The document discusses considerations for internal auditors evaluating vulnerability assessments and penetration test reports. It emphasizes the importance of understanding security vulnerabilities and their potential impacts. It provides an overview of the vulnerability assessment process, including evaluating risks, vendor selection, testing phases, data analysis, and required deliverables. The report recommends internal auditors be involved in planning assessments and understand vulnerability reports and how to remediate identified issues.

1. Over 700 Vulnerabilities Reported on My Penetration Test, Now What ? Be confident that the IT Security Assessment you present to the Audit Committee accurately represents your business. Michael Kamens, JD, CISM Accume Partners

2. Agenda Introduction Considerations for Evaluating Vulnerability Risk Assessment vs Vulnerability Assessment The Need for Vulnerability and Penetration Testing Internal Auditors’ Role Vulnerability and Penetration Assessment

3. Introduction Challenges Security reports indicate that your network is vulnerable to being exploited by “ hackers” On the other hand your IT people tell you how secure your network is Most IT Auditors are scared of the Network You have limited time to finish your audit Even if you go head to head with the IT team would be unproductive When the reports detail vulnerabilities, are they explained in a way that will make sense? Do you really understand what a “ false positive” is? How thorough is your understanding of the technology you are auditing?

4. Considerations for Evaluating Vulnerability Questions to Ask Can a “hacker” breach your network? Hint: Absolutely! Has the IT Department done everything to make your network more secure? Are there Policies and Procedures in place to ensure best practice standards are being practiced?

5. Considerations for Evaluating Vulnerability Trends Affecting Information Security Businesses have a tremendous opportunity to utilize information technology to expand their productivity. Many organizations will need to provide easier access by users to selected areas of their information systems, thereby increasing potential exposure. In taking advantage of all this increased connectivity, speed and data, securing information within their communications systems has to be a mandatory priority. Unfortunately, no one security device or procedure will ensure a risk free environment.

6. Risk Assessment vs Vulnerability Assessment IT Risk Assessment An IT Risk Assessment is designed to give a detailed analysis of how well a business is secured. Answers the question: How secure is your organization's information? -- A high-priority issue

7. Vulnerability Assessment A Vulnerability Assessment identifies weaknesses and vulnerabilities on the network that expose the business to risk Allows the business to diminish threats and take remedial actions before they occur Provides an analysis of businesses security Ensures that only authorized employees have access to critical corporate data Risk Assessment vs Vulnerability Assessment

8. Risk Assessment vs Vulnerability Assessment The Vulnerability Assessment allows the business to utilize their incident response capability by: Detailing the vulnerabilities of the business Developing response plans and procedures Improving capability of crisis management teams

9. The Need for Vulnerability & Penetration Testing Drivers Businesses continue to rely on the Internet to increase revenue, thereby exposing data to potential hackers Businesses are inadequately securing customer data ID theft is at an all-time high Consumers are inadequately educated about securing their own ID data

10. The Need for Vulnerability & Penetration Testing Challenges The demanding pace of business The need for speed can take precedence to logical security measures Corporate culture “ It will not happen to me” attitude Focusing resources only where it generates high visibility, high ROI Hesitance to commit valuable (human, financial) resources to protect client data

11. Internal Auditors’ Role Where are you? Are you part of your organization’s team in planning the IT Audit and what areas will be in scope? Is the attitude – “Well it’s not a key control so let someone else handle it”?

12. Internal Auditors’ Role What IA gains by being involved with Vulnerability and Penetration Testing Assurance that data has not been compromised Assurance that administrative rights are properly administered Request screenshots of ID login, password, user rights configurations, file shares, Process for how admin rights are granted Assurance that a Trojan Horse would not be able to take over the network Guest Account has no password Server has never been hardened

13. Internal Auditors’ Role What you should know Hardened Servers, Guest Accounts and Trojan Horses Hardened Servers – When new servers are purchased, every service by default has been activated regardless of the use of the server. The OS could be Windows/Linux/Unix etc Services can include Email/Web/SQL etc

14. Internal Auditors’ Role What you should know (cont’d) If the server is not running Email, Web, SQL why should those services be running? Turn them off. The Guest Account Is normally never used Is the most common entry for a Trojan Horse which contains a malicious program Just by having a Hardening Policy, the organization can eliminate many vulnerabilities

15. Internal Auditors’ Role Impact TJX lost 200M customers’ PII Cause: poor security from their wireless access points TSA lost 100K employees’ PII Cause: lost laptop Fidelity lost 196K customers’ PII Cause: lost laptop AIG lost 930K customers’ PII Cause: theft of a data-center server Bank of America lost 1.2M federal employees’ PII Cause: lost laptop Texas Guaranteed Student Loan lost 1.3M customers’ PII Cause lost computer tapes Q.: Can your organization survive the front page or the 6 o’clock news ? Note: PII = Personally Identifiable Information. Includes SSN, birth dates, addresses, drivers license or anything that identifies an individual.

16. Vendor Management Selecting a vendor Is a Vendor Management policy in place? The vendor should be qualified to Perform a simulated attack and penetration of your organization’s firewall from the Internet Assess your production servers

17. Vendor Management Selecting a vendor Vendor Criteria Good business dictates requesting 3 quotes Review the financials of prospective vendors to ascertain their solvency Review the firm’s history – How long has the firm business? How long have they been performing vulnerability and penetration Testing? Review staffing – Does the prospective vendor hire permanent staff or contractors? What are their credentials?

18. Vendor Management Selecting a vendor Vendor Criteria What insurance do they carry Who owns all the data – raw and finished Will the same team begin and finish Estimated project length References within your Industry is critical How do they present their evidence (reports)

19. Vulnerability and Penetration Assessment Testing IA should be part of the team that determines the scope of testing You will want to be able to read the Vulnerability and Penetration report to be satisfied that the organization is secure

20. Vulnerability and Penetration Assessment Phase – Assessment Areas When looking at areas of an Assessment there are various ways of categorizing the assessment areas For example: EXTERNAL -- Firewall, DMZ, Email, Web INTERNAL -- Hosts/Servers INTERNAL -- Network Devices INTERNAL -- PCs Phone Sweep Social Engineering

21. Vulnerability and Penetration Assessment Phase – Assessment Areas There are numerous areas to be considered for assessment The number of assessments (scans) increases based on frequency performed throughout the year. There are 2 mandatory (scans): EXTERNAL IPs -- Firewall, Email, DMZ, WEB Semi annual test INTERNAL IPs -- Hosts/Servers Semi annual test

22. Vulnerability and Penetration Assessment Phases – Assessment/Scans The PC scans provide a verification that they are patched and updated Identify accounts without passwords and Identify vulnerabilities from missing patches Usually performed annually Phone Sweep/War Dialing Scans your PBX to determine that users are not connecting modems to their PCs (optional) Social Engineering Attempt to gain client data from staff at remote sites (optional)

23. Vulnerability and Penetration Assessment Phases – Data Analysis Data analysis is the most critical stage of the assessment High vulnerability vs “false positives” The vendor has completed their scans Data need to be correlated, analyzed and ranked on importance

24. Vulnerability and Penetration Assessment Phase – Data Rating The Rating System is used to evaluate the criticality ECHO System E = Exposure C = Control Concern H = Housekeeping O = Okay

25. Vulnerability and Penetration Assessment Phase – Data Rating ECHO Rating System E – Exposure High Immediate corrective attention required C – Control Concern Medium Corrective action required H – Housekeeping Low Configuration enhancements recommended O – Okay Low Controls appear to be adequate

26. Vulnerability and Penetration Assessment Phase – Deliverables from Vendor You should be receive the following from the vendor CD/DVD containing all raw scan data from your assessment and supporting their conclusions/reports Complete detailed report explaining all vulnerabilities along with remediation and severity level Executive Summary which includes a condition of your organization, and managements responses. This is meant for the Audit Committee or Board Members

27. Vulnerability and Penetration Assessment Vulnerability Reports The report should identify each device with vulnerabilities. Some may have several vulnerabilities that need attention Each vulnerability should be defined with a description, reason, and CVE (Common Vulnerabilities & Exposures) note A CVE is a list of standardized names for vulnerabilities and other information security exposures CVE aims to standardize the names for all publicly known vulnerabilities and security exposures Risk rating Remediation -- There should be an explanation/ recommendation for how to remediate the vulnerability See examples

28. Vulnerability and Penetration Assessment Vulnerability Reports – Typical Detail Exchange XEXCH50 Remote Buffer Overflow vulnerability detected on port smtp (25/tcp) Vulnerability Description This system appears to be running a version of the Microsoft Exchange SMTP service that is vulnerable to a flaw in the XEXCH50 extended verb.This flaw can be used to completely crash Exchange 5.5 as well as execute arbitrary code on Exchange 2000. ECHO Rating /RISK ECHO Rating: E – Exposure; Immediate Corrective Attention Required Category – Type of Vulnerability SMTP Problems Additional Information NA Vulnerable System(s)02x.xxx.xxx.174 ServerRecommendation System administrators should apply the security patch to Exchange servers immediately.Refer to:http://www.microsoft.com/technet/security/bulletin/MS03-046.mspx Vulnerability Reference (CVE/CAN, BID) CVE : CVE-2003-0714 BID : 8838 Other references : IAVA:2003-A-0031, IAVA:2003-a-0016 Nessus ID : 11889

29. Vulnerability and Penetration Assessment Vulnerability Reports – Typical Detail Vulnerability Description The Terminal Services are enabled on the remote host. Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access n the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimates users by impersonating the Windows server. ECHO Rating /RISKECHO Rating: O – Okay; Controls appear to be adequate Category – Type of Vulnerability Useless Services

30. Vulnerability and Penetration Assessment How Could There Be 700 Vulnerabilities? Count each vulnerability once and not against each server For example, if you have 12 hosts that have not been patched, the scanner might generate 25 “ double buffer overflows” Once the server is patched, 25 vulnerabilities go away

31. Vulnerability and Penetration Assessment Four Most Common Causes of Vulnerabilities Lack of Housekeeping Not Hardening Servers Not updating/patching servers and PCs No follow up on previous Vulnerability and Penetration Assessments

32. Vulnerability and Penetration Assessment Additional Causes of Vulnerabilities Our tendency is to utilize scarce resources on the most publicized vulnerabilities rather than investing the effort on the vulnerabilities that pose the greatest risk to the enterprise. If we had unlimited resources and budgets, our first step would begin before a computer network becomes operational so that no flawed computers are introduced into the network. The network could then be probed for security vulnerabilities. Finally, the external network defense, the firewall, could be verified before any connection to the public network is allowed. In reality, we are under staffed, under budgeted and pressured for time to meet deadlines. This single step is the cause of the most significant number of known vulnerabilities.

33. Vulnerability and Penetration Assessment Sample Report Conclusion “ We have reviewed ACME Bank’s IT Policies and Procedures for safeguarding their network systems having an Internet presence.” “ Our vulnerability testing identified six vulnerabilities and security configuration issues. We recommend that ACME review their network patch management policies and procedures. Effective patch management policies, detailed procedures, and processes will improve the Bank’s overall security posture and provide adequate protection against known vulnerabilities and intruder attacks.” “ It is important to remember that security is a process, not a destination. New vulnerabilities are discovered on a daily basis, and without keeping abreast of the latest security information any network, regardless of how secure it is at present, has the potential to be compromised in the future.”

34. Vulnerability and Penetration Assessment Internal Audit Responsibilities Review report to ascertain just how secure your organization is Ensure that the vulnerabilities discovered and that agreed upon action plans and time frames for remediation are included as part of your audits (critical) Ensure remediation's are addressed within the set timeframe

35. Question and Answers Remember: Before you argue with someone, walk a mile in their shoes, that way you are a mile away and have their shoes. Author “ who knows “

36. Michael Kamens, JD, CISM Director, Information Technology mike@mikaassociates.com