Accidental Error Messages & Overflow Vulnerabilities | Web Application Vulnerability Assessments

Accidental Error Messages
It is not unusual for Web servers to mishandle unanticipated user input. They fail to adequately address incorrect input and frequently provide verbose error messages that can provide valuable information to an attacker. For example, if a user incorrectly entered her user name information, the system might respond with an error message such as We were unable to find an account for this user name, click here to enroll. If the user inputs an incorrect password, the system might respond with an error message such as You have entered an incorrect password, you can reset it by clicking here.

Attackers can use overly informative error messages to either launch a denial-of-service attack or attempt to engage a brute-force attack against the password entry. A more appropriate error message is one similar to: There has been a user error; please provide the correct input. Auditors must be mindful that authorized user logons should never be the same as the user names used by the organization's e-mail naming conventions. From an attacker's point of view, the e-mail user naming convention being the same as the user name logon is having half the problem solved for a successful attack.

Some Web sites permit an unlimited number of failed sign-on attempts without being locked out. The vulnerability in this flawed practice is that user accounts can be compromised via brute-force attacks targeting the Web site's password entry.

Brute-force attacks are either manually or automatically performed where alphabetical and numerical combinations are tried as data entries to gain entry. From a preventive control stance, the sign-in policy should be that the user is locked out for a specified time after three failed sign-on attempts.

Experience Note Remember, even this policy is not without a threat potential in that an attacker can target the sign-on with incorrect data entry and lock out a legitimate user when she attempts entry. Having a viable and acceptable user reactivation policy is an important aspect of this preventive control.


There is a useful password-guessing tool to be found at www.tlsecurity.net/windows/cracker/webcracker.htm. This tool will automatically brute-force passwords in HTTP basic authentication and form-based authentication. Auditors should attempt to gain entry through brute-force methods as a means of testing entry security.

Another method that may have some success in defeating brute-force entry tools is to avoid direct linking to the sign-on function. For example, Web pages found behind the sign-on function should have a referrer field where the originating Web page of the user is checked against the allowed Web page URL, uniform resource locator.

Another method defeating some attacks is the error message, "inactivity timeout." This action causes the user's session to be terminated after a predefined period of inactivity. Auditors may test and verify this procedure by opening a Web page session in a sensitive area such as an E-commerce site where financial or personal information is collected. The server should terminate the session after predetermined period of user inactivity. This step prevents someone from hijacking the user's session.

More Unexpected User Input

There are a variety of ways that user input can be different from what was anticipated by the Web page developers. The size of the input can be too large, or too small. The input's content can be inappropriate in that alternate characters or executable scripts may be used causing the server to execute the input. Developers should incorporate user input screening in their programming routines. These are the types of input that should be filtered:

  • Metacharacters are special characters that represent something other than what they are themselves. For example, the ; (semicolon) is a command separator and the ? (question mark) is a match for a single character.

  • HTML delimiter characters such as "<" and ">".

  • Path redirection such as "/../" or ".." indicate the user is attempting to access the directory structure outside the Web server's Web page. These are known as regular expressions and must be screened before being processed by the server.

    Experience Note User input must always be screened with all improper input denied.


    Overflow Vulnerabilities
    Improperly validated user input to the Content-Type header can cause a buffer overflow condition. As a result of nonvalidated user input, excessive data copied onto the data stack can overwrite critical parts of the stack frame such as the calling function's return address, potentially permitting remote code execution with root privileges on the Web server. It is important for auditors to determine if user input is checked for correctness and any input other than the expected input merely returns an error message.

    Additionally, it is important that not only user-supplied input is screened and verified, but everything coming from the user's browser to the Web server should be filtered. Users can put executable code within the URL address and without proper filtering, it is possible that user input may be executed by the server.
  • HTML Examination & Web Server Examination | Web Application Vulnerability Assessments

    One of the most attractive business frontiers is E-commerce. For the first time in history, a business can have its doors open to the entire world where users can make purchases with nothing more than their credit cards in hand. Businesses are drawn to E-commerce to disseminate company information, sell products and services, provide customer service, and gain a competitive advantage. Most organizations with a presence on the World Wide Web have installed preventive and detection controls in the form of installing DMZs, firewalls, and intrusion detection equipment, and hiring competent employees. Senior managers are surprised at what an attacker can do with a Web-browser and a little creativity.

    Auditors must be aware there are logical steps in reducing risks, but the majority of vulnerabilities are found in faulty programming, misconfiguration, and absent systems monitoring.

    Auditors must be aware that risks are controlled by:

  • Knowing the organization's critical assets

  • Knowing threats and vulnerabilities

  • Implementation and compliance with policies, procedures, and standards; primary concerns include but are not limited to:

  • Change control management

  • Code development and maintenance

  • Quality assurance testing

  • User acceptance testing


  • Effective and continuous audits

  • Continuing risk management

    HTML Examination
    As a logical first step, auditors should carefully examine the HTML, HyperText Markup Language, composition of the organization's Web site. Attackers examine the Web page coding as one of their first steps to gaining as much knowledge as possible about their targets. Basically, auditors should download all the pages comprising the organization's Web site and examine the HTML coding. Often there are valuable programmer comments, passwords, telephone numbers, names, contractor's information, and business addresses, commonly placed within the HTML. For example:



    Welcome to the XYZ Corporation HomePage
    BGCOLOR = "#0000FF" TEXT = #FFFFF">


    San Diego, CA, XXX-555-1234 or e-mail me at alicedoe@ABCWebDe-
    sign.com — >
    An examination of this Web page HTML reveals the XYZ Corporation is using an outsource Web design firm, and the page designer has listed her name and contact information. This information could be very useful to an attacker who was interested in doing a bit of social engineering with Alice Doe or her employer.

    Testing for Indexed Directories
    Auditors should obtain a list of the indexed Web page directories. The manual process is a slow one, where the browser is used to request specific directories. For this reason, it is more expeditious for the auditor to obtain a list of indexed directories from the Web page administrator. However, if a true outside view is sought, the auditor can deploy her browser in this fashion (http://www.xyzcorporation.com/images).

    If the browser returns the images directory, it is important for the auditor to examine each and every file related to the Web site. More than once, auditors have discovered files that were not innocent files.

    Experience Note While conducting an audit of a client's Web site, the auditor began to survey the files accessible from the URL address line of the browser, using the format of www.xzycorporation.com/files. After downloading the files, it was discovered that one of them contained personally identifiable employee information.


    Web Server Examination
    Auditors may frequently access a company's Web site and determine the presence of specific Web servers. In UNIX and Windows environments, auditors may use the telnet client. By requesting a bogus file, the server file returns an error message and often the Web server will be correctly named. With this knowledge, an attacker merely researches the Internet for known vulnerabilities and executes them. For example:

    # telnet www.xyzcorporation.com 80
    Trying 275.xxx.xxx.xxx
    Connected to
    XYZCorporation.
    Escape character is ^
    GET/no-such-page.html HTTP/1.0 (At this time the auditor presses
    the Enter key twice)
    HTTP/1.0 error 404 Not Found
    Server: IIS-1.0 (This is the Internet Information Server version
    1.0)
    Content-Type: text/html
    Content-Length: 295
    Another useful tool for auditors is found at the Web site www.netcraft.com. This tool is useful whether Web sites are SSL, Secure Sockets Layer, enabled. By completing a few entries, the netcraft tool will display information about the particular Web site of interest including the Web server and operating system.

    Experience Note It is possible that savvy administrators have changed the banners in their server responses, so it is beneficial to verify the information before listing it as a possible finding.


    Although this is not considered a high-risk vulnerability, but there are many advantages in concealing system information from attackers. Attackers using techniques to identify the Web server and its version will browse the Internet in an effort to obtain vulnerability information that can be used to exploit the server. So, if they do not have accurate information, they must resort to another means to identify the Web server. It is not a perfect remedy. Efforts to conceal information will often discourage the casual attacker but probably will not dissuade the more-motivated ones.

    In a Window's environment, the HTTP server field may be edited via a hex editor in the W3SVC.DLL file and in a UNIX environment, the TCP/IP stack may be changed following the instructions at http://ippersonality.sourcefourge.net. It is suggested that the Web server response should be changed to reflect something nonsensical such as Vital O/S 2003.

    There are many advantages in the practice of security through obscurity. Auditors have a variety of tools available when mirroring a Web site. The advantage of mirroring a Web site is that auditors can view it at their leisure and conduct an in-depth review of the HTML as well as its construction. There are Web site mirroring tools at www.webstripper.net, www.esalesbiz.com/extra, and www.softbytelabs.com.

    Web site mirroring software will generally follow all links on a Web site and copy discovered files to the auditor's hard drive. In configuring them, rules can be set limiting the software to specific domains or preventing downloading certain file types.

    Experience Note WGET is a UNIX tool to mirror Web sites and may be found at http://wget.sunsite.dk.


    Once a Web site has been downloaded, the auditor can open the pages in a simple text editor application, such as Notepad or Vi, and review the HTML content. Auditors should review coding for e-mail addresses, names, addresses, passwords, and other information useful to an attacker.
  • Tools | Auditing

    This is a good place to discuss tools such as SamSpade, and the audit features they offer. Most of these tools offer similar features and prove to be invaluable during a vulnerability assessment. SamSpade provides a GUI (graphical user interface) that expedites its configuration. It runs on Windows 9X, ME, NT, and XP. As part of its functionality, it performs queries such as whois, ping, DNS Dig (Advanced DNS request and zone transfer), traceroute, finger, SMTP mail relay checking, and Web site crawling. Using SamSpade and similar tools are intuitive and self-explanatory so it would be a waste of time to fully describe their features and configuration. However, before using this tool, and others, auditors are cautioned to become familiar with their capabilities and risks. Additionally, all the tools listed below include very well written help files as part of their product


    SamSpade

    Similar tools are easily found on the Internet, caution is urged in making certain with whom you are doing business, make certain the tools come from reputable vendors and locations. Examples of similar tools may be located at www.ipswitch.com (WS-Ping ProPack) and www.nwpsw.com (NetScan Tools).

    Attentive auditors review the domain registration and notice the technical contact is not located at the same address and telephone exchange as the target enterprise. Several conclusions may be drawn from this information.

    The Web host is a contractor or the company that has its hosting facilities located outside its headquarters.

    The response also gives some insight into the e-mail naming conventions for the target. This information could be useful if an attacker wanted to find e-mail addresses she could target.

    In discovering more of the audit target, the auditor will look to the Internet for more information. Using such resources as www.google.com or www.hotbot.com will locate information about the target, its employees, and publicly available information. Google may also be used to query newsgroups for postings made by employees using the organization's domain name. This technique can be useful if employees are posting information about their company's vulnerabilities while using the organization's e-mail system.

    Frequently, attackers publish the company's network vulnerabilities in newsgroups or chat rooms. Experienced auditors will query newsgroups and participate in chat rooms to determine if relevant system vulnerabilities are available.

    Auditors often search public information areas such as the Securities Exchange Commission database known as EDGAR (www.sec.gov) for information about the target's filings. Two of the most informative filings are the 10K and 10Q. The form 10Q provides visibility into the company's activities in the last quarter, while the 10K is an annual filing describing the company's previous year. Reviewing these documents can provide information about recent mergers and acquisitions. It is possible the entities recently blended to form today's organization may allow the auditor to discover already documented vulnerabilities and permit unauthorized entries.

    Additionally, SEC filings and posted annual company reports provide a wealth of information for the attacker. It is not unusual for attackers to collect personal information about owners and senior managers, including private e-mail addresses, residences, financial holdings, automobile ownership, marital status, social security numbers, credit histories, etc.

    In the case of smaller organizations, auditors may purchase subscriptions to services that provide detailed information about individuals on a query-fee basis. If the rules of engagement allow this type of review, the type of information available about the target's senior management is almost limitless. These agencies collect information from magazine subscriptions, real estate transactions, driver's permits, professional organizations, clubs, and innocuous areas such as dog and cat licensing. Companies using this type of information collection are legitimate and are easily locatable on the Internet. Not all companies use legal means of information collection; so be wary and deal only with reputable agencies.

    Auditors must be fully aware that collecting private information is sensitive, but if the auditor can find the information, so can those who intend harm. It should be within the rules of engagement to discover available information. Auditors must make appropriate recommendations as to the information disclosed by employees that could result in jeopardizing their safety. If a regulatory agency or law does not require disclosure of information, do not do it. Making it a matter of audit programs will ensure its compliance with policy and procedures.

    Auditors should carefully document their public information discoveries in a detailed schedule as part of their final report. Making a printout and including it as part of the work papers is an accepted practice. This information will become very useful as the vulnerability assessment continues.

    If the rules of engagement permit the auditor to travel where attackers venture, it would be wise to enter the world of chat. Downloading a shareware chat client from, www.mirc.com will provide the means to speak with others about their knowledge of the audit target's vulnerabilities. Using this vehicle requires a fair degree of skill and is not going to be valuable unless the auditor has used this communication medium previously. However in the hands of a skillful professional, chatters frequently know an organization's critical asset vulnerabilities and exploits.

    Experience Note At a credit card clearinghouse, an auditor discovered several chat rooms and Web pages providing free scripts targeting the clearinghouse's Web site as well as open chats about the audit target's credit card network vulnerabilities. These scripts were designed to verify credit card information using the clearinghouse's computing facilities. When the auditor queried the persons chatting and the persons supporting the Web pages, it was discovered they were located virtually everywhere: Brazil, Russia, Philippines, Malaysia, and the United States. Auditors should not underestimate the value of chat rooms in determining an organization's vulnerabilities.

    IP Address Confirmation & Assessment Safety (Network Vulnerability Assessments)

    IP Address Confirmation
    In this step, business functions must be mapped to physical system and information about how the systems operate must be recorded. It is a wise audit step to obtain a list of the organization's IP addresses, to whom they are assigned, and where they are assigned, including the type of device. DNS name resolution can be used, but if something happens to the name server, or if the IP address resolution is incorrect, the actions taken by the auditors could be slowed or result in the wrong systems being audited.

    Ownership of the IP addresses should verified and confirmed before beginning the assessment. A very simple, but effective tool for IP resolution having a host of other features is available from: www.samspade.org. This tool is very intuitive, easily configurable, and will automatically select the correct Internet registration authority reflecting IP address ownership. Confirming IP addresses is good audit practice and serves to verify whether the organization has accurately completed their asset inventory.

    Assessment Safety
    Although auditors will have the best intentions, it is a wise practice to have a safety protocol for those moments when adverse things happen. When auditors download freeware/shareware or purchase their tools, it is a wise procedure to scan these utilities for malware being present. It only takes a moment to update the antivirus software and scan the product for worms, viruses, and Trojans.

    During the audit is not the time to experiment with a new tool. An audit tool should be carefully exercised to ensure the auditor has a thorough knowledge of its use before using it in an audit. Additionally, assessment tools should be updated, as new versions become available. Newer versions will likely address newly announced weaknesses that may be missed by older pieces of software.

    Auditors should have emergency contact information for appropriate management levels for each of the sections they are evaluating. These contacts must be 24/7. It is the experience of most system auditors that if anything can go wrong, it will at the least opportune moment.

    Experience Note Murphy's Law will be in full effect during every audit step; plan on it.



    Auditors should document all their actions and information captured during the assessment. Notes should be recorded to a central file for each member of the audit team. Some auditors go so far as to enable keystroke logging on their workstations to record all their actions. Record all IP addresses and netmasks targeted by your scanner tools. It is important to note when your system's IP address changes at any time during the assessment. This will help you keep directed and on track when performing the assessment. Additionally, it will simplify configuring the scanning tools. Using the IP addresses from the organization's inventory will shorten the time scanning tools are run. In this fashion, auditors only have to cover the territory once. Auditors should document the start and stop times of their tools. These documents will comprise a section in the auditor's work papers and will be referenced in the audit report.

    Discovering the Character of the Audit Target
    As a general first step, auditors will research public source information about the audit target. One of the most logical steps is to look up the domain registration information of the audit target. There are many manual Web sites providing Internet domain registration. These are just a few:

    www.arin.net

    www.networksolutions.com

    www.allwhois.com

    Social Engineering (Network Vulnerability Assessments)

    Social engineering is the tactic of having contact with the organization or persons associated with the organization and through ruse, pretext, or misdirection, attempt to gain information that would facilitate an unauthorized intrusion. It is possibly the least most popular means of auditing a system and must be thoroughly addressed as a tenet in the rules of engagement for the vulnerability assessment. Social engineering tests employees and their training.

    Experience Note When organizations suffer a successful social engineering attack, it makes banner headlines. Employee training and compliance auditing will help in avoiding these disasters.

    Auditors and senior managers must be mindful that attackers are employing these tactics, so using them in a measured fashion has great benefits in probing vulnerabilities. In essence, social engineering involves getting employees to voluntarily surrender information that can be used to gain an advantage that would not be available without it. It can be as easy as a telephone conversation, going through someone's wastepaper basket, or using an unprotected workstation.

    The primary tool of the social engineer is the telephone. Typically, a talented auditor can obtain more critical information and cause greater damage by working making a few telephone calls than the best network attacker. Among the most common approaches are:

  • Posing as a member of the target organization's technical support staff

  • Playing the role of a disgruntled customer/user seeking a password change

  • Calling the technical support staff and enlisting their aid in getting a workstation connected to their network

  • Going through the waste paper baskets located in open office areas after work hours and before it is collected

  • Using unattended workstations or servers

  • Going through the trash collected by the maintenance staff

  • Going through the organization's dumpster (consider this a major undertaking and avoid unless deemed necessary)

  • Making copies of notes and other materials left out on desks after hours

    Experience Note One of the most interesting, inventive, and legendary social engineering activities was the new maintenance employee who was seen posting small signs around an office area. These signs announced a new telephone number for the company's technical support unit. When one of the senior managers asked the employee who it was that requested he post the signs, she responded that she was new and did not know the person who asked. The manager did not follow it up any further. After about a week, the company's technical support staff sent an e-mail to their manager asking what happened to all their calls. They had not received a trouble call in several days. It was discovered that when calls were made to the "new" telephone number for the technical support unit, a recorded message stated that all agents were busy; and requested the caller to verify his identity with network logon name and password. It was discovered that the callers' network accounts had been accessed and sensitive information taken through terminals located inside the company during off-duty hours. Additionally, the organization had not verified the identity and background of the maintenance person.



    If the rules of engagement permit, auditor's can use social engineering for gaining access to the company's systems. For example, an auditor, not previously introduced to the target organization arrives early at the organization and loiters near the entrance. When an employee passes security and enters the office space, the auditor, acting as a new employee, offers the excuse they are new and have forgotten their identification badge, and follows the employee inside. Or an auditor telephones the network administrator and misrepresents himself as a member of the management staff and asks the administrator for her e-mail account password to be reset. The administrator provides a one-time use password without verifying the caller's identity and the auditor accesses the manager's e-mail account. Should such tactics be allowed? If the audit is going to test the risk management training provided to the employees, the answer is yes. Regardless, the use of social engineering tests must be addressed in the rules of engagement. If auditors do not test the system's vulnerabilities, attackers will. Again, it is not a matter of if an attacker attempts this type of intrusion; it is only a matter of when.

    Senior managers and auditors must arrive at a level of understanding of whether the employees are going to be advised of the system testing or not. If employees are aware of system testing, they will likely be on guard and on their best behavior. However, if the rules of engagement allow the auditors to fully explore and exploit if the system crashes due to an attack, the administrators can take appropriate action without panic. But, not advising employees has advantages, in that auditors will observe the true performance of how employees react to system attacks and how recovery efforts are brought to pass. Obviously, telling or not telling employees of the system assessment is a matter for careful consideration by senior managers with the matter fully documented in the rules of engagement. Safeguards are typically deployed in the event of electing not to notify employees to avoid having embarrassing calls made to law enforcement.

    The last area of preparation includes the area of permission. Appropriate levels of permission must be obtained before conducting this type of system vulnerability assessment. This is an area of good judgment. Auditors must do a thorough job, but they cannot damage any critical assets in any fashion including employee morale. On the other hand, the more realistic these tests are, the more useful will be their results. Use good judgment in crafting the rules of engagement and obtaining the appropriate levels of permission.
  • Tools (Network Vulnerability Assessments)

    This is a good place to discuss tools such as SamSpade, and the audit features they offer. Most of these tools offer similar features and prove to be invaluable during a vulnerability assessment. SamSpade provides a GUI (graphical user interface) that expedites its configuration. It runs on Windows 9X, ME, NT, and XP. As part of its functionality, it performs queries such as whois, ping, DNS Dig (Advanced DNS request and zone transfer), traceroute, finger, SMTP mail relay checking, and Web site crawling. Using SamSpade and similar tools are intuitive and self-explanatory so it would be a waste of time to fully describe their features and configuration. However, before using this tool, and others, auditors are cautioned to become familiar with their capabilities and risks. Additionally, all the tools listed below include very well written help files as part of their product (Exhibit 1).


    Exhibit 1: SamSpade

    Similar tools are easily found on the Internet, caution is urged in making certain with whom you are doing business, make certain the tools come from reputable vendors and locations. Examples of similar tools may be located at www.ipswitch.com (WS-Ping ProPack) and www.nwpsw.com (NetScan Tools).

    Attentive auditors review the domain registration and notice the technical contact is not located at the same address and telephone exchange as the target enterprise. Several conclusions may be drawn from this information.

    The Web host is a contractor or the company that has its hosting facilities located outside its headquarters.

    The response also gives some insight into the e-mail naming conventions for the target. This information could be useful if an attacker wanted to find e-mail addresses she could target.

    In discovering more of the audit target, the auditor will look to the Internet for more information. Using such resources as www.google.com or www.hotbot.com will locate information about the target, its employees, and publicly available information. Google may also be used to query newsgroups for postings made by employees using the organization's domain name. This technique can be useful if employees are posting information about their company's vulnerabilities while using the organization's e-mail system.

    Frequently, attackers publish the company's network vulnerabilities in newsgroups or chat rooms. Experienced auditors will query newsgroups and participate in chat rooms to determine if relevant system vulnerabilities are available.

    Auditors often search public information areas such as the Securities Exchange Commission database known as EDGAR (www.sec.gov) for information about the target's filings. Two of the most informative filings are the 10K and 10Q. The form 10Q provides visibility into the company's activities in the last quarter, while the 10K is an annual filing describing the company's previous year. Reviewing these documents can provide information about recent mergers and acquisitions. It is possible the entities recently blended to form today's organization may allow the auditor to discover already documented vulnerabilities and permit unauthorized entries.

    Additionally, SEC filings and posted annual company reports provide a wealth of information for the attacker. It is not unusual for attackers to collect personal information about owners and senior managers, including private e-mail addresses, residences, financial holdings, automobile ownership, marital status, social security numbers, credit histories, etc.

    In the case of smaller organizations, auditors may purchase subscriptions to services that provide detailed information about individuals on a query-fee basis. If the rules of engagement allow this type of review, the type of information available about the target's senior management is almost limitless. These agencies collect information from magazine subscriptions, real estate transactions, driver's permits, professional organizations, clubs, and innocuous areas such as dog and cat licensing. Companies using this type of information collection are legitimate and are easily locatable on the Internet. Not all companies use legal means of information collection; so be wary and deal only with reputable agencies.

    Auditors must be fully aware that collecting private information is sensitive, but if the auditor can find the information, so can those who intend harm. It should be within the rules of engagement to discover available information. Auditors must make appropriate recommendations as to the information disclosed by employees that could result in jeopardizing their safety. If a regulatory agency or law does not require disclosure of information, do not do it. Making it a matter of audit programs will ensure its compliance with policy and procedures.

    Auditors should carefully document their public information discoveries in a detailed schedule as part of their final report. Making a printout and including it as part of the work papers is an accepted practice. This information will become very useful as the vulnerability assessment continues.

    If the rules of engagement permit the auditor to travel where attackers venture, it would be wise to enter the world of chat. Downloading a shareware chat client from, www.mirc.com will provide the means to speak with others about their knowledge of the audit target's vulnerabilities. Using this vehicle requires a fair degree of skill and is not going to be valuable unless the auditor has used this communication medium previously. However in the hands of a skillful professional, chatters frequently know an organization's critical asset vulnerabilities and exploits.

    Experience Note At a credit card clearinghouse, an auditor discovered several chat rooms and Web pages providing free scripts targeting the clearinghouse's Web site as well as open chats about the audit target's credit card network vulnerabilities. These scripts were designed to verify credit card information using the clearinghouse's computing facilities. When the auditor queried the persons chatting and the persons supporting the Web pages, it was discovered they were located virtually everywhere: Brazil, Russia, Philippines, Malaysia, and the United States. Auditors should not underestimate the value of chat rooms in determining an organization's vulnerabilities.

    Rules of Engagement (Network Vulnerability Assessments)

    Rules of engagement govern the level and extent of vulnerability assessment efforts. Develop a written agreement between the audit manager and appropriate levels of senior management, as the vulnerability assessment process is extremely invasive. In this statement the questions of who, what, when, where, and how should be thoroughly, but briefly addressed. For example, the purpose of this vulnerability assessment will be to test the effectiveness of procedures ensuring that attackers cannot obtain unauthorized access to the organization's critical assets of human resources, data, and physical resources.

    Assessment procedures define the methods and means by which the various evaluation events will take place. These procedures can be expressed in the following areas:

  • Assessment standing. Determine and define when the assessment will begin, the scope of the assessment, and when the assessment will end.

  • Vantage point. What will be the vantage point of the assessment? Should the auditors consider themselves as outside the organization, or inside the organization? Obviously, the vantage point will affect the assessment objectives and the time involved. In the insider vantage point, the auditors are provided as much pertinent information as possible. For example, auditors will have the source code for CGI scripts, network topology and architecture, IP addresses, etc. With this degree of information, the auditors may test the system more thoroughly looking for subtle flaws that might otherwise escape notice. Besides, this approach saves time and resources.

    On the other hand, outsider testing provides little, if any, relevant system information to the auditors in the anticipation their stance is that of an outside attacker. This approach requires a great deal of time and effort to complete an accurate and meaningful assessment. Proponents of this type of assessment claim it provides a realistic approach to system evaluation in light of the fact outside attackers will not have insider information. The fact of the matter is with the large number of attacks attempting to gain access, or extinguish services, this approach requires a significant time investment, and it is likely that new vulnerabilities will be discovered before they can be tested against the system.

    There are two more vulnerability modes, passive and aggressive. Passive testing means the auditor can take only a distant view, essentially a "looking glass" approach. This is a safe way of testing, but it is not going to provide the type of detail that should be narrated in the "findings" section of an audit report. The auditor discovers a system's vulnerability and reports findings without further exploration and system exploitation. Aggressive testing takes the approach of exploiting all discovered vulnerabilities and exploring just how far the auditor can penetrate the system before coming to an end.

    How far should the auditor pursue an exploit? The answer should be explicitly detailed in the rules of engagement. However, it is recommended that the auditor pursue a vulnerability to the extent possible without doing damage to the system. Only in this fashion can the risk potential be measured and reported. It is further recommended that in a system vulnerability assessment, the procedure should be to locate a weakness, exploit it, and leverage that weakness to gain wider access to the target system
  • The Practical Examination of Your System (Network Vulnerability Assessments)

    Network vulnerability assessment is a hands-on approach in ascertaining your system's obvious vulnerabilities and their locations. There are many risks that are associated with these types of audits that go largely ignored by senior managers.

    Experience Note An auditor was examining the business' network software development process for compliance to the company's policy and procedures. She discovered the programmers and engineers were not observing any of the policy requirements and were basically approaching their development phases in a haphazard fashion. She detailed her findings in a preliminary report to senior managers who told her that they had evolved past the SDLC and other quality methods. Instead, they were writing their code, installing it, and using the network vulnerability assessment as a quality control to determine any weaknesses existing in their software. Her audit report findings were lengthy and specific.


    In conducting network and other types of practical vulnerability assessments, it is paramount that auditors adopt a holistic view of auditing. Auditing is the process by which prohibited, abusive, and irregular activities are found and reported. If a concerted auditing effort is adopted, the entire system consisting of the three pillars of human resources, data and physical facilities will be measured as part of risk management and operational efficiency.

    Vulnerability assessments only measure those vulnerabilities that are within the scope of the rules of engagement, the knowledge of the auditors, and those system vulnerabilities that are present at the time of the assessment. It should be made clear that network vulnerability assessments must be considered as part of the whole audit picture. They are not a substitute for poor systems design and management.

    Network vulnerability assessments are the part of the audit program whose purpose is the practical identification of system vulnerabilities. If vulnerabilities are found, and they will be found, they will be reported as findings, accompanied by recommendations in the audit report. It is a fair statement that you cannot repair system weaknesses, unless you locate them first. If during a comprehensive audit, senior managers fail to locate and repair system vulnerabilities, it is a safe bet that attackers inside and outside the organization will find and exploit them. The general goals and objectives of system vulnerability assessments are as follows:

  • Measure levels of system risks.

  • Ascertain practical compliance with organization's policies and procedures. (This usually involves a high-degree of employee and senior manager embarrassment.)

  • System vulnerability assessments comprise an important part of the comprehensive auditing effort and clearly demonstrate professional due diligence.

    Audit team members should be carefully selected for their experience, people skills, communications skills, good judgment, system knowledge, and knowledge of software and intrusion and attacker tactics. It is recommended they have a good knowledge of programming in languages such as C, C++, Java, and PERL. Programming skills and network knowledge enable auditors to review open source tools, fix or modify them, and write their own programs, if necessary. It is worth remembering that running automated tools without an understanding of the underlying protocols and issues is dangerous and generally will not provide sufficient insight when documenting findings in the audit report. Skills such as persuasive sales are a valuable commodity if the audit team is going to engage in social engineering. Often the question is asked if this is "white-hat," "black-hat," or "gray-hat" system attacking.

    Experience Note Personally, the author thinks the "hat" business is a bit of nonsense. Some organizations are caught up in the idea of hiring individuals of questionable character, but who have a great deal of skill. Many are convicted felons. Think of this example, "Would you hire a professional thief to make a security survey of your business?" Prudent business managers should engage professionals of known abilities with impeccable references, not soon-to-be indicted attackers.


    Questions arise whether organizations should outsource system vulnerability assessments or develop the skills internally. Correct answers are not easily decided as there are advantages and disadvantages to both sides. There is some degree of risk in outsourcing vulnerability assessments unless a significant amount of research is done.

    Experience Note There are many outside "system security consultants" that are reformed attackers. Some have even spent time in prison for their criminal behavior, while others have been defendants in lawsuits centered in their unlawful behavior.


    So before contracting outside vulnerability auditors, it is prudent to discuss their backgrounds, experience, bonding, the length of time they have been in business, and references. Demand they provide a long list of satisfied clients and a few that were not so satisfied. Contracts should be carefully crafted enumerating liabilities and responsibilities.

    It is strongly recommended that several lawyers, having experience with services of this nature, review the details of the contract before being finalized.

    It is the practice of most consultants to spend an inordinate amount of time keeping skills current to explore and exploit system weaknesses. For some, their skills' improvement and bragging rights are something that borders on obsession. On their own time, they explore system weaknesses to the exclusion of other pursuits. Many consultants can tell you about successfully gaining root access to systems that were considered impregnable by its owners. Regardless, if the decision is made to use contractors, your sensitive assets are subject to capture by the outsiders. You are giving them the key to the business' crown jewels.

    Experience Note It is quite likely that today's system audit consultant will not be employed by the firm for more than a short time. She knows your system's vulnerabilities when she decides to exploit them.


    If the organization decides to develop inside talents, there are many suitable training courses available that can provide the skills necessary to perform a respectable system vulnerability assessment. Training of this nature is valuable and can be used as part of an employee development program. It is important to note that systems auditing skills are a serious commitment in that they require constant upgrading and expansion as new technologies emerge and new weaknesses are announced.
  • Specialized Auditing Matters - UNIX Shadow Password File

    On a UNIX/Linux system without a shadow password file installed, user password information is stored in the /etc/passwd file. Although popular literature will state passwords are encrypted, technically they are actually encoded rather than encrypted. The algorithm used to encode the password is a one-way hash function, ensuring that the encoded password cannot be feasibly decoded. Essentially, this means the algorithm encodes the password in one direction, but makes it mathematically infeasible to reverse the process. When a UNIX user uses an authorized password, it is encoded in a randomly generated value sometimes referenced as the "salt."

    This means the password could be stored in 4096 different combinations. When a user logs into the system and provides a password, the salt is first retrieved from the encoded password. The salt value supplied password is encoded with the retrieved salt value, and then compared with the encoded password. If the two values match, the user is authenticated and permitted to access the system.

    Password cracking software programmers know all this and simply encrypt a dictionary of words using all possible 4096 salt values and compare them to the already encoded passwords. They will compare the encoded passwords in the /etc/passwd file with the cracker's database. Once they find a match, they have the password for the account. This is known as a dictionary attack.

    Think of it in terms of an eight-character password encoded to 4096 times 13 character strings. A dictionary of about 400,000 words, names, common passwords, and simple variations easily fit in a hard drive of 5GB. The program needs only to sort and check for matches.

    Along with passwords, the /etc/passwd file contains user IDs and group IDs that are used in the systems programs. In order for UNIX to function, the /etc/passwd file must be read by everyone. If you were to change the file so no one can read it, the first command of ls -l will display all the user and group IDs.

    Having a shadow password file solves the problem by relocating the passwords to another file, /etc/shadow, with access privileges set to root. By moving the passwords to the /etc/shadow file, administrators are effectively keeping attackers from having access to the encoded passwords with which to perform a dictionary attack.

    Format of the /etc/passwd File

    A nonshadowed /etc/passwd file has the following format:

    user name:passwd:UID:GID:full_name:directory:shell
    where

    user name = the user (login) name

    passwd = the encoded password

    UID = numerical user ID

    GID = numerical default group ID

    full_name = the user's full name is held here in this field that can also store information other than just the full name

    directory = user's home directory (full path name)

    shell = user's login shell (full path name)


    For example:

    user name: Tbge08pfz4wuk:503:100:Full Name:/home/user
    name:/bin/sh


    where Tb is the salt and ge08pfz4wuk is the encoded password. The encoded salt/password could just as easily have been kbeMVnZM0oL7I and the two are exactly the same password. As was stated earlier, there are 4096 possible encoding combinations for the same password.

    Once the shadow password file is installed, the /etc/passwd file would instead contain the entry:

    user name:x:503:100:Full Name:/home/user name: /bin/sh
    The x in the second field in this case is a place-holder. The format of the /etc/passwd file did not change. It no longer contains the encoded password. This means that any program that reads the /etc/passwd file does not actually need to verify passwords and it will operate correctly. The passwords are now relocated to the shadow file /etc/shadow.

    Format of the Shadow File
    The /etc/shadow file contains the following information:

    user name:passwd:last:may:must:warn:expire:disable:reserved

    where

    user name = the user name

    passwd = the encoded password

    last = days since Jan. 1, 1970 that password was last changed

    may = days before password may be changed

    must = days after which password must be changed

    warn = days before password is to expire that user is warned

    expire = days after password expires that account is disabled

    disable = days since Jan. 1, 1970 that account is disabled

    reserved = a reserved field

    Auditors must review the implementation of shadow password files in UNIX/Linux implementations. It is important to note that this UNIX audit guide is intended only to spur auditors to look at the potential areas that should be reviewed because there are many versions of UNIX as well as a great number of applications supported by it. Here are three specialized Web sites that may provide some guidance on auditing UNIX password files:

    www.ISACA.org

    www.sans.org

    www.auditnet.org

    Specialized Auditing Matters - Protecting against DNS Cache Corruption

    DNS servers can operate in one of two ways when responding to queries:

    1. Recursive queries are used when a client makes a request to a DNS server and the name server is expected to traverse the DNS hierarchy to locate the answer. At that time, the name server will make a nonrecursive query to locate the requested information.

    2. Nonrecursive queries are used when a name server asks another name server for information. The queried server will return an answer or make a referral to another name server or the name server will indicate an error that the queried name server has no information to fulfill the request. As a default configuration, most name servers allow recursive inquiries from any source. DNS servers that provide recursive resolution services to the Internet may be susceptible to cache corruption. Cache corruption happens when name server caches erroneous data for a domain name. This results in denial of service or man-in-the-middle attacks.


    By making a recursive query to a DNS server that provides recursion, an attacker can cause the name server to look up and cache information contained in zones under their control. In this fashion, the victim-name server is forced to query their malicious name servers resulting in the victim caching and retrieving bogus data. There are essentially four steps available to BIND and other types of DNS servers:

  • Disable recursion entirely

  • Restrict IP addresses that are allowed to make any type of queries

  • Restrict IP addresses that are allowed to make recursive queries

  • In BIND versions before version 9 disable fetching of glue records
  • Specialized Auditing Matters - Domain Servers

    Domain name servers (DNSs) literally translate names suitable for understanding by most people into network addresses. For example, www.myexample.com is sent to a DNS and translated to the numeric address of 192.165.23.22. Of course, the latter address is one that is routable and understood by computer networks. Essentially, DNS is a database of network addresses visited by network users. If the local DNS is not able to resolve the URL, Uniform Resource Locator, it will query the next highest domain server and eventually resolve the alphabetical URL to the familiar numeric network address before being routed.

    Because DNS servers are frequently exposed to open-ended networks, such as the Internet, they are subject to a wide variety of attacks. For example:

  • Attacks targeting the name server software allowing an intruder to compromise the server and take control of the DNS host

  • Denial-of-service attacks directed to a single DNS server affecting an entire network by preventing users from translating host names into IP addresses

  • Spoofing attacks trying to induce a DNS server to cache false resource records leading users to unintended sites

  • Information leakage from zone transfers exposing internal network information that could be used to plan and execute future attacks

  • A DNS server could be an unwitting participant in attacks on other sites


  • As any software application, DNS software evolves with each version release. Essentially, all older DNS versions have widely known vulnerabilities that attackers will exploit. In most cases, vulnerabilities that appear in one version are patched in subsequent releases. Running the latest version of DNS software does not guarantee security; however, it will minimize the likelihood of exploitation.

    Auditors should be mindful there are steps that can be taken to secure a DNS server that only as to deliver DNS to a single audience and it can be optimized for that particular function. It is useful to use separate DNS servers configured to play specific roles. It is a useful procedure to have different security policies applied to servers respective to their function. For example, having an external DNS server used only as an external name server is a sound business procedure. This DNS server should provide resolution for zones for which it has authoritative information. In other words, it provides DNS services for Internet or open-ended networks and your internal network's users.

    Exterior DNS servers should not contain any information about your internal network addressing or topology. It should be located in the Demilitarized Zone, DMZ, meaning it is behind a packet screen firewall facing the open-ended network and in front of the application firewall that protect the sensitive interior network. Architectures of this nature look like a sandwich with the DMZ located between the slices. DMZs are the areas where Web servers, outside e-mail services, and name servers reside.

    Having an internal DNS server is commonly used to provide name resolution services to internal network clients. This DNS server is configured to provide query answers from trusted internal hosts and not from the Internet. It is located behind the packet screen, the DMZ, the application firewall as a member of the internal network. Adopting these security procedures will result in the external DNS server configured to provide little resolution service other than answering queries for which it is authoritative. Internal DNS servers can be protected by restricting the server to respond only to known and trusted hosts. In this fashion, if the resolving server was compromised or its cache corrupted, the outside DNS server's authoritative zone information would not be affected, thereby limiting the potential for damage. In this same vein, if the internal DNS server were also configured to be authoritative for internal zones only, a compromise of the external DNS server would not affect the normal name service operation of the internal network.

    As a matter of network security and protection, organizations operate their DNS servers on dedicated hosts. Hosts that run the DNS services do not provide other services; consequently, there is no need for them to respond to non-DNS traffic. In such a dedicated DNS host configuration, it reduces the possibility of the DNS server being compromised by a weakness in any other piece of software located on the same host as the DNS. As a further sound security procedure, administrators disable or remove any unnecessary software or hardware features from the DNS host. The logic supporting this procedure is if unnecessary software and hardware are not present, attackers cannot exploit them.

    For DNS servers providing external name resolution, everything but traffic from the Internet to port 53 UDP and port 53 TCP on the DNS server can be safely filtered and denied entry. Similarly, internal network DNS servers can be filtered allowing only internal clients access to ports 53 UDP and TCP on the name server and allowing the internal DNS server to make outbound queries to other internal DNS servers.

    TCPdump is a network information capture program developed at Lawrence Berkeley National Laboratory. It is a UNIX-based program consisting of an executable with a network capture driver program. The purpose of this utility is the interception, capture, and display of information packets passing through the network. If TCPdump were installed on computer connected to the target network, it will capture all passing information packets. The Windows version of TCPdump is called Windump. [8]

    Attackers will typically attempt to exploit packet-screening flaws.

    Zone transfers are used to transfer DNS information from one DNS server to another. Restricting zone transfers is a significant step in security DNS services. Implementing restrictive zone transfers has the secondary benefit of preventing others from taxing your system's resources as it prevents intruders from gaining a list of the contents of DNS zones. Zone transfers are the delivery of the cached information held in the DNS service. Attackers obtaining zone transfers from your internal DNS server will allow them to see the IP addresses as well as the architecture of your internal network. Denying attackers this type of information raises your internal network's security. An attacker who is able to complete a zone transfer can use that information to identify new targets on your internal network such as routers, mail servers, other DNS servers, file servers, databases, and anything else in your DNS records.

    A common administrator mistake is to restrict zone transfers from the primary master DNS server only, while neglecting to restrict transfers from slave servers. Because it is possible to obtain a zone transfer from a slave server, it is important that auditors ensure that all authoritative DNS servers have restrictions placed on zone transfers.

    In BIND 8 or 9, use the allow-transfer substatement:

    options {
    allow-transfer {192.168.4.154;};
    };
    or specific to a zone:

    type master;
    zone "my example.com" {
    file "db.myexample.com";
    allow-transfer {192.168.4.154;};
    };

    Specialized Auditing Matters - Database Concurrency Controls in a Distributed Environment

    Databases stored at multiple sites are deemed to be in a distributed environment. In one configuration, a replicated database copy is stored at all sites, and in another configuration, pieces of a database can be stored in different partitions with each partition stored at one site. Data concurrency and deadlocking problems are usually addressed by a two-step process. First step, before a transaction can read data, it must establish a read-lock on the data item. In like fashion, before a transaction can write to a data item, it must establish a write-lock on the data item. Second step, different transactions are not allowed to establish conflicting locks simultaneously. Essentially, this two-step rule means that two transactions can own read-locks on the same data item, but a read-lock and a write-lock or two write-locks are not permitted at the same time. Until a transaction releases the lock, it cannot establish additional locks. Releasing a lock provides another transaction — the opportunity to obtain control over the data item. For this reason, a transaction must commit its database changes before releasing its locks to avoid inconsistent results.

    Database concurrency and deadlock problems can become serious threats to distributed database integrity unless the database management system has appropriate control levels. With replicated and distributed databases, the system must ensure that all accessible database versions are kept in a consistent state. There are some replicated database procedures that require that all data items are locked before update operations proceed. Auditors must determine the locking and updating protocols that ensure data integrity is established and maintained in a distributed environment. Further, it is important that auditors ascertain the procedures by which database administrators handle data error and conflict reports.

    Audit Trail Controls
    Audit trails or logs are electronic records reflecting the chronology of events occurring in the database or the database definition. Most systems require a complete set of events to be recorded such as, creation, deletions, modifications, and specific records accessed. If audit trails do not exist, it is be impossible to determine how the database arrived at its current state, who retrieved a record or who executed a specific transaction.

    There are several important characteristics of audit trails. All transactions must have a unique time stamp confirming that a transaction was directed to the database definition or the database itself. Time stamps identify the unique time that the transaction caused a series of events to take place so a documented history is created. It is important to note that audit trails must record not only the time and the transaction, but also the user account from which the transaction occurred. Auditors must be mindful of the length of time that audit trails must be retained. In many cases, laws and regulations applicable to the specific industry or type of data strictly mandate how long an audit trail will be retained.

    Object Reuse
    It is important for auditors to address issues concerning object reuse in the database management system and operating system. Operating systems are responsible for deallocating system resources, such as files used to store tables. In order to maintain confidentiality and integrity, data stored in these resources and objects must be zeroed or replaced with random information before being reassigned.

    Database Existence Controls
    Existence controls in the database subsystem must be able to restore the database in the event of loss or corruption. All backup procedures involving the maintenance of a previous version of the database and corresponding audit trails. Recovery procedures generally take two forms. The first is the current state of the database must be restored if the entire database or a portion of the database is lost or corrupted. This activity involves a "roll-forward operation" where a prior correct version of the database is restored along with the log of transactions or changes that have occurred to the database since its last backup copy was made.

    The "roll-back operation" is where the current invalid state and the updates are rolled back undoing the updates that caused the database to be corrupted. The log of database changes is used to restore the database to the prior valid state. Auditors must carefully examine the possibility of fraudulent behavior in rolling back database operations, making changes to the database; allowing the database to process the data, then rolling back the database to its prior state, without error report generation and audit trail recording.

    Specialized Auditing Matters - Access Controls

    Access controls in the database subsystem have the function of denying unauthorized access and data manipulation. In the case of discretionary access control, DAC, users can specify who can access data they own and what action they have with respect to that data. Conversely, mandatory access control, MAC, requires an administrator to assign security attributes, such as object classifications and employee clearances. These classifications are fixed and cannot be changed by database users.

    Discretionary Access Controls
    With discretionary access controls, a typical user may be authorized to perform the following functions within the database:

  • Create a schema.

  • Create, modify, or delete views associated with a schema.

  • Create, modify, or delete relations associated with the schema.

  • Create, modify, or delete tuples in relations associated with the database schema.

  • Retrieve data from tuples in relations associated with the schema.


  • These are privileges granted to users who are designated as the owners of a particular schema along with its related views. There is an important type of privilege, that of a user granting their privileges, or a portion of them, to another user. Privilege propagation is the case of a user granting privileges to another user, who in turn grants privileges to another user.

    In the propagation of privileges, it is important for an auditor to determine the allowable degree of privilege propagation. It is equally important for an auditor to examine the degree of privilege revocation. For example, if it is discovered a user has abused her privileges, what affirmative steps were taken to revoke her access privileges?

    Mandatory Access Controls
    In MAC, database user access to a resource is governed by a strict security policy. Database resources in the way of data-objects/attributes and record/relations are assigned classification levels. It is also a common practice to assign a classification level to each record/relation equal to the highest classification level assigned to a data/item/attribute in the record/relation. When differing levels of classification are present in the database, users are not allowed to view all the data present in the database. They may view only those items they care cleared to see.

    Managing access control rules are often done through the operating system and the database management system. For example, the operating system permits only authorized users to access the database subsystem, while the database management system restricts access and the degree of user data manipulation. Auditors must be aware this is somewhat of a redundant security procedure, but one that safeguards database contents.

    When a database is distributed, it is even more difficult to ensure that database access and integrity are maintained and that complete and consistent access rules are enforced throughout the enterprise. It does not matter if the database is replicated at multiple sites, or if a different database is distributed to different sites from a central location, auditors should collect evidence that multiple access control mechanisms are implemented and are universal in supporting replication.

    In any processing subsystem, the issue of data integrity is one of the primary audit concerns. In database management systems, the application software directly accesses and updates the database, however, the database management system depends on the application software to pass across the correct sequence of commands and update parameters taking appropriate actions when certain types of exceptions arise.

    Software Controls and Update Protocols
    Application software update protocols ensure that changes to the database reflect changes to entities and associations in data the database is supposed to reflect.

  • Ensure all records are processed correctly. If a master file is in sequential order, correct end of file protocols must be followed in an update program to make certain records are not lost from either a transaction or master file. Designing and implementing correct end of file protocols can be complex if multiple sequential transaction files and multiple sequential files are concurrently processed. Auditors should collect evidence that these protocols have been designed where they can detect, prevent, and correct end of file errors.

  • Sequence check transaction and master files. During batch update processes, the transaction file is often sorted prior to the update of the database master file or the database tables. There are times when the master file or tables, intended to be updated, might be sorted in a particular order. It may seem duplicitous for the update program to check the sequence of the transaction as it processes each record. Regardless, there are situations that occur resulting in records on the transaction or master file that are out of sequence.

  • Single-record multiple-transaction processing order. Database programs frequently receive multiple transactions targeting a single master record, also known as a tuple. The order in which transactions are processed against the master record is important. Different types of transactions must be given transaction codes resulting in them being sorted in correct order before being processed against the master record.

  • Suspense accounts. Suspense accounts are essentially a file for monetary transaction where a master record could not be located at the time the update was attempted. Monetary transactions, for which a master record cannot be located, must be charged to a suspense account. If they are lost because someone fails to correct their mismatch, someone may receive a product rebate payment to which they were not entitled. Auditors must be mindful that suspense accounts, relating to data mismatches, must exist and any suspense accounts with more than a zero balance show there are processing errors needing correction.
  • Specialized Auditing Matters - Auditing Databases

    Today's database subsystems are applications providing functions related to defining, creating, deleting, modifying, and reading data in an information system. By way of review, the principal components of a database subsystem are the database management system, DBMS, used to manage data; the application programs performing operations on the data, central processor in which operations are performed and the storage media maintaining copies of the database. The database subsystem is also called a knowledge base reflecting the power of the data maintained in the database.

    As in all auditing practices, the overarching controls design stem from CIA, confidentiality, integrity, and availability.

    Auditing database subsystems is an examination of the controls governing the database, beginning with policies and procedures where access to the database is controlled preventing unauthorized access. Auditors must examine the implementation of the various types of integrity controls. There are many good texts about database design and implementation. Before an auditor attempts to engage a review of database operations, it is strongly suggested she have sufficient training and experience. As in all audit practices, auditors should not audit areas where they do not possess expertise.

    Database Definitions
    Before the discussion travels too much farther, here are some definitions that may be needed by an auditor engaged in database subsystem examination:

    Accountability is achieved with two types of access restricting mechanisms, user identification and user authentication controls. Compliance with these controls is achieved through auditing. Major auditing concerns for databases are directed to information security events including logins, granting and revoking access privileges to relations, user activity logs, etc.

    Several years ago a government worker, having broad access to databases containing extremely sensitive information, decided to illicitly sell his knowledge and services. He was aware that his database activities were logged, but he was equally aware those logs were infrequently reviewed. The database was configured in such a fashion that anyone with access to the database was capable of viewing and copying information outside the their assigned duties. Over a period of years, he accessed information for which he did not have a need to know and sold it. The employee was discovered through exterior means and subsequently prosecuted for his criminal activities.


    These are a few definitions that should help the auditor in database assessments:

  • Aggregation: The result of combining distinct units of data when handling information. Aggregation of data at one level may result in the total amount of data being designated at a higher privilege level.

  • Data manipulation: Populate and modify the contents of a database by adding, modifying, deleting, and creating rows and columns.

  • Discretionary Access Control: DAC is a method by which access to objects is restricted to authorized users or groups of users. Access is discretionary in that access privileges may be passed to users either directly or indirectly by the object's owner.

  • Inference: Derivation of new information from known information. An inference problem refers to derived information that may be classified at a level for which the user does not have privileges and a need to know. The inference problem is that of users deducing unauthorized information from information they have legitimately acquired. The problem of database inference has significant consequences. For example, physicians specialize in the treatment of specific diseases. It is possible for healthcare provider staffs to infer a patient's ailment by identifying the attending doctor. This type of information could be easily gleaned by viewing the patient information accompanied by the doctor's name. Drugs are also generally associated with a particular disease consequently; it is possible for staff members to infer a patient's ailment by identifying prescriptions.

  • Mandatory Access Control: MAC is a procedure of established access controls relating to resources assigned a classification level and users are assigned clearance levels. For example, users are not allowed to read a resource classified at a certain level, unless their clearance level is equal or greater than the resource's classification.

  • Referential integrity: A database has referential integrity if all foreign keys reference existing primary keys.

  • Schema definition: Used to define the structure of the database, integrity constraints, and access privileges.

  • Schema manipulation: Modify the database structure, integrity constraints, and privileges associated with the tables and views within the database.

  • Transaction management: The ability to define and manage database transactions.
  • Vulnerability Self-Assessments

    Audits are generally very time consuming and require a great degree of planning and coordination before they can be successfully completed. Comprehensive audits consist of thorough review controls detailed in policies, procedures, standards, and vulnerability testing. These steps are expensive and for this reason audits are generally performed annually at best. Many organizations need to design more expedient methods by which they can assess their risks, enter the self-assessment. Self-assessments can be used as checklists helping senior managers address vulnerability elements during systems design phases and after the system goes into production, before they become findings in the next audit.

    In the perfect world, application vulnerability assessments actually begin in the planning stages of the Systems Development Life Cycle. When the system design phase begins, vulnerabilities should be identified and addressed before the system goes through the acquisition and implementation phases.

    Vulnerability Self-Assessment


    It is important in vulnerability self-assessments that all steps document policies and procedures addressing risk-elements. It is also important that if system vulnerabilities are identified during the course of the self-assessment, they should be made part of the company's risk management and audit processes.

    The following discussion is a checklist that can be used in system vulnerability self-assessment.

    Hardware
  • Describe the system infrastructure. Is there a diagram illustrating the topology? Is there an organizational chart reflecting job description and hardware responsibilities?

  • Document and describe the data outlets for servers, workstations, printers, modems, video cameras, CSU/DSU (network interface equipment), switches, hubs, load balancing, routers, firewalls, gateways, VPN appliances, etc.

  • Document and describe the cabling between the major hardware components.

  • Describe the location, organization, and person responsible for the relevant hardware documentation.

  • When was the date of the last hardware inventory? Was all hardware accountable? Were there any instances of unauthorized hardware installed?

  • Is all hardware authorized?

  • Is there a policy addressing official use of personal equipment?

  • Document and describe all pertinent hardware components that have software installed with default configurations. Why?

  • Document and describe access control lists, ACLs, for the firewall configurations including interior and exterior firewalls.

  • Document and describe perimeter router filtering policies, rules, and enforcement.

  • Document and describe the standard software installation policies and procedures for each hardware platform.

  • Document workstation access measures such as: BIOS passwords, Screensaver Passwords, Tokens, Biometrics, and Smart Card requirements.

    Physical Security
  • Document and describe the location of fire suppression equipment.

  • Document any and all equipment that is not physically secure. Why?

  • Describe server and workstation boot processes. Do these equipment configurations have floppy drives (A) disabled for booting processes?

  • Are there BIOS, Basic Input/Output Information System, passwords? Do workstations have screensaver passwords? Are hard drives of mobile computing devices encrypted? Does mobile equipment have antitheft devices?

  • Are hard drives and removable media, containing sensitive information, secured in approved receptacles during idle periods?

  • Describe safeguards protecting equipment/media from theft.

  • Describe the location and safeguards of all publicly accessible equipment, including mobile units, e.g., laptops, PDAs, cellular telephones, PBX (Telephone Branch Exchange) equipment.

    Emergency Power Management
  • Are there sufficient resources in the form of auxiliary power generators, uninterruptible power supplies, and electrical power conditioners for all user needs?

  • Is there individual hardware protection for power surges and voltage spikes?

    Environmental Conditions
  • Are specific environmental needs met for employees, data, and equipment?

  • Are heating, air conditioning, and ventilation equipment in conformity with building and safety codes?

  • Is the employee work environment safe?

    Configuration Management
  • Describe hardware and software configuration management. Who is responsible for configuration approval?

  • Are the protected interior systems connected to systems, through modems, terminal equipment, or PBX equipment having weak security procedures?

  • Are IP or IPX addresses accountable? When was the last inventory?

  • Are telephone numbers accountable? When was the last inventory?

  • Is information, within the organization, classified relative to its sensitivity?
  • Does information have an owner?

  • What is the means by which access is granted to information resources?

    Network Protocols
  • Have all nonessential network services been disabled or removed on all relevant equipment?

  • Can any system be accessed by telephone, and if so, why?

  • Can any system be accessed wirelessly, and if so, why?

  • What security precautions have been implemented in wireless environments? Is there adequate supporting documentation?

  • Are wireless security precautions adequate for the traffic?

  • Are cabling cabinets/closets secured? Who has access, and why?

  • Are rooms containing networking equipment secured with restricted access? Who has access, and why?

  • Document all network equipment with remote configuration. Why?

  • Is network equipment accessible from consoles other than those located immediately next to the equipment? Why?

  • Have Web services been placed in a DMZ?

  • Are interior networks protected by firewalls?

  • Are sensitive interior networks partitioned by firewalls?

  • In the case of sensitive information, what is the justification of having open-ended networks connected?

  • Has intrusion detection technology been installed at the network and host levels?

  • Is there a procedure to respond to IDS alarms?

    Disaster Recovery and Business Resumption
  • Have critical assets been identified and prioritized?

  • Has there been a risk management program implemented? Has this risk plan been thoroughly tested in the past 12 months?

  • Do employees know of shut-off procedures for water, electricity, and gas?

  • Is there a business resumption program? Has it been tested in the past 12 months?

  • Is there a critical incident management program?

  • Is there a Critical Incident Response Team?

  • Is there a business resumption plan? Has it been tested in the past 12 months?

  • Are there application and network transaction logs? With what frequency are they reviewed?

    Software

  • Is there a list of authorized software to be installed on systems? Document authorized software lists.

  • Is there a policy regarding employees authorized to install software?

  • When was the last software inventory? Did this inventory include version numbers?

  • Is there a policy that addresses personally owned software?

  • Is there a standard configuration procedure for all authorized software installations?

  • What are the procedures for remote access to network/applications/workstations?

  • Are nonessential ports and services disabled?

  • Has antivirus software been installed and updated? How often is it run?

  • Have all applications and operating systems been updated with appropriate security patches?

  • Are software licenses audited regularly? When?

  • Are applications/operating systems protected by access control procedures?

  • Who are the employees having access to data? Why?

  • Who are the employees having access to production systems? Why?

  • Who is capable of accessing production code/applications/operating systems?

  • Do engineers/programmers/help desk employees have access to data? Why?

  • Are there system maintenance accounts? Who has access?

  • What justification is needed for user accounts?

  • Are departing employees' accounts audited before exiting? Are former employees' accounts disabled appropriately?

    Media
  • Are media containing sensitive information appropriately secured during use and in idle periods?

  • Is there a policy regarding the use of personally owned media?

  • Is there a policy regarding scanning all media antivirus software?

  • Are media regularly backed up with copies secured offsite?

  • Is there a test of the integrity of backed-up media?

  • Is backed-up media tested for systems recovery? How long do recovery steps take?

  • Is printer output protected?

  • Is media, containing sensitive information, appropriately labeled?

  • Is there a procedure for media destruction and disposal?

  • Are there efforts requiring passwords to be changed regularly, minimum length, and containing special characters and capital letters? Are passwords required for application and operating system access? Are biometrics used to grant system access? Are Tokens/Smart Cards required for system access?

  • Are there documents showing that user authentication mechanisms are installed to limit system, building, and workspace access?

  • Are procedures requiring employee background investigations in place? Have the professional and personal references of all employees been verified? Have the professional qualifications of all employees been verified?

  • Is there appropriate separation of duties and least privilege?

    Employee Security Awareness Training
  • Have employees been trained relative to risks and their management?

  • Is security awareness training mandatory for all employees? Are there documented attendance records?
  • Audit Conferences: More (but Important) Meetings You Need to Attend

    Opening Conferences
    Opening conferences occur at the initiation of the audit and should communicate the scope of the audit, the audit's objectives, introduce the audit staff, agendas, schedules, and relevant handouts. In part it is an opportunity to explain in professional terms the purpose and expected results of the audit to the employees who are going to be going to be participating in the audit. The entrance conference should be conducted with the following in attendance: Directors, or department heads responsible for the area being audited, managers and their subordinates who work in the specific audit target and any appropriate senior employees.

    A typical entrance conference will have an agenda similar to the following:

    Welcome

    Introduce auditors and related audit participants

    Review audit objectives

    Review audit steps

    Review time schedule

    Identify relevant points of contact for each step

    Describe the audit process from the auditor's and target's perspective

    Set up first contact appointments

    Conclusion

    Other Conferences
    During the course of the audit, there will likely be reasons for other conferences. For example, if an auditor finds there is something of a fraudulent nature, this should be brought to the attention of senior managers immediately. This meeting will take place behind closed doors. It is recommended that conferences between the entrance and exit conference take place away from the eyes of employees. If held before employees' view, they tend to foster unwarranted speculation, and damaging rumors can be fomented. Conferences of this type should be scheduled away from the work area being audited. In the case of reporting potential criminal activities, it is strongly recommended that the persons participating in this conference communicate through out-of-band means. Cellular telephones and communications methods, not using the organization's communication networks, are the best out-of-band communications. Involve the appropriate levels of staff including senior managers, legal unit, security unit, and risk managers in all conferences.

    One point of professional due diligence is the discussion of the audit findings somewhere toward the end of the audit with the senior managers of the unit being audited. This gives them a chance to see any "hot grounders" headed their way. Responding to the auditor's findings is an effective way of determining if the auditors "hit their marks" with their work. Most senior managers realize their strengths and weaknesses before the audit takes place. Often the audit results merely provide them with the motivation to take corrective action.

    An end of audit conference provides a formal means for a meeting of the minds and makes a matter of record of the audit's performance in the eyes of the responding managers. If there are serious differences between the auditor's findings and the manager's responses, it may be the auditors did not have a sufficient grasp of their material or they were not diligent in their efforts. In a worst-case scenario, it could mean the senior managers were out of touch with their business processes. In the former case, it is the responsibility of the audit managers to see that audit team members receive training to bring their skills up to par or find ways to motivate them to diligently perform their tasks.

    Meetings whose purpose it is to preliminarily discuss their findings, allow senior managers an informal opportunity to discuss the audit findings and recommendations. This is a useful technique in addressing significant findings and permits the meeting's participants to determine if a follow-up audit is going to be needed.

    Usually, follow-up audits are very narrow in their scope focusing entirely on those significant findings of the previous audit. Follow-up audits are much abbreviated, do not have opening or closing conferences and are staffed only with enough auditors to review the findings for compliance.

    Exit Conferences

    The auditors have completed their work, the report is done, and it is time to bring the audit to a close. Often, auditors deliver a performance survey to the managers of the target business unit. Such surveys have the purpose of collecting information about the performance of the auditors and the audit in general. Audit managers commonly use these surveys in completing the auditors' performance appraisals.

    The agenda below is typical of a closing conference:

    Welcome

    Review audit objectives

    Review audit steps

    Briefly review controls adequacy

    Briefly review controls recommendations

    Present draft report

    Field any questions from the attendees

    Conclusion


    Summary of Audit Steps
    By way of summary, here are some steps to successfully completing audits:

    Preparation

    Predication for audit, routinely scheduled or based on an allegation

    Form audit team from qualified employees

    Prepare audit management plan

    Prepare and deliver preliminary questionnaires

    Prepare audit program

    Prepare audit budget

    Field work

    Entrance conference

    Audit field work

    Audit status conference

    Prepare draft of report including senior management responses

    Exit conference

    Conclusion

    Prepare final audit report

    Complete audit performance survey

    Schedule follow-up audit, if necessary

    Auditing Common Systems Vulnerabilities

    Buffer Overflows
    During 1996, a series of articles about buffer overflows and the havoc they can create was published, changing application security forever. One such article authored by Aleph One, "Smashing the Stack for Fun and Profit," detailed the profound effects of buffer overflows on poor programming practices.

    In essence, buffer overflows occur when an attacker or other malicious user stuffs more data into a buffer than is allocated. For the technically inclined, this type of overflow input is generally associated with C programming language functions similar to strcpy (), strcat (), and sprintf (). These are merely examples as there are many other types of exploitable functions. Buffer overflows cause a segmentation violation to occur. This type of input can be exploited to gain access to the target system. Buffer overflows are not limited to remote attacks, they can also occur from within the local network.

    In this example, the UNIX-based application, Sendmail, will be used. Suppose there is a fixed-length buffer of 255 bytes. This buffer defines the amount of data that can be stored as input to the VRFY command. In this example, the Sendmail application will be running at Root. What is the result if an attacker connects to the Sendmail application and sends a block of data consisting of 10,000 "V" s to the VRFY command rather than the expected user name? The system will crash, essentially causing a denial-of-service attack, as the VRFY buffer is overrun because it is only designed to expect an input of not more than 255 bytes of user input. If the attacker inputs a specific code that overflows the buffer and executes the command /bin/sh, the attacker could reach root access.

    When the attack is executed by the system, a special assembly code known as egg is sent to the VRFY command as part of the string used to overflow the buffer. On being overrun, the attacker can set the return address of the offending function allowing the alteration of the program flow. Instead of the function returning to its proper memory location, the attacker executes the code that was sent included as part of the buffer overflow data that will run with root privileges.

    It is important to note that buffer overflow codes are specific to systems' architecture and operating systems. For example, a buffer overflow targeting a BSD UNIX, based on an Intel processor will not be effective on a Solaris operating system running on a SPARC processor. From this brief explanation, auditors can see that buffer overflows are extremely dangerous and are the bane of most system administrators. For the most part, attackers must be fairly talented to create a workable egg; however, most system-dependent eggs have been discovered and programmed, and are available from attacker Web sites on the Internet.

    Many common system vulnerability lists have a description of the exploit, the systems on which it is effective, and the CVE (Common Vulnerability and Exposure) number.

    In the Domain Name Server, DNS, known as BIND, Berkley Internet Domain, there are security vulnerabilities in older versions prior to 8.2.2 with patch 5. Good reason for auditors to look at the application update and change policy of the organization, right? Older and unpatched BIND versions can be corrupted by attackers that allow them to redirect Internet traffic to sites not of the owner's choosing. Poorly configured BIND can allow attackers to download all the names, operating systems, and IP addresses of the organization's internal network. With this knowledge, attackers can search for specific tools targeting machines in your network to gain unauthorized access to your systems.

    CGI Scripting
    Common Gateway Interface (CGI) is the means by which Web page developers collect and display your input to a Web-based form. CGI scripts are frequently written in PERL (Practical Extraction and Report Language) and uploaded to the CGI-BIN directory located on the Web server. In some cases, developers and vendors have distributed these scripts with vulnerabilities already in them.

    CGI scripts can be written in almost any standard input programming language, but PERL is the most common. It is important to note that for each executed CGI script there is a new process started that will be terminated when the CGI has finished. Usually data is sent to the server to be executed or manipulated, and is returned to the user in the form of HTML or images.

    By way of review, CGI processing generally follows this way: The user accesses a Web page that requests user-input. After making the input, the user clicks the Send button and sends the data to the Web server for processing. The server forwards the data to the CGI application, sometimes called the CGI script, as these are small programs, where the user-input is processed. After processing the data, it is returned to the server and the server returns the data to the user. It can be seen the potential for vulnerabilities exist with the user-input data. CGI is used to perform functions that normal Web pages cannot. For example, CGIs manage databases of user accounts, calculations, form-input data processing, etc. There are easily available CGI scripts available as part of Web servers, downloaded from CGI Web sites, or developers may write their own.

    Before placing a Web server into a production environment, developers should make certain the CGI code has been thoroughly reviewed by quality control managers and auditors for programming errors. It is imperative that CGI scripts are tested thoroughly and retested before being allowed into a production environment. It is equally important that CGI scripts have delimited input in that only expected input and input length are permitted, denying all other types of input.

    Attackers have discovered they can corrupt these scripts and cause them to do things they were not intended to do. For example, it is possible for attackers to access collected credit card numbers by corrupting the CGI scripts. It is also possible for attackers to gain root access to the Web server and deface your E-commerce site. If you do not have any production need for CGI scripts, remove them from your system.

    In keeping with policy and procedures, auditors should note that all unnecessary services should be disabled or removed thereby reducing the number of vulnerabilities. Also, ensure the Web server software is updated and documented regularly. This will go a long way to minimizing unauthorized intrusions.

    Remote Procedure Calls

    RPC allows a computer to launch and run a program on another computer. Many client-server architectures depend on this functionality. Those systems that are most frequently affected by RPC vulnerabilities are those based on the UNIX platform, such as Linux, Solaris, AIX, HP-UX, and IRIX. It is important to remember from an auditing perspective that RPC vulnerabilities can be exploited by buffer overflows resulting in the attacker being granted root privileges. The best means to deal with RPC vulnerabilities is to update the operating system's security patches. And, if RPC functionality is not necessary for system functionality, disable or remove it.

    Default installations of operating systems and applications frequently use installation scripts to facilitate the installation of the software. In many cases, most of the program's functions are enabled with the least amount of interaction from the installer. Installation scripts usually install more features than the majority of users need. Although this installation action is convenient for users, it deposits potentially dangerous vulnerabilities. They become more serious, as administrators and managers do not actively update software components. For example, it is common for some operating systems and applications to install default passwords for many of their features. If these features or default passwords are not disabled or removed, they provide an easily accessible entry-point for the attacker. In addition, many users do not realize the default features that have been installed. Left unattended, these services provide ready access to attackers both inside and outside the organization. Likewise, it is important that all software is updated on a regular basis, allowing for patches and newer versions to address current vulnerabilities. Change control, management, and documentation is not just a drill. It is a matter of system survivability.

    Software installers must have standard installation procedures mandating the removal or disabling of unnecessary features and updating software. It is important these installation procedures are written and disseminated to all employees authorized to install software and hardware. Auditors must review the software installation process, making certain all unnecessary features, passwords, and services are removed or disabled, and that all software is regularly updated and those updates are appropriately documented.

    Weak, default, or missing passwords is another common systems failing. Most of today's systems are configured to use passwords as the first, and many times, the only line of access restriction. User identification is relatively easy to acquire, and regrettably many business have unauthorized dial-up access that bypass firewall protections.

    A more glaring problem is the account that does not have any password protection. As a matter of business sense, all weak passwords, accounts without passwords, and default passwords must be removed from the system or disabled. System attackers usually look for applications and accounts with easy password access. They have downloaded utilities that attack password accounts and are successful more often than not when poor password policies and procedures exist. Auditors should carefully review the company's password and software installation policies and procedures. Testing passwords is easily accomplished by using commercial software solutions available from vendors such as www.accessdata.com.

    It is not a matter of if a critical incident will happen; it is only a matter of when. Count on it, it will happen, and it will happen at the worst possible moment. It is Murphy's Law! Recovery from critical incidents requires accurate, reliable, easily accessible backups and tested methods of restoring data. It is a common mistake for organizations to make frequent backups of their data, but never take the time to verify that the backed-up data is viable or that their recovery and business restoration procedures will actually work under the worst possible conditions.

    One of the secondary faults of backed-up data is that of physical security and accessibility. More than one security administrator has lost sleep after discovering an attacker has entered the company's system and destroyed sensitive information. Because the backed-up data was stored on a server within the system, the attacker destroyed those files also.

    Popular Posts