COMPREHENSIVE SECURITY AUDIT
Commercial Taxes Department, Karnataka
Ashish Kirtikar
Agenda
- Scope
- IS Audit: high-level strengths, weaknesses, recommendations
- Network Architecture Review: weaknesses, recommendations
- Vulnerability Assessment & Penetration Testing: findings, recommendations
- Q&A
Scope
Scope - Activities
The Comprehensive Security Assessment Program was divided into three groups:
- Information Security Audit
- Internal Vulnerability Assessment & Penetration Testing
- Network Architecture Review
Assessment Duration: 6th July 2011 to 14th July 2011
Assessment Team:
- Mr. Pramod Deshmane, Senior Consultant, Project Manager
- Mr. Ashish Kirtikar, Consultant, Team Leader
- Mr. Amit Gautam, IS Consultant
- Mr. Vaibhav Mahadik, IS Consultant
Scope - Locations
Locations in scope for the activity were taken on a sampling basis; the following sample locations were advised by CTD to be assessed as a part of the audit:
- VTK-I, Gandhinagar Head Office
- State Data Centre (SDC) **
- Computer Centre, VTK-I
- Reliance Communications NOC, VTK-I
- DCCT(Audit)-13, Bangalore
- LVO-10, Bangalore
- NIC Data Center, Kormangla **
- VTK-II, Kormangala
- ADCOM (ENF), SZ, Bangalore
- JCCT(VIG), Bangalore
- JCCT(Appeals) 5&6, Bangalore
- DCCT(Recovery)-2, Bangalore
- ACCT(LT)-2, Bangalore
- ETO-2, Bangalore
- PTO-1, Bangalore
- DCCT(Audit)-3, Mysore
- LVO-190, Mysore
- VSO-152, Ramanagara
- STCP(IN), Hosur Road, Attibele, Bangalore
- STCP(OUT), Hosur Road, Attibele, Bangalore
- JCCT, DVO, Belgaum
- DCCT(ENF), Belgaum
- LVO-380, Belgaum
- PTO, Belgaum
- VSO-381, Sankeswara
- STCP(IN), Nippani
** SDC & NIC Datacenters were assessed only for physical security w.r.t. the CTD devices, as they are third-party vendors and their entire infrastructure is out of the scope and control of CTD.
IS Audit High Level Gaps
IS Audit - Introduction
This activity was conducted to analyze the current composure of the Information Security Infrastructure in the Commercial Taxes Department office locations. The Information Security Audit Checklist for the Commercial Taxes Department is based on industry-accepted security standards from SANS, ISO 27001 and PCI DSS. The following areas have been covered in this audit:
- Information security policy
- Organization of information security
- Asset management
- Human resources security
- Physical security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
IS Audit - Compliance Levels
Compliance Level (Marks %): Explanation of Level
- Non Existence (0): Process non-existent.
- Informal (20): The process/activity exists without relevant documentation. Ownership not defined; roles and responsibilities not documented. No records exist. No reports exist.
- Limited (40): The process/activity exists with some relevant documentation. Ownership defined; roles and responsibilities not documented. Few records created and maintained. Few reports created.
- Partial (60): The process/activity exists with some additional relevant documentation. Ownership defined; roles and responsibilities not documented. Records created, maintained and archived. Few reports created.
- Major (80): The process/activity exists with relevant documentation. Ownership defined; roles and responsibilities documented. Relevant records created, maintained and archived. Relevant reports created.
- Full (100): All criteria satisfied.
IS Audit - Compliance Summary (%)
(Values read from the bar chart; areas are numbered 1 to 11 in the order listed on the chart.)
1. Information security policy: 30.00
2. Organization of information security: 56.36
3. Asset management: 12.00
4. Human resources security: 71.11
5. Physical security: 36.00
6. Communications and operations management: 14.81
7. Access control: 34.28
8. Information systems acquisition, development and maintenance: 4.00
9. Information security incident management: 8.00
10. Business continuity management: 12.00
11. Compliance: 30.00
IS Audit - Strengths
- Management willingness and commitment to optimize the current IT infrastructure and ensure its security.
- Policies & procedures for the Information Security Management System have been defined.
- Centralized anti-virus management is implemented.
- Contact with authorities like NIC.
- Monitoring of the uptime and SLAs for third parties like Reliance.
- Access control & user management followed for the web-based applications.
- Privilege management implemented for the web-based applications.
IS Audit - Weaknesses
- Lack of awareness about the policies & procedures at the user level.
- The policies & procedures defined are not implemented at the user level.
- No periodic review meetings of the management to review the status and composure of the implementation of information security in the organization.
- Asset registry / inventory not maintained.
- Asset management process not followed as per the defined policies and procedures.
- Lack of specific information security awareness trainings or programs.
- Improper equipment siting and placement in some of the locations.
IS Audit - Weaknesses
- Patch management is not centralized; hence patches are not updated on many systems.
- Anti-virus logs / alerts are not monitored.
- Hardening standards or baselines for desktop systems or servers not implemented.
- User management non-existent for local desktop systems, network devices, servers and databases.
- Password policy / account lockout policy is not present on any system.
- Change control not followed for all the systems as per the defined policies & procedures.
- Data transferred from the NIC datacenter to CTD and from CTD to the State Data Center is on removable media, without any specific measures to protect the integrity / confidentiality of the data.
IS Audit - Weaknesses
- There is no IDS / IPS in the network to monitor all the traffic transmitted across the CTD environment.
- Network device configuration reviews are not done to ensure access is restricted only as per business requirements.
- Logging for any of the systems is not present.
- Use of public email accounts for business mails.
- Business continuity & disaster recovery implementation / testing procedures are not documented.
- Incident response procedures / trainings are not followed as per the defined policies.
- Risk assessment activity has not been carried out for the assets in CTD.
IS Audit - Recommendations
- Information security awareness trainings should be conducted for all the employees of CTD. It should be ensured that all employees read and understand the critical information security policies.
- Management should ensure and monitor on a periodic basis that the policies defined are followed and implemented all across CTD.
- User management should be centralized; CTD can consider the use of technology like a domain-based setup.
- Change control should be followed as defined and documented in the policies.
- Patch management should be centralized; CTD can consider the use of technologies like WSUS for centralized patch management.
- Anti-virus logs / alerts should be regularly monitored, follow-ups should be done till closure of the issue, and incident management procedures should be followed for the same if required.
IS Audit - Recommendations
- CTD should host its own internal mail server and provide CTD email access to all its employees for CTD business mails.
- Transfer of data from any location over removable media should be protected by methods like encryption and checksums to ensure its integrity and confidentiality are maintained. It should also be ensured that the transit is tracked.
- An asset inventory and register should be maintained for all the assets present in the CTD network. Asset management procedures should be followed.
- Hardening documents and baseline standards for all the assets should be maintained. It should be ensured that all the assets are configured based on this documentation.
IS Audit - Recommendations
Password policy & account lockout policy as per industry best-practice requirements should be followed for Windows and Linux systems, databases, applications and network devices:
a. Set first-time passwords to a unique value for each user and change immediately after the first use
b. Change user passwords at least every 90 days
c. Require a minimum password length of at least seven characters
d. Use passwords containing both numeric and alphabetic characters
e. Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
f. Limit repeated access attempts by locking out the user ID after not more than six attempts
g. Set the lockout duration to thirty minutes or until an administrator enables the user ID
h. Session time-out must be set to 15 minutes
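As an added illustration of what rules a to g amount to when enforced by code (this is example code written for this page, not code from the audit deck or from CTD's systems), the following account model applies the first-use change, 90-day expiry, 7-character alphanumeric minimum, 4-password history, 6-attempt lockout and 30-minute lockout duration. The salted PBKDF2 hashing, the `Account` class and its method names are this example's own choices; rule h (session time-out) belongs to the application session layer and is not modelled here.

```python
"""Added example, not code from the audit deck or CTD: a small account model
that enforces the password and lockout rules listed in the recommendation.
Constants mirror the slide; the hashing scheme and data layout are this
example's own choices."""
import hashlib
import os
import time

MIN_LENGTH = 7                          # rule c
HISTORY_DEPTH = 4                       # rule e
MAX_FAILED_ATTEMPTS = 6                 # rule f
LOCKOUT_SECONDS = 30 * 60               # rule g
MAX_PASSWORD_AGE_SECONDS = 90 * 86400   # rule b


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked store does not reveal passwords; the
    # iteration count is kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def check_complexity(password: str) -> list:
    """Return the rules (c, d) a candidate password violates; empty list if none."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("no alphabetic character")
    if not any(ch.isdigit() for ch in password):
        problems.append("no numeric character")
    return problems


class Account:
    """Tracks password history, failed attempts and lockout for one user."""

    def __init__(self, username: str, initial_password: str, now: float = None):
        self.username = username
        self.history = []             # (salt, hash) of the last HISTORY_DEPTH passwords
        self.failed_attempts = 0
        self.locked_until = None      # epoch seconds, or None when not locked
        self.must_change = True       # rule a: first-time password is changed at first use
        self.changed_at = time.time() if now is None else now
        self._store(initial_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def _in_history(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self.history)

    def set_password(self, new_password: str, now: float = None) -> list:
        """Apply rules c, d and e; returns the list of violations (empty on success)."""
        now = time.time() if now is None else now
        problems = check_complexity(new_password)
        if self._in_history(new_password):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self._store(new_password)
        self.changed_at = now
        self.must_change = False
        return []

    def authenticate(self, password: str, now: float = None) -> str:
        """Returns 'ok', 'denied', 'locked' or 'change-required' (rules a, b, f, g)."""
        now = time.time() if now is None else now
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if _hash(password, salt) != digest:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failed_attempts = 0
                return "locked"
            return "denied"
        self.failed_attempts = 0
        self.locked_until = None
        if self.must_change or now - self.changed_at > MAX_PASSWORD_AGE_SECONDS:
            return "change-required"
        return "ok"

    def admin_unlock(self) -> None:
        """Rule g: an administrator may re-enable the user ID before the 30 minutes elapse."""
        self.locked_until = None
        self.failed_attempts = 0


if __name__ == "__main__":
    acct = Account("demo", "Temp2011x", now=0.0)      # constructed sample account
    print(acct.authenticate("Temp2011x", now=0.0))      # change-required
    print(acct.set_password("Summer2011", now=0.0))     # []
    print(acct.authenticate("Summer2011", now=0.0))     # ok
```

The `now` parameter exists so the expiry and lockout clocks can be exercised deterministically; in production it would be left at its default. The point the deck makes is that these rules apply to every platform (Windows, Linux, databases, network devices); a model like this is the reference against which each platform's native policy settings can be checked.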
IS Audit - Recommendations
- Logging should be enabled on all the critical devices. These logs should be forwarded to a central location, and regular log monitoring and analysis should be conducted and recorded. File integrity monitoring solutions can also be implemented to ensure that the log files at the central location are not tampered with.
- Business continuity / disaster recovery procedures should be documented. Testing for the same should be conducted on a periodic basis.
- Incident response procedures should be followed as per the defined policies. Incident response procedures training for the designated members needs to be conducted.
- Risk assessment for at least all the critical assets should be conducted based on industry-accepted standards like ISO 27005, NIST or OCTAVE.
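The file integrity monitoring recommendation has one wrinkle for log files specifically: a log legitimately grows, so a plain whole-file hash would raise an alert on every new line. The following added example (written for this page, not code from the audit deck or any product CTD uses) records the size and SHA-256 of each collected log at baseline time and later re-hashes only that prefix, so appends pass while edits or truncation of already-collected lines are reported. Function names, the JSON baseline layout and the sample log line are this example's own constructions.

```python
"""Added example, not from the audit deck: prefix-hash integrity checking for
centrally collected log files. The baseline stores each file's length and
SHA-256 at baseline time; verification re-hashes only that prefix, so
legitimate appends are accepted while any edit or truncation of the
already-collected content is flagged."""
import hashlib
import json
from pathlib import Path


def fingerprint(data: bytes) -> dict:
    """Baseline record for a log's current content: its length and hash."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def verify(data: bytes, baseline: dict) -> str:
    """Compare current content with a baseline record; returns one of
    'unchanged', 'appended', 'truncated' or 'modified'."""
    size = baseline["size"]
    if len(data) < size:
        return "truncated"
    if hashlib.sha256(data[:size]).hexdigest() != baseline["sha256"]:
        return "modified"
    return "unchanged" if len(data) == size else "appended"


def build_baseline(log_dir: Path, baseline_file: Path) -> dict:
    """Fingerprint every *.log file in log_dir and persist the records as JSON."""
    records = {p.name: fingerprint(p.read_bytes()) for p in sorted(log_dir.glob("*.log"))}
    baseline_file.write_text(json.dumps(records, indent=2))
    return records


def check_baseline(log_dir: Path, baseline_file: Path) -> dict:
    """Return {file name: status} for every baselined file plus any new files."""
    baseline = json.loads(baseline_file.read_text())
    results = {}
    for name, record in baseline.items():
        path = log_dir / name
        results[name] = verify(path.read_bytes(), record) if path.exists() else "missing"
    for p in log_dir.glob("*.log"):
        results.setdefault(p.name, "new")
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        log = d / "firewall.log"
        # Constructed sample lines, not real CTD log data.
        log.write_bytes(b"Jul 06 2011 09:00:01 inbound TCP connection built\n")
        base = d / "baseline.json"
        build_baseline(d, base)
        with log.open("ab") as fh:
            fh.write(b"Jul 06 2011 09:00:02 TCP connection torn down\n")
        print(check_baseline(d, base))   # {'firewall.log': 'appended'}
```

The baseline file must live where the log-producing hosts cannot write (or be signed), otherwise whoever can rewrite a log can rewrite its fingerprint too; re-running `build_baseline` after each monitoring cycle moves the protected prefix forward to cover the newly appended lines.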
Network Security Architecture Review High Level Gaps
Network Security Architecture Review - Introduction
The Network Architecture Review was focused on assessing the network infrastructure in terms of design and configuration, to assist in further optimization of the CTD network. For this exercise, a detailed understanding of the network based on the network diagram was obtained. Then the configurations of the following sample network devices were analyzed for gaps:
- ASA 5510 Firewall - 1
- Hub Routers (Primary & Secondary) - 2
- Fibre Link Connectivity Location Routers - 3
- RF Link Connectivity Location Routers - 5
Network Security Architecture Review - Weaknesses
- It was observed that no specific hardening process / document is defined for any of the systems in the network.
- There is no backup connectivity for the ASA 5520 Firewall; in case of any failure or downtime of the firewall, the entire network will not be able to communicate with the internet, which will stop its connectivity to the applications hosted at the NIC Data Center.
- It was observed that logging is not enabled on some of the network devices. Logging is not configured on any of the routers.
- It was observed that there is no intrusion prevention or detection system to monitor the internal & external critical traffic.
Network Security Architecture Review - Weaknesses
- As there is no VLAN configuration and a hub-based network is implemented, there is a threat of ARP or MAC poisoning in the network. This has also been identified in the vulnerability assessment activity carried out in the internal network.
- An updated network diagram is not present; the diagram provided still mentions the Fortinet Firewall, which is not present in the network.
- Access-lists on the routers and firewalls should be optimized and access should be provided only on specific required ports.
- Inactive and unassigned access-lists are present on the firewall. It is strongly recommended to review all the ACLs on the firewall and routers and remove the legacy and unwanted rules.
- NTP configuration is missing on all the server machines; this needs to be configured to a centralized NTP server. The NTP configuration of the network devices should be changed from the Reliance NTP servers to internal NTP servers.
- Unique users have not been created on any of the network devices.
Network Security Architecture Review - Recommendations
- There should be a backup firewall for the ASA 5520. The organization already has a firewall which is procured; the same firewall can be used as a hot standby or in HA mode, so that in case one firewall fails traffic can be routed through the other.
- CTD can consider implementing a centralized user management system like TACACS or RADIUS authentication for unique user IDs on the network devices.
- Logging should be configured on all the devices, the logs should be forwarded to a centralized log server, and the logs should be regularly monitored.
- The spoke location machines can directly access the hub location and vice versa; this should be removed if not required, and whatever access is necessary should be restricted to specific ports.
- Access-lists on the routers and firewalls should be optimized and access should be provided only on specific required ports.
- Inactive and unassigned access-lists are present on the firewall. It is strongly recommended to review all the ACLs on the firewall and routers and remove the legacy and unwanted rules.
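The ACL review asked for in the last two points can be partly automated. The following added example (written for this page, not code from the audit deck or from CTD's firewall) parses Cisco ASA style `access-list ... extended` entries and `access-group` bindings from a running configuration and reports three things: access-lists that are not applied to any interface (unassigned), entries carrying the `inactive` keyword, and `permit` entries from any source to any destination with no port restriction. The sample configuration at the bottom is constructed for the demo and its names and addresses are not CTD's.

```python
"""Added example, not from the audit deck: a review script for Cisco ASA style
access-lists that flags unassigned ACLs, inactive entries and any-to-any
permits with no port restriction. The sample configuration is constructed."""

PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # operator -> tokens consumed


def _take_endpoint(tokens, i):
    """Consume one address specification starting at tokens[i]; return (text, next index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return "any", i + 1
    if t in ("host", "object", "object-group", "interface"):
        return f"{t} {tokens[i + 1]}", i + 2
    return f"{t} {tokens[i + 1]}", i + 2          # network/mask pair


def _take_port(tokens, i):
    """Consume an optional port operator (eq/gt/lt/neq/range) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + n]), i + n
    return "", i


def parse_ace(line):
    """Parse one 'access-list NAME extended ACTION PROTO SRC [PORT] DST [PORT] [flags]'
    line into a dict; returns None for anything else."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action, proto = tokens[1], tokens[3], tokens[4]
    i = 5
    src, i = _take_endpoint(tokens, i)
    _src_port, i = _take_port(tokens, i)
    dst, i = _take_endpoint(tokens, i)
    dst_port, i = _take_port(tokens, i)
    flags = set(tokens[i:])
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst,
            "dst_port": dst_port, "inactive": "inactive" in flags, "line": line}


def review(config_text):
    """Return a list of human-readable findings for the given configuration text."""
    aces, bound = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("access-group "):
            bound.add(line.split()[1])          # access-group NAME in interface IFACE
            continue
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
    findings = []
    for name in sorted({a["acl"] for a in aces} - bound):
        findings.append(f"unassigned ACL: {name} is not applied to any interface")
    for a in aces:
        if a["inactive"]:
            findings.append(f"inactive entry: {a['line']}")
        elif (a["action"] == "permit" and a["src"] == "any" and a["dst"] == "any"
              and (a["proto"] == "ip" or not a["dst_port"])):
            findings.append(f"overly broad permit: {a['line']}")
    return findings


# Constructed sample configuration (names and addresses are not CTD's).
SAMPLE = """\
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any eq 25 inactive
access-list OLD_RULES extended permit tcp any any
access-list MGMT extended permit tcp 192.0.2.0 255.255.255.0 any eq 22
access-group OUTSIDE_IN in interface outside
access-group MGMT in interface inside
"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Running it on the sample reports `OLD_RULES` as unassigned, the `eq 25 inactive` entry as inactive and the two any-to-any permits as overly broad. The parser deliberately covers only the address and port forms shown; `object-group` service references and IPv6 forms would need extending before use on a full configuration, and the output is a review aid, not a substitute for confirming each rule against a business requirement.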
Internal Vulnerability Assessment & Penetration Testing
Internal Vulnerability Assessment & Penetration Testing - Introduction
The internal network vulnerability assessment was conducted from various locations of the Commercial Taxes Department, Karnataka. The locations included the Head Office, Field Offices, Check Posts, Divisions and Datacenter. All testing was performed using a variety of industry-leading security scanning tools and applications. The internal network included the hosts in the network IP list provided to ControlCase by the Commercial Taxes Department, Karnataka. A firewall or other network traffic-filtering device restricted access to these hosts. ControlCase discovered seventeen high-risk and seventeen medium-risk vulnerabilities associated with the Commercial Taxes Department, Karnataka's provided internal network segment.
Internal Vulnerability Assessment & Penetration Testing - Test Gradings
Grading Level: Description
- Excellent: A rating of excellent indicates that no high or medium-risk vulnerabilities were discovered, though low-risk vulnerabilities may be present. The implemented security measures match the very best of those implemented by other companies or organizations.
- Good: A rating of good indicates that no high-risk vulnerabilities were discovered, though some medium and low-risk vulnerabilities may exist. The implemented security measures exceed those implemented by typical companies or organizations.
- Average: A rating of average indicates that few high-risk vulnerabilities were found, with a majority of findings being medium and low-risk vulnerabilities. The implemented security is comparable to that of the typical company or organization.
- Marginal: A rating of marginal indicates that many high, medium and low-risk vulnerabilities were discovered, and system compromise may be possible. The implemented security falls below that of the typical company or organization.
- Poor: A rating of poor indicates that numerous high-risk vulnerabilities were found and/or direct system compromise is possible. These high-risk vulnerabilities may be accompanied by multiple medium and low-risk vulnerabilities as well. The implemented security is significantly below the industry standards followed by a majority of companies or organizations.
Internal Vulnerability Assessment & Penetration Testing - Result
Following expert analysis of the data gathered during the assessment, which accounts for the actual findings, the restrictions on service accessibility, and the results of verification testing on the vulnerabilities discovered, a rating of Poor has been assigned to the network security of the internal network managed by the Commercial Taxes Department, Karnataka.
Testing Phase: Internal VA and Network Penetration Test
Notes: Seventeen high-risk and seventeen medium-risk vulnerabilities have been discovered
Rating: Poor
Internal Vulnerability Assessment & Penetration Testing - Summary
The risks noted in the Commercial Taxes Department, Karnataka's internal infrastructure are categorized into High, Medium and Low depending upon the severity levels.
Risk Severity Level - No. of Findings
- High - 17
- Medium - 17
- Low - 13
- Total - 47
Internal Vulnerability Assessment & Penetration Testing - Findings
The following generic categories of vulnerabilities were found in the machines which were tested:
Operating System / Patch Management / Password Policies - 13
- Lack of Patch Management System (MS08-067 Conficker Patch Missing)
- Windows Service Pack Out of Date
- Insecure Password Policy
Network Misconfiguration - 17
- OpenSSL < 0.9.6j / 0.9.7b Multiple Vulnerabilities
- Anonymous FTP Enabled
- SNMP Default Community String Disclosure
Web / Database Interfaces Discovery - 13
- Microsoft SQL Server Default Credentials
- Oracle Database Multiple Remote Vulnerabilities
- VNC Security Type Enforcement Failure Remote Authentication Bypass
- Web Server Unconfigured - Default Install Page Present
- Directory Listing Enabled
Common ports used by backdoors/viruses/worms - 1
- Conficker Worm Detection - Conficker.C or lower detected
DNS recursion/zone transfer/poisoning - 3
- MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution
- DNS Server Processes Unauthoritative Recursive Queries
Internal Vulnerability Assessment & Penetration Testing - Recommendations
- All the systems should be updated with the latest patches.
- Systems should be hardened as per industry-recognized baselines, to ensure all unwanted ports, protocols and services are disabled.
- Use of a strong password policy & account lockout policy.
- Hardening of web servers & databases as per industry-recognized baselines and the defined policies of CTD.
Questions & Answers
Any questions?
Thank You
In case of further queries, kindly contact akirtikar@controlcase.com