Network Security Management Phase 2 Performance Audit




Network Security Management Phase 2 Performance Audit
July 2012
Office of the Auditor, Audit Services Division, City and County of Denver
Dennis J. Gallagher, Auditor

The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver's government. He also chairs the City's Audit Committee.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City's finances and operations, including the integrity of the City's financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee: Dennis Gallagher, Chair; Maurice Goodgaine; Leslie Mitchell; Rudolfo Payan; Robert Bishop; Jeffrey Hart; Timothy O'Brien, Co-Chair

Audit Staff: Audrey Donovan, Deputy Director, CIA, CRMA; Stephen E. Coury, IT Audit Supervisor, CISA; Roman Bukhtiyar, Senior IT Auditor, CISA; Ketki Dhamanwala, Senior IT Auditor, CIA, CISA

You can obtain copies of this report by contacting us at: Office of the Auditor, 201 West Colfax Avenue, Department 705, Denver CO, 80202, (720) 913-5000, Fax (720) 913-5247. Or download and view an electronic copy by visiting our website at: www.denvergov.org/auditor

City and County of Denver
201 West Colfax Avenue, Department 705, Denver, Colorado 80202
720-913-5000, FAX 720-913-5247, www.denvergov.org/auditor
Dennis J. Gallagher, Auditor

July 19, 2012

Mr. Chuck Fredrick, Chief Information Officer
Technology Services
City and County of Denver

Dear Mr. Fredrick:

Attached is the Auditor's Office Audit Services Division's report of their audit of Network Security Management Phase 2. This report summarizes the second and final phase of our audit of the City's data network that is managed by the Technology Services Department. The purpose of the audit was to determine whether the City's data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

I am concerned that portions of our data network are vulnerable to attack or abuse that are neither prevented nor detected. I know that you share my concerns, as I understand that you have already taken corrective actions to eliminate some of the risks we identified, and that you have plans to address those that require more time to resolve.

A common theme in both phases of our audit is that periodic user security awareness training is key to helping all our employees know the role they have in protecting the City's data. Your challenge to establish an information security governance program will be to ensure that the controls you have in place continue to operate as intended. So many times we can have the best of intentions, only to find that a control we thought was working has become obsolete or has evaporated into the ether. We must remain diligent in ensuring we are always protecting the City's information.

On a final note, as you consider the benefits of cloud computing for the City, please see our short treatise on Cloud Computing Considerations in this report. I think you will find it supports a careful and thoughtful approach to this new era of computing.

If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5000.

Sincerely,
Dennis J. Gallagher
Auditor
DJG/sec

To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

cc: Honorable Michael Hancock, Mayor; Honorable Members of City Council; Members of Audit Committee; Ms. Janice Sinden, Chief of Staff; Ms. Stephanie O'Malley, Deputy Chief of Staff; Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer; Ms. Beth Machann, Controller; Mr. Doug Friednash, City Attorney; Ms. Janna Bergquist, City Council Executive Staff Director; Mr. L. Michael Henry, Staff Director, Board of Ethics; Mr. Ethan Wain, Deputy Chief Information Officer

AUDITOR'S REPORT

We have completed an audit of Network Security Management Phase 2. This report summarizes the second and final phase of our audit of the City's data network that is managed by the Technology Services Department. The purpose of the audit was to determine whether the City's data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The findings from the second phase not only reinforce the information security governance issues identified in the first phase, but further highlight a disturbing concern that key information security controls are not operating as a result of gaps in Information Technology (IT) governance. Specifically, the Technology Services Department is insufficiently staffed, which places an over-reliance on key personnel; key policies and procedures have not been developed; and there is a low process maturity environment where critical processes are ad hoc and disorganized. This condition results in a security environment where portions of the City network are vulnerable to attack or abuse that is neither prevented nor detected.

The Chief Information Officer has recognized the gravity of the issues identified in both our Phase 1 and Phase 2 audit reports and has already taken actions to eliminate or mitigate some of the risks identified. Where risk mitigation requires a more strategic solution, the Chief Information Officer has responded that he will develop appropriate plans to reduce the identified risks.

We extend our appreciation to the Chief Information Officer and his staff who assisted and cooperated with us during the audit.

Audit Services Division
Kip Memmott, MA, CGAP, CRMA
Director of Audit Services

TABLE OF CONTENTS
EXECUTIVE SUMMARY 1
INTRODUCTION & BACKGROUND 2
  Information Technology Governance 2
  Process Maturity Model 3
  Defense in Depth and Basic Controls 3
SCOPE 5
OBJECTIVE 5
METHODOLOGY 5
FINDING 8
  City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity 8
RECOMMENDATIONS 13
OTHER PERTINENT INFORMATION 15
  Cloud Computing Considerations 15
APPENDICES 17
  Appendix A: Network Security Management Phase 1 Performance Audit 17
  Appendix B: News Story of Email Virus Impacting a Federal Agency 50
AGENCY RESPONSE 52

EXECUTIVE SUMMARY

This report summarizes the second and final phase of our audit of the City and County of Denver's network security. [1] The findings from the second phase not only reinforce the information security governance issues identified in the first phase, but further highlight a disturbing concern that key information security controls are not operating as a result of gaps in Information Technology (IT) governance. Specifically, the Technology Services Department is insufficiently staffed, which places an over-reliance on key personnel; key policies and procedures have not been developed; and there is a low process maturity environment where critical processes are ad hoc and disorganized. [2] This condition results in a security environment where portions of the City network are vulnerable to attack or abuse that is neither prevented nor detected. This indicates that IT governance needs to be strengthened not only in the risk management domain, but also in the resource management domain. [3]

Examples of specific weaknesses include the following:
- Six of ten essential information security duties are not being performed
- Antivirus controls are not always effective in preventing malware from entering the email system or from being saved and backed up on network storage
- Key information security policies are missing or outdated
- Network admission controls do not detect unauthorized devices
- Portions of the City network are vulnerable to attack or abuse
- The general public has inappropriate access to portions of the City's internal data network

On a positive note, the audit identified areas where controls have been implemented and are especially strong. Specifically, change control over firewalls and routers is automated and at a high process maturity. Additionally, authentication controls over administrative access to both firewalls and routers are strong.

Lastly, Technology Services still needs to significantly develop and increase the maturity of its information security posture before implementing its strategy to take advantage of cloud computing. Our thoughts on the City's preparedness for cloud computing can be found in Other Pertinent Information, Cloud Computing Considerations.

[1] The audit scope is limited to the portions of the network specifically managed by the Technology Services Department. Refer to the Introduction & Background of the Phase 1 report contained in Appendix A, Network Security Management Phase 1 Performance Audit, for additional details.
[2] Please see the Introduction & Background section of this report for more information on the Process Maturity Model.
[3] Please see the Introduction & Background section of this report for more information on IT governance domains.

Page 1, Office of the Auditor

INTRODUCTION & BACKGROUND

Information Technology Governance

The overall governance of the City includes several disciplines, of which Information Technology (IT) is a significant part. Accordingly, the governance of IT is not the sole responsibility of one agency, but rather a collaborative effort between the City's top leadership, i.e., the Mayor and City Council, working closely with the leadership of the IT organization. The Technology Services Department is responsible for managing IT risks and determining which resources are necessary to mitigate those risks. However, the City's top leadership has ultimate authority over IT resources. Accordingly, when City leadership is faced with financial challenges, budget decisions should include consideration of the IT risk impact that may result from those choices.

A role of the Chief Information Officer (CIO) as the IT leader is to advise the Mayor and City Council on the IT risks threatening the City's network so that management may make informed decisions regarding risks and the resources to mitigate those risks. When presented with IT risks, City leadership has the option to mitigate those risks by implementing controls, to transfer them, such as through insurance, or to accept them through formal acknowledgement. If there are significant IT risks that the City cannot mitigate or transfer, the acceptance of that risk must come from an appropriate level of authority, the City's top leadership, and be disclosed to stakeholders and citizens.

IT Governance Domains

IT governance consists of the five major domains of strategic alignment, value delivery, risk management, resource management, and performance measurement. [4] Two areas of concern in this audit are risk management and resource management.

Risk Management

The risk management domain addresses the safeguarding of IT assets and disaster recovery. Risk management also includes regular self-testing to ensure established controls are operating as intended and continuous assessment of emerging risks in light of an ever-changing threat landscape.

[4] Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, http://www.itgi.org

City and County of Denver, Page 2

Risk management concerns are raised in both phases of this audit. The Phase 1 report is included in Appendix A.

Resource Management

The resource management domain addresses optimizing IT knowledge and infrastructure, in particular people, technology tools, and the management of outsourced services. It is the resource management domain that promotes workforce planning for adequate staffing and training in order to retain skilled IT staff. Resource management also includes aligning the IT budget to support business operations. Resource management concerns are raised in this second phase of the audit.

Process Maturity Model

The degree to which an organization can effectively manage its IT risk depends largely on the maturity of its IT governance system. The maturity level can be determined by evaluating the organization's key information security policies, standards, and procedures against an industry standard IT governance maturity model, or process maturity model. As illustrated below, the model establishes a method to rank a process along a six-point scale ranging from 0 (Nonexistent) to 5 (Optimized).

0 - Nonexistent: Management processes are not applied at all
1 - Initial: Processes are ad hoc and disorganized
2 - Repeatable: Processes follow a regular pattern
3 - Defined: Processes are documented and communicated
4 - Managed: Processes are monitored and measured
5 - Optimized: Best practices are followed and automated

Information security controls need to be repeatedly verified over time to ensure they are continuing to operate as intended. Constantly monitoring the effectiveness of controls, such as through a manual or automated compliance program, is considered to be at maturity level 4. Processes that are automated and include an aspect of continuous improvement are at maturity level 5.

Defense in Depth and Basic Controls

Best practices promote the concept of defense in depth, or security in layers. Specifically, IT security programs should protect information through the use of multiple layers including physical, policy, and technical controls. Physical controls primarily protect access to computing equipment. Policy controls include all aspects of security, such as review of logs, compliance programs, and employee security awareness training. Technical controls are mostly automated and include firewalls, intrusion prevention appliances, and antivirus software. The technical controls should not be overly reliant on limited defenses or overly dependent on a single person to review security alerts.

Physical Controls

Physical controls include the protection of physical access to facilities, the protection of network equipment within those facilities, and environmental (temperature and humidity) controls. As with all controls, physical controls must be regularly tested to ensure they are operating as intended.

Policy Controls

Information security policies are the basis for defining management's commitment and the organization's approach to managing information security. Information security policies must be reviewed periodically, as the rapid change in technology could render a policy inadequate to control the risk it was intended to prevent. Consider password length and complexity as a policy that has evolved over the years. Ten years ago, a four-digit password would have been considered adequate, but by today's standards a four-digit password would be considered weak and one that could be easily compromised. It is common today to see password requirements of eight characters with the inclusion of capital letters, numbers, and special characters, expiring every ninety days or so, and users reminded not to use easily guessed mnemonics, family or pet names, dates, or the names of sports teams or their mascots.

Technical Controls

Technical controls include some of the basic controls that most users are familiar with, such as antivirus software or system patching. Often these controls are automated and are assumed to be working properly. An important study of system intrusions and data breaches, the 2012 Data Breach Investigations Report, highlights that 97 percent of data breaches were avoidable through simple or intermediate controls. [5] The report also points out that the largest threat actions came from hacking and malware. [6] Hackers strive to get the most reward or benefit from the least amount of work or investment. The data show that an attacker will try the simplest techniques to break into a system before engaging more sophisticated techniques. This emphasizes the need for organizations to remain vigilant in providing basic controls, such as end user information security awareness training, antivirus software, network segmentation, and password protocols, and to engage in continuous monitoring to ensure that basic controls are operating as intended.

[5] The 2012 Data Breach Investigations Report was prepared by the Verizon RISK team with cooperation from the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police. The report spans eight years and the breach database includes well over 2,000 breaches and information on greater than one billion compromised records. http://www.verizonbusiness.com/resources/search
[6] In this report we will use the term malware to refer to computer software that is designed with malicious intent, such as computer viruses, Trojans, and spyware, which are intended to cause harm, disruption, or provide surreptitious access to computer resources and data.

Antivirus controls are especially important, since malware is one of the main attack vectors, or ways that systems are compromised. Earlier this year, the Washington Post (and other print and online sources) featured a story about a federal agency that was the victim of a computer virus outbreak that arrived via email. The malware posed a high enough threat that the agency disconnected its computers from the network to prevent the malware from spreading to other agencies. [7] We contacted the affected agency directly to vet the accuracy of the news story. Although the agency has not publicly issued its own account of the incident, it did confirm the occurrence and that it was still under investigation.

SCOPE

This report summarizes the second and final phase of our audit of the segments of the City and County of Denver's Metropolitan Area Network that are managed by Technology Services, which excludes the portions of the network that are managed by other agencies, such as the Denver International Airport, Denver District Attorney's Office, and Denver County Courts. In accordance with Generally Accepted Government Auditing Standards (GAGAS), the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report. The details of all findings, however, have been presented to the City's Chief Information Officer. As part of our regular follow-up for audit issues, we will return at a future date to ensure that all findings have been addressed.

OBJECTIVE

The purpose of the audit was to determine whether the City's data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

METHODOLOGY

We utilized several methodologies to achieve the audit objective. Our evidence gathering techniques included, but were not limited to, the following:
- Examining existing information security policies, procedures, and standards
- Consulting best practices standards for information security policies and procedures from sources such as the International Organization for Standardization publication Information technology - Security techniques - Code of practice for information security management (ISO 27002:2005), the National Institute of Standards and Technology special publication Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53), the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures Version 2.0 (PCI DSS), and, as a point of local reference, the security policies of the State of Colorado Governor's Office of Information Technology (OIT)
- Consulting best practices for routing device configurations from organizations such as the Center for Internet Security (CIS), NIST, the National Security Agency (NSA), and an equipment manufacturer (Cisco)
- Consulting authoritative reports on data breaches such as Verizon's 2012 Data Breach Investigations Report
- Conducting interviews with Technology Services personnel to clarify our understanding of its network security processes
- Reviewing Technology Services organization charts and job descriptions to determine whether an information security management structure has been established
- Examining vulnerabilities associated with opportunistic cyber attacks, as well as those for advanced persistent threats (APT)
- Performing testing of the antivirus controls to determine whether the antivirus tool is effective in protecting the network against malware
- Examining the vulnerabilities associated with generic user IDs having e-mail accounts and the use of web-based email
- Verifying the status of issues noted in the City's PCI self-assessment questionnaire and attestation of compliance to determine remediation progress
- Examining vulnerability scans to determine whether non-PCI portions of the network are susceptible to cyber threats
- Performing tests to determine whether technical controls are in place to enforce the City's remote access policy
- Reviewing the effectiveness of incident management policies and procedures
- Evaluating the effectiveness of the use of security information and event management (SIEM) software, particularly the Cisco Security Monitoring, Analysis and Response System (MARS) product
- Determining whether a strategy exists to replace MARS as the City's SIEM in light of the product's end-of-life announcement by the vendor
- Interviewing Technology Services management to verify whether essential information security duties are being performed
- Reviewing training records of key information security personnel to determine whether training is current
- Performing a physical security walkthrough of the data center to verify whether physical security, equipment protection, and environmental controls are adequate for critical firewalls and routers
- Reviewing network architecture diagrams to identify critical firewalls and routers
- Performing tests of critical firewall and router security settings with the Titania Nipper configuration analysis tool
- Testing change management and configuration backup controls for critical firewalls and routers using the Solarwinds Orion and Network Configuration Manager (Cirrus-NCM) tools
- Evaluating the password configuration settings for the City's Authentication, Authorization, and Accounting (AAA) protocol implemented through the Cisco Terminal Access Controller Access Control System Plus (TACACS+) server
- Verifying the list of users who have administrative access to firewalls and routers
- Evaluating staff competency to operate network software tools and explain network configuration settings
- Consulting best practices for cloud computing from organizations including the Cloud Security Alliance (CSA) and NIST

[7] Please see Appendix B, News Story of Email Virus Impacting a Federal Agency, to view the article.

FINDING City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity The results of our work from the second and final phase of this audit not only reinforce the information security governance issues identified in the first phase, but further highlight a disturbing concern that key information security controls are not operating as a result of gaps in Information Technology (IT) Governance. Specifically, the Technology Services Department is insufficiently staffed, which places an over reliance on key personnel; key policies and procedures have not been developed; and there is a low process maturity environment where critical processes are ad hoc and disorganized. This condition results in a security environment where portions of the City network are vulnerable to attack or abuse that are neither prevented nor detected. This indicates that information technology (IT) governance needs to be strengthened not only in the risk management domain, but also in the resource management domain. Examples of specific weaknesses follow. Six of ten essential information security duties are not being performed We identified ten essential information security duties that were being performed by personnel in Technology Services in order to ensure the proper functioning of security controls. Although subject matter experts should develop and document key information duties, those duties should be performed by operations staff or automated. Contrary to best practice, six of the ten essential information security controls were being performed by subject matter experts and their procedures were not documented or otherwise operationalized. As a result, these six controls ceased operating and some have not been performed for over eight to twelve months when the personnel performing them left the city workforce or were reassigned to different projects. For security reasons we have not listed the essential duties that are no longer being performed. 
This condition illustrates the importance of resource management in the governance of information technology. The CIO should ensure that adequate qualified staffing exists to perform essential security tasks. Critical security tasks should be documented and transferred to network operations personnel to ensure that essential information security controls continue to operate in the event of staff turnover. In the event that employment market conditions significantly challenge the ability to maintain staffing, the CIO should consider outsourcing network security monitoring to ensure continuous monitoring of network security controls.

City and County of Denver Page 8

Antivirus controls are not always effective in preventing malware from entering the email system or from being saved and backed up on network storage

To test the City's antivirus controls we attempted, after informing IT management about the test, to introduce a pseudo-malware file into the City network, both through email and through a file transfer. The pseudo-malware file was not detected through either delivery method by the City's antivirus software, which should have raised an alert had the file been properly detected.[8] In the absence of proper detection controls or an alert, we were able to place the file on the City's network. Additionally, the file was successfully backed up and subsequently restored from network backups without prevention or detection of the pseudo-malware. The outcome of our test illustrates an initial and a subsequent risk to the City's network. Not only can a potential attacker store malware undetected on the City's network, but the malware can be backed up and enabled for future use. If the malware were used in an attack on the City network and the initial attack was detected and stopped, the attacker may be able to subsequently restore the malware tools stored during backup and attempt the attack again. We concluded that we were able to upload the pseudo-malware file due to the way the antivirus software was configured. We also identified several control points where the pseudo-malware could have been stopped, had the antivirus strategy been properly integrated between various system services, including backup and restore. We attempted the same test using a common email system available to the public (Gmail). However, we were unsuccessful, since Gmail would not allow us to upload the pseudo-malware file.
The City email system, on the other hand, not only allowed the upload of the pseudo-malware file, but allowed us to email it from one account to another, save it on the network, have it backed up, and restore it on demand. We were also able to store the pseudo-malware file through a common type of file transfer used by City employees when working outside of the City network and connecting through a secure connection. This test not only demonstrated the same antivirus weakness as our City email system test, but also highlighted the fact that the City's IT security policy is antiquated and relies on employees to abide by rules that are not enforced through technical controls. Specifically, the policy requires employees to sign a statement when they are hired that they will keep their personal computers free from malware before remotely connecting to the City network. Employees are not reminded of this agreement after they are hired. In the event that employees neglect to keep their home systems protected or choose not to pay for antivirus software, connecting remotely to the City's network from these computers poses a risk to the City.

[8] The pseudo-malware file we utilized was an industry standard file that is used to test antivirus software. This file is commonly referred to as an EICAR file and is published by the European Institute for Computer Antivirus Research (EICAR). The file contains a special string of characters that all antivirus software will identify and raise an alert on when scanned. The file is safe, as it does not contain any malicious code. It is a file used to assure system owners that their antivirus software is active. If one is able to pass the file through systems, it is an indication that the antivirus software is not running or is configured incorrectly.
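As an added example (not code from the audit report or from the City's tools), the following Python implements the EICAR matching rule that footnote 8 describes and walks a test file through constructed stand-ins for the control points named above (email delivery, network storage, backup, restore), showing at which stage a scan of the stored bytes alerts and at which it is silent. The stage names, the base64 mail transport and the gzip backup format are assumptions made for the illustration.

```python
import base64
import gzip
from typing import Dict

# EICAR's published matching rule: a scanner alerts when a file starts with the
# 68-character test string, optionally followed only by whitespace (space, tab,
# LF, CR, CTRL-Z), with a total length of at most 128 bytes. The string is
# assembled from two halves at run time so that this source file does not itself
# start with the signature and get quarantined by a scanner.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
_EICAR_TAIL = "ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SIGNATURE = (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")
EICAR_MAX_LEN = 128
_ALLOWED_TRAILER = b" \t\n\r\x1a"


def is_eicar_test_file(data: bytes) -> bool:
    """Return True when `data` is a valid EICAR test file under the rule above."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR_SIGNATURE):
        return False
    trailer = data[len(EICAR_SIGNATURE):]
    return trailer.strip(_ALLOWED_TRAILER) == b""


# Constructed stand-ins (assumptions) for the control points the audit names.
# Each transforms the bytes the way the real service would, so a scan of the
# stored artefact only succeeds if the scanner looks inside that representation.
def deliver_by_email(attachment: bytes) -> bytes:
    """Mail transport: the attachment travels base64-encoded inside a MIME part."""
    return b"Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(attachment)


def extract_attachment(message: bytes) -> bytes:
    """What a gateway that decodes MIME before scanning sees."""
    return base64.b64decode(message.split(b"\r\n\r\n", 1)[1])


def back_up(file_bytes: bytes) -> bytes:
    """Backup service: the file is stored compressed."""
    return gzip.compress(file_bytes)


def restore(archive: bytes) -> bytes:
    """Restore service: the file comes back byte-for-byte."""
    return gzip.decompress(archive)


def trace_control_points(attachment: bytes) -> Dict[str, bool]:
    """
    Push a payload through email -> network share -> backup -> restore and report
    whether a scan of the bytes as they exist at that point would alert.
    A False at a stage that only ever sees the encoded form is the integration
    gap the audit describes: the scan has to run on the decoded content.
    """
    message = deliver_by_email(attachment)
    saved = extract_attachment(message)     # recipient saves attachment to a share
    archive = back_up(saved)
    restored = restore(archive)
    return {
        # Scanning the raw message misses it: the signature is base64-encoded.
        "email_gateway_raw_message": is_eicar_test_file(message),
        # A gateway that decodes attachments before scanning catches it.
        "email_gateway_decoded_attachment": is_eicar_test_file(saved),
        "file_share_on_write": is_eicar_test_file(saved),
        # Scanning the compressed archive misses it; the backup job must scan
        # the files it reads, not only the archive it writes.
        "backup_archive_as_stored": is_eicar_test_file(archive),
        "backup_content_scanned": is_eicar_test_file(restore(archive)),
        "restore_on_write": is_eicar_test_file(restored),
    }


if __name__ == "__main__":
    for stage, detected in trace_control_points(EICAR_SIGNATURE).items():
        print(f"{stage:36s} {'ALERT' if detected else 'missed'}")
```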

Should these home systems become compromised, they can serve as a conduit for malware to be introduced to the network. Technology currently exists to interrogate remote systems to determine if they are safe before allowing them to connect to the network. This type of technical control may prove more effective at preventing the introduction of malware onto the network than relying on employees to abide by the agreement they signed at the time of employment.

Technology Services should revise the antivirus configurations to prevent the introduction of malware into the City network. The overall deployment of antivirus should be reviewed to prevent and detect the introduction of malware through the City's email system, and during storage, backup, and restore of data files. Technology Services should also adopt technical controls to interrogate remote systems to determine if they are safe before allowing them to connect to the network.

Key information security policies are missing or outdated

As a means to evaluate the maturity of the City's information security policies, we identified twelve key information security policies that are considered best practices and accepted standards in the IT industry. The sources of the policies include the International Organization for Standardization publication Information technology - Security techniques - Code of practice for information security management (ISO 27002:2005), the National Institute of Standards and Technology special publication Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53), the Payment Card Industry Data Security Standard (PCI DSS), and the State of Colorado Governor's Office of Information Technology security policies, which we used as a point of local reference. Of the twelve critical information security policies reviewed, eight were not incorporated into the City's overall security policy strategy.
Although the City has defined twenty-one information security policies, fourteen of those have not been updated for more than two years. Table 1, Information Security Policy Analysis, shows which of the twelve critical policies have been adopted by the City and which have not. Of those that have been adopted, the table shows when the policy was defined and how well it was reviewed or kept current over the past ten years. For security reasons, the names of the policies are not included in the chart. However, some of the policies included in the list of twelve address areas such as risk assessment, security training and awareness, disaster recovery, physical security, acceptable use, wireless access, mobile computing and teleworking, social media, and incident response.

Table 1 - Information Security Policy Analysis
[Table: one row per critical policy, numbered by priority 1 through 12 (items 3 and 8 each shown as two rows); one column per year, 2002 through 2012. Each cell carries one of the legend markings, which did not survive extraction. Legend: Policy is defined or updated; Policy has not been updated; Policy is missing; Policy not required.]

The priority column in Table 1 indicates the relative importance of the policy according to best practices. For items 3 and 8 in the table, two rows are shown for each, indicating that there were two defined policies addressing a similar topic. The City does not have eight of the twelve critical information security policies in place to protect the network from malicious attack. Of the four policies that are in place, three have not been regularly evaluated or updated. This analysis supports the conclusions reached in the first phase of this audit, where we identified the need for an information security governance program that includes the development of information security policies.

Network admission controls do not detect unauthorized devices

The City does not have technical controls or policies in place to prevent the connection of unauthorized wireless routers to the City's internal network. We found a City agency that stores sensitive personal information as part of its daily operations. In order to better protect that information, the agency has a portion of its network segmented away from the City's internal network, thus creating a private network that can only be accessed by computers located physically within the agency. However, to meet one of its business needs, the agency from time to time uses two consumer/home-grade wireless routers, connecting one to its private network and the other to the City's internal network. The agency has configured the routers similar to how a consumer/home wireless network would be set up, with the router broadcasting its name, making it conveniently detectable by anyone with a mobile device such as a smart phone. These

consumer/home-grade routers also grant a connection to any device where the user has correctly entered the password; no user ID is required. In contrast, wireless access points supported by Technology Services employ rigorous security configurations that limit access to pre-authorized users, use strong session encryption, and do not broadcast their network name, to avoid advertising the wireless network's presence to the general public. Connecting consumer/home-grade equipment to the City's network weakens the defense-in-depth controls, as the wireless routers rebroadcast the contents of both the agency's private network and the City's internal network, making both networks accessible outside of the intended physical access areas.

Technology Services should adopt technical controls, such as network admission control (NAC), which can detect and prevent the connection of unauthorized wireless routers and other devices to the network. Further, policies prohibiting the attachment of unauthorized devices should be developed and communicated through periodic user security awareness training to educate agencies and users regarding the risks of attaching devices such as wireless routers to the network.

The general public has inappropriate access to portions of the City's internal data network

During the first phase of this audit, we performed site visits to various City facilities and tested for both wireless networks and computer connections that the general public could use to access the City's internal network. The connections we found could be used by an outsider to launch a cyber attack against the City's network from inside the network, without having to contend with the defenses the City has in place to protect the network from an attack originating from the outside. For security reasons, we communicated those locations confidentially to Technology Services management and did not list them in the audit report.
In the second phase of this audit, we further examined whether there were any technical controls that Technology Services had available that could be used to mitigate the risk of inappropriate access by the general public through those previously identified connections. We found that Technology Services currently has the technical controls available to prevent those publicly accessible areas from accessing the City's internal data network.

Access to the City's internal network should be limited to authorized persons in order to prevent a cyber attack from within the City network by outsiders. We recommended in the first phase of our audit that an information security governance program be put into place that would include the assessment of risks associated with various technology deployments, such as granting the public access to computers connected to the City network. Since this second phase of the audit further highlights the risk that these computers and connections could be used to launch an imminent cyber attack from within the City network, Technology Services should move expeditiously to segregate publicly accessible computers and connections from the City's internal network.

Strong controls found for firewall and router change control and administrative access

On a positive note, the audit identified areas where controls have been implemented and are especially strong. Specifically, change control over firewalls and routers is automated and at a high process maturity. Further, authentication controls over administrative access to both firewalls and routers are strong.

RECOMMENDATIONS

Throughout the course of this audit we were continually reminded of the underlying cause for the lack of effective information security controls that serve to prevent or detect an attack or abuse of system vulnerabilities. At the conclusion of the first phase of this audit we recommended that the City's Chief Information Officer (CIO) establish an information security governance program. This will also aid in addressing the concerns noted in this final phase of the audit over missing and outdated information security policies. Additionally, at the conclusion of the first phase of this audit we recommended that the CIO ensure the information security governance program has full support for authority and funding from the Mayor and City Council. Both of these recommendations were agreed to with an expected implementation date of October 15, 2012. As part of our follow-up process we will be addressing the recommendations provided in the first phase of this audit along with the following recommendations offered by the Auditor's Office to improve IT governance and process maturity.

1.1 The Chief Information Officer should strengthen the resource management governance domain within the Technology Services Department to ensure that adequate qualified staffing exists to perform essential security tasks. Critical security tasks should be documented and transferred to network operations personnel to ensure that essential information security controls continue to operate in the event of staff turnover.
In the event that employment market conditions significantly challenge the ability to maintain staffing, the CIO should consider outsourcing network security monitoring to ensure continuous monitoring of network security controls.

1.2 Technology Services should revise the antivirus configurations to prevent the introduction of malware into the City network. The overall deployment of antivirus should be reviewed to prevent and detect the introduction of malware through the City's email system, and during storage, backup, and restore of data files.

1.3 Technology Services should also adopt technical controls to interrogate remote systems to determine if they are safe before allowing them to connect to the network.

1.4 The Technology Services Department should adopt network admission control technologies in order to detect and prevent the attachment of unauthorized wireless routers to the City's network.

1.5 The Technology Services Department should communicate necessary information regarding security policies to end users through periodic user security awareness training to educate agencies and users about their role in protecting the City's network, including the risks of attaching devices such as wireless routers to the network.

1.6 The Technology Services Department should move expeditiously to segregate publicly accessible computers and connections from the City's internal network.

OTHER PERTINENT INFORMATION

Cloud Computing Considerations

One of the latest trends in modern computing is the adoption of vendor-provided service technologies collectively referred to as cloud computing.[9] The Technology Services Department has adopted a cloud-first long-term strategy and is in the early stages of evaluating cloud services for City technology needs. However, Technology Services needs to significantly enhance its cloud services selection criteria for information security, as cloud services pose their own types of security concerns.

The growing interest in cloud computing can be attributed to the potential for financial economies of scale, making cloud-based solutions more affordable than traditional computing models. Other reasons for interest in cloud computing come from the capability to utilize new hardware or software functionality that would be too cumbersome or expensive to develop with existing personnel and equipment. Cloud computing essentially entails renting an outside vendor's software and computers. For example, in a software as a service model, a vendor provides access to its software over the Internet on a subscription-type fee schedule. With subscription to the service, the customer gains quick access to software that can provide enhanced capabilities without having to buy new servers, hire new staff, or install software. On the other hand, the customer no longer has control of where the data and servers are located or how they are maintained. With these benefits, the customer is giving up storing data on premises and maintaining the servers on which the data is stored. Sometimes the loss of control over the computing environment can pose information security risks. For example, in the non-cloud environment, the customer may know that only authorized individuals have access to their data center.
In a cloud environment, the customer may not have the right to know who has data center access, leaving the customer to trust that the service provider has strong security practices. By contrast, customers that currently have poor or weak information security practices may be able to significantly improve their security posture by utilizing a cloud service provider with strong security practices. As a result, customers must carefully evaluate their security requirements to ensure their security needs can be met by the cloud service provider. Customers should ensure their service agreements allow them the right to audit or otherwise verify that the service provider is indeed providing the security controls it claims to have in place. Cloud computing is at its early stages of development and is becoming more competitive as more service providers enter the market. It is possible the customer may wish to switch providers in the future as new capabilities become available or more affordable. An aspect that must be considered before entering into a cloud computing agreement is how the customer's data will be backed up and returned to the customer should they terminate their service. Of similar importance, the agreement must specify that the provider will destroy, and certify the destruction of, the customer's data it stored before the services were terminated. Situations could arise where the customer loses all of its previously stored data because provisions for data handling at the termination of service were not considered in advance.

City agencies use a request for proposal (RFP) process when seeking vendors to provide or bid on system solutions. The system requirements are specified in an RFP and vendors can competitively bid on providing their solutions. The bids are scored and the vendor best meeting all the criteria is selected. To help City agencies evaluate their security requirements, one of the first steps Technology Services took was to augment the RFP process to include criteria for evaluating cloud-based solutions. Our review of the initial cloud computing criteria for RFPs indicates that the information security criteria are rudimentary and do not sufficiently address basic information security concerns for cloud computing. The RFP criteria for cloud computing could be significantly enhanced by incorporating security considerations from the NIST guide Cloud Computing Synopsis and Recommendations and the Security Guidance for Critical Areas of Focus in Cloud Computing developed by the Cloud Security Alliance.[10,11] Responsibility and accountability for information security never transfers to a cloud service provider or to any third party, for that matter; it always remains with the City.

[9] This discussion is intended as a high level summary of cloud computing. Please refer to Cloud Computing Synopsis and Recommendations (Special Publication 800-146), published by the National Institute of Standards and Technology (NIST), for an explanation of cloud computing concepts, including security risks. http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
As a result, decisions to adopt cloud computing solutions must carefully consider the information security impact alongside other business considerations.

[10] Ibid.

[11] The Cloud Security Alliance is a member-driven organization, chartered with promoting the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing. https://cloudsecurityalliance.org/

APPENDICES

Appendix A Network Security Management Phase 1 Performance Audit


Appendix B News Story of Email Virus Impacting a Federal Agency


AGENCY RESPONSE
