AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR




INDEX

SECTION I
EXECUTIVE SUMMARY
    Introduction
    Audit Scope/Methodology
    Audit Conclusion

SECTION II
DETAILED FINDINGS and BUSINESS UNIT RESPONSE
    1.0 Portal Security Policies and Procedures
    2.0 Physical security
    3.0 Logical Access
        Administrative Accounts of Portal Servers
    4.0 Network Security
        4.1 Firewall Systems
        4.2 Network-Based Intrusion Detection Software
    5.0 Server Security
        5.1 Anti-Virus Software
        5.2 File Integrity Software
        5.3 Host-Based Intrusion Detection Software
        5.4 Operating Systems
        5.5 Internet Access
        5.6 Testing in the Production Environment
    6.0 Application Security
        6.1 Plumtree Software
        6.2 User Access Privileges
    7.0 Business Continuity Plan
    8.0 Contractual Agreement

SECTION I

EXECUTIVE SUMMARY

Introduction

This audit, which is part of the City Auditor's annual plan of audits for 2003, was undertaken to determine the effectiveness of processes for managing the Business Licence function. A key methodology for gathering facts was a process questionnaire and staff feedback on process issues.

Business Licence is a division of the Development and Building Approvals Business Unit (DBA). It is responsible for issuing business licences and enforcing licence bylaws. Council had reviewed and approved an Administration report (FB94-60 Review of the Purpose of the Business Licensing Function issued in July 1994) which included six basic reasons for licencing businesses:

- Where there is clear danger to the public.
- Where the licensing function clearly assists in legislative compliance such as crime prevention and recovery of stolen property.
- Where some form of consumer protection is warranted such as supplier qualifications, or limitations on the business that are conducted at the potential consumer's residence.
- Where the operation of the business rather than its location can cause negative spillover effects into the neighbourhood.
- Where business activity clearly conflicts with the moral values of citizens of Calgary.
- Where an alternative to the business tax is needed so that some businesses that do not pay the tax do not have an unfair advantage over those that do.

Since the approval of these six basic reasons, the Business Licence function has undergone several reviews, and organization and management changes, including:

- Amalgamation of Licence with DBA, in early 2001; Licence processes were merged with POSSE and PACE systems.
- Integrating the processing of applications within the DBA Customer Services Division to provide a one window service approach to the public (December 2002).

Due to these changes, DBA requested an external consultant review the Licence operating structure. This study was completed in January 2003. Soon after the study's completion, the Business Unit initiated a further study on a cost recovery and best practices model, and new technologies and risk management strategies. The external consultant's recommendations were put on hold pending the outcome of this study.

The table below provides the key financial and operational data for licence services.

                            2003 Budget   2002 Actual
Revenues $000               3.2           3.0
Operating Costs $000        2.4           2.6
# of employees              20            20
# of Licences projected     35,000        31376
Incoming Inquiries          28,238*       38,137
Outgoing Calls              28,253*       31,701
Complaints                  245*          406
Inspections                 6548*         7148

*at October 2003

Audit Conclusions

The Business Licence function requires improved processes to ensure the function is effectively performed and managed, and the one window concept is successfully implemented.

Basis For Conclusions

The Business Licence role has evolved to an extent where it is increasingly difficult to effectively meet its obligations. Since 1994, greater responsibilities have been assumed for investigating business crime and facilitating land use compliance. Council needs to review and reconsider the implications from this expanded role.

The philosophy, rationale, staff roles and requirements for licensing businesses and setting approval conditions are not clear and transparent. Both customers and staff are clearly frustrated with the time and effort required to approve many applications.

Licence systems and approval processes need to be better coordinated and aligned to the Land Use, Building Safety Code, and other coordinating agency requirements. This change is critical to the One Window concept being successfully implemented and for maximizing effective understanding of conditions to be met; information sharing; communication on the status of outstanding conditions; and timely resolution of outstanding issues.

Performance management capabilities also need to be enhanced by redesigning computer systems and processes to support risk and performance management applications. Currently, it is extremely difficult to assess staff efforts in resolving issues and assessing risks resulting from unlicenced businesses.

Business Unit General Comment

Generally, the recommendations regarding improvements are supported. It has been 10 years since the General Business Licencing bylaw was reviewed with Council, and discussions regarding the evolving mandate in Business Licencing would be appropriate. As noted in the covering letter, concurrent with the audit of Business Licencing, structural changes were underway. During the course of change in 2003 and the beginning of 2004, the following was accomplished:

a) consistent with the one window approach, the management of land use and activity related to our business community is now consolidated with leadership in the Development and Business Licencing Division as of January 2004;
b) issues management, including the coordination of occupancies for new business through licencing and permitting processes, are scheduled to be addressed in 2004; and
c) as a single point of first contact, our Customer Service counter operations now accepts all licencing as well as development and building permitting applications related to our business community as of 2003.

SECTION II

DETAILED FINDINGS

1.0 PORTAL SECURITY POLICIES AND PROCEDURES

The Portal Security Committee established a set of security administrative policies and standards for implementing security procedures and achieving compliance.

A. Security policies and standards were not complied with, as:

- Vulnerability assessments were not performed quarterly or after significant changes had occurred to the Portal infrastructure.
- Security procedures were not reviewed a minimum of twice a year.

Not complying with these policies can result in security weaknesses not being identified on a timely basis, nor prompt, corrective actions taken.

B. Security policies were incomplete as:

- There was no Application Service Provider/Trading Partner Policy stipulating security requirements a service provider or trading partner must meet to gain access to the City's Portal.
- The Information Sensitivity Policy lacked a classification system for the different types of portal information to be assigned appropriate security measures.

Recommendation

A process should be established to ensure critical policies are:

- Developed for performing and reporting on essential operations.
- Monitored for compliance.

IT agrees with the recommendation and is in the process of hiring a limited term Security Policy Analyst to ensure critical security policies and procedures are developed. Compliance monitoring will be done on a regular basis.

2.0 PHYSICAL SECURITY

The Data Center housing the Portal's computing equipment must be secured to prevent unauthorized access to data, systems and equipment.

The physical security of the Data Centre is compromised as some of the 200 individuals with card access to the facility were:

- Former employees/contractors.
- Given access previously for specific reasons which are now not required.

We also noted that cabinets housing computing equipment were left open and keys unsecured.

Recommendations

I. A process should be developed to monitor the granting, updating and deleting of staff/contractor access to the Data Center.
II. The Portal's computing equipment should be secured from unauthorized access.

I. IT agrees with the recommendation and has begun to define a process to limit access. This process will be complete by the end of Q2, 2004.
II. IT agrees with the recommendation and has taken steps to physically secure the equipment.

3.0 LOGICAL ACCESS

Administrative Accounts Of Portal Servers

Administrative accounts and their passwords must be secured as these accounts have powerful privileges, e.g. setting up or deleting user accounts, files and directories, and controlling computer operations.

Protective measures identified in the Web Portal Password Policy include:

- Administrators cannot use a generic administrator account.
- Administrative passwords must be changed every 45 days.
- Passwords must be at least 10 characters in length and should contain numeric values, special characters, etc.
- Accounts must be locked out after 5 bad attempts, with lockout durations lasting for 15 minutes.

There was non-compliance with the password policy as:

- Administrative accounts were shared among system administrators.
- Simple passwords were used.
- Passwords have no expiry date and have not been changed for over a year.
- Accounts were set up with blank passwords.
- Accounts would be locked out after 10 bad attempts with lockout durations lasting 5 minutes.

Recommendation

Supervisors should review and document system administrators' compliance with the Portal's Password Policy.

IT agrees with the recommendation and has conducted a compliance review. Changes to the portal infrastructure may be required, technical issues preclude implementation until Plumtree 5.0 is installed (scheduled for Q4, 2004).

4.0 NETWORK SECURITY

4.1 Firewall Systems

Firewall systems prevent unauthorized access, mainly from the Internet to/from the City's private networks, by blocking messages which fail to meet specified security criteria. Firewalls are a critical layer of defense and must be properly configured and administered.

Our review indicated that improvements were needed in configuring and administering the firewall, as:

- Firewall configurations included IP addresses and services which were installed during system set-up. These are no longer required and should be removed to prevent unauthorized use.
- Firewall passwords have been changed only twice since the system was set-up.

- The contractor sent City staff the firewall password in clear text via the Internet. This delivery method could result in information being intercepted. Portal password policy requires that the highest level of encryption must be used to encrypt passwords.
- ITS Security management had not been provided with security event reports, e.g. firewall statistics, critical events, warnings, etc. for planning and monitoring.

Recommendation

A process should be established to ensure:

- Firewall configuration is reviewed periodically for validity.
- Password policy is complied with.
- Firewall monitoring and control reports are produced for review and follow-up.

IT agrees with the recommendation and will establish processes to address the above by May 15, 2004.

4.2 Network-Based Intrusion Detection System

A network-based intrusion detection system automatically detects, blocks and logs attacks by inspecting all inbound and outbound information to the network. It is important to ensure the system was installed with the proper configurations, password setups complying with the password policy, and that effective security violation reports are regularly produced for review.

The system's security could be better managed as ITS Security management and network staff had not been provided with analytical reports on intrusion detection data. Also, the system's password has not been changed since the system was installed.

Recommendation

A process should be established to ensure:

- Web Portal password policy is complied with.
- Monitoring and control reports are produced for review and follow-up.

IT agrees with the recommendation and will establish processes to address the above by May 15, 2004.

5.0 SERVER SECURITY

5.1 Anti-Virus Software

Corporate standards require that all Portal servers have anti-virus software with current definition files. One virus-infected computer could halt all Portal operations.

We noted up-to-date anti-virus definition files had not been installed in:

- One server in the production environment.
- Two servers in the test environment.

Recommendation

All servers should have anti-virus software with the most up-to-date anti-virus definition files installed.

IT agrees with the recommendation. An automated process has been created to ensure that the definition files are up-to-date.

5.2 File Integrity Software

File integrity software is vital to ensure accountability for system changes and to improve system availability, if recovery is required. It is important that the file integrity software, i.e. Tripwire, is used effectively for recording, monitoring, and reporting changes.

The contractor's staff did not understand the software's configuration and required training to interpret Tripwire reports. As a result, file integrity software data was not analyzed, nor had ITS Security management and staff been provided with Tripwire reports.

Recommendations

I. Training should be provided to staff and contractors in the use of Tripwire.
II. Monitoring and control reports should be produced regularly for management's review.

I. IT agrees with the recommendation, IT Security, HP and Windows Server Administration staff will be trained in the use of Tripwire by May 15, 2004.
II. IT agrees with the recommendation and will create a reporting process by May 15, 2004.

5.3 Host-Based Intrusion Detection Software

The Network Device Hardening Policy states that every server must be protected with a host-based intrusion detection software. This software must be properly configured if it is to block and report server attacks on a timely basis.

On some servers, the software was not effectively used as it was not installed or was improperly configured. We found that:

- In the production environment, at least six servers did not have the software installed, with at least ten servers not having the application protection feature turned on.

- The software had not been installed or activated in the test environment.
- Password had not been changed since installation.
- ITS Security management has not been provided with intrusion detection analysis reports.

Recommendation

A process should be established to ensure:

- The configured host-based intrusion detection system is reviewed periodically for validity, with monitoring and control reports produced for review and follow-up.
- Password policy is complied with.

IT agrees with the recommendation and will create a process to ensure review and reporting is carried out. This process will be in place by May 15, 2004.

5.4 Operating Systems

An operating system is critical to a server as it controls such computer operations as scheduling jobs, input, output, and security. To prevent exploitation of operating system security weaknesses, the Portal security policy stipulates that the operating system be properly configured with timely update of security patches from vendors.

Our review indicated:

- A formal security baseline was not in place. Servers were thus configured with minor modifications from the vendor's standard installation, and unnecessary ports and services with well-known vulnerabilities remained active. This exposed servers to misuse.
- Three servers were configured with the auditing function disabled; unauthorized activities could occur and not be monitored or reported.

Recommendations

I. A formal security baseline should be established for configuring Portal servers.
II. Auditing function should be activated for Portal servers.

I. IT agrees with the recommendation and will create a baseline configuration which will be reviewed by IT Security. Review will be completed by May 15, 2004.
II. IT agrees with the recommendation and has implemented auditing on all servers.

5.5 Internet Access

Except in specific circumstances, Portal servers should not be configured with Internet access. This is to prevent unauthorized individuals from using these servers to launch attacks on external websites.

The Portal's production environment could be exploited by intruders. We noted that:

- An external consultant had developed a script to send e-mails from a Portal server to external websites, thereby placing this server at risk.
- At least three Portal servers were configured with Internet access.

Recommendation

A process should be in place to ensure Portal servers are not configured with Internet access.

IT agrees in principle with the recommendation and has strictly limited Internet access. However, due to Web Portal functionality requirements one server must be configured with Internet access.

5.6 Testing in the Production Environment

Testing system patches and security updates in the test environment minimizes the risk of disrupting current operations in the event patches or updates fail to perform as expected.

We found that security patches were installed and tested in the production environment rather than in the test environment.

Recommendation

Testing of security patches should be conducted in the test environment.

IT agrees with the recommendation, all patches have been and will continue to be tested in the test environment. Please note that should a critical patch be required the test period may, of necessity, be shortened.

6.0 APPLICATION SECURITY

6.1 Plumtree Software

Access to authorized Portal applications provides external users a legitimate channel to pass through the City's firewall. It is important for such applications, e.g. Plumtree, to have user accounts with powerful privileges secured with strong passwords.

Portal password policy has not been complied with, as:

- Passwords for administrative accounts have not been changed since the system went live in 2002.
- Administrators Group account names equal their passwords. The effect of this weakness enabled the auditor to use, via the Internet, two Administrators Group accounts to log on to the Plumtree application. We then seized the administrative authority for setting up and deleting accounts, deleting files and directories, etc.
- The Administrators Group account for a contractor was not removed from the system after the contract's completion.
- The Plumtree administrative account password was simplistically created. As a result, we cracked the password in about one hour.

Recommendation

The Portal's password policy should be complied with.

IT agrees with the recommendation and has taken steps to ensure compliance. IT has also reduced the number of users with Administrative access to Plumtree.
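The password findings in sections 3.0 and 6.1 can be checked mechanically. The following Python script is an added example, not part of the audit report or of the City's tooling: it evaluates account records against the Web Portal Password Policy thresholds quoted in section 3.0 and the observations in 6.1. The record schema, the account names, the list of generic account names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds quoted from the Web Portal Password Policy (section 3.0).
MIN_LENGTH = 10
MAX_PASSWORD_AGE_DAYS = 45
LOCKOUT_THRESHOLD = 5   # bad attempts before lockout
LOCKOUT_MINUTES = 15    # minimum lockout duration

# Assumption: names this example treats as generic administrator accounts.
GENERIC_ADMIN_NAMES = {"administrator", "admin", "root"}


@dataclass
class Account:
    """One administrative account record (hypothetical export schema)."""
    name: str
    owners: List[str]                    # people who know the password
    blank_password: bool
    password_last_set: Optional[date]    # None when no password was ever set
    password_expires: bool
    lockout_threshold: int               # 0 = lockout disabled
    lockout_minutes: int
    contract_end: Optional[date] = None  # only set for contractor accounts


def check_new_password(username: str, candidate: str) -> List[str]:
    """Violations for a proposed password; an empty list means accepted."""
    if not candidate:
        return ["blank password"]
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if all(c.isalnum() for c in candidate):
        problems.append("no special character")
    if candidate.lower() == username.lower():
        problems.append("password equals account name")
    return problems


def audit_account(acct: Account, today: date) -> List[str]:
    """Findings for one account against the policy and the 6.1 observations."""
    findings = []
    if acct.name.lower() in GENERIC_ADMIN_NAMES:
        findings.append("generic administrator account")
    if len(acct.owners) > 1:
        findings.append("shared by several administrators")
    if acct.blank_password:
        findings.append("blank password")
    elif (acct.password_last_set is None
          or (today - acct.password_last_set).days > MAX_PASSWORD_AGE_DAYS):
        findings.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
    if not acct.password_expires:
        findings.append("password never expires")
    if acct.lockout_threshold == 0 or acct.lockout_threshold > LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold weaker than {LOCKOUT_THRESHOLD} attempts")
    if acct.lockout_minutes < LOCKOUT_MINUTES:
        findings.append(f"lockout shorter than {LOCKOUT_MINUTES} minutes")
    if acct.contract_end is not None and acct.contract_end < today:
        findings.append("contractor account active after contract end")
    return findings


def audit_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample data, not taken from the audited systems.
TODAY = date(2004, 2, 1)
SAMPLE_ACCOUNTS = [
    Account("administrator", ["admin1", "admin2", "admin3"], False,
            date(2002, 6, 1), False, 10, 5),
    Account("jdoe-adm", ["jdoe"], False, date(2004, 1, 10), True, 5, 15),
    Account("vendor-adm", ["vendor"], False, date(2004, 1, 20), True, 5, 15,
            contract_end=date(2003, 12, 31)),
    Account("svc-test", ["ops"], True, None, True, 5, 15),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_ACCOUNTS, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print(check_new_password("portaladmin", "portaladmin"))
```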

6.2 User Access Privileges

The Portal's Access Levels Policy identifies the principle of least privilege, i.e. Portal personnel should have minimum access and rights to data, applications, processes, and equipment.

We noted non-compliance with policy in that:

- Some users were assigned more privileges than needed.
- Formal guidelines for granting user access had not been established.
- Reports were not produced for periodic review of powerful Plumtree accounts, e.g. administrators group and portal publishers, for continued validity.

Recommendation

A process for granting, updating, and deleting users should be formalized for compliance with the Access Levels Policy.

IT agrees with the recommendation and has reviewed current access rights. A process will be created and implemented by May 15, 2004.

7.0 BUSINESS CONTINUITY PLAN

A business continuity plan enables The City to restore, in the event of a system outage, the Portal's operation with minimum disruption and delay. These plans must be comprehensive, with risks identified, evaluated, prioritized, and mitigated.

While some backup procedures are in place, a meaningful business continuity plan has yet to be developed.

Audit Comment

A Corporate initiative, the Risk Management Framework Project, is currently in progress which will include business continuity. ITS Security should participate, with other Portal stakeholders, in developing the Web Portal business continuity plan.

IT agrees in principle with the Audit Comment.

8.0 CONTRACTUAL AGREEMENT

The City engages a contractor to remotely manage the Portal's production environment. To avoid misunderstandings and establish proper accountability, service contracts should clearly specify roles and responsibilities for both parties.

Our review indicated the contract should be strengthened in the following areas for accountability:

- Requiring the contractor to provide regular analysis and reporting of security events. For example, an irregularity we created during the audit had not been reported by the contractor (we created an IP address to scan the network and servers, and to conduct file and directory analysis).
- Reporting incidents where either party's system security had been compromised.
- Requiring the contractor to notify the City of changes in personnel providing services to the Portal.
- The City receiving:
    - A third party security review report on the contractor's practices to ensure compliance with best industry practices.
    - Security documentation on the contractor's remote access to the City network.

Recommendation

Contracts for managing the Portal's production environment should be reviewed for completeness to ensure the contract provides proper accountability.

IT agrees in principle with the recommendation and will undertake a review of the contracts to be completed by May 15, 2004.

R.D. MacLean
BL/mic-g

Date Preliminary Report Issued: 2004 January 16

cc. O. Tobert, A/Chief Executive Officer
    C. Good, General Manager, Corporate Services
    B. Brunton, Computer & Information Security Officer, ITS
    D. Ryan, Manager, Infrastructure & Desktop Management, ITS
    Wes Koehn, A/City Treasurer, Finance and Supply
    Audit Committee
    External Auditor