Auditing Internet Security AUD11

Transcription

1 Auditing Internet Security AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 1

2 Session Objectives IS Auditors have enough confidence to use ITGC skills to audit Internet security to a medium assurance level AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 2

3 Internet Security Audit = 1. IT General Control + 2. Access control audit of the Internet gateway vis AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 3

4 Agenda What is Internet security Internet security technology Common IT General Controls Specific Internet security controls AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 4

5 Agenda AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 5

6 Cisco Diagram AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 6

7 Internet security - Goals Secure connection to the Internet Block access to internal systems Protect Web Applications Control internal personnel use of the Internet Secure remote access AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 7

8 Threats and Risks Threats Hackers extract and publish sensitive information Databases Executive files, negotiation strategies Legal files IP Staff publish sensitive info Risks x x x x Damages litigation Loss of business position Breach of legal duties Loss of competitive advantage Denial of service x Cash flow loss of sales x Reputation Theft of credit card details x Liability to bank Spoofing of your x Damages and litigation Staff and porn x Damages and litigation AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 8

9 Network Layers OSI Model TCP/IP Model Application Presentation Session Transport Network Data Link Physical Application (HTTP, FTP) Host-to-host (TCP, UDP) Network (IP) Network Access 10

10 The IP packet AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 11

11 Filtering Layers Cyberguard Diagram AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 12

12 Filtering Layers Cyberguard Diagram AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 13

13 IP Types IP Basic type Competitor to IPX, SNA, Decnet, etc ICMP Internet Control Message Protocol Used for flow control, pinging TCP Transmission Control Protocol 3-way handshake Starts with a SYN synchronise request State maintained in the kernel UDP Universal Datagram Protocol stateless Application maintains state Copyright (c) Infosec Services Pty Ltd

14 A look back to 2002 Rating Maturity Objective Controls Gateway User 1 Initial Basic filtering, block incoming Home user, SOHO 2 Repeatable Customised filtering, good technician SME 3 Defined Content scanning, change control, logging Major companies and Government 4 Managed Risk management, compensating controls, monitoring, CSIRP, Industry evaluated products 5 Optimised ISO Evaluated products, formal accreditation process Banks, high information asset companies Sensitive Government AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 15

15 Auditing Context Review enterprise security policy, network security standards Identify regulatory information security requirements Review security incident history Review service provision model In house Outsourced IAAS, PAAS, SAAS, etc Determine assurance requirements AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 16

16 Network access control AKA packet filtering Basic packet filtering Rare these days Filtering on Destination IP address Source IP address Destination port (AKA service, eg, HTTP, telnet) Source port Trust destination only trust your own source AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 17

17 Network Access Control Stateful Most common, Checkpoint, Cisco Adaptive Security Appliance, PIX, e.g. Recent outgoing DNS name lookup Permit the DNS response Firewall understands network sessions Application level 18

18 Network Access Control Application Level Application protocol compliance and misuse Enforce protocol rules E.g. Only DNS over the DNS port Block risky but compliance protocol options, e.g. SMTP - EXPN Content filtering Filter on the data part of the IP packet AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 19

19 Filtering What to look for Ingress Very restricted rules Restricted access to DMZ resources No access direct to internal networks No blanket access for remote access DMZ to internal networks only essential connections Egress Enforcement of use of proxies, e.g. SMTP = enforce use of corporate HTTP = enforce use of content filter DNS = enforce use of trusted DNS server AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 20

20 Content Inspection Malware Viruses, worms Buffer overflow attemtps Other exploitations Unauthorised content Keywords, e.g. F**K Images skin tones, etc Dedicated servers support firewalls AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 21

21 Intrusion Prevention Systems Evolution from Network IDS Historically separate IDS with feedback to the firewall Now mostly part of a firewall but licensed separately Requires annual subscription IDS engine dynamically writes firewall rules Detection techniques Signatures Anomaly / Heuristics Blacklists Disclosure Loss Prevention tools (DLP) (rarely tuned well) AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 22

22 Field Work AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 23

23 Testing - Passive Ask the administrator to show you the settings Less audit risk than accessing the admin account yourself Inspect key controls Applicable security policy Technical configuration settings Logging and incident response capability Review the firewall ruleset Inspect the IDS/IPS console Do they review or monitor suspect events? AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 24

24 Testing Review Firewall Rules Default deny policy? Permit risky protocols? Protocols with plaintext passwords Protocols permitting remote control or access Decisions based on untrustworthy source information? Rules match authorised usage Rule documentation Get the hidden (implied) rules on Firewall-1 AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 25

25 Testing Passive (3) Documentation Network diagrams Secure architecture? Ruleset descriptions? Maintainable? Periodically reviewed? Infrastructure inspection Patch cables Match diagrams? Software flaws patch plans/records Check for evidence of control effectiveness Test reports (including regression testing) System logs Incident reports AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 26

26 Testing Passive (4) Change Control Security risk Normal ITIL controls Administrator Authentication and logging From a trusted location Skills Access via secure interface AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 27

27 DMZ Servers Operating Systems Use standard server security checklist At the high security level Vendor security manual, ASD or AusCERT list, Center for Internet Security Inspect Usual ITGC Running network services netstat a rpcinfo p (on unix) Patching Malicious software controls Logging sent to a separate trusted repository? Multiple homed DMZ servers get the admin to show it is not a router Get the admin to run the vendor s security tools for you 28

28 DMZ Middleware Often the weakest point Web services access control Middleware containers have access control list Inspect Web services access control Authentication to access web services? Logging? Databases Dust off your database audit program 29

29 DMZ Servers Continued Backed up? Part of an IT Disaster Recovery Plan? Tested? Increasing using High Availability and auto failover 30

30 ASD s Top 35 Mitigations Firewalls, network segmentation, proxy enforcement Host and network IPS, centralized network logging spoof controls Sender Policy Framework Block certain file types and Web content filtering, malware controls Web domain whitelisting, blacklist known malicious domains Patching Dynamic analysis of and web - sandbox Server OS exploit mitigation, server application hardening 31

31 Testing Active Check control effectiveness Scan accessible ports does the admin have the tools? Tools: nmap Scan application vulnerabilities Tools: nessus, acunetix, Appscan, Burp Suite, Hailstorm, NTO Spider, Qualsys, WebInspect Penetration tests by service provider? CREST Australia AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 32

32 Testing Analysis v s Pen Tests Pen tests and scans great for obvious stuff ups Weaknesses hard to find by pen tests Rules with source network filters Rules for decommissioned servers (firewall rule reuse) No filtering from DMZ to internal networks No egress filtering Messed up firewall object definitions Firewall software flaws and patches E.g. Cisco Pix ACL bypass AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 33

33 Finifter and Wagner, UC Berkley Scope: code review Used with permission.

34 ? Analysis? Testing

35 Web Deployment Trends Virtualisation, virtualisation, virtualisation Co-hosting with other s web services Server virtualisation Storage virtualization Voice over IP security Phone toll fraud

36 Trends - Storage Virtualisation Alternative routes into the inside Shared server virtualization infrastructure Stretching of SANs into the DMZ All of an organisation s data in one place SAN controls Zoning, with Host Bus Adapters LUN masks or Access Control Lists Virtual servers can have very broad SAN access Use a separate SAN

37 Trends - Server Virtualisation Internet servers on the internal VM farm, but mainly separate VM farms Several key controls not on by default ARP spoofing MAC changes Many DOS controls Persistent log files OWASP

38 Trends - Server Virtualisation (2) Sprawl Duplicates running AV forgotten on virtual server clones Copies of other system snapshots Clones of insecure development configurations VM Snapshots unprotected on file system References Vmware Security Hardening Guides Microsoft Security Compliance Manager (Hyper-V) OWASP

39 Corrective Controls Incident Response Is there an incident response plan? Does the CSIRP cover management processes and technical responses? Is evidence protected? Does the plan have management authority? 17 September 2002 CACS

40 Controls Effectiveness Logs Are they protected? Are they stored on a separate server? Is it the only gateway? Wireless Modems 17 September 2002 CACS

41 Controls Effectiveness Malicious content scanning Frequency of signature updates Quality of tool Scan by heuristics and signatures Additional scanning on server or desktop Inspection regardless of file type Inspection inside of archive files HTTPS scanning HTTPS whitelisting, or blacklisting Independent expert review 17 September 2002 CACS

42 Internet Routing Authenticity BGP authentication Border router outside the firewall Reference, NIST SP Real world attacks and accidents China Telecom advertised unowned networks 2010 Pakistan Telecom blocks YouTube 2008 Malaysian ISP blocks Yahoo 2004 Turkish ISP takes over the Internet 2004, TTNet sent out a full table of Internet routes via BGP that routed most Internet traffic through Turkey for several hours AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 54

43 Standards and Guidelines ISO 27002, Australian Government Information Security Manual Security Vendor Guides COBIT NIST csrc.nist.gov Center for Internet Security (SANS) O Reilly & Assoc publications Spafford Cheswick AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services 55

44 Questions 56

45 Threats, Vulnerabilities and Risks Risks Assets (incl Business Processes) Threats exploit Vulnerabilities expose Value 57