Auditing: Measuring something against a standard How do you know you…?

Objectives
The student shall be able to:
- Define audit, vulnerability, threat, policy, procedure, baseline, auditor, audit exception, and audit exception root cause.
- Describe the purpose of a baseline, and the contents of a Network Traffic Baseline and a System Baseline.
- Define the terms detective, corrective, and preventive controls, and correctly classify a control into one of these categories.
- Define detection time, response time, and exposure time, given an example time-based security situation.
- Describe the purpose of the audit plan's scope, purpose, checklist, policy resource guideline, and audit strategy.
- Write an audit plan.
- Describe the purpose of each stage of an audit.
- Describe the important points of staying out of jail while doing an audit.
- Conduct a complete audit, procedurally.
- Develop a mini-audit plan and audit report based on logs and security configuration (Lab).
There is no reading this week. Work on your audit plan/report.

Parts of Audits
- Security Audit: Measures how well our security policies/procedures compare to best-in-class practice.
  Assessment or Verification: Analysis of the security design itself. Are our procedures effective?
- Conformance Audit: Measures how well a system or process conforms to our own policies/procedures.
  Validation: How well are we following our guidelines?
- Firewall example:
  Verification: Is our firewall plan (the rule set design) effective?
  Validation: Is the firewall actually implementing that plan and protecting us?

Vocabulary
- Vulnerability: An unlocked door in the infrastructure or organization
- Vulnerability Assessment: An evaluation of potential vulnerabilities within the described scope
- Threat: A potential action or event that exploits a vulnerability
  Examples: File deletion, information exposure, improper use of assets, malware attack
  Intentional versus Accidental Threat: Both have the same effect
- Exposure = Vulnerability + Threat
  A vulnerability nobody can reach, or a threat with no matching vulnerability, is not yet an exposure; the audit looks for the pairs.
- Threat agent: burglar. Threat: burglary. Vulnerability: open door.

IT Control Classifications
Controls are classified by when they act relative to the problematic event:
- Preventive Controls (before the event): Prevent problems
  Includes: Firewall, Intrusion Prevention System, programmed edit checks, encryption software, well-designed procedures and policies, physical controls, employing qualified personnel
- Detective Controls (at the time of the event): Detect the problem when it occurs
  Includes: Intrusion Detection System, error messages, check against baseline, past-due account reports, review of activity logs
- Corrective Controls (after the event): Fix problems and prevent their recurrence
  Includes: Rebuilding a PC, backup procedures, reruns
Preventive Controls are most important, since they prevent an attack from occurring. Don't you want to stop the attack before it happens? Therefore, if you are given a choice of a preventive, detective or corrective control and can implement only one, select the preventive.
Caveat: a preventive control that fails (a misconfigured firewall rule, a bypassed filter) fails silently unless a detective control sits behind it. The time-based security model on the following slides assumes all three kinds are present.

Time Based Security
- Can we react to an attack quickly enough to control it?
- Defense in Depth requires multiple layers: Protection (P) is how long the layers hold the attacker off, Detection (D) is how long until we notice the attack, Response (R) is how long until we act on it.
- Exposure = Detection + Response: the time an attacker can act before anything stops them
- Protection > Detection + Response: the condition for the defense to hold
- Estimate Best and Worst Detection and Response Times to get the Best and Worst Exposure, and compare each against Protection

Time-Based Examples
Protection: How long will it take to get through the multiple layers of defense?
Detection: How long will it take for us to recognize an attack?
Response: How long will it take to react to an attack?

Example 1: Defending a Castle
- On a hill or mountain
- Has a moat
- Has an outer wall
- Trees cut down around the wall
Each obstacle adds Protection time; the cleared ground lets the watch detect an approach sooner, shortening Detection time.

Example 2: Home Alarm
- An apartment alarm beeps for 15 seconds waiting for a passcode to be entered
- The alarm takes 15 seconds to dial the security company
- The security company takes 30 seconds to inform the police
- It takes the police 2-5 minutes to arrive at the site
- Protection: It takes one minute to empty a jewel box in the bedroom and walk out. It takes n minutes to steal all the expensive appliances in a home with one person.
Worked out: Detection = 15 + 15 + 30 s = 1 minute; Response = 2-5 minutes; Exposure = 3-6 minutes. The jewel box's Protection of 1 minute is below even the best-case Exposure, so the alarm does not protect it. The appliances are protected only if n exceeds the worst-case Exposure of 6 minutes.

More Examples
- Example 3: USS Cole
  USS Cole Attack Response: Move all US military vessels out of foreign ports and onto the open sea
- Example 4: Edge router, IDS, Firewall
- Example 5: Network Traffic Baseline
  A Shadow IDS measures traffic and reports hourly against a baseline. What are the best and worst Detection times? (An attack starting just before a report is caught almost immediately; one starting just after the report waits nearly a full hour, plus the time until someone reads the report.)
- Example 6: Sluggish Web service
  What are the best and worst Detection times?
- Implementation: Measure D + R with a stopwatch
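The arithmetic behind Example 2 and Example 5, as an added example (not part of the original slides): stages in a detection or response chain are (best, worst) pairs in seconds, a scheduled detector such as the hourly IDS report contributes between zero and one full period, and the verdict compares Protection against the worst-case D + R, which is the only case an auditor should rely on. The 1-15 minute analyst read time in `hourly_ids` is an assumption; the slides give no figure.

```python
"""Time-based security estimates (added example, not from the slides).

Each detection or response stage is a (best, worst) pair in seconds. Stages
in a chain happen one after another, so best cases add and worst cases add.
A detector that only reports on a schedule (the hourly IDS report of
Example 5) contributes no delay in the best case and a full period in the
worst case, before anyone has even read the report.
"""


def periodic_stage(period_s):
    """Detection delay contributed by a detector that reports every period_s."""
    return (0, period_s)


def chain_total(stages):
    """Best-case and worst-case duration of serial stages."""
    best = sum(best for best, _ in stages)
    worst = sum(worst for _, worst in stages)
    return (best, worst)


def exposure(protection_s, detection_stages, response_stages):
    """Compare Protection against best and worst D + R.

    Returns the estimates plus two verdicts: whether protection holds in the
    attacker-friendly worst case (the only case an auditor should rely on)
    and how many seconds of protection are missing for that.
    """
    d_best, d_worst = chain_total(detection_stages)
    r_best, r_worst = chain_total(response_stages)
    e_best, e_worst = d_best + r_best, d_worst + r_worst
    return {
        "detection": (d_best, d_worst),
        "response": (r_best, r_worst),
        "exposure": (e_best, e_worst),
        "secure_best_case": protection_s > e_best,
        "secure_worst_case": protection_s > e_worst,
        "shortfall_s": max(0, e_worst - protection_s),
    }


def home_alarm():
    """Example 2 from the slides: the jewel box takes one minute to empty."""
    detection = [(15, 15), (15, 15), (30, 30)]  # grace period, dial-out, police notified
    response = [(120, 300)]                      # police arrival, 2 to 5 minutes
    return exposure(60, detection, response)


def hourly_ids(analyst_read_s=(60, 900)):
    """Example 5: hourly baseline report, then an analyst reads it.
    The 1 to 15 minute read time is an assumption; the slides give no figure."""
    return chain_total([periodic_stage(3600), analyst_read_s])


if __name__ == "__main__":
    print(home_alarm())
    print("hourly IDS detection (best, worst):", hourly_ids())
```

Run it and the home alarm reports an exposure of 180-360 s against 60 s of protection, a shortfall of 300 s; lengthening P (a safe for the jewel box) or shortening R (a guard on site) are the two ways to close it.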

Security Documentation
- Policy: Requirements
  Rule: Describes 'what' needs to be accomplished
  "Only students currently enrolled in computer science courses shall have access to the computer science lab"
- Policy Objective: Describes why the policy is required
- Policy Control: Technique to meet the objective; may include a procedure
- Example 1:
  Policy Objective: Reduce highway deaths
  Policy Control: Set the speed limit to 55
- Example 2:
  Policy Objective: Differentiate between different users on a system
  Policy Control: Logon restrictions, smart card, biometric authentication
- Discussion: Are these effective controls by themselves?

Procedure
- Procedure: Outlines 'how' the Policy will be accomplished
- "The CS System Administrator shall provide a list of student IDs to the lab entrance system by running the XXX program using the YYY file one week before classes begin."
- "Students must slide their student ID card through the card reader and enter the last four digits of their SSN to gain entry at the CS lab door."

Baseline
- Baseline: Snapshot of a system in a Known Good State
- Is a static measure of a system
- Enables recognition of changes in the system via activity profiles
- Enables description of how a system has changed
- Most useful when generated automatically, and compared automatically, so that the check becomes a standing detective control rather than a one-off

Example Baselines
- Network Traffic Baseline: Shows traffic volume per hour of day (Wireshark, Shadow/NFR IDS, etc.)
- System Baseline: Shows OS version, available disk space, description of system files, size of different major directories...
- Start -> Run -> winver: Shows the version of the OS
- psservice (Sysinternals PsService) with its output redirected to a file: Saves the service configuration as system baseline information

Preparing a Baseline
- Best: Take the baseline from a freshly installed system
- Otherwise, to achieve a Known Good State:
  Update virus signatures
  Ensure the system is fully patched
  Do a comprehensive virus scan
  Check all files (not just system files)
  Turn on heuristic virus scanning, which recognizes suspicious patterns in addition to signatures
- Save baselines to CD (or other offline, write-once storage): a baseline kept on the system it describes can be altered by whoever compromises that system
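A minimal system baseline of the kind the last three slides describe, as an added example that is not from the slides: take a snapshot of a directory tree (OS version plus size, permission bits and SHA-256 of each file), store it somewhere other than the audited system, and later diff a fresh snapshot against it. It is cross-platform Python rather than the Windows tools named above, and `demo()` builds a constructed directory with constructed file contents so it runs anywhere.

```python
"""System baseline: snapshot a tree in a Known Good State, store it offline,
and later diff a fresh snapshot against it. Added example, not from the
slides; demo() works on a constructed temporary directory.
"""
import hashlib
import json
import os
import platform
import shutil
import tempfile
import time


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Record OS version plus size, permission bits and SHA-256 of every regular file."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # links and devices carry no content to hash
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
                "sha256": file_digest(full),
            }
    return {
        "taken": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "os": platform.platform(),
        "root": os.path.abspath(root),
        "files": files,
    }


def save_baseline(baseline, path):
    """Write the baseline; path should be on separate, ideally write-once media."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Paths added, removed or modified since the baseline. A permission change
    counts as modified even when the content hash is unchanged."""
    old, new = baseline["files"], current["files"]
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, diff."""
    root = tempfile.mkdtemp(prefix="baseline-root-")
    store = tempfile.mkdtemp(prefix="baseline-store-")  # stands in for the offline CD
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        save_baseline(take_baseline(root), os.path.join(store, "baseline.json"))

        # Tampering: an extra uid-0 account, hosts removed, an unexpected job added
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "cron.daily"), "w") as f:
            f.write("# constructed unexpected scheduled job\n")

        return compare(load_baseline(os.path.join(store, "baseline.json")), take_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is a detective control in the sense of the control-classification slide: it tells you that `etc/passwd` changed, not why, so each reported path still needs the root-cause step of the audit.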

Auditor Responsibilities
- Measure and report on risk
- Raise awareness of security issues in order to reduce risk
- Often provide input to policies and procedures
Raising Awareness: It's not 'if' we'll be hacked but 'when'. You can never be too secure...

Audit Plan Outline
- Objective: What do we hope to accomplish or measure through the audit?
- Scope: What part of the organization are we auditing?
  Can audit a process, a technology, a department/division
  Example: "Enumerate vulnerabilities for X web server"
  Can include:
  Validation: Are rules implemented correctly?
  Baseline Comparison: Measure conformance to policy; measure whether the system has been compromised

Audit Plan Outline Cont'd
- Policy Resource Guidelines: Documentation for existing and recommended security guidelines
- Audit Strategy: A definition of how the audit will occur. What tools and techniques will best meet the objectives?
- Checklist: Each policy has a number of checklist line items; each line item describes a procedure for what to measure and how to measure it against the policy
- Signatures: On the cover page, request signatures of the audit team, the instructor, and the team from the audited company. Make sure that both you and the company have a signed copy of the Audit Plan.

Policy Resource Guidelines
- Company policies: Statement in full or summary
- Best Practice references:
  Center for Internet Security: www.cisecurity.org. Provides documents that can easily be used as part of an audit checklist, including procedures, standards, tools, benchmarks
  ISO/IEC 27001:2013 (requirements for an information security management system) and ISO/IEC 27002:2013 (Information technology -- Security techniques -- Code of practice for information security controls). International Standards
  COBIT: Control OBjectives for Information and related Technology: www.isaca.org. IT-oriented framework for the control and management of corporations; commonly used to demonstrate adherence to Sarbanes-Oxley (SOX)
  NIST: National Institute of Standards and Technology: www.nist.gov. Set of Standards (FIPS) and Guidelines (Special Publications); adherence to FISMA: Federal Information Security Management Act

Audit Process Outline
- Audit Planning: Create the Audit Plan
- Entrance Conference: Inform people of the process
- Fieldwork: Measurement of the system
- Report Preparation: Complete the report
- Exit Conference: Discuss the report with affected personnel
- Report to Management: Provide the revised report to management

Step 1: Audit Planning
- Auditor works with the contracting individual to determine the scope/purpose of the audit
- Research corporate policies and industry best-practice standards
- Prepare the audit strategy, checklist, and audit procedures

Step 2: Entrance Conference
- Auditor meets with all people involved in the audit
- Management schedules the meeting, including management, security, system administrators, and the users being audited (e.g., if random workstations are being audited, those users attend)
- Manager introduces you, explains the purpose of the audit and states his/her support for it
- Auditor then takes control of the meeting to discuss:
  Audit Scope/Objectives
  Auditor's role
  Role of others
  Audit Process
  Timeframes: Make appointments with all parties you need during the meeting
- Take a team approach: Do not offend anyone or play power games. People should be engaged, not intimidated by you.

Step 3: Fieldwork
- Auditor performs the audit (often alongside the responsible worker)
- Report facts as you find them, as a detective would
- Even if a security vulnerability is fixed when found, still report the vulnerability and the fix

Results and Recommendations
- Audit Exceptions: Items that fail to meet the audit criteria
- Mitigation: Recommendation to reduce loss/harm
- Remediation: How to fix an Audit Exception, by policy, procedure, or best practice
- Root Cause: Why is there an audit exception? Treat the illness, not the symptom

Step 4: Report Preparation
- Include the Objective/Scope of the audit
- Develop the technical write-up of the report first:
  What the organization does well
  What the organization needs to do better
  If a system administrator patched a hole during the audit, mention that
  Organize findings in a logical way
- Write the Executive Summary last, but place it as the first section of the Report
  It should be understandable to a non-technical executive manager
  Describe good and bad points in bullets (make people look competent)
- Your report must be written professionally if it is to be credible. Have another writer/auditor proofread it.

Step 5: Exit Conference
- Auditor communicates findings to the entire team. Exit Conference Team = Entrance Conference Team
- Go over the Executive Summary first, then give a copy of the Audit Report to the team
- The team may defend themselves in the meeting. Discussion (not argumentation) is healthy
- Amend the report after the meeting if new information arises
- Be careful in wording: "Best Practices include ..." NOT "Most administrators know better than ..."
- Stay out of arguments if you can

Step 6: Report to Management
- Prepare a PowerPoint presentation (plan for 60 minutes of presentation, and schedule a 2-hour meeting)
- The presentation should include:
  Audit purpose, scope, goals
  Executive Summary: Positive and negative points

Meeting Pointers
- Have the highest executive schedule the meeting
- The highest executive kicks off the meeting; the auditor then takes over
- Give out copies of the slides (executives love them)
- Present for half an hour
- Hand out the full report and take a 15-minute break. The break gives management a chance to talk to the technical staff and ask questions
- After 15 minutes, start promptly again (or try to)
- Complete the report
- Include a list of the people who did exceptionally well and should be encouraged and retained
- Answer additional questions when the report is complete

Additional Recommendations
- Clear up scope/purpose in one meeting (you will look unprofessional if you keep returning for clarification)
- Do not test or venture beyond what was agreed. Extraneous information is not always welcome
- Do not go beyond scope; in particular, do not demonstrate vulnerabilities, for legal reasons
- Always maintain a professional demeanor: not too chummy or informal
- Always have present the company representative who is most knowledgeable about the matter being validated
- The company retains control: no surprises in tests or results
- Work together: two heads are better than one. Work with the in-house expert, involve them, be humble
- Teach each other: teaching someone to fish is better than giving them a fish
- Discuss your findings with the in-house experts as you find them. There should be no surprises in the exit conference
- Oh yeah: dress well!

Audit Report Outline
- Audit Objective
- Scope
- Executive Summary
- Results
- References

Audit Report Example
- Audit Purpose: Determine the amount of traffic not related to business goals. Identify potential risks and additional controls.
- Scope: Determine the internet traffic at headquarters, including which applications are run, by whom, and when. Determine which web pages are accessed both internally and externally. The time frame for measurement is one week.

Audit Report Example (2)
- Executive Summary: "At least M% of bandwidth is used for chat, external email, SSL, and streaming media. N% of web references are for non-business use. External email is prone to viruses that the company email screeners never see. Most illegal web use comes from Buildings 205 and 206, and in particular from the Sales department."
- Recommendation: Block chat IP addresses/ports in the firewall. Train management on handling inappropriate use of time.

Audit Report Example (3)
- Results - Verification: Best-in-class standards (e.g., COBIT) define that policies should be written and communicated to employees relating to what they can and cannot do [1]...
- Results - Validation: This section shows line charts of usage for each protocol type per hour of the working day (on average). It also shows pie charts of the usage of different categories of web page accesses. Actual results are provided in Appendix A.
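How the M%, N% and "Sales department" figures of the example Executive Summary are derived from the Validation data, as an added example that is not part of the original slides. The log format (timestamp, building, department, user, protocol, category, bytes) and the eight records are constructed for the example; a real audit maps the proxy's own category field onto the policy's business and non-business classes.

```python
"""Derive the figures in the example Executive Summary from proxy log records.
Added example, not from the slides. The log format and the sample records
are constructed for illustration.
"""
from collections import Counter, defaultdict

NON_BUSINESS = {"chat", "streaming", "external_mail", "prohibited"}

# Constructed sample: one workday, eight web requests.
SAMPLE_LOG = """\
2018-09-24T08:05:11 b101 engineering alice http business 4500
2018-09-24T08:20:44 b205 sales bob https chat 1000
2018-09-24T09:00:02 b205 sales bob https streaming 3000
2018-09-24T09:30:19 b206 sales carol http prohibited 500
2018-09-24T10:00:37 b101 engineering dave https business 1500
2018-09-24T10:15:08 b206 marketing erin https external_mail 500
2018-09-24T11:00:55 b205 sales bob http prohibited 500
2018-09-24T11:30:40 b101 engineering alice https business 1000
"""


def parse_log(text):
    """One dict per non-empty line; hour is taken from the ISO timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, building, dept, user, proto, category, nbytes = line.split()
        records.append({
            "hour": int(ts[11:13]), "building": building, "department": dept,
            "user": user, "protocol": proto, "category": category, "bytes": int(nbytes),
        })
    return records


def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def summarize(records, non_business=NON_BUSINESS):
    """Bandwidth and request percentages, plus where the non-business use comes from."""
    total_bytes = sum(r["bytes"] for r in records)
    nb = [r for r in records if r["category"] in non_business]
    hourly = defaultdict(int)
    for r in records:
        hourly[r["hour"]] += r["bytes"]
    return {
        # "At least M% of bandwidth ..."
        "pct_bytes_non_business": pct(sum(r["bytes"] for r in nb), total_bytes),
        # "N% of web references are for non-business use"
        "pct_requests_non_business": pct(len(nb), len(records)),
        # "Most ... comes from Building ..., and in particular the Sales department"
        "non_business_by_building": dict(Counter(r["building"] for r in nb)),
        "non_business_by_department": dict(Counter(r["department"] for r in nb)),
        "prohibited_by_department": dict(Counter(
            r["department"] for r in records if r["category"] == "prohibited")),
        # Data behind the per-hour usage charts in the Validation section
        "bytes_by_hour": dict(sorted(hourly.items())),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed data M is 44.0% of bytes and N is 62.5% of requests; the per-department counter is what lets the summary name Sales rather than a building, since a building houses several departments.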

Changes for University Environment
- SANS recommends providing a technical summary of the results of the checklist tests. However, the professor needs to see more detail.
- Each checklist item must describe: 1) the procedure for how the policy is measured, 2) the outcome of the test, 3) any recommendations arising from the audit step.
- This allows the instructor and the organization to learn how the auditor arrived at his or her conclusions, and to determine the validity of the report.
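A checklist runner that produces exactly the three elements required above (procedure, outcome, recommendation) for each line item, as an added example that is not from the slides. It audits a constructed sshd_config fragment against four illustrative policy statements; the item identifiers and policy wording are made up for the example and are not quotations from any CIS benchmark. The one real detail worth copying is in the parser: sshd uses the first value it sees for a keyword, so an audit that reads the last value would pass a host that sshd itself leaves open.

```python
"""Checklist runner: each line item carries the procedure (how it is measured),
the outcome, and a recommendation. Added example, not from the slides. The
sshd_config fragment and the four policy items are constructed for illustration.
"""
from collections import namedtuple

# id, policy reference, measurement procedure, check function, remediation
Item = namedtuple("Item", "id policy procedure check remediation")


def parse_sshd_config(text):
    """Keyword -> value. sshd uses the FIRST value it sees for a keyword, so a
    hardened line appended below a permissive one changes nothing; the parser
    mirrors that so the audit measures what sshd actually enforces."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def equals(key, expected):
    """Check that a keyword is explicitly set to expected (unset is a FAIL:
    defaults vary by OpenSSH version, so the policy requires an explicit value)."""
    def check(settings):
        observed = settings.get(key.lower(), "<unset>")
        return observed.lower() == expected.lower(), observed
    return check


def at_most(key, limit):
    def check(settings):
        observed = settings.get(key.lower(), "<unset>")
        return observed.isdigit() and int(observed) <= limit, observed
    return check


CHECKLIST = [
    Item("AUD-1", "Policy: no direct root logon", "Read PermitRootLogin from the effective sshd_config",
         equals("PermitRootLogin", "no"), "Set PermitRootLogin no as the first occurrence of the keyword"),
    Item("AUD-2", "Policy: key-based authentication only", "Read PasswordAuthentication",
         equals("PasswordAuthentication", "no"), "Set PasswordAuthentication no"),
    Item("AUD-3", "Policy: limit brute-force attempts", "Read MaxAuthTries; must be 4 or fewer",
         at_most("MaxAuthTries", 4), "Set MaxAuthTries 4"),
    Item("AUD-4", "Policy: no X11 forwarding on servers", "Read X11Forwarding",
         equals("X11Forwarding", "no"), "Set X11Forwarding no"),
]

# Constructed fragment. The trailing PermitRootLogin no is a trap: sshd ignores it.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding yes
PermitRootLogin no
"""


def run_checklist(items, settings):
    """One result per line item: procedure, outcome, observed value, recommendation."""
    results = []
    for item in items:
        ok, observed = item.check(settings)
        results.append({
            "id": item.id, "policy": item.policy, "procedure": item.procedure,
            "outcome": "PASS" if ok else "FAIL", "observed": observed,
            "recommendation": None if ok else item.remediation,
        })
    return results


def audit_exceptions(results):
    """The items that fail the audit criteria, for the Results section."""
    return [r for r in results if r["outcome"] == "FAIL"]


def demo():
    return run_checklist(CHECKLIST, parse_sshd_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for r in demo():
        print(f"{r['id']} {r['outcome']:4} observed={r['observed']!r}  {r['procedure']}")
        if r["recommendation"]:
            print("       recommendation:", r["recommendation"])
```

Each result record is one checklist line in the report; the observed value is the evidence that lets the instructor or the organization verify how the auditor reached the PASS or FAIL.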

Audit Report Example (4)
References:
[1] IT Control Objectives for Sarbanes-Oxley, 2nd Ed., Exposure Draft, IT Governance Institute, April 30, 2006.

How to Stay Out of Jail!
- Audits often require scanning a network to determine open ports and listening applications. Results can include:
  Crashed production systems
  VERY upset administrators and managers
- The difference between a hacker and a security analyst is PERMISSION!!
- Your written permission is your GET OUT OF JAIL card.

To stay out of jail and keep your job
- Get permission in writing!
- Plan to scan one subnet at a time! Pick an off-peak time in case something does go wrong.
- Publicize the scan! The managers and system administrators must know the exact date and time of the scan. Eventually something will go seriously wrong, so always take precautionary steps. System administrators who go into panic mode for hours over your audit will not appreciate you!
- Be present! Be available for the entire duration of the scan, in case something does go wrong or you get questions. Also expect to answer questions up to a few days later.
- Be persistent! Be careful to check all devices within the scope. False positives and false negatives occur, so be extra careful.
- Provide feedback! When the audit is complete, report to the system administrator or network manager and help them fix vulnerabilities. Complete the cycle within schedule, then begin scanning the next subnet.
Note: If a host reboots due to an audit scan, it would have happened with a hacker; it was just a matter of time.

Example Written Notice
Subject: Security Audit Tuesday Oct 10

Next Tuesday, Oct 10, from 4-6 PM we will be conducting an audit of the firewall. We plan to validate the services that the firewall allows to pass through, both inbound and outbound.

As part of this audit's scanning process, a significant number of TCP and UDP packets will be generated, and some ICMP packets. Specifically, we will be scanning ports 1-NNNN with a UDP scan, a SYN half-open scan and a full TCP-connect scan. In order to minimize any significant impact on firewall operations, we will generate packets slowly, at the rate of 1 packet every X seconds.

During the scan period, I will be available in room XXXX. I will also be reachable via phone: 255-5466; via pager: 262-445-9933; or email: youraddress@cs.uwp.edu. I will be happy to reply to any questions or concerns, and provide more detail about our audit if necessary.

Summary
- Stay out of Jail:
  Get a signature on the audit plan
  Broadcast what you plan to do, and when
  Only do what is in the audit plan
- For this class:
  Be very specific about what tests you did and what results you got
  Be sure you have a member of the organization with you when you do the audit, and let them see all problems at the time of the audit
  Double-check with me before submitting the proposal or report to your customer: submit the most professional document

Summary Review
- Security Cycle: Plan Security, Implement Security, Test (Audit) Security
  Verification: Is our plan effective?
  Validation: Is it really protecting us?
- Controls (Preventive, Detective, Corrective)
- Policies & Procedures
- Baseline
- Security Plan
- Security Report