Monday, December 1, 2014

EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 1 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC, the leader in Medical, Compliance and DOD Auditing Solutions.

One of our clients recently had a discussion with our auditing team and brought up a good point. John asked us specifically: what are the 10 most common items missed during an audit, or that IT personnel or security personnel fail to catch when preparing for or being audited by our firm? I stood there for a minute just digesting the question that had just been posed and actually listed what I thought, from my perspective, the top 10 items would be. Then I started thinking some more about how I could actually make something useful out of the question and present it to customers and others who could benefit from it.

Once I returned to the office I decided that I would take a look at the last year's failed items and try to generate a top 10 list from the data that we had from our customers. After all, I wouldn't be releasing which items were failures at each customer, and all of the items in the failure block have already been corrected or accepted as a risk item, so little to no harm could be done by compiling stats and expounding on this question a bit.

This is the first of 10 articles that we will be writing on this topic over the next few weeks. The goal is to get this series completed by the 1st of the year.

The Number One Issue - Failure to Document
Every single audit this past year has had this issue. There was at least one system connected to the network that was not documented. In order to ensure that systems are patched and secured and that accounts no longer in use are removed, you have to know that a system exists. And worse yet, you have to know what operating system is installed on that system so you can map out what vulnerabilities may be present. A good example of this is a particularly large client. Because we are under NDA we won't name them, but just know they are one of the largest companies in Internet communications. An audit was conducted and as part of the audit we identified nearly 1400 devices on the LAN (Local Area Network) for this company. Honestly this number is small, but we were only dealing with a regional office, so this was our number. The company could account for nearly all of the devices except 64 of them. We received valid responses to probes in our scanning software and we knew that the systems were running Linux, but we could not locate them anywhere. We checked everything from the security cameras to the VOIP phones and were having a hard time locating them, to the point where we were about to give up.

I was walking from the third floor heading to the parking lot when I swiped my card to exit the building and just froze. My teammate looked at me because he could sense the rubber burning in my head, and I said to him "that's it". He said "What's it?". I said right there... He looked at me confused; I said it's the door access readers that are running Linux. We went back to the third floor and asked who maintains the door access system, and the security manager said that's managed by corporate. After a quick 10 minute phone call we had located all of the devices, accounted for them and were able to document the finding. Guess what?! Four of these devices had been compromised and were being used as a jump point into the internal network of this "company". We were able to get on the same VLAN as the devices and we determined that each and every one of them was vulnerable to the bash bug, as the readers were running Busybox. The vendor had even notified the IT department, but that information never got back to the security department. This is why having a third set of eyes is important. For months information was being stolen from the company without anybody even being aware of it. Luckily it was only the reader data, which included the card number and the employee's name and email address, but it was still a significant finding. Upon additional research we noted that this information was being used in phishing attacks against individuals within the company, and two staff members' computers were compromised using data that was obtained through the card readers.

Since the company did not document these devices, our counts were off during the audit, and we were certainly not going to leave the company until we knew what these devices were and could ensure that they were secured. This audit was a preliminary audit that ended up getting us a major support contract with the company, because the security staff realized that we would ensure that each and every connected device was accounted for and documented properly. This contract was just signed on the 22nd of November and we look forward to auditing many other locations in the upcoming year.

Make sure you are documenting every device. When a vulnerability comes along, if you don't know which devices are running which operating system, it is nearly impossible to ensure that your networks and connected devices are secured.

If you can't document your findings or your devices correctly, make sure you hire a company that can. The sad part of this story is that this company had passed 2 previous audits in the preceding 6 months and swore they were compliant. Luckily the network in which these readers were placed was a separate VLAN, but there were problems with shared space, as these devices were directly addressable from the Internet, as were the controllers that connected the office back to corporate to obtain the list of authorized personnel for each location. These were the vulnerable systems and what caused us to fail the organization. The good news is that the issue uncovered was not reportable, so the company maintained their reputation, but that is not always the case. As part of our audits we report any findings if we can confirm that information has been leaked to unauthorized third parties, and we follow the reporting recommendations of CMS, HIPAA, ITSG, STIG, etc.
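The check the story above turns on, as an added Python example (not the author's or the firm's own tooling): reconcile a scanner's list of responding hosts against the asset inventory to surface devices nobody documented, inventory entries that no longer answer, and inventory OS records that disagree with the scanner's fingerprint, then map an OS family to every responding device so a new advisory for that family can be tied to concrete systems. The inventory records, scan results and addresses are constructed sample data.

```python
"""Reconcile a network scan against an asset inventory to find undocumented devices."""

# Constructed sample inventory (hypothetical hosts, not from any real client).
INVENTORY = [
    {"ip": "10.20.1.10", "name": "fileserver01", "os": "Windows Server 2012", "owner": "IT"},
    {"ip": "10.20.1.11", "name": "printer-3f", "os": "Embedded", "owner": "Facilities"},
    {"ip": "10.20.1.12", "name": "voip-gw", "os": "Linux", "owner": "Telecom"},
    {"ip": "10.20.1.13", "name": "kiosk-lobby", "os": "Windows 7", "owner": "Facilities"},
    {"ip": "10.20.1.99", "name": "old-test-box", "os": "Linux", "owner": "IT"},
]

# Constructed scan output: one record per host that answered, with the scanner's OS guess.
SCAN = [
    {"ip": "10.20.1.10", "os_guess": "Windows"},
    {"ip": "10.20.1.11", "os_guess": "Embedded"},
    {"ip": "10.20.1.12", "os_guess": "Linux"},
    {"ip": "10.20.1.13", "os_guess": "Linux"},   # inventory says Windows 7: someone reimaged it?
    {"ip": "10.20.1.50", "os_guess": "Linux"},   # answers probes, no inventory record
    {"ip": "10.20.1.51", "os_guess": "Linux"},   # answers probes, no inventory record
]


def reconcile(inventory, scan):
    """Compare the two views and return the three lists an auditor has to chase down."""
    known = {rec["ip"]: rec for rec in inventory}
    seen = {rec["ip"]: rec for rec in scan}
    # Responding hosts with no inventory record: the door readers of the story.
    undocumented = [seen[ip] for ip in sorted(seen) if ip not in known]
    # Inventory entries that did not answer: decommissioned, powered off, or stale records.
    unseen = [known[ip] for ip in sorted(known) if ip not in seen]
    # Inventory OS that does not match the fingerprint: the patch plan is built on wrong data.
    mismatched = [
        (known[ip]["name"], known[ip]["os"], seen[ip]["os_guess"])
        for ip in sorted(known)
        if ip in seen and not known[ip]["os"].lower().startswith(seen[ip]["os_guess"].lower())
    ]
    return {"undocumented": undocumented, "unseen": unseen, "os_mismatch": mismatched}


def exposure_by_os(inventory, scan, os_family):
    """Every responding host that fingerprints as os_family, documented or not, so an
    advisory for that family (e.g. a Linux shell bug) maps to a concrete list of devices."""
    known = {rec["ip"]: rec for rec in inventory}
    hits = []
    for rec in scan:
        if rec["os_guess"].lower() == os_family.lower():
            hits.append((rec["ip"], known.get(rec["ip"], {}).get("name", "<undocumented>")))
    return hits
```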

Here are the other 9 items missed on most audits. These items will be followed up on in later articles with specific and detailed examples and information.

Ask yourselves today: do you know where every single connected or mobile device that is attached to your network is? Have you secured all guest networks, access networks and VLANs? Have you patched all security systems, telephone systems, copier machines, faxes, computers, servers, routers, switches, etc.? If we audited your organization today, do you know what versions of software are running on every device? Are you current with all third party vendor patches?

The answer obviously is no. No organization can ever document every single device, patch level, operating system, etc. The goal of the audit is to do just that: provide the documentation that turns a 3 month audit into a 2 week audit. If you can answer the auditor's questions the first time you may pass, but don't you want to pass with flying colors? Don't you want real peace of mind? Remember, Target passed their audits too, but that's because the audits were only for a specific system and not for how the systems interacted. It doesn't matter if a system is patched to the latest version if your guest network has vulnerabilities that can allow MITM or malware to infect those systems. Just because you passed that audit doesn't mean you have passed an SLC Security Services LLC audit. If we don't find it, your audit is free!

The Rest of the List... (Future Articles)

2. Failure to remove old accounts or to have a system in place to deactivate unused accounts.

3. Incorrect workstation settings not in line with your business need. Insecure servers and workstations.

4. Reliance on anti-virus and malware protection that is inadequate.

5. No signal and propagation protection with regard to wireless, paging, cellular and other wireless technologies.

6. Inadequate email protection.

7. No ability to audit email, files leaving the enterprise, or the removal of proprietary information via electronic systems.

8. Social networking succeeded at the organization, leading to a compromised system.

9. Inadequate security of network path and access control systems.

10. Attacks on the disaster recovery plan, where data was stolen in transit from a third party or a third party provider to our clients.

We hope you have enjoyed this initial article. We will cover the other nine topics in future posts. We hope you have all had a great holiday, and now we are all back to the grind. Have a great week and remember to keep things secured!
