How systems evolved · The Threat Scene · Policy > Procedure > Audit
This chapter includes:
· How systems evolved
· The Threat Scene
· Policy > Procedure > Audit
The Evolution and future of audit
We have moved from mainframe interfaces and systems to microcomputers, then to network systems and now with virtualized enclaves, we are coming full circle. Throughout this, auditors have had to describe feeds to and from the audited application by other applications including the methods of data transfer, security, changes of key data occurring and reflected in other systems.
To do this, it remains (as it has been) necessary to understand those controls which are in place to ensure interfaces are providing valid and accurate data between applications and to people (editing, independent checks of record counts, record format verification etc).
In the last 50 years of systems audit (and especially the last 20, with the birth of the Internet and the exponential uptake of network systems) information technology has moved into the mainstream and out from the ivory tower of the 70’s and 80’s MIS function. It has permeated all of our lives in unforeseen ways.
IT audit has to continue to evolve in response to the ever increasing needs for assurance of information security, both in existing conventional information systems and in up-and-coming Internet-enabled services. The increasing trend for financial systems to be connected online has resulted in vast increases in electronic transfers between and among government, commerce and individuals. Even defense and intelligence agencies have come to rely on commercially accessible information technology processes and systems.
SCADA systems, essential utilities and telecommunications now rely heavily on information technology for the management of their everyday operations, with greater volumes of sensitive economic and commercial information being exchanged electronically over potentially insecure channels all the time. The massive increase in complexity and interconnectivity, coupled with simple point and click attack tools (such as Metasploit), has appreciably amplified the necessity to ensure the privacy, security, and availability of information systems.
Terminology used in this Book
Ambiguities are reduced if uniform meanings are adopted for the various terms used in reviews. Here are some definitions that should be used to help eliminate confusion.
Analyze. To break into significant component parts to determine the nature of something.
Check. A tick-mark placed after an item, after the item has been verified.
Confirm. To obtain proof that something is true or accurate, usually by written inquiry from a source other than the client.
Evaluate. To look at or into closely and carefully for the purpose of arriving at accurate, proper, and appropriate opinions.
Inspect. To examine physically, without complete verification.
Investigate. To ascertain facts about suspected or alleged conditions.
Review. To study critically.
Scan. To look over rapidly for the purpose of testing general conformity to pattern, noting apparent irregularities, unusual items, or other circumstances appearing to require further study.
Substantiate. To prove conclusively.
Test. To examine representative items or samples for the purpose of arriving at a conclusion regarding the group from which the sample is selected.
Verify. To prove accuracy.
The term audit is too general to use in referring to a work step.
Primary Objective of Auditing
Audit is about managing risk. The function of the auditor is to be the eyes and ears of management, acting as a means for management to measure and report on risk. The follow-on benefit is that this also decreases risk through a level of increased awareness.
The primary objective of an auditor is to measure and report on risk.
An audit is the means by which management can find the answers to the difficult questions concerning the organization. It allows them to appreciate the means and processes that are implemented to achieve the organizational missions and objectives.
Measurement leads to reports of risks and allows management to act.
One of the greatest side benefits of an audit is an enhanced awareness of the issues facing the organisation. To understand risk, we will look first at those threats that may impact us.
The Threat Scene
There are two fundamental threat vectors: Internal and External. Each of these categories has a number of sub-categories and rationales.
Internal Threats may be divided into:
· Intentional
· Accidental
External threats may be classified as those that either:
· Intend loss,
· Intend harm, or are
· Accidental
A threat is any circumstance or event with the potential to cause harm to an organization through the disclosure, modification or destruction of information, or by the denial of critical services. Threats may be either non-malicious (like those caused by human error, hardware/software failures, or natural disaster) or malicious (ranging from protest actions to irrational acts). Typical threats include:
· Availability Issues - Systems and Hardware Failure - Failure of hardware and software, whether due to design flaws or faults, often results in a denial of service condition and/or security vulnerabilities or compromises through the malfunction of a system component. This group includes
o Environmental Hazards such as damage from fire, flood, dust, static electricity, or electrical storms;
o Hardware and Equipment Failure - mechanical or electrical failure of the computer, its storage capacity, or its communications devices
o Software Errors - programming bugs to simple typing errors
o Accidents, Errors, and Omissions
o Intentional Acts - fraud, theft, sabotage, and misuse of information by competitors and employees
· Confidentiality Issues - Illegitimate Viewing of Information – The viewing of confidential information by unauthorized parties may occur. Some examples are: electronic mail sent to the wrong recipient, printer redirections, incorrectly configured access control lists, badly defined group memberships etc.
· Perception Issues - Misrepresentation - Attempts to masquerade as a legitimate user to steal services or information, or to initiate transactions that result in financial loss or embarrassment to the organization.
· Integrity Issues - Unauthorized deletion or modification of information - Intentional damage to information assets that result in the loss of integrity of the assets.
A threat does not always result in actual harm. A risk is a threat that takes advantage of a vulnerability in a system security control. The system must be visible to the attacker. Visibility is a measure both of the attractiveness of a system to malicious intruders and of the amount of information available about that system.
Some organizations are more visible than others, and the level of visibility may change regularly or due to extraordinary events. The Australian Stock Exchange is much more visible than the Migratory Bird Management Office, and the Australian Tax Office is particularly visible as Oct 31st nears. Exxon became much more visible after the Valdez disaster, while MFS became much less visible after being acquired by Worldcom.
Many Internet-based threats are opportunistic in nature. An organization’s level of visibility directly drives the probability that a malicious party will attempt to cause harm by realizing a threat by exploiting a vulnerability.
The following definitions will be used as the basis of the definitions associated with network and host based attacks used throughout the book.
Any systems compromise is a Critical attack.
Critical events include:
· A system compromise is any attack that has gained unauthorized access (including altering of files on the respective system).
· Bypassing a firewall filter or other security controls (including VLANs) when this is not permitted.
· Any DoS (including DDoS) attack that significantly impairs performance.
· Virus infections or Trojans that are not stopped and infect systems.
A high risk is a threat or attack with the potential to affect or compromise a system. These are appropriate or targeted attacks.
High level risks are those that concern relevant attacks against relevant systems and security controls. These are issues that need to be addressed as soon as possible to stop them becoming a critical issue.
Any high level attack has the potential to become a critical event on a system if left unattended.
These include skilled scans or attacks with the potential to affect the system if security controls (including patching) were not in place. These are targeted but filtered attacks.
A medium level attack is defined as one that is targeted towards the systems in place but is not likely to succeed due to other factors that are in place. An example of this would be an attack against a patched web server. The attack may be listed as high if the system was unpatched, but is now unlikely to cause any noticeable effect.
A low level attack is an attack with little or no likelihood of compromising a system. These are often general probes and tools often run by unsophisticated attackers.
An example of a low level attack would be an attacker running an IIS targeted attack tool against an Apache web server on Linux. An attack directed towards a Microsoft web server running IIS is not likely to cause any noticeable issues on a Linux based system with Apache. There are exceptions to this; for example, if that version of Apache was configured with FrontPage extensions, then this attack (if against IIS FrontPage extensions) could be relevant and may thus be classified as either High or Medium.
Suspicious Activity covers all traffic and system behavior that is not explainable or does not conform to any reasonable expectation of an attack and is not capable of causing damage to the system.
The following events are modifiers and may affect the level of an attack as reported.
If a high volume of a particular attack occurs, the severity level may be increased. An example of this is:
In the examples above, the volume affects the level assigned to the attack as a large number of packets consumes bandwidth and may affect performance. In the Web example, a large volume of attacks from a single source may signify a new or unpatched vulnerability that the attacker is trying to exploit and thus needs to be investigated.
“ICMP Source Quench” is generally considered a Suspicious packet and not an attack. If these packets have been forged or it is suspected that a “trusted” host has been compromised to send these, the attack may be rated as either Low or even Medium.
An example of this would be if “ICMP redirect host” packets were being received from the ISP upstream router.
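The level definitions and the volume modifier above can be written down as a rule of thumb. This is an added example, not code from the book; the event fields, the volume threshold and the choice of Medium for a DoS or virus that was stopped by existing controls are assumptions made here.

```python
from dataclasses import dataclass, field

# Levels in ascending order of severity (Suspicious sits below Low).
LEVELS = ["Suspicious", "Low", "Medium", "High", "Critical"]
VOLUME_THRESHOLD = 1000   # assumed: this many events from one source raises the level

@dataclass
class Event:
    kind: str                          # compromise, control_bypass, dos, malware,
                                       # exploit, probe, icmp_source_quench
    target_platform: str = ""          # e.g. "IIS" or "Apache"
    target_features: set = field(default_factory=set)   # e.g. {"FrontPage"}
    exploit_targets: set = field(default_factory=set)   # platforms/add-ons the tool attacks
    patched: bool = True               # is the relevant patch applied on the target?
    significant_impact: bool = False   # DoS impaired performance / malware infected hosts
    source_forged: bool = False        # ICMP Source Quench from a forged address
    trusted_host_suspected: bool = False  # ... or from a possibly compromised trusted host
    count: int = 1                     # volume of this attack seen from one source

def raise_level(level: str) -> str:
    """Move one step up the scale; Critical stays Critical."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]

def base_level(e: Event) -> str:
    # Critical: any compromise, bypass of a control, effective DoS or infection.
    if e.kind in ("compromise", "control_bypass"):
        return "Critical"
    if e.kind in ("dos", "malware"):
        # Assumption: a DoS or virus stopped by existing controls is targeted but ineffective.
        return "Critical" if e.significant_impact else "Medium"
    if e.kind == "exploit":
        # Relevant if the tool attacks the target's platform or one of its add-ons
        # (an IIS FrontPage tool against Apache with FrontPage extensions is relevant).
        relevant = bool(e.exploit_targets & ({e.target_platform} | e.target_features))
        if not relevant:
            return "Low"             # e.g. an IIS attack tool run against Apache on Linux
        return "High" if not e.patched else "Medium"
    if e.kind == "icmp_source_quench":
        if e.trusted_host_suspected:
            return "Medium"
        return "Low" if e.source_forged else "Suspicious"
    if e.kind == "probe":
        return "Low"                 # general probes by unsophisticated attackers
    return "Suspicious"              # traffic not matching any known pattern

def classify(e: Event) -> str:
    level = base_level(e)
    # Volume modifier: many packets from one source consume bandwidth on their own,
    # or may signal an unpatched vulnerability the attacker is working on.
    if e.count >= VOLUME_THRESHOLD:
        level = raise_level(level)
    return level
```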
The following table is a guide for determining levels of risk associated with an attack.
Using these definitions we can start to formulate a rule of thumb for risk and threat levels even before we start to analyze the risk being faced in detail.
CIA | Type of threat | Description
Confidentiality | Interceptions | Unauthorized access to information, which may or may not result in the illicit use of data.
Integrity | Modification | Tampering with information: changing software or hardware controls; changing data.
Integrity | Fabrication | Fraud and counterfeiting: modification in a way to benefit the intruder; modification to cause problems for the organization. It may involve the addition of data or objects to the computing system, such as transactions or additional files on a database.
Availability | Interruptions | A delay or disruption of normal operations.
It is important to note that there are individuals and groups who will attack organizations for many reasons. In today’s society it is just not rational to believe that your organization is safe because it has a modest public profile. Both large and small organizations are targeted for a variety of reasons. Some examples are listed below;
· In the 90’s, Mitsubishi was a target of activists for using rainforest timber in some of their vehicles,
· Care International has been targeted by groups who believe that they are spying for the US,
· The Red Cross has been targeted by fundamentalists
· Many US organizations have been targeted (for example by Chinese hacking groups) as a protest against the US government.
It is important to know that just because your organization is not well known does not mean it is not a target.
Hacktivists, or hacker activists seek to advance their political views through attacks on information infrastructure. These groups are similar to the activist groups of the Sixties, but focus on using electronic means. Some examples include;
· Protestors who attacked financial web sites during the G8 summit;
· Attacks against the web sites and infrastructure of logging companies by pro-green groups.
Some of the common methods used by these groups include;
· Holding virtual sit-ins,
· Visiting a site en masse in order to shut it down (a Denial of Service),
· Email bombing inboxes,
· The formation of a virtual blockade, or
· The defacement of public web pages to post messages of political protest
Terrorism also is no longer confined to the physical world. Cyber attacks against critical infrastructure are becoming more and more prevalent. Many terrorist organizations have set up schools dedicated to the training of cyber terrorists. The goals of these groups range from causing economic instability to the large scale loss of human life.
Some examples for this type of attack include;
· Attacks against signaling systems designed to cause instability in transit systems
· Attacks against a sewage plant resulting in the release of raw sewage into lakes.
Attackers are not just politically motivated. Crime has moved into the electronic arena as well. Many traditional crimes map well into the electronic environment. Crimes such as:
· Theft
· Fraud and Misrepresentation
· Stalking (cyber-stalking)
· Trespass
map directly to the virtual environment. The clients of many banks have been affected by fraud (such as false emails asking for account information). It is important to know that many crimes are easier to accomplish online and that they are often more difficult to prove and prosecute when done in this manner.
Insider based attacks are those that are derived from persons or organizations who have access to your organization. This group includes employees, contractors and even partner organizations. This is the most difficult threat to defend against, as an insider has knowledge of systems and procedures within the organization as well as usually having a high degree of access to systems. The best defenses are derived from a combination of well-developed policies, processes and controls combined with monitoring and audit.
Insider based attacks are potentially the most devastating.
Intentional Attacks include attacks completed by disgruntled employees. This may be a physical attack (such as unplugging hosts) or one of many other types (such as purposely infecting systems with a virus).
Unintentional Attacks such as accidentally spilled coffee on a system occur on a regular basis. Setting policy to avoid having drinks or food in the computer room is one method of mitigating this risk.
Attackers have a wide variety of reasons to attempt to break into systems. Some of these have been listed above, but the full list is too long to include. Reasons range from attacking systems because they can, to monetary gain and ego gratification. Even those with no intentionally malicious reasons are still attacks. These still result in the loss of system resources and damage, no matter how good natured the attacker.
Any attack will have a number of stages, and it is important that an administrator both knows and understands these stages in order to be able to:
1. mitigate attacks before they cause damage,
2. log an evidence trail for possible prosecution use
3. defend against possible attacks against the organization.
It should be possible to stop all attacks from unskilled attackers and to make it infeasible for skilled attackers to spend time on your systems. An understanding of how an attacker thinks is essential to this process.
Initially a skilled attacker will look for information about your organization. This often differs from the process used by unskilled attackers (such as “script kiddies”) who will scan blocks of addresses for a particular vulnerability that they have a tool for (e.g. scanning blocks of IP addresses for a particular IIS web attack). It is extremely rare for this type of attacker to have access to tools prior to a vendor releasing a patch, and as such they are generally mitigated using a good patch regime.
Unobtrusive Public Research
Skilled attackers and others with some cause will research an organization to attack it. Before any attack starts it is generally easy to gain a large amount of information about a site. Some of the methods used are;
1) Checking whois information about a site. Whois information can provide names and phone numbers (both technical and management), domain names and IP addressing, and sometimes ISP information as well,
2) Searches of NNTP (Newsgroups) may turn up technical information (such as systems used and possible problems),
3) Web based search engines may provide a wealth of information from the organisation itself or from other sources (such as newspaper articles and references from vendors),
4) Web based search engines may also be used to search for mis-configured systems and network devices which run web servers for management purposes. A commonly missed example is a search for printer management pages (many HP, Fujitsu etc printers support telnet, which allows access inside a network, and allow the password to be set using a web page on the printer). It is a common error to miss this type of vulnerability as it is often not widely known.
5) Checking version information on public services. Opening a web page or SMTP mail session in a telnet client will often give the version on the server (unless the administrator has obscured it).
From the above example we have found that the system has a Checkpoint Firewall-1 server with the host name of “firewall-ns”. It may be also noted that the firewall is configured to allow HTTP 1.1 requests only.
6) DNS searches using nslookup and dig. These tools can be used to find the IP addressing of an organisation, its public servers and sometimes even version information.
7) Requesting non-existent pages will often return error pages that give system information. For this reason it is recommended that error pages be customised.
There are numerous other sources of information that an attacker would search. For this reason “Security through Obscurity” is not a defense. No organization is obscure.
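Items 5) and 7) above are things a defender can check on their own services. The following is an added example, not from the book: it parses a captured HTTP response and an SMTP greeting banner and reports what version information they give away. The sample responses and banners are constructed for illustration; the header list and the version-string pattern are assumptions.

```python
import re
from typing import Dict, List, Tuple

# "Name/1.2.3" or "Name 1.2.3": the shape of a product version string.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*[/ ]\d+(?:\.\d+)+")
# Response headers that commonly name the platform or its version.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

def parse_http_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit_http_response(raw: str) -> List[str]:
    status_line, headers, body = parse_http_response(raw)
    findings = []
    for h in LEAKY_HEADERS:
        if h not in headers:
            continue
        if VERSION_RE.search(headers[h]):
            findings.append(f"header {h} discloses a version: {headers[h]}")
        elif h != "server":
            findings.append(f"header {h} discloses the platform: {headers[h]}")
    # Default 4xx/5xx pages end with a server signature such as
    # "<address>Apache/2.4.41 (Ubuntu) Server at host Port 80</address>".
    status_code = status_line.split()[1]
    if status_code[0] in "45" and ("<address>" in body.lower() or VERSION_RE.search(body)):
        findings.append("default error page carries a server signature")
    return findings

def audit_smtp_banner(banner: str) -> List[str]:
    """The 220 greeting is what a telnet session to port 25 shows first."""
    findings = []
    if not banner.startswith("220 "):
        findings.append("unexpected SMTP greeting")
    m = VERSION_RE.search(banner)
    if m:
        findings.append(f"SMTP banner discloses a version: {m.group(0)}")
    return findings

# Constructed sample responses: a leaky default error page and a hardened one.
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1><hr>"
    "<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>"
    "</body></html>"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Page not found</h1></body></html>"
)
# Constructed SMTP greetings: one naming the MTA and version, one that does not.
LEAKY_SMTP = "220 mail.example.com ESMTP Sendmail 8.14.4/8.14.4; Tue, 1 Jan 2013 10:00:00 +1000"
HARDENED_SMTP = "220 mail.example.com ESMTP ready"
```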
Social Engineering
Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with insiders. Attackers use this approach to attempt to gain confidential information, such as organizational charts, phone numbers, operational procedures, or passwords in order to evaluate the organization's vulnerability to social engineering attacks.
Social engineering can be defined also as "misrepresentation of oneself in a verbal manner to another person in order to obtain knowledge that is otherwise unattainable."
Scanning
Once an organization has been researched and all possible information gathered (through research and social engineering) the attacker may scan the systems and addresses collected for more information (if a vulnerability was not already discovered – i.e. using version information etc).
There are generally two possible goals for an attacker.
1. To break into a system
2. To deny services to a system
(or both)
The attacker breaks into a system to control it. In the “hacker” community this is known as “owning a system”.
Often after a successful attack, an attacker will load a Trojan in order to either;
1. Gain access to the system again (without security controls),
2. To use the exploited system as an attack platform
a. For DDoS attacks against other sites
b. To cover their tracks (i.e. logging)
c. To attack other systems within the organization
Any system that has been compromised should not be trusted again unless it has been rebuilt in a secure manner.
Often when a site has been compromised, attackers will continue to use the system in order to attack other systems without leaving logs of their location. This is known as attack chaining. It may be difficult to find the original source of the attack as the intervening systems have likely had their logs destroyed by the attacker.
Electronic vandalism is similar to graffiti. The idea is to “tag” a page, replacing it with one of the attacker’s design. This is often used by “Hacktivists” to transmit their message.
Often an attacker does not care whether they break into a site or not, just about doing damage. A common method of achieving this is a Denial of Service attack. DoS attacks are characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Some examples include;
1. Attempts to "flood" a network, thereby preventing legitimate network traffic,
2. Attempts to disrupt connections between two machines, thereby preventing access to a service,
3. Attempts to prevent a particular individual from accessing a service,
4. Attempts to disrupt service to a specific system or person,
5. Attempts to “offline” a host (e.g. cause it to reboot).
Generally the methods of attack may be summarized into the following groups;
· Network Connectivity, using all ports for example
· Using Vulnerabilities (e.g. pointing echo services to chargen services)
· Bandwidth Consumption (esp. DDoS)
· Consumption of Other Resources (e.g. memory or database overflow attacks)
· Destruction or Alteration of Configuration Information (e.g. wiping router memory)
· Physical Destruction or Alteration of Network Components (spilling coffee on a host)
Single-Message DoS Attacks
Once also known as "Nuke" Attacks these are designed to cause networked computers to disconnect from the network or crash (possibly rebooting or hanging the system).
Commonly these attacks exploit bugs in a specific operating system (OS). In general, these problems are promptly fixed by the vendor. Good patching procedures to implement the latest security patches reduce this vulnerability.
Flooding Denial-of-Service Attacks or Distributed DoS (DDoS) Attacks
A remote system is overwhelmed by a continuous flood of traffic designed to consume resources at the targeted server (CPU cycles and memory) and/or in the network (bandwidth and packet buffers). These attacks result in degraded service or a complete site shutdown.
Smurf Attacks
Smurf attacks use an intermediary to flood their victim. They spoof the victim's address and send an ICMP Ping (Echo Request) to a subnet broadcast address. Each device on the subnet will respond back to what it thinks is the sender (the victim) with an ICMP Echo Reply, thus flooding the target. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.
Land Attacks
A LAND attack sets the source and destination IP address (on any packet) both to the victim's IP address. This used to kill some machines a long time ago (they'd try to send a response to themselves, and either burn a lot of cycles or end up in a nice tight death spiral).
Flooding Attacks
TCP SYN Flood Attacks take advantage of TCP’s “three-way handshake”. The attacker makes connection requests aimed at a target system. The packets have unreachable (forged) source addresses. The server is not able to complete the connection requests and, as a result, the target system wastes resources. A relatively small number of forged packets will consume memory, CPU, and application capacity, and can result in shutting down a server.
UDP Flood Attacks rely on UDP being a connectionless protocol. A UDP Flood Attack is achievable if an attacker can send a UDP packet to a random port on the target system and the target system responds with an ICMP packet of destination unreachable to the forged source address. By sending enough UDP packets to ports on the target system, the system will fail to respond.
ICMP Flood Attacks come in many forms. There are 2 basic kinds, Floods and Nukes (as detailed above).
An ICMP flood is usually accomplished by broadcasting either ICMP ping packets or UDP packets. The basis of the attack is to send large amounts of data to the target system. This results in it slowing down to a point where it is no longer functional.
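The four patterns described above (LAND, Smurf, SYN flood and UDP flood) each leave a recognisable signature in packet summaries. The following detector is an added example, not code from the book: it runs the corresponding rules over a constructed list of packet summaries. The record format, the thresholds and the /24 broadcast assumption are all assumptions made for the sample data.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Packet summary: (protocol, source IP, destination IP, info) where info is a
# TCP flag ("S" for SYN, "A" for the completing ACK) or an ICMP message type.
Packet = Tuple[str, str, str, str]

SMURF_THRESHOLD = 10          # assumed: echo requests to a broadcast address per spoofed source
SYN_HALF_OPEN_THRESHOLD = 50  # assumed: half-open connections per destination
UDP_UNREACH_THRESHOLD = 50    # assumed: ICMP port-unreachable replies sent by one host

def is_broadcast(ip: str) -> bool:
    # Assumption for the sample data: all subnets are /24, so .255 is the directed broadcast.
    return ip.endswith(".255")

def detect(packets: List[Packet]) -> Dict[str, list]:
    findings = defaultdict(list)
    echo_to_bcast = Counter()    # spoofed (victim) source -> echo requests sent to broadcast
    half_open = set()            # (src, dst) pairs with a SYN seen and no completing ACK yet
    unreach_by_host = Counter()  # host -> ICMP port-unreachable messages it emitted
    for proto, src, dst, info in packets:
        if src == dst:                                   # LAND: packet addressed to itself
            findings["land"].append((src, dst))
        if proto == "icmp" and info == "echo-request" and is_broadcast(dst):
            echo_to_bcast[src] += 1                      # Smurf amplification pattern
        elif proto == "icmp" and info == "port-unreachable":
            unreach_by_host[src] += 1                    # UDP flood symptom on the target
        elif proto == "tcp" and info == "S":
            half_open.add((src, dst))
        elif proto == "tcp" and info == "A":
            half_open.discard((src, dst))                # handshake completed
    for victim, n in echo_to_bcast.items():
        if n >= SMURF_THRESHOLD:
            findings["smurf"].append((victim, n))
    per_dst = Counter(dst for _, dst in half_open)
    for dst, n in per_dst.items():
        if n >= SYN_HALF_OPEN_THRESHOLD:
            findings["syn_flood"].append((dst, n))
    for host, n in unreach_by_host.items():
        if n >= UDP_UNREACH_THRESHOLD:
            findings["udp_flood"].append((host, n))
    return dict(findings)

def sample_traffic() -> List[Packet]:
    """Constructed traffic: one instance of each pattern plus a normal handshake."""
    pkts: List[Packet] = [("tcp", "10.0.0.5", "10.0.0.5", "S")]              # LAND
    pkts += [("icmp", "10.0.0.9", "192.168.1.255", "echo-request")] * 20       # Smurf, victim 10.0.0.9
    pkts += [("tcp", f"203.0.113.{i}", "10.0.0.80", "S") for i in range(1, 101)]  # SYN flood
    pkts += [("tcp", "198.51.100.7", "10.0.0.80", "S"),
             ("tcp", "198.51.100.7", "10.0.0.80", "A")]                        # legitimate client
    pkts += [("icmp", "10.0.0.53", f"203.0.113.{1 + i % 50}", "port-unreachable")
             for i in range(60)]                                               # UDP flood replies
    return pkts
```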
A system may contain hostile code even if it appears to be clean. Viruses for example are capable of remaining hidden to show up months later and infect your system. It is essential to scan systems daily using current anti-virus software and where possible to have controls resident in memory.
What is Hostile Code
Hostile Code is software or firmware capable of performing an unauthorized function on an information system. It is designed with malicious intent to deny, destroy, modify or impede system configuration, programs, data files, or routines. Malicious code comes in several forms, including viruses, Trojan horses, Bombs, and Worms.
Viruses
A virus is hostile code designed to attach itself to a file (file-infector) or, infrequently, to a sensitive system sector of the victim computer’s hard disk. It is malware that infects files and spreads when the file executes or is executed by another program.
Like all hostile code the effects range from benign to the destruction of data and resources.
Bombs
There are several types of Bombs. Some of these are listed below.
A Logic or Fork Bomb is a resident computer program which, when executed, checks for a particular condition or particular state of the system which, when satisfied, triggers the perpetration of an unauthorized act.
An email bomb
This is a program designed to overwhelm an email server or, more generally, a single inbox, with so many messages that it becomes unusable. This is a type of Denial of Service attack. Due to the manner in which messaging systems function, shutting off the server or disconnecting it from the network does not always help the situation. Often the messages simply wait for the system to come back online.
Access Bombs
These are designed to affect a lockout feature implemented in software programs. They may result in the program’s shut down unless it receives a license or a security key from the programmer or to lock accounts (for example accounts on Windows systems where account lockout has been defined). These are a type of Denial of Service attack.
Trojans
A Trojan or Trojan horse backdoor program is a program that allows an attacker to access a system using a backdoor (an example was Back Orifice). Often disguised as a program with a different purpose, these are generally used by an attacker to make access easier after they have successfully attacked a system.
A Trojanized program is a system program replaced with a Trojan of the same name and extension.
Worms
A worm is an independent program that replicates itself, crawling from machine to machine across network connections. It often clogs networks as it spreads. Many worms are spread by e-mail though this is not the only means.
Policy > Procedure > Audit
One of the most important sections of this book is that which covers policy. Without an effective policy and supporting processes, an audit is a shot in the dark based on the personal opinions and belief of the audit team. This is why it is important to have a policy. If not, you have to ask the question, who is running the organization, management or the audit team?
Auditors should be involved in creating policy, but it is management who has to sign off on it. Policy is management’s tool to answer the who and what questions in the organization. Policies set authority and empower people to do a better job (if effective). If written well, they may even answer why. Procedures are derived from policy and formulate who does what, when and how in the organization.
The auditor’s role is thus to report to management on how well the organization is aligned to the policy and procedures that management has put into place.