External Penetration Assessment and Database Access Review

Similar documents
Payment Card Industry Data Security Standards

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Passing PCI Compliance How to Address the Application Security Mandates

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Application Security in the Software Development Lifecycle

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Risk Assessment Guide

External Supplier Control Requirements

Securing Database Servers. Database security for enterprise information systems and security professionals

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS)

Office of Inspector General

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Auditing in the New Millennium:

Information Blue Valley Schools FEBRUARY 2015

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Information Security Office

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Goals. Understanding security testing

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Reducing Application Vulnerabilities by Security Engineering

Introduction to Cyber Security / Information Security

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

Windows Operating Systems. Basic Security

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Thoughts on PCI DSS 3.0. September, 2014

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Information and Communication Technology. Patch Management Policy

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Critical Controls for Cyber Security.

McAfee Database Security. Dan Sarel, VP Database Security Products

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Achieving Compliance with the PCI Data Security Standard

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

INFORMATION SECURITY California Maritime Academy

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Five keys to a more secure data environment

Security Controls What Works. Southside Virginia Community College: Security Awareness

05.0 Application Development

Penetration Testing Report Client: Business Solutions June 15 th 2015

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Managing internet security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

A Decision Maker s Guide to Securing an IT Infrastructure

Practical Guidance for Auditing IT General Controls. September 2, 2009

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Guide to Vulnerability Management for Small Companies

Vulnerability Management Policy

ISO Controls and Objectives

Information Technology Cyber Security Policy

Four Top Emagined Security Services

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

SANS Top 20 Critical Controls for Effective Cyber Defense

IT Security Standard: Computing Devices

Data Management Policies. Sage ERP Online

Information Technology General Controls (ITGCs) 101

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Better secure IT equipment and systems

March

Cloud Computing Governance & Security. Security Risks in the Cloud

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Attachment A. Identification of Risks/Cybersecurity Governance

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Patch and Vulnerability Management Program

Information Technology Auditing for Non-IT Specialist

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Security aspects of e-tailing. Chapter 7

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Directory and File Transfer Services. Chapter 7

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Cisco Advanced Services for Network Security

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

AUDIT REPORT. The Energy Information Administration s Information Technology Program

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

CONTENTS. PCI DSS Compliance Guide

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Transcription:

External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management and Audit Committee of the City of Minneapolis and is not to be used or relied upon by others for any purpose whatsoever.

Agenda 1. Introductions 2. Assessment/Review Area a. External Penetration Assessment b. Database Access Review Agenda For Each Area Overview, Technology Background & Risks Approach Positive Observations/Observed Vulnerabilities 3. Questions 2

Protiviti Overview Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. We have more than 2500 employees in 70 offices that have served more than 35 percent of FORTUNE 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. Internal Audit & Financial Controls Finance & Accounting Excellence Business Operations Improvement Audit Committee Advisory Information Technology (IT) Audit Services Internal Audit Co-Sourcing Internal Audit Full Outsourcing Internal Audit Quality Assurance Reviews Internal Audit Technology & Tool Implementation Internal Audit Transformation Start-up & Development Advice High Value Auditing Data Mining & Analytics Financial Controls & Sarbanes-Oxley Compliance J-SOX Compliance Transaction Services Merger and Acquisition Services Public Company Transformation Performance & Information Management Finance Process Optimization Financial Reporting Remediation & Compliance International Financial Reporting Standards (IFRS) Financial Controls & Sarbanes-Oxley Compliance Enterprise Risk Management Litigation, Restructuring & Investigative Services Corporate Restructuring & Recovery E-Discovery Financial Investigations Fraud Risk Management Litigation Consulting Supply Chain Capital Projects & Contracts Loss Prevention Revenue Risks AP Recovery Services Risk & Compliance Risk Strategy & Management Compliance Information Technology Consulting Managing the Business of IT Managing Applications & Data Managing IT Security & Privacy 3

Protiviti Team 4

IT Audit Universe The IT audit universe is made up of applied technology (applications, supporting infrastructure), IT processes, and significant IT projects/initiatives. Processes that enable IT to deliver service to its end users based on existing frameworks like COBIT, ITIL, ISO. For example: Change Management Disaster Recovery IT Shared Services Manage IT Assets Manage Infrastructure PMO Manage Security Vendor Management Applied Technology IT Processes IT Projects Applications (i.e.; PeopleSoft) Databases (i.e.; Oracle) Operating Systems (i.e.; Microsoft Windows) Infrastructure Components (i.e.; Servers, Firewalls) Any in-process or planned IT project (including new applications, changes to IT processes, data center moves, other strategic initiatives, etc.) 5

Rating Definitions Risk Level = High = Medium = Low Significance Observed vulnerabilities assigned a high risk level are considered to present an imminent and significant threat and should be addressed as soon as possible. Observed vulnerabilities assigned a medium risk level do not pose an immediate threat, but could likely cause a noticeable impact. These should be addressed in a timely manner once high level risks have been addressed. Observed vulnerabilities assigned low risk level are considered to present threats that are unlikely to occur and would have a smaller impact. These should receive the lowest priority when being addressed. These observed vulnerabilities are assigned a subjective rating and provide management with information about the condition of risks and internal controls at a point in time. Future changes in environmental factors and actions by personnel may adversely impact or enhance these risks and controls in ways that this assessment did not and cannot anticipate. 6

External Penetration Assessment Overview Attempted to find commonly known vulnerabilities that a person outside of the organization with malicious intent ( attacker ) would try to exploit against the City of Minneapolis network. 7

Example External threat example The hacking group Anonymous recently made the news by attacking several government and corporate systems in an attempt to steal data and strong-arm organizations. Obtained and publicly released user information, credit card data and other private data What are attackers after? Private Data (Credit Card Numbers, Social Security Numbers, Financial Data) Control of Organizations Money: proprietary and private data is valuable 8

Risks Risks Unauthorized access to data classified as not public and internal systems Loss of availability of services relied upon by people and organizations Modification of data including falsifying records and defacement of public facing websites and services Implications Loss of user trust and harm to the City s brand and image Financial loss and responsibility to clean up and repair any internal and external damages 9

Overview 10

Assessment Approach Objective Assess the external security posture of the network and users 1. Discovered external hosts External Network Approach 2. Scanned and tested for common vulnerabilities 3. Attempted to exploit vulnerabilities with a focus on obtaining unauthorized access Social Engineering Approach 1. Selected a sample of 20 employees to call 2. Called employees and attempt to gain information deemed not public such as passwords 11

Positive Observations Several positive attributes of the control environment were observed. Positive Observations 1. Unauthorized access to systems or services was not obtained. 2. Default and/or weak passwords were not found. 3. Firewalls prevented access to internal networks. 4. Unnecessary services were not listening on the internet. 12

Observed Vulnerabilities Observed Vulnerability Criticality Expected Completion Date 1 Security Awareness = Medium 12/31/2013 2 Missing updates and patches = Medium 12/31/2012 3 Improper Output Sanitization = Medium 12/31/2012 4 External FTP (File Transfer Protocol) = Medium 12/31/2012 5 Web Platform Configuration = Low 12/31/2012 6 Insecure SSL (Secure Sockets Layer) Configuration = Low 12/31/2013 13

Database Access Review Overview Reviewed the controls in place for access to data used by Oracle PeopleSoft systems to identify any potential for inappropriate access to systems and data. PeopleSoft PeopleSoft is an Enterprise Resource Planning (ERP) application made by Oracle which can manage information for many different parts of an organization. 14

Overview Applications use databases to access, organize and store data. A Database Management System (DBMS) is used to actually manage the data and communicate with the application. The DBMS is installed on an Operating System (OS, such as Microsoft Windows). Both the OS and DBMS have users and access control configurations. 15

Oracle PeopleSoft Overview Examples of not public data stored in these databases; Employee Data Citizen Data Payroll Data Financial Data 5 different environments; Production Production-DR (Disaster Recovery) QA (Quality Assurance) Development Training/QA PeopleSoft uses Oracle DBMS. The Oracle PeopleSoft DBMS is installed on Microsoft Windows as the OS. 16

Risks Risks Unauthorized access to view or modify data Employees (Active and Terminated) Third-Party Vendors or Contractors Shared Accounts (Single account for multiple users) Inappropriate access for authorized users Access to data classified as not public which is beyond the scope of job role Extraneous administrative privileges Implications Exposure of data classified as not public such as employee personal information or financial data Tampering with or modification of data Modification of systems including loss of availability 17

Approach The following items were reviewed for both the OS and DBMS associated with each PeopleSoft implementation: Reviewed how authentication and access controls are implemented and restrict access Reviewed the account management process including user approval, creation, maintenance, tracking, and removal Verified that an account review process has been properly implemented Reviewed current user and administrator account access rights for appropriateness 18

Positive Observations Several positive attributes of the control environment were observed. Positive Observations 1. Privileges assigned to users were appropriate for the associated job functions. 2. Secure authentication mechanisms were in place. 3. Logging and monitoring of access related events were being performed. 19

Observed Vulnerabilities Observed Vulnerabilities Criticality Expected Completion Date 1 Incomplete Policy and Procedure Documentation = Medium 12/31/2012 2 Lack of Formalized Account Management Process = Medium 12/31/2012 3 Shared and Unknown Database Accounts = Medium 12/31/2012 20

Questions? 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information