Transcript Office of the State Auditor: Holding State Government

COLORADO’S
CYBERSECURITY
ASSESSMENT APPROACH
Matt Devlin, CISA, CISM
Deputy State Auditor
September 30, 2014
Overview
 Colorado OSA and IT Audit Background
 State of Colorado IT and InfoSec
Organizational Structures
 OSA’s Cybersecurity Assessment Approach
 General description of what we have done in the
past and what we are doing now
 Prior VA / Pen Test Audit (Nov. 2010)
 Current VA / Pen Test Audit (Dec. 2014 )
 Not a detailed or technical “How To” on VA / pen
testing
2
Colorado OSA: Background Info
 OSA is under the Legislative Branch
 Reports to a nonpartisan Legislative Audit
Committee (LAC)
 State Auditor is appointed to a 5 year term
 3 Audit Divisions:
 Financial, Performance, and IT
 Approx. 70 auditors
 Produce about 50 to 55 products/reports year
3
Colorado OSA: Organizational Chart
4
Colorado OSA: Statutory Authority
 OSA has statutory authority to:
 Conduct audits of all state departments and agencies (Sec. 2-3-
103, C.R.S)
 “Access at all times…all of the books, accounts, reports,
vouchers, or other records or information in any department,
institution, or agency, including but not limited to records or
information required to be kept confidential or exempt from
public disclosure…” (Sec. 2-3-107(2), C.R.S.)
5
Colorado OSA: IT Audit Division
 IT Audit Division:
 Est. in February 2006 (8 yrs., 8 mos. young!)
 4 IT Audit Staff, Mainly Senior-level Auditors
 IT Audit Engagement Types:
1.
Financial Audit Support (Statewide Single Audit)
 E.g., Fin. system ITGCs, SSAE 16 reviews, contractor audit
reviews
2.
Performance Audit Support
 E.g., MMJ, Vocational Rehab, Health Exchange, etc.
3.
Standalone IT and InfoSec Audits (Technologies /
Systems / Processes / Projects / Org. Unit)
6
FY 2014 Allocation of Audit Staff
Performance Audits
47%
Financial Audits
36%
IT Audits
5%
Other Work Products and
Activities
5%
Local Government
Audit Reviews
7%
7
State of Colorado: IT Org. Structure
 Executive Branch
 Office of Information Technology (OIT)
 Est. in 2008 through legislation (SB 08-155)
 Consolidation of IT from a decentralized model
 OIT sits under the Governor’s Office
 Judicial Branch
 Separate IT (i.e., ITS)
 Legislative Branch
 Separate IT (i.e., LIS)
8
State of Colorado: InfoSec Org. Structure
 Executive and Judicial Branch
 Office of Information Security (OIS)
 Est. in 2006 through legislation (HB 06-1157)
 Consolidation of InfoSec (from a decentralized
model?)
 OIS sits under OIT (i.e., the Exec. Branch IT Unit)
 Legislative Branch & Higher Ed. Institutions
 Excluded from OIS oversight, but have info. sec.
reporting requirements
9
State of Colorado: IT & InfoSec Org Charts
10
CYBERSECURITY APPROACH:
THE 2010 PEN TEST AUDIT
Audit Objectives
 Objective #1
 To review the Governor’s Office of Cyber Security’s
progress in fulfilling the requirements of the
Colorado Cyber Security Program (Section 2437.5-401 through 406, C.R.S.)
12
Audit Objectives
 Objective #2
 To perform a “covert” penetration test of state
networks, applications, and information systems
 Gain unauthorized access to state systems and data
 Simulate hacking attempts
 Test incident response
13
Audit Scope
14
VA vs. Pen Test
 Vulnerability Assessment – assessment approach used to
identify system weaknesses or vulnerabilities.
 Penetration Test – assessment approach used to gain
access to systems by exploiting or circumventing system
weaknesses or vulnerabilities.
 Hacking vs Pen Test Difference
 Get Permission!!!
 Authorized by Governor’s Office,
State CISO, and other Dept. Mgt.
15
Audit Methodology
 In-house & Contract Audit – OSA Partnered
with 2 Contractors specializing in VA/pen
testing
 Nonrisk-Based Approach – Open to all state
networks, applications, and systems
 Black Box – no advance information on
systems/networks/departments/agencies,
etc.
 All attacks available; Nothing off limits!
16
Audit Methodology (cont.)
 Tests performed included:
 Network Scans (external /internal) – Ports and Services
 Application/DB/OS Scans – Patch Levels,
Configuration Settings/Hardening Standards, Vendor
Defaults, Brute Force,
 Website Security - Attacks to gain access to backend
apps and DBs
 Social engineering – Spam, Impersonation
 Physical-based attacks – gaining unauthorized access
to facilities and DCs
 What did we find??
17
Office of Cyber Security
“Overall, the results of the Pen
Test demonstrate that the State
is at high risk of a system
compromise and/or data breach.”
18
Audit Results
Relating to Objective #1:
 The Office of Cyber Security failed to successfully
implement the Colorado Cyber Security Program, as
required by statute.
 Info Sec Program Governance & Org. Structure
 Policy, procedures, and plans lacked definition, implementation, and
enforcement
 InfoSec Operations & Controls
 InfoSec processes and controls lacked definition, implementation, and
compliance
 All findings and recommendations were agreed to (or
partially agreed to).
19
Audit Results (cont.)
Relating to Objective #2:
 The State was at high risk of a system compromise and/or
data breach by malicious individuals, including individuals
both internal and external to the State.
 Hundreds of vulnerabilities identified





Unnecessary and Insecure Ports, Services, and Utilities
Exposed Management Interfaces
Default and Easily Guessable Usernames and Passwords
Unsecured Web Applications
Lack of Internal Network Security Controls (e.g., network
segmentation, hardening and patching, use of insecure network
protocols, lack of IDS/IPS)
20
Audit Results (cont.)

Relating to Objective #2 (cont.):

Compromised or gained unauthorized access to:


Numerous State Networks and Systems
Lots of Sensitive and Confidential Information:
 Usernames and passwords (belonging to state employees and others non-state
individuals)
 state employee records
 SSNs
 income levels
 birth dates
 contact information—i.e., phone numbers and physical addresses.

A data breach of this magnitude would have cost the State between $7
and $15 million to remediate (based on national averages at the time).
 All findings and recommendations were agreed to (or partially agreed
to).
21
Audit Results (cont.)
State of Colorado Penetration Test Results Risk Ranking by Network/System
Network/System Component Tested
Risk Ranking
External Network Testing
HIGH
Internal Network Testing
HIGH
Physical Security Testing
HIGH
Web Application Testing
HIGH
Social Engineering
HIGH
Modem Testing
LOW
Wireless Network Testing
LOW
Source: Office of the State Auditor penetration test results.
22
Audit Results (cont.)
Vulnerabilities by Severity
400
300
200
100
0
High
Medium
Low
Source: Colorado Office of the State Auditor.
Key Vulnerability Areas
28.66%
Web Apps
52.12%
5.48%
Web Server
Systems
Other
13.74%
Source: Colorado Office of the State Auditor.
23
Challenges
 “First of It’s Kind” Audit
 OSA Authority to Conduct Pen Test? -Not “specific”
 Communication/Coordination
 All Business Management (as well as IT/InfoSec Mgt.)
 Very Complex IT Org, Systems, and Technologies
 Took a lot to plan, execute, and report
 Reporting
 Public vs. Private Info
 Diff. contractors partnering with OSA
24
Successes


Information Security Posture – Identified a Baseline!
Raised Information Security Awareness – within State Ops, the
Legislature, and Public

Increased OSA Authority – new statute was created to allow our office to
conduct ongoing VA’s, pen tests, and technical security assessments…
after consultation and in coordination with, but not requiring the
approval of, the CIO (Sec. 2-3-103(1.5) et al, C.R.S.)
25
CYBERSECURITY APPROACH:
CURRENT VA/PEN TEST AUDIT
(TO BE RELEASED DEC. 2014)
Audit Objectives
 Objective #1: To conduct a vulnerability assessment,
penetration test, and technical information security
evaluation on state networks, applications, and
systems.
 Objective #2: To gain an understanding of the root
cause of identified information system security
vulnerabilities.
27
Key Differences (vs. Prior Audit)

Scope Size & Complexity


Risk-based/Targeted (vs. Statewide/All-inclusive)
White/Grey Box (vs. Black Box)
 Resulted in Fewer Networks, Systems, & Depts.



No InfoSec Program Review
Root Cause Analysis Focus
Shorter Timeline


One Contractor (vs. 2 Prior)



Simplified with 2 Entrance Meetings with IT/InfoSec Mgt. (vs. Business Mgt.)
Reporting


Simplify Communications & Processes
Reports to Match OSA Style
Communication With Management


Mar.-Dec. 2014 (vs. more than 12 mos.)
Public vs. Private Content
Evaluation vs. Audit – did not have to follow Yellow Book standards
28
Audit Scope
 Left Scope and Schedule Open in RFP
 The engaged contractor was required to work with us (OSA) to:
1.
2.
Define the networks, applications, and/or systems to be included in
the scope, , based on risk;
Develop the audit schedule (working backwards from our LAC date).
 List of Scope Areas






External Network (89,614 IP addresses)
Internal Network (3, across diff. departments)
Firewalls (10, mix of external & internal)
Enterprise Apps (2, across diff. depts.)
Web Apps (5, across diff. depts.)
Social Engineering (spam email to all Executive and Judicial
Branch agencies)
29
Audit Results
 TBD – Report to be released in December!!!
 Generalization:
 Lots of very similar findings as last time, indicating
slow progress in maturing the state’s info sec
program
30
Outcomes (Expected)
TBD…but we’re hoping to:
 Issue Two Reports Again:
 Management-level Report (Public )
 Technical-level Report (Private)
 Provide Transparency & Value
 Identify System Vulnerabilities/Findings
 Identify Root Causes
 Raise Awareness of InfoSec Posture
 Provide Accountability
 Track Audit Findings & Recs
 Annual Report on Recommendations not Fully Implemented
31
Challenges
 New (and few) IT audit staff – 1 contract
monitor
 Independence – Concern due to prior audit
deputy moving into the CISO role
 New Contractor – Get up to speed!
 Risk-based Scoping - Very complex IT organization
and systems:
 Outdated technologies and systems
 Redundant systems
 New system developments
32
Challenges (cont.)
 Lots of Staff Turnover/Reorgs.
 Significant IT management turnover during the
review, including:
 Secretary of Technology & State Chief Information
Officer (CIO)
 Chief Technology Officer (CTO)
 Chief Operating Officer (COO)
 Chief Information Security Officer (CISO)
 Chief Customer Officer
 Director of HR
 Director of Enterprise Applications
 Communication/Coordination with appropriate
management and staff
33
Challenges (cont.)
 Authority to conduct Pen Test Evaluations
 2 separate but similar “Rules of Engagement” (for
Exec. And Judicial Branch agencies/systems
subject to our evaluation)
 Obtaining access to systems for credential
testing
 Despite statutory authority (to access all state
information and records)
34
Improvement Opportunities
 Tie Current Results to Prior Results – to analyze
trends about whether InfoSec is improving over





time
Multi-year Plan – Continue risk-based coverage?
Simplify Further – smaller audits, dept.-specific
Incident Response Testing
Contractor Consistency – to improve efficiencies
in coordination of planning, fieldwork and
reporting
Develop In-house Expertise – perform VA/pen
tests using available tools and techniques
35
Questions?
 Contact me:
 [email protected]
 303-869-2800
 www.state.co.us/auditor
36