Sample NVA Report 233
Finding 3. Risk Analysis Procedure
In an open model where the internal users are assumed to be trusted, it is
imperative that there is a process by which any additional protection measures
are applied to resources. This process must include a risk analysis to determine
the value of the resource and the cost of the protection measure in order to
justify the imposition of additional controls on a user community that is
normally trusted. Interviews with staff made it apparent that no risk analysis
was occurring prior to the imposition of controls.
Urgency Rating: ****
Risk
Without performing at least a basic risk analysis, controls may be placed on
systems that do not need them, and needed controls may not be applied
where necessary. Also, without a formalized process, the existing trust model
cannot be accurately evaluated to determine if it is still appropriate, given the
level of controls placed upon resources.
Recommendations
Develop a formalized risk analysis procedure and add it to the change control
process. Subject all changes to security configurations to some variant of
the change control process.
Finding 4: Incident Management and Response
CLIENT has an Emergency Response Team designed to respond to critical
situations. From the description provided, the team acts more as an Environ-
mental Disaster Team designed to respond to events affecting the core business
of the company such as a fire or other natural disaster. It was stated that this
team was designed for anything that had “a major impact on user operations.”
As such, there is no formalized method for dealing with intrusions or other
security-related incidents. There is no one designated with the responsibility
of collecting and preserving evidence in the event of a computer crime, and
there is no one designated to evaluate an event and determine if it is malicious
or nonmalicious. Further, there is not a formalized process to determine who
will respond to an incident and what the recovery path should be.
Urgency Rating: ****
Risk
In the event of an intrusion or computer crime, CLIENT would be unable to
properly collect and protect evidence necessary for either termination or
prosecution of the offending party. Likewise, failure to preserve evidence in the event
234 Managing Network Vulnerability Assessment
of a computer crime can harm the company and also expose it to legal
liability. In the event of a nonmalicious, noncriminal event, CLIENT would not
have a formalized capability to recover, collect evidence of what happened,
and apply that evidence to preventing the event from recurring.
Recommendations
Develop a formalized incident management and response plan. The plan can
include the development of a team internally or a contract with an external
entity to provide the necessary services.
Finding 5: Information Awareness Program
CLIENT does not appear to have an Information Awareness Program designed
to remind all employees of existing policies and procedures, and to promote
the proper use and protection of computing resources.
Urgency Rating: ***
Risk
Studies of computer-related losses have consistently attributed the majority of
them, commonly cited as 75 to 80 percent, to internal users. The development
of an effective Information Awareness Program has traditionally been one of
the most cost-effective expenditures for the protection of information assets
and, outside of basic security services, one of the most effective ways of
reducing computer-related incidents.
Recommendations
Develop an effective Information Security Awareness Program in conjunction
with the other recommendations in this report.
Security Architecture
Finding 1: Intrusion Detection System
Although a system or network can be tested and made secure, new vulnera-
bilities are discovered almost daily. Regardless of the amount of time and
effort spent correcting configuration errors, it is still possible for an intruder
to discover a new intrusion technique and attempt it on the system. Addition-
ally, internal abuse is very difficult to guard against, and there must be some
method of full-time monitoring implemented to catch and appropriately log
intrusion attempts.
Urgency Rating: *****
Risk
There is no way to guarantee through testing that a system is secure. The
best that testing can provide is a snapshot of the security of the system at the
time of the tests. Therefore, it is critical, especially for sensitive systems, that
full-time monitoring be employed. Only with full-time intrusion detection can
CLIENT have reasonable assurance that the majority of attack and abuse
attempts, whether external or internal, will be caught and traced. More
important, should an attempt succeed, only a complete intrusion detection
record allows CLIENT to track the root cause that permitted the intrusion,
repair the problem, and ensure that it does not happen again.
Recommendations
Proposed intrusion detection systems (IDSs) will be presented as a part of the
Facilitated Risk Analysis Process, which is to follow the Vulnerability Assess-
ment and is indicated as Milestone II in the Engagement Agreement under
which this document was produced.
Finding 2: Security Architecture
As discussed throughout this document, the CLIENT trust model is one
designed for rapid change, resource reallocation, and fluidity in business
processes. Of the classical information security triad of confidentiality,
integrity, and availability, the CLIENT network is designed for availability
of resources above all else. Beyond the concepts of the CLIENT trust model,
a true formalized Security Architecture does not exist. At this point, it is
a nebulous idea shared by the IT staff, but it has not progressed beyond that.
Urgency Rating: **
Risk
The security trust model is the basis for the entire information security
infrastructure. The focus on availability in the CLIENT infrastructure results in
the integrity and confidentiality of other components not being addressed.
This presents the possibility for vulnerabilities to be present that will not be
detected because of the infrastructure itself. Without a formalized architec-
ture, future decisions about information protection will be made based on
the current view of the information to be protected, which may not accurately
reflect the true situation. A formalized architecture provides a framework
upon which all security controls can be based, allowing logical decisions to
be made based on the direction chosen as opposed to reacting to existing
circumstances.
Recommendations
There are three things CLIENT can do:
1. Install an IDS to monitor the users of the network and be aware of potential
intrusion attempts.
2. Review the risks of the existing business risk model and decide if changes
need to be made.
3. Evaluate the existing architecture and make any necessary changes to bring
it in line with the business risk model if it is found to be out of line.
Access Control Methodologies
Finding 1: User Identification and Authentication
The identification of who is using a resource is a critical component of an
information security infrastructure. It is typically accomplished by a two-step
identification and authentication process: a user presents an identifier,
usually a user ID, and then proves the claimed identity, usually with a
password or passphrase. Because the password is the only proof offered, this
is single-factor authentication, and it is the system used by CLIENT.
Urgency Rating: *****
Risk
Failure to have adequate user Identification and Authentication (I&A),
especially where a single ID is used by multiple people, as in the case of the
XXX Admin account, means that an individual cannot be traced to an action.
Additionally, CLIENT policy states that users are responsible for the actions
taken by their account. If a user cannot be proven to be who he claims to be
through a non-repudiable method, that policy cannot be enforced. In the case
of a shared account, there is no way for this policy to be legally enforced
without additional evidence to determine the individual using
the account. Finally, because CLIENT has multiple platforms in use, there is
no centralized repository of user information that ties an individual to multiple
user IDs as they pass from system to system. A central I&A system provides
this capability to map user IDs on different systems to a single individual and
therefore trace the actions of that individual if necessary.
Recommendations
CLIENT should install a single Identification and Authentication system that has
the capability to authenticate user access across not only all platforms, but also
their networking equipment. Such a system would need to be RADIUS or
TACACS+ compliant, and would need to use biometrics, a token, or both. Adding
a second authentication factor, either biometrics or a one-time password (such
as token devices or software like RSA SecurID or CRYPTOCard), would
give much higher confidence that the user is who he asserts himself to be.
This provides the non-repudiable attribution of actions to individuals that
is the basis for any disciplinary or legal action taken in response to an
incident.
Finding 2: Password Strength
Within the CLIENT architecture, user passwords are the primary method of
authenticating an asserted identity. Therefore, the security of user passwords
is critical. CLIENT policy even states that users will be held responsible for
the actions of their accounts based on their passwords. Your Company
conducted two types of password reviews. One was an attempt to try a basic
dictionary attack against passwords sniffed from the wire with tools that any
CLIENT employee could download, and the other was a detailed analysis on
policies specified within the systems themselves to see if they match CLIENT
policy.
Urgency Rating: *****
Risk
Compromise of a user password will allow an attacker to masquerade as the
user. Your Company was able, in a two-hour period, to crack XXX percent
of the passwords captured off the wire. A majority of the passwords were the
same as the username. Additionally, a point test on the XXX Admin account
(named as such) was successful in 12 hours. Finally, it was discovered that
password changes are not required and that many of the admin account
passwords have not been changed in a significant amount of time.
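The review described above can be reproduced with a small audit script. The following Python is an added example for this edition, not the tool used in the engagement; the accounts, hashes, and wordlist are constructed, and unsalted SHA-1 stands in for whatever hash format each CLIENT platform actually uses. It reports the three conditions the finding cites: password equal to the user ID, password recoverable from a basic dictionary, and password not changed within the policy period.

```python
import hashlib

# Constructed wordlist; a real review would use a large public list.
WORDLIST = ["password", "welcome", "letmein", "summer", "admin", "secret"]


def digest(password: str) -> str:
    # Assumption for this example: unsalted SHA-1 hex. The hash format of
    # each CLIENT platform is not given in the report; substitute the real one.
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample: (user ID, captured hash, days since last password change).
ACCOUNTS = [
    ("jsmith", digest("jsmith"), 400),
    ("mjones", digest("Welcome1"), 12),
    ("admin", digest("admin123"), 900),
    ("kdoe", digest("Tr0ub4dor&3"), 20),
]


def candidates(username: str):
    """Guess order a basic cracker would try: the user ID itself and trivial
    variants first, then the wordlist with common capitalization and suffixes."""
    yield username
    yield username.capitalize()
    yield username[::-1]
    for word in WORDLIST + [username]:
        for variant in (word, word.capitalize()):
            yield variant
            for suffix in ("1", "123", "!"):
                yield variant + suffix


def audit(accounts, max_age_days: int = 90):
    """Return {user: {"cracked_as", "same_as_user_id", "stale"}}."""
    report = {}
    for user, stored, age_days in accounts:
        entry = {"cracked_as": None, "same_as_user_id": False,
                 "stale": age_days > max_age_days}
        for guess in candidates(user):
            if digest(guess) == stored:
                entry["cracked_as"] = guess
                entry["same_as_user_id"] = guess.lower() == user.lower()
                break
        report[user] = entry
    return report


def cracked_fraction(report) -> float:
    """Share of accounts whose password was recovered (the report's XXX percent)."""
    return sum(1 for e in report.values() if e["cracked_as"]) / len(report)


if __name__ == "__main__":
    result = audit(ACCOUNTS)
    for user, entry in result.items():
        print(user, entry)
    print(f"cracked: {cracked_fraction(result):.0%}")
```

Running the script against a real hash dump needs only the `digest` function swapped for the platform's own format; the candidate generator and the age check are independent of it.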
Recommendations
The following changes need to be implemented immediately:
Force an immediate change of all passwords.
Institute a policy of periodic password changes.
Additionally, the following changes need to occur:
Install an Identification and Authentication (I&A) system.
Install an intrusion detection (IDS) system.
Finding 3: Unencrypted Passwords
CLIENT has several systems that use the Telnet protocol. Telnet carries every
keystroke, including usernames and passwords, in cleartext across the network,
so anyone able to observe the traffic can read the credentials directly.
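To show concretely what an observer on the wire sees, the following Python (an added example, not from the report) strips Telnet option negotiation from a reassembled session and pairs the server's login and password prompts with the keystrokes the client sent in reply. The session bytes are constructed; reading a real capture would additionally require a pcap reader, which is outside this example.

```python
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT: 3-byte sequences


def strip_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation (RFC 854), leaving the user data."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                              # truncated IAC at segment end
        cmd = data[i + 1]
        if cmd == IAC:                         # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:                        # subnegotiation ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in NEGOTIATE:
            i += 3
        else:                                  # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


LINE_END = re.compile(rb"\r\n|\r\x00|\r|\n")   # Telnet end-of-line forms


def extract_credentials(segments):
    """segments: ordered (direction, payload) pairs, direction "S" for
    server->client or "C" for client->server, as reassembled from a capture.
    Returns what the client typed in answer to login/password prompts."""
    creds, expecting, client_buf = {}, None, b""
    for direction, payload in segments:
        text = strip_iac(payload)
        if direction == "S":
            prompt = text.decode("latin-1").rstrip().lower()
            if prompt.endswith(("login:", "username:")):
                expecting = "username"
            elif prompt.endswith("password:"):
                expecting = "password"
        else:
            client_buf += text         # client may send one keystroke per segment
            while True:
                m = LINE_END.search(client_buf)
                if not m:
                    break
                line, client_buf = client_buf[:m.start()], client_buf[m.end():]
                if expecting:
                    creds[expecting] = line.decode("latin-1")
                    expecting = None
    return creds


# Constructed capture of a Telnet login: option negotiation interleaved with
# the prompts and the keystrokes typed in reply.
SAMPLE_SESSION = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20login: "),
    ("C", b"\xff\xfb\x18\xff\xfc\x20j"),
    ("C", b"smith\r\n"),
    ("S", b"jsmith\r\nPassword: "),    # server echo of the user ID, then prompt
    ("C", b"s3cret\r\x00"),
]

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_SESSION))
```

Nothing here breaks any protection: the credentials are simply present in the bytes, which is the point of the finding. Replacing Telnet with an encrypted remote-access protocol is the only fix; stronger passwords alone do not help against this observer.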