Audit Network Security

Presenter
Ashish Jain, CPA, CIA, CISA, CA
Director of Internal Audit
University System of New Hampshire

University System of New Hampshire
- 34,000 enrolled students
- 4 institutions
- 15 locations
- Largest provider of postsecondary education in NH
- Produces 61% of STEM graduates in state
- Lowest student loan default rate in US
- Degree completion 78% - US average is 63%

Why Audit Network Security
- High-risk area
- Higher education culture
- Cybersecurity
- Often overlooked in internal audit plan
- Complexity
- Wide scope
- Internet of things (IoT)

Agenda
- Approaching the audit
- Key risk identification
- Common design gaps and issues
- Resources
- Key areas to cover
- Common issues and hurdles

What is Network Security?
Network Security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment.

Where to Start?
- Network diagram
- Inventory of network devices
- Copy of recent penetration testing
- Organization chart
- Network security policies, procedures, and standards

Risk Assessment
- Key risk areas
  - Physical security
  - Configurations
  - Change management
  - Access
  - Risk analysis and monitoring

Audit Approach
- Looks for overall control environment for securing the network
- Select network devices based on:
  - Location
  - Sensitivity of data
  - Type of device
  - When put in service

Research and Knowledge Development
- Develop knowledge on selected device
  - NIST or vendor recommendations
  - Federal Information Processing Standard (FIPS) mode
  - Configuration guide
  - Policies and procedures
  - PCI-DSS

Key Audit Areas

Physical Security
- Physical security: network closets, rooms, data centers
- Lock vs key card

Console Access
- Generic IDs
- Default passwords
- Access justification
- Password encryption

Password Policy
- Password parameters are configured in accordance with policy

Password Security
- Encryption settings
- Proper algorithm used
- Commonly used algorithm
- Best practices

Key Management
- Pre-shared keys are used for authentication between two network resources
- Settings: key length, encryption, protocols
- Change protocols of keys
- Who knows and maintains these keys?
- Unencrypted keys/passwords in configuration files

Clock Settings
- Test:
  - Current time is accurate
  - Daylight time settings

Patches
- Compare OS patch level against recommended by vendor
- Understand upgrade procedures

Remote Login Protocols
- Inquire on existing practices and see policies & standards
- Is activity logged?
- Best Practices
  - Dedicated management interface
  - Two-factor authentication
  - Dedicated VPN
  - Procedures to confirm the integrity of device configurations

Services
- Which services are really needed
- Who ensures these services are appropriate
- Look for commonly exploited services
- Benchmark against organization's policy on allowed services
- Standards and periodic review of key configurations

Simple Network Management Protocol (SNMP)
- Default community names
- Version used (version 3 is currently recommended)
- Authentication
- Encryption used
- Common audit finding: version 1 or 2c is active while version 3 is mainly used
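
The SNMP checks above can be run directly against an exported device configuration. The script below is an added example, not part of the original presentation; it assumes Cisco IOS-style `snmp-server` syntax (the slides do not name a vendor), and the sample configuration is constructed.

```python
import re

# Constructed sample input in Cisco IOS-style syntax (an assumption; the slides
# name no vendor). Group names, community strings and the address are made up.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community N0c-r3ad RO 10
snmp-server group NOC-PRIV v3 priv
snmp-server group NOC-AUTH v3 auth
snmp-server group LEGACY v3 noauth
snmp-server host 192.0.2.10 version 2c N0c-r3ad
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c|v3)(?: (auth|noauth|priv))?", re.I)
HOST_RE = re.compile(r"^snmp-server host \S+ (?:(?:traps|informs) )?version (1|2c)\b", re.I)


def audit_snmp(config_text):
    """Return sorted (line_number, code, message) findings for the SNMP checks."""
    findings, legacy_lines, has_v3 = [], [], False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            legacy_lines.append(lineno)  # community strings are only used by v1/v2c
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "DEFAULT_COMMUNITY", f"default community name '{m.group(1)}'"))
        elif m := GROUP_RE.match(line):
            name, version, level = m.group(1), m.group(2).lower(), (m.group(3) or "").lower()
            if version != "v3":
                legacy_lines.append(lineno)
                continue
            has_v3 = True
            if level == "noauth":
                findings.append((lineno, "V3_NO_AUTH", f"v3 group {name}: no authentication or encryption"))
            elif level == "auth":
                findings.append((lineno, "V3_NO_ENCRYPTION", f"v3 group {name}: authenticated but not encrypted"))
        elif HOST_RE.match(line):
            legacy_lines.append(lineno)  # trap/inform destination pinned to v1/v2c
    for lineno in legacy_lines:  # non-default community strings are never echoed
        detail = "still active alongside v3" if has_v3 else "in use, no v3 configured"
        findings.append((lineno, "LEGACY_VERSION", f"SNMP v1/v2c {detail}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code, message in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {message}")
```
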

ICMP
- Used to gather information about a network device
- ICMP should be limited to hosts with a business need

Other Areas
- Anti-spoofing settings
- Authentication, authorization, and accounting (AAA)
- Login banners
- IP fragmentation
- Access Control Lists (ACL)
- Session timeouts
- Enable logs and monitoring

Common Issues
- Default settings
- Inadequate network security policies, procedures, and standards
- No periodic review of configurations
- Generic IDs or shared accounts
- Lack of accurate network device inventory
- Segregation of duties between maintenance and security

Summary
- Security standards
- Periodic review of key configurations
- Segregation between security and maintenance
- Physical security
- Key management
- Remote access

Thank you!
Questions?