Coleg Gwent. Wireless Audit. Internal Audit Report (2.10/11) 23 May 2011. Overall Opinion: Amber Green




Coleg Gwent

CONTENTS
Section                         Page
Executive Summary               1
Action Plan                     5
Findings and Recommendations    10

Debrief meeting: 10 December 2010
Draft report issued: 22 December 2010
Responses received: 25 February 2011
Final report issued: 28 February 2011
Revised final report issued: 23 May 2011

Auditors: Helen Cargill, Associate Director; Heather Wheatley, IA Manager; Sheila Pancholi, ISA Associate Director; Steve Snaith, ISA Associate Director; Aaron Chu, Senior ISA Consultant

Client sponsor: Lynda Astell, Vice Principal (Finance, Estate and Information Services)
Distribution: Lynda Astell, Vice Principal (Finance, Estate and Information Services); Mike Holcombe, Head of IT

This review has been performed using RSM Tenon's bespoke internal audit methodology, i-ris. The matters raised in this report are only those which came to our attention during our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. Whilst every care has been taken to ensure that the information provided in this report is as accurate as possible, based on the information provided and documentation reviewed, no complete guarantee or warranty can be given with regard to the advice and information contained herein. Our work does not provide absolute assurance that material errors, loss or fraud do not exist.

This report is prepared solely for the use of the Board and senior management of Coleg Gwent. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended, for any other purpose.

© 2011 RSM Tenon Limited. RSM Tenon Limited is a member of RSM Tenon Group. RSM Tenon Limited is an independent member firm of RSM International, an affiliation of independent accounting and consulting firms. RSM International is the name given to a network of independent accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity. RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB, England.

1 EXECUTIVE SUMMARY

1.1 INTRODUCTION

A Wireless Audit was undertaken as part of the approved internal audit periodic plan for 2010/11. Coleg Gwent ("the College") is the largest further education college in Wales, with five campuses and two Learn IT Centres across Gwent at Newport, Crosskeys, Ebbw Vale, Pontypool, Usk, Cwmbran and Monmouth.

The College has deployed a centrally managed wireless network infrastructure manufactured by Trapeze. This infrastructure hosts two networks: one for trusted users from the College, such as staff and students, and the other for guests. Authentication to the trusted network is based on Windows Active Directory. The guest network is open access, but it has been designed without access to either the Internet or the internal network.

The College is currently engaging in a programme of investment to upgrade its IT infrastructure, which includes the expansion of its wireless network coverage to its entire estate. To this end, it has commissioned a network consultancy firm, LAN2LAN, to devise an implementation strategy for additional wireless infrastructure. The proposal includes ways to manage guest access to the wireless network.

The College had installed a new firewall as part of a trial process just before this review was performed, in order to determine the most suitable firewall solution to procure next year.

The audit was designed to assess the controls in place to manage the following objective and risks:

Objective: To provide high level assurance that the wireless network operates in a secure and controlled environment.

Risks:
- Unauthorised access to data transmitted over the wireless network or to the wider wired network.
- Faults, failures or security incidents are not dealt with efficiently or effectively.
1.2 CONCLUSION

Taking account of the issues identified, the Board can take reasonable assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective. However, we have identified issues that, if not addressed, increase the likelihood of the risk materialising. The above conclusions feeding into the overall assurance level are based on the evidence obtained during the review.

The key findings from this review are as follows:

Design of control framework

The following primary wireless network controls have been designed:
- Group policy has been designed to lock down wireless network settings on College workstations, reducing the risk of individuals gaining access to details of the security settings which may be exploited, compromising the wireless network's integrity.

- Access points deployed in the public areas across the estate have been designed not to retain any network data or settings, reducing the risk of the network security configurations and related data being compromised and exploited, adversely impacting the integrity of the wireless network.
- The trusted wireless network is designed with the WPA2/AES encryption standard, reducing the risk of unauthorised interception of information transferred over the wireless network, which would adversely impact information and network integrity. In addition, the wireless network for trusted users has been designed to require authentication using Active Directory.
- A contract has been established between the College and LAN2LAN to provide technical support for the wireless network, reducing the risk of issues not being addressed in a timely manner that compromise the availability of the wireless network service.

However, we did identify a number of weaknesses in the design of wireless network controls that impact network security, principally:
- The firewall has been designed with rules that are not sufficiently restrictive, increasing the risk of non-trusted individuals obtaining network access.
- The procedure designed for revoking user accounts on Active Directory relies on monthly HR leavers reports, increasing the risk that redundant accounts are not disabled in a timely manner and may be targeted to gain unauthorised access.
- There is no arrangement in place to log user activities on the wireless network, including the audit policy on Active Directory, increasing the risk of the College not being able to trace security incidents retrospectively.
- Penetration tests are not performed periodically, increasing the risk that technical vulnerabilities on the wireless network are not identified and addressed in a timely manner.

Application of and compliance with control framework

We identified the following area for management attention that adversely impacts the integrity of the wireless network:
- The review of Active Directory found that 64 accounts had access to the wireless network management console server, increasing the risk of intruders targeting these accounts to gain access and make inappropriate changes to the configurations.

Overall, we note that the College is taking action to improve the existing wireless network infrastructure through the development of an implementation strategy with support from LAN2LAN. Our overriding recommendation is for management to consider the recommendations identified in this report when finalising its implementation strategy, to help strengthen the control framework that is already in place. Moreover, a number of weaknesses identified in this report require the immediate attention of management, particularly the weaknesses in the firewall rules.

1.3 SCOPE OF THE REVIEW

The objective of our audit was to evaluate the adequacy of risk management and control within the system and the extent to which controls have been applied, with a view to providing an opinion. Control activities are put in place to ensure that risks to the achievement of the organisation's objectives are managed effectively. When planning the audit, the following controls for review and limitations were agreed:

Control activities relied upon:
- Security controls in place over the operation of the wireless network; and
- Management monitoring controls over the wireless network.

Limitations to the scope of the audit:
- This was a high level review of the control framework; detailed testing of the adequacy of individual components of this framework was not undertaken.

- We did not physically visit every wireless access point and location, but we undertook base testing at the Pontypool campus as this was the location of the server hosting the management console and one of the two wireless network controllers.
- We did not carry out detailed firewall testing.
- The review of the procedure for granting student access on Active Directory was limited to the point when export files were made from the EBS enrolment database. We did not carry out a review of the process of importing student records onto EBS.
- Our work does not provide absolute assurance that material errors, loss or fraud do not exist.

The approach taken for this audit was a Risk-Based Audit.

1.4 RECOMMENDATIONS SUMMARY

The following tables highlight the number and categories of recommendations made. The Action Plan at Section 2 details the specific recommendations made as well as the agreed management actions to implement them.

Recommendations made during this audit:

Our recommendations address the design and application of the control framework as follows:

Priority                           High   Medium   Low
Design of control framework        0      4        6
Application of control framework   0      1        2
Total                              0      5        8

The recommendations address the risks within the scope of the audit as set out below:

Risk                                                                                    High   Medium   Low
Unauthorised access to data transmitted over the wireless network or to the wider
wired network.                                                                          0      4        6
Faults, failures or security incidents are not dealt with efficiently or effectively.   0      1        2
Total                                                                                   0      5        8

2 ACTION PLAN

The priority of the recommendations made is as follows. Recommendations are prioritised to reflect our assessment of risk associated with the control weaknesses.

Priority: High / Medium / Low
Suggestion: These are not formal recommendations that impact our overall opinion, but are used to highlight a suggestion or idea that management may want to consider.

Each entry below gives: Ref; Recommendation; Categorisation; Accepted (Y/N); Management Comment; Implementation Date; Manager Responsible.

Ref 1.9
Recommendation: Management should review the existing firewall rules to ensure that they are robust in blocking un-trusted users gaining access to the Internet without sufficient safeguards in place.
Categorisation: Medium
Accepted: Y
Management Comment: The firewall has been replaced and a review of firewall rules undertaken.
Implementation Date: Complete
Manager Responsible: N/A

Ref 1.11 / 2.3
Recommendation: The accounts on Active Directory with access to the RingMaster server should be reviewed and all redundant access removed. Individual accounts should be set up on RingMaster and the generic accounts removed.
Categorisation: Medium
Accepted: Y
Management Comment: The new version release of RingMaster provides for more granular user accounts. Increased security of RingMaster accounts will be implemented as part of this upgrade.
Implementation Date: May 2011
Manager Responsible: Head of IT

Ref 1.14
Recommendation: The IT Department should create a formal joint workflow process with HR to ensure that notifications from line managers of leavers are notified to both HR and IT concurrently, to help facilitate the prompt deactivation of user accounts. As an additional control, the IT Department should perform a monthly analysis to identify and investigate accounts which have not been accessed for the past 90 days.
Categorisation: Medium
Accepted: Y
Management Comment: Management accept that user accounts should be de-activated on a timely basis when a member of staff leaves the College. The current practice can lead to a delay of up to 30 days, although line managers of departments with higher risk users notify IT immediately on resignation or confirmation of leaving date. This approach balances practical consideration with risk and, subject to audit committee agreement, this approach will be formalised within the IT Security Policy.
Implementation Date: July 2011
Manager Responsible: Head of IT

Ref 1.18
Recommendation: Penetration tests should be carried out periodically to identify any security weaknesses in the wireless network infrastructure.
Categorisation: Medium
Accepted: Y
Management Comment: Proposals and costs have been obtained from suppliers. Tests are to be scheduled after the firewall upgrade.
Implementation Date: June 2011
Manager Responsible: Head of IT

Ref 2.4
Recommendation: Audit policy should be enabled on Active Directory:

Requirement                        Value
Audit account logon events         Success and failure
Audit account management           Success
Audit directory service access     Success
Audit logon events                 Success and failure
Audit object access                No auditing
Audit policy change                Success
Audit privilege use                No auditing
Audit process tracking             No auditing
Audit system events                Success

Categorisation: Medium
Accepted: Y
Management Comment: As stated in the main body of the report, previous attempts to activate the audit policy have resulted in serious degradation of network performance under Windows Server 2003. The College is now cautiously turning on the audit policy element by element and assessing network performance each time. This will continue until the full audit policy is enabled, subject to maintaining network performance.
Implementation Date: December 2011
Manager Responsible: Head of IT

Ref 1.1
Recommendation: Management should enable the password complexity security setting in accordance with best practice.
Categorisation: Low
Accepted: Y
Management Comment: The College complies with best practice requirements with the exception of enabling password complexity. The current version of Windows Server does not support a granular password policy, which means that all staff and students are covered by the same password policy. Due to the diverse mix of staff and students a single complex policy is not practical and is why it is not currently enabled. The College is on track to upgrade to a new version of Windows Server by September 2011, at which point it will implement password complexity on a granular, risk related basis.
Implementation Date: By Sept 2011
Manager Responsible: Head of IT

Ref 1.2
Recommendation: A procedure should be established to seek formal acceptance from Guest Users to abide by the College's acceptable terms of usage.
Categorisation: Low
Accepted: Y
Management Comment: This will be reviewed and a suitable solution implemented.
Implementation Date: August 2011
Manager Responsible: Head of IT

Ref 1.3
Recommendation: The Wireless Network Security Policy should be finalised and made available to all users.
Categorisation: Low
Accepted: Y
Management Comment: A final Wireless Network Security Policy will be available by July 2011. However, it should be noted that all key IT security issues are included in the overarching IT Security Policy. The Wireless Network Security Policy will address specific wireless deployment issues such as frequency management. The College is still in the process of rolling wireless access out across the College and the draft policy has been evolving during this period.
Implementation Date: July 2011
Manager Responsible: Head of IT

Ref 1.4
Recommendation: The Trapeze Wireless Configuration Documentation should be maintained and updated on a regular basis to ensure that it remains current. This should include an up to date network diagram that incorporates both the wireless and the rest of the network infrastructure of the College. Version control should be included in the documentation to track the revisions and updates made.
Categorisation: Low
Accepted: Y
Management Comment: Whilst we agree that the documentation should be maintained, we also believe that the current documentation is consistent with current requirements. However, documentation will be updated and amended as part of the upcoming wireless project.
Implementation Date: August 2011
Manager Responsible: Head of IT
Auditors' Comment: Noted

Ref 1.5
Recommendation: Management should consider purchasing the required software licence to enable the management of the two controllers as a cluster. As an interim measure, the IT Department should perform a review on a regular basis to ensure that the settings applied between the two controllers are consistent. Each review should be documented to ensure the existence of audit trails.
Categorisation: Low
Accepted: Y
Management Comment: The licences have now been purchased and implemented.
Implementation Date: Complete
Manager Responsible: N/A

Ref 1.13
Recommendation: Completed new user request forms should be retained for the duration that the accounts remain active, to provide adequate audit trails. This should include the e-mails from line managers with the forms attached to confirm approval when the forms are not signed. A sample check should be performed on a monthly basis on the completed forms processed during the period to confirm that all fields have been completed accurately.
Categorisation: Low
Accepted: Y
Management Comment: Management does not accept that new user request forms need to be retained for the duration of a user account remaining active. However, it is agreed that request forms should be maintained for 12 months and that high risk user accounts should be subject to checking 1 month after set up. This will be implemented.
Implementation Date: July 2011
Manager Responsible: Head of IT

Ref 2.2
Recommendation: An arrangement should be established to capture activities on the College's wireless networks.
Categorisation: Low
Accepted: Y
Management Comment: This will be reviewed and an appropriate solution implemented as part of the wireless roll out project.
Implementation Date: December 2011
Manager Responsible: Head of IT

Ref 2.5
Recommendation: The IT Department should configure its existing alerting system to report faults developed in the wireless network infrastructure.
Categorisation: Low
Accepted: Y
Management Comment: Email notification has been implemented within RingMaster to alert IT staff of any AP or controller failures.
Implementation Date: Completed
Manager Responsible: N/A
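The audit-policy baseline in item 2.4 can be checked mechanically rather than by eye. The following Python script is an added illustration, not part of the report or the College's tooling: it parses the [Event Audit] section of a security template as exported by `secedit /export` and lists the categories that fall short of the baseline. The sample export is constructed, and treating the baseline as a minimum (auditing more than required is acceptable) is this example's assumption, not a statement from the report.

```python
"""Compare a Windows audit policy export with the baseline in item 2.4.

Input: the [Event Audit] section of a security template (secedit /export).
Each value is a bitmask: 0 = no auditing, 1 = success, 2 = failure,
3 = success and failure. The sample export below is constructed.
"""
import re

SUCCESS, FAILURE = 1, 2

# Baseline from the action plan, item 2.4 (legacy nine-category audit policy).
# Keys are the security-template names for those categories.
BASELINE = {
    "AuditAccountLogon": SUCCESS | FAILURE,   # Audit account logon events
    "AuditAccountManage": SUCCESS,            # Audit account management
    "AuditDSAccess": SUCCESS,                 # Audit directory service access
    "AuditLogonEvents": SUCCESS | FAILURE,    # Audit logon events
    "AuditObjectAccess": 0,                   # Audit object access: no auditing
    "AuditPolicyChange": SUCCESS,             # Audit policy change
    "AuditPrivilegeUse": 0,                   # Audit privilege use: no auditing
    "AuditProcessTracking": 0,                # Audit process tracking: no auditing
    "AuditSystemEvents": SUCCESS,             # Audit system events
}


def parse_event_audit(template_text):
    """Return {key: int} for the [Event Audit] section of a security template."""
    settings = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            in_section = header.group(1).strip().lower() == "event audit"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = int(value.strip())
    return settings


def describe(mask):
    """Human-readable form of an audit bitmask, matching the report's wording."""
    names = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success and failure"}
    return names[mask & 3]


def check_compliance(settings, baseline=BASELINE):
    """Return (key, configured, required) for each category missing a required
    flag. Assumption: the baseline is a minimum, so extra auditing passes."""
    gaps = []
    for key, required in baseline.items():
        configured = settings.get(key, 0)   # an absent key means not audited
        if (configured & required) != required:
            gaps.append((key, describe(configured), describe(required)))
    return gaps


# Constructed sample: a domain that has enabled the policy only in part,
# as the management response to item 2.4 describes ("element by element").
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 1
AuditAccountLogon = 3
"""

if __name__ == "__main__":
    for key, have, want in check_compliance(parse_event_audit(SAMPLE_EXPORT)):
        print(f"{key}: configured '{have}', baseline requires '{want}'")
```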

3 FINDINGS AND RECOMMENDATIONS

Risk 1: Unauthorised access to data transmitted over the wireless network or to the wider wired network.

1.1 Over-arching IT Security Policy

Control: The College has designed an IT Security Policy, available on the Intranet, which applies to both staff and learners. It encompasses a number of security areas, in particular:
- reference to relevant legislation;
- the acceptable use of the Internet; and
- password security settings.

Control adequately designed: Yes

Findings: The most recent version of the IT Security Policy was reviewed and approved following minor amendment. It was noted that the most recent version had not been uploaded to the intranet, but we were advised that this had been addressed following completion of our audit fieldwork. Furthermore, there is a requirement for the Policy to be reviewed on a two yearly basis. The Policy was reviewed and agreed at both F&E Committee (20/07/10) and HR&R Committee (02/11/10). Although the Policy requires that passwords are not shared, and complies with best practice in that respect, it does not meet best practice in terms of enabling password complexity.

Recommendation: Management should enable the password complexity security setting in accordance with best practice. (Low)

1.2 Guest Acknowledgement to Usage Terms and Conditions

Control: There is no arrangement in place for guest classified users to formally acknowledge their acceptance of the terms and conditions on acceptable use of the wireless network.

Control adequately designed: No

Findings: Visitors, who may not have access to the IT Security Policy, may not know of their obligations and the acceptable use of the wireless network, increasing the risk of inappropriate use that compromises network security. In addition, the College may be liable for any inappropriate and illegal activities over the guest wireless network.

Recommendation: A procedure should be established to seek formal acceptance to abide by the College's acceptable terms of usage. (Low)

1.3 Wireless Network Security Policy

Control: A draft Wireless Network Policy has been documented since March 2008, but it has not been finalised. It applies to all users including visitors, and it has defined the following principal requirements:
- the use of encryption;
- unique authentication for each user, or session login for visitors;
- the authorisation of the IT Department before any new wireless network can be installed;
- installation must comply with the wireless network architecture and standards; and
- staff and students may access the wireless network using their standard Windows credentials.

The policy does not set out the physical access control requirements, or the arrangements for guests connecting to the guest wireless network. Nonetheless, there is a guide for visitors on how to gain access to the guest wireless network.

Control adequately designed: No

Findings: The lack of a wireless network strategy increases the risk of inconsistent application and implementation of wireless network security and infrastructure, adversely impacting wireless network integrity.

Recommendation: The Wireless Network Security Policy should be finalised and made available to all users. (Low)

1.4 Trapeze Wireless Configuration Documentation

Control: Trapeze Wireless Configuration documentation is in place which defines the following settings:
- RingMaster server;
- wireless controller;
- VLAN;
- SSID; and
- access point locations in each campus.

This was prepared in August 2010 but it is not up to date; for example, the locations of the wireless access points are not current. In addition, the documentation lists only 26 access points out of the 59 access points reported on the central management console, RingMaster.

Control adequately designed: No

Findings: Without current standard configuration documentation for the wireless network, there is a risk that the infrastructure may be implemented inconsistently, resulting in security vulnerabilities that compromise network integrity.

Recommendation: The Trapeze Wireless Configuration Documentation should be maintained and updated on a regular basis to ensure that it remains current. This should include an up to date network diagram that incorporates both the wireless and the rest of the network infrastructure of the College. Version control should be included in the documentation to track the revisions and updates made. (Low)

1.5 RingMaster (Central Console)

Control: The College has deployed the software Trapeze RingMaster for managing the wireless networks centrally, including the two wireless network controllers. We have been informed by the Assistant Head of IT that, due to the lack of an additional software licence, the College has been prevented from managing the two controllers as a cluster. As a result, the current design requires the IT Department to manage the two separately on RingMaster.

Control adequately designed: No

Findings: Managing the two controllers separately increases the risk of inconsistency in the configurations, adversely impacting the integrity of the wireless networks.

Recommendation: Management should consider purchasing the required software licence to enable the management of the two controllers as a cluster. As an interim measure, the IT Department should perform a review on a regular basis to ensure that the settings applied between the two controllers are consistent. Each review should be documented to ensure the existence of audit trails. (Low)

1.6 Wireless Network Controllers

Control: The College has deployed two wireless network controllers, at Pontypool and Crosskeys. They are designed to connect and manage a series of access points on the wireless network infrastructure. Each access point has been designed not to store any data, encryption keys or security credentials locally.

Control adequately designed: Yes

Findings: The design of a centrally configured wireless network solution with access points that do not retain network data was found to be adequate and reduces the risk of the security settings being compromised if access points are stolen.

1.7 Network Identifier (SSID)

Control: There are two SSIDs currently in use, one for trusted users, such as learners and staff, while the other is designed for guests.

Control adequately designed: Yes

Findings: It was observed at the Pontypool campus that both SSIDs are broadcast to the public. On discussion it was noted that this is in line with best practice advice provided to the College by experts in this area.

1.8 Wireless Network Encryption

Control: The trusted network is encrypted to the WPA2/AES standard. However, the guest network is unsecured.

Control adequately designed: Yes

Findings: Although the trusted network has been designed to encrypt data using the WPA2/AES encryption standard, the guest wireless network is unsecured. On discussion it was ascertained that the College had taken guidance from wireless experts in making this decision.

1.9 Segregation of the Wireless Networks

Control design: Each wireless network has been designed as a virtual LAN (VLAN) that is separate from the internal network. For the trusted VLAN, a connection has been designed to gain access to the internal network resources.

Design adequate: No

Findings: The design of the guest VLAN is restricted, with no access to the internal network, and Internet access is blocked by the FortiGate firewall, which had only been installed the day before our review on site. However, the following issues exist:

- The VLAN arrangements have not been documented in the current network diagram.
- The high-level review of the rules designed for the FortiGate firewall showed that a rule had been defined to deny all outward traffic from all internal network addresses. However, in contradiction, there were rules designed allowing services from all internal network addresses to all external destinations. While some of these rules had a pre-requisite requirement for Active Directory authentication before traffic was permitted, it was observed that external access could be gained using a network file transfer protocol on the guest wireless network with no authentication or encryption designed.

Note: The network will revert to the legacy firewall from 16 December 2010.

Risk: Without keeping the network diagram up to date, there is a risk of inappropriate changes to the network infrastructure, adversely impacting network integrity. A firewall that does not contain robust rules increases the risk of untrusted users gaining access to the Internet from the wireless network, increasing the risk of inappropriate use that may adversely impact network integrity.

Recommendation: Management should review the existing firewall rules to ensure that they are robust in blocking untrusted users from gaining access to the Internet without sufficient safeguards in place.

Priority: Medium

1.10 Lockdown of Network Settings

Control design: Group policy has been configured to prevent users from gaining access to network connection properties and to the advanced configuration settings.

Design adequate: Yes

Findings: The design of using group policies to lock down network configurations was found to be adequate and reduces the risk of users gaining access to and making inappropriate changes to the wireless network settings, compromising end-point wireless network security integrity.
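The rule-table contradiction noted under 1.9 (a deny-all outbound rule alongside accept rules, one of which passed guest-VLAN file-transfer traffic with no authentication) is the kind of check a reviewer can script rather than eyeball. The following Python is an added example and is not part of the audit report or the College's configuration: the policy table, the internal and guest address ranges, the ports and the rule order are constructed assumptions, and the evaluator models a firewall's top-down first-match behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed policy table modelled on the 1.9 finding: a deny-all-outbound rule
# alongside accept rules from internal addresses to any destination, some gated on
# AD authentication. Networks, ports and order are assumptions, not the College's.
@dataclass(frozen=True)
class Policy:
    name: str
    src: str            # source network (CIDR)
    dst: str            # destination network (CIDR); 0.0.0.0/0 = anywhere
    ports: frozenset    # destination TCP ports; empty = any service
    action: str         # "accept" or "deny"
    requires_auth: bool = False
ANY, INTERNAL = "0.0.0.0/0", "10.0.0.0/8"
POLICIES = [
    Policy("allow-web-authenticated", INTERNAL, ANY, frozenset({80, 443}), "accept", True),
    Policy("allow-ftp", INTERNAL, ANY, frozenset({21}), "accept"),
    Policy("deny-all-outbound", INTERNAL, ANY, frozenset(), "deny"),
    Policy("allow-dns", INTERNAL, ANY, frozenset({53}), "accept"),
]
GUEST_VLAN = ip_network("10.99.0.0/16")   # constructed guest VLAN range

def matches(p, src_ip, dst_ip, port):
    return (ip_address(src_ip) in ip_network(p.src) and ip_address(dst_ip) in ip_network(p.dst)
            and (not p.ports or port in p.ports))

def decide(policies, src_ip, dst_ip, port, authenticated):
    """Top-down, first-match evaluation; an auth-gated accept denies unauthenticated flows."""
    for p in policies:
        if matches(p, src_ip, dst_ip, port):
            if p.action == "accept" and p.requires_auth and not authenticated:
                return "deny", p.name
            return p.action, p.name
    return "deny", "implicit-deny"

def shadowed_by_deny(policies):
    """(rule, deny) pairs where an earlier, broader deny makes the later rule unreachable."""
    dead = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            if (q.action == "deny" and not q.ports and ip_network(p.src).subnet_of(ip_network(q.src))
                    and ip_network(p.dst).subnet_of(ip_network(q.dst))):
                dead.append((p.name, q.name))
                break
    return dead

def unauthenticated_guest_allows(policies, guest=GUEST_VLAN):
    """Accept rules reachable from the guest VLAN that require no authentication first."""
    return [p.name for p in policies
            if p.action == "accept" and not p.requires_auth and guest.subnet_of(ip_network(p.src))]
```

Running the two review functions over a real policy export shows both halves of the finding at once: which accept rules a deny-all rule actually cancels, and which ones the guest VLAN can still reach without an authentication gate.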

1.11 Logical Access Control - RingMaster

Control design: There are three levels of logical access controls designed for RingMaster: Active Directory authentication to gain access to the dedicated server hosting RingMaster; restriction of memberships on Active Directory with access to the RingMaster server; and RingMaster authentication itself.

Design adequate: Yes

Findings: The design of the three-level logical access controls for access to RingMaster was found to be adequate and reduces the risk of unauthorised changes to the wireless network configurations that adversely impact the wireless network's integrity.

We reviewed the list of user access on Active Directory and found that 64 accounts had access to the RingMaster server:

User Group          No.
IT Support          39
Users               22
Business Systems     2
Network Admin        1
Total               64

The number of accounts with access at the server level is considered excessive. In addition, we reviewed the list of accounts on RingMaster and found that two generic accounts had been set up rather than accounts for each individual as expected. One of the accounts provided full administrator access while the other was view only.

Overall, the control is not operating as intended, increasing the risk of unauthorised access to RingMaster through the exploitation of Active Directory and RingMaster accounts.

Recommendation: The accounts on Active Directory with access to the RingMaster server should be reviewed and redundant or unnecessary access removed. Individual accounts should be set up on RingMaster and the generic accounts removed.

Priority: Medium

1.12 Logical Access Control - Trusted Users

Control design: The College has designed the wireless access points to require Active Directory authentication to gain access to the trusted wireless network.

Design adequate: Yes

Findings: The design of using Windows Active Directory user authentication as a way to control logical access to the trusted wireless network was found to be adequate and reduces the risk of unauthorised access by an unauthorised individual, compromising the integrity of the trusted wireless and internal network.

1.13

Control design: Two arrangements have been designed to grant user access on Active Directory:

Staff: A completed New User Request Form with line manager authorisation and a valid staff number is required before an account can be set up by the IT Department.

Students: Student records are retrieved from the EBS enrolment database by the IT Department in CSV format, which is then uploaded manually to AD Manager to create student user accounts in batches.

Design adequate: Yes

Findings: The design of the arrangement for granting user access on Active Directory was found to be adequate and reduces the risk of inappropriate access which may be exploited, adversely impacting network integrity.

To validate the operation of the controls, we selected a sample of 10 student accounts from the network Active Directory and found that all had records on the EBS student enrolment database. A sample of 10 staff accounts was selected from Active Directory, and it was found that only the forms completed in 2010 were retained. As a result, we selected an additional 5 accounts which were created in 2010 for testing. In all we found the following:

Result                                                 No. of cases
Forms missing due to accounts created prior to 2010          8
Accounts created in 2010 with forms retrieved                6
Account created in 2010 but form was missing                 1
Total                                                       15

For the 6 forms found, 3 were fully completed. For the remaining samples, two were submitted to the IT Department by e-mail and they were not retained along with the forms, and one was found to have the employment status box incomplete.

Overall, the control is not operating as intended, increasing the risk of accounts being created inappropriately and without accountability on Active Directory, compromising the integrity of the trusted wireless network.

Recommendation: Completed new user request forms should be retained for the duration when the accounts remain active to provide adequate audit trails. This should include the e-mails from line managers with the forms attached to confirm approval when the forms are not signed. A sample check should be performed on a monthly basis on the completed forms processed during the period to confirm that all fields have been completed accurately.

Priority: Low
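The access review under 1.11 (tabulating the Active Directory accounts with access to the RingMaster server by group, and spotting generic RingMaster logins with no named owner) can be repeated from a group-membership export each time the recommendation is followed up. The following Python is an added example and is not part of the audit report: the export rows, the account names and the set of groups expected to hold administrative access are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed extract of the AD groups whose members can log on to the RingMaster
# server, and of RingMaster's own accounts (made-up names; not the College's data).
AD_EXPORT = """\
username,group,enabled
a.jones,IT Support,true
b.khan,IT Support,true
c.price,IT Support,false
d.evans,Users,true
e.morgan,Users,true
f.lewis,Business Systems,true
g.hughes,Network Admin,true
"""
# owner is None for a generic (shared) login, the pattern the audit objected to.
RINGMASTER_ACCOUNTS = [
    {"name": "admin", "role": "administrator", "owner": None},
    {"name": "viewer", "role": "view-only", "owner": None},
    {"name": "g.hughes", "role": "administrator", "owner": "g.hughes"},
]

def server_access_summary(export_text):
    """Tabulate enabled accounts with server access per AD group; list disabled ones separately."""
    per_group, disabled = Counter(), []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() == "true":
            per_group[row["group"]] += 1
        else:
            disabled.append(row["username"])
    return {"per_group": dict(per_group), "total": sum(per_group.values()), "disabled": disabled}

def groups_to_challenge(summary, administering_groups):
    """Groups granting server access beyond those expected to administer the wireless estate
    (which groups those are is an assumption supplied by the reviewer)."""
    return sorted(g for g in summary["per_group"] if g not in administering_groups)

def shared_accounts(accounts):
    """Generic accounts with no named owner, administrator-level ones listed first."""
    return sorted(((a["name"], a["role"]) for a in accounts if a["owner"] is None),
                  key=lambda pair: pair[1] != "administrator")
```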