Page 170 - Courses

Logical Security: The Network Layer

                   •  Default settings are not disabled, such that one can access the FTP server through an
                       anonymous, guest, or other such account.
                   •  Password strength on the server is insufficient.
                   •  A hacker could use access to initiate further attacks into the organization’s primary
                       network.
            •  Data is stolen.
                   •  Due to limited monitoring of FTP servers, data could be stolen, and the breach could go
                       undetected. A user accessing the server could be an authorized or unauthorized user.
                   •  Data is not promptly removed after being sent or received.
                   •  Automated processes that remove and monitor data residing on the FTP server do not
                       execute as intended.

            Controls

            Controls include:
            •  The OS on the server is hardened by removing or disabling unnecessary services.
            •  Default vendor settings are disabled or modified.
            •  The server is monitored, and timely follow-up occurs when alerted.
            •  Password features are strong.
            •  Automated processes monitor data contained on FTP servers, and remove data when applicable.
            •  Appropriate alerts exist when automated processes are not running.
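One way to check the first four controls above against an actual server configuration rather than a questionnaire answer is to audit the configuration file directly. The script below is an added example and is not part of the IIA course text: it uses vsftpd's vsftpd.conf directive names, and it reports a directive as a finding whether the weak value was set explicitly or merely left at the vendor default, which is the "default settings are not disabled" condition the risk list describes. The fallback values applied when a directive is absent are assumptions, and both sample configurations are constructed.

```python
"""Check an FTP server configuration against the hardening controls listed above.

Added example, not part of the IIA course text. It targets vsftpd's
vsftpd.conf directive names; the fallback values applied when a directive is
absent are assumed here, and both sample configurations are constructed.
"""
from __future__ import annotations

# Value each directive should have on a hardened server.
EXPECTED = {
    "anonymous_enable": "NO",        # no anonymous/guest access
    "anon_upload_enable": "NO",
    "ssl_enable": "YES",             # credentials and data encrypted in transit
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "chroot_local_user": "YES",      # users confined to their own directory
    "xferlog_enable": "YES",         # transfer log that can be shipped to a SIEM
    "log_ftp_protocol": "YES",
}

# Assumed vendor defaults used when the directive is not set explicitly.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "chroot_local_user": "NO",
    "xferlog_enable": "NO",
    "log_ftp_protocol": "NO",
}


def parse_config(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings


def audit_config(text: str) -> list[dict]:
    """Return one finding per directive whose effective value is not the expected one.

    A directive left at its vendor default is reported with source="default",
    which is the 'default settings not disabled' condition an auditor looks for.
    """
    settings = parse_config(text)
    findings = []
    for directive, expected in EXPECTED.items():
        if directive in settings:
            actual, source = settings[directive], "explicit"
        else:
            actual, source = DEFAULTS[directive], "default"
        if actual != expected:
            findings.append({"directive": directive, "actual": actual,
                             "expected": expected, "source": source})
    return findings


# Constructed: a vendor-default style configuration with anonymous access left on.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed: the same server after the controls above are applied.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
xferlog_enable=YES
log_ftp_protocol=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_config(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['directive']}={f['actual']} ({f['source']}), "
                  f"expected {f['expected']}")
```

Run against the constructed weak configuration, the script reports five findings (anonymous access, no TLS, no chroot, and two logging directives still at their defaults); the hardened configuration produces none. The same pattern extends to any key=value style server configuration by swapping the two tables.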

            Suggested Audit Procedures

            Suggested audit procedures include:
            •  Obtaining a network diagram to determine the appropriate placement of FTP server(s) on the
               network.
                   •  Normally, these could be located within the DMZ, but are sometimes placed inside the
                       organization’s network.
            •  Testing to ensure the appropriateness of authentication protocols.
                   •  The best practice is to isolate the authentication protocols to the FTP server, especially if
                       they are within the DMZ.
            •  Reviewing the adequacy of the password policy.
            •  Reviewing the appropriateness of account and access management procedures.
                   •  Test to ensure unused accounts are disabled.
                   •  Test to ensure access is restricted.
                          •  Access could be restricted by functionality or data. For example, bank treasury
                              data could be isolated from 401K employee data.
            •  Reviewing log monitoring (if applicable).
                   •  Logs should be enabled and immediately transferred to a SIEM.
                   •  The SIEM should contain appropriate alerts and notifications of irregular behavior.
             •  Testing to ensure that all network appliance software default settings are changed to a
                security-hardened status. If an external OS is used, test to ensure bare minimum OS processes,
                systems, services, and commands are enabled.
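The log-monitoring and account-management procedures above can be expressed as concrete alert rules, which is what an auditor should expect to find in the SIEM. The following is an added example, not part of the IIA course text: it parses FTP server log lines in the layout this example assumes for vsftpd's vsftpd.log (the sample lines, addresses and account names are constructed) and raises three of the alerts an FTP rule set would typically carry: a successful anonymous login, a login by an account that the access review recorded as disabled, and a burst of failed logins from a single client.

```python
"""Flag irregular FTP activity in vsftpd-style logs before or at the SIEM.

Added example, not part of the IIA course text. The log line layout is the
one this example assumes for vsftpd.log; the sample lines, client addresses
and account names are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] '          # timestamp and process id
    r'(?:\[(?P<user>[^\]]+)\] )?'         # user is absent on CONNECT lines
    r'(?:(?P<status>OK|FAIL) )?'          # OK/FAIL precedes LOGIN, UPLOAD, ...
    r'(?P<event>[A-Z]+): Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)

# Account names that mean "no individual authentication took place".
ANONYMOUS_USERS = {"anonymous", "ftp"}


@dataclass
class Event:
    ts: str
    user: str | None
    status: str | None
    event: str
    client: str
    rest: str


def parse_line(line: str) -> Event | None:
    """Return an Event for a recognised log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(**m.groupdict())


def detect(lines, disabled_accounts: set[str], fail_threshold: int = 3) -> list[dict]:
    """Apply three alert rules to a batch of log lines.

    The batch is treated as one time window; a production rule would bucket
    failed logins by time as well as by client.
    """
    alerts: list[dict] = []
    failed_by_client: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.event != "LOGIN":
            continue
        if ev.status == "OK":
            if (ev.user or "").lower() in ANONYMOUS_USERS:
                alerts.append({"rule": "anonymous_login", "ts": ev.ts,
                               "user": ev.user, "client": ev.client})
            if ev.user in disabled_accounts:
                alerts.append({"rule": "disabled_account_login", "ts": ev.ts,
                               "user": ev.user, "client": ev.client})
        elif ev.status == "FAIL":
            failed_by_client[ev.client] += 1
    for client, count in failed_by_client.items():
        if count >= fail_threshold:
            alerts.append({"rule": "failed_login_burst", "client": client,
                           "count": count})
    return alerts


# Constructed sample log: one anonymous session, one failed-login burst,
# one normal session, and one login by an account that should be disabled.
SAMPLE_LOG = """\
Mon Mar  1 09:58:00 2021 [pid 4101] CONNECT: Client "10.20.30.40"
Mon Mar  1 09:58:01 2021 [pid 4101] [anonymous] OK LOGIN: Client "10.20.30.40"
Mon Mar  1 09:58:09 2021 [pid 4102] [anonymous] OK DOWNLOAD: Client "10.20.30.40", "/pub/export.csv", 204800 bytes, 512.00Kbyte/sec
Mon Mar  1 10:02:10 2021 [pid 4110] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  1 10:02:12 2021 [pid 4111] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  1 10:02:15 2021 [pid 4112] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  1 10:15:33 2021 [pid 4120] [bob] OK LOGIN: Client "10.0.5.12"
Mon Mar  1 10:15:40 2021 [pid 4120] [bob] OK UPLOAD: Client "10.0.5.12", "/home/bob/report.txt", 1024 bytes, 10.00Kbyte/sec
Mon Mar  1 11:40:02 2021 [pid 4131] [jsmith_contractor] OK LOGIN: Client "10.0.5.90"
"""

# Constructed: accounts the last access review marked as disabled.
DISABLED_ACCOUNTS = {"jsmith_contractor"}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), DISABLED_ACCOUNTS):
        print(alert)
```

On the constructed sample the script raises exactly three alerts. The disabled-account rule is the useful one for the "test to ensure unused accounts are disabled" step: a successful login by an account the review lists as disabled is direct evidence that the control is not operating, not merely a configuration observation.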

            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.