INFORMATION SECURITY AUDIT REPORT - UNIVERSITY OF FLORIDA HEALTH SCIENCE CENTER
BLUE TEAM
NIKITA K. KOTHARI
JIGISHAARYYA
ZDENEK R. JAKS
ABSTRACT
This report gives an analysis of the policy and offers recommendations to improve the
policy's security. In summary, the policy reduces security breaches and makes the
system more secure by protecting it with accounts and passwords. It protects the data of the
user and the organization because only people with accounts and passwords in the
organization can log in and access the data. The policy helps in setting the privileges of
users based on their authorization level. It was found that the password length and the
complexity of passwords varied for different users, which helped in setting their authorization level.
A review of the standard policy for "User Account and Password Management" and the
standard policy for "Password Complexity" was completed. The standard policy was then
compared with the University of Florida policy, and improvements that could be made to the
current UF policy were identified. Recommendations include:
● Improve accessibility for users by letting them log in on multiple platforms at the same time.
● Improve security by having users change their passwords often.
● Improve security by requiring users with higher authorization to go through more steps, rather
than simply making them use a longer or more complex password.
● Improve security by frequently reviewing policies and making updates.
EXECUTIVE SUMMARY
An audit was performed for the University of Florida Health Care Information Security
Department. The policy that was audited was the User Account and Password Management
policy under the Technical Security category. The purpose of the audit is to improve the
policy that the University of Florida (UF) uses for its User Accounts and Password
Management. Here is the list of goals that should be covered:
● Improve password strength.
● Assign distinct roles to users.
● Assign privileges to users based on their roles.
● Use the policy standard to further improve the current policy.
This audit provides a comparison between the current policy and the standards. Failure to
recognize and implement the advice of the audit can lead to data breaches of
sensitive information.
BS ISO IEC 17799:2005 Section                                        Level of Compliance
1. Security Policy                                                   Compliant
2. Organization of Information Security                              Compliant
3. Asset Management                                                  Compliant
4. Human Resources Security                                          Compliant
5. Physical and Environmental Security                               Compliant
6. Communications and Operations Management                          Partially compliant
7. Access Control                                                    Partially compliant
8. Information Systems Acquisition, Development and Maintenance      Compliant
9. Information Security Incident Management                          Compliant
10. Business Continuity Management                                   Partially compliant
11. Compliance                                                       Compliant
BACKGROUND
USER ACCOUNT AND PASSWORD MANAGEMENT
PURPOSE:
To establish a standard for user account and password management. User authentication is a
means to control who has access to an IT Resource. Access gained by a non-authorized
entity can result in loss of data confidentiality, integrity and availability. This may result in
loss of revenue, liability, loss of trust, or it can cause embarrassment to HSC. Here is the list of
standards that should always be followed.
1. Accounts and passwords must not be shared.
2. Restricted or Sensitive data must have an automatic log-off feature.
3. Unnecessary pre-configured or default accounts must be removed or changed.
4. Passwords for essential default accounts must be changed before connecting the system to the
network.
5. For situations involving the use of passwords as an authentication mechanism, UFHSC
Units must adopt a password scheme reflecting the nature of the data or data resource accessed.
6. Stored passwords must be encrypted or otherwise protected with a non-reversible hash or
another comparable mechanism.
7. Users must not bypass password entry with auto logon, use of applications that remember
passwords, embedded scripts or hard-coded passwords in client software.
PASSWORD COMPLEXITY
PURPOSE:
To determine whether the proper requirements were met for the complexity of new and in-use
passwords.
1. Password construction requirements for each password policy level are chosen to achieve
the specified minimum entropy.
2. Password rules require the inclusion of 3 of the following 4 character sets: lowercase
letters, uppercase letters, numerals and special characters.
3. For all policy levels, choosing a passphrase of at least 18 characters removes the
password composition rules and the dictionary check. Passphrases are subject to minimal
tests to prevent the use of common or trivial phrases.
4. Multi-Factor Authentication (MFA) may be offered for use with policy levels P3-P5, and is
required for P6.
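The four Password Complexity rules above as a checker (added example, not code from the report or from UF); the per-level minimum-entropy figures and the list of trivial phrases are assumed placeholders, since the report names levels P3-P6 but gives no numbers.

```python
import math
import re
from dataclasses import dataclass, field
from typing import List

# Rule 2's four character sets with their pool sizes; the pool size feeds the
# rule 1 entropy estimate (assumes characters drawn uniformly from the pool).
CHARSETS = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),
}

# Assumed minimum-entropy targets per policy level (the report names
# levels P3-P6 but gives no figures; these are illustrative placeholders).
MIN_ENTROPY_BITS = {"P3": 28, "P4": 36, "P5": 44, "P6": 52}

PASSPHRASE_MIN_LEN = 18          # rule 3 threshold from the report
MFA_REQUIRED_LEVEL = "P6"        # rule 4: MFA mandatory at P6

# Constructed sample of trivial phrases for rule 3's minimal passphrase test.
TRIVIAL_PHRASES = {"correct horse battery staple", "password password password"}


@dataclass
class Verdict:
    accepted: bool
    entropy_bits: float
    mfa_required: bool
    reasons: List[str] = field(default_factory=list)


def estimate_entropy(pw: str) -> float:
    """Rule 1: len * log2(size of the combined pool the password draws from)."""
    pool = sum(size for rx, size in CHARSETS.values() if rx.search(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(pw: str, level: str) -> Verdict:
    """Apply rules 1-4 to a candidate password for the given policy level."""
    reasons: List[str] = []
    bits = estimate_entropy(pw)
    if len(pw) >= PASSPHRASE_MIN_LEN:
        # Rule 3: a long passphrase skips composition and dictionary rules,
        # but is still screened against common or trivial phrases.
        if " ".join(pw.lower().split()) in TRIVIAL_PHRASES:
            reasons.append("passphrase is a common or trivial phrase")
    else:
        # Rule 2: at least 3 of the 4 character sets must appear.
        used = sum(1 for rx, _ in CHARSETS.values() if rx.search(pw))
        if used < 3:
            reasons.append(f"uses {used} of 4 character sets, need 3")
    # Rule 1: the level's minimum entropy applies to every password.
    if bits < MIN_ENTROPY_BITS[level]:
        reasons.append(f"entropy {bits:.1f} bits below level minimum")
    return Verdict(not reasons, bits, level == MFA_REQUIRED_LEVEL, reasons)
```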
While the password is the most commonly used method for authenticating users entering computer
systems, passwords are frequently targeted by attackers wanting to break into
systems. It is important that this first line of defense against unauthorized access is effective, by
rigorously practicing good password management policies. Different passwords should
be used for different systems according to the security requirements and the value of the
information assets that need to be protected. Make use of other access control mechanisms to
facilitate password management and reduce the effort required of users in memorizing
a large number of passwords. This should be supported with good security policies and
guidelines, backed by user awareness training and education on best practices in
choosing and handling passwords.
In addition, for effective information security management, consideration should also be given to areas
including but not limited to physical security, data and application security, network
security, and technologies for strengthening security protection, for example firewalls, VPN and
SSL.
Different information systems will have different security requirements, depending on the
functional characteristics and classification of data on each system. As a general rule,
authentication mechanisms should be deployed with varying levels of sophistication, commensurate
with the value of the information assets that need to be protected. For example, an internal application
handling classified data requires tight access control, while an Internet application for general
information searching may permit anonymous logins.
FINDINGS OF FACTS
AUDIT QUESTIONNAIRE AND RESPONSES
RATING SCALE: 1 = YES 2 = Being Implemented 3 = In Development 4 = NO
Response items: Preliminary Score, Action Item, Final score, Notes (if any)
Password Management Audit questions and findings
➔ Are passwords difficult to crack?
Rate: 1 – final score
Note: Highly restricted rules are in place for making passwords difficult to crack
➔ Are adequate cryptographic tools in place to govern data encryption, and are tools
properly configured?
Rate: 1 – final score
Note: Link to policies in place - http://www.it.ufl.edu/policies/web-related/develop-applications-for-secure-deployment/
➔ Are passwords and accounts being shared?
Rate: 1 – final score
Note: Passwords are encrypted and not shared or stored in scripts or unprotected configuration
files.
➔ Have employees been trained on proper password management?
Rate: 4 – interim score
Note: No clear indication of password management training to employees.
➔ Are users of all company-provided network resources required to change the initial
default password?
Rate: 1 – final score
Note: Properly specified in the guideline:
https://security.ufl.edu/wp-content/uploads/2013/09/TS0005.02-User-Account-and-Password-Management-Standard.pdf
➔ Are the passwords required to use current tools as secure as the tools allow them to be?
Rate: 1 – final score
Note: There are 9 total guidelines for creating strong passwords. Without meeting those the
passwords are not accepted by the system.
➔ Do terminating employees have their calling cards and voice-mail passwords disabled?
Rate: 1 – final score
Note: Calling cards are returned and voice mail passwords are terminated after 90 days.
➔ Does the organization have a published policy on prosecution of employees and outsiders
if found guilty of serious premeditated criminal acts against the organization?
Rate: 4 – interim score
Note: No policy specifying that.
➔ Are employees made aware of their responsibility to keep remote access codes secure
from unauthorized access and usage?
Rate: 1 – final score
Note: As per project doc. “Policy will be implemented to minimize the number of laptops
authorized for use with confidential data. Full disk encryption will be required on all laptops
used with confidential data. Remote data destruction and tracking software will also be required.
Policy implementation will be verified at least annually”.
Source: http://www.it.ufl.edu/wp-content/uploads/2012/10/risk-assessment-standard.pdf
Application code and network security
➔ Are there access control lists (ACLs) in place on network devices to control who has
access to shared data?
Rate: 1 – final score
Note: Clear definitions available at icc.ifas.ufl.edu/ITAC/.../Lenel-IT-Standards-and-Procedures(rev2).doc
➔ Are there audit logs to record who accesses data?
Rate: 4 – final score
Note: No evidence that user name or ID is logged.
➔ Are audit logs reviewed?
Rate: 1 – final score
➔ Have custom-built applications been written with security in mind?
Rate: 1 – final score
➔ How have custom applications been tested for security flaws?
Rate: 1 – final score
Note: Automation and documented code for testing and review are in place.
➔ How are configuration and code changes documented at every level?
Rate: 1 – final score
➔ How are these records reviewed and who conducts the review?
Rate: 1
Note: With parsed log files. Application Developers and System Administrators review the code.
➔ Are the desktop platforms secured?
Rate: 1 – final score
Note: Automated tools for review and testing used to detect vulnerabilities in desktops and
servers.
➔ Are host systems and servers as well as application servers secured?
Rate: 1 – final score
Note: Both are connected to networks and are secured with authentication, encryption and using
temporary files.
Account Management audit
➔ Are unsecured user accounts (e.g., guest) still active?
Rate: 1 – interim score
Note: Guest accounts are automatically deleted after 7 calendar days. Process for getting a
temporary guest account:
http://identity.it.ufl.edu/identity-coordination/training/creating-a-gatorlink-guest-account/
➔ Are temporary user accounts restricted and disabled in a timely fashion?
Rate: 4 for restricted access and 1 for disabling in a timely fashion
Reason: No proper guidelines or description have been given for the restricted access provided
to guest account holders, but the accounts are disabled after a fixed amount of time.
Storage backup and business continuity audit
Purpose:
The purpose of this policy is to protect University Data from loss or destruction by specifying
reliable backups that are based upon the availability needs of each unit and its data.
➔ How is backup media stored? Who has access to it? Is it up-to-date?
Rate: 1 – final score
Note: System administrators. http://www.it.ufl.edu/wp-content/uploads/2012/10/user-removable-media-guidelines.pdf
➔ Is there a disaster recovery plan?
Rate: 1 – final score
➔ Have the participants and stakeholders ever rehearsed the disaster recovery plan?
Rate: 1 – final score
Policy
➔ Is there an information security policy in place?
Rate: 1 – final score
Note: Covers almost all the aspects in detail.
➔ Does the policy state what is and is not permissible?
Rate: 1 – final score
➔ Does the scope of the policy cover all facets of information?
Rate: 1 – final score
Note: “Guidelines provide additional information for handling information and information
systems in a secure manner to ensure confidentiality, integrity and availability of data and
information.”
➔ Does the policy define and identify what is classed as "information"?
Rate: 1 – final score
Note: there is a Data classification policy in place.
➔ Does the policy support the business objectives or mission of the enterprise?
Rate: 1 – final score
Note: This is available in the home page of the official website
➔ Does the policy identify management and employee responsibilities?
Rate: 1 – final score
➔ Does the policy make clear the consequences of non-compliance?
Rate: 4 – final score
Note: Not available readily.
CONCLUSIONS AND RECOMMENDATIONS
Overall, our team feels that the University of Florida Information Security Department has some
very good policies in place, but there are many policies in several areas that need to be addressed
for several important reasons. We feel that attending to policies that may be outdated, not
complete, or not thorough enough is of vital importance to the university’s operations going
forward.
There are key aspects of UF’s contingency planning that pass with an appropriate policy, but
there are many that fail.
There need to be better and more recently revised policies for all of those that were stated
above, as contingency planning is a crucial aspect when disaster strikes, or when something
unprecedented happens in the organization.
There is an effective storage and backup plan, with only the system administrators who
need access to that information having access.
There is not an appropriate recovery plan in the event of a system-wide emergency. The plan does not
explicitly state what steps would be taken in the event of an emergency shutdown or data loss.
The human resources policy for taking appropriate corrective action against those violating the
policies is also not specified very clearly in the policies.
Hence we recommend adding policies in the above-mentioned areas.
APPENDICES
Reference documents:
1. https://www.sans.org/media/score/checklists/ISO-17799-2005.pdf
2. http://www.it.ufl.edu/policies/web-related/develop-applications-for-secure-deployment/
3. http://identity.it.ufl.edu/identity-coordination/training/creating-a-gatorlink-guest-account/
4. https://security.ufl.edu/wp-content/uploads/2013/09/TS0005.02-User-Account-and-Password-Management-Standard.pdf
Terms and definitions:
1. Risk management is the process of identifying, assessing and controlling threats to
an organization's capital and earnings. These threats, or risks, could stem from a wide
variety of sources, including financial uncertainty, legal liabilities, strategic
management errors, accidents and natural disasters. IT security threats and data-related
risks, and the risk management strategies to mitigate them, have become a top
priority for digitized organizations. As a result, a risk management plan increasingly
includes an organization's processes for identifying and controlling threats to its
digital assets, including proprietary corporate data, customers' personally
identifiable information and intellectual property. Risk management standards have been developed by
several organizations, including the National Institute of Standards and Technology and the ISO.
These standards are designed to help organizations identify specific threats, assess
their unique vulnerabilities to determine their risk, identify ways to reduce these
risks and then implement risk reduction efforts according to organizational
strategy.
2. Intellectual property refers to creations of the intellect for which a monopoly
is assigned to designated owners by law. Intellectual property rights (IPRs)
are the protections granted to the creators of IP, and include trademarks, copyright,
patents, industrial design rights, and in some jurisdictions trade secrets. Artistic works
including music and literature, as well as discoveries, inventions, words, phrases,
symbols, and designs can all be protected as intellectual property.
While intellectual property law has evolved over centuries, it was not until the
nineteenth century that the term intellectual property began to be used, and not until the
late twentieth century that it became commonplace in most of the world. The stated
objective of most intellectual property law (with the exception of trademarks) is to "Promote progress." By
exchanging limited exclusive rights for disclosure of inventions and creative works,
society and the patentee/copyright owner mutually benefit, and an incentive is created
for inventors and authors to create and disclose their work. Some commentators have noted that the
objective of intellectual property legislators and those who support its implementation appears to be
"absolute protection". "If some intellectual property is
desirable because it encourages innovation, they reason, more is better. The
thinking is that creators will not have sufficient incentive to invent unless they are
legally entitled to capture the full social value of their inventions". This absolute
protection or full value view treats intellectual property as another type of "real"
property, typically adopting its law and rhetoric. Other recent developments in intellectual
property law, such as the America Invents Act, stress international harmonization. Recently
there has also been much debate over the desirability of using intellectual
property rights to protect cultural heritage, including intangible heritage, as well as over the
risks of commodification derived from this possibility. The issue still remains open in legal scholarship.