228 Managing Network Vulnerability Assessment
CLIENT security architecture does not provide, by design, any means of limiting
these individuals' or groups' network infrastructure access. CLIENT tends to accept
the risks associated with having a completely open internal architecture in order
to accommodate the fluid and changing nature of the environment. However, a
documented rationale should accompany any risks that are accepted.
CLIENT has several knowledgeable and skilled individuals in the Information
Technology department. These individuals are aware of security-related
issues and understand that their internal systems are completely open and
accessible. They differ in their opinions as to the severity of this situation.
The situation entrusts a great deal of power and responsibility to these
administrators, to the point that any one of a handful of them, acting
independently, has the capability to compromise a system without any of the
other administrators being aware that any misuse has occurred. This requires a
great deal of trust in these administrators, which is evidently well placed;
however, future employees who may hold these positions may not be as
trustworthy. Without measures in place to monitor the activity of such
individuals, current or future intrusions or compromises may not be detectable.
Policies and Procedures
CLIENT has several policies and procedures in place to inform its users of
the responsibilities and obligations associated with the use of information
resources. While the policies in place are adequate in regard to what they
address, several policies appear to be missing: either policies that are
referenced but not readily available, or policies considered necessary that
do not appear to be present. These policies would generally indicate how
standards and procedures are to be created and how compliance with the
existing policies, standards, and procedures would be monitored. Your Company
also observed, and was told through interviews, that there is uneven
compliance with and nonexistent auditing of these policies.
Critical Vulnerabilities
The large number of vulnerabilities discovered, both those that are critical in
and of themselves as well as those that can be exploited in concert to become
critical vulnerabilities, leave many of the most sensitive systems at CLIENT
exposed to internal users. The firewall and perimeter devices are configured
in such a way that it would be very difficult for an outside user to successfully
attack one of the sensitive systems. This is not the case for an attacker on
the inside. Any knowledgeable user could gain complete access to all of the
critical systems of the infrastructure, including the Sun Development Servers
and the core network components themselves.
Identification and Authentication
CLIENT does not have an Identification & Authentication (I&A) process. In
the absence of an I&A service, it becomes very difficult to correlate events
across multiple platforms and link them to a single entity. It would also be
nearly impossible to trace an event to an individual or group. These events
were occurring, as Your Company noted, during some of the VULNERABILITY
ASSESSMENT tests. User IDs and passwords only provide single-factor
identification. In systems where the value of the resource justifies stronger
authentication and the ability to trace a user identity, there must be at least
two-factor authentication: one factor that is unique to the individual and one
generated randomly at the time credentials are presented. An I&A service,
combined with a time service such as the one CLIENT already has, can also
address one of the more difficult problems that exists in modern networked
environments: the gap between the time of a change in privilege and the
time of privilege usage.
The problem, known as TOCTOU (Time of Change versus Time of Use),
comes from a practice dating from the mainframe days, where the privilege a
user has is granted at log-in. User privileges were managed by the system's
Reference Monitor, which was an integral part of the operating system.
Therefore, any change in the user's privilege level was immediately enforced
by the operating system, so there was no period of time when the privileges
in effect did not match the privileges that the user was invoking.
In networked environments, the practice of granting privilege at the time of
log-in still exists. However, because there is no centralized Reference Monitor
directly tied into each and every operating system on the network, a
change in the user's privilege level is not registered until the user logs off the
network and then logs back on. This is the TOCTOU problem. Identification
and Authentication services, when coupled with a time service, can resolve
this issue because they force users to present their credentials before accessing
any resource on the network. This provides a chance for the privileges to be
checked, as well as ensuring the authenticity of the identity of the user ID
accessing the resource.
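As an added illustration (not from the report) of the privilege-at-log-in problem described above and the re-check that an I&A service coupled with a time service provides: the directory, the user names and the timestamps are all constructed, and re-authentication is assumed to succeed.

```python
RANK = {"user": 1, "operator": 2, "admin": 3}

# Constructed stand-in for a central directory (the I&A service). "changed_at"
# is the timestamp the time service would attach to a privilege change.
DIRECTORY = {}

def set_privilege(user, level, now):
    DIRECTORY[user] = {"level": level, "changed_at": now}

class Session:
    """Privilege is copied into the session at log-in, as the report describes."""
    def __init__(self, user, now):
        self.user = user
        self.level = DIRECTORY[user]["level"]
        self.login_at = now

def access_cached(session, required):
    """Networked practice without a reference monitor: only the level captured
    at log-in is consulted, so a later change is not seen until re-login."""
    return RANK[session.level] >= RANK[required]

def access_checked(session, required, now):
    """I&A coupled with a time service: a change stamped after the session's
    log-in time forces credentials to be re-presented and the level re-read."""
    entry = DIRECTORY[session.user]
    if entry["changed_at"] > session.login_at:
        session.level = entry["level"]   # re-authentication assumed to succeed
        session.login_at = now
    return RANK[session.level] >= RANK[required]

def toctou_scenario():
    """An admin logs in, is demoted afterwards, then attempts an admin-only action.
    Returns (decision with cached privilege, decision with time-checked privilege)."""
    set_privilege("alice", "admin", now=100.0)
    session = Session("alice", now=110.0)
    set_privilege("alice", "user", now=200.0)       # privilege change after log-in
    return (access_cached(session, "admin"),
            access_checked(session, "admin", now=300.0))
```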
Intrusion Detection
Because of CLIENT's open and fluid environment and the fact that new
network-based threats are identified almost daily, an effective means to detect,
react to, and manage events is necessary. An IDS (intrusion detection system)
that identifies suspect activity and alerts someone to the risk is becoming an
increasingly critical part of a security architecture. In most environments, this
would be coupled with segmentation of network resources across internal
firewalls or with centralized I&A services. While segmentation may not be feasible
within the current CLIENT trust model and architecture, I&A services as well
as increased auditing are possible.
An IDS that can conduct profiling as well as one that utilizes signatures
would most likely be the best fit for CLIENT. The profiling of users, especially
after the implementation of an I&A service, would allow anomalous activity
to be detected immediately and would allow for an automated review of
various system logs that are not being properly reviewed at this time.
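An added example, not from the report, that ties the Identification and Authentication point (events on separate platforms cannot be linked to one entity without an I&A service) to the profiling recommendation above: the two log formats, the account names, the I&A mapping and the "business hours" profile are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the report). Each platform records only its
# own local account name, so nothing in the lines themselves links the two.
SOLARIS_LOG = [
    "Apr 01 09:02:11 sun-dev1 app[412]: uid=jsmith op=READ file=/data/payroll.db",
    "Apr 01 14:35:40 sun-dev1 app[412]: uid=jsmith op=READ file=/data/payroll.db",
    "Apr 02 23:41:07 sun-dev1 app[419]: uid=jsmith op=COPY file=/data/payroll.db",
]
WEB_LOG = [
    '10.1.4.22 - JSMITH [01/Apr:09:10:03] "GET /intranet/home HTTP/1.0" 200',
    '10.1.4.22 - JSMITH [02/Apr:23:39:55] "GET /admin/export?all=1 HTTP/1.0" 200',
]
# Hypothetical I&A directory: platform-local identity -> one enterprise principal.
IA_MAP = {("solaris", "jsmith"): "john.smith",
          ("web", "JSMITH"): "john.smith"}
BUSINESS_HOURS = range(8, 19)   # assumed profile: 08:00-18:59 is normal activity

SOLARIS_RE = re.compile(r"^\w{3} \d\d (\d\d):\d\d:\d\d \S+ \S+: uid=(\S+) op=(\S+)")
WEB_RE = re.compile(r'^\S+ - (\S+) \[\d\d/\w{3}:(\d\d):\d\d:\d\d\] "(\S+ \S+)')

def parse_events(solaris_lines, web_lines):
    """Normalise both formats to (platform, local_id, hour, action) tuples."""
    events = []
    for line in solaris_lines:
        hour, uid, op = SOLARIS_RE.match(line).groups()
        events.append(("solaris", uid, int(hour), op))
    for line in web_lines:
        user, hour, req = WEB_RE.match(line).groups()
        events.append(("web", user, int(hour), req))
    return events

def correlate(events, ia_map):
    """Group events by entity. With an I&A mapping, both platforms' accounts
    collapse to one principal; without it, each local account stays separate."""
    by_entity = defaultdict(list)
    for platform, local_id, hour, action in events:
        entity = ia_map.get((platform, local_id), f"{platform}:{local_id}")
        by_entity[entity].append((platform, hour, action))
    return dict(by_entity)

def off_hours_findings(by_entity):
    """Profiling rule: report each entity's activity outside its expected hours."""
    return {e: [(p, h, a) for p, h, a in evs if h not in BUSINESS_HOURS]
            for e, evs in by_entity.items()
            if any(h not in BUSINESS_HOURS for _, h, _ in evs)}
```

With the mapping, the late-night Solaris copy and the late-night web export surface as one finding against one principal; without it they remain two unrelated entries under two local account names.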
Conclusion
Regardless of the frequency of vulnerability testing, no critical system can be
considered acceptably protected unless both the network segments and the
critical hosts/servers are monitored constantly for signs of abuse and intrusion
attempts. Because new exploits and vulnerabilities within devices and network
operating systems are discovered regularly, it is impossible to test a network
completely, giving 100 percent assurance of being impervious to penetration
either from within or from outside. Additionally, CLIENT has chosen a trust
model in which the application of stronger internal controls is more difficult
than in a more restrictive trust model. Therefore, the easiest method of
detecting misuses would be some type of intrusion detection system that is
both network based and capable of user profiling. Without appropriate
identification and authentication of users, referencing abuses to specific
individuals becomes unreliable. Without appropriate audit controls to ensure
compliance with policies, the policies and procedures themselves become untenable.
Your Company believes the corrective actions and recommendations in this
report will improve CLIENT’s ability to avoid breaches of information security.
However, Your Company strongly recommends that an Intrusion Detection
and Identification and Authentication capability be added to the network to
detect misuses and intrusions and provide the information necessary to support
forensic investigations. It is also recommended that additional audit controls
such as compliance testing, independent log review, or configuration audits
be implemented, with the results of these controls incorporated with the results
of the IDS capability. A policy and procedure review, combined with a risk
analysis, would also be very beneficial at this point in time to streamline and
reiterate those policies that are critical to the functioning of the enterprise.
3.0 Finding Rating Levels
In the following Findings section, Your Company uses a rating system based on
stars (*) to indicate the level of severity of our findings. All findings are
vulnerabilities that have a business risk to the client.

5 Stars  *****  Critical importance            This needs immediate attention.
4 Stars  ****   Important                      This should be addressed as soon as is practical.
3 Stars  ***    Moderately important           Address this at your convenience but do not ignore it.
2 Stars  **     Moderately important           Address this the next time you perform minor reconfiguration of the host.
1 Star   *      Information only at this time  Address this the next time you perform major reconfiguration of the host.
4.0 Findings
Security Management
Finding 1: Policy and Procedure Enforcement
CLIENT has various policies designed to protect the information assets of the
company. Many of these policies reference other policies that were not readily
available to be delivered to PA. Interviews of employees indicated that the
existence of some of these policies was unknown. Interviews indicated that
compliance with policies was not audited or measured except in extreme and
obvious instances of flagrant violations.
The following policies were provided to PA:
Commitment to Professional Conduct. A general guide to professional
conduct within CLIENT. This document was not formatted as a usual policy
and was presented more as an awareness document.
Internet Acceptable Use Policy. A policy that also contained procedures and
guidelines for usage.
Confidential, Computer Responsibility, and Professional Certification Agreement.
This policy is actually three policies in one, including a Confidentiality
Agreement, a Computer Responsibility Policy, and a reference to the
Commitment to Professional Conduct.
E-Mail Acceptable Use Policy. This policy detailed the acceptable use of
e-mail.
Policies referenced but not provided include:
Systems Security Policy and Standards
Human Resources Manual
Internet Access Policy
Policies that were not found include:
Information Classification Policy
Encryption Policy
External Network Access Policy
Operating System Hardening Policy
Password Policy
Remote Network Access Policy
Security Change Management Policy
Security Organization Roles and Responsibilities
Separation of Duties Policy
Strong Authentication Policy
System Access Policy
User Identity Policy
Virus Detection and Management Policy
Other policies were mentioned by employees in interviews but were not
presented directly or as references to Your Company’s team.
Urgency Rating: *****
Risk
Policies define the business rules around a particular area, in this case
information protection. Procedures tell employees how to operate within those
business rules. They define the boundaries within which people are to
operate. Failure to have policies or procedures, or uneven compliance with
the existing policies and procedures, can result in legal liability as well as
lower employee morale. It will also result in an increased probability of an
incident occurring, as people do not know what is expected of them.
Recommendations
Review existing policies and procedures, then update them as necessary for both
clarity and completeness, followed by the institution of an Information Security
Awareness Program so that employees understand their responsibilities. Additional
policies addressing the deficit areas mentioned above also need to be written.
Finding 2: Log Review and Auditability
The review of logs is an integral part of an information security program. Logs
produced by systems and applications provide detailed information to the
owners of the data as to what has occurred with the data for which they are
responsible. Your Company's tests showed that many logs, such as the application
logs on the Solaris systems and the event logs on the Web servers,
were not collected or reviewed on a routine basis. The employee resources
dedicated to this task did not appear to be sufficient to adequately examine
all the necessary logs.
Urgency Rating: *****
Risk
Failure to properly review log entries presents an opportunity for malicious
actions to occur. Many systems are not built to resist malicious actions but
they do record the results of those actions in their log files. If the files are
not reviewed, then the actions can continue.
Recommendations
Implement an intrusion detection system (IDS) that can review log entries to
automate the tedious task of log review. Most IDS systems can accomplish
this and then generate an alert when anomalous activity is detected.