
Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Implementing Enterprise Security:
A Case Study (Part 2)
By Ken Doughty, CISA, CBCP
This article is part two of a two-part series. The first part was published in the Journal volume 2, 2003. In part one, the need for organizations to implement an enterprise security framework was outlined. To demonstrate how this framework can be implemented, the case study walked the reader through a strategic and tactical approach to implementation and outlined the lessons that were learned (figure 1). While part one addressed organizational security, part two covers:
• Operating system security
• Database management system (DBMS) security
• Telecommunications security
• Access security—information assets

Figure 1—Security Tactical Framework
(Figure: the tactical framework shown as five blocks: Organizational Security, Operating System Security, DBMS Security, Telecommunications Security and Access Security—Information Assets.)

Operating System Security
The case study organization had various operating systems across the three towers:
• Mainframe—OS/390
• Mid-Range—AIX
• Server/Desktop—NT 4, Windows 2000 and Solaris (UNIX)
The tactical strategy for each platform was to have a security audit performed on the operating system. Given the large number of servers, it was decided to select a sample of critical servers (e.g., primary domain controllers, exchange servers and applications servers) for audit on the basis of cost and the likelihood of common security weaknesses. External security consultants were engaged to conduct the security audits for each type of operating system. The audits identified a range of security weaknesses. As predicted, there were common security weaknesses across the server platform for each type of operating system. An action plan was developed to address the deficiencies and it was included in a centralized record (security register) to ensure that appropriate action was taken in a timely manner. The recently appointed data security officer had the responsibility and accountability to maintain this register, which was in an Access database. For example, the type of security weaknesses identified for NT included those listed in figure 2.

Figure 2—NT Security Weaknesses
Issue: Description
Guess password: A large number of user passwords was broken using a freely available password program.
Guest account: The guest account was not disabled and the default password was not changed.
Shut down the system: Unauthorized users had the privilege to shut down the server.
Legal notice: No legal notice was displayed at the logon screen.
Account lockout: Accounts were not set to lock out in the event of multiple (five) incorrect password attempts.
Account reset: Accounts were automatically reset after 20 minutes.
Password age: No maximum password age was set (e.g., 30 days) and the minimum password age was set to 0 days.
Password history: The password history was not set (e.g., remember the last 15 passwords).
Password never expires: The option had not been disabled; therefore, users were not asked to change their password at regular intervals.
Password complexity: Default system passwords were not changed, and the system allowed blank passwords.
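As an added example (not code from the article or from the case-study organization), the figure 2 findings turned into a repeatable check: the script parses a secedit-style security template export (a constructed sample in the "[Section]" / "Key = Value" layout) and reports each figure 2 issue the template still exhibits. Thresholds come from figure 2 where it gives one (five attempts, 30 days, 15 passwords); the 30-minute lockout floor and the eight-character minimum length are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample of a secedit-style template export (not from the article);
# its weak settings mirror the figure 2 findings.
WEAK_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
LockoutDuration = 20
EnableGuestAccount = 1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText=1,""
"""
# Well-known group SIDs that should not hold the shutdown right on a server.
BROAD_SIDS = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users", "*S-1-5-32-545": "Users"}


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INF-style '[Section]' headers and 'Key = Value' lines into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def audit_template(text: str) -> List[Tuple[str, str]]:
    """Return (figure 2 issue, finding) pairs for every baseline the template fails."""
    sections = parse_template(text)
    access = sections.get("System Access", {})
    num = lambda key: int(access.get(key, "0"))  # absent key reads as 0
    findings: List[Tuple[str, str]] = []
    if not 1 <= num("LockoutBadCount") <= 5:
        findings.append(("Account lockout", "no lockout after five incorrect attempts"))
    # -1 means "locked until an administrator unlocks"; the 30-minute floor is assumed.
    if num("LockoutDuration") != -1 and num("LockoutDuration") < 30:
        findings.append(("Account reset", f"lockout clears after {num('LockoutDuration')} minutes"))
    if num("MaximumPasswordAge") < 1 or num("MaximumPasswordAge") > 30 or num("MinimumPasswordAge") < 1:
        findings.append(("Password age", "no 30-day maximum age or 0-day minimum age"))
    if num("PasswordHistorySize") < 15:
        findings.append(("Password history", "fewer than 15 previous passwords remembered"))
    if num("PasswordComplexity") != 1 or num("MinimumPasswordLength") < 8:
        findings.append(("Password complexity", "complexity off or blank/short passwords allowed"))
    if access.get("EnableGuestAccount", "1") != "0":
        findings.append(("Guest account", "guest account is enabled"))
    holders = sections.get("Privilege Rights", {}).get("SeShutdownPrivilege", "").split(",")
    broad = [BROAD_SIDS[h.strip()] for h in holders if h.strip() in BROAD_SIDS]
    if broad:
        findings.append(("Shut down the system", "shutdown right held by " + ", ".join(broad)))
    registry = sections.get("Registry Values", {})
    notice = next((v for k, v in registry.items() if k.endswith("\\LegalNoticeText")), "")
    if notice.split(",", 1)[-1].strip().strip('"') == "":  # export form is <type>,"<text>"
        findings.append(("Legal notice", "no legal notice configured for the logon screen"))
    return findings
```

Run against the weak sample it reports eight of the figure 2 issues; the per-account "password never expires" flag lives on user objects rather than in the template, so it needs a separate account-by-account check.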

Database Management Systems (DBMS)
The tactical strategy was for each of the DBMS to have a security audit. The organization had four DBMS to support across its hardware platforms:
• DB2
• MS SQL Server
• Oracle
• Lotus Notes
There was a large number of DBMS spread out across the various hardware platforms. Given the budget constraints, and the likelihood that there would be common security weaknesses within the SQL Server DBMS for the server platform, only the critical servers were targeted. After discussions with the application owners, the critical DBMS servers were selected. External security consultants were engaged to conduct the DBMS security audits. The audits identified a range of security weaknesses. As predicted, there were common security weaknesses across the server-based DBMS. Common DBMS security weaknesses detected included those listed in figure 3.

Figure 3—DBMS Security Weaknesses
Issue: Description
User access:
• Users with inappropriate privileged access to the database and operating system installation and source files
• Developers with inappropriate privileged access to the production environment, including acting as database administrators (DBAs) in the production environment
Passwords:
• Usernames and passwords which had been embedded into scripts to support backup procedures
• Default accounts and passwords enabled on the database
• Minimum password length set to one digit
• Passwords identical to user names
Unauthorized users:
• Terminated users remaining in the system
Account lockout:
• User account lockouts not enabled
Privileged access:
• Tools in use in one database environment, which allowed privileged access to databases outside of the application

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2003
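As an added example (not code from the article or from the case-study organization), a scanner for the figure 3 password findings as they appear in backup scripts: it locates credentials embedded in Oracle, SQL Server and DB2 client command lines and tags blank passwords, passwords identical to the user name and vendor default accounts. The scripts are constructed; the client syntaxes and the default-account list are assumptions from product documentation, not from the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed backup scripts (not from the article) of the kind figure 3 describes.
BACKUP_SCRIPTS: Dict[str, str] = {
    "ora_nightly.sh": """\
#!/bin/sh
exp system/manager@PRODDB full=y file=/backup/prod.dmp
rman target backup_op/backup_op@PRODDB cmdfile=/opt/rman/full.rcv
sqlplus -s /nolog @/opt/scripts/stats.sql
""",
    "sql_backup.cmd": """\
osql -S PRODSQL -U sa -P "" -Q "BACKUP DATABASE Sales TO DISK='E:\\bak\\sales.bak'"
db2 connect to PAYROLL user db2admin using Summer2003
""",
}

# Vendor default accounts documented for these products: (user name, password).
DEFAULT_CREDENTIALS = {
    "oracle": {("system", "manager"), ("sys", "change_on_install"), ("scott", "tiger")},
    "sqlserver": {("sa", "")},
}

# One pattern per client syntax; group 1 is the user name, later groups the password.
PATTERNS = [
    ("oracle", re.compile(r'\b(?:sqlplus|exp|imp|rman\s+target)\s+(?:-\S+\s+)*([A-Za-z_]\w*)/([^\s@]+)')),
    ("sqlserver", re.compile(r'\b(?:osql|isql|bcp)\b.*?-U\s*(\S+).*?-P\s*(?:"([^"]*)"|(?!-)(\S*))')),
    ("db2", re.compile(r'\bdb2\s+connect\s+to\s+\S+\s+user\s+(\S+)\s+using\s+(\S+)', re.I)),
]

Finding = Tuple[str, int, str, str, List[str]]  # script, line number, dbms, user, tags


def scan_script(name: str, text: str) -> List[Finding]:
    """Flag each embedded credential and tag the figure 3 password weaknesses it shows."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for dbms, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            user = match.group(1)
            password = next((g for g in match.groups()[1:] if g is not None), "")
            tags = ["embedded credential"]
            if password == "":
                tags.append("blank password")
            if password.lower() == user.lower():
                tags.append("password equals user name")
            if (user.lower(), password.lower()) in DEFAULT_CREDENTIALS.get(dbms, set()):
                tags.append("vendor default account")
            findings.append((name, lineno, dbms, user, tags))
    return findings


def scan_all(scripts: Dict[str, str]) -> List[Finding]:
    """Scan every script and return the findings in file order for the security register."""
    return [f for name, text in scripts.items() for f in scan_script(name, text)]
```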

An action plan was developed to address the deficiencies (included in the security register) identified by the DBMS security audits. Processes were reviewed and revised to strengthen the procedures to minimize the likelihood of the recurrence of security weaknesses.

Telecommunications
The telecommunications tactical strategy was to address:
• E-mail content filtering
• URL content filtering
• Intrusion detection system
• External gateways security

E-mail Content Filtering
The organization’s policy for e-mail use allowed users limited private use of e-mail. The gap analysis identified that there was no content filtering of e-mails received from or sent outside of the organization. The organization had a software product (located within the DMZ) that was used for scanning the e-mails for viruses. This software had a limited capability for filtering content. Due to budgetary constraints, it was decided to switch on this limited capability. In the next budgetary cycle, the organization planned to purchase a dedicated e-mail content filtering product (e.g., Surf Control). Before the e-mail content filtering could be “switched on,” a number of tasks had to be performed:
• A change request was created to change the configuration of the existing software (including updating the configuration database) and tested before implementation.
• The organization’s users had to be issued a copy of the e-mail usage policy and sign a document acknowledging their acceptance of policy conditions.
• The intranet site was updated to inform e-mail users:
  – The date that the e-mail content filtering was being “switched on.”
  – An explanation that the IT department would not be “reading” e-mails, but rather a software product with defined parameters would determine an e-mail’s acceptance (e.g., e-mails containing profanity would not be accepted). This was necessary to alleviate any concerns e-mail users had regarding privacy.
  – E-mails and associated attachments that failed to pass the filtering would be quarantined, and the e-mail sender and the intended recipient would be advised accordingly.
• Processes for escalation and investigation of e-mail abuse were developed.
Due to careful planning, there was complete acceptance among e-mail users of the introduction of e-mail content filtering. However, minor problems were experienced during its initial implementation due to the content filtering parameters. For example, e-mails were being quarantined where the filter found “XXX” within the e-mail. “XXX” often is a shortcut for kisses; however, it also is used as an indication of pornography.

URL Content Filtering
The organization’s policy for Internet usage allowed users limited private use of the Internet outside of business use. The gap analysis identified that there was no URL filtering to prevent users from visiting web sites that were considered to be inappropriate (e.g., pornographic, promotion of racial hatred, etc.). The organization had purchased software for URL filtering but the software was not deployed. One of the servers found during the IT asset audit (refer to part one of this article) was allocated for the software installation. Before the Internet content filtering could be “switched on,” a number of tasks had to be performed:
• A change request was created to install the hardware in the data center with the URL software and tested.
• The organization’s users had to be issued a copy of the Internet usage policy and sign a document acknowledging their acceptance of policy conditions.
• The intranet site was updated to inform Internet users:
  – The date Internet content filtering was being “switched on”
  – That if they attempted to visit inappropriate Internet sites, they would receive a message that their attempts had been detected and they would be reported for follow-up disciplinary action
• Processes for escalation and investigation of Internet abuse were developed.
Processes had to be developed in consultation with the organization’s human resources department for the reporting of Internet use that was not in accordance with the policy. Initially, there was a larger-than-expected reporting of attempts by staff to gain access to sites that were deemed to be inappropriate (e.g., pornographic). Rather than take a heavy-handed approach, it was decided to allow it to self-correct by placing on the organization’s intranet site an advice that URL monitoring and logging had been “switched on” and in the very near future a review of these logs would occur. After placing this message on the intranet site, there was a significant reduction in attempts to gain access to those sites deemed inappropriate.

Intrusion Detection System (IDS)
The gap analysis identified that there was no intrusion detection system. It was determined that a solution was required to meet the organization’s requirements. After a preliminary analysis, three products were chosen for detailed analysis. After careful consideration, it was determined that the CISCO IDS gave the best solution to meet the organization’s specific requirements. A detailed plan was prepared to:
• Determine the appropriate configuration
• Implement and test the solution before deployment
• Train operational staff to monitor for alerts
• Develop and document escalation processes in case of attack, such as a denial of service
The IDS was implemented with only minor issues encountered, which were quickly addressed.

External Gateway Security
The organization did not have the necessary expertise to perform this security risk assessment itself. Therefore, an external security consultancy was engaged to undertake this work. The tasks performed included:
• Footprinting and host discovery—The objective of this task was the creation of a catalog of network devices. The catalog detailed:
  – IP addresses and DNS name
  – Operating systems
  – Applications and DBMS
  – Protocols
• Automated network scanning—The objective of this task was to highlight common vulnerabilities that could be exploited by a threat source. Component devices identified during the host discovery were tested against:
  – Common vulnerabilities and exposures databases
  – Other new or not well known vulnerabilities in the security consultants’ body of knowledge
• Vulnerability assessment—The objective of this task was to assess:
  – The feasibility of exploiting an identified vulnerability and the skills and tools necessary for success
  – The impact of exploiting an identified vulnerability
The risk assessment of security of the external gateways identified a number of security vulnerabilities. For the critical security exposures, immediate action was taken to plug the security holes. For the other security exposures, a detailed action plan (included in the security register) was developed to implement the agreed-upon recommendations by the security consultants.

What was surprising was the small number of security weaknesses detected, which was less than expected given the complexity of the network.

Access Security—Information Assets
The gap analysis identified that there was no security monitoring software across the server tower platform to ensure that only authorized users were accessing the organization’s information assets. The tactical plan executed included:
• A review of current user access privileges
• Selection of security software to monitor, alert, track, audit and report on security violations
• Installation of a security logging server
• Deployment of security software
• Development of processes for the review of security logs, escalation and actioning of security violations
The review of the user access privileges required a compilation of production applications. As part of the IT asset audit, applications installed on the hardware were identified. A listing of users’ current access privileges was forwarded to the application owners for assessment of the appropriateness of access privileges, given their roles and responsibilities. It was discovered that a number of users had access privileges that were considered inappropriate. A review indicated that this had occurred because there was no formal process to advise the IT department of changes in roles and responsibilities. Additionally, the IT department had not regularly required the application owner to reconfirm the user application access privileges. An action plan, included in the security register, was developed to address these security process weaknesses.

The organization previously had purchased a limited number of copies of a security software product designed to audit and log security violations, but the software had not been deployed. After performing a pilot using the security software product, it was decided to purchase additional licenses. The IT asset audit assisted in determining the number of additional licenses required, and a plan was developed and executed for the deployment of the software across the server platform. Processes were developed and documented and training was provided to the data security officer for effective management and utilization of the security products.
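As an added example (not code from the article or from the case-study organization), the access privilege review above mechanized: the user listing extracted from each application is reconciled against the HR position register and the owner's entitlement matrix, and each application owner receives only the exceptions for their application. All three inputs are constructed; the rule that a developer holds no production privilege follows the figure 3 finding and is an assumption about the owner's policy.

```python
from typing import Dict, List, Set, Tuple

# Constructed review inputs (not from the article): the user listing pulled from each
# production application, the HR position register, and the owners' entitlement matrix.
ACCESS_LISTING: List[Tuple[str, str, str]] = [  # (application, user id, privilege)
    ("Payroll", "jsmith", "approver"),
    ("Payroll", "mlee", "clerk"),
    ("Payroll", "kwong", "dba"),
    ("Payroll", "rdoe", "clerk"),
    ("Billing", "jsmith", "read"),
    ("Billing", "tpark", "admin"),
]
HR_REGISTER: Dict[str, Tuple[str, str]] = {  # user id -> (current role, employment status)
    "jsmith": ("payroll_manager", "active"),
    "mlee": ("payroll_clerk", "active"),
    "kwong": ("developer", "active"),
    "rdoe": ("payroll_clerk", "terminated"),
    "tpark": ("billing_clerk", "active"),
}
ENTITLEMENTS: Dict[Tuple[str, str], Set[str]] = {  # (application, privilege) -> allowed roles
    ("Payroll", "approver"): {"payroll_manager"},
    ("Payroll", "clerk"): {"payroll_clerk"},
    ("Payroll", "dba"): {"production_dba"},
    ("Billing", "read"): {"payroll_manager", "billing_clerk"},
    ("Billing", "admin"): {"billing_manager"},
}
APP_OWNERS = {"Payroll": "payroll.owner", "Billing": "billing.owner"}  # application -> owner id

ReviewItem = Tuple[str, str, str]  # (user id, privilege, reason the owner must act)


def review_access(listing, hr, entitlements, owners) -> Dict[str, List[ReviewItem]]:
    """Build one exception list per application owner; clean entries are left out."""
    report: Dict[str, List[ReviewItem]] = {owner: [] for owner in owners.values()}
    for app, user, privilege in listing:
        # A user missing from HR is treated like a leaver: nobody can vouch for the access.
        role, status = hr.get(user, ("unknown", "not in HR register"))
        if status != "active":
            reason = f"user is {status}; remove access"
        elif role == "developer":
            reason = f"developer holds '{privilege}' in production; remove or justify"
        elif role not in entitlements.get((app, privilege), set()):
            reason = f"'{privilege}' is not permitted for role '{role}'; reconfirm or remove"
        else:
            continue
        report.setdefault(owners.get(app, "unassigned"), []).append((user, privilege, reason))
    return report
```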

Security—Keeping It Alive
After implementing the enterprise security framework, infrastructure and processes, a “Keeping-it-Alive” program was developed. Support was obtained from executive management, both on financial and manpower terms, to ensure the program would actively maintain a secure environment in the future.


Conclusion
Implementing enterprise security is an enormous task, but it is very rewarding when it all comes together. The security project was delivered on time and within budget. This was possible only through the dedication of the IT department staff and continued support of the organization’s IT auditor. The IT auditor performed a quality assurance role throughout the life of the project and provided a number of recommendations that led to an improvement in the quality of the deliverable, and minimized the likelihood of security weaknesses not being adequately addressed. Figures 4, 5 and 6 provide information about the different components of the ITIL Service Management model.

Figure 4—ITIL Service Support Process Model
(Figure: a process diagram linking The Organization, Customers and Users with the Service Support processes: Incident Management, Problem Management, Change Management, Release Management and Configuration Management.)
ITIL Component: Goal
Incident management: To restore normal service operation as quickly as possible with minimum disruption to the business, thus ensuring that the best achievable levels of availability and service are maintained
Problem management: To minimize the adverse effect on the business of incidents and problems caused by errors in the infrastructure, and to proactively prevent the occurrence of incidents, problems and errors
Change management: To ensure that standardized methods and procedures are used for efficient and prompt handling of all changes, to minimize the impact of any related incidents upon service
Release management: To take a holistic view of change to an IT service and ensure that all aspects of a release, technical and nontechnical, are considered together
Configuration management: To provide a logical model of the IT infrastructure by identifying, controlling, maintaining and verifying the versions of all configuration items in existence

Figure 5—ITIL Service Delivery Process Model
(Figure: a process diagram linking The Organization, Customers and Users with the Service Delivery processes: Service Level Management, Availability Management, Capacity Management, Financial Management and IT Service Continuity.)
ITIL Component: Goal
Service level management: To maintain and gradually improve business-aligned IT service quality through a constant cycle of agreeing, monitoring, reporting and reviewing IT service achievements and through instigating actions to eradicate unacceptable levels of service
Availability management: To optimize the capability of IT infrastructure and supporting organization to deliver a cost-effective and sustained level of availability that enables the business to satisfy its objectives
Capacity management: To understand the future business requirements (the required service delivery), the organization’s operation (the current service delivery), the IT infrastructure (the means of service delivery), and to ensure that all current and future capacity and performance aspects of the business requirements are provided cost effectively
Financial management for IT services: To provide cost-effective stewardship of the IT assets and the financial resources used in providing IT services
IT service continuity: To support the overall business continuity management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales

Figure 6—Additional Components to ITIL Service Management Model
ITIL Component: Goal
Service desk: To act as the central point of contact between the user and IT service management. To handle incidents and requests, and provide an interface for other activities, such as change, problem, configuration, release, service level and IT service continuity management.
Security: Process of managing defined level of security on information and IT services

Ken Doughty, CISA, CBCP has more than 20 years’ experience in IT auditing within the public and private sectors. He has an accounting degree and post-graduate qualifications in internal auditing. He has lectured part-time at the University of Technology, Sydney, Australia, and has had many papers published in auditing and business continuity journals, including a book on business continuity. Doughty was a recipient of ISACA’s John Kuyer’s Best Speaker Award for 2002.
© Copyright K. Doughty 2003

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™ Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
