming on board
       facility site visits
       security policy and procedure reviews
       penetration/hacking attempts
   As part of strong focus on security, perform an annual security audit,
    the results of which are provided to their partners
   The underlying drivers are the two issues of utmost importance to the
    organization in this area:
     1. Guaranteeing privacy for partners, and for their partners’ data
     2. Ensuring the highest degree of protection from hostile attacks
          Project Mission Statement
    Ensure that critical production networks, applications,
     and especially data, are secure and protected from
     attack. This will be accomplished via a comprehensive
     Security Audit designed to:
    1.   Probe and validate security state via penetration
         testing and vulnerability assessments
    2.   Review current security practices, policies, and
    3.   Present resulting security posture in the context of
         security industry best practices, baselined against
         industry standards
           Methodology and Approach
   RDA uses a custom methodology, based on best practices from
    several industry-leading standards and methodologies, including:
        BS7799/ISO-17799 Information Security Standard
        Open Source Security Testing Methodology (OSSTMM)
        National Institute of Standards and Technology (NIST) Network
         Security Testing Guidelines
        Benchmarking and Comparative Scoring (CIS)
   For benchmarking and comparing security state there has been no
    dominant standard (and in fact few standards at all)
   CIS is the emerging leader in this arena, for which RDA is a partner
   RDA uses the CIS benchmarking tools and scoring systems where
    possible within the security audit
              CIS Overview/Recap
   CIS includes a large group of user organizations,
    security professionals and auditors that have
    collaboratively agreed upon security configuration
    specifications that:
      Represent a prudent level of due care (Level-1), and
      Consensus best-practice (Level-2) security
       configurations for computers connected to the Internet
   CIS scoring tools are used to determine how systems
    measure up to these widely accepted security
    CIS Tools Used in this Case Study
   CIS Windows 2000 Benchmark
      Criteria used for scoring are divided into three categories:
            Service Packs and Hotfixes
            Policies
            Security Settings
   CIS Cisco Router Security Benchmark
      Router Auditing Tool: for benchmarking Cisco router security
      Measures router configuration against CIS Level 1 configuration
      Downloads router config, checks against benchmark settings
   CIS “SANS Top Twenty” Vulnerability Scanner
      “Top Twenty” vulnerabilities benchmarking tool
      Runs specific set of scans targeting SANS top 20 vulnerabilities
    CIS Benchmark & Scoring Tool for W2K
    W2K scoring tool measures globally applied security
     policies on Windows servers and workstations
    Combination of guidance published by SANS Institute,
     the NSA and the DoD, plus CIS members
    Level-1 defines minimum standards for securing W2K
     servers and workstations
    Level-1 security actions specified satisfy 3 conditions:
     1. Can be safely implemented by a SysAdmin of any
        level of technical security skill
     2. Will “do no harm” to functionality commonly required
        by everyday users
     3. Can be scored by the CIS software tool
        CIS Tools: Windows Platform
   “Score” produced is a number between 0 and 10, reflecting:
       Service Packs
       Hotfixes Needed
       Non-Expiring Passwords
       Policy Mismatches for Account and Audit Policies
       Restrict Anonymous
       Security Options Mismatches
            Results: W2K Benchmark
   Strengths
      Minimum password length set high
      Logon security banners and warnings are enabled
      User desktops locked down for access
      Accounts locked out until the administrator enables them
      Unnecessary services disabled
      Console access requires authentication w/ RSA encryption
   Weaknesses
      No max password age to force users to change passwords
      Passwords do not meet standard guidelines for complexity
      Insufficient restrictions on anonymous connections: NULL sessions
       (empty username and password) can be used to enumerate information
       from systems on the domain
      System not set for "No access without explicit anonymous access given"
       Conclusions: W2K Benchmark
   Summary
      Mainly reliant on firewall and token authentication for security
      Several password policy enhancements and server configuration
       settings are necessary to enhance OS hardening of the servers

   Recommendations
      Set option for “No access without explicit anonymous access
       given” in the security policy for the Domain
      Set limited password ages for all passwords
      Increase password complexity requirements
      Additional restrictions for anonymous connections should be set
           Disable the ability to enumerate system information through
            the use of a NULL username and password
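The password-policy and anonymous-access findings above can be checked mechanically from a policy export, and re-checked after remediation. The following Python script is an added example, not RDA's audit tooling or the CIS scoring tool: it parses the INF that `secedit /export /cfg` writes, evaluates the items the audit flagged (maximum password age, complexity, RestrictAnonymous) plus minimum length and lockout threshold, produces a simplified pass-fraction score rather than CIS's weighted one, and emits an INF fragment that `secedit /configure` can apply. The thresholds, the sample export and the RestrictAnonymous value of 2 (Windows 2000's "No access without explicit anonymous permissions") are assumptions for illustration; the sample export is constructed.

```python
"""Check a Windows 2000 security-policy export against the password and
anonymous-access items the W2K benchmark flagged.  Added example: not RDA's
audit tooling or the CIS scoring tool; thresholds are assumed for illustration.
Input is the INF written by `secedit /export /cfg policy.inf` (the real file
is UTF-16; open it with encoding="utf-16")."""
import configparser
from dataclasses import dataclass

RESTRICT_ANON = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"

# Constructed sample export mirroring the audit's findings: long minimum length,
# no maximum age (-1 = never expires), complexity off, RestrictAnonymous=0.
BEFORE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 12
PasswordComplexity = 0
LockoutBadCount = 5
LockoutDuration = -1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The same export after the recommended changes (constructed).
AFTER = (BEFORE.replace("MaximumPasswordAge = -1", "MaximumPasswordAge = 90")
               .replace("PasswordComplexity = 0", "PasswordComplexity = 1")
               .replace("RestrictAnonymous=4,0", "RestrictAnonymous=4,2"))


@dataclass
class Finding:
    rule: str
    actual: object
    required: str
    passed: bool


def load_policy(inf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep registry paths exactly as written
    cp.read_string(inf_text)
    return cp


def reg_dword(policy, path):
    """secedit stores registry values as '<type>,<data>'; type 4 is REG_DWORD."""
    raw = policy.get("Registry Values", path, fallback=None)
    if raw is None:
        return None                 # not in the policy at all: treated as failing
    typ, _, data = raw.partition(",")
    return int(data) if typ == "4" else raw


def evaluate(inf_text):
    p = load_policy(inf_text)
    sa = p["System Access"]
    max_age = sa.getint("MaximumPasswordAge")
    min_len = sa.getint("MinimumPasswordLength")
    complexity = sa.getint("PasswordComplexity")
    lockout = sa.getint("LockoutBadCount")
    anon = reg_dword(p, RESTRICT_ANON)
    return [  # thresholds assumed; substitute the benchmark's own values
        Finding("MinimumPasswordLength", min_len, ">= 8", min_len >= 8),
        Finding("MaximumPasswordAge", max_age, "1-90 days (not -1)", 0 < max_age <= 90),
        Finding("PasswordComplexity", complexity, "1 (enabled)", complexity == 1),
        Finding("LockoutBadCount", lockout, "1-50 attempts", 0 < lockout <= 50),
        Finding("RestrictAnonymous", anon, "2 (no access w/o explicit permission)", anon == 2),
    ]


def score(findings):
    """Simplified 0-10 score: fraction of rules passed (CIS uses a weighted scheme)."""
    return round(10 * sum(f.passed for f in findings) / len(findings), 1)


# Value written for each failing rule; apply with: secedit /configure /db fix.sdb /cfg fix.inf
FIXES = {
    "MinimumPasswordLength": ("System Access", "MinimumPasswordLength = 8"),
    "MaximumPasswordAge": ("System Access", "MaximumPasswordAge = 90"),
    "PasswordComplexity": ("System Access", "PasswordComplexity = 1"),
    "LockoutBadCount": ("System Access", "LockoutBadCount = 50"),
    "RestrictAnonymous": ("Registry Values", RESTRICT_ANON + "=4,2"),
}


def remediation_inf(findings):
    sections = {"System Access": [], "Registry Values": []}
    for f in findings:
        if not f.passed:
            section, line = FIXES[f.rule]
            sections[section].append(line)
    out = ["[Unicode]", "Unicode=yes"]
    for name, lines in sections.items():
        if lines:
            out += [f"[{name}]"] + lines
    out += ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, inf in (("before", BEFORE), ("after", AFTER)):
        findings = evaluate(inf)
        for f in findings:
            print(f"{label}: {'PASS' if f.passed else 'FAIL'} {f.rule}={f.actual} (need {f.required})")
        print(f"{label} score: {score(findings)}")
    print(remediation_inf(evaluate(BEFORE)))
```

One caveat before pushing the fix domain-wide: on Windows 2000, RestrictAnonymous=2 is known to break down-level (NT 4.0) trusts and browse-list enumeration, so apply it on a test member server first and confirm that the applications the audited firm relies on still work.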
CIS Benchmark & Scoring Tool: IOS Router
   Measures router configuration against CIS Level 1 benchmark
   Downloads router configuration, checks it against benchmark
   For each configuration, produces:
      A list of each rule checked with a pass/fail score
      Raw and weighted overall score
      List of IOS commands that will correct problems identified
   Also comes with a Router Security Configuration Guide (by NSA)
      Provides technical guidance to help administrators and security
       officers improve network security
      Principles and guidance for secure configuration of IP routers,
       with detailed instructions for Cisco routers
      Use to help control access, resist attacks, shield network
       components, protect integrity and confidentiality of network traffic
         Results: Router Benchmarks
Score Summary

  #Rules   #Passed   #Failed   %Passed
    37       15        22        40

  Perfect Weighted Score   Actual Weighted Score   %Weighted Score   Overall Score (0-10)
           275                     109              39.6 (109/275)    (see Initial Results Summary)
         Results: Router Benchmarks
   Strengths
      Router not exposed to the Internet
      All small TCP services and UDP services disabled on the router
            This prevents some denial of service vulnerabilities on the router
       SNMP is disabled on the router (prevents SNMP enumeration)
       Web server service is disabled
            Prevents router from being susceptible to a web-based attack
   Weaknesses
     Logging on router not being captured
     No access lists to prevent unneeded traffic from DR to Production
     RIP routing is enabled on the router
     Telnet access not restricted to allowable subset of IP addresses
     Per-user logins not enabled
            Without individual accounts, a configuration change cannot be
             attributed to the person who made it
    Conclusions: Router Benchmarks
   Summary
      Routers connecting DR to Production are in a secure location on the
       network, so their security has not been under the same scrutiny as
       devices that touch the Internet
      However, taking further measures to lock down routers would
       require little effort, and would add additional security barrier in
       the event of a system exploit or virus infection
   Recommendations
      Add access lists to router to prevent unneeded traffic from
       passing through
      Disable RIP routing
      Enable logging on the router, to aid in troubleshooting configuration
       changes and in detecting security breaches
      Enable per-user logins so that configuration changes are attributable
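Everything the two router slides describe (download the config, check each rule, report pass/fail, raw and weighted scores, and the IOS commands that fix each failure, then re-run after remediation) fits in a short script. The following Python is an added example modelled on that workflow, not the CIS Router Audit Tool or RDA's code: its rule set and weights are illustrative, the two IOS configs are constructed to mirror the strengths and weaknesses listed above (before) and the recommendations applied (after), and the syslog host 10.1.0.50, ACL numbers and ACL contents are assumptions.

```python
"""Audit a Cisco IOS running-config in the manner of the CIS Router Audit Tool:
pass/fail per rule, raw and weighted scores, and IOS commands that would fix
each failure.  Added example, not RAT or RDA code; rules, weights, addresses
and both configs are assumed/constructed for illustration."""
import re

# Constructed "before" config mirroring the audit: small servers, SNMP and HTTP
# already off (IOS hides those defaults), but no logging, no ACLs, RIP on,
# unrestricted VTY access and a shared line password instead of user accounts.
BEFORE = """\
hostname dr-edge
no ip http server
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.255.0
interface FastEthernet0/1
 ip address 10.2.0.1 255.255.255.0
router rip
 network 10.0.0.0
line vty 0 4
 password cisco
 login
"""

# Constructed "after" config with the recommendations applied.
AFTER = """\
hostname dr-edge
username admin secret 5 $1$salt$constructedhash
no ip http server
logging buffered 16384
logging 10.1.0.50
ip access-list extended DR-TO-PROD
 permit tcp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 eq 443
 deny ip any any log
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.255.0
 ip access-group DR-TO-PROD in
interface FastEthernet0/1
 ip address 10.2.0.1 255.255.255.0
 ip access-group DR-TO-PROD in
access-list 99 permit 10.1.0.0 0.0.0.255
line vty 0 4
 access-class 99 in
 login local
"""

def parse(config):
    # Group indented sub-commands under their top-level command; skip '!' separators.
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def has(blocks, pattern):
    return any(re.match(pattern, head) for head, _ in blocks)

def sub_of(blocks, pattern):
    return [sub for head, sub in blocks if re.match(pattern, head)]

def vty_restricted(b):
    # Every VTY line needs an inbound access-class naming an ACL that is defined.
    vtys = sub_of(b, r"line vty")
    for sub in vtys:
        acl = next((m.group(1) for m in (re.match(r"access-class (\S+) in", s) for s in sub) if m), None)
        if acl is None or not has(b, rf"access-list {acl} permit"):
            return False
    return bool(vtys)

def interfaces_filtered(b):
    routed = [s for s in sub_of(b, r"interface ") if any(x.startswith("ip address ") for x in s)]
    return bool(routed) and all(any(x.startswith("ip access-group ") for x in s) for s in routed)

def per_user_login(b):
    vtys = sub_of(b, r"line vty")
    return has(b, r"username \S+ (secret|password) ") and bool(vtys) and all("login local" in s for s in vtys)

# (rule, weight, check, fix commands); weights are illustrative, not RAT's.
RULES = [
    ("small servers disabled", 3, lambda b: not has(b, r"service (tcp|udp)-small-servers"),
     ["no service tcp-small-servers", "no service udp-small-servers"]),
    ("SNMP disabled", 5, lambda b: not has(b, r"snmp-server community"), ["no snmp-server"]),
    ("HTTP server disabled", 5, lambda b: not has(b, r"ip http server"), ["no ip http server"]),
    ("logging to buffer and syslog host", 7,
     lambda b: has(b, r"logging buffered") and has(b, r"logging (host )?\d+\.\d+\.\d+\.\d+"),
     ["service timestamps log datetime msec", "logging buffered 16384", "logging 10.1.0.50"]),
    ("RIP disabled", 4, lambda b: not has(b, r"router rip"), ["no router rip"]),
    ("VTY access restricted by ACL", 8, vty_restricted,
     ["access-list 99 permit 10.1.0.0 0.0.0.255", "line vty 0 4", " access-class 99 in"]),
    ("inbound ACL on every routed interface", 8, interfaces_filtered,
     ["ip access-list extended DR-TO-PROD", " permit tcp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 eq 443",
      " deny ip any any log", "interface <each routed interface>", " ip access-group DR-TO-PROD in"]),
    ("per-user logins on VTY", 6, per_user_login,
     ["username admin secret <choose>", "line vty 0 4", " login local"]),
]

def audit(config):
    b = parse(config)
    results = [(name, w, check(b), fix) for name, w, check, fix in RULES]
    total_w = sum(w for _, w, _, _ in results)
    got_w = sum(w for _, w, ok, _ in results if ok)
    passed = sum(ok for _, _, ok, _ in results)
    return {
        "rules": len(results), "passed": passed, "failed": len(results) - passed,
        "pct_passed": round(100 * passed / len(results), 1),
        "perfect_weighted": total_w, "actual_weighted": got_w,
        "pct_weighted": round(100 * got_w / total_w, 1),
        "overall": round(10 * got_w / total_w, 1),
        "failed_rules": [name for name, _, ok, _ in results if not ok],
        "fix_commands": [c for _, _, ok, fix in results if not ok for c in fix],
    }
```

Run `audit(BEFORE)` and `audit(AFTER)` to see the before/after progression the slides report: the constructed "before" config passes the three rules the router already satisfied and fails the five weaknesses listed, and the "after" config passes all eight. The weighting matters: the two ACL rules and logging carry most of the weight, so the raw pass percentage understates how much the remediation improves the score, which is the point of a weighted scheme.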
    CIS Tools: Top Twenty Vulnerability Scanner

   Specific set of scans targeted at the SANS Top 20
    Strengths
       No Top 20 vulnerabilities detected on any scanned host
    Weaknesses
       None
          Initial Results Summary

   CIS "Windows 2000 Level I” benchmark
     Score: 1.7 (out of 10)

   CIS Cisco Router security benchmark
     Score: 4.4 (out of 10)

   CIS “SANS Top 20" vulnerability scanner
     Score: 100 (perfect score). No
            Next Steps (Remediation)
   Fix problems
       Follow benchmark results, which in some cases
        specify security actions to take
       Use expertise to interpret results
       Need to consider both business and technical
        constraints and make informed trade-offs
   Re-run the benchmark scoring tools!
      Post-Remediation: Final Results

   CIS "Windows 2000 Level I” benchmark
      Score: 6.5 (out of 10)

   CIS Cisco Router security benchmark
      Score: 7.2 (out of 10)

   CIS “SANS Top Twenty“ Vulnerability Scanner
      Score: 100 (perfect score)
             Final Overall Conclusions
   Although minor issues were found, RDA was unable to penetrate any
    production host on the network
        Note: application-layer security is a different story, but that is
         also a different presentation
   Strong policies were in place covering most aspects of security
   Staff very security-conscious, security ingrained upon employees
   After remediation, firm was able to further increase security posture,
    and upon conclusion received a HIGH overall rating, above most
    other companies
   CIS leadership and tools a great boon to RDA and our customers
       Differentiates RDA in the security market
       Makes our security audit services and deliverables better
       Creates a sense of confidence for customer (esp. exec mgmt)

Todd Fine – RDA, Business Development Director
