This document summarizes the results of a security audit conducted by Martinez Technology Consulting for COVERT Security Systems. The audit included assessing physical security, wireless networks, servers, workstations, and policies. Wireless networks were found to use outdated and insecure encryption methods. Servers had weak password policies and lacked patching. The network used an unsegmented flat design without central management. Several recommendations were provided to address issues, including implementing Active Directory, wireless encryption upgrades, firewalls, logging, backup solutions, and physical access controls. The findings highlighted the need for COVERT to continually evolve their security practices.
2. Who Are We?
• IT Security Audit Firm
• Since June 2011
• Corporate Headquarters located in Milwaukee, WI
• Privately held and operated
• Specializing in logical and physical security audits
3. Mission Statement
Our mission is simple: We want to make your
company’s security an enhancement, not a
hindrance. Unlike other IT firms, COVERT will
only recommend solutions that are appropriate for
the specific client while keeping business
operations in mind. We work with our clients to
provide the best possible support, training,
documentation, policies and plans to ensure the
utmost security.
4. Security Audit Department Staff
Lane Salmon
Joseph Finn
Robert Conti
Ryan Urban
Jason Leitner
Matthew Wiza
Ronald Cox
Roles: Project Lead, Project Manager, Security Staff
7. Scope
Primary: Security Audit
• Audit security functions already in place
• Physical and virtual audit including penetration testing
• Of both MTC as well as the housing Church (Cedar Hills Church)
Secondary: The Three P’s Review
• Review already in place: Policies, Processes and Procedures
Final: Recommendations and Reports
• Create final analysis reports
• Create updated policies, processes and procedures
10. Our Process
Data Gathering
• Interviewed MCT Staff
• Internet and public record searches
Verification
• Verified data collected
Security Audit
• Physical, Logical and Social
Policy Review and Creation
• Review policies currently in place, expand upon or create
Information Consolidation and Review
14. Interview – Key Findings
Joe Cindy
• CEO of MTC
• Specialize in SAP cloud services and training
• Recently terminated an employee
• Does not regularly check logs of any kind
• No Disaster Recovery Plan in place
• Time Warner is the ISP
• Rents a firewall from them
• Company web pages are not hosted locally
• Remote access via RDP using open ports and basic Windows authentication
21. Scanning and Enumeration
MTC Network
• IP Schema
• Ping Sweeps
• Fingerprinting (Limited)
Cedar Hills Network
• IP Schema
• Ping Sweeps
• Fingerprinting
• Port Scanning
• Enumeration
22. Tools Used for Scanning Process
• NMAP
• Hping
• Tracert
• Dsniff
• DFI LANguard
23. Fingerprint of Server CCI-SAP14
• Server Data\Win Audit\CCI-SAP14\CCI-SAP14.html
• A few of the security flaws that were found:
Item Name Setting
Screen Saver Enabled Yes
Screen Saver Timeout 9999 Minutes
Screen Saver Password Protected No
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age Forever
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Disabled
Automatic Updates Update Schedule Every day
Internet Explorer Download Files Allow
24. Fingerprint of Server CCI-SAP17B
• Server Data\Win Audit\CCI-SAP17B\CCI-SAP17B.html
Item Name Setting
Screen Saver Enabled Yes
Screen Saver Timeout 10 Minutes
Screen Saver Password Protected Yes
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age 42 Days
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Notify before installation
Automatic Updates Update Schedule Every day
Internet Explorer Download Files Not allowed
25. Fingerprint of Server ECC6C2
• Server Data\Win Audit\ECC6C2\ECC6C2.html
Item Name Setting
AutoLogon Enabled No
Screen Saver Enabled Yes
Screen Saver Timeout 0 Seconds
Screen Saver Password Protected No
All Accounts Force Network Logoff Never
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age Forever
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Disabled
Automatic Updates Update Schedule Every day
Internet Explorer Run Script Allow
Internet Explorer Run ActiveX Allow
Internet Explorer Run Java Allow
Internet Explorer Download Files Allow
Internet Explorer Install Desktop Items Prompt user
Internet Explorer Launch Applications Prompt user
26. Fingerprint of Server SVCTAG-2KXKWC1
• Server Data\Win Audit\SVCTAG-2KXKWC1\SVCTAG-2KXKWC1.html
Item Name Setting
Screen Saver Enabled Yes
Screen Saver Timeout 10 Minutes
Screen Saver Password Protected Yes
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age 42 Days
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status NotConfigured
Automatic Updates Update Schedule Every day
Internet Explorer Download Files Allow
27. Fingerprint of Server SVCTAG-5KXKWC1
• Server Data\Win Audit\SVCTAG-5KXKWC1\SVCTAG-5KXKWC1.html
Item Name Setting
Screen Saver Enabled Yes
Screen Saver Timeout 10 Minutes
Screen Saver Password Protected Yes
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age 42 Days
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status NotConfigured
Automatic Updates Update Schedule Every day
Internet Explorer Download Files Allow
28. Fingerprint of Server SVCTAG-CJXKWC1
• Server Data\Win Audit\SVCTAG-CJXKWC1\SVCTAG-CJXKWC1.html
Item Name Setting
Screen Saver Enabled Yes
Screen Saver Timeout 10 Minutes
Screen Saver Password Protected Yes
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age 42 Days
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Scheduled installation
Automatic Updates Update Schedule Every day
Internet Explorer Download Files Allow
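The six fingerprint tables above are all in the same "Item Name Setting" form, so the findings they carry (0-character minimum password length, no lockout threshold, no password history, "Forever" maximum age, disabled or unconfigured updates) can be checked in one pass rather than read off by eye. The following is an added Python example, not code from the audit deck and not part of WinAudit, SIW or MBSA. The two sample records are copied from the CCI-SAP14 and SVCTAG-CJXKWC1 tables; the baseline thresholds (8-character minimum, 1 to 90 day maximum age, 5 remembered passwords, lockout after 1 to 10 attempts, a 15-minute password-protected screen saver, scheduled update installation, and downloads not allowed on a server) are assumptions standing in for a client's written policy, not values from the deck.

```python
"""Baseline check over audit records in the deck's "Item Name Setting" form.
Added example, not code from the audit deck or from WinAudit, SIW or MBSA.
Sample records are copied from the CCI-SAP14 and SVCTAG-CJXKWC1 tables;
the baseline thresholds are assumptions standing in for a written policy."""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed input: the deck's own fingerprint lines for two of the servers.
SAMPLE_AUDIT = {
    "CCI-SAP14": """\
Screen Saver Enabled Yes
Screen Saver Timeout 9999 Minutes
Screen Saver Password Protected No
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age Forever
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Disabled
Automatic Updates Update Schedule Every day
Internet Explorer Download Files Allow
""",
    "SVCTAG-CJXKWC1": """\
Screen Saver Enabled Yes
Screen Saver Timeout 10 Minutes
Screen Saver Password Protected Yes
All Accounts Minimum Password Length 0 Characters
All Accounts Maximum Password Age 42 Days
All Accounts Historical Passwords 0 remembered
All Accounts Lockout Threshold 0 Attempts
Automatic Updates Update Status Scheduled installation
Automatic Updates Update Schedule Every day
Internet Explorer Download Files Allow
""",
}

def _number(setting: str):
    """First integer in '42 Days' style text; None for words like 'Forever'."""
    m = re.search(r"\d+", setting)
    return int(m.group()) if m else None

def _timeout_ok(setting: str) -> bool:
    """Screen saver must engage within 15 minutes; 0 means it never locks."""
    n = _number(setting)
    if not n:
        return False
    minutes = n / 60 if "second" in setting.lower() else n
    return minutes <= 15

@dataclass(frozen=True)
class Rule:
    key: str                      # "Item Name" prefix exactly as printed
    check: Callable[[str], bool]  # True when the setting meets the baseline
    expected: str                 # baseline text for the findings report

# Assumed baseline (not from the deck): typical small-business policy values.
# 'Forever' yields no number, so the maximum-age rule fails it as intended.
RULES = [
    Rule("Screen Saver Timeout", _timeout_ok, "15 minutes or less, never 0"),
    Rule("Screen Saver Password Protected", lambda s: s.lower() == "yes", "Yes"),
    Rule("All Accounts Minimum Password Length",
         lambda s: (_number(s) or 0) >= 8, "8 characters or more"),
    Rule("All Accounts Maximum Password Age",
         lambda s: 0 < (_number(s) or 0) <= 90, "1 to 90 days"),
    Rule("All Accounts Historical Passwords",
         lambda s: (_number(s) or 0) >= 5, "5 or more remembered"),
    Rule("All Accounts Lockout Threshold",
         lambda s: 0 < (_number(s) or 0) <= 10, "1 to 10 attempts"),
    Rule("Automatic Updates Update Status",
         lambda s: s.lower() == "scheduled installation", "Scheduled installation"),
    Rule("Internet Explorer Download Files",
         lambda s: s.lower() == "not allowed", "Not allowed on a server"),
]

def parse_report(text: str) -> dict:
    """Map each known 'Item Name' prefix to the setting text that follows it."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        for rule in RULES:
            if line.startswith(rule.key + " "):
                settings[rule.key] = line[len(rule.key):].strip()
                break
    return settings

def evaluate(text: str) -> list:
    """(item, observed, expected) for each rule the report fails or omits."""
    settings = parse_report(text)
    findings = []
    for rule in RULES:
        observed = settings.get(rule.key, "<not reported>")
        if observed == "<not reported>" or not rule.check(observed):
            findings.append((rule.key, observed, rule.expected))
    return findings

if __name__ == "__main__":
    for host, text in SAMPLE_AUDIT.items():
        for item, observed, expected in evaluate(text):
            print(f"{host}: {item} is '{observed}', expected {expected}")
```

Run as-is it reports eight findings for CCI-SAP14 and four for SVCTAG-CJXKWC1. A setting the report never mentions is also listed as a finding, so a report that silently omits the lockout threshold does not pass by accident; the rule table is the place to put the client's real policy values once the written policy exists.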
29. Win Audit
• WinAudit is a software program that audits Windows based personal computers. Just about every aspect of computer inventory is examined. The report is displayed as a web page, which can be saved in a number of standard formats. You can e-mail it to your technical support or even post the audit to a database for archiving. When used in conjunction with its command line functionality, you can automate inventory administration at the network level.
http://www.pxserver.com/WinAudit.htm
30. System Information for Windows (SIW)
• SIW is an advanced System Information for Windows tool that analyzes your computer and gathers detailed information about system properties and settings and displays it in an extremely comprehensible manner.
http://www.gtopala.com/
31. SIW Continued
• The System Information is divided into a few major categories:
• Software Information: Operating System, Software Licenses (Product Keys / Serial Numbers / CD Key), Installed Software and Hot fixes, Processes, Services, Users, Open Files, System Uptime, Installed Codecs, Passwords Recovery, Server Configuration.
• Hardware Information: Motherboard, CPU, Sensors, BIOS, chipset, PCI/AGP, USB and ISA/PnP Devices, Memory, Video Card, Monitor, Disk Drives, CD/DVD Devices, SCSI Devices, S.M.A.R.T., Ports, Printers.
• Network Information: Network Cards, Network Shares, currently active Network Connections, Open Ports.
• Network Tools: MAC Address Changer, Neighborhood Scan, Ping, Trace, Statistics, Broadband Speed Test
• Miscellaneous Tools: Eureka! (Reveal lost passwords hidden behind asterisks), Monitor Test, Shutdown / Restart.
• Real-time monitors: CPU, Memory, Page File usage and Network Traffic.
32. Microsoft Baseline Security Analyzer
• Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
http://technet.microsoft.com/en-us/security/cc184924
33. SIW Audit of Server CCISAP\ECC6C2
• Server Data\SIW\ECC6siwReport.html
SIW Audit of Server CCI-SAP14
• Server Data\SIW\SIW_FREEWARE_CCI-SAP14_20110718_192250.html
SIW Audit of Server CCI-SAP17B
• Server Data\SIW\SIW_FREEWARE_CCI-SAP17B_20110718_194229.html
Analyzer Audit of Server CCISAP\ECC6C2
• Server Data\Analyzer\ECC6.xps
Analyzer Audit of Server WORKGROUP\SVCTAG-2KXKWC1
• Server Data\Analyzer\ubuntu.mht
34. SIW Audit of Server CCISAP\ECC6C2
• Server Data\SIW\SIW_FREEWARE_ECC6C2_20110718_192841.html
SIW Audit of Server WORKGROUP\SVCTAG-5KXKWC1
• Server Data\SIW\SIW_FREEWARE_SVCTAG-5KXKWC1_20110718_192726.html
SIW Audit of Server WORKGROUP\SVCTAG-CJXKWC1
• Server Data\SIW\SIW_FREEWARE_SVCTAG-CJXKWC1_20110718_184840.html
Analyzer Audit of Server WORKGROUP\SVCTAG-CJXKWC1
• Server Data\Analyzer\C4.xps
Analyzer Audit of Server WORKGROUP\SVCTAG-5KXKWC1
• Server Data\Analyzer\c3ecc6.mht
35. Physical Site Security
Fire Suppressions
Power Issues
Access Control
Door & Window Reinforcement
Site Monitoring
41. Audit Findings Summary
Wireless
• Cedar Hills WEP -> WPA2
• Cedar Hills wireless and LAN same network
Network
• Flat Network
• Lack of central management (AD)
• Lack of enforced network security policy
• Windows Updates
Physical
• Social Engineering successful
• Power Issues
• High Availability and Redundancy
• Cooling
• Fire Suppression
• Battery backup
• Backup process
• Security Camera
42. Recommendations Specifics
• Implement AD system
  • This will allow constant server hardening and policies to be pushed to all machines
• IDS
• Logging
• Wireless change to WPA2
• Change password to complex on all networking devices
  • Including church router and printer
• Backup system
• High Availability
  • Switches, routers, ISP, Important servers
• Redundancy
  • Switches, routers, ISP, UPS, Cooling
  • Possibly Hot or Cold site
• Inventory Control
43. Recommendations Specifics (Continued)
• Physical Security
  • Camera and access controls
    • Must include logging capabilities
  • Reinforced doors and walls
  • Glass into server room - remove
  • Fire suppression
  • Seal Server room for better cooling
• Power issues
  • Extension cord
• Encryption on Laptops
• More Secure method of Remote Access
I don’t think we should read this mission statement but just a quick summary of our key beliefs.
-don’t interrupt the normal business procedures.
-focus on security
-only recommend applicable and necessary upgrades/changes
-With our network infrastructures going into the cloud, our security must follow along. With all the benefits and increased functionality that the cloud can bring, it also offers many security related challenges.
-This new horizon has proven a challenge for many companies so far this year, including Sony, RSA and WordPress.
Add more specifics
http://mobile.eweek.com/c/a/Security/10-Biggest-Data-Breaches-of-2011-So-Far-175567/
http://www.informationweek.com/news/security/229401787
We put our best efforts into securing from the most common to the least to ensure you’re getting the most out of your investment.
Update with exact
I need the Gantt chart in another form than PDF
Make sure this format is followed throughout the PPT
Plan and organize
Implement
Operate and maintain
Monitor and evaluate
Make sure these diag.’s get updated before presentation for the larger text
Also make sure you say which floor plan is which.
Have to enlarge text and add diagram
Ron has the interview notes from Cindy
Exploiting human vulnerability.
The weakest link is untrained employees. We took advantage of this.
Recommend the social eng. Toolkit
Outline our steps -> in the way outlined in slide
Include Diagrams/SSIDS list/WEP Cracking
The main purpose of this audit procedure was to show how many people were around. If we can see their wireless they can see MCT
Video inserted here. Will not show until presentation because it isn't embedded.
Explain what is going on along with it
Note that this is a list of discoverable network devices. Define discoverable.
Fingerprinting
Don’t go into detail about pen testing them
NOTE: that we were not allowed to attack the MTC Network
Enumeration occurs after scanning and is the process of gathering and compiling user names, machine names, network resources, shares and services.
Define fingerprinting
May want to take this out, duplicate as info before it
Create a section of all tools and resources used in this audit
Figure out where this should go. Before all audit finds or after (one of the last)
Make sure addition of server function is done
We may not want to use these in presentation
Explain what it is: How to stay in business in the event of a disaster
Why we need it.
Go over the steps and then go into the DR plan
This plan also has to include things like state of current Fire suppression, power issues, UPS and then suggestions to fix
We could do tour here
Ethics Policy
Defines the means to establish a culture of openness, trust and integrity in business practices.
Dial-in Access Policy
Defines appropriate dial-in access and its use by authorized personnel.
We need to upgrade our DR plan to include HA and redundancy. Possibly the option of a hot/cold site
This has got to relate to $$, both from loss and the cost of creation
Do not define solutions to these just identify the vulnerabilities
Define flat network
Create more slides here such as backups/compliance
Make sure we put together training materials for employees and clients who have access to system.
Have to enlarge text and add diagram
Break up into current cost monthly and one time costs including a total for one year
Explain the graph – businesses which reported incidents to law enforcement within the US
Sales pitch: As technology evolves so does the workplace’s network infrastructure. This evolution unfortunately brings more security vulnerabilities into the workplace to keep updated and tested. Network security audits should not be a one-time test but an ongoing process to be done at set intervals throughout the year. We hope you will think of us again next time that date pops onto your calendars.
Thank you