The Mythical Audit, IT Security Conf., Oct. 2002

English
15 Pages

The Mythical Audit Point
Mignona Cote
Senior Manager, Security Vulnerabilities
Nortel Networks

Why this Topic?

Agenda
• The Control Expert
• One Size Fits All
• The Real World
• A Case Study
• Let’s Progress

The Control Expert
• Knowledge
• Training
• Experience
• Checklists

Knowledge
(environment diagram labels)
– Firewall
– Database
– Application Servers
– Remote Access
– Business Back Office Applications
– Partner RAS
– Front Office Systems
– Wireless Access
– UNIX, Windows NT, VPN
– Outlook, Development
– Internet
– Remote Users
Do we know the controls to secure this environment?

Training
Have we been trained to understand the magnitude of risk?

Experience
Where do we draw the line?
Does our experience within technology let us know the acceptable risk?

Checklists
(two checklist excerpts)

MAJOR CONTROL CATEGORIES (columns: BaaN, SAP)
– Documentation Process and Standards: XX X
– Login Controls: X
– OS Controls: X
– Change Control: XX X
– Disaster Recovery Planning: X
– Database Management / Controls: X
– Transport of Data: XX X
– Developer Access Controls: X
– Exemptions: X
– Application Auditing Processes: XX X
– Next Scheduled Revalidation: 28-Dec-02, 28-Aug-02

Checklist detail
1.5 Security Administration
– Corporate Procedures
– Corporate Standards
– Practices
– Change Control Procedures
– Verify UNIX Directory Structure
1.6 Authentication
– Verify root login disabled
– root login limited to console on HP systems
– Identify users with root access

One Size Fits All
Audit Report: Perform Any Function Application
We recommend:
– Privileged access be limited to a prime and a backup
– DRP be tested
– All vulnerabilities be corrected
– Systems comply with all standards

Mythical Audit Point #1
• Common Issue
– “We recommend administrative access be limited to a prime and a backup.”
• Typical Exposure
– Accountability
– “Keys to the Kingdom”
– Logging of Activity

Mythical Audit Point #1
• Real World
– 7x24 support
– Global Operations
– Small IS shop
– System Installations
– Reboots
– Reduced Workforces
– Mergers, Acquisitions, Divestitures

Mythical Audit Point #2
• Common Issue
– “DRP be tested”
• Typical Exposure
– Unable to recover
– Loss of critical data
– Business not able to operate

Mythical Audit Point #2
• Real World
– Failover systems
– 1400 applications
– 300+ data feeds
– Dispersed operations
– Mirroring
– Walkthrough vs. Live Tests

Mythical Audit Point #3
• Common Issue
– “All vulnerabilities must be corrected.”
• Typical Exposure
– Systems may be easily hacked
– Unauthorized Access

Mythical Audit Point #3
• Real World
– False Positives
– “Genius” to exploit
– Can we expose/exploit
– Compensating Controls
– NIPC, CERT
– Patch Availability
– SNMP: Perimeter Router, Disable, Patch

Mythical Audit Point #4
• Common Issue
– “We recommend all systems comply with Standards.”
• Typical Exposure
– Systems may be compromised
– Systems are unsecured

Mythical Audit Point #4
• Real World
– 200+ Unix OS Configurations
– Application Dependencies
– Required Services
– Implementation Cost

Reality vs. Over Control

A Case Study
• Situation:
– IS received over 50 audit points over 8 audits, resulting in bad ratings
– 40% were the same issue
– Were these a real threat?

A Case Study
• Remediation
– Accountability model for Issues
– Root Cause
– Hardening Plan
– Improved Audit Practices