Auditing Internet Security AUD11

Session Objectives

IS auditors gain enough confidence to apply IT General Control (ITGC) skills to audit Internet security to a medium level of assurance.

Internet Security Audit =

1. IT General Controls (ITGC)

+

2. Access control audit of the Internet gateway vis

Agenda

 What is Internet security
 Internet security technology
 Common IT General Controls
 Specific Internet security controls

Internet security - Goals

 Secure connection to the Internet
 Block access to internal systems
 Protect web applications
 Control internal personnel use of the Internet
 Secure remote access

Threats and Risks

 Threat: hackers extract and publish sensitive information (databases; executive files and negotiation strategies; legal files; IP), or staff publish sensitive information
  Risks: damages and litigation; loss of business position; breach of legal duties; loss of competitive advantage
 Threat: denial of service
  Risks: cash flow (loss of sales); reputation
 Threat: theft of credit card details
  Risk: liability to the bank
 Threat: spoofing of your email
  Risk: damages and litigation
 Threat: staff and porn
  Risk: damages and litigation

Network Layers

 OSI model: Application, Presentation, Session, Transport, Network, Data Link, Physical
 TCP/IP model: Application (HTTP, FTP), Host-to-host (TCP, UDP), Network (IP), Network Access

Filtering Layers

AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services

Copyright (c) Infosec Services Pty Ltd 2008

IP Types

 IP
  Basic type
  Competitor to IPX, SNA, DECnet, etc.
 ICMP – Internet Control Message Protocol
  Used for error reporting and diagnostics (‘pinging’) and, historically, flow control (source quench)
 TCP – Transmission Control Protocol
  3-way handshake
  Starts with a ‘SYN’ (synchronise) request
  Connection state maintained in the kernel
 UDP – User Datagram Protocol
  ‘Stateless’: no handshake, so a firewall has to infer a session from recent traffic
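The packet types above are what a packet filter actually keys on: source and destination address, protocol number, ports, and for TCP the SYN/ACK flags that mark a new connection. The following parser is an added example, not code from the deck: it decodes an IPv4 header (verifying the header checksum) and the TCP, UDP or ICMP header behind it, and includes builders so the sample packets are constructed inline. All addresses and ports are made up for illustration.

```python
"""Minimal IPv4 / TCP / UDP / ICMP header parser (constructed example, not from the slides)."""
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class ParsedPacket:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: Dict[str, bool] = field(default_factory=dict)
    icmp_type: Optional[int] = None


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; evaluates to 0 over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Assemble an IPv4 packet without options and with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    # Data offset 5 words, no options; the TCP checksum is left zero (not verified here).
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp(icmp_type: int, code: int = 0) -> bytes:
    return struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4   # type 8 = echo request


def parse_packet(raw: bytes) -> ParsedPacket:
    """Decode the IPv4 header and the transport header a packet filter looks at."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto_num,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("inconsistent header/packet lengths")
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    pkt = ParsedPacket(PROTO_NAMES.get(proto_num, "proto-%d" % proto_num),
                       socket.inet_ntoa(src), socket.inet_ntoa(dst))
    payload = raw[ihl:total_len]
    if proto_num == 6 and len(payload) >= 20:
        pkt.sport, pkt.dport = struct.unpack("!HH", payload[:4])
        flags = payload[13]                       # flags byte of the TCP header
        pkt.tcp_flags = {n: bool(flags & b) for n, b in TCP_FLAG_BITS.items()}
    elif proto_num == 17 and len(payload) >= 8:
        pkt.sport, pkt.dport = struct.unpack("!HH", payload[:4])
    elif proto_num == 1 and len(payload) >= 4:
        pkt.icmp_type = payload[0]
    return pkt


def is_new_connection(pkt: ParsedPacket) -> bool:
    """A SYN without ACK is the only packet a stateful filter treats as a new TCP session."""
    return bool(pkt.proto == "TCP" and pkt.tcp_flags.get("SYN") and not pkt.tcp_flags.get("ACK"))


if __name__ == "__main__":
    syn = build_ipv4(6, "192.0.2.10", "198.51.100.80", build_tcp(40000, 80, TCP_FLAG_BITS["SYN"]))
    print(parse_packet(syn), is_new_connection(parse_packet(syn)))
```

Running the script prints the decoded SYN and `True`; a packet whose header checksum has been corrupted is rejected before any field is trusted, which is the first thing a filter does.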

A look back to 2002

Rating  Maturity     Objective / Controls                                              Gateway user
1       Initial      Basic filtering, block incoming                                   Home user, SOHO
2       Repeatable   Customised filtering, good technician                             SME
3       Defined      Content scanning, change control, logging                         Major companies and Government
4       Managed      Risk management, compensating controls, monitoring, CSIRP,        Banks, high information-asset companies
                     industry-evaluated products
5       Optimised    ISO 15408 evaluated products, formal accreditation process        Sensitive Government

Auditing

 Context
  Review enterprise security policy, network security standards
  Identify regulatory information security requirements
  Review security incident history
  Review service provision model
   In house
   Outsourced – IaaS, PaaS, SaaS, etc.
  Determine assurance requirements

Network access control – AKA packet filtering

 Basic packet filtering
  Rare these days
  Filtering on
   Destination IP address
   Source IP address
   Destination port (AKA service, e.g. HTTP, telnet)
   Source port

Network Access Control

 Stateful
  Most common, e.g. Check Point, Cisco Adaptive Security Appliance (ASA), PIX
  Example: a recent outgoing DNS name lookup permits the matching DNS response
  Firewall understands ‘network’ sessions
 Application level

Network Access Control – Application Level

 Application protocol compliance and misuse
  Enforce protocol rules
   E.g. only DNS over the DNS port
  Block risky but protocol-compliant options, e.g. SMTP EXPN
 Content filtering

Filtering – What to look for

 Ingress
  Very restricted rules
  Restricted access to DMZ resources
  No direct access to internal networks
  No blanket access for remote access
 DMZ to internal networks
  Only essential connections
 Egress
  Enforcement of use of proxies, e.g.
   SMTP = enforce use of corporate email gateway
   HTTP = enforce use of content filter
   DNS = enforce use of trusted DNS server
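The stateful behaviour described under Network Access Control and the ingress/egress expectations listed above can be exercised together in a small simulation. This is an added example, not code from the deck or from any firewall vendor: addresses, zone ranges and the proxy hosts (trusted resolver, web proxy, mail relay) are assumptions. The filter keeps a session table keyed on the initiating 5-tuple, consults the static rule base only for packets with no state, and defaults to deny.

```python
"""Stateful packet filter with proxy-enforcing egress rules (constructed example, not from the slides)."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the example (not from the deck)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # internal networks
DMZ = ipaddress.ip_network("192.0.2.0/24")           # DMZ
DMZ_WEB = ipaddress.ip_address("192.0.2.10")         # published web server
TRUSTED_DNS = ipaddress.ip_address("192.0.2.53")     # resolver every internal host must use
WEB_PROXY = ipaddress.ip_address("192.0.2.80")       # HTTP/HTTPS content-filtering proxy
MAIL_RELAY = ipaddress.ip_address("192.0.2.25")      # corporate mail gateway
STATE_TIMEOUT = 30.0   # seconds a session stays in the table without traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    sport: int
    dport: int
    t: float          # arrival time in seconds
    syn: bool = False # TCP SYN without ACK, i.e. a new connection request


def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"


def permits_new_session(p: Packet) -> bool:
    """Static rule base, consulted only when no session state matches. Anything not listed is denied."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if p.proto == "TCP" and not p.syn:
        return False                           # mid-stream TCP with no state: drop it
    sz, dz = zone(p.src), zone(p.dst)
    if sz == "internal":
        # Egress: force the trusted resolver, the content filter and the mail gateway
        if p.proto == "UDP" and p.dport == 53:
            return dst == TRUSTED_DNS
        if p.proto == "TCP" and p.dport in (80, 443):
            return dst == WEB_PROXY
        if p.proto == "TCP" and p.dport == 25:
            return dst == MAIL_RELAY
        return False
    if sz == "dmz" and dz == "internet":
        # Only the proxies may reach the Internet, each for its own protocol
        return ((src == TRUSTED_DNS and p.proto == "UDP" and p.dport == 53)
                or (src == WEB_PROXY and p.proto == "TCP" and p.dport in (80, 443))
                or (src == MAIL_RELAY and p.proto == "TCP" and p.dport == 25))
    if sz == "dmz" and dz == "internal":
        return False                           # DMZ to internal: only essential connections (none here)
    if sz == "internet" and dz == "dmz":
        # Ingress: published services only, never internal networks
        return p.proto == "TCP" and ((dst == DMZ_WEB and p.dport in (80, 443))
                                     or (dst == MAIL_RELAY and p.dport == 25))
    return False


class StatefulFilter:
    def __init__(self) -> None:
        self.sessions = {}   # initiator 5-tuple -> expiry time

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.sessions.items() if exp <= now]:
            del self.sessions[key]

    def process(self, p: Packet) -> str:
        """Returns 'permit-new', 'permit-established' or 'deny'."""
        self._expire(p.t)
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (forward, reverse):
            if key in self.sessions:
                self.sessions[key] = p.t + STATE_TIMEOUT   # refresh on traffic either way
                return "permit-established"
        if permits_new_session(p):
            self.sessions[forward] = p.t + STATE_TIMEOUT
            return "permit-new"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.process(Packet("10.1.1.7", "192.0.2.53", "UDP", 40123, 53, 0.0)))      # permit-new
    print(fw.process(Packet("192.0.2.53", "10.1.1.7", "UDP", 53, 40123, 1.0)))      # permit-established
    print(fw.process(Packet("198.51.100.9", "10.1.1.7", "UDP", 53, 40123, 2.0)))    # deny
```

The two things an auditor should look for are visible in the trace: the reply to a DNS query is permitted only while matching state exists, and an internal host that tries to bypass the trusted resolver or the web proxy is denied even though the destination port is "allowed".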

Content Inspection

 Malware
  Viruses, worms
  Buffer overflow attempts
  Other exploitation attempts
 Unauthorised content
  Keywords, e.g. F**K
  Images – skin tones, etc.

Intrusion Prevention Systems

 Evolution from network IDS
  Historically a separate IDS with feedback to the firewall
  Now mostly part of a firewall but licensed separately
  Requires an annual subscription
  IDS engine dynamically writes firewall rules
 Detection techniques
  Signatures
  Anomaly / heuristics
  Blacklists
 Data Loss Prevention (DLP) tools
  (rarely tuned well)

Testing - Passive

Ask the administrator to show you the settings
 Less audit risk than accessing the admin account yourself
 Inspect key controls
  Applicable security policy
  Technical configuration settings
  Logging and incident response capability
Review the firewall ruleset
Inspect the IDS/IPS console

Testing – Review Firewall Rules

 Default deny policy?
 Permit risky protocols?
  Protocols with plaintext passwords
  Protocols permitting remote control or access
 Decisions based on untrustworthy source information?
 Rules match authorised usage
 Rule documentation

Testing – Passive (3)

Documentation
 Network diagrams
  Secure architecture?
 Ruleset descriptions? Maintainable? Periodically reviewed?
Infrastructure inspection
 Patch cables
  Match diagrams?
Software flaws: patch plans/records
Check for evidence of control effectiveness
 Test reports (including regression testing)
 System logs

Testing – Passive (4)

 Change control
  Security risk
  Normal ITIL controls
 Administrator
  Authentication and logging
  From a trusted location
  Skills

DMZ Servers Operating Systems

 Use a standard server security checklist
  At the high security level
  Vendor security manual, ASD or AusCERT list, Center for Internet Security
 Inspect
  Usual ITGC
  Running network services
   "netstat -a"
   "rpcinfo -p" (on Unix)
  Patching
  Malicious software controls
  Logging – sent to a separate trusted repository?
  Multi-homed DMZ servers – get the admin to show that the host is not routing
  Get the admin to run the vendor's security tools for you
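An added example (not from the deck) of turning the "running network services" and "not a router" inspection items into a repeatable check. It parses `netstat -an` style output (Linux-format, constructed below), compares listening sockets against an approved baseline for the host role, and evaluates the kernel forwarding flag a multi-homed DMZ host should have off. The output, the baseline and the server role are assumptions made for illustration.

```python
"""Audit a DMZ host's listeners and forwarding flag from captured command output (constructed example)."""
import re
from typing import List, Set, Tuple

# Constructed `netstat -an` output for a hypothetical DMZ web server (not from the slides)
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          203.0.113.5:51000       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Approved baseline for the "DMZ web server" role: ssh for admin, http/https, NTP client
APPROVED_LISTENERS: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 123)}

# proto, recv-q, send-q, local addr:port, foreign addr, optional state (UDP rows have none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+(?:\s+(\S+))?\s*$")


def listening_sockets(output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind address, port) for every listening socket in netstat output."""
    sockets = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        proto = proto.rstrip("6")
        if port == "*":
            continue
        if proto == "tcp" and state != "LISTEN":
            continue                      # established sessions are not listeners
        sockets.append((proto, addr, int(port)))
    return sockets


def unexpected_listeners(output: str, approved: Set[Tuple[str, int]]) -> List[Tuple[str, str, str, int]]:
    """Listeners outside the baseline; loopback-only binds are reported at lower severity."""
    findings = []
    for proto, addr, port in listening_sockets(output):
        if (proto, port) in approved:
            continue
        loopback = addr.startswith("127.") or addr == "::1"
        findings.append(("info" if loopback else "high", proto, addr, port))
    return findings


def forwarding_enabled(proc_value: str) -> bool:
    """Content of /proc/sys/net/ipv4/ip_forward; a multi-homed DMZ host should read 0."""
    return proc_value.strip() == "1"


if __name__ == "__main__":
    for f in unexpected_listeners(NETSTAT_OUTPUT, APPROVED_LISTENERS):
        print("%-4s %s %s:%d not in baseline" % f)
    print("ip_forward=1 -> host is routing" if forwarding_enabled("1\n") else "forwarding off")
```

On the constructed output the check flags the portmapper (tcp/udp 111) as a high finding and the loopback-only database listener as informational; the auditor would then ask the administrator to justify each one, which is the point of the inspection.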

DMZ Middleware

 Often the weakest point
 Web services access control
  Middleware ‘containers’ have access control lists – inspect them
  Web services – access control
   Authentication to access web services?
   Logging?
 Databases

DMZ Servers Continued

 Backed up?
 Part of an IT Disaster Recovery Plan?
  Tested?
 Increasingly using ‘High Availability’ and automatic failover

ASD’s Top 35 Mitigations

 Firewalls, network segmentation, proxy enforcement
 Host and network IPS, centralised network logging
 Email spoof controls – Sender Policy Framework
 Block certain file types
 Email and web content filtering, malware controls
 Web domain whitelisting, blacklist known malicious domains
 Patching
 Dynamic analysis of email and web content – sandbox

Testing – Active

 Check control effectiveness
 Scan accessible ports – does the admin have the tools?
  Tools: nmap
 Scan application vulnerabilities
  Tools: Nessus, Acunetix, AppScan, Burp Suite, Hailstorm, NTO Spider, Qualys, WebInspect
 Penetration tests by a service provider?

Testing – Analysis vs Pen Tests

 Pen tests and scans are great for obvious stuff-ups
 Weaknesses hard to find by pen tests
  Rules with source network filters
  Rules for decommissioned servers (firewall rule reuse)
  No filtering from DMZ to internal networks
  No egress filtering
  Messed up firewall object definitions
  Firewall software flaws and patches
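The checklist under Testing – Review Firewall Rules and the list above of weaknesses that pen tests miss are both questions that can be asked of the ruleset itself. The following is an added example, not from the deck and not any vendor's export format: it reviews a constructed CSV-style ruleset and object table for a missing default deny, plaintext-password and remote-control services permitted from untrusted sources, rules still referencing decommissioned objects, unrestricted egress, DMZ-to-internal connections, and objects whose definition is really "any". The rules, object names, networks and port classifications are assumptions.

```python
"""Static review of a firewall ruleset for the weaknesses scans rarely find (constructed example)."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed zone ranges (not from the slides)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")

PLAINTEXT_PASSWORD_SERVICES = {"tcp/21": "FTP", "tcp/23": "Telnet", "tcp/110": "POP3", "tcp/143": "IMAP"}
REMOTE_CONTROL_SERVICES = {"tcp/22": "SSH", "tcp/3389": "RDP", "tcp/5900": "VNC"}

# Constructed ruleset: id,src,dst,service,action,comment (last column is free text without commas)
RULESET = """\
id,src,dst,service,action,comment
1,any,dmz_web,tcp/443,permit,public web site
2,any,dmz_web,tcp/80,permit,redirect to https
3,any,dmz_mail,tcp/25,permit,inbound mail
4,any,dmz_ftp,tcp/21,permit,partner uploads
5,internal_net,any,any,permit,outbound
6,vendor_net,internal_net,tcp/3389,permit,vendor support
7,dmz_web,internal_db,tcp/1433,permit,application database
8,any,any,any,deny,cleanup rule
"""
OBJECTS: Dict[str, str] = {
    "dmz_web": "192.0.2.10/32", "dmz_mail": "192.0.2.25/32", "dmz_ftp": "192.0.2.21/32",
    "internal_net": "10.0.0.0/8", "internal_db": "10.1.1.5/32",
    "vendor_net": "0.0.0.0/0",          # a 'messed up' object: named like a partner, defined as everything
}
DECOMMISSIONED: Set[str] = {"dmz_ftp"}  # from the asset register; the rule was never removed


@dataclass
class Finding:
    rule_id: str
    code: str
    detail: str


def net_of(name: str, objects: Dict[str, str]) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if name == "any" else objects[name])


def review_ruleset(text: str = RULESET, objects: Dict[str, str] = OBJECTS,
                   decommissioned: Set[str] = DECOMMISSIONED) -> List[Finding]:
    rules = list(csv.DictReader(io.StringIO(text)))
    findings: List[Finding] = []
    for name, cidr in objects.items():
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(Finding("-", "BROAD_OBJECT", "object '%s' is defined as %s, i.e. any" % (name, cidr)))
    last = rules[-1] if rules else None
    if not last or not (last["src"] == last["dst"] == last["service"] == "any" and last["action"] == "deny"):
        findings.append(Finding("-", "NO_DEFAULT_DENY", "ruleset does not end with an explicit deny any any any"))
    for r in rules:
        if r["action"] != "permit":
            continue
        rid, svc = r["id"], r["service"].lower()
        src, dst = net_of(r["src"], objects), net_of(r["dst"], objects)
        trusted_src = src.subnet_of(INTERNAL) or src.subnet_of(DMZ)
        if svc in PLAINTEXT_PASSWORD_SERVICES and not trusted_src:
            findings.append(Finding(rid, "PLAINTEXT_PROTOCOL", "%s permitted from untrusted source" % PLAINTEXT_PASSWORD_SERVICES[svc]))
        if svc in REMOTE_CONTROL_SERVICES and not trusted_src:
            findings.append(Finding(rid, "REMOTE_ACCESS_FROM_UNTRUSTED", "%s permitted from untrusted source" % REMOTE_CONTROL_SERVICES[svc]))
        if r["src"] in decommissioned or r["dst"] in decommissioned:
            findings.append(Finding(rid, "DECOMMISSIONED_OBJECT", "rule references a decommissioned host: candidate for rule reuse"))
        if src.subnet_of(INTERNAL) and dst.prefixlen == 0 and svc == "any":
            findings.append(Finding(rid, "NO_EGRESS_FILTERING", "internal to any on any service bypasses proxy enforcement"))
        if src.subnet_of(DMZ) and dst.subnet_of(INTERNAL):
            findings.append(Finding(rid, "DMZ_TO_INTERNAL", "verify this connection is essential and documented"))
        if not trusted_src and dst.subnet_of(INTERNAL):
            findings.append(Finding(rid, "INTERNET_TO_INTERNAL", "untrusted source reaches an internal network directly"))
    return findings


if __name__ == "__main__":
    for f in review_ruleset():
        print("rule %-2s %-28s %s" % (f.rule_id, f.code, f.detail))
```

Note how rule 6 only looks acceptable because of the object table: the rule reads "vendor network to internal RDP", but `vendor_net` resolves to 0.0.0.0/0, which is exactly the kind of object-definition error a port scan from one test host will never reveal.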

Finifter and Wagner, UC Berkeley

Scope: code review

http://www.cs.berkeley.edu/~daw/papers/webapps11.pdf

Analysis vs Testing

Web Deployment Trends

 Virtualisation, virtualisation, virtualisation
  Co-hosting with others’ web services
  Server virtualisation
  Storage virtualisation
 Voice over IP security

Trends - Storage Virtualisation

 Alternative routes into the inside
  Shared server virtualisation infrastructure
  Stretching of SANs into the DMZ
 All of an organisation’s data in one place
 SAN controls
  Zoning, with Host Bus Adapters
  LUN masks or Access Control Lists
  Virtual servers can have very broad SAN access
  Use a separate SAN

Trends - Server Virtualisation

 Internet servers on the internal VM farm,
  but mainly separate VM farms
 Several key controls not on by default
  ARP spoofing
  MAC changes
  Many DoS controls
  Persistent log files

Trends - Server Virtualisation (2)

 Sprawl
  Duplicates running
  AV forgotten on virtual server clones
  Copies of other system snapshots
  Clones of insecure development configurations
 VM snapshots unprotected on the file system
 References
  VMware Security Hardening Guides

17 September 2002, CACS 2002

Corrective Controls

 Incident response
  Is there an incident response plan?
  Does the CSIRP cover management processes and technical responses?
  Is evidence protected?

Controls Effectiveness

 Logs
  Are they protected?
  Are they stored on a separate server?
 Is it the only gateway?
  Wireless
  Modems

Controls Effectiveness

 Malicious content scanning
  Frequency of signature updates
  Quality of tool
   Scan by heuristics and signatures
   Additional scanning on server or desktop
   Inspection regardless of file type
   Inspection inside archive files
  HTTPS scanning
   HTTPS whitelisting or blacklisting

Internet Routing Authenticity

 BGP authentication
  Border router outside the firewall
  Reference: NIST SP 800-54
 Real world attacks and accidents
  China Telecom advertised 37 000 unowned networks, 2010
  Pakistan Telecom blocks YouTube, 2008
  Malaysian ISP blocks Yahoo, 2004
  Turkish ISP takes over the Internet, 2004
   TTNet sent out a full table of Internet routes via BGP that routed most Internet traffic through Turkey for several hours
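The incidents above share two signatures as seen from a route collector: a prefix announced with an origin AS that is not its registered holder, or a more-specific prefix of a legitimate block announced by someone else (which wins by longest match). The following is an added example, not from the deck or from NIST SP 800-54: it compares constructed announcements against a constructed table of the prefixes an organisation is responsible for and their expected origin AS. Prefixes and AS numbers are documentation ranges and assumptions.

```python
"""Detect origin hijacks and more-specific hijacks of an organisation's own prefixes (constructed example)."""
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed: the prefixes we hold and the AS that is allowed to originate them
EXPECTED_ORIGINS: Dict[str, int] = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/22": 64500,
    "203.0.113.0/24": 64501,
}

Announcement = Tuple[str, Sequence[int]]   # (prefix, AS path as seen by the collector)
Alert = Tuple[str, int, str]               # (prefix, origin AS, reason)


def check_announcements(announcements: List[Announcement],
                        expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Alert]:
    """Flag routes that claim our prefixes with the wrong origin, or carve more-specifics out of them."""
    expected_nets = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    alerts: List[Alert] = []
    for prefix, as_path in announcements:
        net = ipaddress.ip_network(prefix)
        if not as_path:
            continue
        origin = as_path[-1]                                  # rightmost AS originates the route
        if net in expected_nets:
            if expected_nets[net] != origin:
                alerts.append((prefix, origin, "origin AS mismatch: expected AS%d" % expected_nets[net]))
            continue
        covering = [n for n in expected_nets if net.version == n.version and net.subnet_of(n)]
        if not covering:
            continue                                          # not our address space; out of scope here
        parent = max(covering, key=lambda n: n.prefixlen)     # the block it was carved from
        if expected_nets[parent] != origin:
            alerts.append((prefix, origin, "more-specific of %s from unexpected origin (expected AS%d)"
                           % (parent, expected_nets[parent])))
        else:
            alerts.append((prefix, origin, "unplanned more-specific of %s; confirm deliberate deaggregation" % parent))
    return alerts


# Constructed observations, as a route collector might report them
OBSERVED: List[Announcement] = [
    ("192.0.2.0/24", [64496, 64500]),          # legitimate
    ("198.51.100.0/22", [64496, 64500]),       # legitimate aggregate
    ("198.51.100.0/24", [64496, 64499]),       # more-specific hijack of our /22
    ("203.0.113.0/24", [64496, 64502]),        # origin hijack
    ("10.0.0.0/8", [64496, 64503]),            # not ours; ignored by this check
]

if __name__ == "__main__":
    for prefix, origin, reason in check_announcements(OBSERVED):
        print("%-18s AS%-6d %s" % (prefix, origin, reason))
```

Running it reports the /24 carved out of 198.51.100.0/22 by AS64499 and the wrong-origin announcement of 203.0.113.0/24; the legitimate routes and the unrelated 10.0.0.0/8 produce nothing. The auditor's question is then whether anyone is watching for these alerts at all, since BGP session authentication on the border router protects the session with the upstream, not what the rest of the Internet announces.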

Standards and Guidelines

 ISO 27002, 27005
 Australian Government Information Security Manual
 Vendor guides
 COBIT
 NIST
  csrc.nist.gov
 Center for Internet Security (SANS)
  www.cisecurity.org
 O’Reilly & Assoc. publications
  Spafford
  Cheswick

Threats, Vulnerabilities and Risks

Threats exploit Vulnerabilities, which expose the Value of Assets (including Business Processes)
