
Dennis J. Gallagher Auditor

Office of the Auditor

Audit Services Division

City and County of Denver

Network Security Management–Phase 2 Performance Audit

July 2012


The Auditor of the City and County of Denver is independently elected by the citizens of Denver.

He is responsible for examining and evaluating the operations of City agencies for the purpose

of ensuring the proper and efficient use of City resources and providing other audit services and

information to City Council, the Mayor and the public to improve all aspects of Denver’s

government. He also chairs the City’s Audit Committee.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit

Committee assists the Auditor in his oversight responsibilities of the integrity of the City’s finances

and operations, including the integrity of the City’s financial statements. The Audit Committee is

structured in a manner that ensures the independent oversight of City operations, thereby

enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee

Dennis Gallagher, Chair
Timothy O’Brien, Co-Chair
Robert Bishop
Maurice Goodgaine
Jeffrey Hart
Leslie Mitchell
Rudolfo Payan

Audit Staff

Audrey Donovan, Deputy Director, CIA, CRMA

Stephen E. Coury, IT Audit Supervisor, CISA

Roman Bukhtiyar, Senior IT Auditor, CISA

Ketki Dhamanwala, Senior IT Auditor, CIA, CISA

You can obtain copies of this report by contacting us at:

Office of the Auditor

201 West Colfax Avenue, Department 705, Denver, CO 80202

(720) 913-5000 Fax (720) 913-5247

Or download and view an electronic copy by visiting our website at:

www.denvergov.org/auditor


To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services

that provide objective and useful information to improve decision making by management and the people.

We will monitor and report on recommendations and progress towards their implementation.

City and County of Denver 201 West Colfax Avenue, Department 705 Denver, Colorado 80202 720-913-5000

FAX 720-913-5247 www.denvergov.org/auditor

Dennis J. Gallagher

Auditor

July 19, 2012

Mr. Chuck Fredrick, Chief Information Officer

Technology Services

City and County of Denver

Dear Mr. Fredrick:

Attached is the Auditor’s Office Audit Services Division’s report of their audit of Network Security

Management – Phase 2. This report summarizes the second and final phase of our audit of the

City’s data network that is managed by the Technology Services Department. The purpose of

the audit was to determine whether the City’s data network is protected from unauthorized

access and whether controls are effective in protecting network confidentiality, integrity, and

availability.

I am concerned that portions of our data network are vulnerable to attack or abuse that are

neither prevented nor detected. I know that you share my concerns as I understand that you

have already taken corrective actions to eliminate some of the risks we identified, and that you

have plans to address those that require more time to resolve.

A common theme in both phases of our audit is that periodic user security awareness training is

key to helping all our employees know the role they have in protecting the City’s data. Your

challenge to establish an information security governance program will be to ensure that the

controls you have in place continue to operate as intended. So many times we can have the

best of intentions, yet to find that a control we thought was working has become obsolete or has

evaporated into the ether. We must remain diligent in ensuring we are always protecting the

City’s information.

On a final note, as you consider the benefits of cloud computing for the City, please see our

short treatise on “Cloud Computing Considerations” in this report. I think you will find it supports a

careful and thoughtful approach to this new era of computing.

If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5000.

Sincerely,

Dennis J. Gallagher

Auditor

DJG/sec


cc: Honorable Michael Hancock, Mayor

Honorable Members of City Council

Members of Audit Committee

Ms. Janice Sinden, Chief of Staff

Ms. Stephanie O’Malley, Deputy Chief of Staff

Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer

Ms. Beth Machann, Controller

Mr. Doug Friednash, City Attorney

Ms. Janna Bergquist, City Council Executive Staff Director

Mr. L. Michael Henry, Staff Director, Board of Ethics

Mr. Ethan Wain, Deputy Chief Information Officer


AUDITOR’S REPORT

We have completed an audit of Network Security Management – Phase 2. This report

summarizes the second and final phase of our audit of the City’s data network that is managed

by the Technology Services Department. The purpose of the audit was to determine whether the

City’s data network is protected from unauthorized access and whether controls are effective in

protecting network confidentiality, integrity, and availability.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article

V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance

with generally accepted government auditing standards. Those standards require that we plan

and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis

for our findings and conclusions based on our audit objectives. We believe that the evidence

obtained provides a reasonable basis for our findings and conclusions based on our audit

objectives.

The findings from the second phase not only reinforce the information security governance issues

identified in the first phase, but further highlight a disturbing concern that key information

security controls are not operating as a result of gaps in Information Technology (IT)

Governance. Specifically, the Technology Services Department is insufficiently staffed, which

places an over reliance on key personnel; key policies and procedures have not been

developed; and there is a low process maturity environment where critical processes are ad hoc

and disorganized. This condition results in a security environment where portions of the City

network are vulnerable to attack or abuse that are neither prevented nor detected.

The Chief Information Officer has recognized the gravity of the issues identified in both our Phase

1 and Phase 2 audit reports and has already taken actions to eliminate or mitigate some of the

risks identified. Where risk mitigation requires a more strategic solution, the Chief Information

Officer has responded that he will develop appropriate plans to reduce the identified risks.

We extend our appreciation to the Chief Information Officer and his staff who assisted and

cooperated with us during the audit.

Audit Services Division

Kip Memmott, MA, CGAP, CRMA

Director of Audit Services


TABLE OF CONTENTS

EXECUTIVE SUMMARY 1

INTRODUCTION & BACKGROUND 2

Information Technology Governance 2

Process Maturity Model 3

Defense in Depth and Basic Controls 3

SCOPE 5

OBJECTIVE 5

METHODOLOGY 5

FINDING 8

City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity 8

RECOMMENDATIONS 13

OTHER PERTINENT INFORMATION 15

Cloud Computing Considerations 15

APPENDICES 17

Appendix A – Network Security Management – Phase 1 Performance Audit 17

Appendix B – News Story of Email Virus Impacting a Federal Agency 50

AGENCY RESPONSE 52


EXECUTIVE SUMMARY

This report summarizes the second and final phase of our audit of the City and County of

Denver’s network security.1 The findings from the second phase not only reinforce the

information security governance issues identified in the first phase, but further highlight a

disturbing concern that key information security controls are not operating as a result of

gaps in Information Technology (IT) Governance. Specifically, the Technology Services

Department is insufficiently staffed, which places an over reliance on key personnel; key

policies and procedures have not been developed; and there is a low process maturity

environment where critical processes are ad hoc and disorganized.2 This condition results

in a security environment where portions of the City network are vulnerable to attack or

abuse that are neither prevented nor detected. This indicates that information

technology (IT) governance needs to be strengthened not only in the risk management

domain, but also in the resource management domain.3 Examples of specific

weaknesses include the following:

• Six of ten essential information security duties are not being performed

• Antivirus controls are not always effective in preventing malware from entering the email system or from being saved and backed up on network storage

• Key information security policies are missing or outdated

• Network admission controls do not detect unauthorized devices

• The general public has inappropriate access to portions of the City’s internal data network

On a positive note, the audit identified areas where controls have been implemented

and are especially strong. Specifically, change control over firewalls and routers are

automated and at a high process maturity. Additionally, authentication controls over

administrative access to both firewalls and routers are strong.

Lastly, the Technology Services strategy to take advantage of cloud computing still

needs to significantly develop and increase the maturity of its information security

posture in preparation for the implementation of a cloud computing delivery strategy.

Our thoughts on the City’s preparedness for cloud computing can be found in “Other

Pertinent Information – Cloud Computing Considerations.”

1 The audit scope is limited to the portions of the network specifically managed by the Technology Services Department. Refer to the Introduction & Background of the Phase 1 report contained in Appendix A, “Network Security Management – Phase 1 Performance Audit,” for additional details.

2 Please see the Introduction & Background section of this report for more information on the Process Maturity Model.

3 Please see the Introduction & Background section of this report for more information on IT governance domains.



INTRODUCTION & BACKGROUND

Information Technology Governance

The overall governance of the City includes several disciplines of which Information

Technology (IT) is a significant part. Accordingly the governance of IT is not the sole

responsibility of one agency, but rather a collaborative effort between the City’s top

leadership, i.e., the Mayor and City Council, working closely with the leadership of the IT

organization.

The Technology Services Department is responsible for managing IT risks and determining

which resources are necessary to mitigate those risks. However the City’s top leadership

has ultimate authority over IT resources. Accordingly, when City leadership is faced with

financial challenges, budget decisions should include consideration of the IT risk impact

that may result from those choices. A role of the Chief Information Officer (CIO) as the IT

leader is to advise the Mayor and City Council on the IT risks threatening the City’s

network so that management may make informed decisions regarding risks and the

resources to mitigate those risks.

When presented with IT risks, City leadership has the option to either mitigate those risks

by implementing controls, transferring risks, such as through insurance, or accepting risks

through formal acknowledgement. If there are significant IT risks that the City cannot

mitigate or transfer, the acceptance of that risk must come from an appropriate level of

authority – the City’s top leadership – and be disclosed to stakeholders and citizens.

IT Governance Domains

IT governance consists of the five major

domains of strategic alignment, value delivery,

risk management, resource management, and

performance measurement.4 Two areas of

concern in this audit are risk management and

resource management.

Risk Management – The risk management

domain addresses the safeguarding of IT assets

and disaster recovery. Risk management also

includes regular self-testing to ensure

established controls are operating as intended

and continuous assessment of emerging risks in

light of an ever changing threat landscape.

4 Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, http://www.itgi.org


Process maturity scale (figure):

• 0 – Nonexistent: management processes are not applied at all

• 1 – Initial: processes are ad hoc and disorganized

• 2 – Repeatable: processes follow a regular pattern

• 3 – Defined: processes are documented and communicated

• 4 – Managed: processes are monitored and measured

• 5 – Optimized: best practices are followed and automated

Risk management concerns are raised in both phases of this audit. The phase one report

is included in Appendix A.

Resource Management – The resource management domain addresses optimizing IT

knowledge and infrastructure, in particular people, technology tools, and the

management of outsourced services. It is the resource management domain that

promotes workforce planning for adequate staffing and training in order to retain skilled

IT staff. Resource management also includes aligning the IT budget to support business

operations. Resource management concerns are raised in this second phase of the

audit.

Process Maturity Model

The degree to which an organization can effectively manage its IT risk depends largely on the maturity of its IT governance system. The maturity level can be determined by evaluating the organization’s key information security policies, standards, and procedures against an industry standard IT governance maturity model, or process maturity model. As illustrated in the scale above, the model ranks a process along a six-point scale ranging from “0 – Nonexistent” to “5 – Optimized.”

Information security controls need to be repeatedly verified over time to ensure they are

continuing to operate as intended. Constantly monitoring the effectiveness of controls,

such as through a manual or automated compliance program, is considered to be at

maturity level 4. Processes that are automated and include an aspect of continuous

improvement are at maturity level 5.

Defense in Depth and Basic Controls

Best practices promote the concept of “defense in depth”

or “security in layers.” Specifically, IT security programs

should protect information through the use of multiple

layers including physical, policy, and technical controls.

Physical controls primarily protect access to computing

equipment. Policy controls include all aspects of security,

such as review of logs, compliance programs, and

employee security awareness training. Technical controls are

mostly automated and include firewalls, intrusion prevention

appliances, and antivirus software. The technical controls should not be overly reliant on


limited defenses or overly dependent on a single person to review security alerts.

Physical Controls

Physical controls include the protection of physical access to facilities, the protection of network equipment within those facilities, and environmental (temperature and humidity) controls. As with all controls, physical controls must be regularly tested to ensure they are operating as intended.

Policy Controls

Information security policies are the basis for defining management’s commitment and

the organization’s approach to managing information security. Information security

policies must be reviewed periodically as the rapid change in technology could render a

policy inadequate to control the risk it was intended to prevent. Consider password

length and complexity as a policy that has evolved over the years. Ten years ago, a four-

digit password would have been considered adequate, but by today’s standards a four-

digit password would be considered weak and one that could be easily compromised. It

is common today to see password requirements of eight characters with the inclusion of

capital letters, numbers, special characters, expiring every ninety days or so, and users

reminded not to use easily guessed mnemonics, family or pet names, dates, or the

names of sports teams or their mascots.

Technical Controls

Technical controls include some of the basic controls that most users are familiar with,

such as antivirus software or system patching. Often these controls are automated and

are assumed to be working properly. An important study of system intrusions and data

breaches, the “2012 Data Breach Investigations Report,” highlights that 97 percent of

data breaches were avoidable through simple or intermediate controls.5 The report also

points out that the largest threat actions came from hacking and malware.6 Hackers

strive to get the most reward or benefit from the least amount of work or investment. The

data show that an attacker will try the simplest techniques to break into a system before

engaging more sophisticated techniques. This emphasizes the need for organizations to

remain vigilant in providing basic controls, such as end user information security

awareness training, antivirus software, network segmentation, and password protocols

and to engage in continuous monitoring to ensure that basic controls are operating as

intended.

5 The 2012 Data Breach Investigations Report was prepared by the Verizon RISK team with cooperation from the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police. The report spans eight years and the breach database includes well over 2,000 breaches and information on greater than one billion compromised records. http://www.verizonbusiness.com/Resources/Search

6 In this report we will use the term “malware” to refer to computer software that is designed with malicious intent, such as computer viruses, Trojans, and spyware, which are intended to cause harm, disruption, or provide surreptitious access to computer resources and data.


Antivirus controls are especially important, since malware is one of the main “attack

vectors” or ways that systems are compromised. Earlier this year, the Washington Post

(and other print and online sources) featured a story about a federal agency that was

the victim of a computer virus outbreak that arrived via email. The malware posed a high

enough threat that the agency disconnected its computers from the network to prevent

the malware from spreading to other agencies.7 We contacted the affected agency

directly to vet the accuracy of the news story. Although the agency has not issued

publicly its own account of the incident, they did confirm occurrence and that it was still

under investigation.

SCOPE

This report summarizes the second and final phase of our audit of the segments of the

City and County of Denver’s Metropolitan Area Network that are managed by

Technology Services, which excludes the portions of the network that are managed by

other agencies, such as the Denver International Airport, Denver District Attorney’s

Office, and Denver County Courts.

In accordance with Generally Accepted Government Auditing Standards (GAGAS) the

reader should be aware that some details about information security weaknesses are

considered sensitive security information and are not disclosed within this report.

The details of all findings, however, have been presented to the City’s Chief Information

Officer. As part of our regular follow-up for audit issues, we will return at a future date to

ensure that all findings have been addressed.

OBJECTIVE

The purpose of the audit was to determine whether the City’s data network is protected

from unauthorized access and whether controls are effective in protecting network

confidentiality, integrity, and availability.

METHODOLOGY

We utilized several methodologies to achieve the audit objective. Our evidence

gathering techniques included, but were not limited to, the following:

• Examining existing information security policies, procedures, and standards

7 Please see Appendix B, “News Story of Email Virus Impacting a Federal Agency,” to view the article.


• Consulting best practices standards for information security policies and procedures from sources such as the International Organization for Standardization publication “Information technology – Security techniques – Code of practice for information security management” (ISO 27002:2005), the National Institute of Standards and Technology special publication “Recommended Security Controls for Federal Information Systems and Organizations” (NIST SP 800-53), the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures Version 2.0 (PCI DSS), and as a point of local reference, the security policies of the State of Colorado Governor’s Office of Information Technology (OIT)

• Consulting best practices for routing device configurations from organizations such as the Center for Internet Security (CIS), NIST, the National Security Agency (NSA), and an equipment manufacturer (Cisco)

• Consulting authoritative reports on data breaches such as Verizon’s “2012 Data Breach Investigations Report”

• Conducting interviews with Technology Services personnel to clarify our understanding of its network security processes

• Reviewing Technology Services organization charts and job descriptions to determine whether an information security management structure has been established

• Examining vulnerabilities associated with opportunistic cyber attacks, as well as those for advanced persistent threats (APT)

• Performing testing of the antivirus controls to determine whether the antivirus tool is effective in protecting the network against malware

• Examining the vulnerabilities associated with generic user IDs having e-mail accounts and the use of web-based email

• Verifying the status of issues noted in the City’s PCI self-assessment questionnaire and attestation of compliance to determine remediation progress

• Examining vulnerability scans to determine whether non-PCI portions of the network are susceptible to cyber threats

• Performing tests to determine whether technical controls are in place to enforce the City’s remote access policy

• Reviewing the effectiveness of incident management policies and procedures

• Evaluating the effectiveness of the use of security information and event management (SIEM) software, particularly the Cisco Security Monitoring, Analysis and Response System (MARS) product

• Determining whether a strategy exists to replace MARS as the City’s SIEM in light of the product’s end-of-life announcement by the vendor


• Interviewing Technology Services management to verify whether essential information security duties are being performed

• Reviewing training records of key information security personnel to determine whether training is current

• Performing a physical security walkthrough of the data center to verify whether physical security, equipment protection, and environmental controls are adequate for critical firewalls and routers

• Reviewing network architecture diagrams to identify critical firewalls and routers

• Performing tests of critical firewall and router security settings with the Titania Nipper configuration analysis tool

• Testing change management and configuration backup controls for critical firewalls and routers using the Solarwinds Orion and Network Configuration Manager (Cirrus-NCM) tools

• Evaluating the password configuration settings for the City’s Authentication, Authorization, and Accounting (AAA) protocol implemented through the Cisco Terminal Access Controller Access Control System Plus (TACACS+) server

• Verifying the list of users who have administrative access to firewalls and routers

• Evaluating staff competency to operate network software tools and explain network configuration settings

• Consulting best practices for cloud computing from organizations including the Cloud Security Alliance (CSA) and NIST
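Two of the steps above, the Titania Nipper test of firewall and router settings and the review of the TACACS+ AAA configuration, are the kind of work that is easy to automate. The script below is an added illustration, not the auditors’ tooling, Nipper’s own logic, or any City configuration: it runs a handful of the checks such a tool performs against two Cisco IOS-style configurations constructed for the example, one with weaknesses the CIS, NSA and Cisco hardening guidance cited in this report would flag and one hardened along those lines. Hostnames, addresses, key strings and hashes are invented, and the check list is illustrative rather than a complete benchmark.

```python
"""Added example (not from the audit report): a small configuration linter
in the spirit of the checks a tool such as Titania Nipper automates, run
against constructed Cisco IOS-style configurations. Hostnames, addresses,
keys and hashes below are invented for the example."""
import re

# Constructed sample: a router with several weaknesses hardening benchmarks flag.
WEAK_CONFIG = """\
hostname rtr-weak
enable password cisco123
username admin password 0 letmein
ip http server
snmp-server community public RW
line vty 0 4
 password telnetme
 login
 transport input telnet
 exec-timeout 0 0
"""

# Constructed sample: the same device after hardening. Administrative logins
# go through AAA to a TACACS+ server with local fallback, management is
# SSH-only, and events are shipped to a syslog host.
HARDENED_CONFIG = """\
hostname rtr-hard
service password-encryption
enable secret 5 $1$abcd$EFGHIJKLMNOPQRSTUVWXYZ012
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.1.10 key 7 0123456789ABCDEF
ip ssh version 2
no ip http server
ip http secure-server
logging host 10.1.1.20
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 10 0
"""


def parse(config: str):
    """Split an IOS-style config into global commands and the sub-commands of
    each 'line ...' section. Sub-commands of other sections (interfaces,
    route-maps, ...) are ignored because this linter does not audit them."""
    globals_, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        globals_.append(cmd)
        current = cmd[5:] if cmd.startswith("line ") else None
        if current is not None:
            line_blocks[current] = []
    return globals_, line_blocks


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    globals_, line_blocks = parse(config)

    def has(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in globals_)

    findings = []
    if not has("service password-encryption"):
        findings.append("global: 'service password-encryption' missing, type 0 passwords are stored in clear text")
    if has("enable password"):
        findings.append("global: 'enable password' is reversible; replace with 'enable secret'")
    if not has("enable secret"):
        findings.append("global: no 'enable secret' configured")
    if not has("aaa new-model"):
        findings.append("global: AAA disabled ('aaa new-model' missing), logins depend on line passwords")
    elif not any(c.startswith("aaa authentication login") and "tacacs+" in c for c in globals_):
        findings.append("global: no TACACS+ method in the login authentication list")
    if has("ip http server"):
        findings.append("global: clear-text HTTP management enabled; use 'no ip http server' and 'ip http secure-server'")
    if not has("ip ssh version 2"):
        findings.append("global: SSH not pinned to protocol version 2")
    if not has("logging host"):
        findings.append("global: no remote syslog destination ('logging host')")
    for c in globals_:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", c)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            if mode == "RW" or community.lower() in ("public", "private"):
                findings.append(f"global: SNMP community '{community}' is {mode} and/or a well-known default")
    for name, subs in line_blocks.items():
        if not name.startswith("vty"):
            continue
        transports = [s for s in subs if s.startswith("transport input")]
        if not transports or any("telnet" in t.split() or "all" in t.split() for t in transports):
            findings.append(f"line {name}: telnet permitted; restrict with 'transport input ssh'")
        if any(s.startswith("password ") for s in subs):
            findings.append(f"line {name}: line password configured; authenticate via AAA instead")
        for t in (s for s in subs if s.startswith("exec-timeout")):
            parts = t.split()[1:] + ["0"]
            if int(parts[0]) == 0 and int(parts[1]) == 0:
                findings.append(f"line {name}: 'exec-timeout 0 0' disables the idle session timeout")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run on the weak sample the script reports eleven findings and on the hardened sample none. The point a practitioner should take from it is the one the report makes about change control: a check like this is cheap to run on every configuration backup, which turns a one-time audit test into the continuous verification that the higher maturity levels require.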


FINDING

City Network Vulnerable to Attack or Abuse Due to Gaps in IT Governance and Low Process Maturity

The results of our work from the second and final phase of this audit not only reinforce the

information security governance issues identified in the first phase, but further highlight a

disturbing concern that key information security controls are not operating as a result of

gaps in Information Technology (IT) Governance. Specifically, the Technology Services

Department is insufficiently staffed, which places an over reliance on key personnel; key

policies and procedures have not been developed; and there is a low process maturity

environment where critical processes are ad hoc and disorganized. This condition results

in a security environment where portions of the City network are vulnerable to attack or

abuse that are neither prevented nor detected. This indicates that information

technology (IT) governance needs to be strengthened not only in the risk management

domain, but also in the resource management domain. Examples of specific weaknesses

follow.

Six of ten essential information security duties are not being performed

We identified ten essential information security duties that were being performed by personnel in Technology Services to ensure the proper functioning of security controls. Although subject matter experts should develop and document key information security duties, those duties should then be performed by operations staff or automated. Contrary to best practice, six of the ten essential duties were being performed by the subject matter experts themselves, and their procedures were not documented or otherwise operationalized. As a result, when the personnel performing them left the City workforce or were reassigned to different projects, these six controls ceased operating; some have not been performed for eight to twelve months. For security reasons we have not listed the essential duties that are no longer being performed.

This condition illustrates the importance of resource management in the governance of

information technology. The CIO should ensure that adequate qualified staffing exists to

perform essential security tasks. Critical security tasks should be documented and

transferred to network operations personnel to ensure that essential information security

controls continue to operate in the event of staff turnover. In the event that employment

market conditions significantly challenge the ability to maintain staffing, the CIO should

consider outsourcing network security monitoring to ensure continuous monitoring of

network security controls.


Antivirus controls are not always effective in preventing malware from entering the email system or from being saved and backed up on network storage

To test the City’s antivirus controls we attempted to introduce, after informing IT management about the test, a pseudo-malware file into the City network, both through email and through a file transfer. The pseudo-malware file was not detected through either delivery method by the City’s antivirus software, which should have triggered an alert if the file had been properly detected.8 In the absence of proper detection controls or an alert, we were able to place the file on the City’s network. Additionally, the file was successfully backed up and subsequently restored from network backups without prevention or detection of the pseudo-malware.

The outcome of our test illustrates an initial and subsequent risk to the City’s network. Not only can a potential attacker store malware undetected on the City’s network, but the malware can be backed up and enabled for future use. If the malware were used in an attack on the City network and the initial attack was detected and stopped, the attacker may be able to subsequently restore the malware tools stored during backup and attempt the attack again.

We concluded that we were able to upload the pseudo-malware file due to the way the antivirus software was configured. We also identified several control points where the pseudo-malware could have been stopped, had the antivirus strategy been properly integrated between various system services, including backup and restore.
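As an added example (not code from the audit or from Technology Services), the following Python check implements the EICAR test-file format rules from the published EICAR specification and applies them at two of the control points named above: decoded email attachments at the mail gateway, and files in a backup set before they are written or restored. The email message, file names and backup set are constructed for illustration.

```python
"""Detect the EICAR antivirus test file at the control points the audit
names: email delivery, file storage, and the backup/restore path.

Added example, not code from the audit report. The test string and the
file-format rules follow the published EICAR specification; the message,
addresses, file names and backup set below are constructed.
"""
import email
import email.policy
from email.message import EmailMessage

# The 68-byte EICAR test string as published by EICAR. It is inert: antivirus
# products recognise it by signature so that detection can be verified
# without using real malware.
EICAR_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Per the specification the string may be followed only by these whitespace
# bytes, and the whole file must not exceed 128 bytes.
_ALLOWED_TRAILER = set(b" \t\r\n\x1a")
_MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """Return True if `data` is a conforming EICAR test file.

    A check that compares the whole file against one fixed string misses the
    spec-permitted variants (a trailing newline added by an editor, CR/LF
    added in transit), which is the kind of gap that lets a test file pass a
    control point unnoticed.
    """
    if len(data) < len(EICAR_STRING) or len(data) > _MAX_LEN:
        return False
    if data[: len(EICAR_STRING)] != EICAR_STRING:
        return False
    return all(b in _ALLOWED_TRAILER for b in data[len(EICAR_STRING):])


def scan_message(raw: bytes) -> list[str]:
    """Parse an RFC 5322 message and return attachment names that are EICAR.

    Models the mail-gateway control point: the check runs on the decoded
    attachment bytes, not on the base64 text on the wire, because the test
    string is not visible in its encoded form.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is not None and is_eicar(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def scan_backup_set(files: dict[str, bytes]) -> list[str]:
    """Return the paths in a backup set that must be quarantined.

    Models the storage/backup control point: the same check is applied before
    data is written to backup media and again on restore, so that a file which
    evaded the gateway cannot be reintroduced later from a backup.
    """
    return sorted(path for path, data in files.items() if is_eicar(data))


def build_sample_message() -> bytes:
    """Construct a test email carrying the EICAR file as an attachment."""
    msg = EmailMessage()
    msg["From"] = "user-a@example.invalid"   # constructed addresses
    msg["To"] = "user-b@example.invalid"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(EICAR_STRING + b"\n", maintype="application",
                       subtype="octet-stream", filename="report.com")
    msg.add_attachment("just text\n", filename="notes.txt")
    return msg.as_bytes()


# Constructed backup set: one conforming EICAR file with a CR/LF trailer, one
# clean file, and one that exceeds the 128-byte limit and so is not a
# conforming test file under the specification.
SAMPLE_BACKUP = {
    "shares/finance/report.com": EICAR_STRING + b"\r\n",
    "shares/finance/notes.txt": b"meeting notes\n",
    "shares/finance/oversized.com": EICAR_STRING + b" " * 61,
}

if __name__ == "__main__":
    print("email attachments flagged:", scan_message(build_sample_message()))
    print("backup paths quarantined:", scan_backup_set(SAMPLE_BACKUP))
```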

We attempted the same test using a common email system available to the public (Gmail). However, we were unsuccessful since Gmail would not allow us to upload the pseudo-malware file. The City email system, on the other hand, not only allowed the upload of the pseudo-malware file, but allowed us to email it from one account to another account, save it on the network, have it backed up, and restore it on demand.

We were also able to store the pseudo-malware file through a common type of file transfer used by City employees when working outside of the City network and connecting through a secure connection. This test not only demonstrated the same antivirus weakness as our City email system test, but it also highlighted the fact that the City’s IT security policy is antiquated and relies on employees to abide by rules that are not enforced through technical controls. Specifically, the policy requires employees to sign a statement when they are hired that they will keep their personal computers free from malware before remotely connecting to the City network. Employees are not reminded of this agreement after they are hired. In the event that employees neglect to keep their home systems protected or choose not to pay for antivirus software, connecting remotely to the City’s network from these computers poses a risk to the City.

8 The pseudo-malware file we utilized was an industry standard file that is used to test antivirus software. This file is commonly referred to as an EICAR file and is published by the European Institute for Computer Antivirus Research (EICAR). The file contains a special string of characters that all antivirus software will identify and raise an alert on when scanned. The file is safe, as it does not contain any malicious code. It is a file used to assure system owners that their antivirus software is active. If one is able to pass the file through systems, it is an indication that the antivirus software is not running or is configured incorrectly.


Should these home systems become compromised, they can serve as a conduit for malware to be introduced to the network. Technology currently exists to interrogate remote systems to determine if they are safe before allowing them to connect to the network. This type of technical control may prove more effective at preventing the introduction of malware onto the network than relying on employees to abide by the agreement they signed at the time of employment.

Technology Services should revise the antivirus configurations to prevent the introduction of malware into the City network. The overall deployment of antivirus should be reviewed to prevent and detect the introduction of malware through the City’s email system, and during storage, backup and restore of data files. Technology Services should also adopt technical controls to interrogate remote systems to determine if they are safe before allowing them to connect to the network.

Key information security policies are missing or outdated

As a means to evaluate the maturity of the City’s information security policies, we identified twelve key information security policies that are considered best practices and are accepted standards in the IT industry. The sources of the policies include the International Organization for Standardization publication “Information technology – Security techniques – Code of practice for information security management” (ISO 27002:2005), the National Institute of Standards and Technology special publication “Recommended Security Controls for Federal Information Systems and Organizations” (NIST SP800-53), the Payment Card Industry Data Security Standard (PCI DSS), and the State of Colorado Governor’s Office of Information Technology security policies, which we used as a point of local reference.

Of the twelve critical information security policies reviewed, eight were not incorporated into the City’s overall security policy strategy. Although the City has defined twenty-one information security policies, fourteen of those have not been updated for more than two years. Table 1, “Information Security Policy Analysis,” shows which of the twelve critical policies have been adopted by the City and which have not. Of those that have been adopted, the table shows when the policy was defined and how well it was reviewed or kept current over the past ten years. For security reasons, the names of the policies are not included in the chart. However, some of the policies included in the list of twelve address areas such as risk assessment, security training and awareness, disaster recovery, physical security, acceptable use, wireless access, mobile computing and teleworking, social media, and incident response.


Table 1 - Information Security Policy Analysis

[Color-coded table; the cell shading that carries the per-year status is not recoverable from this text. Columns: Priority, then one column per year from 2002 through 2012. Rows: policies 1 through 12. Legend: Policy is defined or updated; Policy has not been updated; Policy is missing; Policy not required.]

The priority column noted in Table 1 indicates the relative importance of the policy according to best practices. For items 3 and 8 in the table, two rows are shown for each, indicating that there were two defined policies addressing a similar topic. The City does not have eight of twelve critical information security policies in place to protect the network from malicious attack. Of the four policies that are in place, three have not been regularly evaluated or updated. This analysis supports the conclusions reached in the first phase of this audit where we identified the need for an information security governance program that includes the development of information security policies.

Network admission controls do not detect unauthorized devices

The City does not have technical controls or policies in place to prevent the connection of unauthorized wireless routers to the City’s internal network. We found a City agency that stores sensitive personal information as part of its daily operations. In order to better protect that information, the agency has a portion of its network segmented away from the City’s internal network thus creating a private network that can only be accessed by computers located physically within the agency. However, to meet one of its business needs, the agency from time to time uses two consumer / home grade wireless routers and connects one to its private network and connects the other to the City’s internal network. The agency has configured the routers similar to how a consumer / home wireless network would be set up with the router broadcasting its name making it conveniently detectable by anyone with a mobile device such as a smart phone. These consumer / home grade routers also grant a connection to any device where the user has correctly entered the password; no user ID is required.

In contrast, wireless access points supported by Technology Services employ rigorous security configurations that limit access to pre-authorized users, use strong session encryption, and do not broadcast their network name to avoid advertising the wireless network’s presence to the general public.

Connecting consumer / home grade equipment to the City’s network weakens the defense in depth controls, as the wireless routers rebroadcast the contents of both the agency’s private network and the City’s internal network, making both networks accessible outside of the intended physical access areas.

Technology Services should adopt technical controls, such as network admission controls (NAC), which can detect and prevent the connection of unauthorized wireless routers and other devices to the network. Further, policies prohibiting the attachment of unauthorized devices should be developed and communicated through periodic user security awareness training to educate agencies and users regarding the risks of attaching devices such as wireless routers to the network.

The general public has inappropriate access to portions of the City’s internal data network

During the first phase of this audit, we performed site visits to various City facilities and tested for both wireless networks and computer connections that the general public could use to access the City’s internal network. The connections we found could be used by an outsider to launch a cyber attack against the City’s network from inside the network without having to contend with the defenses the City has in place to protect the network from an attack originating from the outside. For security reasons, we communicated those locations confidentially to Technology Services management and did not list them in the audit report.

In the second phase of this audit, we further examined whether there were any technical controls that Technology Services had available that could be used to mitigate the risk of inappropriate access by the general public through those previously identified connections. We found that Technology Services currently has the technical controls available to prevent those publicly accessible areas from accessing the City’s internal data network. Access to the City’s internal network should be limited to authorized persons in order to prevent a cyber attack from within the City network by outsiders.

We recommended in the first phase of our audit that an information security governance program be put into place that would include the assessment of risks associated with various technology deployments, such as granting the public access to computers connected to the City network. Since this second phase of the audit further highlights the risk that these computers and connections could be used to launch an imminent cyber attack from within the City network, Technology Services should move expeditiously to segregate publicly accessible computers and connections from the City’s internal network.


Strong controls found for firewall and router change control and administrative access

On a positive note, the audit identified areas where controls have been implemented and are especially strong. Specifically, change control over firewalls and routers is automated and at a high process maturity. Further, authentication controls over administrative access to both firewalls and routers are strong.

RECOMMENDATIONS

Throughout the course of this audit we were continually reminded of the underlying cause for the lack of effective information security controls that serve to prevent or detect an attack or abuse of system vulnerabilities. At the conclusion of the first phase of this audit we recommended that the City’s Chief Information Officer (CIO) establish an information security governance program. This will also aid in addressing the concerns noted in this final phase of the audit over missing and outdated information security policies. Additionally, at the conclusion of the first phase of this audit we recommended that the CIO ensure the information security governance program has the full support for authority and funding from the Mayor and City Council. Both of these recommendations were agreed to with an expected implementation date of October 15, 2012.

As part of our follow-up process we will be addressing the recommendations provided in the first phase of this audit along with the following recommendations offered by the Auditor’s Office to improve IT governance and process maturity.

1.1 The Chief Information Officer should strengthen the resource management governance domain within the Technology Services Department to ensure that adequate qualified staffing exists to perform essential security tasks. Critical security tasks should be documented and transferred to network operations personnel to ensure that essential information security controls continue to operate in the event of staff turnover. In the event that employment market conditions significantly challenge the ability to maintain staffing, the CIO should consider outsourcing network security monitoring to ensure continuous monitoring of network security controls.

1.2 Technology Services should revise the antivirus configurations to prevent the introduction of malware into the City network. The overall deployment of antivirus should be reviewed to prevent and detect the introduction of malware through the City’s email system, and during storage, backup and restore of data files.

1.3 Technology Services should also adopt technical controls to interrogate remote systems to determine if they are safe before allowing them to connect to the network.


1.4 The Technology Services Department should adopt network admission control technologies in order to detect and prevent the attachment of unauthorized wireless routers to the City’s network.

1.5 The Technology Services Department should communicate necessary information regarding security policies to end users through periodic user security awareness training to educate agencies and users about their role in protecting the City’s network, including the risks of attaching devices such as wireless routers to the network.

1.6 The Technology Services Department should move expeditiously to segregate publicly accessible computers and connections from the City’s internal network.


OTHER PERTINENT INFORMATION

Cloud Computing Considerations

One of the latest trends in modern computing is the adoption of vendor-provided service technologies collectively referred to as cloud computing.9 The Technology Services Department has adopted a “cloud first” long term strategy and is in the early stages of evaluating cloud services for City technology needs. However, Technology Services needs to significantly enhance its cloud services selection criteria for information security as cloud services pose their own types of security concerns.

The growing interest in cloud computing can be attributed to the potential for financial economies of scale making cloud-based solutions more affordable than traditional computing models. Other reasons for interest in cloud computing come from the capability to utilize new hardware or software functionality that would be too cumbersome or expensive to develop with existing personnel and equipment.

Cloud computing essentially entails renting an outside vendor’s software and computers. For example, in a “software as a service” model, a vendor provides access to its software over the Internet on a subscription-type fee schedule. With subscription to the service, the customer gains quick access to software that can provide enhanced capabilities without having to buy new servers, hire new staff, or install software. On the other hand, the customer no longer has control of where the data and servers are located or how they are maintained. With these benefits, the customer is giving up storing data on premises and maintaining the servers on which the data is stored.

Sometimes the loss of control over the computing environment can pose information security risks. For example, in the non-cloud environment, the customer may know that only authorized individuals have access to their data center. In a cloud environment, the customer may not have the right to know who has data center access, leaving the customer to trust that the service provider has strong security practices. By contrast, customers that currently have poor or weak information security practices may be able to significantly improve their security posture by utilizing a cloud service provider with strong security practices. As a result, customers must carefully evaluate their security requirements to ensure their security needs can be met by the cloud service provider. Customers should ensure their service agreements allow them the right to audit or otherwise verify that the service provider is indeed providing the security controls it claims to have in place.

Cloud computing is at its early stages of development and is becoming more competitive as more service providers enter the market. It is possible the customer may wish to switch providers in the future as new capabilities become available or more affordable. An aspect that must be considered before entering into a cloud computing agreement is how the customer’s data will be backed up and returned to the customer should they terminate their service. Of similar importance, the agreement must specify that the provider will destroy and certify the destruction of the customer’s data it previously stored before the services were terminated. Situations could arise where the customer loses all of its previously stored data because provisions for data handling at the termination of service were not considered in advance.

9 This discussion is intended as a high level summary of cloud computing. Please refer to “Cloud Computing Synopsis and Recommendations” (Special Publication 800-146), published by the National Institute of Standards and Technology (NIST), for an explanation of cloud computing concepts, including security risks. http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf

City agencies use a request for proposal (RFP) process when seeking vendors to provide or bid on system solutions. The system requirements are specified in an RFP and vendors can competitively bid on providing their solutions. The bids are scored and the vendor best meeting all the criteria is selected.

To help City agencies evaluate their security requirements, one of the first steps Technology Services took was to augment the RFP process to include criteria for evaluating cloud-based solutions. Our review of the initial cloud computing criteria for RFPs indicates that the information security criteria are rudimentary and do not sufficiently address basic information security concerns for cloud computing. The RFP criteria for cloud computing could be significantly enhanced by incorporating security considerations from the NIST guide “Cloud Computing Synopsis and Recommendations” and the “Security Guidance for Critical Areas of Focus in Cloud Computing” developed by the Cloud Security Alliance.10,11

Responsibility and accountability for information security never transfers to a cloud service provider or to any third party, for that matter; it always remains with the City. As a result, decisions to adopt cloud computing solutions must carefully consider the information security impact alongside other business considerations.

10 Ibid.

11 The Cloud Security Alliance is a member-driven organization, chartered with promoting the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing. https://cloudsecurityalliance.org/


APPENDICES

Appendix A – Network Security Management – Phase 1 Performance Audit


Appendix B – News Story of Email Virus Impacting a Federal Agency

AGENCY RESPONSE
