It For Dummies Kamens 081107
  • 1. IT FOR DUMMIES Michael Kamens, JD,CISM Accume Partners Director, IT Audit Copyright Accume Partners 2007
  • 2. Introduction
    • Challenges
    • Security reports indicate that your network is vulnerable to being exploited by “hackers”
    • On the other hand, your IT people tell you how secure your network is
    • Most IT Auditors are scared of the Network
      • You have limited time to finish your audit
      • Even if you go head to head with the IT team, would it be productive?
      • When the reports detail vulnerabilities, are they explained in a way that will make sense?
      • Do you really understand what a “false positive” is?
      • How thorough is your understanding of the technology you are auditing?
  • 3. Agenda
    • Considerations for Evaluating Vulnerability
    • Risk Assessment vs Vulnerability Assessment
    • The Need for Vulnerability and Penetration Testing
    • Internal Auditors’ Role
    • Vulnerability and Penetration Assessment
  • 4. Considerations for Evaluating Vulnerabilities
    • Questions to Ask
    • Can a “hacker” breach your network?
      • Hint: Absolutely!
    • Has the IT Department done everything to make your network more secure?
    • Are there Policies and Procedures in place to ensure best practice standards are being practiced?
  • 5. Considerations for Evaluating Vulnerabilities (cont)
    • Trends Affecting Information Security
    • Businesses have a tremendous opportunity to utilize information technology to expand their productivity.
    • Many organizations will need to provide easier access by users to selected areas of their information systems, thereby increasing potential exposure.
    • In taking advantage of all this increased connectivity, speed and data, securing information within their communications systems has to be a mandatory priority.
    • Unfortunately, no one security device or procedure will ensure a risk free environment.
  • 6. Risk Assessment vs Vulnerability Assessment
  • 7. IT Risk Assessment
    • An IT Risk Assessment is designed to give a detailed analysis of how well a business is secured.
    • Answers the question: How secure is your organization's information? -- A high-priority issue
  • 8. Vulnerability Assessment
    • A Vulnerability Assessment identifies weaknesses and vulnerabilities on the network that expose the business to risk
    • Allows the business to diminish threats and take remedial actions before they occur
    • Provides an analysis of the business's security
    • Ensures that only authorized employees have access to critical corporate data
  • 9. The Need for Vulnerability & Penetration Testing
    • Drivers
    • Businesses continue to rely on the Internet to increase revenue, thereby exposing data to potential hackers
    • Businesses are inadequately securing customer data
    • ID theft is at an all-time high
    • Consumers are inadequately educated about securing their own ID data
  • 10. The Need for Vulnerability & Penetration Testing (cont)
    • Challenges
    • The demanding pace of business
      • The need for speed can take precedence over logical security measures
    • Corporate culture
      • “It will not happen to me” attitude
      • Focusing resources only where they generate high visibility and high ROI
      • Resistance to committing valuable (human, financial) resources to protect client data
  • 11. Where is IA Positioned?
    • Where are you?
    • Are you part of your organization’s team in planning the IT Audit and deciding what areas will be in scope?
    • Is the attitude – “Well, it’s not a key control, so let someone else handle it”?
  • 12. Internal Auditors’ Role
    • What IA gains by being involved with Vulnerability and Penetration Testing
    • Assurance that data has not been compromised
    • Assurance that administrative rights are properly administered
      • Request screenshots of ID login, password and user rights configurations, and of file shares
      • Process for how admin rights are granted
    • Assurance that a Trojan Horse would not be able to take over the network
      • Guest Account has no password
      • Server has never been hardened
  • 13. Internal Auditors’ Role (cont)
    • What you should know
    • Hardened Servers –
      • When new servers are purchased, every service by default has been activated regardless of the use of the server.
      • The OS could be Windows/Linux/Unix etc
      • Services can include Email/Web/SQL etc
      • Wireless Access Points
  • 14. Internal Auditors’ Role (cont)
    • Impact
    • TJX lost 200M customers’ PII
      • Cause: poor security from their wireless access points
    • TSA lost 100K employees’ PII
      • Cause: lost laptop
    • Fidelity lost 196K customers’ PII
      • Cause: lost laptop
    • AIG lost 930K customers’ PII
      • Cause: theft of a data-center server
    • Bank of America lost 1.2M federal employees’ PII
      • Cause: lost laptop
    • Texas Guaranteed Student Loan lost 1.3M customers’ PII
      • Cause: lost computer tapes
    • Q.: Can your organization survive the front page or the 6 o’clock news?
    • Note: PII = Personally Identifiable Information. Includes SSN, birth dates, addresses, driver’s license or anything that identifies an individual.
  • 15. Vendor Management
    • Selecting a vendor for a Vulnerability and Penetration Security Assessment
    • Vendor Criteria
      • What insurance do they carry
      • Who owns all the data – raw and finished
      • Will the same team begin and finish
      • Estimated project length
      • References within your Industry are critical
      • How do they present their evidence (reports)
  • 16. Criteria for Selecting a Vendor
    • Selecting a vendor
    • Vendor Criteria
      • Good business dictates requesting 3 quotes
      • Review the financials of prospective vendors to ascertain their solvency
      • Review the firm’s history –
        • How long has the firm been in business?
        • How long have they been performing Vulnerability and Penetration Testing?
      • Review staffing –
        • Does the prospective vendor hire permanent staff or contractors?
        • What are their credentials?
  • 17. Vulnerability and Penetration Assessment
    • Testing
    • IA should be part of the team that determines the scope of testing
    • You will want to be able to read the Vulnerability and Penetration report to be satisfied that the organization is secure
  • 18. Vulnerability and Penetration Assessment (cont)
    • Phase – Assessment Areas
    • When looking at areas of an Assessment there are various ways of categorizing the assessment areas
    • For example:
      • EXTERNAL -- Firewall, DMZ, Email, Web
      • INTERNAL -- Hosts/Servers
      • INTERNAL -- Network Devices
      • INTERNAL -- PCs
      • Phone Sweep
      • Social Engineering
  • 19. Vulnerability and Penetration Assessment (cont)
    • Phases – Assessment/Scans
    • The PC scans
      • Verify that PCs are patched and updated
      • Identify accounts without passwords
      • Identify vulnerabilities from missing patches
      • Usually performed annually
    • Phone Sweep/War Dialing
      • Scans your PBX to determine that users are not connecting modems to their PCs (optional)
    • Social Engineering
      • Attempt to gain client data from staff at remote sites (optional)
  • 20. Vulnerability and Penetration Assessment (cont)
    • Phase – Data Rating
    • ECHO Rating System
      • E – Exposure High
        • Immediate corrective attention required
      • C – Control Concern Medium
        • Corrective action required
      • H – Housekeeping Low
        • Configuration enhancements recommended
      • O – Okay Low
        • Controls appear to be adequate
  • 21. Vulnerability and Penetration Assessment (cont)
    • Phases – Data Analysis
    • Data analysis is the most critical stage of the assessment
      • High vulnerability vs “false positives”
    • The vendor has completed their scans
      • Data needs to be correlated, analyzed and ranked by importance
  • 22. Vulnerability and Penetration Assessment (cont)
    • Vulnerability Reports
    • The report should identify each device with vulnerabilities.
      • Some may have several vulnerabilities that need attention
    • Each vulnerability should be defined with a description, reason, and CVE (Common Vulnerabilities & Exposures) note
      • CVE is a list of standardized names for vulnerabilities and other information security exposures
      • CVE aims to standardize the names for all publicly known vulnerabilities and security exposures
    • Risk rating
    • Remediation -- There should be an explanation/recommendation for how to remediate the vulnerability
    • See examples
  • 23. Vulnerability and Penetration Assessment (cont)
    • Vulnerability Reports – Typical Detail
        • Exchange XEXCH50 Remote Buffer Overflow vulnerability detected on port smtp (25/tcp)
        • Vulnerability Description: This system appears to be running a version of the Microsoft Exchange SMTP service that is vulnerable to a flaw in the XEXCH50 extended verb. This flaw can be used to completely crash Exchange 5.5 as well as execute arbitrary code on Exchange 2000.
        • ECHO Rating / Risk: E – Exposure; Immediate Corrective Attention Required
        • Category – Type of Vulnerability: SMTP Problems
        • Additional Information: NA
        • Vulnerable System(s): 02x.xxx.xxx.174 Server
        • Recommendation: System administrators should apply the security patch to Exchange servers immediately. Refer to: http://www.microsoft.com/technet/security/bulletin/MS03-046.mspx
        • Vulnerability Reference (CVE/CAN, BID): CVE: CVE-2003-0714; BID: 8838; Other references: IAVA:2003-A-0031, IAVA:2003-a-0016; Nessus ID: 11889
  • 24. Vulnerability and Penetration Assessment (cont)
    • Vulnerability Reports – Typical Detail
    • Vulnerability Description
    • The Terminal Services are enabled on the remote host.
    • Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
    • ECHO Rating / Risk: O – Okay; Controls appear to be adequate
    • Category – Type of Vulnerability: Useless Services
  • 25. Vulnerability and Penetration Assessment (cont)
    • Four Most Common Causes of Vulnerabilities
    • Lack of Housekeeping
    • Not Hardening Servers
    • Not updating/patching servers and PCs
    • No follow up on previous Vulnerability and Penetration Assessments
  • 26. Vulnerability and Penetration Assessment (cont)
    • Additional Causes of Vulnerabilities
    • Our tendency is to utilize scarce resources on the most publicized vulnerabilities rather than investing the effort on the vulnerabilities that pose the greatest risk to the enterprise.
    • If we had unlimited resources and budgets, our first step would begin before a computer network becomes operational so that no flawed computers are introduced into the network.
      • The network could then be probed for security vulnerabilities.
      • Finally, the external network defense, the firewall, could be verified before any connection to the public network is allowed.
    • In reality, we are understaffed, under-budgeted and pressured for time to meet deadlines. Skipping this single step is the cause of the most significant number of known vulnerabilities.
  • 27. Sample Report
    • Sample Report Conclusion
    • “We have reviewed ACME Bank’s IT Policies and Procedures for safeguarding their network systems having an Internet presence.”
    • “Our vulnerability testing identified six vulnerabilities and security configuration issues. We recommend that ACME review their network patch management policies and procedures. Effective patch management policies, detailed procedures, and processes will improve the Bank’s overall security posture and provide adequate protection against known vulnerabilities and intruder attacks.”
    • “It is important to remember that security is a process, not a destination. New vulnerabilities are discovered on a daily basis, and without keeping abreast of the latest security information any network, regardless of how secure it is at present, has the potential to be compromised in the future.”
  • 28. Internal Audit Responsibilities
    • Review report to ascertain just how secure your organization is
    • Ensure that the vulnerabilities discovered, and the agreed-upon action plans and time frames for remediation, are included as part of your audits (critical)
    • Ensure remediations are addressed within the set timeframe
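As an added example that is not part of the slides, the Python below performs the data-analysis and follow-up steps described in slides 20 to 22 and 28: it groups scan findings per device, orders them by ECHO rating, and flags repeat findings whose agreed remediation date has passed. The findings, the prior action plan and its dates are constructed for illustration, not taken from a real assessment.

```python
from dataclasses import dataclass
from datetime import date

# ECHO rating from the slides: E Exposure (high), C Control concern (medium),
# H Housekeeping (low), O Okay (low). A lower number sorts as more urgent.
ECHO_ORDER = {"E": 0, "C": 1, "H": 2, "O": 3}


@dataclass(frozen=True)
class Finding:
    host: str   # vulnerable system, masked as on the slides
    title: str
    cve: str    # "" when the scanner reports no CVE identifier
    echo: str   # one of E, C, H, O


# Constructed scan output for the current assessment (not real scan data).
CURRENT = [
    Finding("02x.xxx.xxx.174", "Exchange XEXCH50 remote buffer overflow", "CVE-2003-0714", "E"),
    Finding("02x.xxx.xxx.174", "Terminal Services enabled", "", "O"),
    Finding("02x.xxx.xxx.180", "Guest account has no password", "", "C"),
]
# Constructed action plan agreed after the prior assessment: finding -> due date.
PRIOR_PLAN = {("02x.xxx.xxx.174", "CVE-2003-0714"): date(2007, 6, 30)}
TODAY = date(2007, 11, 8)  # constructed date of the current assessment


def key(f):
    """Identity of a finding across assessments: host plus CVE (or title if none)."""
    return (f.host, f.cve or f.title)


def rank(findings):
    """Group findings per device, most severe first, with the worst device first,
    so the report lists each device together with all of its vulnerabilities."""
    by_host = {}
    for f in sorted(findings, key=lambda f: (ECHO_ORDER[f.echo], f.title)):
        by_host.setdefault(f.host, []).append(f)
    return dict(sorted(by_host.items(), key=lambda kv: ECHO_ORDER[kv[1][0].echo]))


def overdue(findings, plan, today):
    """Repeat findings whose agreed remediation date has passed: the
    'no follow-up on previous assessments' cause named on slide 25."""
    return [f for f in findings if key(f) in plan and plan[key(f)] < today]


def echo_summary(findings):
    """Count of findings per ECHO letter for the report's risk-rating section."""
    counts = dict.fromkeys(ECHO_ORDER, 0)
    for f in findings:
        counts[f.echo] += 1
    return counts
```

Running `rank(CURRENT)` lists the Exchange host first because its top finding is rated E, and `overdue(CURRENT, PRIOR_PLAN, TODAY)` returns the XEXCH50 finding as a repeat item past its due date.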
  • 29. Question and Answers
    • Remember:
      • Before you argue with someone, walk a mile in their shoes, that way you are a mile away and have their shoes.
            • Author: “who knows”
  • 35. Where to Get More Information
    • Other training sessions
    • List books, articles, electronic sources
    • Consulting services, other sources