Auditing in the New Millennium:

Transcription

1 : Information Technology Controls and Network Vulnerability Assessments Ernie Barany, CPA, CPT, CEH Principal Auditor Dan Altobelli, CPA, CISA, CEH Principal Auditor 1

2 When you think of IT auditing, is this what you think of? 2

3 When you think of IT auditing, is this what you think of? 3

4 Why you have to know some IT: - Most controls are handled by the application - Everyone has a web application now - Why steal, when you can get the computer to do it for you? - Information is one of the most valuable assets - Those pesky auditing standards 4

5 Overview 1. The OSA IT Controls Framework 2. What the heck is a network vulnerability assessment (NVA)? 3. The purpose of information security 4. Scope and objectives of a NVA 5

6 Overview 5. Criteria/benchmarks 6. Audit procedures and testing 7. Reporting the results 8. Audit Findings 6

7 OSA IT Controls Framework Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 7

8 Integrated Audit Approach Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 8

9 Integrated Audit Approach Network Security Controls Perimeter Security Internal Network Operations - Documenting of the business processes and controls the organization uses. General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security - Used to help in determining risk areas - Testing of controls focused only on the business processes in the audit scope. Application Controls - Includes manual and automated controls and their interaction. Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 9

10 Integrated Audit Approach Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) - General controls audit work is limited by the scope of the audit - Agency vs OIT - Third-party vendors - Authorization is limited to controls that appear in the business process being audited. - No OS or network 10

11 Application Audit Network Security Controls Perimeter Security Internal Network Operations - ALL business processes are in the scope of the audit General Controls - Testing of system controls will include point-in-time as well as past transactions Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security - Often will utilize a test environment - Focuses on the automated controls: is the application operating as intended Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 11

12 Application Audit Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) - All general controls are covered, unless previously audited - Does not matter who is responsible for the control - Authorization is a complete review of all users and their access - May touch on server configuration and some network as they relate to the application and its data. 12

13 Network Vulnerability Assessment Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 13

14 Network Vulnerability Assessment Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security - Focus is on network security controls Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) - General controls are selected based on preliminary work for impact on the network not all general controls are included. Business Process Controls (Manual and/or Automated) - Logical access = network logon, and falls in the Internal Operations area. 14

15 What is a Vulnerability Assessment? The process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region). Our focus is on computer networks, though infrastructure and facility do come into play 15

16 Vulnerability Assessment vs. Penetration Test List-oriented (NVA) vs. goal-oriented (PT) Auditing in the New Millennium A Network Vulnerability Assessment is designed to yield a prioritized list of vulnerabilities For an organization that is not sure where they are Verify results and report may not exploit Prioritize vulnerabilities by risk and provide remediation 16

17 Vulnerability Assessment vs. Penetration Test List-oriented (NVA) vs. goal-oriented (PT) Auditing in the New Millennium Penetration Test has the goal of breaching security. For organization comfortable with security posture Report every instance where security was breached May not identify and exploit all weaknesses 17

18 The Purpose of Information Security It s all about loss. Reputation, financial assets, citizen goodwill, operations uptime, computing resources, personnel productivity, intellectual property, liability protection Personally Identifiable Information (PII) of citizens would open the liability of lawsuits and expose the state to excessive costs Confidential Information (CI) of state operations could expose any number of risks 18

19 The Purpose of Information Security Public entities are charged with protecting their information assets from unauthorized disclosure, modification, or loss. To this end, state entities spend taxpayer dollars on information technology security infrastructure, personnel, training, etc. Our reviews assess the effectiveness and efficiency of that infrastructure in achieving its goals. 19

20 Possible scope items: NVA Scope All entity information technology resources and other resources that the entity has stewardship over, both on the perimeter and internal. IT strategic planning and other aspects of Security Management like policies and procedures. The change control process of the entity, focused on network configuration changes. 20

21 Possible scope items: NVA Scope Business Continuity/Disaster Recovery plans in place in the event of processing disruptions. Physical security in place to protect the entity s IT infrastructure. 21

22 Audit Objectives Overall: To determine the adequacy of security controls over the entity s computer network by: 1. Evaluating the security planning and management process of the entity. 2. Determining the risk of unauthorized logical access to devices on the network. 22

23 Audit Objectives 3. Evaluating the adequacy of the entity s business continuity plan to ensure continued operations. 4. Verifying that changes to the network and its devices are properly implemented and documented. 5. Evaluating the adequacy of physical security controls that protect network devices. 23

24 Criteria and Benchmarks There is no one agreed upon standard for performing NVAs this makes it the hardest part of evaluating. We have developed a standard which is a combination of OSSTMM, PTES, FISCAM, CObIT, Yellow Book standards, etc (ABCDEFGHIJKLM..) Private companies performing these services do not have the audit documentation requirements that we do. 24

25 Criteria and Benchmarks OSA process to determine criteria for an NVA: Is it a credible/ adequate standard? Y Measure performance vs their standard Report deficiencies in performance Document policies and practices in place Does the entity follow a standard? N Y Do their policies and practices satisfy industry standards? N Y N Report deficiencies in standard Report deficiencies in policies Measure performance vs industry standards 25

26 Audit Procedures and Testing Preliminary Work Survey Work Risk Assessment Audit Testing and Discussion with IT Management Conclusion Finding Development 26

27 Audit Procedures Approach - We re from the government, and we re here to help - Have continued communication with auditee during testing - High-level issues are brought to management s attention immediately for remediation - Review with auditee prior to finalizing the work to see the status of remediation efforts 27

28 Public Report Reporting the Results Summarizes sensitive findings in less detail than will be reported in the Management Letter. Detailed findings in non-sensitive areas. Auditee response in the sensitive areas is also generalized (detailed remediation is provided separately) 28

29 Management Letter Reporting the Results Not a public document due to the sensitive nature of the contents (vulnerability detail) Used internally by IT management. Because the management letter items are included in summary in the report, they are included in follow up compliance. 29

30 Audit Findings Most Common Audit Findings - Unnecessary ports and services - Unpatched or obsolete software or hardware - Improperly configured devices - Insecure coding - Secure Socket Layer (SSL) issues 30

31 Audit Findings Most Common Audit Findings - Information disclosure - Insecure wireless networks - Network ID maintenance issues - Outdated, untested, or missing disaster recovery documentation - Inadequate policies and procedures 31

32 Questions 32