IT Audit and Evaluation 7 (audit dan evaluasi ti 7)

Posted on 22-Jan-2015


DESCRIPTION

Lecture material for IT Audit, session 7, Pak Dani

TRANSCRIPT

Information Technology Audit and Evaluation

Session 7

MTI-CIO2012

Key to IT Fraud Initiatives: Tone at the Top

• Standards and literature claim Tone at the Top is key to prevention of IT fraud

• A study of IT audits showed that Tone at the Top is the most important criterion in assessing IT security

• Tone at the Top is more important than:
– Software
– Logical controls
– Physical controls

Source: "Security Controls and Management Tone", T. Kizinian and W. R. Leese, Internal Auditing, March/April 2004

Tone at the Top Options

• Culture of fear
– Responses triggered by events
– Adopts a “fortress” strategy
– Compliance is sufficient
– CIO or CTO responsibility
– Punishment oriented: requires monitoring and systems that may impede legitimate business

• Culture of security
– Motivated by desire for excellence
– Holistic understanding of security
– Aims to prevent fraud
– Compliance is necessary but not sufficient for security
– Organizational responsibility
– Conscious strategy for Tone at the Top and culture

Problems with Culture of Fear

• Fear is a short-term motivator
• Responds to failures after the damage is done
• Underestimates costs of failures and costs of prevention (e.g. time lost in dealing with security issues and systems)
• Lowers morale and creates “us vs. them” mindset

Standards and Assessment Tools

• COSO and SOX
• Control Objectives for Information and Related Technology (COBIT) and Information Technology Control Guidelines (ITCG)
• Need a management and assessment tool specifically for Tone at the Top and Culture of Security

ACFE Report to the Nation Occupational Fraud and Abuse

• 2 1/2 year study of 2608 frauds
– Fraud costs U.S. organizations more than $400 billion annually.
– Fraud and abuse costs employers an average of $9 a day per employee
– The average organization loses about 6 percent of its total annual revenue to fraud and abuse admitted to by its own employees

Two Types of Fraud

• Fraud on behalf of an organization
– Financial statement manipulation to make the company look better to stockholders
– Also called management fraud

• Fraud against an organization
– Stealing assets, information, etc.
– Also called employee or consumer fraud

Ernst & Young Fraud Study 2002 (Europe)

• One in five workers is aware of fraud in their workplace
• 80% would be willing to turn in a colleague but only 43% have
• Employers lost 20 cents on every dollar to workplace fraud
• Types of fraud
– Theft of office items: 37%
– Claiming extra hours worked: 16%
– Inflating expense accounts: 7%
– Taking kickbacks from suppliers: 6%

Extent of Fraud

• 10% of organizations suffer serious IT fraud each year
• Damage to reputation due to IT fraud slices 8% to 13% off the market value of public companies
• Every survey shows IT fraud at or near the top of CFOs' concerns

But So Far?

• Each firm seems to have different groups working on fraud detection
– No best practices model has emerged

• IT auditors perform control testing on company systems, not fraud detection

Why Don’t Auditors Find Fraud?

• Limited time
– Our most precious resource is our attention

• History: lack of historical fraud detection instruction
• Lack of fraud symptom expertise
• Lack of fraud-specific tools
• Lack of analysis skills
• Lack of expertise in technology
• Auditors do find 20-30 percent of fraud

ACFE 2004 Report to the Nation

Common Fraud in USA

• Top sales VP sponsors award event
• High-priced gifts bought for spouses and guests
• Cost buried in cost of overall event; gift items not identified
• Voucher meets budget projection

Ethical Standards Tested Every Day

• Have to take a stand based on your personal ethics
• Tested every day by decisions your people make
• The Foreign Corrupt Practices Act is the rule of law

What Next in IT Audit?

• Prosecute??
• Apply short-term solutions to contain an intrusion
• Eliminate all means of intruder access
• Return systems to normal operation
• Identify and implement security lessons learned

What is a security audit?

• Policy based
• Assessment of risk
• Examines site methodologies and practices
• Dynamic
• Communication

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data... There's a war out there... and it's not about who's got the most bullets. It's about who controls the information."

Federation of American Scientists - Intelligence Resource Program

Why and What IT Security Audits?

Why?
• Information is power
• Check and measure policy compliance
• Assess risk and security level or other specific information
• Assess potential damage and vulnerable areas
• Security incident response to allow remediation
• Ensure ongoing security and efficient systems
• Change management
• Expectations

What?
• Host
• Firewall
• Networks
• Large networks

Who Needs IT Security Auditing?

• A security audit is necessary for every organization, especially with the use of the Internet.

• An ongoing process that must be tried and improved to cope with ever-changing and challenging threats.

• Being audited should not be feared. Audit is good practice.

When to audit?

• Emergency!
• Before prime time
• Scheduled/maintenance
• Example schedules
– Individual host: 12-24 months
– Large networks: 12-24 months
– Network: 12 months
– Firewall: 6 months

IT Specific Audit Phases

• External Audit
– Public information collection
– External penetration
• Non-destructive test
• Destructive test

• Internal Audit
– Confidential information collection
– Security policy review
– Interviews
– Environment and physical security
– Internal penetration
– Change management

• Reporting

Important Notes on External Audit

• Do not make ANY changes to the systems or networks
• Do not impact processing capabilities by running scanning/testing tools during business hours or during peak or critical periods
• Always get permission before testing
• Be confidential and trustworthy
• Do not perform unnecessary attacks

External Audit-Penetration Test

• Plan the penetration process
– Search for vulnerabilities matching the information gathered and obtain the exploits
– Conduct vulnerability assessments (ISO 17799)

• Non-destructive test
– Scans / tests to confirm vulnerabilities
– Make SURE they are not harmful

• Destructive test
– Only for short-term effect (DDOS….)
– Done from various locations
– Done only in off-peak hours to confirm effect

• Record everything
– Save snapshots and record everything for every test done, even if it returned a false result
– Watch out for HONEYPOTS

Internal Audit

• Conducted at the premises
• A process of hacking with full knowledge of the network topology and other crucial information.
• Also to identify threats within the organization
• Should be 100% accurate.
• Must be cross-checked with the external penetration report.

Internal Audit-Policy review

• Everything starts with the security policy

• If there is no policy, is there no need for a security audit?

• Policies are studied properly and classified

• Identify any security risks that exist within the policy

• Interview IT staff to gain a proper understanding of the policies

• Also identify the level of implementation of the policies.

Policy

Standards

Procedures, Guidelines & Practices

Internal Audit-Information gathering

• Discussion of the network topology
• Placement of perimeter devices such as routers and firewalls
• Placement of mission-critical servers
• Existence of IDS
• Logging
• Always cross-check with security policy

Internal Audit-Environment and Physical Security

– Locked / combination / card swipe doors
– Temperature / humidity controls
– Neat and orderly computing rooms
– Sensitive data or papers lying around?
– Fire suppression equipment
– UPS (Uninterruptible power supply)
– Always cross-check with security policy

Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.

Internal Audit-Penetration

The internal penetration test can be divided into a few categories:
– Network
– Perimeter devices
– Servers and OS
– Application and services
– Monitor and response
– Cross-check with security policy

Internal Audit-Network

• Location of devices on the network
• Redundancy and backup devices
• Staging network
• Management network
• Monitoring network
• Other network segmentation
• Cabling practices
• Remote access to the network
• Cross-check with security policy

Internal Audit-Perimeter Devices

Check configuration of perimeter devices like
– Routers
– Firewalls
– Wireless AP/Bridge
– RAS servers
– VPN servers
– Perform tests
• Egress and ingress communication
• Firewall rules
• Configuration access method
• Logging methods
– Cross-check with security policy

Internal Audit-Server and OS

• Identify mission-critical servers like DNS, email and others
• Examine OS and patch levels
• Examine the ACL on each server
• Examine management controls: accounts and passwords
• Placement of the servers
• Backup and redundancy
• Cross-check with security policy

Internal Audit-Application and Services

Identify services and applications running on the mission-critical servers. Check vulnerabilities for the versions running. Remove unnecessary services/applications.

– DNS
• Name services (BIND)
– Email
• POP3, SMTP
– Web/HTTP
– SQL
– Others
– Cross-check with security policy

Internal Audit-Monitor and Response

Check for procedures on
• Event logging and audit
– What is logged?
– How frequently are logs viewed?
– How long are logs kept?

• Network monitoring
– What is monitored?
– Response to alerts?

• Intrusion detection
– IDS in place?
– What rules and detection are used?

• Incident response
– How is the response to an attack?
– What is the recovery plan?
– Follow-up?

Internal Audit-Analysis and Report

• Analysis of results
– Check compliance with security policy
– Identify weaknesses and vulnerabilities
– Cross-check with external audit report

• Report: key to realizing value
– Must be in 2 parts
• Non-technical (for management use)
• Technical (for IT staff)
– Methodology of the entire audit process
– Separate internal and external
– State weaknesses/vulnerabilities
– Suggest solutions to harden security

Security Policies and Documentation

What is a security policy?
• Components
• Who should write it?
• How long should it be?
• Dissemination
• It walks, it talks, it is alive..
• RFC 1244
• What if a written policy doesn't exist?
• Other documentation

Components of a Security Policy

• Who can use resources
• Proper use of the resources
• Granting access and use
• System administrator privileges
• User rights and responsibilities
• What to do with sensitive information
• Desired security configurations of systems

RFC 1244 "Site Security Handbook"

• Defines security policies & procedures
• Policy violations
• Interpretation
• Publicizing
• Identifying problems
• Incident response
• Updating

Other Documentation

• Hardware/software inventory
• Network topology
• Key personnel
• Emergency numbers
• Incident logs

How to do a Security Audit

• Pre-audit: verify your tools and environment
• Audit/review security policy
• Gather audit information
• Generate an audit report
• Take actions based on the report's findings
• Safeguard data and report

The Golden Rule of Auditing

• Verify ALL tools used for the audit are untampered with.
– Write them yourself
– Find a trusted source (person, place)
– Verify them with a digital signature (MD5)

• If the results of the auditing tools cannot be trusted, the audit is useless

• Platform
– Should have extraordinary security
– Submit it to a firewall+ type of audit
– Physical access should be required to use it
– No network services running
– Portable mobile secured and trusted hardware
– Software: secured OS, audit tools, development tools
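The tool check in the golden rule above, as an added example (not part of the lecture): every audit tool is compared against a digest pinned from a trusted copy before the audit starts, and any tool that is missing or differs is reported so its results are not used. The tool names, file contents and the manifest are constructed for the demo; the slide mentions MD5, but SHA-256 is used here because MD5 collisions are practical and it should no longer be relied on for integrity checks.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_toolkit(manifest, tool_dir):
    """Compare every tool in the manifest against its pinned digest.

    manifest: {tool_name: expected_hex_digest}, obtained from a trusted
    source (the author's signed release or a copy you built yourself),
    never from the machine being audited.
    Returns {tool_name: "ok" | "tampered" | "missing"}; anything other
    than "ok" means that tool's output cannot be trusted.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # Constant-time comparison of the two hex strings.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    return results


def demo():
    """Constructed toolkit in a temp dir: pin it, then tamper with one tool."""
    with tempfile.TemporaryDirectory() as tool_dir:
        tools = {"nmap": b"#!/bin/sh\necho scanning\n",   # constructed stand-ins
                 "lsof": b"#!/bin/sh\necho listing\n"}
        for name, body in tools.items():
            with open(os.path.join(tool_dir, name), "wb") as f:
                f.write(body)
        # Pin digests from the known-good copies (stand-in for the trusted source).
        manifest = {name: sha256_file(os.path.join(tool_dir, name)) for name in tools}
        manifest["tcpdump"] = "0" * 64          # pinned but never installed -> "missing"
        before = verify_toolkit(manifest, tool_dir)
        # Simulate a modified scanner: one byte appended to the binary.
        with open(os.path.join(tool_dir, "nmap"), "ab") as f:
            f.write(b"\n")
        after = verify_toolkit(manifest, tool_dir)
        return before, after


if __name__ == "__main__":
    print(demo())
```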

Audit Tools the Hall of Fame

• SAINT/SATAN/ISS
• Nessus
• lsof / pff
• Nmap, tcpdump, ipsend
• MD5/DES/PGP
• COPS/Tiger
• Crack

Web security specific
• Acunetix: http://www.acunetix.com
• Web Sleuth: http://www.sandsprite.com/Sleuth
• Paros Proxy: http://www.parosproxy.org
• Web Inspect: http://www.spidynamics.com/products/webinspect
• nikto: http://www.cirt.net/code/nikto.shtml
• XSS NASL plugin for Nessus: http://www.cirt.net/code/nessus.shtml
• JMeter: http://www.jakarta.apache.org/jmeter

Audit/Review Security Policy

• Utilize an existing or use a "standard" policy
• Treat the policy as a potential threat
• Does it have all the basic components?
• Are the security configurations comprehensive?
• Examine dissemination procedures

Security policy

• Treat the policy as a potential threat
• Bad policies are worse than none at all
• Good policies are very rare
• Look for clarity and completeness
• Poor grammar and spelling are not tolerated

Does it Have All the Basic Components?

• Who can use resources
• Proper use of the resources
• Granting access and use
• System administrator privileges
• User rights and responsibilities
• What to do with sensitive information

Security Configs Comprehensive?

• Details are important!
• Addresses specific technical problems (COPS-like tests, network services run, etc.)
• Allowable trust must be clearly outlined
• Should name the specific tools (TCP wrappers, S/Key, etc.) that are used
• Must have explicit time schedules for security audits and/or tools used
• Logfiles must be regularly examined!

Examine Dissemination Procedures

• Policies are worthless unless people read and understand them
• Ideally it is distributed and addressed when people join the organization
• E-mail is useful for updates and changes
• Written user acknowledgment is necessary

Gather Audit Information

• Talk to/interview people
• Review documentation
• Technical investigation

Talk to/Interview people

• Difficult to describe, easy to do
• Usually ignored
• Users, operators, sysadmins, janitors, managers…
• Usage & patterns
• Have they seen/read the security policy?
• What can/can't they do, in their own words
• Could they get root/system privileges?
• What are systems used for?
• What are the critical systems?
• How do they view the security audit?

Review Documentation

• Hardware/software inventory
• Network topology
• Key personnel
• Emergency numbers
• Incident logs

Technical Investigation

• Run static tools (COPS, Crack, etc.)
• Check system logs
• Check system against known vulnerabilities (CERT, bugtraq, CIAC advisories, etc.)
• Follow startup execution
• Check static items (config files, etc.)
• Search for privileged programs (SUID, SGID, run as root)
• Examine all trust
• Check extra network services (NFS, news, httpd, etc.)
• Check for replacement programs (wu-ftpd, TCP wrappers, etc.)
• Code review "home grown" programs (CGIs, finger FIFOs, etc.)
• Run dynamic tools (ps, netstat, lsof, etc.)
• Actively test defenses (packet filters, TCP wrappers, etc.)

Test, Execution, and Check

Static tools
• Nmap
• SAINT/SATAN/ISS
• Crack
• Nessus
• COPS/Tiger

Startup execution/programs
• Boot (P)ROMs
• init
• Startup programs (rc.* like files)

Check
• Examine all config files of running processes (inetd.conf, sendmail.cf, etc.)
• Examine config files of programs that can start up dynamically (ftpd, etc.)

Search for privileged programs

• Find all SUID/SGID programs
• Look at all programs executed as root
• Examine:
– Environment
– Paths to execution
– Configuration files

• Examine all trust
– rhosts, hosts.equiv
– NFS, NIS
– DNS
– Windowing systems
– User traffic and interactive flow
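The "find all SUID/SGID programs" step above, as an added example (not from the lecture): it walks a directory tree, reports every regular file carrying the setuid or setgid bit together with its owner, and additionally flags the case an auditor most wants to see, a privileged program that other users can modify. The directory layout and file modes in `demo()` are constructed in a temporary directory so the script runs without touching a real system.

```python
import os
import stat
import tempfile


def find_privileged_programs(root):
    """Return sorted (relative_path, owner_uid, flags) for every SUID/SGID file under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)         # lstat: do not follow symlinks
            except OSError:
                continue                    # unreadable entries are skipped, not fatal
            if not stat.S_ISREG(st.st_mode):
                continue                    # only regular files carry an effective SUID/SGID bit
            flags = []
            if st.st_mode & stat.S_ISUID:
                flags.append("suid")
            if st.st_mode & stat.S_ISGID:
                flags.append("sgid")
            if not flags:
                continue
            # Bad sign: a privileged program that any user on the box can rewrite.
            if st.st_mode & stat.S_IWOTH:
                flags.append("world-writable")
            findings.append((os.path.relpath(path, root), st.st_uid, flags))
    return sorted(findings)


def demo():
    """Constructed tree: one SUID, one SGID, one plain, one world-writable SUID file."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"bin/passwd": 0o4755, "bin/wall": 0o2755,
                  "bin/ls": 0o755, "opt/helper": 0o4777}     # constructed modes
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        # Drop the uid so the result is the same on any machine.
        return [(rel, flags) for rel, _uid, flags in find_privileged_programs(root)]


if __name__ == "__main__":
    for rel, flags in demo():
        print(rel, ",".join(flags))
```

On a real host the same walk over `/` is the audit's "find all SUID/SGID programs" step; each hit is then examined for its environment, execution path and configuration files as the slide lists.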

Check Network Services

• NFS/AFS/RFS
• NIS
• News
• WWW/httpd
• Proxy (telnet, ftp, etc.)
• Authentication (Kerberos, security tokens, special services)
• Management protocols (SNMP, etc.)

Check for Replacement Programs

• wu-ftpd
• TCP wrappers
• Logdaemon
• Xinetd
• GNU fingerd

Code Review "Home Grown"/Non-Standard/Custom Programs

• Network daemons
• Anything SUID, SGID
• Programs run as system account
• CGIs
• Bad signs:
– External commands (system, shell, etc.)
– /usr/ucb/mail
– Large size
– No documentation
– No comments in code
– No source code available

Actively Test Defenses

• Packet filtering
• TCP wrappers
• Other defense programs

Safeguard Data and Report

• Save for the next audit
• Do not keep on line
• Use strong encryption if stored electronically
• Limit distribution to those who "need to know"
• Print out report, sign, and number copies

Incident Response-Purpose

Minimize overall impact

• Hide from public scrutiny

• Stop further progression

• Involve Key personnel

• Control situation

Recover Quickly and Efficiently

• Respond as if going to prosecute

• If possible replace system with new one

• Priority one, business back to normal

• Ensure all participants are notified

Secure System

• Lock down all known avenues of attack

• Assess system for unseen vulnerabilities

• Implement proper auditing

• Implement new security measures

Follow-up (A continuous process)

• Ensure that all systems are secure.

• Continue prosecution.

• Securely store all evidence and notes.

• Distribute lessons learned.

Incident Verification

• How are we certain that an incident occurred?
• Verify the incident!
• Where to find information?
– Intrusion logs
– Firewall logs
– Interviews
• Emails, network admin, users, ISP, etc…

Verification: What do we know?

• Three situations
– 1. Verification without touching the system
– 2. Verification by touching the system minimally. You have a clue or two where to look.
– 3. Verification by full analysis of the live system to find any evidence that an incident has occurred.

Secure Incident Scene

• What exactly does this mean?
– Limit the amount of activity on the system to as little as possible
• Limit damage by isolating
• ONE person performs actions
• Limit affecting the crime environment
• Record your actions

Preserve Everything!

• Anything and everything you do will change the state of the system
– POWER OFF? Changes it.
– Leave it plugged in? Changes it.
– Obtaining a backup will change the system
– Unplug the network? Changes it.
– Even doing nothing will ALSO change the state of the system.

Incident Scene Snapshot

• Record state of computer
– Photos, state of computer, what is on the screen?
– What is obviously running on the screen?
• Xterm?
• X-windows?
– Should you port scan the affected computer?
• Pros: you can see all active and listening ports
• Cons: it affects the computer, and some backdoors log how many connections come into them and could tip off the bad guy

Unplug Power from System?

• This method may be the most damaging to effective analysis, though there are some benefits as well
– Benefits include that you can now move the system to a more secure location and that you can physically remove the hard drive from the system
– Cons… you lose evidence of all running processes and memory

Unplug from Network?

• Unplug from the network?
– Unplug it from the network and plug the distant end into a small hub that is not connected to anything else.
– Most systems will write error messages into log files if not on a network.
– If you make the computer think it is still on a network, you will succeed in limiting the amount of changes to that system.

Intrusion Detection

• Intrusion Detection is the process of monitoring computer networks and systems for violations of security.

• An intrusion: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

• All intrusions are defined relative to a security policy
– Security policy defines what is permitted and what is denied on a network/system
– Unless you know what is and is not permitted, it's pointless to attempt to catch intrusions

Intrusion Detection Systems

• Goal
– To detect intrusions in real time and respond to them

• False positive
– No intrusion but alarm
– Too many make your life miserable

• False negative
– Intruder not detected
– System is compromised

Intrusion Detection - Detection Schemes

• Misuse Detection
– The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates somebody is doing a TCP port scan

• Anomaly Detection
– Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is mostly theoretical at this point and is the topic of extensive research

Intrusion Detection - Detection

• Misuse Detection
• Detect known attack signatures
• Advantage:
– Low false positive rate
• Drawbacks:
– Only known attacks
– Costs for signature management

• Anomaly Detection
• Learn normal profiles from user and system behavior
• Detect anomaly
• Advantage:
– Detect unknown attacks
• Drawbacks:
– Difficulty of profiling
– Profile can be controlled by intruders
– High false positive rate
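The port-scan signature from the misuse detection slides, as an added example (not from the lecture): denied TCP connections are grouped per source address and a source that hits many distinct destination ports within a short window raises one alert. The log line format, the addresses and the three hosts in `sample_log()` are constructed for the demo; the second host shows why the rule counts distinct ports rather than failed connections, so a user mistyping an SSH password five times does not trigger the signature (the "low false positive rate" advantage).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format (an assumption, not any real product's syntax):
#   <ISO timestamp> DENY|ALLOW src=<ip> dst=<ip> dport=<port> proto=<proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, min_ports=10, window=timedelta(seconds=60)):
    """Signature: one source, >= min_ports distinct denied TCP ports inside `window`."""
    events = defaultdict(list)                  # src -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["proto"] == "TCP":
            events[rec["src"]].append((rec["ts"], rec["dport"]))
    alerts = []
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Advance the window start until evs[start..end] fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({port for _, port in evs[start:end + 1]}))
        if best >= min_ports:
            alerts.append({"src": src, "distinct_ports": best})
    return alerts


def sample_log():
    """Constructed log: a scanner, a user retrying SSH, and a slow host spread over hours."""
    base = datetime(2015, 1, 22, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(20, 41)):        # 21 ports in 20 seconds -> scan
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} DENY src=10.0.0.5 "
                     f"dst=192.168.1.10 dport={port} proto=TCP")
    for i in range(5):                              # 5 failures, one port -> not a scan
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} DENY src=10.0.0.7 "
                     f"dst=192.168.1.10 dport=22 proto=TCP")
    for i in range(12):                             # 12 ports but 10 minutes apart
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} DENY src=10.0.0.9 "
                     f"dst=192.168.1.10 dport={8000 + i} proto=TCP")
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    print(detect_port_scans(sample_log()))
```

Lowering `window` or `min_ports` trades the slow third host's evasion against more false positives, which is the signature-management cost the second slide names.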
