Audit, Measurement, Practice and Control
www.netbuy.com is a small online shopping site run by a single owner and
administrator. www.netbuy.com.pk outsources its technical infrastructure to a
large Internet Service Provider and has recently experienced a series of
external hacking attacks, which have interrupted business operations.
www.netbuy.com.pk would like an audit performed on its basic infrastructure
components to determine the areas of exposure and weakness within its technical
environment. However, because of the nature of the business, this audit must
not only identify security risks and exposures from a technical standpoint but
also analyse its business operations in more detail. Because www.netbuy.com.pk
is a small business operated by one person and relies on an outsourced service,
additional security concerns and exposures need to be addressed. This audit
will identify the risks and determine the associated vulnerabilities within
www.netbuy.com’s technical and business operations environments. The audit will
provide recommendations focused on maximizing the protection of its data while
maintaining functionality and usability for regular business operations.
A-2.1 System Environment
www.netbuy.com provides a website where users can purchase home appliances and
smart gadgets online from home. The overall environment of www.netbuy.com.pk is
composed of one database server and one web-application server. Each server
runs Windows 2003 as the server operating system. The database runs SQL Server
and stores data such as user details, shopping and purchase orders, and credit
card information. This database is populated by user input from the Graphical
User Interface, which is supported by a separate web server. The web server is
built on Windows 2003 Server and runs Internet Information Services 5.0. This
server is accessed on the front end by user input via the Internet. On the back
end, the server communicates with the database server to feed and retrieve
requested data. These two servers are physically located at the Internet
Service Provider in Faisalabad. Both servers are accessed and administered by
the system owner, via terminal services, from the Administrator’s home, using a
cable connection to
Focus of the
As discussed, the overall focus of the audit will be the application/web
server, for several reasons. The major application and service this server
runs, Internet Information Service IIS 5.1, has many known (and of course
unknown) vulnerabilities associated with it. Because this system is accessed
from the web, it has many access points and is the most exposed to external
users. The system is housed at the Internet Service Provider, which limits the
Administrator’s control over it. The table below provides more detailed
specifications for the
Processor: Dual Xeon 2.3 GHz
Memory: 3 GB RAM; hard drive 40 GB
Software: IIS 5.1
System: Windows 2003
Pack Level: Service Pack 1
Access: Connects to client workstation via terminal services
Connections: Connects to the
Connects to the database
Personnel Access: Administrator
Business Purpose: Runs application services and web service information
1.3 The First Step to Evaluating Risk
Risk can be defined as the potential impact of the system’s exposure to a known
or unknown vulnerability. The impact of a risk is evaluated through the
potential loss of confidentiality, integrity and availability of the data.
Confidentiality ensures that information resources are used only by those
authorized to do so. Integrity means that information is protected from
unauthorized or unintentional modification. Lastly, availability ensures that
information resources remain accessible whenever needed. This audit will focus
on identifying risks that pose potential threats to the confidentiality,
integrity and availability of the data. It is important to remember that there
must be a balance between security and business functionality. For example,
solutions that address threats to the confidentiality and integrity of data may
also limit the availability of that data. Therefore, in responding to any
potential threat, one must consider how it relates to business functionality
and needs.
There are two categories of risk which will be examined throughout this audit:
procedural and technical risks. Procedural risks are associated with business
operations and their processes and procedures. Technical risks are associated
with the configuration and maintenance of the physical technical
infrastructure. Due to the nature of www.netbuy.com.pk’s business, procedural
and technical risks are identified as a function of the company’s physical
infrastructure, the principles of small business, and its outsourced
arrangement with the Internet Service Provider.
This audit will use the following criteria to evaluate the identified risks:
Control: how the given aspect of the business system should exist and/or
function. The “control” is therefore the definition of what should exist or
occur.
Risk: what could go wrong, both procedurally and technically, with the control.
Likelihood: how likely this is to occur.
Impact: the effects of an exploited risk and its impact on the confidentiality,
integrity and availability of the data.
A.3.1 Business and Procedural Risk
The business is operated by one person. No established security processes,
procedures, or checks and balances exist. As a small business, Netsol.com.pk is
confronted with the concerns associated with limited budgets, resources, and
functional expertise. Furthermore, www.netbuy.com uses an Internet Service
Provider, which limits many physical as well as information security controls.
These constraints create major obstacles to ensuring security best practices.
The following table discusses these business and procedural risks.

Control: The business should have skilled and available resources in order to
effectively perform all necessary business operations.
Risk: Limited and inexperienced resources are operating the www.netbuy.com.pk
business and therefore cannot effectively manage all operations.
Likelihood: In small businesses, it is difficult to financially support many
resources with specialized skills, such as security.
Impact: The number of resources working for www.netbuy.com.pk is limited, and
they do not have the time or the skills to implement and follow appropriate
security procedures and controls. An exploit can take advantage of this lack of
knowledge and resources.

Control: Best practice is to allocate 15% of the company’s budget to
Information Technology investment; this would include the costs of addressing
security.
Risk: Budgets will not be able to support the hardware, tools, and resources
required to securely operate the business.
Likelihood: In small and particularly start-up businesses, funds are limited as
they are provided by few investors. Therefore, operating budgets are at a
minimum.
Impact: No budget exists to support the hardware, tools and resources required
for security processes and controls within the company. Therefore, in the case
of an exploit, the appropriate tools and resources are not available to
mitigate and remediate the incident.

C-Non-standardized security policies and
Control: A standardized set of processes should be implemented within any
operation to ensure all security concerns are acknowledged and addressed.
Examples of such processes would be consistent monitoring of audit logs and
verification of the users, groups and permissions allowed into the systems.
Risk: The absence of these security processes indicates that neither attention
nor effort is made to address security needs. Furthermore, when a security
incident does occur, there is no knowledge or guidance of what to do.
Likelihood: Basic business plans should include these standardized processes.
Additionally, contracts with outsourcers should include these policies and
procedures.
Impact: The business operates in an insecure environment with little awareness
of what security vulnerabilities exist. In the event of an incident, business
operations could cease, as little knowledge exists on how to control it.

D-Uncontrolled/monitored physical security and access control
Control: The business should install physical security measures in order to
protect both its physical and information assets. This would include
appropriate locks on doors, desks and storage areas. Furthermore, there should
be established, controlled processes for people who wish to access them.
Risk: Without any physical security, there is no way of preventing or
identifying unauthorized people gaining access to proprietary and confidential
data.
Likelihood: Most buildings and offices contain some form of physical security.
However, enforcement of this security is usually out of the business owner’s
control, as physical security is usually managed by an outsourced company.
Impact: Unauthorized people will gain access to physical areas and thus to
proprietary and confidential data, compromising its confidentiality, integrity
and availability.

E-Nonexistent Backup and Storage procedures
Control: Data stored in the system should be regularly backed up and stored in
a secure
Risk: If data is not regularly backed up, a compromise of the system could
result in the loss of all data, which could not be restored.
Likelihood: Backup of data should be a primary concern for the system
administrator. In any system compromise, the data will certainly be altered if
not lost.
Impact: If a system is compromised or mistakenly shut down and data is lost,
www.netbuy.com potentially loses all information, which is detrimental to the
operations of the company.
A-3.2 Technical Risk
From a technical perspective, risks are associated with known vulnerabilities
and exploits. www.netbuy.com’s application and web server runs on Windows 2000
Server and IIS 5.0, which have known vulnerabilities and exploits associated
with them. Without appropriate maintenance and knowledge of these
vulnerabilities, www.netbuy.com runs a serious risk from external threats. The
technical risks are outlined below.

Installations of the Operating System
Control: The “out of the box” installation of the operating system should never
be trusted by system administrators. All operating systems should be uniquely
configured according to the business requirements and appropriately hardened
for security.
Risk: Systems are running default installations, which have many known security
vulnerabilities and known exploits associated with them.
Likelihood: Many Administrators, particularly those with less security
knowledge, trust the
Impact: It is easy for an attacker to determine the probable vulnerabilities of
the operating system when it is configured with the default settings. An
attacker will attempt known attacks toward the system based on the default
installation and compromise the system.

Installations of Major Application
Control: The default “out of the box” installation of Internet Information
Service 5.0 should be uniquely configured for business requirements and
appropriately hardened against known security risks.
Risk: Systems which are running default installations have many known security
vulnerabilities and exploits.
Likelihood: Many Administrators, particularly those with less security
knowledge, trust the
Impact: An attacker will attempt known attacks toward the system based on the
default installation and compromise the system.

Exposure to known Vulnerabilities/Exploits
Control: Systems should be tested for and patched on a regular basis against
Risk: Systems which are not hardened against known vulnerabilities can be
easily compromised through known and frequent attacks, worms and viruses.
Likelihood: Regular maintenance and hardening of systems is often left as the
responsibility of the administrator and seen as less important. Therefore, time
is not spent understanding and learning old and new security vulnerabilities.
Impact: This leaves the system unpatched and open to attack by common,
well-known exploits such as buffer overflows, cross-site scripting, and Denial
of Service attacks.

Control: Systems should be protected by perimeter security controls such as a
firewall to protect against external access and attacks.
Risk: If there is no layer of perimeter protection, access into systems is open
to any and all external attacks.
Likelihood: A majority of ISPs enforce some form of perimeter protection.
However, the firewall rules may be weak, as they need to serve a variety of
needs.
Impact: Systems can be easily identified, accessed and compromised.

Insecure Data in
Control: Data between connected systems should not be visible to anyone
eavesdropping on the network. SSL should be used.
Risk: When the client machine (the administrator’s console) communicates with
the servers hosted at the ISP, information is sent in clear text.
Likelihood: Most Internet Service Providers do not provide private connections.
Impact: Data is transferred in clear text across the Internet. “Listeners” can
capture, store or alter this
A-4 Current State of Practice
Currently www.netbuy.com.pk has no regular security auditing, vulnerability
assessment or baseline practices. Therefore, this will be the first audit to be
conducted on these systems. The following process and resources will be used
to audit www.netbuy.com.pk’s system.
1.4.2 Tools
The following security tools will be used to obtain information and identify
security vulnerabilities associated with the system:
Nessus is a free vulnerability assessment tool. It identifies running services
and open ports on the scanned system and identifies known vulnerabilities and
exploits associated with them. Nessus relies heavily on banner information and
can therefore produce many false positives. Careful attention and investigation
has to be given to the results of
A free port scanning tool which can be run against the system to determine the
open ports and services running on the system.
MS Baseline Security Analyzer scans the system to determine missing security
patches as well as default-installation and misconfiguration issues in
Microsoft operating systems and applications.
Snort is a free network traffic monitoring tool which will be used to collect
traffic packets as the web/application server is
Written approval will be obtained from both www.netbuy.com.pk and the ISP to
perform the audit and to use the tools identified.
User IDs and passwords will be created for access to the system.
A baseline and backup of the systems to be audited will be taken. This will
provide an accurate depiction of the current state of the environment.
All relevant documents will be obtained from the client to begin the procedural
audit.
The technical audit will be performed using the tools listed above.
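As an added example of the technical-audit step (not part of the original audit and not output from the tools named above), the Python script below reads port-scan results for the web/application server and checks them against the exposure the system environment implies: only the web service should face the Internet, terminal services is for the administrator, and SQL Server or SMB must not be reachable externally. The scan lines are constructed sample input in nmap's grepable (-oG) line format, the 192.0.2.10 address is a placeholder, and the port policy is an assumption made for this example.

```python
"""Added example (not from the original audit): compare port-scan results for the
web/application server with the exposure the system environment implies."""
import re

# Assumed Internet-facing policy for the web server (example values, not the
# audit's own): web only; terminal services admin-only; RPC/SMB/SQL never public.
ALLOWED_PUBLIC = {80, 443}
ADMIN_ONLY = {3389}
NEVER_PUBLIC = {135, 139, 445, 1433}

# grepable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = [(int(p), st, pr, sv, ver)
                       for p, st, pr, sv, ver in PORT_RE.findall(ports_field)]
    return hosts


def assess(scan):
    """Flag open TCP ports that exceed the assumed policy, with a severity."""
    findings = []
    for host, ports in scan.items():
        for port, state, proto, service, _version in ports:
            if state != "open" or proto != "tcp":
                continue  # closed/filtered ports are not exposure
            if port in NEVER_PUBLIC:
                findings.append((host, port, "HIGH", f"{service} reachable from the Internet"))
            elif port in ADMIN_ONLY:
                findings.append((host, port, "MEDIUM", "restrict terminal services to the admin's address"))
            elif port not in ALLOWED_PUBLIC:
                findings.append((host, port, "LOW", f"unexpected service {service}; verify the banner by hand"))
    return findings


# Constructed sample scan; 192.0.2.10 is a documentation (placeholder) address.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 (web)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 5.0/, "
    "3389/open/tcp//ms-wbt-server///, 1433/open/tcp//ms-sql-s///, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)\n"
)
```

Running `assess(parse_grepable(SAMPLE_SCAN))` on the constructed scan reports the exposed terminal services port as MEDIUM and the externally reachable SQL Server port as HIGH, while the filtered SMB port is not counted as exposure.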