Internal Audit Report 2010/11 North Norfolk District Council. February 2011


Internal Audit Report 2010/11
North Norfolk District Council
NN/11/17 Network Infrastructure, Security and Telecommunications
February 2011

This report has been prepared on the basis of the limitations set out on page 26.

Contents

Executive Summary
Recommendations
Statement of Responsibility
Appendix A - Definition of Audit Opinions, Direction of Travel, Adequacy and Effectiveness
Appendix B - Audit Objectives & Scope
Appendix C - Audit Team & Staff Consulted
Appendix D - Audit Timetable

This report and the work connected therewith are subject to the Terms and Conditions of the Contract dated 1 October 2007 between South Norfolk District Council and Deloitte & Touche Public Sector Internal Audit Limited. The report is confidential and produced solely for the use of the above named Participating Council. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains access to this document.

Executive Summary

Introduction

As part of the 2010/11 Internal Audit Plan, agreed by the Audit Committee, we have undertaken an audit of Network Infrastructure, Security and Telecommunications. All the issues identified in the Audit Brief approved in September 2010 have been addressed. This report sets out our findings from the audit and raises recommendations to address areas of control weakness and / or potential areas of improvement.

Audit Opinion

Unsatisfactory Assurance / Limited Assurance / Adequate Assurance / Good Assurance

We categorise our opinions according to the assessment of the controls in place and the level of compliance with those controls. Audit opinions are defined in Appendix A.

Supporting Award of Opinion and Direction of Travel

The audit work carried out by Internal Audit (the scope of which is detailed in Appendix A) indicated that there are weaknesses in the system of internal controls such as to put the client's objectives at risk. Although overall the Council's Domain Controller Configuration standards were on par with other local authority organisations, there are still a number of weaknesses which need to be addressed to meet good security practice and the Government Code of Connection (CoCo) requirements. A total of 15 medium priority and three low priority recommendations have been raised to lift controls to a good/leading practice standard; hence we have been able to provide a limited level of assurance.

This system has not previously been audited, so there is no comparison possible with previous findings. Hence no direction of travel indicator can be given.

Summary of Findings

In this section we set out a summary of our findings under each area of scope. This is a balanced summary where possible. Where weaknesses are identified, full details of these are included in the recommendations raised.

Domain Account Policies
This refers to the general practices that operate, such as password policies, account lock-out policy etc. Password controls in this area are good; for example, complexity has been enabled and other available supporting controls are in place. There are a number of other controls that require review and recommendations on these have been raised.

Audit Policy
The majority of the available audit functionality has been utilised, although the logs created by the audit functionality are not reviewed. Recommendations around log review and bringing the audit functionality not currently being used to a good practice standard have been raised.

Event Logs
Event logs are equivalent to audit trails in the network domain. There are good controls in the configuration of event log settings.

Security Options
The majority of available controls in this area are in line with good practice, although it was also noted that some still require review. For example, it is not good practice to allow the username of the previous user of a PC or laptop to be displayed to the next user upon system start.

User Accounts
Good controls have been implemented, although the audit found that there appears to be a large number of user accounts with passwords set to never expire and/or that do not require a password. The latter does not necessarily mean that no password is present, just that the accounts are allowed to have no password set. A recent Code of Connection onsite security IT Healthcheck found no accounts without passwords. Sample testing of the leavers process noted a minor weakness in that two accounts out of a sample of 22 over the period from July to September 2010 were still open. As the process clearly exists, the weakness was discussed with management and no formal recommendation has been raised here. However, recommendations on the accounts with no password expiry, and those which do not require a password, have been raised.

Rights and Privileges
It was found that rights to be granted to administrators only were configured in line with current good practice, although there are a number of rights to be granted to no one that have been granted to users. There are also a number of Discretionary Access Control Lists ("DACL") that have been created for individual users, that allow the users certain functionality within the system. Recommendations on this and the rights to be granted to no one have been raised.

Trusted and Trusting Domains
Trust relationships allow one Domain to trust the access rights given within another Domain (e.g. the network password would allow access to another domain). There are no such relationships in place on the network domain.

Remote Access Service (RAS)
The RAS service has been disabled and no RAS servers were defined within the domain. However, six supporting RAS services were still running on the Domain Controller and one administrator account has permission to dial in using RAS. Recommendations on stopping the services and reviewing the need to have an administrator account with this privilege have been raised.

Services and Drivers
The domain controller had 276 services available, of which 148 were running at the time of the audit. There is no regular review of the services to ensure that only required services are running. A recommendation on this has been raised.

Updates and Patches
It was found that the last time any patches or updates were installed was in January 2010 when Server 2003 Service Pack 2 was installed. There is no patch or update review process in place that ensures that the hardware is hardened to current patches and/or hotfixes. A recommendation on this has been raised.

Logical Drives and Network Shares
Logical drives are sections of physical drives that have been partitioned, whilst network shares are pieces of information that can be shared between users (e.g. shared files, shared printers). Good controls were noted here.

Backup
Good controls were noted here.

Physical and Environmental Security
Good controls were noted here.

Disaster Recovery Plan (DR)
Management have been working on drafting a Disaster Recovery Plan, although it requires further review to lift it to current good practice. A recommendation containing suggestions for improvement has been raised.

Network Topology (layout) and Resilience
Single points of failure (which, if they failed, would mean that a significant part of the network would also fail) were noted at the Firewall and router switch. Spare devices are available to replace the active devices and management are confident in their ability to do so with little delay. The Council's infrastructure is small and these controls have been considered to be adequate for their needs.

Network Support
The support team is small, although there is good cross training in place to help ensure adequate network management resourcing. However, there are weaknesses in terms of security alert management and the lack of regular review of service desk activities to identify any support trends that may require off line resolution. Recommendations on these have been raised.

Network Device Security
The CISCO switches allow connections between, and within the network. The CISCO switch configuration is such that one of the passwords has been encrypted using a CISCO Type 7 algorithm, which is known to be weak. A recommendation to harden this encryption to the stronger Type 5 encryption has been raised. The Council currently has no Intrusion Detection System in place. A recommendation to consider implementation of such a system has also been raised.

Remote Virtual Private Network (VPN) Access
These allow users to access the network from other locations, e.g. through the internet. Good controls were noted. A VASCO (a data security company) token 2-factor authentication mechanism is in place.

Network Management and Administration
Good controls have been noted in that there appears to be adequate budget and resource in place to manage the network infrastructure, although no Service Level Agreement between IT and the Business Areas is in place. In addition, there is no separate Network Strategy. Recommendations on these weaknesses have been raised.

Firewall
Good controls were noted in that there is evidence of regular (annual) penetration testing in place. Management use a range of different external vendors to implement these tests in order to get a cross section of opinion.

Telecommunications Administration
The Council uses older technology with a small amount of Voice-over IP (VOIP) technology, which is used internally only. There is a range of Disaster Recovery options available to management should such an event be invoked. Billing is handled by apportioning total amounts equally across the total number of Council employees.

Adequacy and Effectiveness Assessments (definitions are found in Appendix A)

Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised* (High / Medium / Low)
Domain Accounts Policy | Amber | Amber |
Audit Policy | Amber | Amber |
Event Logs | Green | Green |
Security Options | Amber | Amber |
User Accounts | Amber | Amber |
Rights and Privileges | Amber | Amber |
Trusted and Trusting Domains | Green | Green |
Remote Access Service (RAS) | Amber | Amber |
Services and Drivers | Amber | Amber |
Updates and Patches | Amber | Amber |
Logical Drives and Network Shares | Green | Green |
Backup | Green | Green |
Physical and Environmental Security | Green | Green |
Disaster Recovery Plan | Amber | Amber |
Network Topology and Resilience | Green | Green |
Network Support | Amber | Amber |
Network Device Security | Amber | Amber |
Remote Virtual Private Network (VPN) Access | Green | Green |
Network Management and Administration | Amber | Amber |
Firewall | Green | Green |
Telecommunications Administration | Green | Green |
Total | | |

* Recommendation priorities are defined in Appendix A

High Priority Recommendations

We have raised no high priority recommendations as a result of this audit.

Background

The network infrastructure enables users to connect to servers and equipment which is not directly connected to their own physical PC or workstation. This could be on the next desk (as in printers), other rooms, other buildings or even other countries depending on the type of network. The Audit of the network infrastructure has looked at how the Council's network is accessed, how it is supported and monitored and how the network is secured against unauthorised access. As part of the audit a Computer Audit Tool called SekChek was used to look at the Network Server Operating System (O/S) configuration and logical access controls. The administration procedure in place for the maintenance and security for the Council's Voice network, which runs alongside the Data network, was also reviewed.

Audit Objective

The objective of the audit was to determine whether management has implemented adequate and effective controls over the Networks Infrastructure, Security and Telecommunications. The details of the areas covered are listed in Appendix B.

Acknowledgement

We would like to thank the management and staff of North Norfolk District Council for their time and cooperation during the course of the audit. All staff consulted are included at Appendix C.

Recommendations

Domain Accounts Policy

1. Domain Accounts Policy - Medium priority

Management should give consideration to amending the Domain Accounts Policy in the following ways to comply with current good practice:
- "Prevent transfer of password in clear text" should be set to Enabled;
- "Reset Lockout Counter in minutes" should be raised to 1440; and
- "Allow lockout of local administrator account" should be Enabled.
The built in administrator account should also be renamed.

The suggested enhancements will help to ensure that user accounts are managed as securely as possible.

The audit noted that the following settings do not comply with current good practice:
- "Prevent transfer of password in clear text" is Disabled;
- "Reset lockout counter in minutes" is currently set to 30 minutes; and
- "Allow lockout of local administrator account" is disabled.
The Built in Administrator account also carries its delivery name. A lack of adequate logical controls increases the risk of unauthorised access.

Agreed.

Responsibility: Networks Manager
Deadline: 30th April

Audit Policy

2. Audit Policy - Medium priority

In order to match good practice, management should look to change the current Audit Policy settings for "Policy change events" and "Privilege use events" to Success/Failure.

Making the changes will help to ensure that changes requiring enhanced privileges can be tracked adequately.

Currently "Policy change events" is set to Success only, which means that any failed attempts to make such changes are not recorded, and there is currently no auditing enabled for "Privilege use events". These settings do not comply with current good practice and increase the risk that unauthorised actions are not identified or cannot be investigated.

Agreed.

Responsibility: Networks Manager
Deadline: 30th June

3. Review of Audit Logs - Medium priority

Management should implement a process whereby audit logs undergo regular and documented review.

Regular documented reviews of audit logs will help to ensure that anomalies flagged in the logs can be investigated and unauthorised activity identified as a result.

There is currently no regular process to review the audit logs, although management do conduct ad hoc reviews on management request. There is also work currently underway to bring a new log collation and reporting system (RSA Envision) online, which should assist the review process greatly. A lack of regular review increases the risk of unauthorised activity not being identified and dealt with in a timely manner.

Agreed.

Responsibility: Networks Manager
Deadline: 30th June

Security Options

4. Security Options - Medium priority

Management should give consideration to changing the following settings:
- "Unsigned non driver installation" should be set to "Warn but allow"; and
- "Do not display last user name in logon screen" should be set to Enabled.

Enhancing these security options will help protect the network from unauthorised access.

The audit found that the following settings require review:
- "Unsigned non driver installation" is set to "Silently succeed"; and
- The user name of the last user that accessed a device is displayed to the next user on logon, which therefore only requires the entry of a correct password.
There is an increased risk of unauthorised access and changes being made within the network.

Agreed. We will need to look into this and implement if appropriate.

Responsibility: Networks Manager
Deadline: 30th June

User Accounts

5. Null Passwords and Passwords that Never Expire - Low priority

Management should conduct a review of accounts where passwords are set to never expire and where null passwords are permitted, as the number of these accounts appears to be high.

Keeping the numbers of such accounts to a minimum helps to protect against unauthorised access.

There are 42 accounts which belong to members and 33 which belong to "Outside agencies" with passwords set to never expire. There are also 256 user accounts where passwords are not required, although this does not mean that there are actual accounts with no passwords, just that these accounts allow null passwords. A recent CoCo security assessment did not find any accounts without passwords. Weak user account controls increase the risk of unauthorised access into the network.

Agreed. We review our accounts regularly and we are happy that there are legitimate business reasons for the accounts where passwords have been set to never expire. This part of the recommendation has therefore been implemented. We will review the accounts where null passwords are possible and revoke this setting where appropriate.

Responsibility: Networks Manager
Deadline: 31 March

6. Expired and Disabled User Accounts - Medium priority

Management should conduct regular reviews of expired and disabled accounts to remove any that are no longer deemed required.

Performing a regular review of user accounts will help identify inactive accounts and, by removing them, prevent unauthorised access being gained through these accounts.

The audit found that there were 46 expired and 332 disabled user accounts. There is a risk of unauthorised access through unused accounts and reduced management effectiveness.

Agreed. Implemented.

Responsibility: Networks Manager
Deadline: 31 January
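The account reviews asked for in recommendations 5 and 6 can be run from a directory export. The following is an added example, not part of the audit report or of the SekChek tool: it decodes the Active Directory userAccountControl flags and the accountExpires timestamp for each account and groups the results under the four headings the auditors counted. The export layout and every account in it are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft for Active Directory.
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020        # account is allowed to have a blank password
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires is a FILETIME (100 ns ticks since 1601-01-01 UTC).
# Both of these values mean "never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (not data from the audit).
# 129383136000000000 is the FILETIME for 2011-01-01 00:00 UTC.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,accountExpires
jsmith,512,0
member01,66048,9223372036854775807
agency07,66048,0
tempuser,544,0
leaver22,514,0
contractor3,512,129383136000000000
svc_backup,66080,0
"""


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def review_accounts(export_text, as_of):
    """Group account names by the weaknesses named in recommendations 5 and 6."""
    findings = {
        "password_not_required": [],
        "password_never_expires": [],
        "disabled": [],
        "expired": [],
    }
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        expires = int(row["accountExpires"])

        # As the report points out, this flag only means a null password is
        # permitted; it does not show that the password actually is blank.
        if uac & UAC_PASSWD_NOTREQD:
            findings["password_not_required"].append(name)
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            findings["password_never_expires"].append(name)
        if uac & UAC_ACCOUNTDISABLE:
            findings["disabled"].append(name)
        if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= as_of:
            findings["expired"].append(name)
    return findings


if __name__ == "__main__":
    review_date = datetime(2011, 2, 1, tzinfo=timezone.utc)
    for category, names in review_accounts(SAMPLE_EXPORT, review_date).items():
        print(f"{category:24} {len(names):3}  {', '.join(names)}")
```

Keeping the names in each group, rather than only the counts, lets every entry be matched against a documented business reason or removed.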

Rights and Privileges

7. Rights to be granted to no one - Medium Priority

We recommend that the powerful system rights which should be granted to no one should be reviewed and removed. These include:
- Adjust memory quotas for a process;
- Log on as a batch job;
- Log on as a service; and
- Replace a process level token.

Removing the powerful system rights that should be granted to no one will help minimise security exposure and increase stability of the system.

There are a number of system rights that should not be granted to any user. The audit found that some of these rights have been assigned to user accounts. These are as follows:
- Adjust memory quotas for a process - 20 accounts have this right;
- Log on as a batch job - 9 accounts have this right;
- Log on as a service - 3 accounts have this right; and
- Replace a process level token - 2 accounts have this.
Restricting the use of powerful systems rights reduces the risk of either accidental or deliberate misuse.

Agreed. We will need to look into this and implement where appropriate.

Responsibility: Networks Manager
Deadline: 30th June

8. Review of DACLs - Medium Priority

The Discretionary Access Control List (DACL) should be reviewed to ensure that the list is valid, current and that permissions granted through this route are appropriate.

Reviewing the DACLs and the permissions granted will help ensure that the DACLs and the user permissions are current, valid and in line with users' responsibilities.

The audit noted that there are 14,119 DACLs defined within the domain of which 880 were granted by an individual user and 160 to the group Helpdesk. Weak controls in this area increase the risk that users may obtain powerful permissions which are not in line with their responsibilities.

Agreed. We will need to look into this and implement any controls deemed appropriate at a later date.

Responsibility: Networks Manager
Deadline: 31 June

Remote Access Service (RAS)

9. Remote Access Service - Medium Priority

It is recommended that arrangements are made to stop the redundant Remote Access Service (RAS) services from the network and remove the permission from the identified user to dial in to RAS if no longer applicable.

Removal of the redundant services and related permissions will help to ensure that no unauthorised, deliberate or accidental connection is made through this service and will also help in the maintenance of the domain network.

The audit found that there are no RAS servers defined within the domain, although six RAS services (Rasacd, Rasauto, Rasl2tp, RasMan, Raspppoe, Raspti) were still found to be running. There is also one administrator account with permission to dial in using RAS. There is a risk of unauthorised access being obtained through RAS service as a result of unauthorised, deliberate or accidental connection.

Agreed. We will stop this service but Remote Access is not configured and no modems exist. It is therefore a very very remote threat.

Responsibility: Networks Manager
Deadline: 31 December

Services and Drivers

10. Periodic Review of Services - Low Priority

Management should conduct periodic reviews of the services on the Domain Controller to ensure that only required services are available. Where services are not required, they should as a minimum be disabled, preferably removed.

Keeping services available to a minimum required for the server will help protect the security of the network and help maximise performance.

The audit found that there are 276 services available on the Domain, of which 148 were running. A lack of review increases the risk that network security will be compromised.

Agreed.

Responsibility: Networks Manager
Deadline: 30th September

Updates and Patches

11. Patches and Hotfixes - Medium Priority

It is recommended that a process should be put in place for regular review of patches released by Microsoft, to ensure that the necessary (Security and Vulnerability) patches have been applied as early as practicable. Where a patch or fix has not been applied, the reason or reasons should be documented. The Microsoft Baseline Security Analyser (MBSA) tool could be used to conduct the reviews.

Ensuring and applying the relevant patches will help minimise any vulnerability that may exist on the Domain controllers and servers. Formalising the process will help ensure that in future all patches and fixes have been reviewed and a record maintained of those that have been applied as well as those that have not been applied. Additionally it will help ensure that a patch or fix that may be important for the security of the network environment has not been overlooked.

The audit noted that the last time any patches or hotfixes were applied was in January 2010 when Server 2003 Service Pack 2 was installed. The Council does not make use of available tools such as MBSA to ensure that the network has been hardened appropriately. A lack of appropriate review increases the risk that the Council's network may be exposed to security vulnerabilities and/or inefficiencies.

Agreed. We will look into this and implement appropriate processes.

Responsibility: Networks Manager
Deadline: 30th June

Disaster Recovery Plan

12. Disaster Recovery Planning - Medium Priority

Management should review the Disaster Recovery plan as follows:
- Use a recognised DR standard (for example BS25777) to guide the DR planning process;
- Be clearer about how the list of priorities in section 4 was developed;
- Include a procedure for invoking and escalating the DR plan from an IT management perspective; and
- Have the plan formally signed off by the business and IT management.

A robust and appropriately updated/documented/tested Disaster Recovery Plan will help to ensure that the plan is effective and meets business requirements in all respects.

The audit noted that there is a disaster recovery plan, although it is not complete. For example, it is not clear that it is aligned to Business requirements, although a list of priority systems is present. There is no indication of the invocation and escalation procedures, and no management signoff. A lack of relevant Disaster Recovery plan increases the risk that the Council cannot recover its systems as required by the business, which could result in a lack of priority service provision.

We consider our current processes to be suitable for our needs, although we will review the plans based upon the recommendation.

Responsibility: Networks Manager
Deadline: 30th June

Network Support

13. Security Alerts Contacts - Medium Priority

Management should ensure that all alerts that the various monitoring systems send are configured so that they are sent to multiple users in the IT team.

Sending relevant alerts to multiple users will help to ensure that alerts are acted upon even when the primary responsible user is not present.

The audit noted that there are a number of security alerts relating to Anti Virus and client machine management but that they were not all configured to be sent to multiple users. Sending relevant alerts to single users only increases the risk that certain alerts that require immediate attention are not acted upon in a timely manner.

Agreed. Implemented. Critical anti-virus alerts and backup messages are now configured to go to multiple staff.

Responsibility: Networks Manager
Deadline: 31 January

14. Service Desk Reporting - Medium Priority

Management should restart the helpdesk reporting process and consider inviting users to suggest improvements that could be made to the reports to make them more relevant to their needs.

Adequate reporting will help to ensure that the Service Desk activity is transparent to users and management and helps to ensure that trends and root causes can be easily identified and resolved.

It was noted that IT Management used to produce activity reporting, but no longer does, due to a perception that the reports were not considered useful. Management have also indicated that users have not commented on the lack of reporting to date. A lack of reporting increases the risk that Council management are not able to accurately track the effectiveness of the service desk.

Agreed in part. The reports will be used within ICT for monitoring calls as it is felt Users do not have time to read reports of this nature on a regular basis. This is a good sign that the quality of the ICT service is not an issue.

Responsibility: Networks Manager
Deadline: 30th June

Network Device Security

15. CISCO Switch encryption strength - Low Priority

Management should review the CISCO switch configuration and ensure that all type 7 encrypted passwords are enhanced to type 5.

Strong encryption helps to ensure the security of the relevant devices.

It was noted that one of the passwords within the CISCO configuration was encrypted to type 7 standard, which is a CISCO proprietary standard and weaker than type 5. Weak password encryption increases the risk of unauthorised access to the device.

Agreed. Implemented.

Responsibility: Networks Manager
Deadline: 31 December
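The configuration review in recommendation 15 can be repeated on any saved switch configuration. The following is an added example, not part of the audit report: it scans a configuration for stored credentials, records where each one sits and which encoding type it uses, and flags type 7 and unencoded (type 0) entries. The sample configuration, its account names and its secret values are constructed; treating type 5 as meeting the recommendation follows the report, and any other type is marked for manual review.

```python
import re

# Matches "password" / "secret" followed by an optional numeric type and the
# stored value. "service password-encryption" is not matched because the
# keyword must be followed by whitespace.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")

# Rating per encoding type. Type 5 is the target named in the recommendation;
# type 7 is the weak encoding it asks to replace; type 0 is cleartext.
RATINGS = {"0": "weak", "7": "weak", "5": "meets-recommendation"}

# Constructed sample configuration (placeholder secrets, not from the audit).
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$CONS$TRUCTEDsampleHASHvalue00
enable password 7 0123456789ABCDEF
!
username netadmin privilege 15 secret 5 $1$CONS$TRUCTEDsampleHASHvalue01
username helpdesk password 7 0123456789ABCDEF
!
line con 0
 password examplecleartext
line vty 0 4
 password 7 0123456789ABCDEF
 login
!
"""


def scan_config(text):
    """Return one entry per stored credential, without echoing its value."""
    entries = []
    context = "global"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        indented = line[0].isspace()
        if not indented:
            context = "global"
        match = CRED_RE.search(line)
        if match is None:
            if not indented:
                context = line  # a top-level command opens a new section
            continue
        keyword, enc_type, _value = match.groups()
        enc_type = enc_type or "0"  # no type digit means the value is cleartext
        # For top-level commands report the command prefix ("enable",
        # "username helpdesk"); for indented ones report the section.
        where = line[:match.start()].strip() or context
        entries.append({
            "line": line_no,
            "where": where,
            "keyword": keyword,
            "type": enc_type,
            "rating": RATINGS.get(enc_type, "review"),
        })
    return entries


def weak_entries(text):
    """Credentials stored as type 7 or cleartext, as (line, where, type)."""
    return [(e["line"], e["where"], e["type"])
            for e in scan_config(text) if e["rating"] == "weak"]


if __name__ == "__main__":
    for line_no, where, enc_type in weak_entries(SAMPLE_CONFIG):
        print(f"line {line_no}: {where}: type {enc_type} credential")
```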

16. Intrusion Detection System - Medium Priority

Management should give consideration to the implementation of a suitable Intrusion Detection System.

Adequate Intrusion Detection will help to ensure the security of the network.

The Council does not currently have Intrusion Detection installed on their network. A lack of adequate Intrusion Detection increases the risk of unauthorised access into the network.

Agreed. We will look into this and implement where appropriate though budget could be a barrier here. The deadline is for consideration, not implementation.

Responsibility: Networks Manager
Deadline: 30th June

Network Management and Administration

17. Service Level Agreement - Medium Priority

Management should give consideration to drafting and agreeing a Service Level Agreement with the Business Areas.

A Service Level Agreement will help to ensure transparency in and accountability for the performance of the IT department.

There is currently no formal Service Level Agreement in place between IT and the Business Areas. However, it is acknowledged that there are bi-annual customer satisfaction surveys, which is a Performance Management requirement. A lack of formal Service Level Agreement increases the risk of a degradation of the IT service and reputational damage to IT management.

Agreed. We will consider whether this is appropriate.

Responsibility: ICT Manager
Deadline: 31st August

18. Network Strategy - Medium Priority

Management should draft and agree a Network Strategy to complement the existing ICT Strategy. The document should include reference to the timescales that the strategy covers, the level of current planned investment in the infrastructure and the aims of the strategy in terms of how it is aligned to identified business needs over the lifetime of the strategy.

A formal Network Strategy will help to ensure transparency and accountability for the network and help to demonstrate how the IT area are supporting identified business objectives over time.

There is currently no formal network strategy, although there are brief references to network plans within the main ICT strategy. A lack of formal Network Strategy increases the risk that the networks management will be ineffective and not support business objectives over time.

Disagreed. However, we shall include a network plan as part of the ICT strategy instead of generating a separate document. This is to minimise the number of strategies.

Responsibility: Networks Manager
Deadline: 31st August

Statement of Responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Deloitte & Touche Public Sector Internal Audit Limited
St. Albans
February 2011

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited


More information

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating: Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory Assurance Rating: Distribution List: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation

More information

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating:

Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management. Assurance Rating: Coleg Gwent Internal Audit Report 2014/15 Staff Performance Management Assurance Rating: Distribution List: Final Report Audit Committee Principal Vice Principal, (Resources and Financial Planning)/Director

More information

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15 Appendix 6c Final Internal Audit Report Disaster Recovery Planning June 2007 Report 6c Page 1 of 15 Contents Page Executive Summary 3 Observations and Recommendations 8 Appendix 1 - Audit Framework 13

More information

Draft Internal Audit Report Software Licensing Audit. December 2009

Draft Internal Audit Report Software Licensing Audit. December 2009 Draft Internal Audit Report Software Licensing Audit December 2009 Contents Page Executive Summary 3 Observations and Recommendations 6 Appendix 1 Audit Framework 9 Appendix 2 - Staff Interviewed 10 Statement

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

How To Audit Health And Care Professions Council Security Arrangements

How To Audit Health And Care Professions Council Security Arrangements Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

More information

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010

Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 Item 10 Appendix 1d Final Internal Audit Report Performance Management Greater London Authority April 2010 This report has been prepared on the basis of the limitations set out on page 16. Contents Page

More information

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 This report has been prepared on the basis of the limitations set

More information

Avon & Somerset Police Authority

Avon & Somerset Police Authority Avon & Somerset Police Authority Internal Audit Report IT Service Desk FINAL REPORT Report Version: Date: Draft to Management: 19 February 2010 Management Response: 12 May 2010 Final: 13 May 2010 Distribution:

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Internal Audit at the University of Cambridge.

Internal Audit at the University of Cambridge. Internal Audit at the University of Cambridge. Contents Introduction to Deloitte 1 Our team 2 What is Internal Audit? 4 Our approach to Internal Audit 5 Authority and reporting lines 7 Planning 8 Ad Hoc

More information

Coleg Gwent Internal Audit Report 2012/13 Payroll and HR. Assurance Rating: Payroll

Coleg Gwent Internal Audit Report 2012/13 Payroll and HR. Assurance Rating: Payroll Coleg Gwent Internal Audit Report 2012/13 Payroll and HR Assurance Rating: Payroll HR Distribution List: Final Report Audit Committee Principal Vice Principal, (Finance, Estates and Information Services)

More information

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:

More information

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Steven Snaith, Risk

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Implementation of Internal Audit Recommendations: Summary of Progress Report by Head of Finance

Implementation of Internal Audit Recommendations: Summary of Progress Report by Head of Finance Financial Scrutiny and Audit Committee 11 February 2014 Agenda Item No 13 Implementation of Internal Audit : Summary of Progress Report by Finance Summary: This report updates members on progress in implementing

More information

Aberdeen City Council IT Disaster Recovery

Aberdeen City Council IT Disaster Recovery Aberdeen City Council IT Disaster Recovery Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

REVIEW OF THE FIREWALL ARRANGEMENTS

REVIEW OF THE FIREWALL ARRANGEMENTS WEST DORSET DISTRICT COUNCIL REVIEW OF THE FIREWALL ARRANGEMENTS Report issued: December 2007 The matters raised in this report are only those, which came to the attention of the auditor during the course

More information

Aberdeen City Council

Aberdeen City Council Aberdeen City Council Internal Audit Report Final Contract management arrangements within Social Care & Wellbeing 2013/2014 for Aberdeen City Council January 2014 Internal Audit KPI Targets Target Dates

More information

Business Planning & Budgetary Control 2012/13

Business Planning & Budgetary Control 2012/13 Cymdeithas Tai Cantref Cyf Final Internal Audit Report Business Planning & Budgetary Control 2012/13 Date of fieldwork: October November 2012 Date of draft report: November 2012 Date of final report: November

More information

UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY

UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY Originator: IT Performance and Capacity Management Policy Approval and Version Control Approval Process: Position or Meeting

More information

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING 6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Use of The Information Services Active Directory Service (AD) Code of Practice

Use of The Information Services Active Directory Service (AD) Code of Practice Use of The Information Services Active Directory Service (AD) Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office Internal Audit 2013-14: Follow up Last updated 4 July 2014 Distribution For action Senior Corporate Governance Manager Timetable Fieldwork completed 21 May 2014 Draft

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Aberdeen City Council IT Asset Management

Aberdeen City Council IT Asset Management Aberdeen City Council IT Asset Management Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

IT control environment Caerphilly County Borough Council

IT control environment Caerphilly County Borough Council Audit 2008/2009 November 2009 Author: PricewaterhouseCoopers LLP Ref: C09366 IT control environment Caerphilly County Borough Council We found the overall IT control environment at Caerphilly County Borough

More information

1 Introduction 2. 2 Document Disclaimer 2

1 Introduction 2. 2 Document Disclaimer 2 Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information

More information

IT OUTSOURCING SECURITY

IT OUTSOURCING SECURITY IT OUTSOURCING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS NOTTINGHAM CITY HOMES IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS Report issued: February 2011 Audit Plan: The matters raised in this report are only those that came to the attention of the auditor

More information

NOS for Network Support (903)

NOS for Network Support (903) NOS for Network Support (903) November 2014 V1.1 NOS Reference ESKITP903301 ESKITP903401 ESKITP903501 ESKITP903601 NOS Title Assist with Installation, Implementation and Handover of Network Infrastructure

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

MSP Service Matrix. Servers

MSP Service Matrix. Servers Servers MSP Service Matrix Microsoft Windows O/S Patching - Patches automatically updated on a regular basis to the customer's servers and desktops. MS Baseline Analyzer and MS WSUS Server used Server

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Business Continuity Business Impact Analysis arrangements

Business Continuity Business Impact Analysis arrangements Aberdeen City Council Internal Audit Report 2012/2013 for Aberdeen City Council May 2013 Business Continuity Business Impact Analysis arrangements Final Report Contents Section Page 1. Executive Summary

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

Security Policy for External Customers

Security Policy for External Customers 1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration

More information

Remote Access and Network Security Statement For Apple

Remote Access and Network Security Statement For Apple Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and

More information

Our Cloud Offers You a Brighter Future

Our Cloud Offers You a Brighter Future Our Cloud Offers You a Brighter Future Qube Global Software Cloud Services are used by many diverse organisations including financial institutions, international service providers, property companies,

More information

Internal audit report Information Security / Data Protection review

Internal audit report Information Security / Data Protection review Audit Committee 29 September 2011 Internal audit report Information Security / Data Protection review Executive summary and recommendations Introduction Mazars have undertaken a review of Information Security

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

APPENDIX 4 GREATER LONDON AUTHORITY SUN ACCOUNTS UNIX REVIEW FINAL AUDIT REPORT. Auditor: Chris Power & Michael Lacey Date: April 2003 Reference: 320

APPENDIX 4 GREATER LONDON AUTHORITY SUN ACCOUNTS UNIX REVIEW FINAL AUDIT REPORT. Auditor: Chris Power & Michael Lacey Date: April 2003 Reference: 320 APPENDIX 4 GREATER LONDON AUTHORITY SUN ACCOUNTS UNIX REVIEW FINAL AUDIT REPORT Auditor: Chris Power & Michael Lacey Date: April Reference: 320 Table of Contents 1 INTRODUCTION 2 Page 2 OBJECTIVES AND

More information

Information Commissioner's Office

Information Commissioner's Office Phil Keown Engagement Lead T: 020 7728 2394 E: philip.r.keown@uk.gt.com Will Simpson Associate Director T: 0161 953 6486 E: will.g.simpson@uk.gt.com Information Commissioner's Office Internal Audit 2015-16:

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Coleg Gwent. Wireless Audit. Internal Audit Report (2.10/11) 23 May 2011. Overall Opinion: Amber Green

Coleg Gwent. Wireless Audit. Internal Audit Report (2.10/11) 23 May 2011. Overall Opinion: Amber Green Coleg Gwent Wireless Audit Internal Audit Report (2.10/11) 23 May 2011 Overall Opinion: Amber Green Coleg Gwent CONTENTS Section Page Executive Summary 1 Action Plan 5 Findings and Recommendations 10 Debrief

More information

Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary

Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary Office of the Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary Internal Audit Report () FINAL Risk Management: Follow Up of Previous Internal Audit Recommendations

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Appendix 1b. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Review of Mobile Portable Devices Management

Appendix 1b. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Review of Mobile Portable Devices Management Appendix 1b DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA Review of Mobile Portable Devices Management DISTRIBUTION LIST Audit Team David Esling, Head of Audit and Assurance

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Internal Audit Report Disaster Recovery / Business Continuity Planning

Internal Audit Report Disaster Recovery / Business Continuity Planning Audit Committee, 28 November 2013 Internal Audit Report Disaster Recovery / Business Continuity Planning Executive summary and recommendations Introduction As part of the Internal Audit Plan for 2013-14,

More information

Controls for the Credit Card Environment Edit Date: May 17, 2007

Controls for the Credit Card Environment Edit Date: May 17, 2007 Controls for the Credit Card Environment Edit Date: May 17, 2007 Status: Approved in concept by Executive Staff 5/15/07 This document contains policies, standards, and procedures for securing all credit

More information

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by: Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Data Network Security Policy

Data Network Security Policy Authors: Mike Smith Rod Makosch Network Manager Data Security Officer IM&T IM&T Version No : 1 Approval Date: March 2005 Approved by : John Aird Director of IM&T Review Date : 1 April 2006 Trust Ref: C7/2005

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Audit of Business Continuity Planning

Audit of Business Continuity Planning Cumbria Office of the Police & Crime Commissioner Audit of Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens),

More information

Argyll and Bute Council

Argyll and Bute Council Argyll and Bute Council 3 June 2009 Contents Page 1 Executive Summary 1 Appendices A B Action plan Progress in implementation of prior year recommendations 1 1 Executive Summary 1.1 Introduction The Council's

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

How To Ensure The C.E.A.S.A

How To Ensure The C.E.A.S.A APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT TUGeneral TUSecurity TURequirements TUDesign TUIntegration

More information

GMS NETWORK ADVANCED WIRELESS SERVICE PRODUCT SPECIFICATION

GMS NETWORK ADVANCED WIRELESS SERVICE PRODUCT SPECIFICATION GMS NETWORK ADVANCED WIRELESS SERVICE PRODUCT SPECIFICATION 1. INTRODUCTION This document contains product information for the GMS Network Service. If you require more detailed technical information, please

More information

APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW

APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 Table of Contents 1.0 Security Services Overview
