I posted a piece entitled "Log files - are you reviewing yours?" as a gentle reminder that, despite how overworked we are, log files should be mined for data as they form a critical part of our defences. I was lamenting that perhaps some of the breaches we've seen splashed across the media may have been prevented if more attention had been paid to the logs. Well, a link to the Western Australian Auditor General's report on 15 government departments' information systems, published on the 15th of June, turned up in my inbox.
It makes for eye-opening and fairly concerning reading on the poor state of IT security in these government agencies. I suggest you take time to read through the 32 pages of the report and make your own notes. Some comments in the report will antagonize professional penetration testers reading it, so make sure you haven't had too much caffeine first. The report is split into two sections and I'm just going to focus on the first section: the external attack portion.
The meat of the external attack portion of the report covers a third party, using common security tools, running very aggressive and obviously hostile external scans against the targeted departments. The heavy scanning uncovered a number of exploitable known vulnerabilities. One of the most damning statements is that no-one noticed when one web application system actually started to slow down under millions of username and password brute force attempts. If the security team missed this, that's one thing, but the operations team missing the system being hit is another. Operations teams tend to pick up on "wrongness" pretty quickly, either from help desk calls or their own performance alerts. I wonder, if someone did notice, would they have told the security team? If you've ever tested your own systems, any obvious noisy, repetitive attack should stand out against normal log entries and scream for attention. This, to me, highlights the total failure to make use of monitoring and reporting on logs, which could so easily provide warning of an attack and identify the attacker.
I'm impressed that this type of report is in the public domain and by the blunt approach it has taken in highlighting the key findings*. This open approach is a marked change from the old misdirection of "these aren't the droids - er, massive problems we're pretending don't exist, which anyone with Nessus 0.99.10 could find - you're looking for, so we'll just ignore them".
It is easy, and important, to take a number of positive actions and lessons learnt from the report, rather than treat it as another stick to be beaten with. Show this report, and any of the numerous breaches, to management, and use resources such as http://datalossdb.org/ to factor in the financial cost of a breach to your company. This may sway those that control your time and the purse strings to make time for simple, effective security steps, such as testing and log review, and even a bit of training**.
Here are a few points I've taken from reading this report:
- Know what normal traffic and logs look like for your environment
- Test your own systems with freely available and widely used scanning and vulnerability assessment tools to see what shows up in the log files ***With PERMISSION only***
- Test username and password brute force attack tools against your publicly facing systems and see what shows up in the log files ***With PERMISSION only***
- Find a simple, automated process to review log files for the alerts or events generated by these scans
- Let people in your company know who to call if they see a possible security incident
- Make sure you have an incident response plan first, then one that works, and finally one that is understood, endorsed and signed off by management
- Show other IT staff what attacks look like and how they can affect system performance
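The points above read as one procedure: learn what normal looks like, generate known-hostile traffic against your own systems (with permission), then automate the review so the noise from a scan or a brute force run is flagged rather than buried. As an added example, not code from the original diary or from the Auditor General's report, here is a small Python script that does the review step over constructed Apache combined-format access log lines: it builds a per-source status profile (the "normal" baseline), flags a source that fails the login form repeatedly inside a short window, and flags a source whose user-agent names a vulnerability scanner or that racks up a burst of 404s. The log format, the /login path, the thresholds, the scanner user-agent markers and the sample lines themselves are all assumptions to tune for your own environment.

```python
"""Review web access logs for brute-force and scanner activity.

Added example for this diary, not code from the original post or the
Auditor General's report. The log format (Apache combined), the /login
path, the thresholds, the scanner user-agent markers and the sample
lines below are all assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one normal user (with a single typo'd password), one
# brute-forcer hammering /login, and one scanner probing well-known paths.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2011:09:00:01 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [15/Jun/2011:09:00:04 +0800] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [15/Jun/2011:09:00:09 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [15/Jun/2011:09:05:00 +0800] "POST /login HTTP/1.1" 401 231 "-" "Python-urllib/2.6"
198.51.100.23 - - [15/Jun/2011:09:05:02 +0800] "POST /login HTTP/1.1" 401 231 "-" "Python-urllib/2.6"
198.51.100.23 - - [15/Jun/2011:09:05:04 +0800] "POST /login HTTP/1.1" 401 231 "-" "Python-urllib/2.6"
198.51.100.23 - - [15/Jun/2011:09:05:06 +0800] "POST /login HTTP/1.1" 401 231 "-" "Python-urllib/2.6"
198.51.100.23 - - [15/Jun/2011:09:05:08 +0800] "POST /login HTTP/1.1" 401 231 "-" "Python-urllib/2.6"
198.51.100.23 - - [15/Jun/2011:09:05:10 +0800] "POST /login HTTP/1.1" 401 231 "-" "Python-urllib/2.6"
192.0.2.99 - - [15/Jun/2011:09:10:00 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; Nessus)"
192.0.2.99 - - [15/Jun/2011:09:10:00 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; Nessus)"
192.0.2.99 - - [15/Jun/2011:09:10:01 +0800] "GET /cgi-bin/test-cgi HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; Nessus)"
192.0.2.99 - - [15/Jun/2011:09:10:01 +0800] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; Nessus)"
192.0.2.99 - - [15/Jun/2011:09:10:02 +0800] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; Nessus)"
"""

# Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login"                                               # assumption
SCANNER_MARKERS = ("nessus", "nikto", "sqlmap", "nmap", "masscan")  # assumption


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    """Parse every line that matches; unparseable lines are skipped, not fatal."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def status_profile(entries):
    """Per-source status counts: the 'what does normal look like' baseline."""
    profile = defaultdict(Counter)
    for e in entries:
        profile[e["ip"]][e["status"]] += 1
    return {ip: dict(c) for ip, c in profile.items()}


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(entries, path=LOGIN_PATH, threshold=5, window=timedelta(seconds=60)):
    """Sources with >= threshold failed logins inside `window` (one typo'd password is not enough)."""
    failures = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == path and e["status"] in (401, 403):
            failures[e["ip"]].append(e["ts"])
    hits = {ip: max_in_window(ts, window) for ip, ts in failures.items()}
    return {ip: n for ip, n in hits.items() if n >= threshold}


def find_scanners(entries, not_found_threshold=5, markers=SCANNER_MARKERS):
    """Sources that announce a scanner in the user-agent or burst through many 404s."""
    reasons = defaultdict(list)
    for e in entries:
        for marker in markers:
            if marker in e["ua"].lower():
                tag = f"scanner user-agent ({marker})"
                if tag not in reasons[e["ip"]]:
                    reasons[e["ip"]].append(tag)
    not_found = Counter(e["ip"] for e in entries if e["status"] == 404)
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            reasons[ip].append(f"{n} responses of 404")
    return dict(reasons)


def review(text):
    """One-shot review: alert strings you could drop into a daily report or a ticket."""
    entries = parse_log(text)
    alerts = [f"brute force: {ip} failed login {n} times inside the window"
              for ip, n in find_bruteforce(entries).items()]
    alerts += [f"scanner: {ip} ({'; '.join(r)})" for ip, r in find_scanners(entries).items()]
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Run it against your own access logs after a permitted scan or brute force test: the two attacking sources should light up and the normal user should not. The sliding window matters; counting failures per source over a whole day would flag a help desk's shared NAT address, while counting them per minute catches the tool that fires a request every two seconds. The 404 burst and the user-agent marker are deliberately separate signals, because a tool with a spoofed user-agent still trips the first one.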
As a final note, if you get an audit result like this on your systems, use it to highlight business risks and produce a plan on how to effectively and realistically address the points and issues raised. IT security is part of the business, there to support and protect it, so fixing it is a group effort involving the business, not just the poor, misunderstood IT security sap in the corner. To the folks in those fifteen agencies trying to get their systems and processes secured: keep at it, work through what's been reported, and next year's audit will paint a very different picture.
As always, if you have any suggestions, insights or tips please feel free to comment.
The "Strategies to Mitigate Targeted Cyber Intrusions" PDF mentioned in the report: http://www.cert.gov.au/www/cert/RWPAttach.nsf/VAP/(3A6790B96C927794AF1031D9395C5C20)~intrusion_mitigations+pdf+for+CERT+website.PDF/$file/intrusion_mitigations+pdf+for+CERT+website.PDF
* Despite the warm and fuzzy thanks that are recorded in the agencies' responses, I suspect there may have been a number of closed door meetings with enraged management waving the report and equally annoyed security teams waving their own reports saying "we told you this already".
** http://www.sans.org/security-training/courses.php - there is something new to learn for every, and any, security professional :)
Chris Mohan --- Internet Storm Center Handler on Duty