1. Case Study in Business Information Security
Todd Fine, MCSE, MCSD, CNA
Director, Security and Integration Practice, RDA
2. Quick Introduction to RDA
IT Consulting company in the Security, Integration, and AppDev spaces
Partners: Microsoft, IBM, Rational, BEA, and… CIS!
MS Gold Certified in Security and E-commerce solutions (only a handful in the U.S.)
Verticals: Insurance, Capital Finance and Commercial Lending
3. Security Offering
Security Assessments, Audits and Implementations
Software security architecture design, including PKI and training on .NET
Active Directory, ISA Server and Exchange design and implementation
Network and Systems Consulting (VPNs, firewalls, network design, wireless)
Disaster Recovery / Business Continuity Assessment and Implementation
4. Case Study: Company Profile
Financial Services: annuities industry
Pioneered Web-based approaches to transactions in the annuity market on the Internet
Connect all industry constituencies: carriers and manufacturers, distributors and point of sale representatives, customers
Client list includes large financial and insurance institutions including Merrill Lynch, Charles Schwab, Fidelity, GE Financial, Nationwide, and more
Provide new, secure distribution channels for partner products and services
Company Value Proposition
Adds value in every distribution channel
Standardizes the annuity application process
Reduces administration and servicing costs
Provides real-time reporting
Create private-labeled web sites
Provide compliance-approved marketing and educational materials
New, secure distribution channels for partner products and services
5. Business Situation and Challenges
As a financial institution, must work within a strict regulatory environment
Customers and Partners extremely strict on security, performing lengthy due diligence activities before coming on board
facility site visits
security policy and procedure reviews
penetration/hacking attempts
As part of strong focus on security, perform an annual security audit, the results of which are provided to their partners
Underlying drivers can be understood by stating the issues of utmost importance to the organization in this arena:
Guaranteeing privacy for partners, and their partner’s data
Ensuring the highest degree of protection from hostile attacks
6. Project Mission Statement
Ensure that critical production networks, applications, and especially data, are secure and protected from attack. This will be accomplished via a comprehensive Security Audit designed to:
Probe and validate security state via penetration testing and vulnerability assessments
Review current security practices, policies, and processes
Present resulting security posture in the context of security industry best practices, baselined against industry standards
7. Methodology and Approach
RDA uses a custom methodology, based on best practices from several industry-leading standards and methodologies, including:
BS7799/ISO-17799 Information Security Standard
Open Source Security Testing Methodology
National Institute of Standards and Technology (NIST) Network Security Testing Guidelines
Benchmarking and Comparative Scoring (CIS)
For benchmarking and comparison of security state, there have been no dominant (and in fact few at all) standards
CIS is the emerging leader in this arena, and RDA is a CIS partner
RDA uses the CIS benchmarking tools and scoring systems where possible within the security audit
8. CIS Overview/Recap
CIS includes a large group of user organizations, security professionals and auditors that have collaboratively agreed upon security configuration specifications that:
Represent a prudent level of due care (Level-1), and
Consensus best-practice (Level-2) security configurations for computers connected to Internet
CIS scoring tools are used to determine how systems measure up to these widely accepted security benchmarks
9. CIS Tools Used in this Case Study
CIS Windows 2000 Benchmark
Criteria used for scoring are divided into three categories:
Service Packs and Hotfixes
Policies
Security Settings
CIS Cisco Router Security Benchmark
Router Auditing Tool: for benchmarking Cisco router security
Measures router configuration against CIS Level 1 configuration guidelines
Downloads router config, checks against benchmark settings
CIS “SANS Top Twenty” Vulnerability Scanner
“Top Twenty” vulnerabilities benchmarking tool
Runs specific set of scans targeting SANS top 20 vulnerabilities
10. CIS Benchmark & Scoring Tool for W2K
W2K scoring tool measures globally applied security policies on Windows servers and workstations
Combination of guidance published by SANS Institute, the NSA and the DoD, plus CIS members
Level-1 defines minimum standards for securing W2K servers and workstations
Level-1 security actions specified satisfy 3 conditions:
Can be safely implemented by a SysAdmin of any level of technical security skill
Will “do no harm” to functionality commonly required by everyday users
Can be scored by the CIS software tool
11. CIS Tools: Windows Platform
“Score” produced is a number between 1 and 10, based on:
Service Packs
Hotfixes Needed
Non-Expiring Passwords
Policy Mismatches for Account and Audit Policies
Restrict Anonymous
Security Options Mismatches
12. Results: W2K Benchmarks
13. Results: W2K Benchmark
Strengths
Minimum password length set high
Logon security banners and warnings are enabled
User desktops locked down for access
Accounts locked out until the administrator enables them
Unnecessary services disabled
Console access requires authentication w/ RSA encryption
Weaknesses
No max password age to force users to change passwords
Passwords do not meet standard guidelines for complexity
Insufficient restrictions for anonymous connections. NULL usernames and passwords can be used to obtain information from systems on the domain
System not set for "No access w/o explicit anonymous permissions"
14. Conclusions: W2K Benchmark
Summary
Mainly reliant on firewall and token authentication for security
Several password policy enhancements and server configuration settings are necessary to enhance OS hardening of the servers
Recommendations
Set option for “No access without explicit anonymous access given” in the security policy for the Domain
Set limited password ages for all passwords
Increase password complexity requirements
Additional restrictions for anonymous connections should be set
Disable the ability to enumerate system information through the use of a NULL username and password
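The W2K weaknesses and recommendations above (no maximum password age, no complexity requirement, anonymous connections not restricted) can be checked mechanically against a security-policy export. The following is an added example written for this page, not code from the presentation or from the CIS scoring tool. It assumes the INF text written by `secedit /export /cfg <file>` on Windows 2000 as input; the sample export, the 90-day password-age threshold and the check list are constructed for the example and are not the audited system's values or the CIS benchmark's actual rules.

```python
# Added example: not code from the RDA presentation or from the CIS scoring tool.
# Checks a Windows 2000 local security policy export for the weaknesses the
# audit reported: no maximum password age, no complexity requirement, and
# anonymous (NULL session) access not restricted.
#
# Assumed input: the INF text written by `secedit /export /cfg <file>` on
# Windows 2000. The sample below is constructed for this example and mirrors
# the audited weaknesses; it is not the audited system's real export.
import configparser
from typing import Dict, List, Tuple

SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 12
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 5
LockoutDuration = -1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

RESTRICT_ANONYMOUS = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"

# Threshold is an assumption for this example; the slides only say "set limited
# password ages". A maximum age of -1 in the export means passwords never expire.
MAX_PASSWORD_AGE_DAYS = 90


def parse_secedit_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INF export into {section: {key: raw value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep registry paths case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_w2k_policy(policy: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, str, str]]:
    """Return (setting, current value, recommended value, PASS/FAIL) per check."""
    access = policy.get("System Access", {})
    registry = policy.get("Registry Values", {})
    findings = []

    max_age = int(access.get("MaximumPasswordAge", -1))
    findings.append(("MaximumPasswordAge", max_age, f"1..{MAX_PASSWORD_AGE_DAYS} days",
                     "PASS" if 1 <= max_age <= MAX_PASSWORD_AGE_DAYS else "FAIL"))

    complexity = int(access.get("PasswordComplexity", 0))
    findings.append(("PasswordComplexity", complexity, "1 (enabled)",
                     "PASS" if complexity == 1 else "FAIL"))

    min_len = int(access.get("MinimumPasswordLength", 0))
    findings.append(("MinimumPasswordLength", min_len, ">= 8",
                     "PASS" if min_len >= 8 else "FAIL"))

    # Registry values are exported as "<type>,<data>"; 4 is REG_DWORD.
    # RestrictAnonymous=2 is "No access without explicit anonymous permissions",
    # the domain setting the audit recommends; it stops NULL-session enumeration.
    _, _, data = registry.get(RESTRICT_ANONYMOUS, "4,0").partition(",")
    restrict = int(data or 0)
    findings.append(("RestrictAnonymous", restrict, "2",
                     "PASS" if restrict == 2 else "FAIL"))
    return findings


def failed_settings(policy: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of the settings that need remediation, in check order."""
    return [name for name, _, _, status in check_w2k_policy(policy) if status == "FAIL"]


if __name__ == "__main__":
    for name, current, wanted, status in check_w2k_policy(parse_secedit_inf(SAMPLE_INF)):
        print(f"{status:4} {name:22} current={current!s:4} recommended={wanted}")
```

Run against the constructed export, the three settings the audit flagged come back FAIL while the high minimum password length (a listed strength) passes; after the recommended values are applied and the policy re-exported, `failed_settings` returns an empty list.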
15. CIS Benchmark & Scoring Tool: IOS Router
Measures router configuration against CIS Level 1 benchmark
Downloads router configuration, checks it against benchmark
For each configuration, produces:
A list of each rule checked with a pass/fail score
Raw and weighted overall score
List of IOS commands that will correct problems identified
Also comes with a Router Security Configuration Guide (by NSA)
Provides technical guidance to help administrators and security officers improve network security
Principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco routers
Use to help control access, resist attacks, shield network components, protect integrity and confidentiality of network traffic
16. Results: Router Benchmarks
Score Summary
#Rules: 37   #Passed: 15   #Failed: 22   %Passed: 40
Perfect Weighted Score: 275   Actual Weighted Score: 109
%Weighted Score: 39
Overall Score (0-10): 4.4
17. Results: Router Benchmarks
Strengths
Router not exposed to the Internet
All small TCP services and UDP services disabled on the router
This prevents some denial of service vulnerabilities on the router
SNMP is disabled on the router (prevents SNMP enumeration)
Web server service is disabled
Prevents router from being susceptible to a web-based attack
Weaknesses
Logging on router not being captured
No access lists to prevent unneeded traffic from DR to Production
RIP routing is enabled on the router
Telnet access not restricted to allowable subset of IP addresses
User logging not enabled
Enabling it would identify any person who makes a configuration change
18. Conclusions: Router Benchmarks
Summary
Routers connecting DR to Production are in a secure location on the network; thus their security is not under the same scrutiny as devices that touch the Internet
However, taking further measures to lock down the routers would require little effort, and would add an additional security barrier in the event of a system exploit or virus infection
Recommendations
Add access lists to router to prevent unneeded traffic from passing through
Disable RIP routing
Enable logging on the router, to aid in troubleshooting configuration changes and preventing security breaches
Enable user logins
19. CIS Tools: Top Twenty Vulnerability Scanner
Specific set of scans targeted at SANS Top 20
20. Initial Results Summary
CIS “Windows 2000 Level I” benchmark
Score: 1.7 (out of 10)
CIS Cisco Router security benchmark
Score: 4.4 (out of 10)
CIS “SANS Top 20” vulnerability scanner
Score: 100 (perfect score). No vulnerabilities!
21. Next Steps (Remediation)
Fix problems
Follow benchmark results, which in some cases specify security actions to take
Use expertise to interpret results
Need to consider both business and technical constraints and make informed trade-offs
Re-run the benchmark scoring tools!
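The router benchmark described in slides 15 to 18 (download the config, check each rule for pass/fail, produce raw and weighted scores, list the IOS commands that correct the failures) and the remediation loop above (fix, then re-run the scoring tool) fit together in one small program. The following is an added example written for this page, not code from the presentation or from the CIS Router Audit Tool. The rule names, weights, fix commands, the syslog host 10.9.9.9, the management subnet 10.9.0.0/16 and the configuration text are all constructed for illustration; they are not the CIS benchmark's real rules, scores or the audited router's configuration.

```python
# Added example: not code from the RDA presentation or from the CIS Router
# Audit Tool. Check a router config rule by rule, report raw/weighted/overall
# scores, list IOS commands that fix the failures, then re-score after
# applying them. Rules, weights, hosts/subnets and the config are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    weight: int
    require: Optional[str] = None  # a line matching this regex must exist
    forbid: Optional[str] = None   # no line may match this regex
    fix: List[str] = field(default_factory=list)  # IOS config-mode commands

    def passes(self, config: str) -> bool:
        if self.require is not None:
            return re.search(self.require, config, re.MULTILINE) is not None
        return re.search(self.forbid, config, re.MULTILINE) is None


# Constructed rule set loosely following the findings on the slides.
RULES = [
    Rule("small TCP services off", 3, forbid=r"^service tcp-small-servers",
         fix=["no service tcp-small-servers"]),
    Rule("small UDP services off", 3, forbid=r"^service udp-small-servers",
         fix=["no service udp-small-servers"]),
    Rule("SNMP off", 5, forbid=r"^snmp-server community", fix=["no snmp-server"]),
    Rule("HTTP server off", 5, forbid=r"^ip http server", fix=["no ip http server"]),
    Rule("log timestamps on", 2, require=r"^service timestamps log datetime",
         fix=["service timestamps log datetime msec"]),
    Rule("RIP off", 3, forbid=r"^router rip", fix=["no router rip"]),
    Rule("logging to syslog host", 5, require=r"^logging \d+\.\d+\.\d+\.\d+",
         fix=["logging 10.9.9.9"]),  # 10.9.9.9: constructed syslog host
    Rule("VTY access restricted", 7, require=r"^ access-class \d+ in",
         fix=["access-list 90 permit 10.9.0.0 0.0.255.255",  # constructed mgmt subnet
              "line vty 0 4", " access-class 90 in"]),
    Rule("per-user logins (AAA)", 5, require=r"^aaa new-model",
         fix=["aaa new-model", "aaa authentication login default local",
              "username <admin> privilege 15 secret <strong-secret>"]),
]

# Constructed running-config, not the audited router's.
SAMPLE_CONFIG = """\
!
service timestamps log datetime msec
no service tcp-small-servers
no service udp-small-servers
hostname dr-rtr-1
!
no ip http server
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
router rip
 network 10.0.0.0
!
line vty 0 4
 login
 password changeme
!
end
"""


def score(config: str, rules: List[Rule] = RULES) -> Dict[str, object]:
    """RAT-style summary: per-rule results, raw and weighted scores, 0-10 overall."""
    results = [(r.name, r.passes(config)) for r in rules]
    total_w = sum(r.weight for r in rules)
    got_w = sum(r.weight for r in rules if r.passes(config))
    passed = sum(1 for _, ok in results if ok)
    return {
        "results": results,
        "rules": len(rules), "passed": passed, "failed": len(rules) - passed,
        "pct_passed": round(100 * passed / len(rules), 1),
        "perfect_weighted": total_w, "actual_weighted": got_w,
        "pct_weighted": round(100 * got_w / total_w, 1),
        "overall": round(10 * got_w / total_w, 1),
    }


def fix_commands(config: str, rules: List[Rule] = RULES) -> List[str]:
    """IOS commands that would correct every rule the config fails."""
    return [cmd for r in rules if not r.passes(config) for cmd in r.fix]


def apply_fixes(config: str, cmds: List[str]) -> str:
    """Text-level simulation of entering the commands in config mode: 'no X'
    removes line X and its indented sub-lines; anything else is appended.
    Enough to re-score the text; it is not an IOS parser."""
    lines = config.splitlines()
    for cmd in cmds:
        if not cmd.startswith("no "):
            lines.append(cmd)
            continue
        kept, skipping = [], False
        for line in lines:
            if line == cmd[3:]:
                skipping = True
                continue
            if skipping and line.startswith(" "):
                continue
            skipping = False
            kept.append(line)
        lines = kept
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before = score(SAMPLE_CONFIG)
    for name, ok in before["results"]:
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print(f"overall {before['overall']}/10 "
          f"(weighted {before['actual_weighted']}/{before['perfect_weighted']})")
    cmds = fix_commands(SAMPLE_CONFIG)
    print("fix:", *cmds, sep="\n  ")
    print("after remediation:", score(apply_fixes(SAMPLE_CONFIG, cmds))["overall"])
```

On the constructed config the small-services, SNMP, HTTP and timestamp rules pass while RIP, syslog logging, VTY access-class and AAA fail, giving 5 of 9 rules and 18 of 38 weighted points (overall 4.7); the emitted fix list is exactly what the slides describe the tool producing, and re-scoring the simulated post-fix config returns 10.0. The weighting is the point a practitioner should note: the VTY restriction carries the most weight here, so the percentage of rules passed (55.6) and the weighted percentage (47.4) diverge, just as the 40% vs 39% figures do on the results slide.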
22. Post-Remediation: Final Results
CIS “Windows 2000 Level I” benchmark
Score: 6.5 (out of 10)
CIS Cisco Router security benchmark
Score: 7.2 (out of 10)
CIS “SANS Top Twenty” Vulnerability Scanner
Score: 100 (perfect score)
23. Final Overall Conclusions
Although minor issues were found, RDA was unable to penetrate any production host on the network
Note: Application Layer security is a different story – but that’s also a different presentation
Strong policies were in place covering most aspects of security
Staff very security-conscious, security ingrained upon employees
After remediation, firm was able to further increase security posture, and upon conclusion received a HIGH overall rating, above most other companies
CIS leadership and tools a great boon to RDA and our customers
Differentiates RDA in the security market
Makes our security audit services and deliverables better
Creates a sense of confidence for customer (esp. exec mgmt)
24. Questions?
Todd Fine – RDA, Business Development Director
fine@rdacorp.com
http://www.rdacorp.com