
SECURITY ASSESSMENT AUDIT REPORT
(Company X), (Date)
TABLE OF CONTENTS
EXECUTIVE SUMMARY (p. 3)
    Background (p. 3)
    Objective and Scope (p. 3)
    Key Observations and Recommendations (p. 4)
SUMMARY OF OBSERVATIONS (p. 5)
DETAILED OBSERVATIONS (p. 6)
    1. General Observations (p. 6)
    2. Microsoft Windows and UNIX Platforms (p. 9)
    3. Virtualization Environment (p. 12)
    4. Microsoft SQL and DB2 Databases (p. 14)
    5. Security Architecture and Remote Access (p. 16)
    6. Smartphone Devices (p. 17)
    7. External Penetration Assessment (p. 18)
APPENDIX A – CRITICALITY RATING DEFINITIONS (p. 19)
APPENDIX B – RISK TYPE DEFINITIONS (p. 20)
APPENDIX C – SUPPORTING DOCUMENTATION (p. 21)
APPENDIX D – ACKNOWLEDGEMENTS (p. 22)

This report presents the results of the information security audit performed for <Company ABC> from <Month> to
<Month>, <Year>. This management summary report is designed for you to understand the level of security
assessed, to identify security deficiencies and areas of strength and weakness, and to develop a course of action
to correct vulnerabilities and mitigate the associated risks.

It should be understood that all information security systems, which by their nature are dependent on their human
operators, are vulnerable to some degree. While the major security vulnerabilities are believed to have been
identified on the systems analyzed, there can be no assurance that any exercise of this nature will identify all
possible vulnerabilities or propose exhaustive and operationally viable recommendations to mitigate those
exposures.

This report identifies known vulnerabilities that were detected during the test period; new devices, configuration
changes and new/future vulnerabilities were not tested. While the matters presented herein are the result of the
review, had additional procedures been performed, other matters may have been identified that would have been
reported.

Additionally, this report contains information concerning potential vulnerabilities of <Company ABC> and methods
for exploiting them. It is recommended that special precautions be taken to protect the confidentiality of both this
document and the information contained herein.

2 Source: www.knowledgeleader.com
EXECUTIVE SUMMARY

Background
<Company ABC> performed an enterprise security assessment of the organization’s external and internal
technology infrastructure. <Company ABC’s> technology infrastructure is composed of several computing
platforms, ranging from desktop computers and handheld phones to servers and databases that support critical
applications and store business critical information.

A wide range of technology areas were selected for the assessment, based on their overall business importance
and criticality to the organization. A focus was placed on evaluating controls that directly correlated to threats and
risks that may compromise the confidentiality, integrity and availability of the information technology environment
that supports <Company ABC’s> business operations.

The assessment was executed in multiple stages, starting with interviews of key <Company ABC> employees
across the infrastructure, network, information security and data services functions. The purpose of each meeting
was to gain an understanding of the existing processes, policies and controls surrounding the management of the
technology environment. The results of these interviews were compared for alignment against many of <Company
ABC’s> policies, procedures and technical standards. Where applicable, specific technology areas were
measured and compared against generally accepted industry standards and practices. Testing was performed to
validate that processes and controls employed throughout each scope area were operating effectively.

While the security posture of <Company ABC’s> IT environment is continually being evaluated and assessed by
Information Security, Internal Audit and various other functions, a comprehensive enterprise security assessment
has not been performed by an external party since <Month, Date>. Fieldwork for this audit was conducted from
<Month, Date> through <Month, Date>.

Objective and Scope


The primary objective of the assessment was to identify and evaluate the overall security posture, controls and
potential risk exposures that would allow an unauthorized person the ability to access <Company ABC> systems,
as well as business and personally identifiable information. The scope of the audit consisted of eight distinct
phases, including:
• Microsoft Windows and UNIX Servers: Security settings were reviewed on a sample of X Microsoft Windows
devices, X Red Hat Linux devices and a single Sun Solaris device for alignment with established <Company ABC>
and generally accepted industry standards.
• Microsoft Windows Workstations: Processes and controls used to manage <Company ABC’s> laptop and
workstation environment were evaluated. Security settings on a sample of X Microsoft Windows workstation
devices were reviewed for compliance with established <Company ABC> and generally accepted industry
standards.
• Virtualization Server Environment: Configuration and security controls were reviewed on X virtualized
infrastructure devices to identify potential vulnerabilities and single points of failure.
• Network and Security Architecture: <Company ABC’s> network and security perimeter are the primary
control mechanisms that protect the environment from external threats and attacks. The overall design and
architecture were reviewed and evaluated. A sample of X network device configurations from various points
around the internal <Company ABC> environment and perimeter was evaluated.
• Remote Access Security: Security settings were reviewed on a sample of VPN and remote access devices
that enable and control access to trusted internal <Company ABC> resources. Settings and practices were
reviewed for compliance and alignment with established <Company ABC> and generally accepted industry
standards.
• Microsoft SQL Server and IBM DB2 Databases: Databases that store business critical information and
support key applications across the Microsoft SQL and IBM DB2 platforms were reviewed. Security processes
and configuration controls were evaluated on a sample of X databases.

• Smartphones and Tablets: Security controls and processes were evaluated across <Company ABC’s>
smartphones and tablets. Processes around provisioning, deployment, management, and security
configuration and control were evaluated.
• External Network Security and Information Discovery: Information gathering and vulnerability scanning
were performed from the external internet to detect issues and vulnerabilities on internet-facing <Company
ABC> systems. Attempts were made to gain access to resources and information from the internet.
Additionally, attempts were made to discover information using internet search engines (e.g., Google) where
information may have been inappropriately posted or disclosed to various forums, social networking sites and
websites.

Within each technology area listed above, specific processes and controls were evaluated in the following
categories:
• Configuration Management
• Vulnerability Management
• Patch Management
• Security Process Integration and Consistency
• Logging and Monitoring
• Information Classification and Prioritization

The scope of this audit did not include the mainframe computing platform. Additionally, processes surrounding
access control and the lifecycle of user IDs were not evaluated for all technology areas.

Key Observations and Recommendations


Overall, <Company ABC’s> technology environment is largely configured and managed to meet generally
accepted industry standards and practices. Strong security controls and mature management processes were
observed throughout all scope areas reviewed. This can be largely attributed to a strong information security
function, a well architected network security infrastructure and effective operational IT processes.

Although several medium and low-risk issues were noted across the areas and technologies reviewed, no risks
were identified that present an immediate, high-impact threat to <Company ABC’s> business operations. In areas
where issues were identified, numerous compensating controls were often identified to mitigate the likelihood and
impact of the potential risk. Improvement opportunities exist in the areas of technical documentation and
configuration management, including:
• Baseline security configuration standards have not been documented for several of the technology areas
reviewed, including workstations, DB2 databases and smartphones. As a result, technology owners may not
have clear requirements around the minimum required settings when configuring devices prior to deployment
in the production environment. While these technologies were generally well configured, <Company ABC>
should refine and, in some cases, document baseline security configuration standards to define and require a
minimum level of protective measures for these technologies.
• A number of configuration issues were identified across the technology areas reviewed during the assessment.
Many of these issues are a result of legacy or one-off devices not being retroactively configured to align with
current <Company ABC> technical standards. A key example of this would include the legacy Solaris server
used to support the acquired “Specialty Managers” application. Although this server was originally configured
according to vendor requirements, the configurations were not updated to align with security provisions in the
recently established “Information Asset Protection Technical Standard” for UNIX platforms. <Company ABC>
should implement a process to retroactively configure older legacy systems to meet current configuration
requirements.

A detailed list of all observations noted is provided on the subsequent pages of this report.

SUMMARY OF OBSERVATIONS
The table below provides a summary of the observations identified as a result of the enterprise security audit.
Criticality ratings are defined in Appendix A and risk types are defined in Appendix B.

Issue  Observation                                      Criticality  Risk Type

1. General Observations
1.1    Password Complexity                              Medium       Operational, Fraud
1.2    Patch Management                                 Low          Operational
1.3    Technical Documentation                          Low          Operational

2. Microsoft Windows and UNIX Platforms
2.1    Insecure Red Hat Server Configurations           Medium       Operational
2.2    Insecure Solaris Configurations                  Medium       Operational
2.3    Weak Windows Password Storage                    Low          Operational, Fraud

3. Virtualization Environment
3.1    Insecure ESX Configurations                      Medium       Operational, Fraud
3.2    Incomplete ESX Audit Logging                     Low          Operational, Fraud

4. Microsoft SQL and DB2 Databases
4.1    Insecure DB2 Configurations                      Medium       Operational, Fraud
4.2    Excessive SQL Server Permissions                 Low          Operational, Fraud
4.3    Incomplete SQL Server Audit Logging              Low          Operational, Fraud

5. Security Architecture and Remote Access
5.1    Insecure Network Device Configurations           Low          Operational

6. Smartphone Devices
6.1    Personal Smartphone Encryption Controls          Medium       Operational, Reputation

7. External Penetration Assessment
7.1    Technical Information Disclosure                 Low          Operational, Reputation

DETAILED OBSERVATIONS
The table below provides descriptions and details for the observations noted as a result of the enterprise security
audit. Observations have been separated by auditable areas and ranked in order of priority within each area.

1. General Observations

1.1 Password Complexity | Criticality: Medium | Risk Type: Operational, Fraud

Observation:
Password complexity is not required in the <Company ABC> environment. Specifically, users are not
technically required to use a complex password (a password that includes a combination of upper and
lowercase letters, numbers and special characters) when establishing and changing passwords on <Company
ABC> systems and applications.
Note: <Company ABC> utilizes Password Vault to generate, store and manage strong passwords for privileged
accounts across the <Company ABC> environment. While this mitigates the risk of powerful administrator
accounts being compromised, this control does not apply to standard user accounts.
Risk:
Passwords using dictionary words without additional numbers or symbols are more susceptible to “cracking”
and brute force attacks. Weak passwords increase the chances that an unauthorized user could guess the
correct password and gain or elevate access to <Company ABC> systems and information.
Recommendation:
• Re-evaluate the overall security benefits against the unintended consequences of enabling password
complexity across <Company ABC> systems and applications. At a minimum, password complexity should
be enforced for all privileged accounts and critical applications.
• Continue working to expand the use of Password Vault to generate, store and manage privileged account
passwords.
• Determine whether any legacy systems in the <Company ABC> environment can be configured to accept
and enforce complex passwords.
Note: <Company ABC> should strive to implement at least alphanumeric complexity requirements. Adding
numbers and special characters to passwords exponentially increases the difficulty of guessing or cracking a
password and compromising a user account.
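
As a concrete illustration of the minimum complexity rule recommended above, the following Python check is an added example written for this edited copy (it is not code from the report or from <Company ABC>). It enforces a length floor, a minimum number of character classes and a small dictionary-word denylist, and computes how the candidate space an attacker must search grows as classes are added. The 8-character and 3-class thresholds and the tiny word list are assumptions chosen for the example; the report itself states no specific values.

```python
# Added example (not from the audit report): a password-policy check for the
# "alphanumeric at minimum" recommendation in observation 1.1, plus the size of the
# candidate space an attacker must search as more character classes are required.
import math
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
# Constructed stand-in for a dictionary-word list; load a real wordlist in practice.
COMMON_WORDS = {"password", "welcome", "summer", "company"}

def character_classes(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def check_policy(password, min_length=8, min_classes=3):
    """List of violations; an empty list means the password satisfies the policy.
    The 8-character and 3-class thresholds are assumptions for this example."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < min_classes:
        failures.append(f"uses {len(classes)} character class(es); {min_classes} required")
    # Strip digits and symbols so a bare word dressed up as "Summer1!" is still caught.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in COMMON_WORDS:
        failures.append("based on a common dictionary word")
    return failures

def keyspace_bits(length, classes):
    """log2 of the number of candidates of the given length drawn from those classes."""
    alphabet = sum(len(CLASSES[name]) for name in classes)
    return length * math.log2(alphabet)

if __name__ == "__main__":
    for pw in ("summer", "Summer1!", "Tr0ub4dor&3"):
        print(pw, "->", check_policy(pw) or "OK")
    for classes in (["lower"], ["lower", "digit"], list(CLASSES)):
        print(f"8 chars from {'+'.join(classes)}: {keyspace_bits(8, classes):.1f} bits")
```

The keyspace figures make the report's "exponentially increases" remark concrete: eight lowercase letters give roughly 37.6 bits of search space, while eight characters drawn from all four classes give roughly 52.4 bits, and every added character multiplies the space by the alphabet size again.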

1.2 Patch Management | Criticality: Low | Risk Type: Operational

Observation:
The following missing patches were identified within the <Company ABC> technology environment:
• Windows Workstations: Missing Microsoft patches were identified on all X Windows workstations
sampled. A total of X missing patches were identified, all of which were given a “Critical” severity rating by
Microsoft.
Note: These results do not include missing patches released after <Month, Date>. It’s important to note that
these would not have been deployed at the time of testing, which is in accordance with <Company ABC’s>
Windows workstation patch management process.
• Windows Servers: Missing Microsoft patches were identified on X of X Windows Server 2003 servers
sampled. A total of X missing patches were identified, X of which were given a “Critical” severity rating by
Microsoft.
Note: These results do not include missing patches released after <Month, Date>. It’s important to note that
these would not have been deployed at the time of testing, which is in accordance with <Company ABC’s>
Windows workstation patch management process.


• SQL Server Databases: Missing patches were identified on all X SQL Server databases sampled.
Note: Three databases tested are restricted to earlier patch levels by vendor requirements. It should be
noted that <Company ABC’s> SQL Server Team generally stays at the latest service pack level but does
not apply hot fixes or cumulative updates, due to concerns around the impact of the patch.
• DB2 Databases: Missing patches were identified on all X DB2 databases sampled. X of the version levels
identified are currently at end of life status.
Note: All X databases tested are restricted to earlier patch levels by vendor requirements.
• Network Devices: Outdated or unsupported IOS versions were noted on X out of X network devices
sampled.
Note: The audit identified missing patches using authenticated scans with leading security tools. There are
numerous ways to measure whether patches have been installed, and results may vary depending on the tools
and methods utilized. The missing patches presented in this report are based solely on the results of the
authenticated scans performed.
Risk:
As new vulnerabilities are identified, software vendors release updates to patch these gaps. If these patches
are not applied in a timely manner, vulnerabilities increase the risk of an attacker gaining unauthorized access,
rendering a system inaccessible and/or obtaining sensitive data.
Recommendation:
• Validate that critical patches are applied to all <Company ABC> systems in alignment with <Company
ABC’s> established patch management process.
• Consider aligning the existing patch management and vulnerability management processes to account for
business criticality. Effort should be placed on deploying and validating appropriate patches are in place on
high-risk and high-value business resources and information.

1.3 Technical Documentation | Criticality: Low | Risk Type: Operational

Observation:
Policies, procedures and technical standards documentation does not consistently reflect current processes
and configurations within the <Company ABC> environment. While thorough technical documentation exists
for several areas, technology owners are not consistently implementing established standards to secure new
technologies or retroactively secure existing technologies.
Specifically, the following documents were noted:
• IT Standards Document: The IT Standards document has not been reviewed and updated since <Date>.
• Virtualization (ESX) Environment: ESX build documentation has been developed; however, it does not
include provisions for hardening and securing the ESX environment.
• Smartphones and Tablets: Configuration policies exist within the Mobile Messaging software, but a mobile
device configuration baseline with provisions for security has not been documented and approved.
• Workstations: Microsoft Windows build documentation has been developed; however, it does not include
provisions for hardening and securing the workstation environment.
• DB2 Databases: Baseline DB2 configuration documentation has not been created.
Risk:

Comprehensive and up-to-date technical documentation enables IT to effectively manage the security
configurations of their respective technologies. Incomplete technical documentation and/or the lack of
consistency implementing approved technical standards may lead to conditions of prolonged security and
operational exposures for systems supporting <Company ABC’s> business operations.
Recommendation:
• Establish baseline configuration standards, which include provisions for security and hardening, for all
technology areas. Technology and business owners should continue working and consulting with
<Company ABC> Information Security to establish or update technical configuration baseline standards for
ESX devices, smartphone devices, workstations and the DB2 database environment.
• Review existing policies, procedures and technical standards on a periodic basis to ensure that they align
with <Company ABC> information security guidelines and generally accepted industry standards.
• Implement a process to periodically review the configuration settings for business-critical systems and
applications. Implement an approval process for out-of-compliance settings that are required to support the
business and incorporate this process into the existing IT security exception process. Ensure the exception
process identifies alternative controls that mitigate the risk of non-compliance.

2. Microsoft Windows and UNIX Platforms

2.1 Insecure Red Hat Configurations | Criticality: Medium | Risk Type: Operational

Observation:
A sample of X Red Hat servers were analyzed and reviewed against <Company ABC’s> information security
policies and generally accepted industry standards. The following insecure configuration settings were
identified:
• Password Requirements: X Red Hat servers were configured with a password length enforcement of X
characters. Additionally, passwords were not configured to expire.
• Unnecessary Services: X Red Hat servers were configured with the SendMail service and Simple Network
Management Protocol (SNMP) service enabled. SendMail is an email routing service that supports a variety
of mail transfer delivery methods. SNMP is a protocol that enables network and system administrators to
remotely monitor and configure devices on the network.
Note: <Company ABC> utilizes Password Vault to generate, store and manage strong passwords for privileged
accounts on Red Hat servers. This mitigates the risk of powerful administrator accounts being compromised
but does not apply to standard user accounts.
Risk:
Weak password requirements increase the risk of an unauthorized individual gaining access to the server
through brute force, eavesdropping, or other means. Unnecessary services can be used to gain more
information about the structure of the internal network, which can be used by a malicious user attempting to
gain unauthorized access or perform malicious activities.
Recommendation:
• Validate that all Red Hat servers enforce password length and have expiration requirements as well as
unnecessary or potentially dangerous services disabled.
• Implement a process to ensure that all Red Hat systems put into production are configured with appropriate
password controls and have any extra/unnecessary services disabled. Reference <Company ABC’s>
Information Asset Protection Technical Standard for UNIX systems for a list of services that are
recommended to be disabled upon the configuration of a Red Hat system.

2.2 Insecure Solaris Configurations | Criticality: Medium | Risk Type: Operational

Observation:
A sample of X Solaris servers was analyzed and reviewed against <Company ABC’s> information security
policies and generally accepted industry standards. The following insecure configuration settings were
identified:
• Password Requirements: The Solaris server was configured with the following password settings:
− Password history
− Account lockout threshold
− Maximum password age
− Minimum password length of X characters
• Remote Root Access: The Solaris server was configured to allow anonymous remote root login.
• Duplicate UID: The Solaris server was configured with the “root” and “smtp” accounts assigned
administrator access (UID of ‘0’).
• Unnecessary System Accounts: Generic and unnecessary system accounts have not been disabled.
Additionally, these accounts can be used to log in to the Solaris server (i.e., they are not locked or disabled).
• Unnecessary Services: The Solaris server was configured with the following unnecessary services
enabled:
− File transfer protocol (FTP): A service used to transfer files.
− Telnet: A service used to log into a remote computer.
− Finger: A service used to find information about other network users.
− Chargen: A service used for network testing and measurement purposes.
− Discard: A service used for network testing and measurement purposes.
− SNMP: A service used to remotely monitor and configure devices.
Risk:
Weak password requirements increase the risk of an unauthorized individual gaining access to the server
through brute force, eavesdropping, or other means. In conjunction with anonymous remote root access,
duplicate UIDs and default accounts, the risk increases that an unauthorized individual could access the
server remotely and anonymously.
File Transfer Protocol (FTP) and Telnet services transmit user credentials over the network in clear text,
allowing a malicious user to intercept these transmissions and obtain access to the server.
The additional unnecessary services identified can be used to gain more information about the structure of the
internal network, which can be used by a malicious user attempting to gain unauthorized access or perform
malicious activities.
Recommendation:
• Configure Solaris password controls to align with the <Company ABC> Access Control standard.
• Disable anonymous root access, remove administrator access from the “smtp” account and disable or lock
all default accounts not currently in use.
• Evaluate whether the FTP and Telnet services are being used for specific business purposes. Otherwise,
consider using more secure alternative protocols (e.g. SFTP instead of FTP, SSH instead of Telnet).
• Disable Finger, Chargen, Discard and SNMP on the referenced devices. If they are required for a specific
business purpose, restrict access to the appropriate individuals.
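
To show how the checks behind observations 2.1 and 2.2 can be reproduced from copies of host files rather than by hand, the following Python script is an added example written for this edited copy (it is not tooling from the audit or from <Company ABC>). It reads offline copies of /etc/passwd, /etc/shadow, /etc/login.defs, the Solaris /etc/default/login file and Red Hat `chkconfig --list` output, and reports duplicate UID 0 accounts, unlocked generic accounts, weak length and expiry settings, unrestricted remote root login and the unnecessary services the report names. Every input below is a constructed sample; the 8-character and 90-day thresholds, the locked-account list and the flagged-service list are assumptions for the example (the report gives these values only as X), and a Solaris host would be queried with svcs/inetadm rather than chkconfig, which the script does not parse.

```python
# Added example (not from the audit report): applies the checks behind observations
# 2.1 and 2.2 to offline copies of host files. Every input below is a constructed sample.
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smtp:x:0:0:Mail Daemon User:/:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhash:15000:0:99999:7:::
smtp:$6$saltsalt$hashhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
lp:$6$saltsalt$hashhash:15000:0:99999:7:::
jdoe:$6$saltsalt$hashhash:15000:0:99999:7:::
"""
LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""
# Solaris /etc/default/login: a commented-out CONSOLE line lets root log in remotely.
DEFAULT_LOGIN = """\
#CONSOLE=/dev/console
"""
# Red Hat `chkconfig --list` style output (Solaris would use svcs/inetadm instead).
CHKCONFIG = """\
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet:         on
        finger:         on
        chargen-stream: off
"""
# Services the report calls out in 2.1 and 2.2, plus FTP (assumed list; extend as needed).
UNNECESSARY_SERVICES = {"sendmail", "snmpd", "telnet", "finger", "chargen-stream",
                        "discard-stream", "vsftpd"}
# Generic system accounts that should be locked unless needed (assumed list).
SYSTEM_ACCOUNTS = {"daemon", "lp", "smtp"}

def parse_passwd(text):
    """Map user -> (uid, shell)."""
    users = {}
    for line in text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        users[name] = (int(uid), shell)
    return users

def parse_shadow(text):
    """Map user -> (hash field, max days between password changes)."""
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        entries[f[0]] = (f[1], int(f[4]) if f[4] else None)
    return entries

def parse_login_defs(text):
    return {k: int(v) for k, v in re.findall(r"^(PASS_\w+)\s+(\d+)", text, re.M)}

def remote_root_allowed(default_login):
    """Root is confined to the console only when an uncommented CONSOLE= line exists."""
    return not re.search(r"^CONSOLE=\S+", default_login, re.M)

def enabled_services(text):
    """Services on in runlevels 2-5, plus xinetd entries marked on."""
    on = set()
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(?:\d:(?:on|off)\s*)+$", line)
        if m and re.search(r"[2-5]:on", line):
            on.add(m.group(1))
        m = re.match(r"^\s+(\S+):\s+on$", line)
        if m:
            on.add(m.group(1))
    return on

def audit(passwd, shadow, login_defs, default_login, chkconfig, min_len=8, max_days=90):
    """Return finding strings; min_len/max_days are assumed thresholds, not the report's."""
    findings = []
    users = parse_passwd(passwd)
    for u in sorted(u for u, (uid, _) in users.items() if uid == 0 and u != "root"):
        findings.append(f"duplicate UID 0: {u}")
    shadow_entries = parse_shadow(shadow)
    for u in sorted(SYSTEM_ACCOUNTS & set(users)):
        hash_field, _ = shadow_entries.get(u, ("", None))
        if not (hash_field.startswith(("*", "!")) or users[u][1].endswith("nologin")):
            findings.append(f"system account not locked: {u}")
    defs = parse_login_defs(login_defs)
    if defs.get("PASS_MIN_LEN", 0) < min_len:
        findings.append(f"PASS_MIN_LEN {defs.get('PASS_MIN_LEN')} below {min_len}")
    if defs.get("PASS_MAX_DAYS", 99999) > max_days:
        findings.append(f"PASS_MAX_DAYS {defs.get('PASS_MAX_DAYS')} exceeds {max_days}")
    for u, (hash_field, md) in sorted(shadow_entries.items()):
        if md is not None and md > max_days and not hash_field.startswith(("*", "!")):
            findings.append(f"password never expires: {u}")
    if remote_root_allowed(default_login):
        findings.append("remote root login not restricted to the console")
    for svc in sorted(enabled_services(chkconfig) & UNNECESSARY_SERVICES):
        findings.append(f"unnecessary service enabled: {svc}")
    return findings

if __name__ == "__main__":
    for f in audit(PASSWD, SHADOW, LOGIN_DEFS, DEFAULT_LOGIN, CHKCONFIG):
        print("FINDING:", f)
```

Running the script against the samples reproduces each observation category from 2.1 and 2.2 (the duplicate UID 0 on the smtp account, unlocked generic accounts, a short minimum length, non-expiring passwords, unrestricted remote root and the SendMail, SNMP, Telnet and Finger services) as a list that can be diffed against the next review.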

2.3 Weak Windows Password Storage | Criticality: Low | Risk Type: Operational, Fraud

Observation:
A sample of X Windows servers and X workstations were analyzed and reviewed against <Company ABC’s>
information security policies and generally accepted industry standards. An insecure method of encrypting local
account passwords was identified on all X servers and X workstations reviewed. Specifically, the setting,
“Network security: Do not store LAN Manager hash value on next password change,” was not enabled on the
servers tested. With this setting disabled, passwords are stored locally in a legacy format (LAN Manager hash)
that is susceptible to modern password attacks.
Note: <Company ABC> utilizes Password Vault to generate, store and manage strong passwords for local
administrator accounts on Windows servers and workstations. Password Vault requires a password length of at
least 15 characters. When Windows passwords are longer than 14 characters, Microsoft Windows will, by
default, utilize strong encryption. This mitigates the risk of local administrator accounts being compromised but
does not apply to standard user accounts.
Risk:
The LAN Manager hash encryption method does not adequately protect the password value and could be
decrypted by a malicious individual with access to the hash within minutes. These local passwords may be
leveraged on other <Company ABC> systems in order to obtain unauthorized access to potentially sensitive
information.
Recommendation:
• Verify whether enabling the “Network security: Do not store LAN Manager hash value on next password
change,” will interrupt any communications with any legacy systems (e.g. Windows NT 4.0, Windows 95,
Linux’s Samba service).
• Enable the “Network security: Do not store LAN Manager hash value on next password change,” setting on
an Active Directory Group Policy and apply the policy to all Windows servers and workstations in the
<Company ABC> environment.
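
To show how observation 2.3 can be verified from a policy export rather than by inspecting each machine, the following Python check is an added example written for this edited copy (not code from the report, from <Company ABC> or from Microsoft). It parses the INI-style output of `secedit /export /cfg`, reads the NoLMHash registry value under HKLM\System\CurrentControlSet\Control\Lsa that backs the “Network security: Do not store LAN Manager hash value on next password change” setting, and reports whether the 15-character Password Vault minimum described above keeps vault-managed accounts out of LM storage (Windows does not compute an LM hash for passwords longer than 14 characters). The export below is a constructed sample.

```python
# Added example (not from the audit report): checks a `secedit /export /cfg` style
# export for the NoLMHash setting behind observation 2.3. The export is constructed.
import re

SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,3
[Version]
signature="$CHICAGO$"
Revision=1
"""

NOLMHASH_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"
LM_MAX_LENGTH = 14  # an LM hash is only computed for passwords of 14 characters or fewer

def parse_secedit(text):
    """Parse the INI-like export into {section: {key: value}}, keeping key case."""
    policy, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy[section] = {}
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            policy[section][key] = value
    return policy

def nolmhash_enabled(policy):
    """True if NoLMHash is set to 1, False if set to 0, None if the policy does not manage it."""
    value = policy.get("Registry Values", {}).get(NOLMHASH_KEY)
    if value is None:
        return None
    reg_type, _, data = value.partition(",")   # secedit stores "type,data"; 4 = REG_DWORD
    return reg_type == "4" and data == "1"

def lm_hash_possible(password_length):
    """Windows cannot compute an LM hash for passwords longer than 14 characters."""
    return password_length <= LM_MAX_LENGTH

def evaluate(export_text, vault_min_length=15):
    """Findings for observation 2.3; vault_min_length is the Password Vault minimum (15 per the report)."""
    policy = parse_secedit(export_text)
    user_min_length = int(policy.get("System Access", {}).get("MinimumPasswordLength", 0))
    state = nolmhash_enabled(policy)
    if state is True:
        return []
    findings = ["NoLMHash not enforced: " + ("set to 0" if state is False else "not managed by policy")]
    if lm_hash_possible(user_min_length):
        findings.append(f"standard user passwords may be as short as {user_min_length} characters "
                        "and will be stored as LM hashes")
    if not lm_hash_possible(vault_min_length):
        findings.append(f"vault-managed accounts ({vault_min_length}+ characters) cannot have an LM hash, "
                        "so only standard users are exposed")
    return findings

if __name__ == "__main__":
    for f in evaluate(SECEDIT_EXPORT):
        print("FINDING:", f)
```

The same parser can be pointed at the export of the Group Policy object after the recommended change is applied; once the value reads 4,1 the check returns no findings, which is the closure evidence for the observation.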

3. Virtualization Environment

3.1 Insecure ESX Configurations | Criticality: Medium | Risk Type: Operational, Fraud

Observation:
A sample of X virtual devices were analyzed and reviewed against generally accepted industry standards. The
following insecure configuration settings were identified:
• Password Settings: The X servers sampled were configured with default password settings, which did not
define the following:
– Password length
– Password complexity
– Password history
– Password lockout thresholds
– Password expiration thresholds
• MAC Address Spoofing: X servers sampled were not configured to prevent spoofing. Spoofing is a type of
attack in which a malicious user impersonates another device or user by forging network addresses. The
following configuration settings were identified:
– MAC Address Changes are accepted
– Forged Transmits are accepted

Note: <Company ABC> utilizes Password Vault to generate, store and manage strong passwords for privileged
accounts on ESX devices. This mitigates the risk of powerful administrator accounts being compromised but
does not apply to standard user accounts.
Risk:
Weak password requirements increase the risk of an unauthorized individual gaining access to the server
through brute force, eavesdropping, or other means. MAC address spoofing may allow an unauthorized
individual to bypass access control lists by allowing it to impersonate another computer.
Recommendation:
• Configure ESX password controls to align with the <Company ABC> Access Control standard and establish
a process to ensure that new and existing ESX devices align with the <Company ABC> Access Control
standard.
• Verify that the MAC Address Spoofing configurations identified are not required by applications that
interface with the ESX environment. If applicable, set MAC Address Changes and Forged Transmits to
‘reject’.

3.2 Incomplete ESX Logging | Criticality: Low | Risk Type: Fraud, Operational

Observation:
A sample of X virtual ESX devices were analyzed and reviewed against generally accepted industry standards.
Event logs generated by the ESX platform are not sent to a remote logging system and have not been
integrated into the existing log management process (LogLogic) on all X tested virtual devices.
Risk:
In the event of malicious activity or network security events, adequate security logs are essential to assist in the
identification of the intruder and the assessment of damage.
Recommendation:
Integrate ESX platform logs into the corporate logging solution (LogLogic) and ensure an established ESX
technical configuration baseline standard reflects this configuration.

4. Microsoft SQL and DB2 Databases

4.1 Insecure DB2 Configurations | Criticality: Medium | Risk Type: Operational, Fraud

Observation:
A sample of X DB2 databases were analyzed and reviewed against generally accepted industry standards. The
following insecure access control configurations were identified:
• DB Authentication: All X tested databases utilize the SERVER authentication type. The SERVER
authentication type sends the password and the username in clear text over the network.
• DB Permissions: All X tested databases have the IMPLICIT_SCHEMA authority granted to the PUBLIC
role. This value is assigned by default and indirectly allows the PUBLIC role access to create procedures
that can execute malicious code on the database and operating system.
Risk:

The SERVER authentication type transmits user credentials over the network in clear text, allowing a malicious
user to intercept these transmissions and obtain access to the server. Excessive DB2 permissions may allow a
malicious user to perform functions that are outside of their authority including accessing the database and
underlying operating system.
Recommendation:
• Configure all DB2 instances to use the SERVER_ENCRYPT authentication type so that authentication
credentials are not sent across the network in the clear. The authentication type is an instance (database
manager) configuration parameter and takes effect only after the instance is restarted.
• Unless it is required for a specific business purpose, revoke the IMPLICIT_SCHEMA authority from
PUBLIC.
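The following statements are added here as an illustration of how the two conditions in this observation can be verified and remediated; they are not part of the audit's working papers or of <Company ABC's> environment. They assume DB2 for Linux, UNIX and Windows version 9.x or later (where the SYSIBMADM administrative views and the SYSPROC.ADMIN_CMD procedure are available) and a session holding SYSADM authority, connected to the database under review.

```sql
-- Added illustration, not from the audit report. Assumes DB2 for LUW 9.x or later and a
-- session with SYSADM authority, connected to the database under review.

-- 1. Instance-level authentication type. SERVER means the user ID and password travel in
--    clear text; SERVER_ENCRYPT encrypts them before they leave the client.
SELECT NAME, VALUE, DEFERRED_VALUE
  FROM SYSIBMADM.DBMCFG
 WHERE NAME = 'authentication';

-- AUTHENTICATION is not an online parameter: the new setting appears in DEFERRED_VALUE and
-- takes effect only after db2stop / db2start. Test client connections (including any that are
-- cataloged with an explicit AUTHENTICATION SERVER) against a SERVER_ENCRYPT instance first.
CALL SYSPROC.ADMIN_CMD('UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT');

-- 2. Database-level authorities held by PUBLIC. IMPLSCHEMAAUTH = 'Y' is the CREATE DATABASE
--    default and is the condition reported above.
SELECT GRANTEE, GRANTEETYPE, IMPLSCHEMAAUTH, CONNECTAUTH, CREATETABAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC';

-- Revoke unless a documented business need exists. Afterwards a user without an existing
-- schema needs one created for them (CREATE SCHEMA ... AUTHORIZATION user) by an administrator.
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- Schemas that were already created implicitly keep the CREATEIN / ALTERIN / DROPIN privileges
-- DB2 granted to PUBLIC at creation; the revoke above does not undo them, so list and review them.
SELECT SCHEMANAME, CREATEINAUTH, ALTERINAUTH, DROPINAUTH
  FROM SYSCAT.SCHEMAAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND (CREATEINAUTH = 'Y' OR ALTERINAUTH = 'Y' OR DROPINAUTH = 'Y');

-- Re-run the first two queries to confirm: DEFERRED_VALUE = SERVER_ENCRYPT (VALUE after the
-- restart) and IMPLSCHEMAAUTH = 'N' for PUBLIC.
```

The last query matters in practice: revoking IMPLICIT_SCHEMA stops new schemas from being created by ordinary users, but every schema that was created implicitly before the change still lets PUBLIC create, alter and drop objects in it, so those grants have to be reviewed and revoked separately.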


4.2 Excessive SQL Server Permissions Low Risk Type: Operational, Fraud

Observation:
A sample of X SQL Server databases was analyzed and reviewed against <Company ABC’s> information
security policies and generally accepted industry standards. The following excessive permissions were
identified:
• SSIS Package Password: All user accounts on the X databases tested are granted access to the credentials
(login name and password) stored in SSIS packages. SSIS packages perform recurring database actions at
set intervals and can run either with Windows (domain) authentication or with a SQL Server login and
password. Access to this login and password could allow users to execute actions on the database and
the underlying operating system with the privileges of the package account.
• Unnecessary Stored Procedures: Users of the database are granted execute permission on X procedures,
including sp_replwritetovarbin and sp_add_SSISpackage. Execute permission on these procedures allows
users to run operating system commands from the database, giving a malicious user access to
functionality on the server.
Risk:
Excessive SQL Server configurations may allow a malicious user to perform functions that are outside of their
authority including accessing the database and underlying operating system.
Recommendation:
• Revoke permissions from the public database role on the following stored procedures:
− msdb.dbo.sp_enum_SSISpackages
− msdb.dbo.sp_get_SSISpackage
• Unless they are required for a specific business purpose, remove referenced permissions for unnecessary
stored procedures.
• Update the Information Asset Protection Technical standard for SQL Server documentation to reflect these
requirements.
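The following T-SQL is added as an illustration of how the grants described in this observation can be enumerated and removed; it is not part of the audit's working papers. It assumes SQL Server 2005 or later and a sysadmin login. The procedure names are those given in this finding and should be matched against the target instance's msdb catalog; sp_replwritetovarbin lives in master, so the enumeration query has to be run there as well.

```sql
-- Added illustration, not from the audit report. Assumes SQL Server 2005 or later and a
-- sysadmin login. Run it in msdb for the SSIS package procedures; run step 1 again in master
-- for sp_replwritetovarbin, which lives there. Procedure names are those given in the finding.
USE msdb;
GO

-- 1. Every explicit GRANT held by the public role on a stored procedure in the current
--    database. Every login mapped into the database is a member of public, so these
--    grants reach all users, which is the condition reported above.
SELECT o.name             AS procedure_name,
       o.type_desc,
       dp.permission_name,
       dp.state_desc
  FROM sys.database_permissions AS dp
  JOIN sys.objects              AS o ON o.object_id = dp.major_id
 WHERE dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
   AND dp.class_desc = 'OBJECT_OR_COLUMN'
   AND o.type IN ('P', 'X', 'PC')      -- SQL, extended and CLR stored procedures
   AND dp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
 ORDER BY o.name;
GO

-- 2. Remove public's EXECUTE on the two package procedures named in the recommendation.
--    REVOKE drops the explicit grant only; db_owner members and sysadmin logins keep access
--    through their role, which is the intended end state.
REVOKE EXECUTE ON OBJECT::dbo.sp_enum_SSISpackages FROM public;
REVOKE EXECUTE ON OBJECT::dbo.sp_get_SSISpackage   FROM public;
GO

-- 3. Remaining grantees on the package procedures, to be matched against a documented
--    business need. Extend the IN list as required for the other procedures in the finding.
SELECT o.name       AS procedure_name,
       pr.name      AS grantee,
       pr.type_desc AS grantee_type
  FROM sys.database_permissions AS dp
  JOIN sys.objects             AS o  ON o.object_id    = dp.major_id
  JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
 WHERE o.name IN ('sp_add_SSISpackage', 'sp_enum_SSISpackages', 'sp_get_SSISpackage')
   AND dp.permission_name = 'EXECUTE'
   AND dp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');
GO
```

Step 1 is the check to keep in the technical standard: it reports any procedure that public can execute, so a re-run after remediation (and on newly built instances) shows whether the condition has come back.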


4.3 Incomplete SQL Server Audit Logging Low Risk Type: Operational, Fraud

Observation:

A sample of X SQL Server databases was analyzed and reviewed against <Company ABC’s> information
security policies and generally accepted industry standards. While the login auditing setting that records failed
login attempts was enabled, the setting that records successful login attempts was not enabled on any of the
seven (7) tested SQL Server instances.
Risk:
Recording login attempts to the database, successful as well as failed, is what allows unauthorized access to
be detected (for example a successful login that follows a run of failures, or a service account logging in from
an unexpected host) and is the record needed to reconstruct an incident in which unauthorized access was
gained. Failed-login records alone do not show whether an attacker eventually got in.
Recommendation:
• Evaluate the extent to which recording successful login attempts would affect database performance and
log volume.
• Unless this will incur a significant impact on performance or capacity, configure each SQL Server instance to
record successful as well as failed login attempts. These logs should be stored locally as well as forwarded to
a remote log server, so that an attacker who gains control of the instance cannot erase the only copy.
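The following T-SQL is added as an illustration of how the login auditing setting can be checked and corrected and how the same events can be captured through SQL Server Audit; it is not part of the audit's working papers. It assumes a sysadmin login and SQL Server 2005 or later for the login auditing setting; the SQL Server Audit objects in step 3 require SQL Server 2008 or later (Enterprise Edition on 2008 and 2008 R2, any edition from 2012). The audit object names are placeholders.

```sql
-- Added illustration, not from the audit report. Assumes a sysadmin login and SQL Server 2005
-- or later (2008 or later for step 3). Object names LoginAudit / LoginAuditSpec are placeholders.

-- 1. Current "Login auditing" setting of the instance. config_value is one of
--    none, success, failure, all. The condition in the finding corresponds to 'failure'.
EXEC master.dbo.xp_loginconfig 'audit level';

-- 2. Record both successful and failed logins. The value is stored in the instance registry
--    hive (0 = none, 1 = success, 2 = failure, 3 = both) and takes effect after the SQL Server
--    service is restarted. Events are written to the ERRORLOG and the Windows Application log,
--    which is what the log collector forwards to the remote log server.
EXEC master.dbo.xp_instance_regwrite
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     REG_DWORD,
     3;
GO

-- 3. SQL Server Audit capturing the same events to the Application log. Unlike the ERRORLOG,
--    an audit can be filtered and its state is visible in the catalog, so an unexpected STATE = OFF
--    is itself a detectable event.
CREATE SERVER AUDIT LoginAudit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);
GO
CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO

-- 4. Confirm the audit is running; status_desc should read STARTED.
SELECT name, status_desc, status_time
  FROM sys.dm_server_audit_status;
GO
```

Step 1 is the quick check for the performance evaluation the recommendation asks for: enable it on one instance, watch ERRORLOG growth for a representative period, and only then roll the setting into the technical standard.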

5. Security Architecture and Remote Access

5.1 Insecure Network Device Configuration Low Risk Type: Operational

Observation:
A sample of X network devices were analyzed and reviewed against <Company ABC’s> information security
policies and generally accepted industry standards. The following insecure configuration settings were
identified:
• Insecure Services Enabled: Telnet is enabled on X of X network devices tested. Telnet is used to remotely
access the system console and perform management tasks, and it carries the whole session, including the login
credentials, unencrypted.
• Bootstrap Protocol (BOOTP) Server Enabled: The BOOTP server was enabled on X network device(s).
BOOTP allows routers and computers to download their network configuration data and other software from
a centrally maintained server upon startup.
• Proxy ARP Enabled: Proxy ARP (Address Resolution Protocol) was enabled on X network device(s). Proxy
ARP is a technique by which a device answers ARP queries (by supplying its own MAC address) for a network
address that is outside of the local network, so that hosts reach remote addresses through it.
• CDP Enabled: The Cisco Discovery Protocol (CDP) service was enabled on X network device(s). CDP
advertises and collects the protocol addresses, platform and software version of directly connected Cisco
devices.
According to <Company ABC’s> Information Asset Protection Technical Standard for Internal Cisco IOS and
Cat OS Network Devices, Telnet, BOOTP, Proxy ARPs and CDP are specifically required to be disabled unless
an explicit business requirement exists.
Risk:
The Telnet protocol transmits user credentials over the network in clear text, allowing a malicious user to
intercept these transmissions and obtain access to the network devices. BOOTP, Proxy ARPs and CDP
services identified can be used to gain more information about the structure of the internal network, which can
be used by a malicious user attempting to gain unauthorized access or perform malicious activities.
Recommendation:
• Consider upgrading to a version of Cisco IOS that provides SSH for remote management, then restrict the
VTY lines to SSH so that Telnet is no longer accepted.

• Disable the BOOTP, Proxy ARP and CDP service on the referenced devices. If they are required for specific
business purposes, restrict access to the appropriate individuals.

6. Smartphone Devices

6.1 Personal Smartphone Encryption Controls Medium Risk Type: Operational, Reputation

Observation:
Audit reviewed and analyzed all X Mobile configuration policies used to centrally manage smartphones
attached to the <Company ABC> environment. The Mobile “Personal Device Policy” is X of the X policies and
was established for users who purchased their own smartphones and requested to connect to
<Company ABC’s> messaging services. This policy does not enforce encryption on either local or removable
device storage.
At the time of the audit, the Personal Device Policy was applied to only X users out of approximately X total
users. Prior to connecting personal devices to <Company ABC’s> messaging environment, users must obtain
approval from their immediate manager and IT senior management.
Risk:
In the event that a smartphone configured with the ‘Personal Device Policy’ is lost or stolen, the data on the
device and on any removable storage can be read in clear text. These devices connect to <Company ABC>
messaging services and could contain sensitive information.
Recommendation:
• Configure the Personal Device Policy to encrypt both local and removable storage.
• Push the updated Personal Device Policy to all applicable smart phone devices.
• Document a Mobile policy standard that records all security configurations that should be enabled on smart
phone devices, including the encryption of all local and removable storage.

7. External Penetration Assessment

7.1 Technical Information Disclosure Low Risk Type: Operational, Reputation

Observation:
Audit performed a vulnerability assessment of <Company ABC’s> public, external-facing network
components. The following technical information disclosure issues were identified:
• Internal Internet Protocol (IP) Address Disclosure: X externally facing IP addresses returned an internal IP
address in the response when a specially crafted request was issued to the web server.
• Detailed .NET Error Message: Detailed .NET error messages were returned by X externally facing IP
addresses. Such messages reveal details of the application (framework version, stack traces, file paths) that
are typically an attacker's first stepping stone toward a working attack.
Risk:
Unnecessary information disclosure assists an attacker in enumerating and identifying <Company ABC’s>
external and internal network infrastructure. While these issues do not pose a significant risk by themselves,
they help an attacker map the environment and its internal systems as a precursor to a more targeted attack.
Recommendation:
• Ensure the string option in the Cisco CSS load balancer service is set to a value (other than blank/null) to
prevent the disclosure of internal IP addresses.
• Configure the .NET application so that verbose error messages are not displayed to remote users (the
customErrors element in web.config, with mode set to On or RemoteOnly).
• Redirect errors to a generic application error page or to a global error handler page, and keep the detailed
error information in server-side logs only.

APPENDIX A – CRITICALITY RATING DEFINITIONS
Observations made during this audit have been identified with one of the following risk levels. Each risk level
indicates the significance and likelihood of specific risk types in the <Company ABC> environment. This audit can
be used by management as a tool to determine how quickly attention should be given to each observation
provided within this report.

Each vulnerability or risk identified has been labeled with a particular significance rating of high, medium or low
risk levels, defined as follows:

Risk Level Significance

● High: High-priority observations should be addressed in an expedited manner. While mitigating
controls may exist, these issues present an increased level of risk associated with the
protection and safeguarding of confidential and sensitive information and should be
addressed as soon as possible.

● Medium: Medium-priority observations should be noted and implemented later but may not pose a
real threat to the network and connected systems at this time.

● Low: Low-priority observations are system configurations, cultural issues and technical process-
related items observed throughout this review. These items are included to help <Company
ABC> improve technical processes and assist in defining its long-term strategy.

APPENDIX B – RISK TYPE DEFINITIONS

Based on the risk audit, four risks potentially impacting <Company ABC> were identified: Compliance, Fraud,
Operations and Reputation. <Company ABC> identified a number of significant observations and correlated
them to the respective risks.

The diagram identifies the level of significance and likelihood of each risk type in the <Company ABC>
environment. Descriptions of each risk type, with example observations, have been defined:

[Diagram not reproduced in the text extraction: the four risk types (Compliance, Fraud, Operations,
Reputation) plotted by significance and likelihood]

Compliance Risk refers to the risk of not complying with internal <Company ABC> policies and procedures, laws
and regulations, or policyholder agreements, resulting in lower quality, loss of reputation, litigation/claims,
higher production costs, lost revenues, unnecessary penalties/fines, etc. An example of an issue that poses
compliance risk would be emailing sensitive information in violation of a specific regulation, such as the Health
Insurance Portability and Accountability Act.
Fraud Risk refers to fraudulent activities perpetrated by associates or third parties against <Company ABC> for
personal gain (e.g., misappropriation of financial or information assets) which expose the company to financial
and/or reputational loss. An example of an issue that poses fraud risk would be the lack of dual approval prior to
paying an invoice to a vendor.
Operations Risk refers to the risk that operations are inefficient and ineffective in executing <Company ABC’s>
objective to satisfy policyholders and agents while achieving quality, cost and performance targets. An example
of an issue that poses operational risk would be ineffective controls for quickly recovering a critical application
that has failed.
Reputation Risk refers to the risk that <Company ABC> may lose policyholders, key associates or its ability to
compete due to perceptions that the company’s business practices, processes or environment are not secure,
potentially permitting confidential information to be leaked or fraudulent activity to occur. An example of an issue
that poses reputational risk would be practices a company is engaged in that could be perceived by the public as
not environmentally sound.

APPENDIX C – SUPPORTING DOCUMENTATION
The chart below maps each phase of the audit with the appropriate supporting documentation. Each technology
area’s detailed observations will map directly to a supporting document in the respective section.

Supporting Documentation

Technology Area Document(s)

General Observations <Document Name>

Microsoft Windows and UNIX Platforms <Document Name>

Virtualization Environment <Document Name>

Microsoft SQL and DB2 Databases <Document Name>

Security Architecture and Remote Access <Document Name>

Smartphone Devices <Document Name>

External Penetration Assessment <Document Name>

APPENDIX D – ACKNOWLEDGEMENTS
<Company ABC> Internal Audit would like to thank all personnel who provided assistance during this project,
including:

<Name, Designation>

<Name, Designation>

<Name, Designation>

<Name, Designation>

<Name, Designation>
