1. Audit and Evaluation of Information Technology (Audit dan Evaluasi Teknologi Informasi), Session 7, MTI-CIO 2012
2. Key to IT Fraud Initiatives: Tone at the Top
• Standards and the literature claim that Tone at the Top is the key to preventing IT fraud
• A study of IT audits showed that Tone at the Top is the most important criterion in assessing IT security
• Tone at the Top is more important than:
  – Software
  – Logical controls
  – Physical controls
Source: "Security Controls and Management Tone", T. Kizinian and W. R. Leese, Internal Auditing, March/April 2004
3. Tone at the Top Options
• Culture of fear
  – Responses are triggered by events
  – Adopts a "fortress" strategy
  – Compliance is treated as sufficient
  – Seen as the CIO's or CTO's responsibility
  – Punishment oriented; requires monitoring and systems that may impede legitimate business
• Culture of security
  – Motivated by a desire for excellence
  – Holistic understanding of security
  – Aims to prevent fraud
  – Compliance is necessary but not sufficient for security
  – Organizational responsibility
  – Conscious strategy for Tone at the Top and culture
4. Problems with a Culture of Fear
• Fear is a short-term motivator
• Responds to failures after the damage is done
• Underestimates the costs of failures and the costs of prevention (e.g. time lost dealing with security issues and systems)
• Lowers morale and creates an "us vs. them" mindset
5. Standards and Assessment Tools
• COSO and SOX
• Control Objectives for Information and Related Technology (COBIT) and Information Technology Control Guidelines (ITCG)
• A management and assessment tool specifically for Tone at the Top and Culture of Security is still needed
6. ACFE Report to the Nation on Occupational Fraud and Abuse
• A 2½-year study of 2,608 frauds:
  – Fraud costs U.S. organizations more than $400 billion annually
  – Fraud and abuse cost employers an average of $9 a day per employee
  – The average organization loses about 6 percent of its total annual revenue to fraud and abuse admitted to by its own employees
7. Two Types of Fraud
• Fraud on behalf of an organization
  – Financial statement manipulation to make the company look better to stockholders
  – Also called management fraud
• Fraud against an organization
  – Stealing assets, information, etc.
  – Also called employee or consumer fraud
8. Ernst & Young Fraud Study 2002 (Europe)
• One in five workers is aware of fraud in their workplace
• 80% would be willing to turn in a colleague, but only 43% have
• Employers lost 20 cents of every dollar to workplace fraud
• Types of fraud:
  – Theft of office items: 37%
  – Claiming extra hours worked: 16%
  – Inflating expense accounts: 7%
  – Taking kickbacks from suppliers: 6%
9. Extent of Fraud
• 10% of organizations suffer serious IT fraud each year
• Damage to reputation due to IT fraud slices 8% to 13% off the market value of public companies
• Every survey shows IT fraud at or near the top of CFOs' concerns
10. But So Far?
• Each firm seems to have different groups working on fraud detection
  – No best-practices model has emerged
• IT auditors perform control testing on company systems, not fraud detection
11. Why Don't Auditors Find Fraud?
• Limited time: our most precious resource is our attention
• History: lack of historical fraud-detection instruction
• Lack of fraud-symptom expertise
• Lack of fraud-specific tools
• Lack of analysis skills
• Lack of expertise in technology
• Auditors do find 20 to 30 percent of fraud (ACFE 2004 Report to the Nation)
12. Common Fraud in the USA
• A top sales VP sponsors an award event
• High-priced gifts are bought for spouses and guests
• The cost is buried in the cost of the overall event; gift items are not identified
• The voucher meets the budget projection
13. Ethical Standards Are Tested Every Day
• You have to take a stand based on your personal ethics
• They are tested every day by the decisions your people make
• The Foreign Corrupt Practices Act is the rule of law
15. What Next in IT Audit?
• Prosecute??
• Apply short-term solutions to contain an intrusion
• Eliminate all means of intruder access
• Return systems to normal operation
• Identify and implement security lessons learned
16. What is a security audit?
• Policy based
• Assessment of risk
• Examines site methodologies and practices
• Dynamic
• Communication
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data... There's a war out there... and it's not about who's got the most bullets. It's about who controls the information." (Federation of American Scientists - Intelligence Resource Program)
17. Why and What IT Security Audits?
Why?
• Information is power
• Check and measure policy compliance
• Assess risk, the security level, or other specific information
• Assess potential damage and vulnerable areas
• Security incident response, to allow remediation
• Ensure ongoing security and an efficient system
• Change management
• Expectations
What?
• Host
• Firewall
• Networks
• Large networks
18. Who Needs IT Security Auditing?
• A security audit is necessary for every organization, especially those that use the Internet
• It is an ongoing process that must be exercised and improved to keep up with ever-changing and challenging threats
• Being audited should not be feared; auditing is good practice
19. When to audit?
• Emergency!
• Before prime time
• Scheduled/maintenance
• Example schedules:
  – Individual host: every 12 to 24 months
  – Large networks: every 12 to 24 months
  – Network: every 12 months
  – Firewall: every 6 months
20. IT-Specific Audit Phases
• External audit
  – Public information collection
  – External penetration
    • Non-destructive test
    • Destructive test
• Internal audit
  – Confidential information collection
  – Security policy review
  – Interviews
  – Environment and physical security
  – Internal penetration
  – Change management
• Reporting
21. Important Notes on External Audit
• Do not make ANY changes to the systems or networks
• Do not impact processing capabilities by running scanning/testing tools during business hours or during peak or critical periods
• Always get permission before testing
• Be confidential and trustworthy
• Do not perform unnecessary attacks
22. External Audit - Penetration Test
• Plan the penetration process
  – Search for vulnerabilities matching the information gathered and obtain the exploits
  – Conduct vulnerability assessments (ISO 17799)
• Non-destructive test
  – Scans/tests to confirm vulnerabilities
  – Make SURE they are not harmful
• Destructive test
  – Only for short-term effect (e.g. DoS/DDoS), and only with the explicit permission required on the previous slide
  – Done from various locations
  – Done only during off-peak hours, and only to confirm the effect
• Record everything
  – Save snapshots and record every test performed, even if it returned a false result
  – Watch out for HONEYPOTS
23. Internal Audit
• Conducted on the premises
• A process of hacking with full knowledge of the network topology and other crucial information
• Also identifies threats from within the organization
• Should be thorough and accurate
• Must be cross-checked against the external penetration report
24. Internal Audit - Policy Review
• Everything starts with the security policy
• If there is no policy, is there any need for a security audit? (There is nothing to audit against.)
• Policies are studied properly and classified
• Identify any security risk that exists within the policy
• Interview IT staff to gain a proper understanding of the policies
• Also identify the level of implementation of the policies
(The slide shows the policy hierarchy: Policy, then Standards, then Procedures, Guidelines & Practices.)
25. Internal Audit - Information Gathering
• Discussion of the network topology
• Placement of perimeter devices (routers and firewalls)
• Placement of mission-critical servers
• Existence of IDS
• Logging
• Always cross-check with the security policy
26. Internal Audit - Environment and Physical Security
– Locked / combination / card-swipe doors
– Temperature / humidity controls
– Neat and orderly computing rooms
– Sensitive data or papers lying around?
– Fire suppression equipment
– UPS (uninterruptible power supply)
– Always cross-check with the security policy
Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.
27. Internal Audit - Penetration
The internal penetration test can be divided into a few categories:
– Network
– Perimeter devices
– Servers and OS
– Applications and services
– Monitoring and response
– Cross-check with the security policy
28. Internal Audit - Network
• Location of devices on the network
• Redundancy and backup devices
• Staging network
• Management network
• Monitoring network
• Other network segmentation
• Cabling practices
• Remote access to the network
• Cross-check with the security policy
29. Internal Audit - Perimeter Devices
Check the configuration of perimeter devices such as:
– Routers
– Firewalls
– Wireless APs/bridges
– RAS servers
– VPN servers
– Perform tests of:
  • Egress and ingress communication
  • Firewall rules
  • Configuration access methods
  • Logging methods
– Cross-check with the security policy
30. Internal Audit - Servers and OS
• Identify mission-critical servers such as DNS, email and others
• Examine the OS and its patch level
• Examine the ACLs on each server
• Examine management controls: accounts and passwords
• Placement of the servers
• Backup and redundancy
• Cross-check with the security policy
31. Internal Audit - Applications and Services
Identify the services and applications running on the mission-critical servers. Check for vulnerabilities in the versions running. Remove unnecessary services/applications.
– DNS
  • Name service (BIND)
– Email
  • POP3, SMTP
– Web/HTTP
– SQL
– Others
– Cross-check with the security policy
32. Internal Audit - Monitoring and Response
Check for procedures on:
• Event logging and audit
  – What is logged?
  – How frequently are logs reviewed?
  – How long are logs kept?
• Network monitoring
  – What is monitored?
  – How are alerts responded to?
• Intrusion detection
  – Is an IDS in place?
  – What rules and detection methods are used?
• Incident response
  – How is an attack responded to?
  – What is the recovery plan?
  – Follow-up?
33. Internal Audit - Analysis and Report
• Analysis of results
  – Check compliance with the security policy
  – Identify weaknesses and vulnerabilities
  – Cross-check with the external audit report
• Report: the key to realizing value
  – Must have two parts:
    • Non-technical (for management use)
    • Technical (for IT staff)
  – Methodology of the entire audit process
  – Separate internal and external findings
  – State weaknesses/vulnerabilities
  – Suggest solutions to harden security
34. Security Policies and Documentation
What is a security policy?
• Components
• Who should write it?
• How long should it be?
• Dissemination
• It walks, it talks, it is alive...
• RFC 1244 (the Site Security Handbook, since obsoleted by RFC 2196)
• What if a written policy doesn't exist?
• Other documentation
35. Components of a Security Policy
• Who can use resources
• Proper use of the resources
• Granting access and use
• System administrator privileges
• User rights and responsibilities
• What to do with sensitive information
• Desired security configurations of systems
38. How to do a Security Audit
• Pre-audit: verify your tools and environment
• Audit/review the security policy
• Gather audit information
• Generate an audit report
• Take actions based on the report's findings
• Safeguard the data and the report
39. The Golden Rule of Auditing
• Verify that ALL tools used for the audit are untampered with:
  – Write them yourself
  – Obtain them from a trusted source (person, place)
  – Verify them against a digital signature or published checksum (the slide names MD5; note that MD5 is a checksum, not a signature, and is no longer collision-resistant, so a signed SHA-256 manifest is the modern equivalent)
• If the results of the auditing tools cannot be trusted, the audit is useless
• Platform
  – Should have extraordinary security
  – Submit it to a firewall-type audit
  – Physical access should be required to use it
  – No network services running
  – Portable, mobile, secured and trusted hardware
  – Software: secured OS, audit tools, development tools
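The tool-verification step above, as an added example (not code from the original slides): the audit platform keeps a SHA-256 manifest recorded from trusted media and refuses to trust any tool whose digest differs or which is missing. The tool names, file contents and manifest are constructed for the demo.

```python
"""Added example (not from the original slides): verify audit tools against a
SHA-256 manifest before using them.  Paths and contents are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <path>').

    Anything else raises instead of being silently skipped: a truncated or
    edited manifest is itself a sign of tampering.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed manifest line: %r" % raw)
        entries[name.strip()] = digest
    return entries


def verify_manifest(manifest_text, root):
    """Return {name: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def run_demo():
    """Build a toy toolkit, record a manifest from the trusted copies, then
    simulate a trojaned lsof and a deleted tcpdump on the audit platform."""
    with tempfile.TemporaryDirectory() as root:
        tools = {  # constructed stand-ins for real binaries
            "nmap": b"#!/bin/sh\necho trusted nmap\n",
            "lsof": b"#!/bin/sh\necho trusted lsof\n",
            "tcpdump": b"#!/bin/sh\necho trusted tcpdump\n",
        }
        for name, body in tools.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        manifest = "# generated from trusted media\n" + "".join(
            "%s  %s\n" % (sha256_file(os.path.join(root, n)), n) for n in tools)
        with open(os.path.join(root, "lsof"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho trusted lsof\n# hide attacker's sockets\n")
        os.remove(os.path.join(root, "tcpdump"))
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print("%-8s %s" % (name, status))
```

`sha256sum -c manifest` does the same job from the shell. The check only proves that the tools match the manifest, so the manifest itself has to come from trusted media or carry a signature you verify (for example with `gpg --verify`); otherwise an intruder who replaced the tools can replace the manifest as well.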
40. Audit Tools - the Hall of Fame
• SAINT/SATAN/ISS
• Nessus
• lsof/pff
• Nmap, tcpdump, ipsend
• MD5/DES/PGP
• COPS/Tiger
• Crack
Web security specific:
• Acunetix: http://www.acunetix.com
• Web Sleuth: http://www.sandsprite.com/Sleuth
• Paros Proxy: http://www.parosproxy.org
• Web Inspect: http://www.spidynamics.com/products/webinspect
• nikto: http://www.cirt.net/code/nikto.shtml
• XSS NASL plugin for Nessus: http://www.cirt.net/code/nessus.shtml
• JMeter: http://www.jakarta.apache.org/jmeter
41. Audit/Review the Security Policy
• Utilize the existing policy or use a "standard" policy
• Treat the policy as a potential threat
• Does it have all the basic components?
• Are the security configurations comprehensive?
• Examine dissemination procedures
42. Security Policy
• Treat the policy as a potential threat
• Bad policies are worse than none at all
• Good policies are very rare
• Look for clarity and completeness
• Poor grammar and spelling are not tolerated
43. Does it Have All the Basic Components?
• Who can use resources
• Proper use of the resources
• Granting access and use
• System administrator privileges
• User rights and responsibilities
• What to do with sensitive information
44. Are the Security Configs Comprehensive?
• Details are important!
• Addresses specific technical problems (COPS-like tests, which network services run, etc.)
• Allowable trust must be clearly outlined
• Should name the specific tools (TCP Wrappers, S/Key, etc.) that are used
• Must have explicit time schedules for security audits and/or the tools used
• Logfiles must be regularly examined!
45. Examine Dissemination Procedures
• Policies are worthless unless people read and understand them
• Ideally the policy is distributed and addressed when people join the organization
• E-mail is useful for updates and changes
• Written user acknowledgment is necessary
47. Talk to/Interview People
• Difficult to describe, easy to do
• Usually ignored
• Users, operators, sysadmins, janitors, managers...
• Usage and patterns
• Have they seen/read the security policy?
• What can/can't they do, in their own words?
• Could they get root/system privileges?
• What are the systems used for?
• What are the critical systems?
• How do they view the security audit?
49. Technical Investigation
• Run static tools (COPS, Crack, etc.)
• Check system logs
• Check the system against known vulnerabilities (CERT, Bugtraq, CIAC advisories, etc.)
• Follow startup execution
• Check static items (config files, etc.)
• Search for privileged programs (SUID, SGID, run as root)
• Examine all trust
• Check extra network services (NFS, news, httpd, etc.)
• Check for replacement programs (wu-ftpd, TCP Wrappers, etc.)
• Code review "home grown" programs (CGIs, finger FIFOs, etc.)
• Run dynamic tools (ps, netstat, lsof, etc.)
• Actively test defenses (packet filters, TCP Wrappers, etc.)
50. Test, Execution, and Check
Static tools
• Nmap
• SAINT/SATAN/ISS
• Crack
• Nessus
• COPS/Tiger
Startup execution/programs
• Boot (P)ROMs
• init
• Startup programs (rc.*-style files)
Check
• Examine all config files of running processes (inetd.conf, sendmail.cf, etc.)
• Examine config files of programs that can start up dynamically (ftpd, etc.)
51. Search for Privileged Programs
• Find all SUID/SGID programs
• Look at all programs executed as root
• Examine:
  – Environment
  – Paths to execution
  – Configuration files
• Examine all trust:
  – rhosts, hosts.equiv
  – NFS, NIS
  – DNS
  – Windowing systems
  – User traffic and interactive flow
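The "find all SUID/SGID programs" and "examine all trust (rhosts, hosts.equiv)" steps above, as an added example that is not part of the original slides: a walker that reports setuid/setgid files without following symlinks or opening anything, and a parser that flags blanket-trust entries in hosts.equiv-style files. The directory layout and the hosts.equiv contents are constructed for the demo.

```python
"""Added example (not from the original slides): locate SUID/SGID executables
and flag over-permissive trust files.  All paths and sample data are constructed."""
import os
import stat
import tempfile


def find_privileged(root):
    """Return sorted (path, flags) for regular files with the setuid/setgid bit.

    lstat is used so symlinks are reported as links, not followed, and files
    are never opened or executed: a scan must not be tricked by a planted link.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = []
            if st.st_mode & stat.S_ISUID:
                flags.append("SUID")
            if st.st_mode & stat.S_ISGID:
                flags.append("SGID")
            if flags and st.st_mode & stat.S_IWOTH:
                flags.append("WORLD-WRITABLE")  # privileged AND anyone can edit it
            if flags:
                hits.append((path, tuple(flags)))
    return sorted(hits)


def trust_problems(hosts_equiv_text):
    """Flag hosts.equiv / .rhosts lines that grant blanket trust.

    Format is '<host> [<user>]'.  A host of '+' trusts every host; a user of
    '+' lets every user on that host log in as any local user.
    """
    problems = []
    for lineno, raw in enumerate(hosts_equiv_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            problems.append((lineno, "any host trusted"))
            continue
        if user == "+":
            problems.append((lineno, "any user on %s trusted" % host))
    return problems


def run_demo():
    """Build a throwaway tree with one setuid binary, a symlink to it that must
    be ignored, and a hosts.equiv with two bad lines."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "local", "bin")
        os.makedirs(bindir)
        normal = os.path.join(bindir, "hello")
        suid = os.path.join(bindir, "legacy_passwd")
        for p in (normal, suid):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho hi\n")
        os.chmod(normal, 0o755)
        os.chmod(suid, 0o4755)  # constructed setuid binary
        os.symlink(suid, os.path.join(bindir, "link"))
        equiv = "# constructed sample\nbuild01.example.internal\n+ +\ndb01 +\n"
        return {
            "privileged": [(os.path.relpath(p, root), f) for p, f in find_privileged(root)],
            "trust": trust_problems(equiv),
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real host, run `find_privileged("/")` from the trusted audit platform and diff the result against the previous audit's list; a new entry is the first thing to explain.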
53. Check for Replacement Programs
• wu-ftpd
• TCP Wrappers
• logdaemon
• xinetd
• GNU fingerd
54. Code Review of "Home Grown"/Non-Standard/Custom Programs
• Network daemons
• Anything SUID or SGID
• Programs run as a system account
• CGIs
• Bad signs:
  – External commands (system(), shell escapes, etc.)
  – /usr/ucb/mail
  – Large size
  – No documentation
  – No comments in the code
  – No source code available
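The first "bad sign" above, external commands built from user input, is what a reviewer should be looking for in a CGI. As an added example (not code from the original slides), here is a small user-lookup routine in the vulnerable form the slide warns about and in a hardened form. `echo` stands in for the real command (finger or similar) so the demo runs anywhere with /bin/sh; the usernames are constructed.

```python
"""Added example (not from the original slides): command injection through an
external command, and the fix.  'echo' is a stand-in for the real lookup command."""
import re
import subprocess

# Allowlist: a conventional Unix login name.  A leading '-' is excluded so the
# value can never be parsed as an option by the program we hand it to.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def lookup_vulnerable(user):
    """The bad sign: untrusted input spliced into a shell command string.

    shell=True passes the string to /bin/sh, so ';', '|', '$(...)' and
    friends inside `user` become additional commands run as the CGI's user.
    """
    proc = subprocess.run("echo user: " + user, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_hardened(user):
    """Reject anything outside the allowlist, then pass an argv list with no
    shell involved: the input can only ever be a single argument."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("rejected username: %r" % user)
    proc = subprocess.run(["echo", "user:", user],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "alice; echo INJECTED"      # constructed attacker input
    print(lookup_vulnerable(payload), end="")  # second command runs
    try:
        lookup_hardened(payload)
    except ValueError as exc:
        print(exc)
```

When reviewing, grep for `system(`, `popen(`, backticks, `shell=True` and `exec` with string arguments, then trace every argument back to see whether it can originate from a request; the argv-list form is the fix, and input validation is defence in depth on top of it, not a substitute.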
55. Actively Test Defenses
• Packet filtering
• TCP Wrappers
• Other defense programs
56. Safeguard Data and Report
• Save for the next audit
• Do not keep it on-line
• Use strong encryption if stored electronically
• Limit distribution to those who "need to know"
• Print out the report, sign it, and number the copies
57. Incident Response - Purpose
Minimize overall impact
• Hide from public scrutiny
• Stop further progression
• Involve key personnel
• Control the situation
Secure the system
• Lock down all known avenues of attack
• Assess the system for unseen vulnerabilities
• Implement proper auditing
• Implement new security measures
Recover quickly and efficiently
• Respond as if you are going to prosecute
• If possible, replace the system with a new one
• Priority one: business back to normal
• Ensure all participants are notified
Follow-up (a continuous process)
• Ensure that all systems are secure
• Continue prosecution
• Securely store all evidence and notes
• Distribute lessons learned
58. Incident Verification
• How are we certain that an incident occurred?
• Verify the incident!
• Where to find information?
  – Intrusion logs
  – Firewall logs
  – Interviews: emails, network admins, users, ISP, etc.
59. Verification: What do we know?
• Three situations:
  1. Verification without touching the system
  2. Verification by touching the system minimally; you have a clue or two about where to look
  3. Verification by full analysis of the live system to find any evidence that an incident has occurred
60. Secure the Incident Scene
• What exactly does this mean?
  – Limit the amount of activity on the system to as little as possible
    • Limit damage by isolating the system
    • ONE person performs actions
    • Limit changes to the crime environment
    • Record your actions
61. Preserve Everything!
• Anything and everything you do will change the state of the system:
  – Power off? Changes it.
  – Leave it plugged in? Changes it.
  – Obtaining a backup will change the system.
  – Unplug the network? Changes it.
  – Even doing nothing will ALSO change the state of the system.
62. Incident Scene Snapshot
• Record the state of the computer
  – Photos, the state of the computer, what is on the screen?
  – What is obviously running on the screen?
    • xterm?
    • X Windows?
  – Should you port scan the affected computer?
    • Pros: you can see all active and listening ports
    • Cons: it affects the computer, and some backdoors log how many connections come into them and could tip off the intruder
63. Unplug Power from the System?
• This method may be the most damaging to effective analysis, though there are some benefits as well
  – Benefits: you can now move the system to a more secure location and physically remove the hard drive from it
  – Cons: you lose all evidence of running processes and memory
64. Unplug from the Network?
• Unplug it from the network and plug the far end into a small hub that is not connected to anything else
• Most systems will write error messages into log files if they are not on a network
• If you make the computer think it is still on a network, you limit the amount of change to that system
65. Intrusion Detection
• Intrusion detection is the process of monitoring computer networks and systems for violations of security
• An intrusion is any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource
• All intrusions are defined relative to a security policy
  – The security policy defines what is permitted and what is denied on a network/system
  – Unless you know what is and is not permitted, it's pointless to attempt to catch intrusions
66. Intrusion Detection Systems
• Goal: to detect intrusions in real time and respond to them
• False positive: no intrusion, but an alarm
  – Too many make your life miserable
• False negative: an intruder is not detected
  – The system is compromised
67. Intrusion Detection - Detection Schemes
• Misuse detection: the most common technique, where incoming/outgoing traffic is compared against well-known signatures. For example, a large number of failed TCP connections to a wide variety of ports indicates that somebody is doing a TCP port scan.
• Anomaly detection: uses statistical analysis to find deviations from baseline behaviour (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition but has the benefit that it can catch attacks for which no signature exists. At the time these slides were written, anomaly detection was described as mostly theoretical and the topic of extensive research.
68. Intrusion Detection - Detection
• Misuse detection
  • Detects known attack signatures
  • Advantage: low false-positive rate
  • Drawbacks: only known attacks; cost of signature management
• Anomaly detection
  • Learns normal profiles from user and system behaviour, then detects deviations
  • Advantage: detects unknown attacks
  • Drawbacks: difficulty of profiling; the profile can be trained by intruders; high false-positive rate
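Both schemes from the two slides above, as an added example that is not part of the original slides: a misuse detector for the port-scan signature the text describes (many dropped TCP connections from one source to many distinct ports within a short window), and an anomaly detector that flags a count more than k standard deviations above a baseline. The log format, the hosts, the thresholds and the baseline numbers are all constructed assumptions for the demo.

```python
"""Added example (not from the original slides): signature (misuse) and
anomaly detection over constructed firewall log lines."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format, loosely modelled on a packet-filter log.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, None for anything else.

    Garbage is skipped rather than raised on: one malformed line (possibly
    injected on purpose) must not stop the detector.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S").timestamp()
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(events, min_ports=15, window_s=60):
    """Misuse detection: a source whose dropped TCP attempts touch at least
    min_ports distinct destination ports within window_s seconds.
    Returns {src: largest number of distinct ports seen in one window}."""
    attempts = defaultdict(list)
    for ev in events:
        if ev["action"] == "DROP" and ev["proto"] == "TCP":
            attempts[ev["src"]].append((ev["ts"], ev["dport"]))
    scanners = {}
    for src, hits in attempts.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding time window
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(ports))
    return scanners


def is_anomalous(baseline, observed, k=3.0):
    """Anomaly detection: flag observed if it is more than k standard
    deviations above the baseline mean.  A flat baseline (stdev 0) would make
    any change look infinite, so there any increase counts as anomalous."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    if sd == 0:
        return observed > mean
    return (observed - mean) / sd > k


def sample_log():
    """Constructed sample: one host probing 25 ports in 25 s (a scan), one
    host with three stray drops spread over 20 minutes, accepted traffic,
    and one line of garbage."""
    lines = ["2012-10-03T09:00:%02d DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=%d"
             % (i, 20 + i) for i in range(25)]
    lines += [
        "2012-10-03T09:00:05 DROP src=10.0.0.5 dst=192.0.2.10 proto=TCP dport=445",
        "2012-10-03T09:10:05 DROP src=10.0.0.5 dst=192.0.2.10 proto=TCP dport=139",
        "2012-10-03T09:20:05 DROP src=10.0.0.5 dst=192.0.2.10 proto=TCP dport=135",
        "2012-10-03T09:00:07 ACCEPT src=10.0.0.9 dst=192.0.2.10 proto=TCP dport=80",
        "this line is not a log entry",
    ]
    return lines


def run_demo():
    events = [ev for ev in map(parse_line, sample_log()) if ev]
    baseline = [100, 110, 95, 105, 100]   # constructed hourly login counts
    return {
        "events": len(events),
        "scans": detect_port_scans(events),
        "spike": is_anomalous(baseline, 400),
        "normal": is_anomalous(baseline, 110),
    }


if __name__ == "__main__":
    print(run_demo())
```

The thresholds are where the false-positive/false-negative trade-off from slide 66 lives: lowering `min_ports` or raising `window_s` catches slower scans at the cost of alarming on a busy but legitimate client, and the baseline fed to `is_anomalous` is exactly the profile an intruder can poison by ramping activity up slowly.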