CUSTOMER Information Security Audit Report

Transcription

1 CUSTOMER Infrmatin Security Audit Reprt Versin 1.0 Date Wednesday, 18 January 2006 SafeCms Internet: Chartered Square Building. 20 th Fl, 152 Nrth Sathrn rd. Bangrak, Bangkk 10500, Thailand Telephne: +66(02) Fax: +66(02)

2 CUSTOMER Infrmatin Security Audit Reprt 18 January 2006 Acknwledgments Authrs: Reviewers: Publisher: Yannick Thevent CTO, SafeCms Jared Dandridge COO, SafeCms Bernard Cllin CEO, SafeCms SafeCms, 2001 Chartered Square Building Bangkk Cpyright 2006 SafeCms All rights reserved. This dcument is prduced fr the exclusive usage f the custmer and shuld nt be disclsed t unauthrised viewers. The distributin f this dcument is limited t the Management f the Custmer, the staff invlved in evaluating the recmmendatins and the staff implementing them. Distributin utside f this grup is nt authrised. Page 2 f 12

3 Table f Cntents EXECUTIVE SUMMARY. 4 CUSTOMER S CORE ASSETS AND RISKS 4 MANAGEMENT ATTITUDE, KNOWLEDGE AND AWARENESS 4 SUMMARY OF PRIMARY SECURITY THREATS.. 4 COMPILED RECOMMENDATIONS.. 8 SCOPE. 10 METHODOLOGY. 10 RISK SCORE CALCULATIONS:.. 10 NOTE ON SAFECOMS APPROACH:.. 11 CURRENT STATE 12 FINDINGS, RISKS, AND RECOMMENDATIONS SECURITY POLICY ORGANIZATION OF INFORMATION SECURITY ASSET MANAGEMENT HUMAN RESOURCES SECURITY PHYSICAL AND ENVIRONMENTAL SECURITY COMMUNICATIONS AND OPERATIONS MANAGEMENT ACCESS CONTROL INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE INFORMATION SECURITY INCIDENT MANAGEMENT BUSINESS CONTINUITY MANAGEMENT COMPLIANCE 51 Page 3 f 12

4 Executive Summary CUSTOMER s Cre Assets and Risks CUSTOMER s business depends heavily n reputatin and credibility in the industry. prducts frm clients are valuable, and must be handled apprpriately. Risks include: <Risk 1> <Risk 2> The cre prductin applicatin system is the nervus system f the entire CUSTOMER peratins. Cre activities include <mitted>. Risks include: <Risk 1> <Risk 2> <Risk 3> Peple, the prcesses they perfrm, and the expertise they acquire is critical t CUSTOMER (cmmunicatin, prject cntrls, delivery, etc). Risks include: <Risk 1> <Risk 2> Management Attitude, Knwledge and Awareness COMPANY Directrs have expressed firm cmmitment t implementing security in the rganizatin. There are slid intentins t secure the business and its peratins, and this cmmitment has served the cmpany well. <mitted> During the business and peratins analysis, there was a cmplacent feeling frm sme management and staff that we interviewed abut the security risks and liabilities at CUSTOMER. There is a mixed understanding f security and f security plicies and prcedures amngst the staff and management at CUSTOMER. The rganizatin wuld certainly benefit frm a sessin r wrkshp n security awareness. Managers need t review security risks in relatin t their divisin and respnsibilities. Summary f primary security threats A summary f the primary security threats, alng with their risk scres (1 lw t 45 high*), is utlined in the chart n the fllwing page. (*) The calculatins used t rate these threats is explained in Risk Scre Calculatins. Page 4 f 12

5 Scre Risk Level Issue 18 Medium Prir t Emplyment Emplyees are nt frmally ntified f their rle in infrmatin security, nr are they made aware f the ptential penalties fr nt cnfrming t cmpany standards. This becmes a liability t the cmpany, if any security incidents ccur 18 Medium Operatinal Prcedures and Respnsibilities Withut a list f standard sftware fr PC s and servers, bth staff and IT persnnel d nt have a clear understanding f what is cnsidered acceptable applicatins, and cnfusin and misunderstanding will fllw. Fr the weak cntrl n patching and change management, security vulnerabilities and unexpected results frm applicatins culd ccur withut the cntrl r knwledge f IT 18 Medium Backup Incnsistent prcedures fr backups culd lead t crrupted data, lst tapes, r the inability t restre lst data. It is nt knwn whether can be restred, as it has never been tested. Fr ther files, nly test files are restred, and n trial f prductin data is attempted 18 Medium Business Requirements fr Access Cntrl The lack f an access cntrl plicy leaves rm fr errr f bth users and IT staff. As there are n guidelines, changes t staffing r systems culd result in a security breach. This is already apparent in hw t many file servers are being established. This issue als cmpunds ther factrs such as server licenses (cst), patching issues (server management), and cnfiguratin and access issues (user management). <mitted> 36 High Infrmatin Security Plicy & Awareness Prgram As many staff are unaware f the wide range f ptential security issues, varius breaches in security culd ccur, and g un-nticed r un-reprted. The ptential level f damage t the cmpany culd be severe (e.g. lss f revenue, custmers, r reputatin). 36 High Internal Organizatin f Infrmatin Security A false sense f security with n directin r substance will cntinue, until a majr security event ccurs, r active steps are taken t implement security awareness in the rganizatin. The security crdinatr has nt had any frmal security training, and currently she nly has limited knwledge as t all the areas that her psitin is respnsible fr. 45 High Reprting Infrmatin Security Events and Weaknesses If emplyees are nt prperly trained, security incidents culd g unreprted and/r unnticed, causing increased risk fr the cmpany. Fr example, passwrds written n paper next t a mnitr, cnfidential dcuments left in a cpier, r ther blatant security breaches are items that shuld be alerted t the security crdinatr. Page 5 f 12

6 Cmpiled Recmmendatins A Prtect Cre Systems and Critical Data frm Ptential Hackers Objective Prevent unauthrized access and defend against pssible data manipulatin r lss. Due t mis-cnfiguratin f the firewall, gateway antivirus, and missing patches, there is a lgical path fr intruders t access cre systems and critical data. We believe this requires utmst attentin. Actin: Review all plicies and apprpriately recnfigure the firewall Recnfigure the Virus gateway scanner Recnfigure the spam filter Ensure all servers have all apprpriate patches applied Remve any unnecessary / unused shares Requirement - Immediate <mitted> D Gain Cntrl f Data & Defend Against Pssible Disasters Objective Guarantee that any incident culd be recvered frm, including virus, fire, and accidents n manipulatin f server, disks r data, prgrams, r HD crash. Ensure that infrmatin is apprpriately cntrlled, handled, and secured, by classifying and rganizing infrmatin in a structured manner. Actin: Implement a business cntinuity plan Step A Step B Step C Develp f a plicy fr infrmatin classificatin Step A Step B Step C Cntrl f effective backup and restre peratins Step A Step B Step C Encryptin shuld be applied t the backup f sensitive data Use f vault fr temprary strage befre transfer ff site Install an apprpriate cmputer rm fire suppressin system Requirement Immediate Page 6 f 12

7 Scpe CUSTOMER required that SafeCms perfrm an audit f their IT infrastructure. The audit must cver all aspects f the IT functin at CUSTOMER, including: IT plicy and prcedure Business cntinuity f the IT functin Physical security arund IT assets Hst-based security n IT assets Results f the audit shuld prvide CUSTOMER with an understanding f their infrmatin security psitining, as well as prviding recmmendatins n hw t imprve areas that have been identified as being high security risks t CUSTOMER. Methdlgy SafeCms cnducted its audit in cnfrmity with IS Infrmatin Technlgy Cde f practice fr infrmatin security management. The basis fr this is that ISO standard prvides a cmmn basis fr develping rganizatinal security standards and effective security management practice as well as prviding cnfidence in interrganizatinal dealings. The audit cnsisted f an interview f the Management Team and sme key staff. We als bserved the IT practice and reviewed apprpriate dcumentatin when available. Selected Wrkstatins and Servers were analyzed, and system sftware and anti-virus signatures cntrlled. A full vulnerability scan was cnducted, n all servers (bth public and private) in use at CUSTOMER. Reprts are attached. Varius recmmendatins in plicies and prcedures, including hardening recmmendatins, will be issued t imprve the verall security at CUSTOMER. Risk Scre Calculatins: In this dcument, yu will see ratings indicating the risk level f ur findings. There are tw variables used t determine risk, which are Business Impact and Level f Cntrl. Business Impact Hw bad culd it be? The first bx f rankings is an indicatin f benchmarks, industry standards, and the level f imprtance placed n this item, as identified during interviews with yur staff. T calculate the Business Impact f a given risk, the tw scres fr the Ptential Impact and the Prbability f Occurrence are multiplied tgether: Ptential Impact (The level f impact t the business, f a security breach) 3 High 2 Medium 1 Lw Prbability f Occurrence (The likelihd that a security breach might ccur) 3 High 2 Medium 1 Lw Page 7 f 12

8 Business Impact (The verall assessment f hw impacting this item culd be) By multiplying the abve items, we will get the result f the Business Impact. (Ptential Impact x Prbability f Occurrence = Business Impact) 7 ~ 9 High 3 ~ 6 Medium 1 ~ 2 Lw Level f Cntrl Hw much are yu ding t prevent it? Based n the findings frm the audit, a scre is assigned t identify what the business is ding t address and prevent security breaches frm this item. The amunt f cntrls r measures in place t mitigate the security breach are ranked as: 5 Nthing Being Dne 4 N Cntrls 3 Weak Cntrls 2 Nt Cnsistent 1 High Cntrl Risk Scre (*) What is the yur ver-all rating fr this item? By cmbining the ptential business impact with the cmpany s level f cntrl fr that item, we can identify the risk fr that item. Therefre: Business Impact x Level f Cntrl = Risk Scre; Risk Scre is divided int three pssible categries, as fllws: 31 ~ 45 High Risk 16 ~ 30 Medium Risk 1 ~ 15 Lw Risk Fr each finding abve, the fllwing table is used t represent the Risk Scre f that item: Indicatr Scre Lw Risk High Risk Business Impact PI x PO = BI (Level) Level f Cntrl LC (Level) Risk Scre RS (Level) 1~15 16~30 31~45 (*) T be issued a certificate f cmpliance, the cmpany must nly Rate in the Lw Risks. Nte n SafeCms apprach: IT Security is nt an abslute; that is t say that n rganisatin can be cmpletely secure. Further measures can always be taken t imprve the security f an rganisatin, and t minimise the risk t that rganizatin f an IT security breach. Hwever nt all security measures represent a gd investment f IT resurces. IT security is therefre a risk management prcess, which aims t reach a delicate balance between required functinality, security and cst. The SafeCms apprach t cnducting IT security audits is based n this philsphy. Page 8 f 12

9 Current State CUSTOMER has many services such as <mitted> that are handled by a cmputerized cntrl system. In additin, service time is ffered 24 hurs a day and 365 days a year t supprt the custmer needs. CUSTOMER gal is t be ne f the best service prviders in Asia with advanced technlgy and well-maintained facilities such as <mitted> n the Wrld Wide Web in rder t ensure that custmers will be able t access directly t receive real time infrmatin. Currently, there are a number f significant applicatins n the cmputer systems such as <mitted> that are running n UNIX and Windws Server 2003, respectively. Recgnizing the criticality f rle f the cmputer systems in the peratin f the cmpany, CUSTOMER management is cncerned with adequacy f cntrls t ensure accuracy, integrity and reliability f the cmputer systems. Findings, Risks, and Recmmendatins In cmpliance with ISO-17799, the audit results at CUSTOMER are rganized int the eleven security cntrl clauses f the ISO standard. Within each f the ISO clauses, the identified items are represented with their assciated findings, risks, and recmmendatins. The 11 security cntrl clauses are as fllws: 1. Security Plicy 2. Organizatin f Infrmatin Security 3. Asset Management 4. Human Resurces Security 5. Physical and Envirnmental Security 6. Cmmunicatins and Operatins Management 7. Access Cntrl 8. Infrmatin Systems Acquisitin, Develpment and Maintenance 9. Infrmatin Security Incident Management 10. Business Cntinuity Management 11. Cmpliance Nte: The rder f the clauses des nt imply their imprtance. Depending n the circumstances, all clauses culd be imprtant, therefre SafeCms will identify applicable clauses, hw imprtant these are and their applicatin t individual business prcesses. Page 9 f 12

10 1. Security Plicy Infrmatin Security Plicy Business Impact Objective: T prvide management directin and supprt fr infrmatin security in accrdance with business requirements and relevant laws and regulatins. Management shuld set a clear plicy directin in line with business bjectives and demnstrate supprt fr, and cmmitment t, infrmatin security thrugh the issue and maintenance f an infrmatin security plicy acrss the rganizatin. Indicatr Scre Lw Risk High Risk Ptential Impact High Prbability f Occurrence High Business Impact High Cntrl Infrmatin security plicy dcument An infrmatin security plicy dcument shuld be apprved by management, and published and cmmunicated t all emplyees and relevant external parties. <mitted> Finding There is n frmal, dcumented security plicy in existence at CUSTOMER. During interviews, sme staff assumed a plicy was in place, due t their understanding that security was nly abut passwrds. In the prcedure manuals, we fund that <mitted> Indicatr Scre Lw Risk High Risk CUSTOMER s Level f Cntrl N Cntrls Risk As many staff are unaware f the wide range f ptential security issues, varius breaches in security culd ccur, and g un-nticed r un-reprted. The ptential level f damage t the cmpany culd be severe (e.g. lss f revenue, custmers, r reputatin). Indicatr Scre Lw Risk High Risk Risk Scre 36 - High 1~15 16~30 31~45 Recmmendatin Immediate actin shuld be taken t develp and implement a cmprehensive infrmatin security plicy that will define and cmmunicate the management s cmmitment t infrmatin security t the entire rganizatin. Page 10 f 12

11 Secure Areas Business Impact 5. Physical and Envirnmental Security Objective: T prevent unauthrized physical access, damage, and interference t the rganizatin s premises and infrmatin. Critical r sensitive infrmatin prcessing facilities shuld be hused in secure areas, prtected by defined security perimeters, with apprpriate security barriers and entry cntrls. They shuld be physically prtected frm unauthrized access, damage, and interference. The prtectin prvided shuld be cmmensurate with the identified risks. Indicatr Scre Lw Risk High Risk Ptential Impact High Prbability f Occurrence Medium Business Impact Medium Cntrl Physical security perimeter Security perimeters (barriers such as walls, card cntrlled entry gates r manned receptin desks) shuld be used t prtect areas that cntain infrmatin and infrmatin prcessing facilities. <mitted> Prtecting against external and envirnmental threats Physical prtectin against damage frm fire, fld, earthquake, explsin, civil unrest, and ther frms f natural r man-made disaster shuld be designed and applied. Finding <mitted> A primary cncern is the fact that there is n fire suppressin system in the cmputer rm. Indicatr Scre Lw Risk High Risk CUSTOMER s Level f Cntrl Weak Risk A fire in the cmputer rm culd destry all current supprt activities, as well as destry the servers f the ther cmpany hsted in the CUSTOMER cmputer rm. CUSTOMER culd be liable fr damages incurred t bth cmpanies, including lst assets and time t recver frm the lss. Indicatr Scre Lw Risk High Risk Risk Scre 18 - Medium 1~15 16~30 31~45 Recmmendatin Cntinue regular maintenance n the perimeter, entry cntrls, and facilities. An apprpriate cmputer rm fire suppressin system shuld be installed as sn as pssible t prevent a fire disaster. <mitted> Page 11 f 12

12 7. Access Cntrl Netwrk Access Cntrl Business Impact Objective: T prevent unauthrized access t netwrked services. Access t bth internal and external netwrked services shuld be cntrlled. User access t netwrks and netwrk services shuld nt cmprmise the security f the netwrk services by ensuring: a) apprpriate interfaces are in place between the rganizatin s netwrk and netwrks wned by ther rganizatins, and public netwrks; b) apprpriate authenticatin mechanisms are applied fr users and equipment; c) cntrl f user access t infrmatin services is enfrced. Indicatr Scre Lw Risk High Risk Ptential Impact High Prbability f Occurrence High Business Impact High Cntrl Plicy n use f netwrk services Users shuld nly be prvided with access t the services that they have been specifically authrized t use. <mitted> Netwrk ruting cntrl Ruting cntrls shuld be implemented fr netwrks t ensure that cmputer cnnectins and infrmatin flws d nt breach the access cntrl plicy f the business applicatins. Finding Custmers and suppliers are able t access CUSTOMER data/applicatin. There is n cntrl r lgs mnitring n what they d remtely. PC Anywhere was still pened n a server during the audit when the supplier had requested t access during a previus timeframe. <mitted> Security breach pssible During an external scan, we fund that the Virus scanning interface is pen and available withut the need f a username r passwrd. We have access t cntrl this service. In additin, we believe that with a small amunt f effrt, we culd penetrate this machine and thereby gain access t the CORE system via a hle identified in the firewall. Indicatr Scre Lw Risk High Risk CUSTOMER s Level f Cntrl N Cntrls Risk Prductin systems are vulnerable t attack and security breaches frm multiple channels (Internet and Wireless) and there is n true cntrl r knwledge f what is passing thrugh the netwrk n a daily basis. Indicatr Scre Lw Risk High Risk Risk Scre 36 - High 1~15 16~30 31~45 Recmmendatin <mitted> Page 12 f 12