DIA Network Device Security Management Performance Audit


DIA Network Device Security Management Performance Audit
June 2014
Audit Services Division, City and County of Denver
Dennis J. Gallagher, Auditor

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver's government. He also chairs the City's Audit Committee.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City's finances and operations, including the integrity of the City's financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee
Dennis Gallagher, Chair
Maurice Goodgaine
Leslie Mitchell
Rudolfo Payan
Robert Bishop
Jeffrey Hart
Timothy O'Brien, Vice-Chair

Audit Staff
Audrey Donovan, Deputy Director, CIA, CRMA, CGAP
Robert Pierce, IT Audit Supervisor, CISA, CISSP
Shannon Kuhn, Lead IT Auditor, CISA
Nicholas Jimroglou, Senior IT Auditor
Jacqueline Boline, Senior IT Auditor

You can obtain copies of this report by contacting us at: 201 West Colfax Avenue, Department 705, Denver CO, (720) Fax (720) Or download and view an electronic copy by visiting our website at:

City and County of Denver
201 West Colfax Avenue, Department 705, Denver, Colorado
Dennis J. Gallagher, Auditor

June 19, 2014

Ms. Kim Day, Manager of Aviation
Department of Aviation
City and County of Denver

Dear Ms. Day:

Attached is the Auditor's Office Audit Services Division's report of the audit of DIA Network Device Security Management. The purpose of the audit was to assess network device management and gain assurance that the DIA network is secure, available, and configured to industry standards.

The audit found that governance over the administration of network devices can be improved to increase the security and availability of DIA's network. Effective network device management helps minimize the risk of network disruptions that could impact business operations.

If you have any questions, please call Kip Memmott, Director of Audit Services, at

Sincerely,

Dennis J. Gallagher
Auditor

DJG/sk

cc: Honorable Michael Hancock, Mayor; Honorable Members of City Council; Members of Audit Committee; Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer; Ms. Janice Sinden, Chief of Staff; Mr. David P. Edinger, Chief Performance Officer; Ms. Beth Machann, Controller; Mr. Scott Martinez, City Attorney; Ms. Janna Young, City Council Executive Staff Director; Mr. L. Michael Henry, Staff Director, Board of Ethics; Mr. Patrick Heck, Chief Financial Officer, Aviation

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

AUDITOR'S REPORT
City and County of Denver
Dennis J. Gallagher, Auditor
201 West Colfax Avenue, Department 705, Denver, Colorado

We have completed an audit of network device management configuration and controls at Denver International Airport (DIA). The purpose of the audit was to examine and assess whether network access control devices and hardware were configured to industry standards and vendor recommendations.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The audit found that network devices were adequately secured; however, process improvements could be made to improve DIA's network security and help ensure network availability.

We extend our appreciation to Chris Larivee, Director of Operations, Technologies Division, Denver International Airport, and the personnel who assisted and cooperated with us during the audit.

Audit Services Division
Kip Memmott, MA, CGAP, CRMA
Director of Audit Services

REPORT HIGHLIGHTS
City and County of Denver, Audit Services Division
DIA Network Device Security Management
June 2014

The audit focused on a review of the network infrastructure controls supporting the Denver International Airport (DIA), including network equipment performance and design standards, administration, management, and overall network device security.

Background
Airports Council International ranks DIA as the eighteenth busiest airport in the world. Managing day-to-day network operations for a busy airport such as DIA requires a stable and secure network environment. DIA Technologies is responsible for supporting the DIA network, including managing hundreds of network devices such as routers, switches, and firewalls. The division also provides network services to merchants and passengers within the airport.

Purpose
The purpose of the audit was to assess network device management and gain assurance that the DIA network is secure, available, and configured to industry standards. We assessed the administration of network devices and reviewed network device configurations based on DIA and manufacturer standards for network device configuration. We also reviewed the individuals who had access to configure network devices to ensure that they were current employees with access commensurate to job duties.

Highlights
DIA Technologies should continually update and adhere to their network administration standards to improve the overall security and availability of the DIA network. Our audit highlights that:
- Firewall rule sets are not consistently backed up
- Changes to network device configurations may be made that circumvent the formal change management process
- Administrative access to the management tool used to configure firewalls included individuals who no longer require access
- Passwords for network devices are not changed within the time frame required by DIA policy

DIA Technologies does, however, appear to have strong controls in the following areas:
- Well documented network device daily operation procedures
- Standardized configuration and hardening network device rules
- Layered internal controls that strengthen network device security

TABLE OF CONTENTS
INTRODUCTION & BACKGROUND 1
  Denver International Airport's Data Network 1
  Network Devices 1
  Defense in Depth 2
SCOPE 5
OBJECTIVE 5
METHODOLOGY 5
FINDING 6
  Process Improvements Are Necessary to Further Strengthen DIA Network Device Security 6
RECOMMENDATIONS 8
APPENDIX 9
  Glossary of Technical Terminology 9
AGENCY RESPONSE 10

INTRODUCTION & BACKGROUND

This audit of Denver International Airport's (DIA's) network device security management was performed as a subsequent audit to our DIA Network Security Management Performance Audit published in September. The first audit focused on the physical security and environmental controls around storage of network equipment, whereas this audit focused on the internal controls and administration of the network devices themselves.

Denver International Airport's Data Network
The City and County of Denver operates a large and complex Metropolitan Area Network that supports City services throughout Denver, including the Denver International Airport (DIA). 2 Due to the diverse purposes and physical make-up of the City's networks, some portions of the network are managed by different agencies or departments. This audit focused on the portion of the network managed by the Technologies Department (Technologies) at DIA. DIA Technologies supports the data network infrastructure used by DIA business and security systems, such as financial accounting, parking fees, access control and alarm monitoring, video surveillance, and emergency response. They also provide network services to some merchants, and facilitate, but do not manage, infrastructure used by other concessionaires, airlines, and Federal agencies, such as the Federal Aviation Administration (FAA) and the Transportation Security Administration (TSA).

Network Devices
Network devices are hardware components, including routers, switches, and firewalls, that are used to connect computers or other electronic devices to a network and control the flow of data on a network. 3 Device configurations within each network device are designed to distinguish authorized traffic from unauthorized traffic, as well as prevent unauthorized access to or from other networks or the Internet. Network devices can also be configured to allow or prevent certain Internet Protocol (IP) addresses and connection types from accessing the network. 4

In 2013, DIA Technologies provided data network and infrastructure services to more than 140 merchants 5 and 54 million passengers. 6

2 A Metropolitan Area Network connects offices distributed throughout the area of a large city.
3 This report contains a number of technical terms, which are described in the Appendix.
4 See additional technical definitions within the Appendix.
5 Denver International Airport Business Center website: accessed 5/8/
6 DIA, CM Mayor's Budget, pg. 684, accessed 5/8/2014.

The DIA network infrastructure

supporting the network is stored in more than 150 locations throughout the airport. DIA's network environment has a complex architecture, in which hundreds of components are communicating and exchanging information twenty-four hours a day, seven days a week. Securing a large and complex network such as DIA's involves configuring devices based on agreed-upon hardening standards as well as a sound overall network governance strategy. 7

Defense in Depth
One network security approach that is designed to help ensure network availability and manage security risks comes from a military strategy known as defense in depth. 8 A defense-in-depth approach to security spreads out defenses over a large area, rather than putting them all in one place. The concept of defense in depth applied to network security provides layers of security for a network environment so that if any one layer fails, there is another layer of security still in place to prevent unauthorized access. For example, sub-networks can be created within larger networks with their own unique security configurations that go above and beyond the normal network security. Any user or computer accessing the higher-risk sub-network must comply with all of the security configurations of the larger network in addition to the security configurations of the sub-network. This helps achieve the goal that if there is a security vulnerability in one area of the network, it does not lead to business interruption or widespread exposure to vulnerabilities throughout the rest of the network.

Defense in Depth: A Layered Security Model (figure). Layers shown: Perimeter Network; Secure Configuration Settings; Monitoring and Blocking; Auditing; Authorization; Authentication. Source: Created by Audit Services Division Staff.

7 See additional technical definitions within the Appendix.
8 Ibid.

Organizations face both internal and external threats related to network security. As a result, Network Administrators have an enormous responsibility to stay up to date on

emerging security vulnerabilities and attempt to stay ahead of attackers. Some network administration tasks related to security include keeping system software up to date, ensuring high availability, and detecting and responding to vulnerabilities or risks introduced into the environment.

Leading industry breach analysis reports published by Verizon and the Ponemon Institute highlight a number of areas as having considerable risk associated with network device security and availability. The Verizon Data Breach Investigations Report (DBIR) is a comprehensive list of information technology threats facing global organizations. The report analyzes commonly observed incident patterns, as well as which industries face the biggest risk in particular areas. 9

Privileged access misuse was reported by the 2014 Verizon DBIR as one of the leading attack patterns for the transportation industry, specifically air transportation. Privileged access is elevated access that allows administrators to manage network devices, systems, applications, and network resources that require more permission than a typical user on a network. Authentication credentials, especially privileged credentials, can easily be exploited if an employee's access remains active after employment has ended. The Verizon report illustrates how often privileged access was used to commit egregious acts against the global organizations polled by Verizon in 2013. As shown in Figure 1, out of 153 total incidents of insider misuse, 88% or 135 were found to be tied to privileged abuse.

Figure 1: Top 10 threat action varieties within Insider Misuse for 2013 (bar chart, 0% to 100%). Varieties shown: Embezzlement, Unapproved software, Theft, Unapproved workaround, Use of stolen creds, Data mishandling misuse, Bribery, Unapproved hardware, Privilege abuse. Source: Created by Audit Services Division Staff.

Recommended actions for minimizing privileged access misuse include regularly reviewing accounts that have privileged access and disabling network accounts when the account is no longer needed to perform job functions.

9 Data Breach Investigations Report, Verizon Website, accessed April 22, 2014.

Research performed by the Ponemon Institute on a sample of sixty U.S.-based organizations found that the three most costly cybercrimes that organizations deal with are denial of service attacks, malicious insiders, and web-based attacks. 10 Some risk associated with all three types of attacks can be mitigated through effective network device security governance. Figure 2 shows the cost associated with different types of cybercrime from 2010 through 2013.

Figure 2: Average annualized cybercrime cost weighted by attack frequency (bar chart, $0 to $250,000; series FY 2010, FY 2011, FY 2012, FY 2013; categories Denial of service*, Malicious insiders, Web-based attacks). *The FY 2010 sample did not contain a company experiencing a DoS attack. Source: Created by Audit Services Division based on 2013 Ponemon Institute Report.

Network security and effective management of network devices is critical to protecting the infrastructure of an organization. As demonstrated by Figures 1 and 2, threats related to network attacks are a growing concern to organizations and can be costly. Good practices for ensuring overall network security and availability begin with strong network security governance and include hardening network devices, blocking unauthorized traffic, and validating that changes to network devices are documented and authorized.

10 See additional technical definitions within the Appendix.

SCOPE
This audit focused on the Denver International Airport (DIA) network segment managed by the DIA Technologies division, and excludes the portion of the DIA network that is partitioned to handle credit card payments. 11 In accordance with Generally Accepted Government Auditing Standards (GAGAS), the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report. The details of all findings have been presented to the DIA Technologies Division Director of Operations.

OBJECTIVE
The objective of this audit was to evaluate whether network devices are protected and managed according to internal procedural standards, industry best practices, and vendor recommendations to ensure continued and secure operations.

METHODOLOGY
We used the following methodologies to meet our audit objective:
- Interviewing personnel on the responsibilities for supporting and managing network devices and firewalls
- Reviewing DIA policies pertaining to firewall hardening standards
- Reviewing documentation related to DIA's Information Security Monthly Backup Guide and Information Systems Security Operations Center Guide
- Evaluating a selected sample of critical network device configuration standards against equipment manufacturer configuration standards 12
- Directly observing how DIA Technologies administrators log into network devices to manage and support the devices and firewalls
- Verifying the list of users who have administrative access to firewalls, switches and routers
- Determining whether network devices and firewalls have had updates installed
- Conducting interviews with DIA Technologies personnel to understand the network device security processes

11 See additional technical definitions within the Appendix.
12 Ibid.

- Reviewing DIA Technologies organizational charts to determine whether administrative network management access is restricted to the appropriate personnel
- Performing tests of critical firewall, switch, and router security settings with a configuration analysis tool
- Interviewing DIA Technologies personnel to verify whether essential network device and firewall duties are being performed

FINDING
Process Improvements Are Necessary to Further Strengthen DIA Network Device Security

The Denver International Airport (DIA) network is composed of hundreds of network devices, which are architected to allow computers and devices to pass data over data connections. Network devices, such as firewalls, routers, and switches, are used as the basic building blocks that connect computers together and restrict network access to authorized individuals only. We found that although DIA does have strong controls in a number of areas, DIA Technologies should continually update and adhere to its network administration standards to improve the overall security and availability of the DIA network. DIA has an effective defense-in-depth approach to securing the airport's network. The risk of any issues found during this audit was mitigated by other compensating controls that were operating effectively.

Administrative Access to Configure Firewalls Should Be Further Restricted
DIA Technologies uses two methods for restricting access to configure firewalls. Access is restricted with local user accounts on the devices themselves or through a centralized network device administration management server. Auditors tested both the network device administration management server and a central password repository, which contains the local user account credentials, to determine whether access to configure network devices was appropriately restricted. Two former employees and one employee who changed roles in IT Security retained accounts to configure firewalls through the management server. Additional audit work confirmed that compensating controls prevented these individuals from actually modifying firewall settings. However, had those compensating controls failed as well, it is possible that the individuals could have configured firewalls when they were no longer authorized to do so. Inappropriate access to manage firewalls may result in unauthorized changes, which could impact the security and availability of DIA's network. A prolonged DIA network outage could impact internal DIA operations as well as cause flight information boards to not display or accurately reflect plane arrival and departure information.

In addition to limiting firewall configuration to authorized users only, DIA further restricts access to the management server tool to explicitly authorized Internet Protocol (IP) addresses. Auditors inspected the IP addresses and determined that one IP address was no longer in use. Invalid IP addresses should be removed from the management tool to reduce the risk of unauthorized device configurations occurring from IP addresses that are no longer authorized.

Auditors also reviewed the DIA IT Acceptable Use Policy and determined that the policy requires that passwords on all devices are changed a minimum of every ninety days. Through interviews with network services staff, auditors found that network device passwords had not been changed in accordance with the password expiration requirement outlined in the policy. Passwords that are not changed frequently increase the risk that passwords may be compromised over time. Accordingly, DIA should change passwords for network devices at least every ninety days as defined by the DIA Acceptable Use Policy. We also recommend that DIA Technologies implement a compensating control, such as a periodic password change alert, that is closed following completion of the password changes.

Changes to Network Devices Are Not Consistently Monitored to Ensure that They Follow the Formal Change Management Process
DIA Technologies has developed a formal change management process to help ensure that changes to network device configurations are documented, reviewed, tested, and approved prior to implementation. 13 The process is in place to require that changes are made in a controlled manner, and that risks related to changes impacting DIA operations are limited. Auditors noted that although the formal change process exists, there are no controls in place to prevent an administrator from circumventing the change process.

Auditors also noted that DIA Technologies has a process for tracing configuration changes to network devices in the Payment Card Industry (PCI) environment back to documented tickets, thus ensuring device configuration changes followed the formal process. 14 However, auditors were told there is no process to ensure that all changes to non-PCI network devices have a corresponding change ticket. Monitoring changes and ensuring that they comply with the change management process helps ensure that no unauthorized changes are made. Modifications to devices implemented outside of the change management process may not be appropriately tested and could result in the introduction of security vulnerabilities impacting DIA operations.

Emergency Backups for Network Device Configurations Were Not Performed Consistently
Network devices at DIA have running configuration files that control who has access to configure the devices as well as what network traffic is allowed to pass through the devices. Backups of network configuration files should be made prior to making any changes to device configurations.

13 See additional technical definitions within the Appendix.
14 Ibid.

If a backup occurs prior to a change being made

and that change causes a network outage, the change can be backed out and the prior running configuration can be used, reducing the length of the network outage. Auditors reviewed the firewall backup directory, which stores device backups, to determine whether backups were being performed regularly and found that backups were not performed for firewalls for three months, although changes to the running configuration occurred during that time. Backups should be performed prior to making any configuration change to reduce the risk of prolonged network outages.

RECOMMENDATIONS
Audit work identified several process improvement recommendations that should be implemented to increase DIA's defense-in-depth posture and improve network availability, helping to ensure that the DIA network is secure and available.

1.1 The Director of Operations for the DIA Technologies division should ensure removal of the accounts for the individuals who are no longer authorized to configure firewalls and implement a periodic review process to ensure that unauthorized accounts are removed timely on an employee's last day or when an employee transfers to a new position.

1.2 The Director of Operations for the DIA Technologies division should ensure removal of the IP address that is no longer in use from the firewall management tool and implement a periodic review process to assess the IP addresses that are allowed to configure firewalls, removing any that are no longer needed.

1.3 The Director of Operations for the DIA Technologies division should ensure that passwords are changed for network devices at least every ninety days as required by the DIA IT Acceptable Use Policy and implement a compensating control such as a recurring notification that alerts administrators that passwords need to be changed.

1.4 The Director of Operations for the DIA Technologies division should ensure changes to network devices are periodically reviewed using a monitoring tool and that the changes correspond with an approved change ticket.

1.5 The Director of Operations for the DIA Technologies division should ensure that firewall backups are performed prior to every configuration change or at a minimum every 30 days, in the event that a previous configuration restoration point is needed to ensure continued operations.
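Recommendations 1.1 through 1.3 describe one periodic review with three parts: remove management-server accounts belonging to people who have left or changed roles, drop allow-listed management IP addresses that are no longer in use, and rotate device passwords within the ninety-day policy window. The Python script below is an added illustration, not part of the audit report and not DIA Technologies' own tooling. It implements the three checks as a reconciliation against an HR roster, an asset inventory of administrator workstations, and a record of last password changes. All inputs are constructed; the role names, field names and the 192.0.2.0/24 addresses are assumptions.

```python
"""Periodic privileged-access review for a firewall management server.

Added example, not from the audit report or DIA. The roster, account list,
IP allow list and password dates below are constructed to mirror the
conditions the report describes (former employees and a role change still
holding accounts, an allow-listed IP no longer in use, passwords older than
the 90-day policy). Role names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List

PASSWORD_MAX_AGE_DAYS = 90                         # DIA IT Acceptable Use Policy, as cited in the report
ADMIN_ROLES = {"network-admin", "firewall-admin"}  # assumption: roles entitled to configure firewalls


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    active: bool   # False once HR has processed the separation


def review_admin_accounts(mgmt_accounts: Iterable[str],
                          hr_roster: Dict[str, Employee]) -> Dict[str, str]:
    """Accounts on the management server that should be removed, with the reason.

    Reconciling against the HR system of record catches separations and role
    changes even when nobody filed a de-provisioning request."""
    findings = {}
    for user in sorted(mgmt_accounts):
        emp = hr_roster.get(user)
        if emp is None or not emp.active:
            findings[user] = "no active HR record (former employee or unknown account)"
        elif emp.role not in ADMIN_ROLES:
            findings[user] = f"current role '{emp.role}' does not require firewall configuration access"
    return findings


def review_allowed_ips(allowed_ips: Iterable[str],
                       management_hosts_in_use: Iterable[str]) -> List[str]:
    """Allow-listed source addresses that no administrator workstation in the inventory still uses."""
    return sorted(set(allowed_ips) - set(management_hosts_in_use))


def review_password_age(last_changed: Dict[str, date], today: date) -> List[str]:
    """Devices whose local credential was last rotated more than PASSWORD_MAX_AGE_DAYS ago."""
    cutoff = today - timedelta(days=PASSWORD_MAX_AGE_DAYS)
    return sorted(device for device, changed in last_changed.items() if changed < cutoff)


# Constructed sample inputs (not real DIA data).
HR_ROSTER = {
    "alice": Employee("alice", "firewall-admin", True),
    "bob":   Employee("bob", "network-admin", True),
    "carol": Employee("carol", "it-security-analyst", True),   # transferred out of network administration
    "dave":  Employee("dave", "firewall-admin", False),        # separated
}
MGMT_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}      # "erin" has no HR record at all
ALLOWED_IPS = ["192.0.2.5", "192.0.2.6", "192.0.2.77"]         # management-tool source allow list
MANAGEMENT_HOSTS_IN_USE = ["192.0.2.5", "192.0.2.6"]           # admin workstations in the asset inventory
LAST_PASSWORD_CHANGE = {
    "fw-core-1": date(2014, 1, 10),
    "fw-edge-1": date(2014, 4, 20),
    "rtr-wan-1": date(2013, 11, 1),
}


def run_review(today: date = date(2014, 5, 8)) -> dict:
    """Run all three checks and return the items needing action."""
    return {
        "remove_accounts": review_admin_accounts(MGMT_ACCOUNTS, HR_ROSTER),
        "stale_ips": review_allowed_ips(ALLOWED_IPS, MANAGEMENT_HOSTS_IN_USE),
        "rotate_passwords": review_password_age(LAST_PASSWORD_CHANGE, today),
    }


if __name__ == "__main__":
    for item, result in run_review().items():
        print(item, result)
```

The review keys on the HR roster rather than on the management server's own account list, so that a transfer such as the IT Security role change the report describes is surfaced by a role mismatch and not only by a termination. With the constructed inputs, carol, dave and erin are flagged for removal, 192.0.2.77 is flagged as a stale allow-list entry, and fw-core-1 and rtr-wan-1 are past the ninety-day rotation window.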
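Recommendations 1.4 and 1.5 call for reconciling device configuration changes against approved change tickets, and for a configuration backup before every change or at least every 30 days. The script below is an added example, not code from the report or from DIA. It runs both checks over constructed device log lines: a change is flagged when no approved ticket for that device covers the time of the change, when no backup captured the running configuration between the previous change on that device and this one, and a device is flagged when its backup history has a gap longer than 30 days. The log line format, ticket fields and all sample data are assumptions.

```python
"""Reconcile network-device configuration changes against approved change
tickets and configuration backups.

Added example (not from the audit report or DIA). Log lines, tickets and
backup timestamps are constructed; the log format is an assumed
syslog-like format, not any vendor's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

BACKUP_MAX_INTERVAL = timedelta(days=30)   # recommendation 1.5 in the report


@dataclass(frozen=True)
class ConfigChange:
    device: str
    at: datetime
    admin: str
    ticket: Optional[str]   # ticket reference recorded with the change, if any


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    device: str
    window_start: datetime
    window_end: datetime
    approved: bool


def parse_change_log(text: str) -> List[ConfigChange]:
    """Parse constructed lines of the form
    '<iso-timestamp> <device> CONFIG-CHANGE admin=<user> [ticket=<id>]'."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, event, *kv = line.split()
        if event != "CONFIG-CHANGE":
            continue
        fields = dict(item.split("=", 1) for item in kv)
        changes.append(ConfigChange(device, datetime.fromisoformat(ts),
                                    fields["admin"], fields.get("ticket")))
    return changes


def unauthorized_changes(changes, tickets) -> List[ConfigChange]:
    """Changes lacking an approved ticket for the same device whose window covers the change time."""
    by_id = {t.ticket_id: t for t in tickets}
    flagged = []
    for c in changes:
        t = by_id.get(c.ticket) if c.ticket else None
        covered = (t is not None and t.approved and t.device == c.device
                   and t.window_start <= c.at <= t.window_end)
        if not covered:
            flagged.append(c)
    return flagged


def changes_without_prior_backup(changes, backups) -> List[ConfigChange]:
    """Changes for which no backup captured the running configuration as it stood
    just before the change, i.e. no backup between the previous change on that
    device and this one."""
    flagged = []
    per_device: Dict[str, List[ConfigChange]] = {}
    for c in sorted(changes, key=lambda c: c.at):
        per_device.setdefault(c.device, []).append(c)
    for device, device_changes in per_device.items():
        stamps = sorted(backups.get(device, []))
        prev = None
        for c in device_changes:
            if not any((prev is None or b > prev) and b < c.at for b in stamps):
                flagged.append(c)
            prev = c.at
    return flagged


def backup_gaps(backups, now) -> Dict[str, Optional[timedelta]]:
    """Devices whose longest interval between consecutive backups (or from the
    last backup to now) exceeds BACKUP_MAX_INTERVAL. A value of None means no backup at all."""
    gaps = {}
    for device, stamps in backups.items():
        points = sorted(stamps) + [now]
        worst = max((b - a for a, b in zip(points, points[1:])), default=None)
        if worst is None or worst > BACKUP_MAX_INTERVAL:
            gaps[device] = worst
    return gaps


# Constructed sample inputs (not real DIA data).
SAMPLE_LOG = """\
2014-03-03T14:02:11 fw-core-1 CONFIG-CHANGE admin=alice ticket=CHG-1041
2014-03-20T09:15:00 fw-core-1 CONFIG-CHANGE admin=bob
2014-04-02T22:40:05 fw-edge-1 CONFIG-CHANGE admin=alice ticket=CHG-1058
2014-04-28T11:05:30 fw-edge-1 CONFIG-CHANGE admin=carol ticket=CHG-1070
"""
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1041", "fw-core-1", datetime(2014, 3, 3, 13), datetime(2014, 3, 3, 16), True),
    ChangeTicket("CHG-1058", "fw-edge-1", datetime(2014, 4, 2, 22), datetime(2014, 4, 3, 2), True),
    ChangeTicket("CHG-1070", "fw-edge-1", datetime(2014, 4, 28, 10), datetime(2014, 4, 28, 12), True),
]
SAMPLE_BACKUPS = {
    "fw-core-1": [datetime(2014, 3, 3, 13, 30)],
    "fw-edge-1": [datetime(2014, 2, 1, 2), datetime(2014, 4, 2, 21)],
    "sw-dist-1": [datetime(2014, 4, 10, 2), datetime(2014, 4, 24, 2), datetime(2014, 5, 6, 2)],
}


def run_reconciliation(now: datetime = datetime(2014, 5, 8)) -> dict:
    changes = parse_change_log(SAMPLE_LOG)
    return {
        "no_ticket": [(c.device, c.at.isoformat()) for c in unauthorized_changes(changes, SAMPLE_TICKETS)],
        "no_prior_backup": [(c.device, c.at.isoformat()) for c in changes_without_prior_backup(changes, SAMPLE_BACKUPS)],
        "backup_gaps": sorted(backup_gaps(SAMPLE_BACKUPS, now)),
    }


if __name__ == "__main__":
    for item, result in run_reconciliation().items():
        print(item, result)
```

The ticket check deliberately requires that the ticket name the same device and that its approved window cover the change time; a ticket number copied onto an unrelated change would otherwise satisfy a naive lookup. With the constructed data, the fw-core-1 change on 20 March has no ticket, both that change and the fw-edge-1 change on 28 April were made without a fresh backup of the prior running configuration, and the two firewalls exceed the 30-day backup interval while the switch with fortnightly backups does not.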

APPENDIX
Glossary of Technical Terminology

Change Management - A method by which changes made to a computer system are formally defined, evaluated, and approved prior to implementation.
Configuration Standards - A process for establishing consistency, implementing security requirements, and ensuring systems work as intended when configuration takes place.
Denial of service - An interruption in an authorized user's access to a computer network, typically one caused with malicious intent.
Firewall - A software or hardware device that enforces security policies for traffic traversing to and from different network segments.
Hardening - The process of securing a computer system by reducing its surface of vulnerability. Reducing the surface of vulnerability for network devices includes disabling unnecessary services and removing unnecessary usernames or logins.
High Availability - The ability to define, achieve, and sustain target availability objectives across services and/or technologies supported in the network that align with the objectives of the business.
Internet Protocol Address - A numerical identifier assigned to each machine in a network, used to send data to a specific computer.
Network Segment - Separates networks containing sensitive information from those that do not contain sensitive information.
Network Switch - Computer hardware that is used to connect devices together on a network.
Payment Card Industry (PCI) - Compliance with the PCI DSS is required for all merchants who accept credit cards, online or offline, due to the sensitivity of payment card data and the risks associated with credit card fraud.
Router - A networking device that can send (route) data between computer networks.
Web based attack - An attack on a website or network that originates from the Internet or World Wide Web.

AGENCY RESPONSE



More information

Denver International Airport Planning and Development Division Performance Audit

Denver International Airport Planning and Development Division Performance Audit Denver International Airport Planning and Development Division Performance Audit June 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor

More information

Fixed Assets Management Performance Audit

Fixed Assets Management Performance Audit Fixed Assets Management Performance Audit May 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

City Attorney s Office: Litigation and Claims Management Performance Audit

City Attorney s Office: Litigation and Claims Management Performance Audit City Attorney s Office: Litigation and Claims Management Performance Audit June 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

Audit Committee. Audit Staff

Audit Committee. Audit Staff The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

Police Records Management System IT General Controls Performance Audit

Police Records Management System IT General Controls Performance Audit Police Records Management System IT General Controls Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

How To Audit The Minnesota Department Of Agriculture Network Security Controls Audit

How To Audit The Minnesota Department Of Agriculture Network Security Controls Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Agriculture Network Security Controls Information Technology Audit July 1, 2010 Report 10-23 FINANCIAL

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Management of Western Area Power Administration's Cyber Security Program DOE/IG-0873 October 2012 Department

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

Workers Compensation Program Performance Audit

Workers Compensation Program Performance Audit Workers Compensation Program Performance Audit February 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Denver International Airport Emergency Preparedness Program Performance Audit

Denver International Airport Emergency Preparedness Program Performance Audit Denver International Airport Emergency Preparedness Program Performance Audit November 2015 Audit Services Division City and County of Denver Timothy M. O Brien, CPA Auditor The Auditor of the City and

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Department of Education. Network Security Controls. Information Technology Audit

Department of Education. Network Security Controls. Information Technology Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Education Network Security Controls Information Technology Audit May 5, 2010 Report 10-17 FINANCIAL

More information

Denver 311 Performance Audit

Denver 311 Performance Audit Denver 311 Performance Audit August 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Denver International Airport Fleet Management Program Performance Audit

Denver International Airport Fleet Management Program Performance Audit Denver International Airport Fleet Management Program Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF THE ENTERPRISE DATA WAREHOUSE DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET August 2014 Doug A. Ringler, C.P.A., C.I.A. AUDITOR

More information

OFFICE OF THE AUDITOR

OFFICE OF THE AUDITOR OFFICE OF THE AUDITOR DEPARTMENT OF AVIATION INTERNAL CONTROL REVIEW AND CONTRACT COMPLIANCE AUDIT NOVEMBER 2007 Dennis J. Gallagher Auditor Dennis J. Gallagher Auditor Mr. Turner West, Manager Department

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa. Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Department of Human Services Performance Audit

Department of Human Services Performance Audit Department of Human Services Performance Audit October 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

Smithsonian Enterprises

Smithsonian Enterprises Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3. PR11 - Log Review Procedure Document Reference PR11 - Log Review Procedure Date 30th September 2014 Document Status Final Version 3.0 Revision History 1.0 12 January 2010 - Initial release. 1.1 14 September

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011 REPORT # 2012-10 AUDIT Of the TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction.......... 1 Background........ 2 Conclusion........ 3 Recommendations........

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Server Management-Scans & Patches

Server Management-Scans & Patches THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES Server Management-Scans & Patches Report No. 14-11 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS - PAN AMERICAN 1201 West

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Enhanced Configuration Controls and Management Policies Can Improve USCG Network Security (Redacted) Notice: The Department of Homeland Security,

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0 Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator

More information

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

New PCI Standards Enhance Security of Cardholder Data

New PCI Standards Enhance Security of Cardholder Data December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target

More information

Overcoming PCI Compliance Challenges

Overcoming PCI Compliance Challenges Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the

More information