Table of Contents

EXECUTIVE SUMMARY .......... 3
NETWORK ASSESSMENT .......... 4
  Network Assessment Overview .......... 5
  External Network Findings .......... 6
  Internal Network Findings .......... 7
  Network Operating System Findings .......... 8
  Sample Host Findings .......... 9
  Key Recommendations .......... 10
CONFIDENTIAL
Page 2 of 10
Executive Summary
Resonant Technology Partners has become increasingly dependent on systems operating on their network to provide adequate security of private information and prevent the disclosure of such information. However, these systems are increasingly vulnerable to a variety of common attacks that take place frequently on corporate networks. To assess how vulnerable their systems may be, Resonant Technology Partners engaged Perimeter eSecurity to conduct an extensive review of their security infrastructure in February 2012. During the review, Perimeter performed a comprehensive security assessment, which involved assessing the overall integrity of the network and critical IT resources. To effectively protect private information and company resources from exposure, Resonant Technology Partners should address the identified key findings noted in this report.

PLEASE NOTE: Professional judgment was used in reaching the conclusions and recommendations presented, and while Perimeter has exercised due care in the performance of this engagement, it should be recognized that other parties may evaluate the results differently and draw different conclusions.
The following summarizes the key recommendations resulting from the assessment:

Short Term Recommendations
- Disable all unnecessary network services.
- Ensure that all equipment has the latest security patches installed.
- Implement stronger network access controls.
- Enable comprehensive security event auditing on all systems.
- Secure all necessary network services.

Long Term Recommendations
- None
CONFIDENTIAL
Page 3 of 10
Network Assessment
Perimeter eSecurity conducted a network vulnerability assessment for Resonant Technology Partners in February 2012. The primary objective of the vulnerability assessment was to assess the overall security level of Resonant Technology Partners' network environment. This review involved a comprehensive assessment of critical network resources and systems. The following is a detailed breakdown of the methodology utilized by Perimeter to perform this part of the assessment.

1. Information gathering - Documentation on the network is gathered during this phase, such as server/device listings, IP address ranges, and network diagrams. Initial discovery scans are run on all applicable address ranges in the network to verify the accuracy of the information provided in the documentation and to identify any discrepancies.

2. Vulnerability testing - A variety of methods and techniques are used during this phase to assess the integrity and overall level of security of the network. Network vulnerability scans, host vulnerability scans, manual checks, and password audits, among other tasks, are performed on the external network, internal network, network operating system, and specific hosts. The scans and checks incorporate testing for the latest vulnerabilities and exploits.

3. Analysis of findings - The data generated from the vulnerability tests are compiled and a thorough and comprehensive analysis is performed. Findings are analyzed to determine the criticality and potential impact each can have on the environment. Checks are performed on the affected systems to eliminate false positives and already-mitigated vulnerabilities.

4. Development of recommendations - Upon completion of the findings analysis, steps and recommendations are developed to address or mitigate the risks associated with the various vulnerabilities identified. Recommendations are made based on security best practices and commonly accepted security principles.
Network Assessment Overview

[Overview table; layout lost in extraction. Recoverable cells: "Category" and "Importance" column headers, category entries "Internal Network" and "Sample Hosts", and importance entries High, High, Medium, Medium, Low.]

Rating scale:
1. Organization exhibits a very strong and secure network environment overall.
2. Organization exhibits a safe and sound network overall; only modest vulnerabilities exist.
3. Organization exhibits a generally safe network; vulnerabilities that range from moderate to somewhat serious exist.
4. (Poor) Organization exhibits an unsafe network; some serious vulnerabilities exist.
5. (Inadequate) Organization exhibits a very unsafe network; several critical vulnerabilities exist.
External Network Findings

Application Integrity: Low

System Integrity: Low
No significant system integrity findings identified. There were no significant weaknesses identified in the configuration and setup of the network components. An adequate and acceptable level of security has been attained in this category with regards to best practices.
Internal Network Findings

Application Integrity: Med

System Integrity: High
Insecure services running. There were network services identified that have not been properly secured. This increases the exposure and risk to the network by potentially providing channels for attackers to exploit.
Network Operating System Findings

Access Controls

Audit Settings: Med
Some security events are not being audited. Security event auditing is enabled; however, some critical events are not selected for audit. Not auditing all critical events may allow suspicious or unauthorized activity to occur unnoticed.

User Account Security: Low
No significant user account security findings identified. There were no significant weaknesses identified in the network accounts and account settings. An adequate and acceptable level of security has been attained in this category with regards to best practices.
Sample Host Findings

Audit Settings: Med

File Security: Low
No significant file/directory security findings identified. There were no significant weaknesses identified in the file/directory security of the servers tested. An adequate and acceptable level of security has been attained in this category with regards to best practices.

Security Patches: Med
Some security patches not installed. Patches address known security vulnerabilities on servers. Because the latest patches are not installed, attackers may exploit these vulnerabilities to compromise or gain access to the server.

User Account Security: Low
No significant user account security findings identified. There were no significant weaknesses identified in the network accounts and account settings. An adequate and acceptable level of security has been attained in this category with regards to best practices.
Key Recommendations

- Disable all unnecessary network services. The best way to protect against attack through a network service is to disable it altogether. Disabling unnecessary services will limit the possible options and opportunities an attacker has in attempting to access the network.

- Ensure that all equipment has the latest security patches installed. Vendor-supplied security patches address known exploits and weaknesses. Installing the latest security patches will ensure that equipment is protected against such known flaws and vulnerabilities.

- Enable comprehensive security event auditing on all systems. Auditing all critical and important security events will provide the information needed to identify and detect malicious and unauthorized activity, as well as provide logs and data that can serve as key evidence in legal procedures.

- Implement stronger network access controls. Implementing and enforcing strict network access controls, such as login, authentication, and password requirements, will reduce the risk of unauthorized use of the network and company resources.

- Secure all necessary network services. Services are typically the only means by which external parties can gain access to the network. Restricting and securing network services will help to prevent the exploitation and misuse of such services by unauthorized and malicious users.
RESONANT TECHNOLOGY PARTNERS
VOLUME II - DETAILED FINDINGS

Table of Contents

ASSESSMENT OVERVIEW .......... 3
EXTERNAL NETWORK ASSESSMENT .......... 4
  External Assessment Approach .......... 4
  External Vulnerabilities Overview .......... 5
  External Vulnerabilities Detail .......... 6
  External Services Detected .......... 7
INTERNAL NETWORK ASSESSMENT .......... 8
  Internal Assessment Approach .......... 8
  Internal Vulnerabilities Overview .......... 9
  Internal Vulnerabilities Detail .......... 10
NETWORK OPERATING SYSTEM ASSESSMENT .......... 13
  Network Operating System Assessment Approach .......... 13
  Network Operating System Vulnerabilities Overview .......... 14
  Network Operating System Vulnerabilities Detail .......... 15
HOST ASSESSMENT .......... 17
  Host Assessment Approach .......... 17
  Host Vulnerabilities Overview .......... 18
  Host Vulnerabilities Detail .......... 19
CONFIDENTIAL
Page 2 of 19
Assessment Overview

Resonant Technology Partners has become increasingly dependent on systems operating on their network. Many of these systems have become critical to business operations. However, these systems are increasingly vulnerable to a variety of common attacks that take place frequently on corporate networks. To assess how vulnerable their business-critical systems may be to these types of attacks, Resonant Technology Partners asked Perimeter ESecurity to conduct an extensive security review of their network environment. Perimeter performed a comprehensive network assessment, which involved assessing the overall design and integrity of the external network, internal network, network operating system, and a representative sample of servers. Perimeter used a variety of assessment tools, techniques, and methods to identify existing deficiencies and vulnerabilities. Our analysis of these areas was compared against security industry best practices, and recommendations were made on the basis of those comparisons. To effectively protect company resources from exposure, Resonant Technology Partners should address the identified key improvement areas and findings noted in this report.

PLEASE NOTE: All vulnerabilities recorded and identified in this assessment are regarded as POTENTIAL vulnerabilities and need to be further validated in order to determine if they are real and exploitable in your environment. Many vulnerabilities cannot be completely confirmed due to the potential disruption or damage doing so may cause. In addition, due diligence and care must be taken before implementing any of the recommended changes, as changes to production systems may cause disruptions or irreparable damage. Perimeter ESecurity is not responsible for any problems or issues resulting from the implementation of these recommendations.
External Assessment Approach

As part of the network vulnerability assessment, Perimeter conducted an assessment targeting publicly accessible devices/servers. The objective of the review was to perform controlled diagnostic activities to assess the level of security on devices and servers accessible from the Internet. The following were included in the scope of the assessment.

Ranges Scanned

IP Address Range: 24.242.162.242
External Vulnerabilities Overview

A variety of vulnerabilities were discovered as a result of the external assessment. The following summary graph was compiled outlining the total vulnerabilities grouped by criticality.

[Summary graph not recoverable from the extracted text.]
External Vulnerabilities Detail

The following is a detailed breakdown of the specific vulnerabilities identified during the external assessment.

** There are no vulnerabilities identified as a result of the external assessment **

Risk Level | Vulnerability | Description | Recommendation | Equipment Affected
(no entries)
External Services Detected

The following section is a detailed breakdown of the services identified during the external assessment.

IP Address     | Service Name  | Port Number | Type
24.242.162.242 | ssl/http      | 443         | TCP
24.242.162.242 | MICROSOFT-RDP | 3389        | TCP
Internal Assessment Approach

As part of the network vulnerability assessment, Perimeter conducted an assessment targeting network devices/servers on the private LAN/WAN. The objective of the review was to perform controlled diagnostic activities to assess the level of security on devices and servers accessible from the internal network. The following were included in the scope of the assessment.

Devices/Servers Tested

IP Address   | Type               | Operating System    | Hostname
10.10.10.1   | Firewall           | Cisco IOS           | N/A
10.10.10.5   | Switch             | Cisco IOS           | N/A
10.10.10.7   | Domain Controller  | Windows 2003 Server | RTPDC02
10.10.10.8   | Application Server | Windows 2003 Server | RTPBDR01
10.10.10.50  | Domain Controller  | Windows 2003 Server | RTPSBS01
10.10.10.52  | Application Server | Windows 2003 Server | RTPTS01
10.10.10.53  | Application Server | Windows 2003 Server | RTPTS01
10.10.10.80  | Application Server | Windows 2003 Server | EMAIL
10.10.10.82  | Application Server | Windows 2003 Server | SERVICEDESK
10.10.10.84  | Application Server | Windows 2003 Server | SUPPORT
10.10.10.253 | Router             | Cisco IOS           | N/A
10.10.10.253 | Router             | Cisco IOS           | N/A
Internal Vulnerabilities Overview

A variety of vulnerabilities were discovered as a result of the internal assessment. The following summary graph was compiled outlining the total vulnerabilities grouped by criticality.

Total vulnerabilities by criticality (from the summary graph): High 1, Medium 3, Low 7.
Internal Vulnerabilities Detail

The following is a detailed breakdown of the specific vulnerabilities identified during the internal assessment.

Risk Level: 3 (High)
Vulnerability: Default community names of the SNMP Agent
Description: The SNMP default public community name is specified, allowing anyone the ability to change the host system's information if they use this default value. An attacker can use SNMP to obtain valuable information about the system, such as information on network devices and current open connections.
Recommendation: Disable the SNMP service if not required. If necessary, change the default community name to something that is complex and very difficult to guess.
Equipment Affected: 10.10.10.53

Risk Level: 2 (Med)
Vulnerability: A TFTP server is listening on the remote host.
Description: The remote host has a TFTP server installed that is serving one or more Cisco CallManager files. These files do not themselves include any sensitive information, but do identify the TFTP server as being part of a Cisco CallManager environment. The CCM TFTP server is an essential part of providing VOIP handset functionality, so should not be exposed to unnecessary scrutiny.
Recommendation: If it is not required, disable or uninstall the TFTP server. Otherwise restrict access to trusted sources only.
Equipment Affected: 10.10.10.1

Risk Level: 2 (Med)
Vulnerability: Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability
Description: The remote version of Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle attack. An attacker may exploit this flaw to decrypt communications between client and server and obtain sensitive information (passwords, ...).
Recommendation: Force the use of SSL as a transport layer for this service. Reference: http://www.oxid.it/downloads/rdp-gbu.pdf, http://www.securityfocus.com/bid/13818
Equipment Affected: 10.10.10.50, 10.10.10.80

Risk Level: 2 (Med)
Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Recommendation: Reconfigure the affected application if possible to avoid use of weak ciphers. Reference: http://www.openssl.org/docs/apps/ciphers.html
Equipment Affected: 10.10.10.50, 10.10.10.80

Risk Level: 1 (Low)
Recommendation: Ensure that the server is running the latest stable Service Pack.

Risk Level: 1 (Low)
Description: This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired or will expire shortly.

Risk Level: 1 (Low)
Description: The remote host is running Terminal Services Server. The encryption settings used by the remote service are not FIPS-140 compliant.

Risk Level: 1 (Low)
Vulnerability: VNC running
Description: The remote server is running VNC. VNC permits a console to be displayed remotely. An attacker can potentially compromise this service to take control of the system.
Recommendation: Disable the service if not necessary. If required, ensure that it is secured with a difficult-to-guess password and shut down when not in use.
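The weak-cipher finding and the non-FIPS Terminal Services finding above are both cipher-policy problems, and the report's recommendation is to reconfigure the affected application. The following is an added example, not part of the report and not Perimeter's tooling, that shows in Python's ssl module how a server-side cipher policy excluding the flagged classes (no-encryption, export-grade, RC4, DES/3DES, MD5-based suites) is expressed, and, more usefully, how to enumerate what a context will actually negotiate so the policy is verified rather than assumed. The cipher string, the 128-bit floor and the function names are this example's own choices.

```python
import ssl

# OpenSSL cipher-list string (this example's own choice) that drops the suite
# classes the finding describes: no encryption (eNULL) or no authentication
# (aNULL), export-grade, RC4, DES/3DES and MD5-based suites. HIGH keeps only
# suites with 128-bit or stronger symmetric ciphers.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5"


def hardened_server_context() -> ssl.SSLContext:
    """Server-side TLS context applying the hardened cipher policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 / TLS 1.0 / TLS 1.1 off
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def enabled_suite_names(ctx: ssl.SSLContext) -> list:
    """Suites OpenSSL would actually offer for this context."""
    return [suite["name"] for suite in ctx.get_ciphers()]


def flagged_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that would still trip the finding: symmetric
    strength under 128 bits, no encryption, export-grade, or RC4."""
    flagged = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        weak = (
            suite["strength_bits"] < 128
            or "NULL" in name
            or "EXPORT" in name
            or "RC4" in name
        )
        if weak:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("enabled suites:", enabled_suite_names(ctx))
    print("still flagged:", flagged_suites(ctx))
```

Running the check against a context built from an application's real cipher string (rather than the hardened one) is the quickest way to confirm a remediation before rescanning; a non-empty result from flagged_suites means the scanner will report the same finding again.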
Network Operating System Assessment Approach

As part of the network vulnerability assessment, Perimeter conducted a vulnerability assessment targeting Resonant Technology Partners' network operating system environment. The objective of the review was to perform diagnostic activities using host-based assessment tools to assess its overall level of security. The following network operating system was included in the scope of the assessment.

[Scope listing not recoverable from the extracted text.]
Network Operating System Vulnerabilities Overview

A variety of vulnerabilities were discovered as a result of the network operating system assessment. The following summary graph was compiled outlining the total vulnerabilities grouped by criticality.

Total vulnerabilities by criticality (from the summary graph): High 0, Medium 4, Low 3.
Network Operating System Vulnerabilities Detail

The following is a detailed breakdown of the specific vulnerabilities identified during the network operating system assessment.

Risk Level: 2 (Med)
Description: The time an account remains locked out after login failure is too short. If an account is reinstated automatically, it will allow an attacker to continue with his attack.
Recommendation: Set the account lockout time to forever in accordance with best practices.
Equipment Affected: RTP

Risk Level: 2 (Med)
Description: The maximum password age is set too high. This gives anyone with a stolen password long-term access to that account.
Recommendation: Set the maximum password age to at most 60 days in accordance with best practice standards.
Equipment Affected: RTP

Risk Level: 2 (Med)
Description: The number of bad logon attempts that is allowed before the system locks out an account is set too high. This increases the chance that a logon attack will be successful.
Recommendation: Set the number of bad logon attempts allowed to 5 in accordance with best practices.
Equipment Affected: RTP

Risk Level: 2 (Med)
Description: Security event audit settings were not stringent enough in accordance with best practices. Unauthorized access and/or events may go unnoticed until systems have been completely compromised.
Recommendation: Enable security event auditing for all critical events in accordance with best practices. The following events should be audited:
  Success and Failure: Account management, Object access, Policy changes, System events
  Failure: Account logon, Directory service access, Logon events, Privileged use
Equipment Affected: RTP

Risk Level: 1 (Low)
Description: The counter reset time is set too low. Logon attempts can occur more frequently since the number of bad logon attempts is reset to 0 quicker.
Equipment Affected: RTP

Risk Level: 1 (Low)
Description: Users are permitted to change their passwords too quickly. This gives users the ability to change their passwords to a previous one or cycle through their history quickly, defeating the requirement to change the passwords on a regular basis.
Recommendation: Set the minimum password age to at least 7 days in accordance with best practice standards.
Equipment Affected: RTP
Host Assessment Approach

As part of the network vulnerability assessment, Perimeter conducted a vulnerability assessment targeting a representative sample of Resonant Technology Partners' hosts. The objective of the review was to perform diagnostic activities using host-based assessment tools to assess their overall level of security. The following hosts were included in the scope of the assessment.

Hosts Tested

IP Address  | Type               | Operating System    | Hostname
10.10.10.7  | Domain Controller  | Windows 2003 Server | RTPDC02
10.10.10.8  | Application Server | Windows 2003 Server | RTPBDR01
10.10.10.50 | Domain Controller  | Windows 2003 Server | RTPSBS01
10.10.10.52 | Application Server | Windows 2003 Server | RTPTS01
Host Vulnerabilities Overview

A variety of vulnerabilities were discovered as a result of the host assessment. The following summary graph was compiled outlining the total vulnerabilities grouped by criticality.

[Summary graph not recoverable from the extracted text.]
Host Vulnerabilities Detail

The following is a detailed breakdown of the specific vulnerabilities identified during the host assessment.

Risk Level: 2 (Med)
Vulnerability: Patches not installed.
Description: Several patches were not installed on these systems. Many patches fix known security issues. This is a problem that can allow attackers to exploit such issues. Bulletin ID: APSB10-26; Bulletin ID: JAVA6022
Recommendation: Test and apply the appropriate patches to the systems.
Equipment Affected: 10.10.10.50, 10.10.10.52

Risk Level: 2 (Med)
Vulnerability: Security event settings too weak.
Description: Security event audit settings were not stringent enough in accordance with best practices. Unauthorized access and/or events may go unnoticed until systems have been completely compromised.
Recommendation: Enable security event auditing for all critical events in accordance with best practices. The following events should be audited:
  Success and Failure: Account management, Object access, Policy changes, System events
  Failure: Account logon, Directory service access, Logon events, Privileged use
Equipment Affected: 10.10.10.8, 10.10.10.52

Risk Level: 1 (Low)
Vulnerability: Default Guest account not renamed.
Description: The guest account on the system has not been renamed. This account is a well-known user and is a typical first target for a break-in. Even though this account is disabled, it should be renamed in case it is accidentally or intentionally enabled.
Recommendation: Rename this account to something inconspicuous.
Equipment Affected: 10.10.10.8, 10.10.10.52
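The account-policy rows in the network operating system detail (lockout duration, maximum password age, bad logon attempts, minimum password age) and the audit-settings and Guest-account rows repeated here give concrete thresholds, which makes them suitable for an automated compliance check after remediation. The following is an added example, not part of the report and not Perimeter's tooling. It parses the INF file that `secedit /export /cfg <file>` writes on Windows Server 2003 and lists every setting that falls short of the report's recommendations. The sample INF is constructed; the value encodings it relies on (audit values as bit flags, 1 = success and 2 = failure; LockoutDuration -1 meaning locked until an administrator unlocks; MaximumPasswordAge -1 meaning passwords never expire; LockoutBadCount 0 meaning lockout disabled) are secedit's conventions as this example assumes them, and the function names are its own.

```python
import configparser

# Constructed sample in the layout written by `secedit /export /cfg <file>`
# (sections [System Access] and [Event Audit]). The values are this example's
# own and deliberately mirror the report's findings.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
LockoutBadCount = 10
ResetLockoutCount = 5
LockoutDuration = 30
NewGuestName = "Guest"
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 2
"""

# Audit values are bit flags (assumed secedit encoding): 1 = success, 2 = failure, 3 = both.
SUCCESS, FAILURE = 1, 2

# Minimum audit settings taken from the report's recommendation.
REQUIRED_AUDIT = {
    "AuditAccountManage": SUCCESS | FAILURE,
    "AuditObjectAccess": SUCCESS | FAILURE,
    "AuditPolicyChange": SUCCESS | FAILURE,
    "AuditSystemEvents": SUCCESS | FAILURE,
    "AuditAccountLogon": FAILURE,
    "AuditDSAccess": FAILURE,
    "AuditLogonEvents": FAILURE,
    "AuditPrivilegeUse": FAILURE,
}


def parse_policy(text: str) -> configparser.ConfigParser:
    """Parse secedit INF text; option names stay case-sensitive as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_account_policy(cp: configparser.ConfigParser) -> list:
    """(setting, current value, recommended value) for each account setting
    that misses the thresholds the report recommends."""
    sa = cp["System Access"]
    findings = []
    lockout = int(sa.get("LockoutDuration", "0"))
    if lockout != -1:                        # -1 = locked until an administrator unlocks
        findings.append(("LockoutDuration", lockout, -1))
    max_age = int(sa.get("MaximumPasswordAge", "-1"))
    if max_age == -1 or max_age > 60:        # -1 = passwords never expire
        findings.append(("MaximumPasswordAge", max_age, 60))
    bad_count = int(sa.get("LockoutBadCount", "0"))
    if bad_count == 0 or bad_count > 5:      # 0 = lockout disabled
        findings.append(("LockoutBadCount", bad_count, 5))
    min_age = int(sa.get("MinimumPasswordAge", "0"))
    if min_age < 7:
        findings.append(("MinimumPasswordAge", min_age, 7))
    guest = sa.get("NewGuestName", "").strip('"')
    if guest == "Guest":                     # well-known name still in place
        findings.append(("NewGuestName", guest, "renamed"))
    return findings


def check_audit_policy(cp: configparser.ConfigParser) -> list:
    """Audit categories whose enabled flags fall short of the required ones."""
    ea = cp["Event Audit"]
    return [
        category for category, required in REQUIRED_AUDIT.items()
        if int(ea.get(category, "0")) & required != required
    ]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_INF)
    for setting, current, recommended in check_account_policy(policy):
        print(f"account policy: {setting} is {current}, recommended {recommended}")
    for category in check_audit_policy(policy):
        print(f"audit policy short of recommendation: {category}")
```

Because the check works on the exported INF rather than the live system, the same script can be run against exports from every server in the Hosts Tested list and the results diffed against the report's Equipment Affected column.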