8/1/2018
1
Richard Cascarino CISM, CIA, ACFE, CRMA
Cybersecurity Series – Administrative Control Breaches
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
  • Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
  • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users
  • Audit guides, manuals, and books on audit basics and using audit technology
  • LinkedIn Networking Groups
  • Monthly Newsletters with Expert Guest Columnists
  • Surveys on timely topics for internal auditors
Introductions
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
TODAY’S AGENDA
• Security Administration
• Purpose of Security Tools
• Examples of Security Tools
• Security Incident Manager (SIM)
• Problems with Security Administration
• Improving Administration
STATE OF PLAY
There are only two types of companies: Those that have been hacked, and those that will be. Even that is merging into one category; those that have been hacked and will be again.
FBI Director Robert Mueller, 2012
SYSTEM ADMINISTRATORS
• Definition
  • Person responsible for the day-to-day operation of a technology system
• First line of defense
  • System administrators secure critical information systems
• May also be system security officers
  • Person responsible for writing, enforcing and reviewing security operating procedures
• Some of the most important IT personnel in an organization
  • Keep IT humming
CUSTODIAN OF MISSION CRITICAL INFORMATION RESOURCES
Custody of mission critical information resources is the process of maintaining a safe computing environment.
Security Administrator
• Implements approved mitigation strategies and adheres to information security policies and procedures to manage risk levels for information resources under their care.
• Implements monitoring techniques and procedures for detecting, reporting, and investigating incidents.
INFORMATION SECURITY ADMINISTRATOR ROLE
• Implements and complies with all information technology policies and procedures relating to assigned systems.
• Assists Owners in performing the annual information security risk assessment for Mission Critical Resources.
• Reports general computing and Security Incidents to the Entity ISO.
• Assists the ISO in developing, implementing, and monitoring the Information Security Program.
• Establishes reporting guidance, metrics, and timelines for ISOs to monitor the effectiveness of security strategies implemented in both the central and decentralized areas.
• Reports to the ISO about the status and effectiveness of information resources security controls.
COMMON SYSTEM ADMINISTRATION TASKS
• Installation
  • Writing the necessary data in the appropriate locations on a computer’s hard drive for running a software program
  • e.g. installing the operating system, installing application programs
• System administration challenge
  • Streamline the process across thousands of computers in the organization
• Consumers often believe: when in doubt, install
• Professional system administrators believe: when in doubt, do not install
TASKS FOR MINIMUM SECURITY STANDARDS FOR SYSTEMS
• System is set up in a protected network environment
• Install OS and application services security patches expediently
• Enable automatic notification of new patches
• Disable/uninstall services, applications and user accounts not being used
MORE TASKS
• Limit connections to services running on the host to authorized users only
• Encrypt communications and storage of services/applications for systems using Cat I data (confidentiality-integrity-availability)
• Integrity checks of critical OS files and system accounts (user least privilege)
• Warning banner required
• Use of strong passwords
TASKS FOR SECURITY MONITORING
• Enable and test log activities
• Document and routinely monitor/analyze OS and service logs
• Follow a documented backup strategy for security logs (e.g., account management, access control, data integrity, etc.)
• Retain security logs 14 days minimum
• Admin/Root access must be logged
• Use appropriate security tools
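Two of the monitoring tasks above can be checked mechanically: that admin/root access actually shows up in the logs, and that the 14-day minimum retention is met. The following is an added example written for this page, not code from the deck; the auth log lines, host names, users and addresses are constructed, and the regexes assume standard Linux sshd/sudo/su message formats.

```python
"""Checks for two monitoring tasks: admin/root access is logged, and security
logs cover the 14-day minimum retention window. Added example; all data is constructed."""
from datetime import date, datetime, timedelta
import re

# Constructed syslog-style auth lines (hosts, users and addresses are made up).
AUTH_LOG = [
    "Aug  1 09:12:01 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.20 port 51022 ssh2",
    "Aug  1 09:12:44 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Aug  1 09:15:03 host1 sshd[2240]: Accepted password for root from 203.0.113.7 port 40211 ssh2",
    "Aug  1 09:16:10 host1 su: (to root) bob on pts/1",
    "Aug  1 09:20:00 host1 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40300 ssh2",
]

# Patterns for the three usual ways a user reaches root on a Linux host.
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(.+)$")
ROOT_SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for root from (\S+)")
SU_RE = re.compile(r"su: \(to root\) (\S+) on (\S+)")


def _syslog_time(line: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def privileged_access_events(lines, year: int) -> list:
    """Return one record per admin/root access found in the log lines."""
    found = []
    for line in lines:
        if m := SUDO_RE.search(line):
            found.append({"ts": _syslog_time(line, year), "kind": "sudo",
                          "actor": m[1], "detail": m[2]})
        elif m := ROOT_SSH_RE.search(line):
            # Direct root logins deserve their own record: the actor is the remote address.
            found.append({"ts": _syslog_time(line, year), "kind": "root-login",
                          "actor": m[2], "detail": f"ssh {m[1]}"})
        elif m := SU_RE.search(line):
            found.append({"ts": _syslog_time(line, year), "kind": "su",
                          "actor": m[1], "detail": m[2]})
    return found


def retention_gaps(retained_days, today: date, minimum_days: int = 14) -> list:
    """Days inside the minimum retention window for which no daily log exists."""
    required = {today - timedelta(days=i) for i in range(minimum_days)}
    return sorted(required - set(retained_days))


# Constructed inventories of the daily security-log files present on a host.
TODAY = date(2018, 8, 1)
RETAINED_OK = [TODAY - timedelta(days=i) for i in range(14)]     # full 14 days
RETAINED_SHORT = [TODAY - timedelta(days=i) for i in range(10)]  # rotated too early

if __name__ == "__main__":
    for ev in privileged_access_events(AUTH_LOG, 2018):
        print(ev)
    print("missing days:", retention_gaps(RETAINED_SHORT, TODAY))
```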
SYSTEM ADMINISTRATION UTILITIES
• Available for all enterprise software
• Microsoft Windows
  • System Center
    • Configuration Manager: monitor installation and configuration of software across the enterprise
    • Operations center: monitor hardware status across the enterprise
• Unix/Linux
  • Various utilities, e.g. Puppet, Oracle Jumpstart
PURPOSE OF SECURITY
TOOLS
• Combining text and visuals
• Reporting
• Monitoring
• Correlating
• Simplify the life of a Security Administrator
COMBINING TEXT AND VISUALS
• Size and complexity of networks
• A System Administrator has a variety of responsibilities: install, configure, monitor, debug and patch
• Visualization vs. Perl scripts
• VisFlowConnect-IP (who is connecting to whom on my network?)
• Other tools (discussed later)
REPORTING
• Many security tools have a built-in capability for reporting
• Why is reporting important?
• Examples:
  • Nessus (vulnerability information)
  • SIM (security incident information)
MONITORING
• Monitoring
  • Listening to and/or recording the activities of a system to maintain performance and security
  • Required continuously after installation and configuration to ensure desired performance and security
• Two kinds
  • Reactive monitoring
    • Detecting and analyzing failures after they have occurred
    • Problem notifications
    • Analyzing logs after failures: identify modus operandi, identify affected systems
  • Proactive testing
MONITORING
• Some security tools have a live data feed for the network
• Different types of monitoring
  • Network monitoring
  • Security event monitoring
  • Network security incident monitoring
CORRELATION
• Correlation integrates the key security factors that are critical in determining the potential for significant damage within an organization. These factors are:
  • Real-time events from heterogeneous devices
  • Results of vulnerability scans and other sources of threat data
  • The value of the host, database or application to the organization
MORE TASKS
• Configuration
  • Selecting one among many possible combinations of features of a system
  • Has information security implications
    • Vulnerabilities can arise due to interactions among components
    • System administrators must comprehend the implications of these interactions
• Challenge
  • Many software components desired by end users are not maintained by their creators
  • The resulting information security hazards must be controlled
EVEN MORE TASKS
• Access control
  • Limiting access to information system resources only to authorized users, programs, processes, or other systems
  • And establishing what authorized users can do on a system
• Typically refers to
  • Files or directories a user can read, modify or delete
• Can also include
  • Limiting access to network ports
  • Application level: limiting the rows and/or columns a user can see in a database, or the available screens in a business application
USER MANAGEMENT
• User management
  • Defining the rights of organizational members to information in the organization
  • Key component of access control
  • Creating and removing user accounts
  • Updating permissions when users change roles
• Challenge
  • Managing large numbers of users
  • Commonly organized into groups of users with similar privileges
    • E.g., all faculty members in the Computer Science department are members of the CompSci-Faculty group and are granted access to the mailing list for email discussions
TESTING
• Proactive testing
  • Testing a system for specific issues before they occur
• Vulnerability scanners
  • Access systems and look for potential vulnerabilities
  • Prioritize and resolve identified vulnerabilities
• Penetration testing
  • Usually carried out by a professional security firm
  • Actively exploiting vulnerabilities found
  • Assessing the level of access that is gained
• Recent developments
  • Chaos Monkey: deliberately destroys running systems; promoted by Netflix
UPDATING
• Updates
  • Replacing defective software components with components in which the identified defects have been removed
  • Remove vulnerabilities detected during ongoing use and monitoring of software
• Two categories
  • Operating system updates
    • Fix issues with the low-level components of the system software
    • Developed and released by the operating system vendor
    • All modern operating systems can automatically check for and install required security updates without system administrator intervention
MORE UPDATING
• Application updates
  • Fix problems in individual applications
  • Typically involve more effort
    • Ensure functioning of plug-ins from other vendors and in-house additions
    • Many customizations are not well documented or tested
    • Impact of an application update on customizations is not predictable
  • Manual updates are often necessary to deploy application updates
• Typical update procedure
  • Install the update on a development server
  • Test all applications on the development system
  • If successful, deploy the update to production systems
SYSTEM FAILURE
• Single points of failure
  • A part of a system whose failure will stop the entire system from working is a single point of failure
  • Related to hardware
  • Availability implications
• Standard solution: redundancy
  • Surplus capability, which is maintained to improve the reliability of a system (e.g. spare power supply)
  • Cold spares
    • Extra parts used when necessary
    • Involve downtime
  • Hot spares
    • Redundant components already in operation that can replace the failed component
    • No downtime
    • Used in all mission critical components
Kizza - Guide to Computer Network Security
SOURCES OF VULNERABILITIES
• There is no definitive list of all possible sources of these system vulnerabilities
• Among the most frequently mentioned sources of security vulnerability problems in computer networks are:
  • design flaws
  • poor security management
  • incorrect implementation
  • Internet technology vulnerability
  • the nature of intruder activity
  • the difficulty of fixing vulnerable systems
  • the limits of effectiveness of reactive solutions
  • social engineering
THE INSIDER THREATS
Non-malicious actions include negligence and errors made by personnel in the course of executing their everyday responsibilities.
Malicious actions include intentionally exceeding or misusing access in a manner that negatively affects the confidentiality, integrity, or availability of the Department's information or information systems.
OTHER SECURITY ADMIN TOOLS
• Bro
• Nessus
• Symantec Anti-virus
• Tripwire
• Rootkit
• Sebek
BRO
• Bro (http://www.bro-ids.org/) is a NIDS (Network Intrusion Detection System)
• Bro supports signature analysis, and in fact can read Snort signatures. (Snort is one of the most popular NIDS available.)
• Bro also performs (a limited form of) anomaly detection, looking for activity that resembles an intrusion.
NESSUS
• Nessus is free (trial) comprehensive vulnerability scanning software.
• Its goal is to detect potential vulnerabilities on the tested systems.
NESSUS SCREENSHOT - 1
NESSUS SCREENSHOT - 2
NESSUS SCREENSHOT - 3
OTHER TOOLS
• Security Incident Management System
• ArcSight
• Novell e-Security Sentinel
• Network Incident Management System
• Whatsup Gold
• IBM Tivoli
ARCSIGHT
• Large enterprise and government infrastructures are growing increasingly dynamic and complex
• ArcSight ESM is an event management tool
• Different capabilities: filters, correlation, reporting, threat monitor, vulnerability knowledge base, asset information, risk management, zones, etc.
ARCHITECTURE - ARCSIGHT ESM
• SmartAgents (residing on remote systems or on a separate layer)
• Devices or remote systems (firewalls, IDSs etc.)
• Correlation engine
• Central database
• ArcSight Manager (console/browser)
TESTING ARCSIGHT
• Real strength - analyzing huge volumes of data
• When tested at an ISP that provided managed services to many corporate clients, generating millions of events a day (stress test), ArcSight had no hiccups.
• Biggest advantage: scaling
ARCSIGHT SCREENSHOT 1
ARCSIGHT SCREENSHOT 2
ARCSIGHT SCREENSHOT 3
E-SECURITY SENTINEL
• Competitor of ArcSight, Network Intelligence, Symantec Security Information Manager
• Event collector
  • Analyses and correlates events to determine if an event violates a predetermined condition or acceptable threshold
• Control Center & Correlation Engine
  • Unlike ArcSight, e-Security Sentinel has an iScale Message Bus that is based on the Sonic JMS* bus architecture
  • Highly scalable
  • Doesn’t rely on a relational database
PROBLEMS WITH SECURITY ADMINISTRATION
• Integration is required
  • From firewalls to IDSs to Websense to vulnerability information to the knowledge base
• Challenges
  • Too much to look at
  • No single standard data format
  • Out-of-sync system clocks
  • Correlation becomes difficult
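The Correlation slide earlier names three inputs (real-time events from heterogeneous devices, vulnerability scan results, and asset value), and the problems just above explain why combining them is hard: every source has its own format and its own clock. The following added example, written for this page and not taken from the deck or from any product it names, normalises two constructed feeds (a firewall log and IDS alerts) into one schema, corrects a measured clock skew before grouping events in time, and ranks the resulting groups by scan findings and asset value. The feeds, the 3-minute IDS skew, the findings, the asset values and the scoring formula are all constructed.

```python
"""Correlating heterogeneous security events. Added example; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# --- Constructed sample feeds, each in its own native format ---------------------
FIREWALL_LOG = [  # the firewall clock is treated as the reference clock
    "2018-08-01T10:00:05Z DENY src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2018-08-01T10:00:07Z DENY src=203.0.113.9 dst=10.0.0.5 dport=139",
    "2018-08-01T10:00:09Z ALLOW src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2018-08-01T10:20:00Z ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443",
]
IDS_ALERTS = [  # the IDS sensor clock runs 3 minutes fast (hypothetical skew)
    {"ts": "2018-08-01 10:03:10", "sig": "SMB probe", "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"ts": "2018-08-01 10:03:12", "sig": "SSH brute force", "src": "203.0.113.9", "dst": "10.0.0.5"},
]
# Measured offset of each source clock relative to the reference clock (constructed).
CLOCK_OFFSET = {"firewall": timedelta(0), "ids": timedelta(minutes=-3)}
# Open findings per host from the latest vulnerability scan (constructed).
VULN_SCAN = {"10.0.0.5": ["SMBv1 enabled", "weak SSH ciphers"], "10.0.0.8": []}
# Business value of each asset on a 1-10 scale (constructed).
ASSET_VALUE = {"10.0.0.5": 9, "10.0.0.8": 2}


@dataclass
class Event:
    """Common schema every source is normalised into."""
    ts: datetime  # on the reference clock, UTC
    source: str
    src: str
    dst: str
    detail: str


FW_RE = re.compile(r"(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_firewall(line: str) -> Event:
    """Normalise one firewall line into the common schema."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable firewall line: {line}")
    ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts + CLOCK_OFFSET["firewall"], "firewall", m[3], m[4], f"{m[2]} port {m[5]}")


def parse_ids(rec: dict, fix_clock: bool = True) -> Event:
    """Normalise one IDS record; optionally subtract the sensor's measured clock skew."""
    ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if fix_clock:
        ts += CLOCK_OFFSET["ids"]
    return Event(ts, "ids", rec["src"], rec["dst"], rec["sig"])


def correlate(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Group events by (src, dst); start a new group when the gap exceeds the window."""
    groups, by_pair = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.dst)
        current = by_pair.get(key)
        if current is None or ev.ts - current[-1].ts > window:
            current = []
            groups.append(current)
            by_pair[key] = current
        current.append(ev)
    return groups


def score(group: list) -> int:
    """Risk score: event volume x asset value x (1 + open findings on the target)."""
    dst = group[0].dst
    return len(group) * ASSET_VALUE.get(dst, 1) * (1 + len(VULN_SCAN.get(dst, [])))


def build_incidents(fix_clock: bool = True) -> list:
    """Normalise all feeds, correlate, and return (score, src, dst, n_events) by priority."""
    events = [parse_firewall(line) for line in FIREWALL_LOG]
    events += [parse_ids(rec, fix_clock) for rec in IDS_ALERTS]
    ranked = [(score(g), g[0].src, g[0].dst, len(g)) for g in correlate(events)]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    print("with clock correction:   ", build_incidents())
    print("without clock correction:", build_incidents(fix_clock=False))
```

With the skew corrected, the firewall denies and the IDS alerts for the same pair fall into one incident; without it the same activity splits into two lower-scored groups, which is the "out-of-sync system clocks" problem in miniature.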
PROBLEMS CONT.
• Information asymmetry
  • Use of manual tools (location, address books, information directories)
  • Process is slow because of very little integration
  • A problem in times of actual attacks
• Critical factor - “Time”
• New vulnerabilities - proactive work pays
• Administrator motto - “Know Thy Network”
IMPROVEMENTS
• New tools to help security administrators need to be developed
  • Standardization of event formats for easier integration
  • Application of data mining in event classification, analysis and noise reduction
  • Automated event stream processing
  • Improved information management tools
POOR CONTROLS ON PRIVILEGED ACCESS: IT RISK AT ITS MOST FUNDAMENTAL
• Two of the biggest challenges facing enterprises today are the management of security and the management of compliance.
• The two are often interrelated, since compliance mandates frequently seek to bring regulated businesses to at least a minimum standard of security and risk control.
EQUIFAX BREACH
• Occurred May – July 2017
• Public notified September 2017
• 143 million individuals’ credit records
• Included credit card numbers, driver’s license numbers, social security numbers, addresses, birthdates
• Check to see if you are impacted at: www.equifaxsecurity2017.com
CYBERSECURITY WEBINAR SERIES
• Sept 14 - Vulnerability Assessment
• Sept 27 - Advanced Persistent Threats and targeted cyber attacks
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan, AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel: +1 303 747 6087 (Skype Worldwide)
Email: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
