Dennis J. Gallagher Auditor
Office of the Auditor
Audit Services Division
City and County of Denver
Network Security Management – Phase 2 Performance Audit
July 2012
The Auditor of the City and County of Denver is independently elected by the citizens of Denver.
He is responsible for examining and evaluating the operations of City agencies for the purpose
of ensuring the proper and efficient use of City resources and providing other audit services and
information to City Council, the Mayor and the public to improve all aspects of Denver’s
government. He also chairs the City’s Audit Committee.
The Audit Committee is chaired by the Auditor and consists of seven members. The Audit
Committee assists the Auditor in his oversight responsibilities of the integrity of the City’s finances
and operations, including the integrity of the City’s financial statements. The Audit Committee is
structured in a manner that ensures the independent oversight of City operations, thereby
enhancing citizen confidence and avoiding any appearance of a conflict of interest.
Audit Committee
Dennis Gallagher, Chair
Timothy O’Brien, Co-Chair
Robert Bishop
Maurice Goodgaine
Jeffrey Hart
Leslie Mitchell
Rudolfo Payan
Audit Staff
Audrey Donovan, Deputy Director, CIA, CRMA
Stephen E. Coury, IT Audit Supervisor, CISA
Roman Bukhtiyar, Senior IT Auditor, CISA
Ketki Dhamanwala, Senior IT Auditor, CIA, CISA
You can obtain copies of this report by contacting us at:
Office of the Auditor
201 West Colfax Avenue, Department 705 Denver CO, 80202
(720) 913-5000 Fax (720) 913-5247
Or download and view an electronic copy by visiting our website at:
www.denvergov.org/auditor
To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services
that provide objective and useful information to improve decision making by management and the people.
We will monitor and report on recommendations and progress towards their implementation.
City and County of Denver 201 West Colfax Avenue, Department 705 Denver, Colorado 80202 720-913-5000
FAX 720-913-5247 www.denvergov.org/auditor
Dennis J. Gallagher
Auditor
July 19, 2012
Mr. Chuck Fredrick, Chief Information Officer
Technology Services
City and County of Denver
Dear Mr. Fredrick:
Attached is the Auditor’s Office Audit Services Division’s report of their audit of Network Security
Management – Phase 2. This report summarizes the second and final phase of our audit of the
City’s data network that is managed by the Technology Services Department. The purpose of
the audit was to determine whether the City’s data network is protected from unauthorized
access and whether controls are effective in protecting network confidentiality, integrity, and
availability.
I am concerned that portions of our data network are vulnerable to attack or abuse that are
neither prevented nor detected. I know that you share my concerns as I understand that you
have already taken corrective actions to eliminate some of the risks we identified, and that you
have plans to address those that require more time to resolve.
A common theme in both phases of our audit is that periodic user security awareness training is
key to helping all our employees know the role they have in protecting the City’s data. Your
challenge to establish an information security governance program will be to ensure that the
controls you have in place continue to operate as intended. So many times we can have the
best of intentions, only to find that a control we thought was working has become obsolete or has
evaporated into the ether. We must remain diligent in ensuring we are always protecting the
City’s information.
On a final note, as you consider the benefits of cloud computing for the City, please see our
short treatise on “Cloud Computing Considerations” in this report. I think you will find it supports a
careful and thoughtful approach to this new era of computing.
If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5000.
Sincerely,
Dennis J. Gallagher
Auditor
DJG/sec
cc: Honorable Michael Hancock, Mayor
Honorable Members of City Council
Members of Audit Committee
Ms. Janice Sinden, Chief of Staff
Ms. Stephanie O’Malley, Deputy Chief of Staff
Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer
Ms. Beth Machann, Controller
Mr. Doug Friednash, City Attorney
Ms. Janna Bergquist, City Council Executive Staff Director
Mr. L. Michael Henry, Staff Director, Board of Ethics
Mr. Ethan Wain, Deputy Chief Information Officer
AUDITOR’S REPORT
We have completed an audit of Network Security Management – Phase 2. This report
summarizes the second and final phase of our audit of the City’s data network that is managed
by the Technology Services Department. The purpose of the audit was to determine whether the
City’s data network is protected from unauthorized access and whether controls are effective in
protecting network confidentiality, integrity, and availability.
This performance audit is authorized pursuant to the City and County of Denver Charter, Article
V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance
with generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.
The findings from the second phase not only reinforce the information security governance issues
identified in the first phase, but further highlight a disturbing concern that key information
security controls are not operating as a result of gaps in Information Technology (IT)
Governance. Specifically, the Technology Services Department is insufficiently staffed, which
places an over-reliance on key personnel; key policies and procedures have not been
developed; and there is a low process maturity environment where critical processes are ad hoc
and disorganized. This condition results in a security environment where portions of the City
network are vulnerable to attack or abuse that are neither prevented nor detected.
The Chief Information Officer has recognized the gravity of the issues identified in both our Phase
1 and Phase 2 audit reports and has already taken actions to eliminate or mitigate some of the
risks identified. Where risk mitigation requires a more strategic solution, the Chief Information
Officer has responded that he will develop appropriate plans to reduce the identified risks.
We extend our appreciation to the Chief Information Officer and his staff who assisted and
cooperated with us during the audit.
Audit Services Division
Kip Memmott, MA, CGAP, CRMA
Director of Audit Services
TABLE OF CONTENTS
EXECUTIVE SUMMARY 1
INTRODUCTION & BACKGROUND 2
Information Technology Governance 2
Process Maturity Model 3
Defense in Depth and Basic Controls 3
SCOPE 5
OBJECTIVE 5
METHODOLOGY 5
FINDING 8
City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity 8
RECOMMENDATIONS 13
OTHER PERTINENT INFORMATION 15
Cloud Computing Considerations 15
APPENDICES 17
Appendix A – Network Security Management – Phase 1 Performance Audit 17
Appendix B – News Story of Email Virus Impacting a Federal Agency 50
AGENCY RESPONSE 52
Page 1
Office of the Auditor
EXECUTIVE SUMMARY
This report summarizes the second and final phase of our audit of the City and County of
Denver’s network security.1 The findings from the second phase not only reinforce the
information security governance issues identified in the first phase, but further highlight a
disturbing concern that key information security controls are not operating as a result of
gaps in Information Technology (IT) Governance. Specifically, the Technology Services
Department is insufficiently staffed, which places an over-reliance on key personnel; key
policies and procedures have not been developed; and there is a low process maturity
environment where critical processes are ad hoc and disorganized.2 This condition results
in a security environment where portions of the City network are vulnerable to attack or
abuse that are neither prevented nor detected. This indicates that information
technology (IT) governance needs to be strengthened not only in the risk management
domain, but also in the resource management domain.3 Examples of specific
weaknesses include the following:
• Six of ten essential information security duties are not being performed
• Antivirus controls are not always effective in preventing malware from entering the email system or from being saved and backed up on network storage
• Key information security policies are missing or outdated
• Network admission controls do not detect unauthorized devices
• The general public has inappropriate access to portions of the City’s internal data network
On a positive note, the audit identified areas where controls have been implemented
and are especially strong. Specifically, change control over firewalls and routers are
automated and at a high process maturity. Additionally, authentication controls over
administrative access to both firewalls and routers are strong.
Lastly, Technology Services still needs to significantly develop and increase the maturity of
its information security posture before it implements a cloud computing delivery strategy.
Our thoughts on the City’s preparedness for cloud computing can be found in “Other
Pertinent Information – Cloud Computing Considerations.”
1 The audit scope is limited to the portions of the network specifically managed by the Technology Services Department. Refer to the Introduction & Background of the Phase 1 report contained in Appendix A, “Network Security Management – Phase 1 Performance Audit,” for additional details.
2 Please see the Introduction & Background section of this report for more information on the Process Maturity Model.
3 Please see the Introduction & Background section of this report for more information on IT governance domains.
INTRODUCTION & BACKGROUND
Information Technology Governance
The overall governance of the City includes several disciplines of which Information
Technology (IT) is a significant part. Accordingly, the governance of IT is not the sole
responsibility of one agency, but rather a collaborative effort between the City’s top
leadership, i.e., the Mayor and City Council, working closely with the leadership of the IT
organization.
The Technology Services Department is responsible for managing IT risks and determining
which resources are necessary to mitigate those risks. However, the City’s top leadership
has ultimate authority over IT resources. Accordingly, when City leadership is faced with
financial challenges, budget decisions should include consideration of the IT risk impact
that may result from those choices. A role of the Chief Information Officer (CIO) as the IT
leader is to advise the Mayor and City Council on the IT risks threatening the City’s
network so that management may make informed decisions regarding risks and the
resources to mitigate those risks.
When presented with IT risks, City leadership has the option to either mitigate those risks
by implementing controls, transferring risks, such as through insurance, or accepting risks
through formal acknowledgement. If there are significant IT risks that the City cannot
mitigate or transfer, the acceptance of that risk must come from an appropriate level of
authority – the City’s top leadership – and be disclosed to stakeholders and citizens.
IT Governance Domains
IT governance consists of the five major
domains of strategic alignment, value delivery,
risk management, resource management, and
performance measurement.4 Two areas of
concern in this audit are risk management and
resource management.
Risk Management – The risk management
domain addresses the safeguarding of IT assets
and disaster recovery. Risk management also
includes regular self-testing to ensure
established controls are operating as intended
and continuous assessment of emerging risks in
light of an ever changing threat landscape.
4 Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, http://www.itgi.org
Process maturity scale (figure):
• 0 – Nonexistent: management processes are not applied at all
• 1 – Initial: processes are ad hoc and disorganized
• 2 – Repeatable: processes follow a regular pattern
• 3 – Defined: processes are documented and communicated
• 4 – Managed: processes are monitored and measured
• 5 – Optimized: best practices are followed and automated
Risk management concerns are raised in both phases of this audit. The phase one report
is included in Appendix A.
Resource Management – The resource management domain addresses optimizing IT
knowledge and infrastructure, in particular people, technology tools, and the
management of outsourced services. It is the resource management domain that
promotes workforce planning for adequate staffing and training in order to retain skilled
IT staff. Resource management also includes aligning the IT budget to support business
operations. Resource management concerns are raised in this second phase of the
audit.
Process Maturity Model
The degree to which an organization can effectively manage its IT risk depends largely
on the maturity of its IT governance system. The maturity level can be determined by
evaluating the organization’s key information security policies, standards, and
procedures against an industry standard IT governance maturity model, or process
maturity model. As illustrated in the process maturity scale figure above, the model
establishes a method to rank a process along a six-point scale ranging from
“0 – Nonexistent” to “5 – Optimized.”
Information security controls need to be repeatedly verified over time to ensure they are
continuing to operate as intended. Constantly monitoring the effectiveness of controls,
such as through a manual or automated compliance program, is considered to be at
maturity level 4. Processes that are automated and include an aspect of continuous
improvement are at maturity level 5.
Defense in Depth and Basic Controls
Best practices promote the concept of “defense in depth”
or “security in layers.” Specifically, IT security programs
should protect information through the use of multiple
layers including physical, policy, and technical controls.
Physical controls primarily protect access to computing
equipment. Policy controls include all aspects of security,
such as review of logs, compliance programs, and
employee security awareness training. Technical controls are
mostly automated and include firewalls, intrusion prevention
appliances, and antivirus software. The technical controls should not be overly reliant on
limited defenses or overly dependent on a single person to review security alerts.
Physical Controls
Physical controls include the protection of physical access to facilities, the protection of
network equipment within those facilities, and environmental (temperature and
humidity) controls. As with all controls, physical controls must be regularly tested to ensure
they are operating as intended.
Policy Controls
Information security policies are the basis for defining management’s commitment and
the organization’s approach to managing information security. Information security
policies must be reviewed periodically as the rapid change in technology could render a
policy inadequate to control the risk it was intended to prevent. Consider password
length and complexity as a policy that has evolved over the years. Ten years ago, a four-
digit password would have been considered adequate, but by today’s standards a four-
digit password would be considered weak and one that could be easily compromised. It
is common today to see password requirements of eight characters with the inclusion of
capital letters, numbers, special characters, expiring every ninety days or so, and users
reminded not to use easily guessed mnemonics, family or pet names, dates, or the
names of sports teams or their mascots.
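The password requirements the report describes (eight characters, capital letters, numbers, special characters, roughly ninety-day expiry, and no easily guessed names or dates) translate directly into a policy check. The following is an added example written for this edit, not a City policy or any Technology Services tool: the blocklist words, the year-pattern heuristic and the sample passwords are constructed assumptions standing in for an organisation's own list of family, pet and team names. One caveat a practitioner would add today: the forced expiry the report treats as common practice is no longer recommended by NIST SP 800-63B (2017), which favours screening against breached-password lists instead, so the expiry check is kept here only to mirror the policy the report describes.

```python
import re
from datetime import date, timedelta

# Policy values taken from the report's description of common requirements.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90

# Constructed blocklist standing in for "family or pet names, sports teams or mascots".
# A real deployment loads an organisation-specific list (hypothetical sample values).
BLOCKLIST = ("password", "denver", "broncos", "rockies", "nuggets", "avalanche", "fido")


def password_findings(password, last_changed=None, today=None):
    """Return the list of policy violations for a password; an empty list means it passes.

    last_changed/today are date objects used for the ninety-day expiry check.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        findings.append("no capital letter")
    if not re.search(r"[0-9]", password):
        findings.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    if password.isdigit():
        findings.append("numeric only, looks like a PIN or a date")
    # Four-digit years (1900-2099) are the easiest guessable date fragment to catch.
    if re.search(r"(?:19|20)\d{2}", password):
        findings.append("contains a year")
    lowered = password.lower()
    for word in BLOCKLIST:
        if word in lowered:
            findings.append("contains blocklisted word '%s'" % word)
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=MAX_AGE_DAYS):
            findings.append("older than %d days" % MAX_AGE_DAYS)
    return findings


def is_compliant(password, last_changed=None, today=None):
    """True when no finding is raised against the password."""
    return not password_findings(password, last_changed, today)


if __name__ == "__main__":
    # Constructed sample candidates: the report's four-digit example, a team name
    # plus year, and one that satisfies every rule.
    for candidate in ("1234", "Broncos2012!", "Tr!cky-Lamp-47"):
        print(candidate, "->", password_findings(candidate) or "OK")
```

Returning the full list of findings rather than a single pass/fail is deliberate: a user (or an audit of an existing password store) learns every rule that was missed, which is what a compliance program at maturity level 4 would report on.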
Technical Controls
Technical controls include some of the basic controls that most users are familiar with,
such as antivirus software or system patching. Often these controls are automated and
are assumed to be working properly. An important study of system intrusions and data
breaches, the “2012 Data Breach Investigations Report,” highlights that 97 percent of
data breaches were avoidable through simple or intermediate controls.5 The report also
points out that the largest threat actions came from hacking and malware.6 Hackers
strive to get the most reward or benefit from the least amount of work or investment. The
data show that an attacker will try the simplest techniques to break into a system before
engaging more sophisticated techniques. This emphasizes the need for organizations to
remain vigilant in providing basic controls, such as end user information security
awareness training, antivirus software, network segmentation, and password protocols
and to engage in continuous monitoring to ensure that basic controls are operating as
intended.
5 The 2012 Data Breach Investigations Report was prepared by the Verizon RISK team with cooperation from the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police. The report spans eight years and the breach database includes well over 2,000 breaches and information on greater than one billion compromised records. http://www.verizonbusiness.com/Resources/Search
6 In this report we will use the term “malware” to refer to computer software that is designed with malicious intent, such as computer viruses, Trojans, and spyware, which are intended to cause harm, disruption, or provide surreptitious access to computer resources and data.
Antivirus controls are especially important, since malware is one of the main “attack
vectors” or ways that systems are compromised. Earlier this year, the Washington Post
(and other print and online sources) featured a story about a federal agency that was
the victim of a computer virus outbreak that arrived via email. The malware posed a high
enough threat that the agency disconnected its computers from the network to prevent
the malware from spreading to other agencies.7 We contacted the affected agency
directly to vet the accuracy of the news story. Although the agency has not issued its own
public account of the incident, it did confirm the occurrence and that the incident was still
under investigation.
SCOPE
This report summarizes the second and final phase of our audit of the segments of the
City and County of Denver’s Metropolitan Area Network that are managed by
Technology Services, which excludes the portions of the network that are managed by
other agencies, such as the Denver International Airport, Denver District Attorney’s
Office, and Denver County Courts.
In accordance with Generally Accepted Government Auditing Standards (GAGAS) the
reader should be aware that some details about information security weaknesses are
considered sensitive security information and are not disclosed within this report.
The details of all findings, however, have been presented to the City’s Chief Information
Officer. As part of our regular follow-up for audit issues, we will return at a future date to
ensure that all findings have been addressed.
OBJECTIVE
The purpose of the audit was to determine whether the City’s data network is protected
from unauthorized access and whether controls are effective in protecting network
confidentiality, integrity, and availability.
METHODOLOGY
We utilized several methodologies to achieve the audit objective. Our evidence gathering techniques included, but were not limited to, the following:
• Examining existing information security policies, procedures, and standards
• Consulting best practices standards for information security policies and procedures from sources such as the International Organization for Standardization publication “Information technology – Security techniques – Code of practice for information security management” (ISO 27002:2005), the National Institute of Standards and Technology special publication “Recommended Security Controls for Federal Information Systems and Organizations” (NIST SP800-53), the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures Version 2.0 (PCI DSS), and as a point of local reference, the security policies of the State of Colorado Governor’s Office of Information Technology (OIT)
• Consulting best practices for routing device configurations from organizations such as the Center for Internet Security (CIS), NIST, the National Security Agency (NSA), and an equipment manufacturer (Cisco)
• Consulting authoritative reports on data breaches such as Verizon’s “2012 Data Breach Investigations Report”
• Conducting interviews with Technology Services personnel to clarify our understanding of its network security processes
• Reviewing Technology Services organization charts and job descriptions to determine whether an information security management structure has been established
• Examining vulnerabilities associated with opportunistic cyber attacks, as well as those for advanced persistent threats (APT)
• Performing testing of the antivirus controls to determine whether the antivirus tool is effective in protecting the network against malware
• Examining the vulnerabilities associated with generic user IDs having e-mail accounts and the use of web-based email
• Verifying the status of issues noted in the City’s PCI self-assessment questionnaire and attestation of compliance to determine remediation progress
• Examining vulnerability scans to determine whether non-PCI portions of the network are susceptible to cyber threats
• Performing tests to determine whether technical controls are in place to enforce the City’s remote access policy
• Reviewing the effectiveness of incident management policies and procedures
• Evaluating the effectiveness of the use of security information and event management (SIEM) software, particularly the Cisco Security Monitoring, Analysis and Response System (MARS) product
• Determining whether a strategy exists to replace MARS as the City’s SIEM in light of the product’s end-of-life announcement by the vendor
• Interviewing Technology Services management to verify whether essential information security duties are being performed
• Reviewing training records of key information security personnel to determine whether training is current
• Performing a physical security walkthrough of the data center to verify whether physical security, equipment protection, and environmental controls are adequate for critical firewalls and routers
• Reviewing network architecture diagrams to identify critical firewalls and routers
• Performing tests of critical firewall and router security settings with the Titania Nipper configuration analysis tool
• Testing change management and configuration backup controls for critical firewalls and routers using the Solarwinds Orion and Network Configuration Manager (Cirrus-NCM) tools
• Evaluating the password configuration settings for the City’s Authentication, Authorization, and Accounting (AAA) protocol implemented through the Cisco Terminal Access Controller Access Control System Plus (TACACS+) server
• Verifying the list of users who have administrative access to firewalls and routers
• Evaluating staff competency to operate network software tools and explain network configuration settings
• Consulting best practices for cloud computing from organizations including the Cloud Security Alliance (CSA) and NIST
7 Please see Appendix B, “News Story of Email Virus Impacting a Federal Agency,” to view the article.
FINDING
City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity
The results of our work from the second and final phase of this audit not only reinforce the
information security governance issues identified in the first phase, but further highlight a
disturbing concern that key information security controls are not operating as a result of
gaps in Information Technology (IT) Governance. Specifically, the Technology Services
Department is insufficiently staffed, which places an over-reliance on key personnel; key
policies and procedures have not been developed; and there is a low process maturity
environment where critical processes are ad hoc and disorganized. This condition results
in a security environment where portions of the City network are vulnerable to attack or
abuse that are neither prevented nor detected. This indicates that information
technology (IT) governance needs to be strengthened not only in the risk management
domain, but also in the resource management domain. Examples of specific weaknesses
follow.
Six of ten essential information security duties are not being performed
We identified ten essential information security duties that were being performed by
personnel in Technology Services in order to ensure the proper functioning of security
controls. Although subject matter experts should develop and document key information
duties, those duties should be performed by operations staff or automated. Contrary to
best practice, six of the ten essential information security controls were being performed
by subject matter experts and their procedures were not documented or otherwise
operationalized. As a result, these six controls ceased operating and some have not
been performed for over eight to twelve months when the personnel performing them
left the City workforce or were reassigned to different projects. For security reasons we
have not listed the essential duties that are no longer being performed.
This condition illustrates the importance of resource management in the governance of
information technology. The CIO should ensure that adequate qualified staffing exists to
perform essential security tasks. Critical security tasks should be documented and
transferred to network operations personnel to ensure that essential information security
controls continue to operate in the event of staff turnover. In the event that employment
market conditions significantly challenge the ability to maintain staffing, the CIO should
consider outsourcing network security monitoring to ensure continuous monitoring of
network security controls.
Antivirus controls are not always effective in preventing malware from
entering the email system or from being saved and backed up on network
storage
To test the City’s antivirus controls we attempted to introduce, after informing IT
management about the test, a pseudo-malware file into the City network, both through
email and through a file transfer. The pseudo-malware file was not detected through
either delivery method by the City’s antivirus software, which should have triggered an
alert if the file had been properly detected.8 In the absence of proper detection controls
or an alert, we were able to place the file on the City’s network. Additionally, the file was
successfully backed up and subsequently restored from network backups without
prevention or detection of the pseudo-malware.
The outcome of our test illustrates an initial and subsequent risk to the City’s network. Not
only can a potential attacker store malware undetected on the City’s network, but the
malware can be backed up and enabled for future use. If the malware were used in an
attack on the City network and the initial attack was detected and stopped, the
attacker may be able to subsequently restore the malware tools stored during backup
and attempt the attack again.
We concluded that we were able to upload the pseudo-malware file due to the way the
antivirus software was configured. We also identified several control points where the
pseudo-malware could have been stopped, had the antivirus strategy been properly
integrated between various system services, including backup and restore.
We attempted the same test using a common email system available to the public
(Gmail). However, we were unsuccessful since Gmail would not allow us to upload the
pseudo-malware file. The City email system, on the other hand, not only allowed the
upload of the pseudo-malware file, but allowed us to email it from one account to
another account, save it on the network, have it backed up, and restore it on demand.
We were also able to store the pseudo-malware file through a common type of file
transfer used by City employees when working outside of the City network and
connecting through a secure connection. This test not only demonstrated the same
antivirus weakness as our City email system test, but it also highlighted the fact that the
City’s IT security policy is antiquated and relies on employees to abide by rules that are
not enforced through technical controls. Specifically, the policy requires employees to
sign a statement when they are hired that they will keep their personal computers free
from malware before remotely connecting to the City network. Employees are not
reminded of this agreement after they are hired. In the event that employees neglect to
keep their home systems protected or choose not to pay for antivirus software,
connecting remotely to the City’s network from these computers poses a risk to the City.
8 The pseudo-malware file we utilized was an industry standard file that is used to test antivirus software. This file is commonly
referred to as an EICAR file and is published by the European Institute for Computer Antivirus Research (EICAR). The file contains a special string of characters that all antivirus software will identify and raise an alert when scanned. The file is safe, as it does not contain any malicious code. It is a file used to assure system owners that their antivirus software is active. If one is able to pass the file through systems, it is an indication that the antivirus software is not running or is configured incorrectly.
Should these home systems become compromised, they can serve as a conduit for
malware to be introduced to the network. Technology currently exists (commonly called
endpoint posture checking or host checking, performed by the remote-access gateway or by
a network admission control system) to interrogate remote systems and determine whether
they meet minimum requirements, such as running, up-to-date antivirus software, before
allowing them to connect to the network. This type of technical control may prove more
effective at preventing the introduction of malware onto the network than relying on
employees to abide by the agreement they signed at the time of employment.
Technology Services should revise the antivirus configurations to prevent the introduction
of malware into the City network. The overall deployment of antivirus should be reviewed
to prevent and detect the introduction of malware through the City’s email system, and
during storage, backup and restore of data files. Technology Services should also adopt
technical controls to interrogate remote systems to determine if they are safe before
allowing them to connect to the network.
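As an added example (not the City's configuration and not any product's interface), the admission decision such a control makes can be written as a policy evaluated over a posture report collected from the remote computer before the connection is permitted. The report fields, the thresholds and the allow / quarantine / deny outcome are assumptions made for the example, and the sample reports are constructed.

```python
"""Added example for this page: an admission decision for a remote
(home) computer, evaluated from the posture report a remote-access
gateway collects before the tunnel may reach the internal network.
Illustrative only; fields, thresholds and verdict names are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

MAX_SIGNATURE_AGE_DAYS = 7   # assumed threshold
MAX_PATCH_AGE_DAYS = 30      # assumed threshold


@dataclass
class PostureReport:
    """What a host-check agent on the remote computer reports back.
    Self-reported posture is only as trustworthy as the agent that
    produced it; production deployments pair this with an authenticated
    agent or device attestation."""
    hostname: str
    av_installed: bool
    av_realtime_enabled: bool
    av_signature_date: Optional[date]
    last_patch_date: Optional[date]
    firewall_enabled: bool


def evaluate(report: PostureReport, today: date) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    deny       - a hard control is absent; the host may not connect
    quarantine - the host is protected but stale; allow only a remediation
                 network (update servers) until it is current
    allow      - full access
    """
    hard: List[str] = []
    soft: List[str] = []
    if not report.av_installed:
        hard.append("no antivirus installed")
    elif not report.av_realtime_enabled:
        hard.append("antivirus installed but real-time protection off")
    else:
        if report.av_signature_date is None:
            soft.append("antivirus signature date unknown")
        elif (today - report.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
            soft.append(f"antivirus signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    if not report.firewall_enabled:
        hard.append("host firewall disabled")
    if report.last_patch_date is None or (today - report.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        soft.append(f"operating system patches older than {MAX_PATCH_AGE_DAYS} days")
    if hard:
        return "deny", hard
    if soft:
        return "quarantine", soft
    return "allow", []


def decide_samples() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate four constructed posture reports against a fixed date."""
    today = date(2012, 7, 16)  # fixed so the results are reproducible
    reports = [
        # current antivirus, recent patches, firewall on
        PostureReport("home-pc-1", True, True, date(2012, 7, 14), date(2012, 7, 1), True),
        # antivirus running but signatures six weeks old
        PostureReport("home-pc-2", True, True, date(2012, 6, 1), date(2012, 7, 10), True),
        # no antivirus at all (the case the signed agreement relies on)
        PostureReport("home-pc-3", False, False, None, None, True),
        # antivirus installed but switched off, firewall off
        PostureReport("home-pc-4", True, False, date(2012, 7, 15), date(2012, 7, 15), False),
    ]
    return {r.hostname: evaluate(r, today) for r in reports}


if __name__ == "__main__":
    for host, (decision, reasons) in decide_samples().items():
        print(host, decision, "; ".join(reasons))
```

The quarantine tier is the part that makes such a control workable in practice: a protected but stale machine is steered to update servers rather than refused outright, so employees are not pushed to disable the check.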
Key information security policies are missing or outdated
As a means to evaluate the maturity of the City's information security policies, we
identified twelve key information security policies that are considered best practices and
are accepted standards in the IT industry. The sources of the policies include the
International Organization for Standardization publication "Information technology –
Security techniques – Code of practice for information security management" (ISO
27002:2005), the National Institute of Standards and Technology special publication
"Recommended Security Controls for Federal Information Systems and Organizations"
(NIST SP 800-53), the Payment Card Industry Data Security Standard (PCI DSS), and the
State of Colorado Governor's Office of Information Technology security policies, which
we used as a point of local reference.
Of the twelve critical information security policies reviewed, eight were not incorporated
into the City's overall security policy strategy. Although the City has defined twenty-one
information security policies, fourteen of those have not been updated for more than
two years. Table 1, "Information Security Policy Analysis," shows which of the twelve
critical policies have been adopted by the City and which have not. Of those that have
been adopted, the table shows when the policy was defined and how well it was
reviewed or kept current over the past ten years. For security reasons, the names of the
policies are not included in the chart. However, some of the policies included in the list of
twelve address areas such as risk assessment, security training and awareness, disaster
recovery, physical security, acceptable use, wireless access, mobile computing and
teleworking, social media, and incident response.
Page 11
Office of the Auditor
Table 1 - Information Security Policy Analysis
[Chart not reproduced in this extraction. Columns: Priority (1 through 12), followed by one column for each year 2002 through 2012. Rows: the twelve critical policies, one per priority. Legend: Policy is defined or updated; Policy has not been updated; Policy is missing; Policy not required.]
The priority column noted in Table 1 indicates the relative importance of the policy
according to best practices. For items 3 and 8 in the table, two rows are shown for each,
indicating that there were two defined policies addressing a similar topic. The City does
not have eight of twelve critical information security policies in place to protect the
network from malicious attack. Of the four policies that are in place, three have not
been regularly evaluated or updated. This analysis supports the conclusions reached in
the first phase of this audit where we identified the need for an information security
governance program that includes the development of information security policies.
Network admission controls do not detect unauthorized devices
The City does not have technical controls or policies in place to prevent the connection
of unauthorized wireless routers to the City's internal network. We found a City agency
that stores sensitive personal information as part of its daily operations. In order to better
protect that information, the agency has a portion of its network segmented away from
the City's internal network, creating a private network that can only be accessed by
computers located physically within the agency. However, to meet one of its business
needs, the agency from time to time uses two consumer / home grade wireless routers,
connecting one to its private network and the other to the City's internal network. The
agency has configured the routers much as a consumer / home wireless network would
be set up: each router broadcasts its network name, making it conveniently detectable by
anyone with a mobile device such as a smart phone. These consumer / home grade
routers also grant a connection to any device whose user has correctly entered the
shared password; no individual user ID is required, so access cannot be attributed to a
person, and cannot be revoked for one person without changing the password for everyone.
In contrast, wireless access points supported by Technology Services employ rigorous
security configurations that limit access to pre-authorized users who authenticate
individually, use strong session encryption, and do not broadcast their network name, to
avoid advertising the wireless network's presence to the general public. (Suppressing
the name is a minor obscurity measure, since the network can still be found by
monitoring wireless traffic; the individual authentication and the encryption are the
controls that matter.)
Connecting consumer / home grade equipment to the City's network weakens the
defense-in-depth controls: the wireless routers rebroadcast the contents of both the
agency's private network and the City's internal network, making both networks
accessible outside of the intended physical access areas.
Technology Services should adopt technical controls, such as network admission control
(NAC, also referred to as network access control), which can detect and prevent the
connection of unauthorized wireless routers and other devices to the network. Further,
policies prohibiting the attachment of unauthorized devices should be developed and
communicated through periodic user security awareness training to educate agencies
and users regarding the risks of attaching devices such as wireless routers to the network.
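Until network admission control is in place, the conditions described above (devices that are not in the inventory, several hosts behind a single access port, and traffic that has already crossed a routing hop) can be detected from what the access switches already see. The following is an added example written for this page, not the City's tooling and not a NAC product. The log format, MAC addresses, IP addresses and the authorised-device inventory are constructed. The TTL rule assumes the observations are taken on the access segment, where a directly attached host shows its operating system's initial TTL (64, 128 or 255); a packet arriving one below those values has passed through a router, which on an access port means a NAT device such as a home wireless router.

```python
"""Added example for this page: spotting a consumer wireless router on
the wired network from access-switch observations, as a stop-gap until
network admission control is deployed. Illustrative only; the log
format, addresses and inventory are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one line per (port, source MAC, source IP, IP TTL)
# as a sensor on the access segment might record it.
SAMPLE_LOG = """\
port=Gi1/0/3 mac=00:1a:2b:3c:4d:01 ip=10.20.30.11 ttl=128
port=Gi1/0/4 mac=00:1a:2b:3c:4d:02 ip=10.20.30.12 ttl=64
port=Gi1/0/7 mac=c8:3a:35:00:00:aa ip=10.20.30.41 ttl=127
port=Gi1/0/7 mac=c8:3a:35:00:00:aa ip=10.20.30.41 ttl=63
port=Gi1/0/9 mac=00:1a:2b:3c:4d:05 ip=10.20.30.15 ttl=128
port=Gi1/0/9 mac=a4:5e:60:11:22:33 ip=10.20.30.77 ttl=128
port=Gi1/0/9 mac=a4:5e:60:44:55:66 ip=10.20.30.78 ttl=255
"""

# Constructed inventory of devices the network team has authorised.
AUTHORISED_MACS = {
    "00:1a:2b:3c:4d:01",
    "00:1a:2b:3c:4d:02",
    "00:1a:2b:3c:4d:05",
}

# Initial TTLs used by common operating systems. A value exactly one
# below these, seen on an access port, means a routing hop (NAT).
INITIAL_TTLS = (64, 128, 255)
# An access port normally carries one workstation; a phone-plus-PC port
# legitimately shows two, so the threshold is a parameter.
MAX_MACS_PER_ACCESS_PORT = 1

_LINE = re.compile(r"port=(\S+) mac=([0-9a-f:]{17}) ip=(\S+) ttl=(\d+)")


def parse(log: str) -> List[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    out = []
    for line in log.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append({"port": m.group(1), "mac": m.group(2).lower(),
                        "ip": m.group(3), "ttl": int(m.group(4))})
    return out


def find_rogues(log: str, authorised=AUTHORISED_MACS,
                max_macs: int = MAX_MACS_PER_ACCESS_PORT) -> Dict[str, List[str]]:
    """Return {port: [finding, ...]} for every port with something to report."""
    findings: Dict[str, List[str]] = defaultdict(list)
    macs_on_port: Dict[str, set] = defaultdict(set)
    ttls_by_host: Dict[tuple, set] = defaultdict(set)
    reported = set()  # de-duplicates per-(port, mac) findings
    for rec in parse(log):
        port, mac, ip, ttl = rec["port"], rec["mac"], rec["ip"], rec["ttl"]
        macs_on_port[port].add(mac)
        ttls_by_host[(port, mac, ip)].add(ttl)
        if mac not in authorised and ("unknown", port, mac) not in reported:
            reported.add(("unknown", port, mac))
            findings[port].append(f"unknown device {mac} (not in inventory)")
        if ttl + 1 in INITIAL_TTLS and ("nat", port, mac) not in reported:
            reported.add(("nat", port, mac))
            findings[port].append(f"{mac} sends ttl={ttl}, one below an initial value: "
                                  "traffic is routed through a NAT device")
    # One address showing two different initial TTLs means two operating
    # systems share it: several hosts behind one NAT address.
    for (port, mac, ip), ttls in ttls_by_host.items():
        if len(ttls) > 1:
            findings[port].append(f"{ip} seen with TTLs {sorted(ttls)}: "
                                  "several operating systems share one address")
    # Many MACs on one access port: a bridge, hub or access point is attached.
    for port, macs in macs_on_port.items():
        if len(macs) > max_macs:
            findings[port].append(f"{len(macs)} MAC addresses on one access port: "
                                  "bridge, hub or wireless access point")
    return dict(findings)


if __name__ == "__main__":
    for port, notes in sorted(find_rogues(SAMPLE_LOG).items()):
        for note in notes:
            print(port, note)
```

A consumer router in NAT mode hides everything behind one MAC and one address, which the TTL rule and the mixed-TTL rule catch; in bridge mode the router's wireless clients appear directly on the port, which the MAC-count rule catches. Neither substitutes for NAC: these rules detect an attachment after it has happened, whereas admission control based on per-device authentication (802.1X) refuses it in the first place.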
The general public has inappropriate access to portions of the City’s
internal data network
During the first phase of this audit, we performed site visits to various City facilities and
tested for both wireless networks and computer connections that the general public
could use to access the City’s internal network. The connections we found could be
used by an outsider to launch a cyber attack against the City’s network from inside the
network without having to contend with the defenses the City has in place to protect the
network from an attack originating from the outside. For security reasons, we
communicated those locations confidentially to Technology Services management and
did not list them in the audit report.
In the second phase of this audit, we further examined whether there were any technical
controls that Technology Services had available that could be used to mitigate the risk of
inappropriate access by the general public through those previously identified
connections. We found that Technology Services currently has the technical controls
available to prevent those publicly accessible areas from accessing the City’s internal
data network. Access to the City’s internal network should be limited to authorized
persons in order to prevent a cyber attack from within the City network by outsiders.
We recommended in the first phase of our audit that an information security governance
program be put into place that would include the assessment of risks associated with
various technology deployments, such as granting the public access to computers
connected to the City network. Since this second phase of the audit further highlights the
risk that these computers and connections could be used to launch a cyber attack from
within the City network, Technology Services should move expeditiously to segregate
publicly accessible computers and connections from the City's internal network.
Strong controls found for firewall and router change control and
administrative access
On a positive note, the audit identified areas where controls have been implemented
and are especially strong. Specifically, change control over firewalls and routers is
automated and at a high level of process maturity. Further, authentication controls over
administrative access to both firewalls and routers are strong.
RECOMMENDATIONS
Throughout the course of this audit we were continually reminded of the underlying
cause for the lack of effective information security controls that serve to prevent or
detect an attack or abuse of system vulnerabilities. At the conclusion of the first phase of
this audit we recommended that the City’s Chief Information Officer (CIO) establish an
information security governance program. This will also aid in addressing the concerns
noted in this final phase of the audit over missing and outdated information security
policies. Additionally, at the conclusion of the first phase of this audit we recommended
that the CIO ensure the information security governance program has the full support for
authority and funding from the Mayor and City Council. Both of these recommendations
were agreed to with an expected implementation date of October 15, 2012.
As part of our follow-up process we will be addressing the recommendations provided in
the first phase of this audit along with the following recommendations offered by the
Auditor’s Office to improve IT governance and process maturity.
1.1 The Chief Information Officer should strengthen the resource management
governance domain within the Technology Services Department to ensure that
adequate qualified staffing exists to perform essential security tasks. Critical
security tasks should be documented and transferred to network operations
personnel to ensure that essential information security controls continue to
operate in the event of staff turnover. In the event that employment market
conditions significantly challenge the ability to maintain staffing, the CIO should
consider outsourcing network security monitoring to ensure continuous monitoring
of network security controls.
1.2 Technology Services should revise the antivirus configurations to prevent the
introduction of malware into the City network. The overall deployment of antivirus
should be reviewed to prevent and detect the introduction of malware through
the City’s email system, and during storage, backup and restore of data files.
1.3 Technology Services should adopt technical controls to interrogate remote systems
to determine if they are safe before allowing them to connect to the network.
1.4 The Technology Services Department should adopt network admission control
technologies in order to detect and prevent the attachment of unauthorized
wireless routers to the City’s network.
1.5 The Technology Services Department should communicate necessary information
regarding security policies to end users through periodic user security awareness
training to educate agencies and users about their role in protecting the City’s
network, including the risks of attaching devices such as wireless routers to the
network.
1.6 The Technology Services Department should move expeditiously to segregate
publicly accessible computers and connections from the City’s internal network.
OTHER PERTINENT INFORMATION
Cloud Computing Considerations
One of the latest trends in modern computing is the adoption of vendor-provided service
technologies collectively referred to as cloud computing.9 The Technology Services
Department has adopted a “cloud first” long term strategy and is in the early stages of
evaluating cloud services for City technology needs. However, Technology Services
needs to significantly enhance its cloud services selection criteria for information security
as cloud services pose their own types of security concerns.
The growing interest in cloud computing can be attributed to the potential for financial
economies of scale making cloud-based solutions more affordable than traditional
computing models. Other reasons for interest in cloud computing come from the
capability to utilize new hardware or software functionality that would be too
cumbersome or expensive to develop with existing personnel and equipment.
Cloud computing essentially entails renting an outside vendor's software and computers.
For example, in a "software as a service" model, a vendor provides access to its software
over the Internet on a subscription-type fee schedule. With a subscription to the service,
the customer gains quick access to software that can provide enhanced capabilities
without having to buy new servers, hire new staff, or install software. In exchange for
these benefits, the customer gives up storing data on premises and maintaining the
servers on which the data is stored, and no longer controls where the data and servers
are located or how they are maintained.
Sometimes the loss of control over the computing environment can pose information
security risks. For example, in the non-cloud environment, the customer may know that
only authorized individuals have access to their data center. In a cloud environment, the
customer may not have the right to know who has data center access, leaving the
customer to trust that the service provider has strong security practices. By contrast,
customers that currently have poor or weak information security practices may be able
to significantly improve their security posture by utilizing a cloud service provider with
strong security practices. As a result, customers must carefully evaluate their security
requirements to ensure their security needs can be met by the cloud service provider.
Customers should ensure their service agreements allow them the right to audit or
otherwise verify that the service provider is indeed providing the security controls it claims
to have in place.
Cloud computing is at its early stages of development and is becoming more
competitive as more service providers enter the market. It is possible the customer may
wish to switch providers in the future as new capabilities become available or more
affordable. An aspect that must be considered before entering into a cloud computing
agreement is how the customer's data will be backed up and returned to the customer
should they terminate their service. Of similar importance, the agreement must specify
that the provider will destroy, and certify the destruction of, the customer's data that it
stored during the service period once the services are terminated. Situations could arise
where the customer loses all of its previously stored data because provisions for data
handling at the termination of service were not considered in advance.
9 This discussion is intended as a high level summary of cloud computing. Please refer to "Cloud Computing Synopsis and
Recommendations" (Special Publication 800-146), published by the National Institute of Standards and Technology (NIST), for an explanation of cloud computing concepts, including security risks. http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
City agencies use a request for proposal (RFP) process when seeking vendors to provide
or bid on system solutions. The system requirements are specified in an RFP and vendors
can competitively bid on providing their solutions. The bids are scored and the vendor
best meeting all the criteria is selected.
To help City agencies evaluate their security requirements, one of the first steps
Technology Services took was to augment the RFP process to include criteria for
evaluating cloud-based solutions. Our review of the initial cloud computing criteria for
RFPs indicates that the information security criteria are rudimentary and do not
sufficiently address basic information security concerns for cloud computing. The RFP
criteria for cloud computing could be significantly enhanced by incorporating security
considerations from the NIST guide "Cloud Computing Synopsis and Recommendations"
and the "Security Guidance for Critical Areas of Focus in Cloud Computing" developed
by the Cloud Security Alliance.10,11
Responsibility and accountability for information security never transfers to a cloud
service provider or to any third party, for that matter; it always remains with the City. As a
result, decisions to adopt cloud computing solutions must carefully consider the
information security impact alongside other business considerations.
10 Ibid.
11 The Cloud Security Alliance is a member-driven organization chartered with promoting the use of best practices for providing security assurance within cloud computing and with providing education on the uses of cloud computing. https://cloudsecurityalliance.org/
APPENDICES
Appendix A – Network Security Management – Phase 1 Performance Audit
Appendix B – News Story of Email Virus Impacting a Federal Agency
AGENCY RESPONSE