
Auditing Security Measures Preventing Automated Attacks

Root Tools to Gain Access

Attackers are those who are attempting to gain unauthorized access to your business and personal systems. It should not surprise anyone that attackers do not need programming skills or a profound knowledge of communications systems in order to gain "root" or "administrative" access to a system or application.

Tools of the attacker's trade, inside or outside your organization, include programs that will give them what they want: administrator or root access to the target. Attackers currently have the ability to launch automated tools that scan ports looking for sockets.


Experience Note

Sockets are programs listening at Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports, waiting to accept incoming traffic.

The act of gaining administrator or root access is commonly called "rooting" or "busting root" on a system. Attackers use tools that scan networks and even standalone machines for exploitable applications and other vulnerabilities. Once a system is successfully compromised, virtually any type of malicious code can be installed. Sensitive data, including proprietary information, may be captured and stolen, Web pages can be vandalized, or services may be installed allowing attackers to launch denial-of-service (DoS) attacks targeting other systems. When the information packets are traced, they lead back to your compromised system.


Experience Note

Many legal experts do not understand that the return address on information packets, the Internet Protocol (IP) source address, does not necessarily reflect the packet's true origin.

Computer networks that have been compromised by attackers often have the logged evidence of the attackers' origins erased, making the determination of who and where the attacker is virtually impossible. Often lawyers and law enforcement officers ask for the IP address of someone sending an obscene e-mail, only to find that the IP address is incorrect and not traceable.

Who Uses Attacking Tools?

Automated network and vulnerability scanning tools may be used for legitimate auditing reasons as well as illegitimate purposes. This is not the case with attacker root tools. In the Internet community, attackers having little if any true technical skill and even less regard for the resources of others are known as "script kiddies."

Usually, script kiddies have little, if any, idea how or why an exploit works; nevertheless, they are successful because they have the leisure time and resources to scan thousands of systems without any consideration of the damage they cause or the resources they waste. Script kiddies locate root tools and other vulnerability tools on the Internet, download, install, configure, click, and attack.

A few years ago, attackers needed a port scanning tool, similar to Nmap, to explore and map large ranges of networks. Once done, the attacker would then review the data her tool had collected. She looked for specific open ports, vulnerable versions of operating systems, or exploitable services. From this, she would construct a list of potential targets. After deciding the easiest way to gain entry, the attacker would enter the system, install malicious code on the compromised systems, erase the log files that documented her activities, and repeat the process on the compromised systems to launch attacks on other systems to disguise her identity.

With the arrival of automated root tools, an attacker no longer needs to manually scan systems for open ports or operating system information; the technical knowledge required earlier is no longer needed. Attackers using automated root tools merely point them at a range of IP addresses and launch the tool. Every network device within the specified address range is tested for potential vulnerabilities. The root tool organizes all collected data and launches attacks against exploitable machines. If the attack succeeds, the root tool deletes log entries in an attempt to remove traces of its intrusive activities.

The ramifications of this type of point-and-click attacking are frightening for system professionals and users. Today, a relative novice can attack literally hundreds of systems in a matter of a few hours. If only one in two hundred machines is vulnerable, the attacker can have visibility into dozens of vulnerable machines by one night's work. Entire networks may be caught if they are not properly updated with the latest security patches or if they have been improperly configured. Root tools can be configured to attack the systems surrounding the target. As an example, if a packet screen is improperly configured, a compromised interior network server can be used by the attacker to attack machines on the interior network.

What is the defense against automated attacker tools? It boils down to protection based on system best practices:

  • Workstations and servers must run updated antivirus software, because root tools may spread via e-mail and Web scripts. Today's antivirus software will detect and stop root tools.

  • Disabling services. Removing or disabling unnecessary services on all system devices is an important step in defending against root tools. Many root tools spread through compromised services, so this step goes a long way toward thwarting their effects.

  • Firewalls. Packet screens filtering ingress and egress traffic will be effective. Partition sensitive interior systems using firewalls. This measure can be used to prevent and contain the proliferation of root tools.

  • Intrusion detection systems can act like alarms by alerting employees of malicious activities.

  • Update your systems. Successful root tools depend on the frequency of security holes in a system or its connected systems. Systems must be updated with the latest patches to thwart these automated tools.
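The scanning pattern described above (one source probing many ports on one host, or one port across a range of addresses) is exactly what an intrusion detection alarm should raise on. The following Python is an added example, not code from the original post: it runs over a constructed packet-screen deny log and flags both patterns; the log format, the regular expression and the thresholds are assumptions, not any vendor's defaults.

```python
"""Flag automated port and address sweeps in packet-screen deny logs.
Added example, not from the original post; the log format below is
constructed and the thresholds are assumptions, not vendor defaults."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: denied inbound connection attempts.
SAMPLE_LOG = """\
2003-04-12 02:14:05 DENY TCP 203.0.113.7:41234 -> 192.0.2.10:21
2003-04-12 02:14:05 DENY TCP 203.0.113.7:41235 -> 192.0.2.10:22
2003-04-12 02:14:06 DENY TCP 203.0.113.7:41236 -> 192.0.2.10:23
2003-04-12 02:14:06 DENY TCP 203.0.113.7:41237 -> 192.0.2.10:80
2003-04-12 02:14:07 DENY TCP 203.0.113.7:41238 -> 192.0.2.10:111
2003-04-12 02:14:07 DENY TCP 203.0.113.7:41239 -> 192.0.2.10:139
2003-04-12 02:14:08 DENY TCP 203.0.113.7:41240 -> 192.0.2.10:443
2003-04-12 02:20:31 DENY TCP 198.51.100.9:5555 -> 192.0.2.11:22
2003-04-12 02:20:31 DENY TCP 198.51.100.9:5555 -> 192.0.2.12:22
2003-04-12 02:20:32 DENY TCP 198.51.100.9:5555 -> 192.0.2.13:22
2003-04-12 02:20:32 DENY TCP 198.51.100.9:5555 -> 192.0.2.14:22
2003-04-12 03:01:00 DENY TCP 192.0.2.200:50000 -> 192.0.2.10:80
2003-04-12 03:45:00 DENY TCP 192.0.2.200:50001 -> 192.0.2.10:443
"""

# Assumed log layout; adapt to the packet screen actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(lines):
    """Yield (timestamp, src, dst, dport) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["dport"]))

def detect_sweeps(lines, window=timedelta(seconds=60),
                  port_threshold=6, host_threshold=4):
    """Return {src: kind}. A source is flagged when, within one sliding
    window, its denied attempts touch many distinct ports on one host
    (vertical scan) or one port on many hosts (horizontal sweep)."""
    by_src = defaultdict(list)
    for rec in parse(lines):
        by_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()            # chronological; tuples sort on timestamp first
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1     # slide the window forward
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, _, dst, dport in recs[start:end + 1]:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                alerts[src] = "vertical port scan"
                break
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                alerts[src] = "horizontal address sweep"
                break
    return alerts

if __name__ == "__main__":
    for src, kind in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {kind}")
```

Two isolated denials from 192.0.2.200, 44 minutes apart, never fill a window and so produce no alert, which is the behaviour you want from a threshold alarm rather than a per-packet one.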


Experience Note

Do not allow secure systems to be connected to a system having lower levels of security than your own. If you do, they will be used as launching pads against your system.

Due Diligence

If one of your systems becomes compromised, follow your policies and procedures in taking it offline. If you allow it to remain active, the root tool is going to spread to other systems.

Following good system policies and procedures can thwart automated root tools. It is imperative that these steps receive the attention of auditors and of self-assessment, so that systems can function correctly. It is not magic, just good business procedure.

Tools | Auditing

This is a good place to discuss tools such as SamSpade and the audit features they offer. Most of these tools offer similar features and prove to be invaluable during a vulnerability assessment. SamSpade provides a GUI (graphical user interface) that expedites its configuration. It runs on Windows 9X, ME, NT, and XP. As part of its functionality, it performs queries such as whois, ping, DNS Dig (advanced DNS request and zone transfer), traceroute, finger, SMTP mail relay checking, and Web site crawling. Using SamSpade and similar tools is intuitive and self-explanatory, so it would be a waste of time to fully describe their features and configuration. However, before using this tool and others, auditors are cautioned to become familiar with their capabilities and risks. Additionally, all the tools listed below include very well written help files as part of their product.


SamSpade

Similar tools are easily found on the Internet, but caution is urged: make certain with whom you are doing business, and make certain the tools come from reputable vendors and locations. Examples of similar tools may be located at www.ipswitch.com (WS-Ping ProPack) and www.nwpsw.com (NetScan Tools).

Attentive auditors review the domain registration and notice when the technical contact is not located at the same address and telephone exchange as the target enterprise. Several conclusions may be drawn from this information.

Either the Web host is a contractor, or the company has its hosting facilities located outside its headquarters.

The response also gives some insight into the e-mail naming conventions for the target. This information could be useful if an attacker wanted to find e-mail addresses she could target.

In discovering more of the audit target, the auditor will look to the Internet for more information. Using such resources as www.google.com or www.hotbot.com will locate information about the target, its employees, and publicly available information. Google may also be used to query newsgroups for postings made by employees using the organization's domain name. This technique can be useful if employees are posting information about their company's vulnerabilities while using the organization's e-mail system.

Frequently, attackers publish the company's network vulnerabilities in newsgroups or chat rooms. Experienced auditors will query newsgroups and participate in chat rooms to determine if relevant system vulnerabilities are available.

Auditors often search public information areas such as the Securities and Exchange Commission database known as EDGAR (www.sec.gov) for information about the target's filings. Two of the most informative filings are the 10-K and 10-Q. The Form 10-Q provides visibility into the company's activities in the last quarter, while the Form 10-K is an annual filing describing the company's previous year. Reviewing these documents can provide information about recent mergers and acquisitions. It is possible that the entities recently blended to form today's organization may allow the auditor to discover already documented vulnerabilities that permit unauthorized entries.

Additionally, SEC filings and posted annual company reports provide a wealth of information for the attacker. It is not unusual for attackers to collect personal information about owners and senior managers, including private e-mail addresses, residences, financial holdings, automobile ownership, marital status, social security numbers, credit histories, etc.

In the case of smaller organizations, auditors may purchase subscriptions to services that provide detailed information about individuals on a query-fee basis. If the rules of engagement allow this type of review, the type of information available about the target's senior management is almost limitless. These agencies collect information from magazine subscriptions, real estate transactions, driver's permits, professional organizations, clubs, and innocuous areas such as dog and cat licensing. Companies using this type of information collection are legitimate and are easily locatable on the Internet. Not all companies use legal means of information collection; so be wary and deal only with reputable agencies.

Auditors must be fully aware that collecting private information is sensitive, but if the auditor can find the information, so can those who intend harm. It should be within the rules of engagement to discover available information. Auditors must make appropriate recommendations as to the information disclosed by employees that could result in jeopardizing their safety. If a regulatory agency or law does not require disclosure of information, do not do it. Making it a matter of audit programs will ensure its compliance with policy and procedures.

Auditors should carefully document their public information discoveries in a detailed schedule as part of their final report. Making a printout and including it as part of the work papers is an accepted practice. This information will become very useful as the vulnerability assessment continues.

If the rules of engagement permit the auditor to travel where attackers venture, it would be wise to enter the world of chat. Downloading a shareware chat client from www.mirc.com will provide the means to speak with others about their knowledge of the audit target's vulnerabilities. Using this vehicle requires a fair degree of skill and is not going to be valuable unless the auditor has used this communication medium previously. However, in the hands of a skillful professional, it is productive: chatters frequently know an organization's critical asset vulnerabilities and exploits.

Experience Note

At a credit card clearinghouse, an auditor discovered several chat rooms and Web pages providing free scripts targeting the clearinghouse's Web site, as well as open chats about the audit target's credit card network vulnerabilities. These scripts were designed to verify credit card information using the clearinghouse's computing facilities. When the auditor queried the persons chatting and the persons supporting the Web pages, it was discovered they were located virtually everywhere: Brazil, Russia, the Philippines, Malaysia, and the United States. Auditors should not underestimate the value of chat rooms in determining an organization's vulnerabilities.

Audit Risk (Incident Management)

Auditors must make judgments on the acceptable levels of audit risk. It is important to remember that the levels of risk will vary across the different segments of the audit, as there are systems that are more susceptible to errors, ineffectiveness, inefficiencies, and fraud.

As an example of the different types of risk associated with different audit segments, systems that handle cash are very susceptible to theft, whereas data processing systems are usually susceptible to inefficient resource allocation. In planning to manage audits, the most difficult judgment is the level of acceptable risk relevant to each audit segment. It is for this reason that auditors should be knowledgeable and experienced persons. Auditors must understand the control environment and the associated risks by examining the management and application controls already in place. For example, when auditors review system development activities, they are seeking to understand the controls that are associated with these tasks.

They attempt to understand the business processes, including components such as human expertise, information technology, communications, management controls and application controls so they can assess related vulnerabilities and attendant risks. By understanding processes, components, behavior, and intended results, auditors can provide appropriate safeguard recommendations, if any apply.

Planning the Audit

In order to conduct an audit properly, a comprehensive audit management plan must be crafted.

The audit management plan should be action oriented, by listing the primary objectives to be performed. It should be tailored to the specific targeted business unit or division.

In drafting the audit management plan, a thorough review must be made of the organization's policies, with particular attention paid to risk management activities.

In the crafting, development, and implementation of policies, procedures, and standards, the organization is providing a process governing the activities of its employees consistent with the organization's goals and objectives. In many cases there are laws, regulations, and requirements affecting how the organization must conduct all or part of its business processes. Risk management is an integral part of the policy and procedure implementation. Auditing is basically an impartial review and investigation into the application of the organization's policies, procedures, and standards.

In crafting the audit management plan, the organization's strategic plan and objectives should be reviewed. This is essentially the basic guiding documentation for the organization. Depending on the business units being audited, their applicable policies, procedures, and standards should be carefully reviewed. Job descriptions, organizational charts, lines of reporting, lines of authority, and chains of command should be made part of the information cache used to form the basis of the audit management plan.

In some business environments, audit management planning requires the auditors to conduct a preliminary survey through questionnaires to establish the appropriate scope addressing relevant business risks, develop the audit management plan, and direct auditor activities within the audit program. Often senior audit managers prepare questionnaires, also known as interrogatories, and send them to appropriate senior managers of the audit target. When completed, these questionnaires will provide the auditors with comprehensive visibility into the processes of the business unit.

These questionnaires may help auditors identify critical areas on which they need to focus their attention rather than taking a scattered, "shotgun" approach. As part of this preliminary questionnaire survey, auditors should review systems and processes to identify key controls already in place.

General questions that should be asked in preparing audit management plan questionnaires include, but are not limited to:

What are the critical issues regarding this business unit's operation?

What are the critical assets of this business unit?

What are the critical management functions?

What are the critical applications?

Does this business unit process sensitive data?

What are the risks to the business unit?

What substantive steps have been taken to address these risks?

What processes are least tested in the business unit's daily operations? For example, if the business unit suffers from frequent power outages and uses emergency power sources, including uninterruptible power supplies and emergency generators, to restore operations, then power recovery requirements are likely to be well formulated and tested. However, a complete disaster recovery plan may not be tested and, in fact, may not exist at all. The audit management plan should be the governing document for getting the "biggest bang for the buck."

Another valuable source in the development of an audit management plan is the review of previously performed audit reports. Many times these documents will identify potential weaknesses that should have been corrected or addressed earlier. The audit management plan is merely that, an activity plan. It should address those areas to be evaluated, and not too much more. Audit programs are different from audit plans in that they are comprehensive documents delving into the audit's "nuts and bolts."

Exhibit 1 is a brief example of an audit management plan.

====================================================================

Exhibit 1. Audit Management Plan

Audit Step

Planning
1. Discuss nature and scope of audit with key senior personnel
2. Discuss audit requirements with senior managers
3. Assemble required audit staff and build team
4. Draft comprehensive audit program
5. Draft initial budget

Reporting
1. Hold opening meeting with appropriate personnel at initiation of audit
2. Use standard audit report format, including compilation of audit findings and recommendations
3. Hold closing meeting with key managers to review draft of final audit report
4. Identify key senior managers in the event of reporting irregularities before audit conclusion

Preliminary Audit Steps
1. Identify key employee contacts for audit
2. Obtain appropriate organization and business unit documentation, including:
   A. Strategic business plans
   B. Relevant policies, procedures, and standards for firewall administration unit
   C. Relevant documentation to gain an understanding of the operations of the firewall administration unit

Audit Procedures
1. Understand unit's business practices and compare with organization's policies, practices, and standards
2. Understand and document business process flows
3. Interview pertinent employees in firewall administration unit to gain an understanding of their functions, risks, and other relevant issues

Testing
1. Testing will be performed to increase auditor's understanding of the firewall administration unit's function and activities
2. Testing will increase the auditor's understanding of managerial and application controls
3. Auditor will test if relevant controls are operating correctly and consistently
4. Auditor will test metrics to manage firewall administration
5. Auditor will test the correct design, development, and implementation of firewall administration

====================================================================

The Auditors Are Coming. The Auditors Are Coming.

Audit policies and procedures are needed to ensure that employees are meeting management objectives, legal and regulatory requirements, and addressing risks. Auditing is covered in the next post, so it is only going to be lightly addressed here. Management audits assure that resources are being properly utilized and monitored:

- Develop and implement policies addressing human resources management, data, and facilities.

- Ensure that projects are completed on schedule and within budget.

- Ensure that projects have been completed utilizing quality models such as the SDLC.

- Develop and maintain business priorities and long-term strategies.

- Assure that controls are in place for risk detection, prevention, and correction.


Systems Development and Programming Policies

These audits are more technical than management audits and require more knowledge and detail. Frequently, organizations do not have policies governing operations, so employees are left to their own devices, making decisions they are not qualified to make. Systems development involves activities ranging from purchasing commercial off-the-shelf software systems, to developing in-house systems, to purchasing turnkey systems. All systems development must be considered in the light of confidentiality, integrity, and availability.

Organizations must have written policies and auditing programs for:

- Systems design and development through quality models

- Systems selection and procurement criteria

- Systems application development

- Program testing

- Systems implementation

- Systems monitoring

- Systems disposal

- Systems change controls

- Systems documentation

- Systems quality assurance


Data Controls

Data control policies have the objectives of addressing confidentiality, integrity, and availability of data. These features are audited in the following areas:

- Input controls to any operation must be addressed by policies and procedures. Because input varies considerably, so will policies.

- Output controls address electronic and printed media.

- Database management controls must be established by policies, with compliance assured by audit activities.

- Database information backup and storage policies.


Disaster Recovery and Business Continuity

Disaster recovery audit policies also address business continuity. Audit policies must require that auditors obtain evidence that these are in place and combined with regular unannounced testing. Audits of this nature address the existence of the following policies:

- Establishment of a Risk Management team

- Critical asset identification and prioritization

- Threat/impact analysis

- Existence of critical asset safeguards

- Disaster recovery plan

- Establishment of Disaster Recovery team

- Designated employees to address public and press inquiries

- Business continuity plan

- Plan testing


Workstation Audit Policies

These audits address the use of workstations and all company-owned equipment and facilities, including:

- Access restrictions to workstations

- Inventory of software and hardware reconciled with licensing and purchase documents

- Evidence of policy and individual compliance for the procurement and installation of software and hardware

- Evidence of individual compliance with policy regarding official use

- Evidence of individual compliance with policy regarding network and workstation security

- Policy and individual compliance with regular data backup

- Evidence of policy and individual compliance with workstation housekeeping
