October 1, 2006
2 of 14
LEFTHAND SOFTWARE
INFORMATION SECURITY AUDIT
PITTSBURGH, PENNSYLVANIA
EXECUTIVE SUMMARY
INTRODUCTION
LeftHand Software is a supplier of software and consulting services primarily to defense sector organizations, such as the Department of the Army, the Department of the Navy, and numerous defense contractors. LeftHand Software has been in litigation with former employees and customers whose personal and sensitive corporate information was leaked after security incidents and breaches within LeftHand’s network. The payouts resulting from the settlements of these lawsuits have caused LeftHand to file for bankruptcy protection. This information assurance audit will ensure that LeftHand Software has taken appropriate steps in dealing with the security of its network, and will identify gaps in compliance with its newly established information security policy.
(4) logging and auditing systems on the network, (5) creation of subnets to create access control points, (6) deployment of ingress/egress filtering, (7) creation of a management network for administration tasks, (8) implementation of an IDS, (9) deployment of integrity checking applications, (10) creation of configuration management and change control guidelines, (11) implementation of anti-sniffer procedures, (12) implementation of VPNs to remote locations, and (13) creation of a training and education program for administrative staff.
OBSERVATIONS AND RECOMMENDATIONS
CREATE NETWORK DEMILITARIZED ZONE (DMZ)
LeftHand Software’s network has one router between the Internet and the enterprise. This router filters inbound traffic, but the enterprise network is one large, flat network. Publicly available services (such as mail and web) reside on the same network as the traditionally ‘protected’ network – file servers, client systems, etc. This strategy is ineffective in managing inbound connections to the externally available services and is risky for systems which should not be allowed external access.
access attempts
• Hardening of services – tools which identify vulnerable configurations or unpatched services and operating systems should be used regularly to evaluate the security of the host and service.
Management’s Response
Tools which evaluate security posture will be run regularly and processes for these will be developed; all servers will be sufficiently hardened to ensure no unneeded services are running; operating systems will be patched, as will applications.
CREATE EXTERNAL MAIL HANDLER
In the current configuration, all inbound mail for users on the LeftHand Software mail server comes directly through the router and into the protected network. These messages are not checked for viruses or other malicious code, nor are they filtered for spam. This places the entire burden of the anti-virus work on the end-user on their client system.
This is an unacceptable practice – multi-tiered virus checking has proven to be exponentially more effective in detecting and managing viruses.
Recommendation 3
Create a mail handler in the DMZ to filter spam and viruses, and forward clean mail to the Exchange server in the protected network.
IMPLEMENT LOGGING/AUDITING
The current configuration of LeftHand Software does not include logging or log file analysis. Given the wealth of security information an administrator can gain from log file analysis, and how useful log files prove to be in the event of a security incident, the current state of logging and auditing is unacceptable. Logs are not maintained on the firewall, individual hosts providing services, or any other network infrastructure system.
Recommendation 5
Implement one subnet for the end users, one for data-center services (mail, internal DNS, intranet, etc.), and a third for a management subnet, to be described in more detail later. Implement strong access control procedures between these networks.
Management’s Response
LeftHand Software will install and configure a router on the internal network to establish 3 subnets, and will manage access controls closely on each of these subnets.
IMPLEMENT NETWORK ADDRESS TRANSLATION (NAT)
LeftHand Software holds a public Class C address block, and its current network configuration assigns public IP addresses to all of the systems in the enterprise. This address scheme, coupled with the vulnerabilities in the LeftHand Software infrastructure already mentioned, is a security risk. The enterprise should take advantage of private address space (RFC1918) within the internal subnets. The implementation of NAT, along with a Dynamic Host Configuration Protocol (DHCP) server, will ease the administrative overhead associated with managing the IP space for the enterprise as the number of systems grows, and will add a layer of security to the systems which are behind the NAT device.
FILTER OUTBOUND TRAFFIC
The packet filtering router which connects the enterprise to the Internet is configured to allow only specified ports on specific protocols (as inbound connections) through into the protected network. There are currently no rules blocking any outbound traffic leaving the enterprise destined for the Internet. Failure to have these filtering rules in place is a poor security practice, and should be addressed by LeftHand Software.
CREATE A MANAGEMENT NETWORK
Currently, all administration of all of the infrastructure systems within the enterprise is done from hosts on the client network. Because of the nature of the network architecture, all management traffic is currently subject to packet capture by insiders who may want to view administration traffic. This configuration will allow all insiders to do so – as well as allow them to spoof administrative address information. As such, using access controls to limit this type of packet capture and spoofing attacks is ineffective.
IMPLEMENT INTRUSION DETECTION SYSTEMS (IDS)
LeftHand Software currently has no means to detect network anomalies – other than auditing a small number of systems which produce log files (see Recommendation 4 for logging). Given the increase in traffic to and from the Internet and the growing number of infrastructure systems and people on the LeftHand Software enterprise network, it is imperative that some form of incident or intrusion detection system be deployed within the enterprise. These systems should come in a number of forms, which include:
• Signature Based Intrusion Detection Systems. These systems, like Snort and a variety of other IDS, use signatures to determine if the packets they are inspecting may be malicious, and write logs and create alerts based on their inspection of every packet on the network. These systems can offer a great deal of information about the enterprise they monitor, in real time as well as for forensic purposes. The logs from these traditional IDS should be periodically reviewed, and special alerting processes should be put into place for potentially dangerous traffic identified by the IDS.
• Integrity Checking. Tools exist which take cryptographic checksums of specific files or directories and alert administrators when the contents of the file/directory have been modified. This process is not effective for checking files which are modified regularly (such as an online database), but is very effective at monitoring files which do not change frequently (such as static web pages and system files). The administrators can configure these integrity checking systems to alert them in the event a critical file is modified.
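The integrity checking described above, as an added example that is not part of the audit report: a baseline of SHA-256 checksums is taken over a constructed directory tree, frequently changing files (the `*.db` exclusion stands in for the report's "online database" caveat) are left out, and a later verification pass reports modified, added and removed files so an administrator can be alerted. File names and contents are constructed for the demonstration.

```python
import hashlib, os, shutil, tempfile
from fnmatch import fnmatch
EXCLUDE = ["*.db"]  # constantly changing files (e.g. a live database) would only be noise

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, exclude=EXCLUDE):
    """Return {relative_path: sha256} for every monitored file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch(rel, pat) for pat in exclude):
                baseline[rel] = sha256_file(full)
    return baseline

def verify(root, baseline, exclude=EXCLUDE):
    # Re-hash the tree and report what an administrator should be alerted on.
    current = build_baseline(root, exclude)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed tree: snapshot it, tamper with it, verify against the snapshot."""
    root = tempfile.mkdtemp()
    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(data)
    write("www/index.html", "<h1>LeftHand Software</h1>")  # static web page
    write("etc/hosts", "127.0.0.1 localhost")                # system file
    write("data/orders.db", "row1")                          # excluded from baseline
    baseline = build_baseline(root)
    write("www/index.html", "<h1>changed</h1>")    # modified -> alert
    write("data/orders.db", "row1,row2")            # excluded -> no alert
    write("www/new.html", "<p>unexpected</p>")      # added -> alert
    os.remove(os.path.join(root, "etc", "hosts"))   # removed -> alert
    result = verify(root, baseline)
    shutil.rmtree(root)
    return result
```

In production the baseline itself must be stored where an intruder who alters a monitored file cannot also rewrite the checksum, for instance on the management network or read-only media.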
Management’s Response
LeftHand Software will deploy IDS as prescribed by this audit, and will implement integrity checking on information on critical systems within the enterprise.
IMPLEMENT SPLIT DOMAIN NAME SERVICE (DNS)
The current DNS configuration for LeftHand Software uses one zone file for the entire enterprise (both externally available services and internal hosts). This configuration is considered poor from a security perspective, and should be modified to include two distinct DNS hosts, one which is publicly available in the DMZ and one which does host name resolution inside the protected network. The zone file on the externally available DNS host should not contain any information about hosts on the internal network. The internal DNS host should not be externally available to queries from the Internet.
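An audit check for the external zone file, added here as an example and not part of the audit report: it parses a constructed zone in simplified BIND syntax and flags records that should not be served to the Internet, either because they carry an RFC1918 private address (the NAT section above) or because the name is not one of the services the report identifies as public. The hostnames, addresses and the `PUBLIC_SERVICES` allow-list are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges; these must never appear in a zone served to the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services legitimately published from the DMZ (constructed allow-list).
PUBLIC_SERVICES = {"@", "ns1", "www", "mail"}

# Constructed external zone in simplified BIND syntax: "name [ttl] IN type rdata".
EXTERNAL_ZONE = """
$ORIGIN lefthand.example.
@        IN  SOA  ns1 hostmaster 2006100101 1h 15m 1w 1h
@        IN  NS   ns1
ns1      IN  A    203.0.113.2
www      IN  A    203.0.113.10
mail     300 IN A 203.0.113.20
fileserv IN  A    192.168.10.5   ; internal file server leaked into the public zone
intranet IN  A    203.0.113.30   ; internal-only service published with a public address
"""

def parse_zone(text):
    """Yield (name, type, rdata) per record; directives and comments are skipped."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        cls = parts.index("IN")            # an optional TTL sits before the class
        yield parts[0], parts[cls + 1], " ".join(parts[cls + 2:])

def audit_external_zone(text, public_services=PUBLIC_SERVICES):
    """Return [(name, reason)] for records that do not belong on the external DNS host."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            findings.append((name, "private RFC1918 address %s in public zone" % rdata))
        elif name not in public_services:
            findings.append((name, "not a public service; belongs in the internal zone"))
    return findings
```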
Management’s Response
LeftHand Software relied on the DNS provided by the host organization before that unit departed from Fort Pitt, and has not had the opportunity to develop and deploy a second DNS. LeftHand Software will now create split DNS, having one DNS externally available to users on the Internet and one available for internal users.
oversight board which will manage the overall configuration
control process.
Recommendation 13
Deploy host-based firewalls on all client systems as well as all servers operated by LeftHand Software.
Recommendation 16
The administrators should have a set of training requirements that deal with information and network security which they are to attend, and these requirements should become part of their professional training and development career progression path.