Auditing Internet Security
AUD11 SPEAKER: Gary Gaskell (QLD), Infosec Services
Session Objectives
- IS auditors have enough confidence to use ITGC skills to audit Internet security to a medium assurance level
Internet Security Audit =
1. IT General Control audit
+
2. Access control audit of the Internet gateway vis
Agenda
- What is Internet security
- Internet security technology
- Common IT General Controls
- Specific Internet security controls
Cisco Diagram (figure)
Internet Security: Goals
- Secure connection to the Internet
- Block access to internal systems
- Protect web applications
- Control internal personnel use of the Internet
- Secure remote access
Threats and Risks

Threat | Risk
--- | ---
Hackers extract and publish sensitive information (databases; executive files, negotiation strategies; legal files; IP) | Damages, litigation; loss of business position; breach of legal duties; loss of competitive advantage
Staff publish sensitive info | Damages, litigation; loss of business position; breach of legal duties; loss of competitive advantage
Denial of service | Cash flow, loss of sales; reputation
Theft of credit card details | Liability to bank
Spoofing of your email | Damages and litigation
Staff and porn | Damages and litigation
Network Layers

OSI Model | TCP/IP Model
--- | ---
Application | Application (HTTP, FTP)
Presentation | Application (HTTP, FTP)
Session | Application (HTTP, FTP)
Transport | Host-to-host (TCP, UDP)
Network | Network (IP)
Data Link | Network Access
Physical | Network Access
The IP packet (figure)
Filtering Layers (Cyberguard diagram)
IP Types
- IP: basic type; competitor to IPX, SNA, DECnet, etc.
- ICMP: Internet Control Message Protocol; used for flow control, pinging
- TCP: Transmission Control Protocol; 3-way handshake, starts with a SYN (synchronise) request; state maintained in the kernel
- UDP: User Datagram Protocol; stateless, the application maintains state
Copyright (c) Infosec Services Pty Ltd 2008
A look back to 2002

Rating | Maturity | Objective Controls | Gateway User
--- | --- | --- | ---
1 | Initial | Basic filtering, block incoming | Home user, SOHO
2 | Repeatable | Customised filtering, good technician | SME
3 | Defined | Content scanning, change control, logging | Major companies and Government
4 | Managed | Risk management, compensating controls, monitoring, CSIRP, industry evaluated products | 
5 | Optimised | ISO 15408 evaluated products, formal accreditation process | Banks, high information asset companies, sensitive Government
Auditing Context
- Review enterprise security policy, network security standards
- Identify regulatory information security requirements
- Review security incident history
- Review service provision model: in house; outsourced (IaaS, PaaS, SaaS, etc.)
- Determine assurance requirements
Network Access Control, AKA packet filtering
- Basic packet filtering: rare these days
- Filtering on: destination IP address; source IP address; destination port (AKA service, e.g. HTTP, telnet); source port
- Trust destination only: trust only your own source addresses
Network Access Control: Stateful
- Most common: Checkpoint, Cisco Adaptive Security Appliance, PIX
- E.g. recent outgoing DNS name lookup: permit the DNS response
- Firewall understands network sessions
- Application level
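The DNS example on this slide is the simplest way to see the difference between the basic packet filter of the previous slide and a stateful one. The following is an added illustration, not code from the slides or from any vendor product: a toy stateless filter that has to leave inbound UDP source port 53 open permanently, beside a toy stateful filter that records each outgoing lookup and admits only the matching reply. Addresses are RFC 5737 documentation ranges and the 30-second session lifetime is an assumed value.

```python
"""Added example: stateless vs stateful handling of DNS replies.

Constructed for illustration; not the slides' or any product's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = internal host to Internet, "in" = Internet to internal
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def basic_filter(pkt: Packet) -> str:
    """Stateless filter: to let DNS answers back in it must permit every
    inbound UDP packet with source port 53, solicited or not."""
    if pkt.proto == "udp" and pkt.direction == "out" and pkt.dport == 53:
        return "permit"
    if pkt.proto == "udp" and pkt.direction == "in" and pkt.sport == 53:
        return "permit"
    return "deny"


class StatefulFilter:
    """Records outgoing DNS lookups and admits only their replies."""

    def __init__(self, session_ttl: float = 30.0):
        self.session_ttl = session_ttl   # assumed UDP "session" lifetime, seconds
        self.sessions = {}               # (int_ip, int_port, ext_ip, ext_port) -> expiry

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.sessions.items() if exp <= now]:
            del self.sessions[key]

    def handle(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        if pkt.proto != "udp":
            return "deny"                # this toy models DNS over UDP only
        if pkt.direction == "out" and pkt.dport == 53:
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.session_ttl
            return "permit"
        if pkt.direction == "in":
            # A reply reverses the tuple: from the resolver's port 53 back to
            # the internal host's ephemeral port.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                del self.sessions[key]   # one answer per query, then the hole closes
                return "permit"
        return "deny"


def compare_filters():
    """Run one packet sequence through both filters; returns {name: (basic, stateful)}."""
    resolver = "192.0.2.53"              # constructed: the trusted DNS server
    host = "10.0.0.7"                    # constructed: an internal client
    query = Packet("out", "udp", host, 40001, resolver, 53)
    query2 = Packet("out", "udp", host, 40003, resolver, 53)
    answer = Packet("in", "udp", resolver, 53, host, 40001)
    unsolicited = Packet("in", "udp", "198.51.100.9", 53, host, 40002)  # never requested
    stale = Packet("in", "udp", resolver, 53, host, 40003)              # reply long after query2

    sf = StatefulFilter(session_ttl=30.0)
    results = {}
    for name, pkt, now in [("query", query, 0.0), ("query2", query2, 0.0),
                           ("answer", answer, 1.0), ("unsolicited", unsolicited, 2.0),
                           ("stale", stale, 45.0)]:
        results[name] = (basic_filter(pkt), sf.handle(pkt, now))
    return results


if __name__ == "__main__":
    for name, (basic, stateful) in compare_filters().items():
        print(f"{name:12s} basic={basic:6s} stateful={stateful}")
```

The "unsolicited" and "stale" rows are the audit point: a stateless ruleset that allows DNS at all is, in effect, a permanent inbound hole on UDP 53, which is why the slide treats session awareness as the baseline for a modern gateway.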
Network Access Control: Application Level
- Application protocol compliance and misuse
- Enforce protocol rules, e.g. only DNS over the DNS port
- Block risky but compliant protocol options, e.g. SMTP EXPN
- Content filtering: filter on the data part of the IP packet
Filtering: What to look for
- Ingress
  - Very restricted rules
  - Restricted access to DMZ resources
  - No access direct to internal networks
  - No blanket access for remote access
  - DMZ to internal networks: only essential connections
- Egress
  - Enforcement of use of proxies, e.g.:
    - SMTP = enforce use of corporate email
    - HTTP = enforce use of content filter
    - DNS = enforce use of trusted DNS server
Content Inspection
- Malware: viruses, worms; buffer overflow attempts; other exploitations
- Unauthorised content: keywords, e.g. F**K; images (skin tones, etc.)
- Dedicated servers support firewalls
Intrusion Prevention Systems
- Evolution from Network IDS
  - Historically separate IDS with feedback to the firewall
  - Now mostly part of a firewall but licensed separately; requires annual subscription
  - IDS engine dynamically writes firewall rules
- Detection techniques: signatures; anomaly / heuristics; blacklists
- Disclosure Loss Prevention tools (DLP) (rarely tuned well)
Field Work
Testing: Passive
- Ask the administrator to show you the settings: less audit risk than accessing the admin account yourself
- Inspect key controls: applicable security policy; technical configuration settings; logging and incident response capability
- Review the firewall ruleset
- Inspect the IDS/IPS console: do they review or monitor suspect events?
Testing: Review Firewall Rules
- Default deny policy?
- Permit risky protocols? Protocols with plaintext passwords; protocols permitting remote control or access
- Decisions based on untrustworthy source information?
- Rules match authorised usage
- Rule documentation
- Get the hidden (implied) rules on Firewall-1
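The review questions on this slide and on "Filtering: What to look for" can be encoded as a first automated pass over an exported ruleset before the auditor reads it rule by rule. The block below is an added example, not code from the slides and not a vendor tool: it classifies each rule's source and destination into Internet, DMZ and internal zones and raises a finding for a missing default deny, direct Internet-to-internal permits, plaintext-password and remote-control services, permits keyed on an unverifiable Internet source address, blanket DMZ-to-internal access, egress that bypasses the corporate proxy, and undocumented rules. The zone ranges, proxy hosts, port lists and the sample ruleset are all constructed.

```python
"""Added example: automated first pass over a firewall ruleset.

Constructed for illustration of the slides' review questions; not the
slides' code or any product's. Zones use RFC 1918 / RFC 5737 ranges.
"""
import ipaddress

ANY = "any"
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # constructed internal range
DMZ = ipaddress.ip_network("192.0.2.0/24")        # constructed DMZ range

# Services the slides call risky (assumed port lists).
PLAINTEXT_PASSWORD = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}
REMOTE_CONTROL = {22: "ssh", 3389: "rdp", 5900: "vnc"}
# Egress services that should leave only via the corporate proxy for that service.
PROXY_ONLY = {25: "smtp", 53: "dns", 80: "http"}
PROXY_HOSTS = {25: "10.0.0.25", 53: "10.0.0.53", 80: "10.0.0.80"}   # constructed


def zone(addr: str) -> str:
    """Classify an address or CIDR block into any / internal / dmz / internet."""
    if addr == ANY:
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    if net.subnet_of(INTERNAL):
        return "internal"
    if net.subnet_of(DMZ):
        return "dmz"
    return "internet"


def audit(rules):
    """Return (rule id, finding code, detail) tuples for a top-down ruleset."""
    findings = []
    last = rules[-1]
    if not (last["action"] == "deny" and last["src"] == ANY
            and last["dst"] == ANY and last["port"] == ANY):
        findings.append((last["id"], "no-default-deny", "ruleset does not end in deny any any"))

    for r in rules:
        if r["action"] != "permit":
            continue
        rid, port = r["id"], r["port"]
        sz, dz = zone(r["src"]), zone(r["dst"])
        if not r.get("comment"):
            findings.append((rid, "undocumented", "no description of authorised usage"))
        if sz in ("any", "internet"):
            if dz == "internal":
                findings.append((rid, "ingress-to-internal", "Internet reaches internal network directly"))
            if port == ANY:
                findings.append((rid, "ingress-any-service", "inbound rule not restricted to a service"))
            if port in PLAINTEXT_PASSWORD:
                findings.append((rid, "plaintext-password", PLAINTEXT_PASSWORD[port]))
            if port in REMOTE_CONTROL:
                findings.append((rid, "remote-control", REMOTE_CONTROL[port]))
        if sz == "internet" and dz != "internet":
            # "Trust destination only": a permit keyed on an Internet source
            # address relies on information the firewall cannot verify.
            findings.append((rid, "source-trust", f"permit relies on claimed source {r['src']}"))
        if sz == "dmz" and dz == "internal" and port == ANY:
            findings.append((rid, "dmz-to-internal-broad", "DMZ hosts may open any service inward"))
        if sz == "internal" and dz in ("any", "internet") and port in PROXY_ONLY:
            if r["src"] != PROXY_HOSTS[port]:
                findings.append((rid, "egress-bypasses-proxy",
                                 f"{PROXY_ONLY[port]} permitted from {r['src']}, not only the proxy"))
    return findings


# Constructed sample ruleset in the form an auditor might export it.
SAMPLE_RULES = [
    {"id": 1, "src": ANY, "dst": "192.0.2.10", "port": 443, "action": "permit", "comment": "public web server"},
    {"id": 2, "src": ANY, "dst": "192.0.2.10", "port": 23, "action": "permit", "comment": ""},
    {"id": 3, "src": "203.0.113.5", "dst": "10.0.0.15", "port": 3389, "action": "permit", "comment": "vendor support"},
    {"id": 4, "src": "192.0.2.0/24", "dst": "10.0.0.0/8", "port": ANY, "action": "permit", "comment": "dmz to lan"},
    {"id": 5, "src": "10.0.0.80", "dst": ANY, "port": 80, "action": "permit", "comment": "web proxy out"},
    {"id": 6, "src": "10.0.0.0/8", "dst": ANY, "port": 25, "action": "permit", "comment": "mail out"},
    {"id": 7, "src": ANY, "dst": ANY, "port": ANY, "action": "deny", "comment": "default deny"},
]

if __name__ == "__main__":
    for rid, code, detail in audit(SAMPLE_RULES):
        print(f"rule {rid}: {code}: {detail}")
```

Findings of this kind are a reading aid, not a verdict: rule 3 may be an approved vendor arrangement, but the auditor still wants the authorisation record, the compensating controls and a review date for it.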
Testing: Passive (3)
- Documentation
  - Network diagrams: secure architecture?
  - Ruleset descriptions? Maintainable? Periodically reviewed?
- Infrastructure inspection: patch cables match diagrams?
- Software flaws: patch plans/records
- Check for evidence of control effectiveness: test reports (including regression testing); system logs; incident reports
Testing: Passive (4)
- Change control: security risk; normal ITIL controls
- Administrator: authentication and logging; from a trusted location; skills; access via secure interface
DMZ Servers: Operating Systems
- Use standard server security checklist at the high security level: vendor security manual, ASD or AusCERT list, Center for Internet Security
- Inspect
  - Usual ITGC
  - Running network services: netstat -a; rpcinfo -p (on Unix)
  - Patching
  - Malicious software controls
  - Logging: sent to a separate trusted repository?
  - Multiple homed DMZ servers: get the admin to show it is not a router
- Get the admin to run the vendor's security tools for you
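The "running network services" check is easiest to evidence when the netstat output the administrator shows you is compared against the list of services the server is approved to offer. The block below is an added example, not from the slides: it parses a constructed `netstat -an` listing in the Linux net-tools layout, keeps only listening sockets (TCP in LISTEN state; every bound UDP socket, since UDP has no state column), and splits anything outside a constructed baseline into exposed and loopback-only services.

```python
"""Added example: listening sockets from 'netstat -an' against a baseline.

The netstat text and the approved-service list are constructed for a
hypothetical DMZ web server; this is not the slides' code.
"""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.7:51234      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Constructed baseline: (protocol, port) pairs the server is approved to expose.
APPROVED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

LOOPBACK_PREFIXES = ("127.", "::1")


def listening_sockets(text):
    """Return [(proto, bind address, port)] for every listening socket."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                               # headers and blank lines
        proto = fields[0].rstrip("6")              # tcp6 -> tcp, udp6 -> udp
        addr, port = fields[3].rsplit(":", 1)      # rsplit copes with IPv6 '::' addresses
        if fields[0].startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue                               # established or closing TCP connections
        out.append((proto, addr, int(port)))
    return out


def unexpected_services(text, approved=APPROVED):
    """Split listening sockets outside the baseline into exposed and loopback-only."""
    exposed, local_only = [], []
    for proto, addr, port in listening_sockets(text):
        if (proto, port) in approved:
            continue
        if addr.startswith(LOOPBACK_PREFIXES):
            local_only.append((proto, addr, port))  # still worth a question, lower exposure
        else:
            exposed.append((proto, addr, port))
    return exposed, local_only


if __name__ == "__main__":
    exposed, local_only = unexpected_services(SAMPLE_NETSTAT)
    print("exposed, not in baseline:", exposed)
    print("loopback only, not in baseline:", local_only)
```

In the constructed listing the surprises are the RPC portmapper on 111 (TCP and UDP) and SNMP on UDP 161; port 111 is exactly where the slide's `rpcinfo -p` would go next, to enumerate which RPC services sit behind it.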
DMZ Middleware
- Often the weakest point
- Web services access control: middleware containers have access control lists
- Inspect
  - Web services access control: authentication to access web services? Logging?
  - Databases: dust off your database audit program
DMZ Servers Continued
- Backed up?
- Part of an IT Disaster Recovery Plan? Tested?
- Increasingly using High Availability and auto failover
ASD's Top 35 Mitigations
- Firewalls, network segmentation, proxy enforcement
- Host and network IPS, centralized network logging
- Email spoof controls: Sender Policy Framework
- Block certain file types
- Email and web content filtering, malware controls
- Web domain whitelisting, blacklist known malicious domains
- Patching
- Dynamic analysis of email and web (sandbox)
- Server OS exploit mitigation, server application hardening
Testing: Active
- Check control effectiveness
- Scan accessible ports: does the admin have the tools? Tools: nmap
- Scan application vulnerabilities. Tools: Nessus, Acunetix, AppScan, Burp Suite, Hailstorm, NTO Spider, Qualys, WebInspect
- Penetration tests by service provider? CREST Australia
Testing: Analysis vs Pen Tests
- Pen tests and scans great for obvious stuff ups
- Weaknesses hard to find by pen tests:
  - Rules with source network filters
  - Rules for decommissioned servers (firewall rule reuse)
  - No filtering from DMZ to internal networks
  - No egress filtering
  - Messed up firewall object definitions
  - Firewall software flaws and patches, e.g. Cisco PIX ACL bypass
Finifter and Wagner, UC Berkeley (figure, used with permission)
- Scope: code review
- http://www.cs.berkeley.edu/~daw/papers/webapps11.pdf
Analysis vs Testing (diagram)
Web Deployment Trends
- Virtualisation, virtualisation, virtualisation
  - Co-hosting with others' web services
  - Server virtualisation
  - Storage virtualisation
- Voice over IP security: phone toll fraud
Trends: Storage Virtualisation
- Alternative routes into the inside: shared server virtualisation infrastructure; stretching of SANs into the DMZ
- All of an organisation's data in one place
- SAN controls: zoning, with Host Bus Adapters; LUN masks or Access Control Lists
- Virtual servers can have very broad SAN access: use a separate SAN
Trends: Server Virtualisation
- Internet servers on the internal VM farm, but mainly separate VM farms
- Several key controls not on by default: ARP spoofing; MAC changes; many DoS controls; persistent log files
- Reference: OWASP
Trends: Server Virtualisation (2)
- Sprawl
  - Duplicates running; AV forgotten on virtual server clones
  - Copies of other system snapshots
  - Clones of insecure development configurations
- VM snapshots unprotected on file system
- References: VMware Security Hardening Guides; Microsoft Security Compliance Manager (Hyper-V); OWASP
Corrective Controls: Incident Response
- Is there an incident response plan?
- Does the CSIRP cover management processes and technical responses?
- Is evidence protected?
- Does the plan have management authority?
17 September 2002 CACS 2002
Controls Effectiveness: Logs
- Are they protected?
- Are they stored on a separate server?
- Is it the only gateway? Wireless, modems
Controls Effectiveness: Malicious content scanning
- Frequency of signature updates
- Quality of tool: scan by heuristics and signatures; additional scanning on server or desktop; inspection regardless of file type; inspection inside of archive files
- HTTPS scanning: HTTPS whitelisting, or blacklisting
- Independent expert review
Internet Routing Authenticity
- BGP authentication
- Border router outside the firewall
- Reference: NIST SP800-54
- Real world attacks and accidents
  - China Telecom advertised 37 000 unowned networks, 2010
  - Pakistan Telecom blocks YouTube, 2008
  - Malaysian ISP blocks Yahoo, 2004
  - Turkish ISP takes over the Internet, 2004: TTNet sent out a full table of Internet routes via BGP that routed most Internet traffic through Turkey for several hours
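Each incident on this slide is an announcement of address space by an origin that was not entitled to announce it, or at a more specific prefix length than authorised. The usual defender-side check for that is route origin validation, where received announcements are compared with a table of authorised (prefix, maximum length, origin AS) records in the manner of RFC 6811. The block below is an added example and not from the slides or NIST SP800-54: it implements that comparison over a constructed authorisation table and a constructed batch of announcements using documentation prefixes and private-use AS numbers, so an auditor can see what "valid", "invalid" and "not found" mean for the border router's view of its own prefixes.

```python
"""Added example: route-origin check in the style of RFC 6811.

The authorisation table (ROA-like records) and announcements are
constructed; this is not the slides' code or any router's implementation.
"""
import ipaddress

# Constructed authorisations: (prefix, maximum prefix length, authorised origin AS).
ROAS = [
    ("203.0.113.0/24", 24, 64500),   # our own public block, announced only as a /24
    ("198.51.100.0/22", 24, 64501),  # a peer allowed to announce down to /24s
]


def origin_state(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one (prefix, origin AS) announcement.

    valid:     some covering record names this origin and allows this length
    invalid:   covering records exist but none match (wrong AS, or too specific)
    not-found: nothing on file covers the prefix, so the table cannot judge it
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def review_announcements(announcements, roas=ROAS):
    """Classify a batch of (prefix, origin AS) announcements."""
    return {(p, a): origin_state(p, a, roas) for p, a in announcements}


# Constructed announcements modelling the kinds of event on the slide.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate
    ("203.0.113.0/24", 64511),   # another AS claims our block outright
    ("203.0.113.0/25", 64500),   # right AS, but more specific than authorised
    ("198.51.100.0/23", 64501),  # within the peer's permitted length
    ("192.0.2.0/24", 64499),     # nothing on file: cannot be judged from this table
]

if __name__ == "__main__":
    for (prefix, asn), state in review_announcements(SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix:18s} AS{asn}: {state}")
```

The "not-found" outcome is the caveat an auditor should note: a table that only lists your own prefixes detects misuse of your space, but says nothing about whether the routes you accept for everyone else are genuine, which is what the 2004 TTNet full-table event turned on.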
Standards and Guidelines
- ISO 27002, 27005
- Australian Government Information Security Manual
- Security vendor guides
- COBIT
- NIST: csrc.nist.gov
- Center for Internet Security (SANS): www.cisecurity.org
- O'Reilly & Assoc publications: Spafford, Cheswick
Questions
Threats, Vulnerabilities and Risks (diagram): threats exploit vulnerabilities, which expose the value of assets (incl. business processes); risks