ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security Audit

Post on 16-Nov-2014


Martinez Technology Consulting Security Audit

COVERT Security Systems

Who Are We?

• IT Security Audit Firm

• Since June 2011

• Corporate Headquarters located in Milwaukee, WI

• Privately held and operated

• Specializing in logical and physical security audits

Mission Statement

Our mission is simple: We want to make your company’s security an enhancement, not a hindrance. Unlike other IT firms, COVERT will only recommend solutions that are appropriate for the specific client while keeping business operations in mind. We work with our clients to provide the best possible support, training, documentation, policies and plans to ensure the utmost security.

Security Audit Department Staff

Lane Salmon

Joseph Finn

Robert Conti

Ryan Urban

Jason Leitner

Matthew Wiza

Ronald Cox

Project Lead Project Manager Security Staff

Security Industry As A Whole

2011 Cloud Security

Largest Threats

Graph from Infoweek.com article (see Cited Sources)

Scope

Security Audit (Primary)
• Audit security functions already in place
• Physical and virtual audit including penetration testing
• Of both MTC as well as the housing Church (Cedar Hills Church)

The Three P’s Review (Secondary)
• Review already in place:
• Policies, Processes and Procedures

Recommendations and Reports (Final)
• Create final analysis reports
• Create updated policies, processes and procedures

RFP (Request)

RFP (Response)

Our Process

Data Gathering
• Interviewed MTC Staff
• Internet and public record searches

Verification
• Verified data collected

Security Audit
• Physical, Logical and Social

Policy Review and Creation
• Review policies currently in place, expand upon or create

Information Consolidation and Review

Data Gathering

Physical Mapping

Interview

Server/Workstation Audit

Physical Floor Plan

Current Network Diagram

Interview – Key Findings

Joe
• CEO of MTC
• Specializes in SAP cloud services and training
• Recently terminated an employee
• Does not regularly check logs of any kind
• No Disaster Recovery Plan in place
• Time Warner is the ISP
• Rents a firewall from them
• Company web pages are not hosted locally
• Remote access via RDP using open ports and basic Windows authentication

Social Engineering

Exploit

Create Story A and B

Created Credentials

Verified Info

Took Known Info

Verification

Cross Reference Interview Questions

Web search

Security Audit

Network Audit

Wireless Audit

Software and Hardware Audit

• Pinks: 802.11G, WEP
• Kitty: 802.11N, WPA2
• PK Fire: 802.11N, WPA2
• 2Wire243: 802.11G, WPA2
• 2Wire160: 802.11G, WPA2
• Bad Rocket: 802.11G, Open
• FinalApproach: 802.11G, WEP
• Pegassus3: 802.11N, WPA2
• The430: 802.11G, WEP
• 2Wire157: 802.11N, WPA2
• Belkin.5284: 802.11G, WPA
• Pegasus2: 802.11G, WPA2

Wireless Audit

[Pie chart: Wireless Encryption Types Within 1 Block. Legend: WEP, WPA2, Open, WPA. Slice values: 13%, 58%, 13%, 15%. 52 Access Points Total.]

Wireless Audit

Wireless Audit Tools

Backtrack 5

Wireless Adapter (monitor)

Airodump-ng, Aireplay-ng, Airmon-ng

Scanning and Enumeration

MTC Network

IP Schema

Ping Sweeps

Fingerprinting (Limited)

Tools Used for Scanning Process

• NMAP
• Hping
• Tracert
• Dsniff
• GFI LANguard

Fingerprint of Server CCI-SAP14

• Server Data\Win Audit\CCI-SAP14\CCI-SAP14.html

• A few security flaws that were found.

Item Name Setting

Screen Saver Enabled Yes

Screen Saver Timeout 9999 Minutes

Screen Saver Password Protected No

All Accounts Minimum Password Length 0 Characters

All Accounts Maximum Password Age Forever

All Accounts Historical Passwords 0 remembered

All Accounts Lockout Threshold 0 Attempts

Automatic Updates Update Status Disabled

Automatic Updates Update Schedule Every day

Internet Explorer Download Files Allow

Fingerprint of Server CCI-SAP17B

• Server Data\Win Audit\CCI-SAP17B\CCI-SAP17B.html

Item Name Setting

Screen Saver Enabled Yes

Screen Saver Timeout 10 Minutes

Screen Saver Password Protected Yes

All Accounts Minimum Password Length 0 Characters

All Accounts Maximum Password Age 42 Days

All Accounts Historical Passwords 0 remembered

All Accounts Lockout Threshold 0 Attempts

Automatic Updates Update Status Notify before installation

Automatic Updates Update Schedule Every day

Internet Explorer Download Files Not allowed

Fingerprint of Server ECC6C2

• Server Data\Win Audit\ECC6C2\ECC6C2.html

Item Name Setting

AutoLogon Enabled No

Screen Saver Enabled Yes

Screen Saver Timeout 0 Seconds

Screen Saver Password Protected No

All Accounts Force Network Logoff Never

All Accounts Minimum Password Length 0 Characters

All Accounts Maximum Password Age Forever

All Accounts Historical Passwords 0 remembered

All Accounts Lockout Threshold 0 Attempts

Automatic Updates Update Status Disabled

Automatic Updates Update Schedule Every day

Internet Explorer Run Script Allow

Internet Explorer Run ActiveX Allow

Internet Explorer Run Java Allow

Internet Explorer Download Files Allow

Internet Explorer Install Desktop Items Prompt user

Internet Explorer Launch Applications Prompt user

Fingerprint of Server SVCTAG-2KXKWC1

• Server Data\Win Audit\SVCTAG-2KXKWC1\SVCTAG-2KXKWC1.html

Item Name Setting

Screen Saver Enabled Yes

Screen Saver Timeout 10 Minutes

Screen Saver Password Protected Yes

All Accounts Minimum Password Length 0 Characters

All Accounts Maximum Password Age 42 Days

All Accounts Historical Passwords 0 remembered

All Accounts Lockout Threshold 0 Attempts

Automatic Updates Update Status NotConfigured

Automatic Updates Update Schedule Every day

Internet Explorer Download Files Allow

Fingerprint of Server SVCTAG-5KXKWC1

• Server Data\Win Audit\SVCTAG-5KXKWC1\SVCTAG-5KXKWC1.html

Item Name Setting

Screen Saver Enabled Yes

Screen Saver Timeout 10 Minutes

Screen Saver Password Protected Yes

All Accounts Minimum Password Length 0 Characters

All Accounts Maximum Password Age 42 Days

All Accounts Historical Passwords 0 remembered

All Accounts Lockout Threshold 0 Attempts

Automatic Updates Update Status NotConfigured

Automatic Updates Update Schedule Every day

Internet Explorer Download Files Allow

Fingerprint of Server SVCTAG-CJXKWC1

• Server Data\Win Audit\SVCTAG-CJXKWC1\SVCTAG-CJXKWC1.html

Item Name Setting

Screen Saver Enabled Yes

Screen Saver Timeout 10 Minutes

Screen Saver Password Protected Yes

All Accounts Minimum Password Length 0 Characters

All Accounts Maximum Password Age 42 Days

All Accounts Historical Passwords 0 remembered

All Accounts Lockout Threshold 0 Attempts

Automatic Updates Update Status Scheduled installation

Automatic Updates Update Schedule Every day

Internet Explorer Download Files Allow
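
Added example (not part of the original presentation): a Python check that reads rows in the flattened WinAudit layout shown in the tables above and lists the settings that miss a baseline. The rows are copied from the CCI-SAP14 and CCI-SAP17B tables; the baseline thresholds and the names `SAMPLE`, `BASELINE` and `audit` are assumptions chosen for illustration.

```python
import re
# Constructed sample: rows copied from two of the WinAudit tables above.
SAMPLE = {
    "CCI-SAP14": """\
Screen Saver Timeout 9999 Minutes
Screen Saver Password Protected No
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age Forever
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Disabled
""",
    "CCI-SAP17B": """\
Screen Saver Timeout 10 Minutes
Screen Saver Password Protected Yes
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age 42 Days
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Notify before installation
""",
}

def _num(setting):
    """Leading integer of a setting ('42 Days' -> 42); 0 if none ('Forever')."""
    m = re.match(r"\d+", setting)
    return int(m.group()) if m else 0

# Assumed baseline (illustrative thresholds, not from the presentation).
# Key = "Category Item Name" prefix; value returns True when compliant.
BASELINE = {
    "Screen Saver Timeout": lambda s: 0 < _num(s) <= 15,  # assumes minutes
    "Screen Saver Password Protected": lambda s: s == "Yes",
    "All Accounts Minimum Password Length": lambda s: _num(s) >= 12,
    "All Accounts Maximum Password Age": lambda s: _num(s) > 0,
    "All Accounts Historical Passwords": lambda s: _num(s) >= 5,
    "All Accounts Lockout Threshold": lambda s: 0 < _num(s) <= 10,
    "Automatic Updates Update Status": lambda s: s not in ("Disabled", "NotConfigured"),
}

def audit(report):
    """Return the sorted baseline keys that a flattened report fails."""
    failed = []
    for line in report.splitlines():
        for key, ok in BASELINE.items():
            if line.startswith(key + " ") and not ok(line[len(key):].strip()):
                failed.append(key)
    return sorted(failed)
```

Calling `audit(SAMPLE["CCI-SAP14"])` returns every baseline key, while CCI-SAP17B fails only the three account-policy rows.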

Win Audit

• WinAudit is a software program that audits Windows based personal computers. Just about every aspect of computer inventory is examined. The report is displayed as a web page, which can be saved in a number of standard formats. You can e-mail it to your technical support or even post the audit to a database for archiving. When used in conjunction with its command line functionality, you can automate inventory administration at the network level.

http://www.pxserver.com/WinAudit.htm

System Information for Windows (SIW)

• SIW is an advanced System Information for Windows tool that analyzes your computer and gathers detailed information about system properties and settings and displays it in an extremely comprehensible manner.

http://www.gtopala.com/

SIW Continued

• The System Information is divided into few major categories:

• Software Information: Operating System, Software Licenses (Product Keys / Serial Numbers / CD Key), Installed Software and Hot fixes, Processes, Services, Users, Open Files, System Uptime, Installed Codec's, Passwords Recovery, Server Configuration.

• Hardware Information: Motherboard, CPU, Sensors, BIOS, chipset, PCI/AGP, USB and ISA/PnP Devices, Memory, Video Card, Monitor, Disk Drives, CD/DVD Devices, SCSI Devices, S.M.A.R.T., Ports, Printers.

• Network Information: Network Cards, Network Shares, currently active Network Connections, Open Ports.

• Network Tools: MAC Address Changer, Neighborhood Scan, Ping, Trace, Statistics, Broadband Speed Test

• Miscellaneous Tools: Eureka! (Reveal lost passwords hidden behind asterisks), Monitor Test, Shutdown / Restart.

• Real-time monitors: CPU, Memory, Page File usage and Network Traffic.

Microsoft Baseline Security Analyzer

• Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

http://technet.microsoft.com/en-us/security/cc184924

SIW Audit of Server CCISAP\ECC6C2

• Server Data\SIW\ECC6siwReport.html

SIW Audit of Server CCI-SAP14

• Server Data\SIW\SIW_FREEWARE_CCI-SAP14_20110718_192250.html

SIW Audit of Server CCI-SAP17B

• Server Data\SIW\SIW_FREEWARE_CCI-SAP17B_20110718_194229.html

Analyzer Audit of Server CCISAP\ECC6C2

• Server Data\Analyzer\ECC6.xps

Analyzer Audit of Server WORKGROUP\SVCTAG-2KXKWC1

• Server Data\Analyzer\ubuntu.mht

SIW Audit of Server CCISAP\ECC6C2

• Server Data\SIW\SIW_FREEWARE_ECC6C2_20110718_192841.html

SIW Audit of Server WORKGROUP\SVCTAG-5KXKWC1

• Server Data\SIW\SIW_FREEWARE_SVCTAG-5KXKWC1_20110718_192726.html

SIW Audit of Server WORKGROUP\SVCTAG-CJXKWC1

• Server Data\SIW\SIW_FREEWARE_SVCTAG-CJXKWC1_20110718_184840.html

Analyzer Audit of Server WORKGROUP\SVCTAG-CJXKWC1

• Server Data\Analyzer\C4.xps

Analyzer Audit of Server WORKGROUP\SVCTAG-5KXKWC1

• Server Data\Analyzer\c3ecc6.mht

Physical Site Security

Fire Suppressions

Power Issues

Access Control

Door & Window Reinforcement

Site Monitoring

Policy Review and Creation

Review Current Policies & Procedures

Update Existing

Create New

Acceptable Use Policy

Define Responsibility

System And Network Activities

Communications

Remote Connection

Proprietary Information Enforcement

Business Continuity Plan

1. Know the Business

2. Assess the Risks

3. Formulate the Plan

4. Implement

5. Test

Disaster Recovery Policy

Current Policy

Current Threats

Acceptable Risk Assessment

Update

Information Consolidation and Review

Audit Overview Recommendations

Suggested Network Diagram

Audit Findings Summary

Wireless
• Cedar Hills WEP -> WPA2
• Cedar Hills wireless and LAN same network

Network
• Flat Network
• Lack of central management (AD)
• Lack of enforced network security policy
• Windows Updates

Physical
• Social Engineering successful
• Power Issues
• High Availability and Redundancy
• Cooling
• Fire Suppression
• Battery backup
• Backup process
• Security Camera

Recommendations Specifics

• Implement AD system
• This will allow constant server hardening and policies to be pushed to all machines
• IDS
• Logging
• Wireless change to WPA2
• Change password to complex on all networking devices
• Including church router and printer
• Backup system
• High Availability
• Switches, routers, ISP, Important servers
• Redundancy
• Switches, routers, ISP, UPS, Cooling
• Possibly Hot or Cold site
• Inventory Control

Recommendations Specifics (Continued)

• Physical Security
• Camera and access controls
• Must include logging capabilities
• Reinforced doors and walls
• Glass into server room - remove
• Fire suppression
• Seal Server room for better cooling
• Power issues
• Extension cord
• Encryption on Laptops
• More Secure method of Remote Access

Final suggested network diagram

Cost Analysis

Continually Evolving

By Incident

Questions?

Thank You For Your Time

References
