
Global Technology Audit Guide: Managing and Auditing IT Vulnerabilities
Summary for the Chief Audit Executive

Among their responsibilities, information technology (IT) management and IT security are responsible for ensuring that technology risks are managed appropriately. These risks originate from the deployment and use of IT assets in various ways, such as configuring systems incorrectly or gaining access to restricted software. However, these risks can be identified and remediated by detecting vulnerabilities, assessing their potential impact, and, when warranted, deploying corrective measures. Vulnerability management is the processes and technologies that an organization employs to identify, assess, and remediate IT vulnerabilities: weaknesses or exposures in IT assets or processes that may lead to a business risk(1) or security risk(2).

According to the U.S. National Vulnerability Database(3), approximately 5,000 new vulnerabilities are discovered every year, and 40 percent of those vulnerabilities have a high severity (i.e., they could cause major disruptions to organizations). You may be wondering why you should read a guide on vulnerability management. After all, isn't this something you can completely delegate to your IT audit staff? The answer is no. Often, the potential impact of an IT-related risk remains ill-defined and misunderstood until a worm, such as SQL Slammer, shuts down business operations. Knowing how to educate and inform executive management on the importance of vulnerability management will help drive support and create a call for action. Executive management must understand that to have an effective vulnerability management program, they must design a process to detect, assess, and mitigate vulnerabilities continually by integrating these tasks into the overall IT process framework. The issues surrounding vulnerability management aren't all technical in nature. In fact, many of the greatest challenges will lie with motivating individuals and driving effective processes. This guide was developed to help chief audit executives (CAEs) pose the correct questions to their IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts.

After reading this guide, you will:
Have a working knowledge of vulnerability management processes.
Have the ability to differentiate between high- and low-performing vulnerability management organizations.
Be familiar with the typical progression of capability from a technology-based approach to a risk-based approach to an IT process-based approach.
Provide useful guidance to IT management on best practices for vulnerability management.
Be able to sell your recommendations more effectively to your chief information officer (CIO), chief information security officer (CISO), chief executive officer (CEO), and chief financial officer (CFO).

(1) Such as failure to maintain integrity of financial reporting or a loss of revenue or productivity.
(2) Such as violations of confidentiality, integrity, or availability of data.
I. Introduction
IT vulnerabilities have become an epidemic, exposing networks to attackers, viruses, and worms. In fact, more than 12 vulnerabilities are discovered every day in hardware and software products.(4) Other types of IT vulnerabilities include inadequate password management, inappropriate access to files, weak cryptography, and misconfigured applications. Keeping up with the latest announcements and patches has become a nonstop job for IT managers and security professionals. However, some are more successful than others.

2.1 Identifying Poor Vulnerability Management

According to The Institute of Internal Auditors (The IIA), the top six indicators of poor vulnerability management processes are (GTAG 6):
1. A higher than acceptable number of security incidents during a given period of time.(5)
2. An inability to identify IT vulnerabilities systematically, resulting in exposures to critical assets.
3. An inability to assess risks associated with each vulnerability and to prioritize vulnerability mitigation activities.
4. Poor working relationships between IT management and IT security, leading to an inability to control and make changes to computer assets.
5. Lack of an asset management system.
6. Lack of a configuration management process that is integrated with vulnerability mitigation efforts.

2.2 Improving Vulnerability Management

The six prescriptive steps that can be taken to improve vulnerability management processes are:
1. Obtain executive management support for identifying and remediating IT vulnerabilities consistent with the organization's tolerance for risk.
2. Acquire a complete inventory of all IT assets and their vulnerabilities.
3. Prioritize remediation efforts according to business risks.
4. Remediate vulnerabilities by delivering planned work projects to IT management.
5. Continually update asset discovery, vulnerability testing, and remediation processes.
6. Use automated patch management and vulnerability discovery technologies to the greatest extent possible.

2.3 The Internal Auditor's Role

Vulnerability management has become a high priority, because IT controls are considered part of the internal control structure over financial reporting and regulatory compliance requirements in regulations such as the U.S. Sarbanes-Oxley Act of 2002, the U.S. Federal Financial Institution Examination Council (FFIEC), and Canadian and Japanese versions of SOX acts. Therefore, there is an increasing requirement for IT management to provide mission-critical services to businesses. IT management and IT security are accountable for implementing and demonstrating that sufficient security controls exist and operate effectively to meet internal control and regulatory requirements.

Internal auditors provide guidance and value to the business management in many ways. Internal auditors should assess the effectiveness of preventive, detective, and mitigation measures against past attacks, as deemed appropriate, and future attempts or threats, incidents, vulnerabilities exploited, and corrective [...]. Internal auditors also provide recommendations to executive management regarding compliance with internal and regulatory requirements and raise their awareness concerning likely vulnerabilities and impacts. In this way, internal auditors assist executive management by identifying possible sources of risk to the enterprise, thus helping to avoid security incidents or regulatory violations. In particular, internal auditors identify where IT security has failed to implement effective vulnerability management processes and validate existing vulnerability remediation efforts. One question auditors might ask is, "What would a vulnerability audit scope look like?" [...] to the activities auditors may consider in scope. More details of each section are provided in Section 3.

2.4 How Vulnerability Management Drives Changes to the IT Infrastructure

Scanning for and discovering vulnerabilities initiates the risk assessment process, possibly requiring changes to IT assets. With the increasing proliferation of vulnerabilities, the successful execution from discovery to expeditious remediation is important to ensure minimal impact to the business. This means that vulnerability management must be integrated with an organization's change and patch management activities (GTAG 6). As will be discussed, prioritizing business risks and executing changes to IT assets is always a challenge, but there are ways to determine if you have an effective vulnerability management process that is fully integrated with your organization's change management practices. Change management processes are discussed fully in GTAG 2: Change and Patch Management Controls.

(4) Source: U.S. National Vulnerability Database.
(5) An acceptable number of incidents can be determined by comparing one's tolerance for loss with the loss from past incidents. Then, one can adjust vulnerability management efforts by balancing the costs of implementing controls and remediating vulnerabilities with the benefits of these activities, possibly as a function of loss avoided.
VULNERABILITY MANAGEMENT SCOPE
VULNERABILITY MANAGEMENT LIFECYCLE

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware. Vulnerability management is integral to computer security and network security.
Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware. Unknown vulnerabilities, such as a zero-day attack, may be found with fuzz testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow exploit, with relevant test cases. Such analysis can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).
Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.
Vulnerability Management and IT Dependencies

3.1 IDENTIFICATION OF VULNERABILITIES

Scoping Systems

To scope systems properly, the auditor should acquire a complete list of all network segments used throughout the organization, such as corporate wired and wireless networks, production networks, backup or administration networks, transit networks, laboratory and testing networks, and remote offices. Each of these networks must be identified and documented.
The networks also should be included in a network architecture diagram that shows
network interconnections as well as perimeter security devices, such as routers, firewalls, and
intrusion detection systems.
All security issues are bugs, but not all bugs are security issues. This section is meant to be a guide from the Xen community to the Xen security response team regarding which bugs should have advisories issued for them. Discoverers are encouraged to err on the side of caution and report any potential vulnerability to the security team. These guidelines are not meant to be set in stone; if they do not fit your needs as a user, please raise the issue on xen-devel.
Every potential vulnerability will have a source context, an effect, and a target context. For instance, a bug may allow a guest user (source context) to escalate their privileges (effect) to that of the guest kernel (target context); or it may allow a guest administrator (source context) to severely degrade the disk performance (effect) of another guest (target context).
Only the following source/target context pairs will be considered vulnerabilities:
1a. the source is the guest user space, guest kernel, or QEMU stub domain, and the target is
the hypervisor, dom0 and tool stack.
1b. the source is the guest user space, guest kernel, or QEMU stub domain, and the target is
another guest.
1c. the source is guest user space, and the target is the guest kernel, or other guest user space
processes.
This means, for instance, that a bug which allows a guest kernel to perform a DoS on itself will not be considered a security vulnerability. It also means, at the moment, that the security team will not issue advisories for highly disaggregated environments.
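The three source/target pairs above, written out as a small classifier so the same-guest versus other-guest distinction is explicit. This is an added illustration, not code from the Xen project; the Context class and the spelling of the context kinds are assumptions made here.

```python
"""Decide whether a reported Xen bug falls under rule 1a, 1b or 1c of the policy
quoted above, given its source and target contexts.

Added example; not Xen project code. Context kind names are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Host-side contexts: a guest reaching any of these is rule 1a.
HOST_SIDE = {"hypervisor", "dom0", "toolstack"}
# Guest-side contexts the policy accepts as a *source* (rules 1a and 1b).
GUEST_SIDE = {"guest_user", "guest_kernel", "qemu_stub"}


@dataclass(frozen=True)
class Context:
    kind: str                     # one of HOST_SIDE | GUEST_SIDE
    guest: Optional[str] = None   # which guest, for guest-side contexts; None for host side

    def __post_init__(self):
        if self.kind not in HOST_SIDE | GUEST_SIDE:
            raise ValueError(f"unknown context kind {self.kind!r}")
        if self.kind in HOST_SIDE and self.guest is not None:
            raise ValueError("host-side contexts carry no guest id")
        if self.kind in GUEST_SIDE and self.guest is None:
            raise ValueError("guest-side contexts need a guest id")


def classify(source: Context, target: Context) -> Optional[str]:
    """Return '1a', '1b' or '1c' when the pair is a security issue under the
    policy, or None when the policy does not treat it as a vulnerability."""
    # Only guest-originated sources are listed. A source of dom0 or the tool
    # stack (the disaggregated setups the text mentions) gets no advisory.
    if source.kind not in GUEST_SIDE:
        return None
    # 1a: guest user space, guest kernel or QEMU stub domain -> hypervisor/dom0/tool stack.
    if target.kind in HOST_SIDE:
        return "1a"
    # 1b: any guest-side source -> a different guest (whatever context of that guest).
    if target.guest != source.guest:
        return "1b"
    # Same guest from here on.
    # 1c: guest user space -> its own kernel, or other user-space processes of the
    # same guest (this model has no process id, so same-guest user->user counts as 1c).
    if source.kind == "guest_user" and target.kind in {"guest_kernel", "guest_user"}:
        return "1c"
    # Anything else inside one guest, e.g. a guest kernel DoS-ing its own guest.
    return None


if __name__ == "__main__":
    cases = [
        (Context("guest_user", "A"), Context("hypervisor")),          # 1a
        (Context("guest_kernel", "A"), Context("guest_kernel", "B")),  # 1b
        (Context("guest_user", "A"), Context("guest_kernel", "A")),    # 1c
        (Context("guest_kernel", "A"), Context("guest_kernel", "A")),  # None: DoS on itself
    ]
    for src, tgt in cases:
        print(src, "->", tgt, "=", classify(src, tgt))
```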

Detecting Vulnerabilities
Most Web applications are susceptible to some kind of vulnerability. Last year's research shows that over 80% of Web applications were vulnerable to Cross Site Scripting (XSS) and over 25% were vulnerable to SQL injection flaws. These are also the vulnerabilities that are most often searched for by Web application vulnerability scanners. Trying to find all the vulnerabilities in a Web application is a complicated and time-consuming task, so available scanners often concentrate on vulnerabilities that are easier to detect and that are more widespread than the others. After analyzing the source code of some popular open source Web application vulnerability scanners, we found out that they all work in a similar way. They all detect vulnerabilities by finding common error messages or finding input values echoed back to the user. If the Web application uses custom error messages without additional unnecessary information for the user, these methods of detection fail. On the other hand, some of the vulnerabilities are very difficult or even impossible to detect by automated scanners, so human intervention is needed. However, testing without automated scanners is highly impractical because of the large number of input parameters that some Web applications have and the large number of input values that should be used for each parameter. The solution is to combine automated scanners and human intervention. This is the reason why we also took the same approach. We used the computer's capability to process a large amount of data, collecting various pages with big sets of input parameters and input values. User intervention is needed to configure parameters and values for testing and to decide which of the results are indications of vulnerabilities. In this paper the following terms will be used. When talking about a Web page's non-HTML content, i.e. text that can be seen on the screen, it will simply be referenced as content. When talking about a Web page's HTML content, i.e. HTML elements, it will be referenced as the Web page's structure.
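The two detection methods the paper describes (error-message signatures and echoed input), run over constructed responses to show the false negative a custom error page produces. This is an added example, not code from the paper or from any scanner; the marker token, the signature list and the four responses are constructed here.

```python
"""Signature- and echo-based detection, and the case where a custom error page
hides the fault from both. Added example; responses and signatures are constructed."""
import html
import re

# A unique, harmless token sent as the input value. It contains angle brackets so
# that an application which HTML-encodes output changes its spelling on the way back.
MARKER = "zq<7>zq"

# Illustrative signatures of verbose database error output (constructed, not exhaustive).
ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"ORA-\d{5}"),
    re.compile(r"Unclosed quotation mark", re.I),
]

# Constructed responses to the same request, each with MARKER as the parameter value.
RESPONSES = {
    # Verbose error: the database complaint is passed straight through to the user.
    "verbose_error": "<html><body>You have an error in your SQL syntax; check the manual"
                     " that corresponds to your MySQL server version</body></html>",
    # Custom error page: same underlying failure, nothing a signature can match.
    "custom_error": "<html><body><h1>Something went wrong</h1>"
                    "<p>Please try again later. Reference: 4f2a</p></body></html>",
    # Input echoed verbatim into the page structure.
    "raw_echo": "<html><body><p>Results for: zq<7>zq</p></body></html>",
    # Input echoed after HTML encoding: visible as content, absent from structure.
    "escaped_echo": "<html><body><p>Results for: zq&lt;7&gt;zq</p></body></html>",
}


def structure_and_content(body):
    """Split a response along the paper's two terms: 'structure' is the raw HTML,
    'content' is the text a user sees once tags are dropped and entities decoded."""
    visible = re.sub(r"<[^>]+>", " ", body)
    return body, html.unescape(visible)


def classify_response(marker, body):
    """What a signature/echo-based scanner would report for one response:
    'verbose-error', 'reflected-in-structure', 'reflected-in-content-only', or None."""
    structure, content = structure_and_content(body)
    if any(sig.search(body) for sig in ERROR_SIGNATURES):
        return "verbose-error"
    if marker in structure:
        # The token survived unencoded into the HTML: the indication such scanners flag.
        return "reflected-in-structure"
    if marker in content:
        # Only visible after entity decoding, i.e. the application encoded it.
        return "reflected-in-content-only"
    # Nothing to match. For the custom error page this is the false negative the
    # passage describes: the fault may exist, but this method cannot see it.
    return None


def scan(marker, responses):
    """Run the heuristic over every captured response. None results are the cases
    left to the human review step the paper argues is still needed."""
    return {name: classify_response(marker, body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in scan(MARKER, RESPONSES).items():
        print(f"{name:14s} -> {verdict}")
```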

Once a network inventory is obtained, all IT assets connected to each network segment should be scanned or monitored periodically for vulnerabilities. These assets include devices such as business application servers (e.g., database, e-mail, Web, and customer relationship management servers), security devices, telecommunication and networking devices, and printers.
Scanning refers to network devices or specialized applications that actively probe other applications and IT assets for weaknesses. These devices should be scheduled to run daily, monthly, or quarterly based on the needs, risks, or capability of the organization.
Monitoring refers to software agents installed on IT assets that report host configuration information. It also refers to network devices that continuously listen to network traffic and report, or optionally block, malicious traffic that may exploit a vulnerability. These devices also are useful for identifying rogue or previously unknown IT assets. They are considered a preventive security control because of their ability to block attacks before they cause loss.
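The reconciliation this section implies, as an added example that is not part of the guide: compare the network inventory with what passive monitoring actually saw (rogue or unknown assets), find inventoried assets that were never scanned, and check each asset's last scan against the cadence chosen for its segment. The inventory, scan log, observations and field names are all constructed for this example.

```python
"""Reconcile a per-segment asset inventory with scan records and monitoring
observations. Added example; all data below is constructed sample data."""
from datetime import date, timedelta

# Constructed inventory: per network segment, the scan cadence management chose
# (days between scans, daily/monthly/quarterly per the text) and the known assets.
INVENTORY = {
    "corp-wired": {"cadence_days": 30, "assets": {"10.1.0.10", "10.1.0.11", "10.1.0.20"}},
    "production": {"cadence_days": 1,  "assets": {"10.2.0.5", "10.2.0.6"}},
    "lab":        {"cadence_days": 90, "assets": {"10.9.0.3"}},
}

# Constructed scan log: (segment, host, date of last completed scan).
SCAN_LOG = [
    ("corp-wired", "10.1.0.10", date(2024, 5, 1)),
    ("corp-wired", "10.1.0.11", date(2024, 3, 2)),   # well past a 30-day cadence
    ("production", "10.2.0.5",  date(2024, 5, 29)),
    ("production", "10.2.0.6",  date(2024, 5, 30)),
    ("lab",        "10.9.0.3",  date(2024, 1, 15)),  # past a 90-day cadence
]

# Constructed passive-monitoring view: hosts seen sending traffic on each segment.
MONITOR_SEEN = {
    "corp-wired": {"10.1.0.10", "10.1.0.11", "10.1.0.20", "10.1.0.99"},  # .99 unknown
    "production": {"10.2.0.5", "10.2.0.6"},
    "lab":        {"10.9.0.3", "10.9.0.44"},                             # .44 unknown
}

# Reference date for the report (constructed).
AS_OF = date(2024, 5, 31)


def rogue_assets(inventory, seen):
    """Hosts observed by monitoring but absent from the inventory, per segment.
    This is the 'rogue or previously unknown IT assets' use the section mentions."""
    rogue = {}
    for seg, hosts in seen.items():
        known = inventory.get(seg, {}).get("assets", set())
        unknown = hosts - known
        if unknown:
            rogue[seg] = sorted(unknown)
    return rogue


def never_scanned(inventory, scan_log):
    """Inventoried assets with no scan record at all: a coverage gap."""
    scanned = {(seg, host) for seg, host, _ in scan_log}
    return sorted((seg, host)
                  for seg, data in inventory.items()
                  for host in data["assets"]
                  if (seg, host) not in scanned)


def overdue_scans(inventory, scan_log, today):
    """Assets whose most recent scan is older than their segment's cadence,
    as (segment, host, days since last scan)."""
    latest = {}
    for seg, host, when in scan_log:
        if (seg, host) not in latest or when > latest[(seg, host)]:
            latest[(seg, host)] = when
    overdue = []
    for (seg, host), when in latest.items():
        allowed = timedelta(days=inventory[seg]["cadence_days"])
        age = today - when
        if age > allowed:
            overdue.append((seg, host, age.days))
    return sorted(overdue)


if __name__ == "__main__":
    print("rogue assets:  ", rogue_assets(INVENTORY, MONITOR_SEEN))
    print("never scanned: ", never_scanned(INVENTORY, SCAN_LOG))
    print("overdue scans: ", overdue_scans(INVENTORY, SCAN_LOG, AS_OF))
```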
Validating Findings
Finally, companies should validate the results from the vulnerability monitoring and
scanning process. Although the sophistication and accuracy of vulnerability scanning and
monitoring devices are generally good, they always have limitations. Errors can occur in the
form of false positives or false negatives. A false positive is a vulnerability that has been
reported but does not exist, because the detection mechanism was in error. A false negative
occurs when a vulnerability exists, but the detection system failed to identify it.
When you're testing IP-based hosts, you often don't need to manually validate every single finding, only occasionally. However, with Web applications, you need to validate just about everything to ensure you're not documenting problems and solutions for issues that don't even exist. I told the project manager that for an SSL certification flaw I uncovered, the scanner is providing the same information I'd be able to get via any other means.
Another flaw was regarding the internal IP address being exposed on the server. The project manager was specifically interested in that finding. I told him that the internal IP address uncovered was right before us in the scanner results. Although there may be some circumstances that warrant it, I've never found a need to manually validate this specific vulnerability. In fact, this one could be next to impossible unless you're on the internal network, but that's a different discussion. Either way, if the scanner finds an internal IP address, it finds an internal IP address. There's no other explanation for how a scanner could come up with a random internal IP address that happens to match an internal IP addressing scheme (that I happened to know of) otherwise.
Be it a web vulnerability scanner or advanced penetration testing tools you use manually, you need reliable means to ferret out such information, especially if it's to be reliable and accurate. But in most cases, based on my experience, you're not going to have to double-check every single finding of a server host in this regard.
IT VULNERABILITIES

Today's state-of-the-art network security appliances do a great job of keeping the cyber monsters from invading your business. But what do you do when the monster is actually inside the security perimeter? Unfortunately, all of the crosses, garlic, wooden stakes and silver bullets in the world have little effect on today's most nefarious cyber creatures. Here are the top 10 ways your network can be attacked from inside and what you can do to ensure your business never has to perform an exorcism on your servers.

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.
A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning as risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled (see zero-day attack).
A security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software; hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Examples of IT Vulnerabilities:

1. USB thumb drives: Believe it or not, USB drives are actually one of, if not the most,
common ways you can infect a network from inside a firewall. There are several
reasons for this; they're inexpensive, small, hold a lot of data and can be used between
multiple computer types. The ubiquity of thumb drives has driven hackers to develop
targeted malware, such as the notorious Conficker worm, that can automatically
execute upon connecting with a live USB port. What's worse is that default operating
system configurations typically allow most programs (including malicious ones) to run
automatically. That's the equivalent of everyone in your neighborhood having an electric
garage door opener and being able to use it to open everyone else's garage doors.
What to do: Change the computer's default autorun policies. You can find information
on how to do that within Windows environments online.

2. Laptops and netbooks: Laptops are discreet, portable, include full operating
systems, can operate using an internal battery and come with a handy Ethernet port for
tapping directly into a network. What's more, a notebook may already have malicious
code running in the background that is tasked to scour the network and find additional
systems to infect. This notebook could belong to an internal employee or guest who's
visiting and working from an open cube or office.

Beyond infected laptops compromising an internal network, it's important to think about
the laptops themselves. All companies have some forms of sensitive information that
absolutely cannot leave the walls of the building (salary information, medical records,
home addresses, phone numbers and Social Security numbers are just a few obvious
examples). It becomes very dangerous when that information is stored on an unsecured
portable computer, as they are easy to walk off with. We've seen numerous, publicly
disclosed instances of notebooks with sensitive data that have "gone missing." Unless
the laptop employs a tough encryption algorithm, data is often easy to recover from any
given file system.

What to do: Implement an encrypted file system for sensitive data. There are a number
of off-the-shelf solutions out there to choose from, along with open source ones such as
TrueCrypt. Control over endpoints that enter and exit the internal system is also
important. Sensitive information, such as VPN, DV and Wi-Fi access should not be
stored persistently on devices such as laptops or netbooks.

3. Wireless access points: Wireless APs provide immediate connectivity to any user within proximity of the
network. Wireless attacks by wardrivers (people in vehicles searching for unsecured Wi-
Fi networks) are common and have caused significant damage in the past. TJ Stores,
owners of Marshalls and TJMaxx, was attacked using this method, and intruders
penetrated the company's computer systems that process and store customer
transactions including credit card, debit card, check and merchandise return
transactions. It's been reported that this intrusion has cost TJ Stores more than $500
million dollars to date.

Wireless APs are naturally insecure, regardless of whether encryption is used. Protocols
such as wireless encryption protocol contain known vulnerabilities that are easily
compromised with attack frameworks, such as Aircrack. More robust protocols such as
wireless protected access (WPA) and WPA2 are still prone to dictionary attacks if strong
keys are not used.
What to do: WPA2 Enterprise using RADIUS is recommended along with an AP that is
capable of performing authentication and enforcing security measures. Strong, mixed
passwords should be used and changed on a fairly frequent basis. Generally, wireless
APs are connected for convenience, so it is usually not necessary to have them
connected to a working environment.

4. Miscellaneous USB devices: Thumb drives aren't the only USB-connected devices
IT needs to be wary of. Many devices are also capable of storing data on common file
systems that can be read and written to through a USB or similar connection. Since it
isn't the primary function of these devices, they are often forgotten as a potential threat.
The fact is, if an endpoint can read and execute data from the device, it can pose just as
much of a threat as a thumb drive. These devices include digital cameras, MP3
players, printers, scanners, fax machines and even digital picture frames. In 2008, Best
Buy reported that they found a virus in the Insignia picture frames they were selling at
Christmas that came directly from the manufacturer.

What to do: Implement and enforce asset control and policies around what devices can
enter the environment and when. And then follow that up with frequent policy reminders.
In 2008, the Department of Defense developed policies and banned USB and other
removable media from entering/exiting their environments.

5. Inside connections: Internal company employees can also inadvertently or
intentionally access areas of the network that they wouldn't or shouldn't otherwise have
access to and compromise endpoints using any of the means outlined in this article.
Maybe the employee "borrows" a co-worker's machine while he's away at lunch. Maybe
the employee asks a fellow worker for help accessing an area of the network that he
doesn't have access to.

What to do: Passwords should be changed regularly. Authentication and access levels
are a must for any employee -- he should only have access to systems, file shares, etc.
that are needed to fulfill his duties. Any special requests should always be escalated to
a team (not a single user with authority) who can authorize the request.

6. The Trojan human: Like the Trojan horse, the Trojan human comes into a business
in some type of disguise. He could be in business attire or dressed like a legitimate
repairman (appliance, telecom, HVAC). These types of tricksters have been known to
penetrate some pretty secure environments, including server rooms. Through our own
social conditioning, we have the tendency to not stop and question an appropriately
attired person we don't recognize in our office environment. An employee may not think
twice about swiping their access card to allow a uniformed worker into their environment
for servicing. It can take less than a minute for an unsupervised person in a server room
to infect the network.

What to do: Reminders should be sent to employees about authorizing third parties.
Identify the source by asking questions, not making assumptions.
7. Optical media: In June 2010, an Army intelligence analyst was arrested after being
charged with stealing and leaking confidential data to public networks. Sources claim
the analyst did so by bringing in music CDs labeled with popular recording artists, using
this medium only as a guise. Once he had access to a networked workstation, he would
access the classified information he had authorized credentials for and store the data on
the "music" CDs in encrypted archives. To help cover his tracks, the analyst would lip
sync to the music that was supposedly stored on the CDs while at his workstation.
Recordable media that appear to be legitimate can be and have been used to piggyback
data in and out of networks. And, like the thumb drives mentioned above, they can be
used as a source for network infection.

What to do: As with the USB tip, it's important to implement and enforce asset control
and policies around what devices can enter the environment and when. And then follow
that up with frequent policy reminders.

8. Hindsight is 20/20: While much of this list focuses on mitigating threats that
capitalize on digital technology, we shouldn't forget that the human mind is also very
effective at storing information. Who is watching you when you log into your desktop?
Where are your hard copies stored? What confidential documents are you reading on
your laptop at the coffee shop, airplane, etc.?

What to do: The best safeguard is being conscious and alert about this threat
whenever working on sensitive material -- even if it means stopping what you're doing
momentarily to observe your surroundings.

9. Smartphones and other digital devices: Today, phones do more than just allow
you to call anyone in the world from anywhere; they're full-functioning computers,
complete with Wi-Fi connectivity, multithreaded operating systems, high storage
capacity, high-resolution cameras and vast application support. And they, along with
other portable tablet-like devices, are starting to be given the green light in business
environments. These new devices have the potential to pose the same threats we've
seen with notebooks and thumb drives. What's more, these devices also have the
potential to elude traditional data-leak prevention solutions. What's to stop a user from
taking a high-resolution picture of a computer screen, and then e-mailing it over a
phone's 3G network?

What to do: The same rules for USB devices and optical media apply here. Implement
and enforce asset control and policies around what devices can enter the environment
and when.

10. E-mail: E-mail is frequently used within businesses to send and receive data;
however, it's often misused. Messages with confidential information can easily be
forwarded to any external target. In addition, the e-mails themselves can carry nasty
viruses. One targeted e-mail could phish for access credentials from an employee.
These stolen credentials would then be leveraged in a second-stage attack.
What to do: With e-mail security, source identification is key. Identify the sender using
technology such as PGP, or a simple array of questions before sending sensitive
information. Access control to broad alias-based e-mail addresses should be enforced.
And policy and reminders should be sent out to employees.
