Table 8.1 A Sample of Findings from the SA for Medical Management Finding Threat Impact Vulnerability # Source Rating Consequence Lack of 33 Intentional High System administrators, separation of modifi- without detection, can duties cation bypass mechanisms in place of data for holding users responsible for their actions. Due to a lack of resources, a decision has been made to allow the system administrators to audit their own activity. This could result in a loss of integrity. .JSPServlet 34 Unauthor- Low An attacker can use this enumeration ized access vulnerability to enumerate vulnerability the physical path of the webroot. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compro- mise the system. Web server 35 Unauthor- Low Allows attackers to enumeration ized access identify specific version vulnerability of IIS to tailor specific attacks. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compro- mise the system. Cold Fusion 36 Unauthor- Low It is possible to anonymously debug ized access view debug information, enumeration which usually contains sensi- tive data such as template path or server version. This could result in a loss of con- fidentiality, integrity, and availability if the attacker is able to use this information to compromise the system. www.syngress.com Managing the Findings • Chapter 8 295 Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 295 Table 8.1 A Sample of Findings from the SA for Medical Management Finding Threat Impact Vulnerability # Source Rating Consequence Security alerts 37 Administra- Low Without documented and incident tive error procedures, the response handling taken is ad hoc and results procedures are in opinion-driven decisions, not documented which can expose Medical Management to errors in human judgment. This could result in a loss of confiden- tiality or integrity if an inci- dent goes unnoticed. Contingency 38 Administra- Low Current contingency plan- plan does tive error ning is scattered through not exist various location documents and should be centralized in one document that all loca- tions utilize. This could result in a loss of availability. Process to 39 Administra- Low Currently being done ad modify incident tive error hoc, which could result handling does in wasted time during not exist future CISRT responses by not having procedures to incorporate lessons learned. This could result in a loss of confidentiality, integrity, and availability. Risk assess- 40 Human error/ Low Inconsistent application of ment imple- omission quarterly scan results in mentation is various vulnerabilities not not consistent being identified or cor- rected. This could result in a loss of confidentiality, integrity, and availability if the vulnerabilities are not identified and resolved. www.syngress.com 296 Chapter 8 • Managing the Findings Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 296 Table 8.1 A Sample of Findings from the SA for Medical Management Finding Threat Impact Vulnerability # Source Rating Consequence Rules of 41 Disgruntled Low Rules of behavior define to behavior are employee the user what is acceptable not consistent or citizen behavior and the conse- and are not incident quences for failure to signed by users comply. Without a signature, there may be an issue with proving the user was ade- quately warned. This could result in a loss of integrity and management having no legal recourse available. Termination 42 Disgruntled Low Current procedures would process does employee allow access to medical not address or citizen system to continue after an short-notice incident employee or contractor has quitting departed. This could result in a loss of confidentiality, integrity, and availability. Access to 43 Intentional Low Inconsistent screening of system is modifica- personnel with system granted tion of data access. Contractors are without appro- granted access without priate back- background checks being ground required. Periodic reviews of screening sensitive positions are not performed. This could result in a loss of confidentiality and integrity. Software 44 Human Low No documented procedure distribution error/omission leads to inconsistent oper- implementa- ating systems and patch tion is incon- levels for system compo- sistent nents. This could result in a loss of confidentiality, integrity, and availability due to poor configurations. www.syngress.com Managing the Findings • Chapter 8 297 Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 297 Table 8.1 A Sample of Findings from the SA for Medical Management Finding Threat Impact Vulnerability # Source Rating Consequence No software 45 Human error/ Low This could allow for inconsis- or hardware omission tent test procedures testing pro- resulting in unknown risk to cedures in place the system. This could result in a loss of confidentiality, integrity, and availability if poor configurations are introduced to the system. Recommendation Road Map Table 8.2 provides the assessment team recommendations, referenced by finding numbers presented in Table 8.1. Table 8.2 Recommendation Road Map for Medical Management Finding Action # Vulnerability Recommendation Target Date Responsibility 1 .IDA ISAPI Install appropriate buffer overflow MS patch (Q317815). present Unmap the .IDA extension and any other unused ISAPI extensions if they are not required. 2 dvwssr.dll Delete this file if available not needed. If this file is required, restrict access to authen- ticated user only. 3 Newdsn.exe Delete this file if not available needed. If this file is required, restrict access to authenticated user only. www.syngress.com 298 Chapter 8 • Managing the Findings Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 298 Table 8.2 Recommendation Road Map for Medical Management Finding Action # Vulnerability Recommendation Target Date Responsibility 4 Msadcs.dll Install latest patch; available see MS99-025 for information. 5 Unauthen- Edit the ubroker. ticated Web properties file as Script follows: WSMAdmin AllowMsngrCmds = 1 available Change to AllowMsngrCmds = 0 6 Allaire JRun Modify the following in 3.0/3.1 accepts the JRun console: malformed URLs JRun Default Server/ Web Applications/ Default User App- lication/File Settings/ Directory Browsing Allowed set to FALSE. JRun Default Server/ Web Applications/ JRun Demo/ File Settings/Directory Browsing Allowed set to FALSE. 7 Allaire Cold Remove HTML login Fusion DOS file if not required. If HTML login file is required, implement HTTP basic authenti- cation to restrict access to this page. 8 Internet Printer Unmap the .printer Protocol (IPP) extension. buffer overflow present www.syngress.com Managing the Findings • Chapter 8 299 Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 299 Table 8.2 Recommendation Road Map for Medical Management Finding Action # Vulnerability Recommendation Target Date Responsibility 9 Anonymous Create /users user repost directory. Restrict anonymous access. 10 Remote file Disable this service system viewing if it is not needed. Restrict anonymous access if this service is required. 11 CompaqDiag Disable this service if remote man- it is not needed. agement services active Restrict anonymous access if this service is required. 12 Oracle account Assign a password to password the TNSLSNR. missing 13 Old TNSLSNR If possible, upgrade to Version version 9.0 or later. running 14 Sadmin enabled Disable this service if not needed. 15 Statd enabled Disable this service if not needed. 16 Tooltalk enabled Disable this service if not needed. 17 aexp2.htr Delete this file if not available needed. 18 BIND DNS Upgrade to BIND 8.3.4. Server Ensure that all patches have been implemented. www.syngress.com 300 Chapter 8 • Managing the Findings Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 300 Table 8.2 Recommendation Road Map for Medical Management Finding Action # Vulnerability Recommendation Target Date Responsibility 19 SNMP default Disable SNMP if not string needed. Change the SNMP community string. 20 SMTP server Disable mail relay if relaying not required. allowed 21 Cisco SNMP Implement controls to block access to the ILMI community and to SNMP if possible. 22 Antivirus Require and have users detection and sign an acknowledg- elimination is ment requiring they inconsistent have installed an up- to-date antivirus software on any machine that they will be using for remote access. Implement scripts to auto-update antivirus software for all remote users when they connect to the WAN. 23 Inadequately Provide formal training trained for equipment prior to personnel installation. Hire trained and certified contractors to operate equipment. 24 Cross-site Install available patches scripting or comply with vendor recommendations where possible. www.syngress.com Managing the Findings • Chapter 8 301 Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 301 Table 8.2 Recommendation Road Map for Medical Management Finding Action # Vulnerability Recommendation Target Date Responsibility 25 NULL session Ensure that NULL/ enabled anonymous sessions are disabled if not needed. See MS Q143474 or Q246261. 26 Cross-site Deny HTTP TRACE requests. tracing vul- nerability exists Permit only the methods required by authorized individuals. 27 Java cross-site Disable the Java service tracing vul- if not needed. nerability exists Update the Java service. WASCAdmin IAW Medical Man- password does agement policy. not expire 29 Remote Migrate to MS terminal terminal services or Citrix, or services allows some other product bypassing of that can follow/ security protocols enforce Medical Man- agement password and audit requirements. 30 Echo, Chargen, Disable these services if Ootd enabled not needed. If these services are required, restrict them to administrators only. 31 Data integrity Implement Tripwire or and validation other integrity and controls are validation controls. not consistently applied www.syngress.com 302 Chapter 8 • Managing the Findings Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 302 Table 8.2 Recommendation Road Map for Medical Management Finding Action # Vulnerability Recommendation Target Date Responsibility 32 Audit trail Implement chain-of- cannot support custody and storage after-the-fact IAW solicitor investigations requirements. 33 Lack of Hire personnel to separation of handle security duties. duties 34 .JSPServlet Set a global error enumeration page for the vulnerability ServletExec Virtual Server. 35 Web server Modify the reported enumeration Web server appli- vulnerability cation with urlscan to misdirect the attacker. 36 Cold Fusion Enter an IP address Debug (e.g. 127.0.0.1) in Enumeration the Debug Settings within the Cold Fusion Admin. 37 Security alerts Incorporate docu- and incident mented procedures handling pro- and distribute to cedures are all locations. not documented Schedule and document testing of procedures. 38 Contingency Develop, document, plan does not implement, and exist distribute a contin- gency plan. 39 Process to Develop, document, modify incident implement, and handling does distribute lessons- not exist learned procedures. www.syngress.com Managing the Findings • Chapter 8 303 Continued 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 303 Table 8.2 Recommendation Road Map for Medical Management Finding Action # Vulnerability Recommendation Target Date Responsibility 40 Risk assessment Develop, document, implementation and implement is not consistent security tools utilization procedures with written auth- orization for who can use the tools and when. 41 Rules of Standardize Medical behavior are Management medical not consistent system rules of and are not behavior and have all signed by users users sign acknow- ledgment. 42 Termination Update current process does procedures to not address address all short-notice situations. quitting 43 Access to Standardize and system is enforce background- granted without screening process appropriate for employees and background contractors. screening Require contractor to provide certifi- cation of screening. 44 Software Document and distribution distribute procedures implementation for software is inconsistent distribution and implementation. 45 No software Document the or hardware required test testing pro- procedures and cedures are in retain test reports. place www.syngress.com 304 Chapter 8 • Managing the Findings 286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 304 [...]... applicability to the customer environment? Does the recommendation address the importance of the finding to the critical information? Does the recommendation address the users who have to implement the recommendation? Does the recommendation give the customer options? www.syngress.com 286 _NSA_ IAM_ 08. qxd 12/15/03 5:03 PM Page 307 Managing the Findings • Chapter 8 Frequently Asked Questions The following... OICM and the SICM www.syngress.com 307 286 _NSA_ IAM_ 08. qxd 3 08 12/15/03 5:03 PM Page 3 08 Chapter 8 • Managing the Findings Q: Do you list all the possible findings for the customer individually, or do you group them? A: We try to merge the findings to a common solution.This provides the customer with a simpler road map www.syngress.com 286 _NSA_ IAM_ 09.qxd 12/16/03 12: 58 PM Page 309 Chapter 9 Leaving No Surprises... recommendations .The senior security manager is the person that will be heading up the network security and any implementation that is recommended These are the people that invited us into their organization.These are the people that set the goals and told us what information and systems were critical These people are the customer and they will be taking our recommendations and applying them to their systems... give the customer the information that you have gathered over the last few weeks, and to ensure that there will not be any surprises at the end of the assessment Determining Time and Location There are many things to consider when choosing the time and location for this meeting .The objective when scheduling the meeting is to accommodate the schedules of as many of the important attendees as possible.These... Review the information that you have gathered over the last few weeks with the customer.This is just the information, not the systems, platforms, or applications It is information that has been deemed critical through the discussions and interviews with the customer What additional organizational information have you found through your assessment to be critical? The attributes that are used during the assessment. .. We Came, We Saw, Now What? We have gathered all of the data, and have reviewed this information with the customer in the Closeout Meeting We are all on the same page and there are no surprises www.syngress.com 286 _NSA_ IAM_ 09.qxd 12/16/03 12: 58 PM Page 323 Leaving No Surprises • Chapter 9 What Happens Next? Now it is time for the post -assessment phase of the IAM Assessment. This phase can take anywhere... transmit information about criminal records, informants, investigations, and warrants Walk your customer through the information on their systems information criticality matrix .The following table will show the impact value of the systems that contain the critical information .The first table is the FACTS systems, which contains the criminal records, investigations, and warrants The second table is the SNOOP... Constraints The reason for an assessment will vary depending on the organization For obvious reasons, organizations that have specific concerns about their critical information are: federal, financial, medical, public, private, etc .The basic reason for an assessment is that the organization wants to assess the current state of security within their networks, and establish a current security posture.They want... consultants followed by the preparation for the OnSite Assessment, which can take up to a week .The On-Site Assessment can take a few weeks depending on the size, scope, and complexity of the organization.Tell your customer how much time you spent on the project Let them know how much time you have dedicated to the pre -assessment and the on-site assessment of their organization whether it has been two... customer team members These individuals should be involved with the closeout meeting to ensure that the assessment is done and that there are no surprises at the end of the day Your POC needs to be there as your connection to the customer .The managewww.syngress.com 311 286 _NSA_ IAM_ 09.qxd 312 12/16/03 12: 58 PM Page 312 Chapter 9 • Leaving No Surprises ment team will need to be there to make the final decisions . have to map the finding to the OICM, or can you just map it to the SICM? A: As you have already learned, the impact definitions are the same for both the OICM and the SICM.Therefore, the findings. on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com. 286 _NSA_ IAM_ 08. qxd 12/15/03 5:03 PM Page 307 Q: Do you list all the possible findings for the. if the attacker is able to use this information to compromise the system. www.syngress.com Managing the Findings • Chapter 8 295 Continued 286 _NSA_ IAM_ 08. qxd 12/15/03 5:03 PM Page 295 Table 8. 1