COMPLIANCE AND CONTROL AUDIT REPORT

Transcription

1 COMPLIANCE AND CONTROL AUDIT REPORT State Agency Information Systems: Reviewing Selected Systems Operation Controls in State Agencies A Report to the Legislative Post Audit Committee By the Legislative Division of Post Audit State of Kansas December 2011 R

2 Legislative Post Audit Committee Legislative Division of Post Audit THE LEGISLATIVE POST Audit Committee and its audit agency, the Legislative Division of Post Audit, are the audit arm of Kansas government. The programs and activities of State government now cost about $14 billion a year. As legislators and administrators try increasingly to allocate tax dollars effectively and make government work more efficiently, they need information to evaluate the work of governmental agencies. The audit work performed by Legislative Post Audit helps provide that information. We conduct our audit work in accordance with applicable government auditing standards set forth by the U.S. Government Accountability Office. These standards pertain to the auditor s professional qualifications, the quality of the audit work, and the characteristics of professional and meaningful reports. The standards also have been endorsed by the American Institute of Certified Public Accountants and adopted by the Legislative Post Audit Committee. The Legislative Post Audit Committee is a bipartisan committee comprising five senators and five representatives. Of the Senate members, three are appointed by the President of the Senate and two are appointed by the Senate Minority Leader. Of the Representatives, three are appointed by the Speaker of the House and two are appointed by the Minority Leader. Audits are performed at the direction of the Legislative Post Audit Committee. Legislators or committees should make their requests for performance audits through the Chairman or any other member of the Committee. Copies of all completed performance audits are available from the Division s office. LEGISLATIVE POST AUDIT COMMITTEE Representative John Grange, Chair Representative Tom Burroughs Representative Ann Mah Representative Peggy Mast Representative Virgil Peck Jr. Senator Mary Pilcher-Cook, Vice-Chair Senator Terry Bruce Senator Anthony Hensley Senator Laura Kelly Senator Dwayne Umbarger LEGISLATIVE DIVISION OF POST AUDIT 800 SW Jackson Suite 1200 Topeka, Kansas Telephone (785) FAX (785) LPA@lpa.ks.gov Website: Scott Frank, Legislative Post Auditor HOW DO I GET AN AUDIT APPROVED? By law, individual legislators, legislative committees, or the Governor may request an audit, but any audit work conducted by the Division must be directed by the Legislative Post Audit Committee, the 10-member joint committee that oversees the Division s work. Any legislator who would like to request an audit should contact the Division directly at (785) The Legislative Division of Post Audit supports full access to the services of State government for all citizens. Upon request, Legislative Post Audit can provide its audit reports in large print, audio, or other appropriate alternative format to accommodate persons with visual impairments. Persons with hearing or speech disabilities may reach us through the Kansas Relay Center at Our office hours are 8:00 a.m. to 5:00 p.m., Monday through Friday.

3 LEGISLATURE OF KANSAS LEGISLATIVE DIVISION OF POST AUDIT 800 SOUTHWEST JACKSON STREET, SUITE 1200 TOPEKA, KANSAS TELEPHONE (785) FAX (785) December 8, 2011 To: Members, Legislative Post Audit Committee Representative John Grange, Chair Representative Tom Burroughs Representative Ann Mah Representative Peggy Mast Representative Virgil Peck Jr. Senator Mary Pilcher-Cook, Vice-Chair Senator Terry Bruce, Senator Anthony Hensley Senator Laura Kelly Senator Dwayne Umbarger This report contains the findings, conclusions, and recommendations from our completed compliance and control audit, State Agency Information Systems: Reviewing Selected Systems Operation Controls in State Agencies. We include several recommendations for each of the agencies in their individual confidential report. We would be happy to discuss the findings presented in this report with any legislative committees, individual legislators, or other State officials. Scott Frank Legislative Post Auditor

4 This audit was conducted by Nathan Ensz and Stan Wiechert. Justin Stowe was the audit manager. If you need any additional information about the audit s findings, please contact Nathan Ensz at the Division s offices. Legislative Division of Post Audit 800 SW Jackson Street, Suite 1200 Topeka, Kansas (785) Website:

5 Table of Contents Do Selected State Agencies Adequately Manage Software Installed On Staff Laptops And Desktops? We Looked For Unpatched Or Unauthorized Software At Five Agencies... page 6 Three Of Five Agencies Had Significant Vulnerabilities Because Of Inadequate Workstation Patching Processes... page 7 Agencies Had Few Problems With Unauthorized Software, But Two Still Need To Improve Their Process... page 9 Conclusion... page 11 Recommendations... page 11 List of Figures Figure OV-1: Layered Approach to Network Security... page 5 Figure 1-1: Vulnerability Scan Results and Patching Practice By Agency... page 7 Figure 1-2: Software Scan Results and Preventing Unauthorized Software Policy and Practice By Agency... page 10 List of Appendices Appendix A: Scope Statement... page 12 Appendix B: Agency Response... page 13

6 State Agency Information Systems: Reviewing Selected Systems Operation Controls In State Agencies Each year, many State agencies collect and process sensitive and confidential data in their computer systems. One major responsibility for these agencies is to safeguard that data through the implementation of adequate security controls. Those controls include keeping agency computer networks up to date with security patches and controlling the software staff can install on their computers. Missing security patches and use of unauthorized software increase the risk that sensitive agency information could be comprised by allowing outsiders access to agency systems and networks. Currently, there is limited oversight of agencies security controls to monitor whether these security risks are adequately managed. This information system audit answers the following question: Do selected State agencies adequately manage software installed on staff laptops and desktops? A copy of the scope statement for this audit approved by the Legislative Post Audit Committee is included in Appendix A. To answer the question, we selected five State agencies and reviewed these agencies policies and practice regarding patching software and preventing unauthorized software. We compared those agencies efforts to best practices, reviewed documentation, and conducted vulnerability scans to determine how well agency staff followed policies in actual practice. The Enterprise Security Office within the Department of Administration conducted the vulnerability scans for us and helped us interpret the results. We conducted this information system audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This audit report provides a summary of our findings across all five agencies, but does not describe the findings for the individual agencies. Because those specific findings contain information that PERFORMANCE AUDIT REPORT 1 Legislative Divison of Post Audit

7 could jeopardize the agencies security, we are keeping those findings confidential under K.S.A (12). Instead, we provided each agency with a separate, confidential report to address any agency specific problems we identified through our work. Our findings being on page 6, following a brief overview. PERFORMANCE AUDIT REPORT 2 Legislative Divison of Post Audit

8 PERFORMANCE AUDIT REPORT 3 Legislative Divison of Post Audit

9 Overview of Agency Software Management Multiple Layers of Protection Help Ensure Strong Network Security Often, multiple network security layers are used to protect agency data and computers from cyber or physical attack. As Figure OV-1 on the next page shows, multiple layers of security are available to agencies to help protect agency information technology systems. It s important that each layer is independently secure to minimize security risks. Some of the layers of security available include physical security, perimeter security, and host security. Because no one layer can protect an agency against all threats, it is important to have multiple layers that complement each other. Weak or missing layers could create cracks in the agency s overall security which create opportunities for hackers. As such, it is important that each layer of security be strong. Agency officials make choices regarding how much risk they are willing to assume, given their business needs. In an ideal network environment, each security layer would be as strong as possible. However, it s not always feasible to implement all of the possible security measures that are available. Sometimes imposing strict security standards inhibits employees from doing agency business. For example, laptops used by staff who travel in the field typically are going to have administrative rights to install software because there are no IT staff readily available to take care of software installations and updates. Furthermore, agency officials may think certain layers of security cost too much or are unnecessary given their needs. As such, officials must decide how much risk they are willing to assume, given the agency s business needs. Appropriate Software Management Is an Important Layer Of Network Security As Figure OV-1 shows, although agencies rely on multiple layers of security, this audit focuses specifically on software and patch management on agency workstations. Keeping patches updated helps prevent someone from compromising an agency s network. Over time, vulnerabilities in computer software are discovered that could allow someone to break into or otherwise harm an agency s network. Software manufacturers are constantly developing fixes, or patches, for vulnerabilities as they are discovered. Vendors often can create a single patch that is able to fix multiple vulnerabilities. It is up to each agency s information technology staff to install the patches in order to keep their systems up to date and secure. PERFORMANCE AUDIT REPORT 4 Legislative Divison of Post Audit

10 Figure OV-1 Layered Approach to Network Security Policies & Procedures (security awareness training, backup and restore plans) Physical Security (guards, safes, locks, visitor logs) Perimeter Security (firewalls, virtual private networks) Host Security (software & patch management, anti-virus protection, intrusion prevention) Source: LPA network security layers adapted from Cisco. Preventing unauthorized software helps mitigate the risk of vulnerabilities. Because agency workstations are for agency business, agencies should control what is installed on them. Allowing staff to add software creates some problems: Some software drains resources or creates cracks in the security which can be exploited. For instance, peer-to-peer applications used to download music or videos may monopolize agency bandwidth, and chat programs like Skype can easily cross firewalls allowing users to talk with and transmit files from others without scanning the files for viruses. IT staff must maintain more software. Even if the software is generally safe, it is on the workstation and must be patched. Having all of this additional software can make it hard for IT staff to manage. In general, agencies should limit software to what they conclude is necessary and acceptable for their business needs. PERFORMANCE AUDIT REPORT 5 Legislative Divison of Post Audit

11 Question: Do Selected State Agencies Adequately Manage Software Installed on Staff Laptops and Desktops? Answer in Brief: We looked for unpatched or unauthorized software at five agencies. Three of the five agencies had significant vulnerabilities because of inadequate workstation patching processes, and all five could make some minor improvements to their patching process. Agencies had few problems with unauthorized software, but two still need to improve their software management process. These and related findings are discussed in the sections that follow. We Looked For Unpatched or Unauthorized Software At Five Agencies To answer the question we looked for vulnerabilities caused by unpatched software and unauthorized software installed on workstations in five agencies. The five agencies we looked at and the number of workstations we scanned at each agency are listed below. Department of Health and Environment (219 workstations) Department of Commerce (139 workstations) Kansas Secretary of State (91 workstations) Kansas Insurance Department (74 workstations) Kansas Board of Emergency Medical Services (12 workstations) The primary tool we used to examine agency workstations was a vulnerability scan. This type of scan identifies vulnerabilities and categories them as low, medium, or high. In addition to identifying vulnerabilities, this scan also lists the software installed on the workstations. We tried to scan all workstations at each agency, except for the Department of Health and Environment and Department of Commerce because they had so many. For these two agencies we scanned a selection of the workstations, but because of technical limitations, the results aren t projectable. We have provided each agency a confidential report with their specific findings. Because of security concerns, those findings are not publicly available. What follows is a summary of the findings across the five agencies. The identities of the agencies are not disclosed in this report so that the agencies security is not jeopardized. PERFORMANCE AUDIT REPORT 6 Legislative Divison of Post Audit

12 Three of Five Agencies Had Significant Vulnerabilities Because of Inadequate Workstation Patching Processes As discussed in the Overview, patching workstations is important to help prevent someone from breaking into, or otherwise harming, an agency s network. It is good practice to protect workstations by patching workstations frequently, and to run a vulnerability scan which identifies any needed patches. We evaluated how well agency officials kept their software up to date by running a vulnerability scan on all, or a selection of their workstations. All of the scans were done with the full knowledge and cooperation of the agencies. The vulnerability scans produced volumes of information about potential vulnerabilities and categorized them as low, medium, and high. We provided the detailed results with all the vulnerabilities to each agency, but limited our analyses to high vulnerabilities. We categorized the results of our vulnerability scan into two general categories of software: Microsoft and non-microsoft. The results for each agency are summarized in Figure 1-1 below. Agency Install Patches? Figure 1-1 Vulnerability Scan Results and Patching Practice By Agency Microsoft Software Non-Microsoft Software Did the agency Did the agency Scan for Vulnerabilities? Avg # of Vulnerabilities per Workstation Install Patches? Scan for Vulnerabilities? Avg # of Vulnerabilities per Workstation Avg # of Vulnerabilities per Workstation All Software % of All Workstations with Vulnerabilities 1 (a) % 2 (a) % % % % (a): These agencies were installing Microsoft patches, but as discussed in the report, had configuration problems. Source: LPA analysis of vulnerability scans and agency practice. All five agencies proactively patched Microsoft software, but two agencies had configuration problems that resulted in some vulnerabilities being missed. Microsoft vulnerabilities include unpatched software applications (such as Excel or Word) and operating systems (such as Windows 7 and XP). In general, Microsoft software is easier to keep up to date because Microsoft pushes out new patches on a regular basis and it provides free software to manage these patches automatically. Although Microsoft software is relatively easy to patch, we did find problems in two agencies: Agency 1 did not have its patching system setup correctly to identify all available Microsoft patches. Officials told us they have since reconfigured their patching system to identify additional Microsoft patches. PERFORMANCE AUDIT REPORT 7 Legislative Divison of Post Audit

13 Agency 2 did not have all of its workstations identified in its patching system in order to send out the patches. Officials told us they have already identified five workstations that were not originally included in their patching system, and are taking steps to determine if other workstations are missing. As a result of these configuration problems, and as is shown in Figure 1-1, Agency 1 and Agency 2 had far more unpatched Microsoft vulnerabilities (4.0 and 4.2 per workstation) than the other three agencies (all less than 0.2 per workstation). Three of five agencies did not adequately patch non-microsoft software. Non-Microsoft software applications include products from companies such as Adobe (Reader, Flash Player, Shockwave), Sun Microsystems (Java, OpenOffice), and Apple (itunes, QuickTime). These software products are far more difficult to patch than Microsoft products because the companies are less proactive in pushing out patches, and few agencies have software to automatically manage the patches. Our review of the five agencies found that: Two agencies have not attempted to systematically install non- Microsoft patches. Officials from Agency 1 told us they do not install non-microsoft patches because it would be too costly to do so. Officials from Agency 2 told us their patching software does not identify non-microsoft software patches. As a result of not patching non-microsoft vulnerabilities, Agency 1 and Agency 2 had far more unpatched non-microsoft vulnerabilities (35.3 and 26.3 per workstation) than the other three agencies (see Figure 1-1). These two agencies were also the same two that had configuration problems with Microsoft patches. Agency 3 patched non-microsoft software, but did not scan its workstations to ensure that vulnerabilities were not missed. Clearly, making an effort to patch non-microsoft software improved this agency s results. Still, the lack of a scan allowed several vulnerabilities to get past the patching process. Patching non-microsoft software is difficult, especially for large organizations. However, it is important to patch all software, to prevent hackers from potentially exploiting those vulnerabilities. In the profile box on the next page we discuss the instance when RSA, an IT security company, had a non-microsoft vulnerability exploited that cost them $66 million to remediate. PERFORMANCE AUDIT REPORT 8 Legislative Divison of Post Audit

14 An Unpatched Vulnerability Allowed a Security Breach at RSA, Costing the IT Security Company $66 Million to Remediate RSA is an IT security company that sells several data security-related products to other companies to protect their data. One of its big products is the SecurID authentication product a small piece of hardware which provides users with a code that changes every 30 to 60 seconds. This code, tied with the user s personal identification number, creates a unique one-timeuse passcode that is used to positively identify the user and allow them access to the data. In March 2011, attackers gained access to RSA s network by sending infected attachments that exploited an unpatched vulnerability in Adobe Flash. Using this vulnerability, the attackers stole confidential information from RSA, including its SecurID authentication product code, compromising the product for all the clients. To replace the compromised security products sold to customers, RSA reported that it spent $66 million as a result of this breach. The three agencies that did not scan their workstations had the highest proportion of vulnerabilities. Based on agency results summarized in Figure 1-1, scanning appears to be an effective way to help ensure that workstation software is patched. Moreover, it is a relatively inexpensive option. For example, Agency 5 scans its workstations and servers on a quarterly basis for about $400 a year and had the lowest number of vulnerabilities per workstation. All five agencies could make some minor improvements to their patching process. All agencies were taking steps to patch their workstations, but none of the agencies had a comprehensive patching policy covering all of their current patching practices. In addition to lacking policy, two of the five agencies did not test the patches they installed to ensure they ran correctly, and one agency did not keep a log of all patches they installed on their workstations. Agencies Had Few Problems with Unauthorized Software, But Two Still Need To Improve Their Process As discussed in the Overview, controlling unauthorized software is important to make it easier to identify and minimize vulnerabilities. We looked for two general approaches that agencies could use to prevent unauthorized software: Deny users administrative rights and have a policy that prohibits installing unauthorized software. This is the strongest approach because without administrative rights, there is very little a user can install on their workstation. Allow users administrative rights, but adopt appropriate safeguards. These safeguards include having a policy that prohibits installing PERFORMANCE AUDIT REPORT 9 Legislative Divison of Post Audit

15 unauthorized software, adopting a formal approval process for new software installations, and periodically scanning workstations to monitor for potential abuse by employees. To evaluate how well agency officials controlled unauthorized software, we looked at the software installed on workstations using the same scan that identified vulnerabilities. We identified software that we thought may not have a reason to be installed on workstations, but had agency officials determine if it was allowable or not. None of the agencies had significant numbers of unauthorized software relative to the total number of software applications installed. Through our scans, we found that the five agencies workstations had only a handful of software applications that were unauthorized. Examples of unauthorized software included Coupon Printer for Windows, My Photo Adventure, Amazon Kindle, Yahoo Messenger, and Turbo Tax. Figure 1-2 below shows the instances of unauthorized software per workstation for each agency. Agency officials told us that they have since uninstalled, or intend to uninstall, almost all of these software applications. Agency Figure 1-2 Software Scan Results and Preventing Unauthorized Software Policy and Practice By Agency Have a Policy Preventing Unauthorized Software? Did the agency Restrict Administrative Rights? Have a Software Approval Process? Scan for Software? Instances of Unauthorized Software Per Workstation A 0.25 B 0.14 C N/A 0.02 D N/A 0.00 E N/A 0.00 Source: LPA analysis of software scans and agency practice. The two agencies with the most software problems allowed users to have administrative rights on their workstations without appropriate safeguards. As Figure 1-2 shows, both Agency A and Agency B allow most of their users to have administrative rights on their workstations. As we noted earlier, this is an acceptable practice, provided the agency adopts the appropriate safeguards (strong policies, a formal process for adding software, and periodic scans). However, neither agency scans workstations, and as a result had the most unauthorized PERFORMANCE AUDIT REPORT 10 Legislative Divison of Post Audit

16 software (0.25 instances per workstation for Agency A; 0.14 instances per workstation for Agency B). The other three agencies (C, D, and E) restricted administrative rights for most users and had a policy prohibiting unauthorized software. Agency C did have some pieces of unauthorized software. According to agency officials, these were add-ons that were accidently included during authorized software installations. For example, Apple itunes was inadvertently installed when they installed another Apple product, QuickTime. All five agencies could make minor improvements in how they standardize and track software. Standardizing and consistently tracking software would not necessarily prevent users from installing unauthorized software, but it should make it easier for IT staff to identify and remove any unauthorized software. We found that none of the agencies had a comprehensive software policy covering all of their current software practices and only two were using a standardized system image and inventorying all of their software. Conclusion State agencies make enticing targets for hackers because of the wide range of sensitive information they maintain. Typically, agencies focus on network perimeters such as firewalls, anti-virus programs, and spam filtering to protect their networks. But unintentional or malicious acts from inside state government are potentially just as dangerous as external breaches. A significant threat to securing agency data is failure to comply with basic security procedures such as installing software patches and controlling the software on computers. The agencies we reviewed had taken steps to patch software on their workstations and to prevent unauthorized software. However, several agencies still had a significant number of vulnerabilities because of missing software patches vulnerabilities that potentially could be exploited to gain access to sensitive data. Periodic network scans are a low-cost, highly effective tool for identifying these vulnerabilities. For the agencies we looked at, those that scanned their networks had very few vulnerabilities, while those that did not scan had a lot. Recommendations for Executive Action To ensure all software on workstations is patched and authorized, the five agencies we reviewed should implement all recommendations provided to them in their respective confidential reports. PERFORMANCE AUDIT REPORT 11 Legislative Divison of Post Audit

17 APPENDIX A Scope Statement This appendix contains the scope statement for this audit of selected information technology security controls. This audit was conducted as part of the ongoing information system security audit work authorized by the Legislative Post Audit Committee. State Agency Information Systems: Reviewing Selected Systems Operation Controls in State Agencies Each year, many State agencies collect and process sensitive and confidential data in their computer systems. One major responsibility for these agencies is to safeguard that data through the implementation of adequate security controls. Those controls include keeping agency computer networks up to date with security patches and controlling the software staff can install on their computers. Missing security patches and use of unauthorized software increase the risk that sensitive agency information could be comprised by allowing outsiders access to agency systems and networks. Currently, there is limited oversight of agencies security controls to monitor whether these security risks are adequately managed. The Legislative Post Audit Committee approved information system audits as an adjunct to the Division s compliance and control audits. This information system audit provides an overview of agencies policies and procedures related directly to protecting agency computers from known vulnerabilities and unauthorized software. An information security audit in this area would answer the following question: 1. Do selected State agencies adequately manage software installed on staff laptops and desktops? For a sample of agencies, we would review policies and procedures related to downloading and installing software, and installing security patches on agency operating systems and applications. Specifically, we would determine the extent to which agency staff are given administrative rights to install software on their computers, and whether agencies have an automated process for patching computers. We would also determine how well agency policies and procedures are being followed in practice by performing a vulnerability scan on staff laptops and desktops to identify missing security patches and unauthorized software applications. For any problems or deficiencies we found, we would attempt to determine the cause by conducting interviews with agency officials and staff, and by reviewing agency documents. We would perform additional work in this area as needed. Estimated resources: 3 staff for 12 weeks (plus review) PERFORMANCE AUDIT REPORT: 12 Legislative Division of Post Audit

18 APPENDIX B Agency Responses On October 26 we provided draft copies of the public and agency-specific confidential audit report to the Kansas Department of Health Environment, the Department of Commerce, the Kansas Secretary of State, the Kansas Insurance Department, and the Kansas Board of Emergency Medical Services. Because the response from the audited agencies contained confidential information, we have summarized them below. The agencies generally concurred with the report s findings, conclusions, and recommendations and many have already started addressing the recommendations. PERFORMANCE AUDIT REPORT: 13 Legislative Division of Post Audit