
INFORMATION SECURITY

AUDIT REPORT AUDIT 03-0182

LEFTHAND SOFTWARE, INC.

October 1, 2006

Prepared by: PHNG Consulting, Inc.


Table of Contents

EXECUTIVE SUMMARY (p. 3)
OBSERVATIONS AND RECOMMENDATIONS (p. 5)
    CREATE NETWORK DEMILITARIZED ZONE (DMZ) (p. 5)
    HARDEN INTERNET AVAILABLE SERVICES (p. 5)
    CREATE EXTERNAL MAIL HANDLER (p. 6)
    IMPLEMENT LOGGING/AUDITING (p. 7)
    IMPLEMENT SUBNETS FOR ACCESS CONTROL (p. 7)
    IMPLEMENT NETWORK ADDRESS TRANSLATION (NAT) (p. 8)
    FILTER OUTBOUND TRAFFIC (p. 8)
    CREATE A MANAGEMENT NETWORK (p. 9)
    IMPLEMENT INTRUSION DETECTION SYSTEMS (IDS) (p. 10)
    IMPLEMENT SPLIT DOMAIN NAME SERVICE (DNS) (p. 11)
    CREATE CONFIGURATION MANAGEMENT GUIDELINES FOR CLIENTS (p. 11)
    DEFEND NETWORK AGAINST SPOOFING (p. 12)
    STANDARDIZE AND DEPLOY HOST BASED FIREWALLS ON CLIENT AND SERVER SYSTEMS (p. 12)
    IMPLEMENT SERVICE AVAILABILITY MONITORING SYSTEMS (p. 13)
    IMPLEMENT TRAINING AND EDUCATION FOR ADMINISTRATION STAFF (p. 13)

2 of 14
LEFTHAND SOFTWARE
INFORMATION SECURITY AUDIT
PITTSBURGH, PENNSYLVANIA

EXECUTIVE SUMMARY

INTRODUCTION
LeftHand Software is a supplier of software and consulting services, primarily to defense sector organizations such as the Department of the Army, the Department of the Navy, and numerous defense contractors. LeftHand Software has been in litigation with former employees and customers whose personal and sensitive corporate information was leaked after security incidents and breaches within LeftHand's network. The payouts resulting from the settlement of these lawsuits have caused LeftHand to file for bankruptcy protection. This information assurance audit verifies that LeftHand Software has taken appropriate steps to secure its network, and identifies gaps in compliance with its newly established information security policy.

OBJECTIVES
The objective of this information security audit was to identify possible gaps in the information security posture of LeftHand Software, and to recommend high-level implementation considerations to bring the network and computing infrastructure into compliance with the bankruptcy court orders and LeftHand's information security policy. The following areas were considered during the audit:
• Information systems and the controls in place to restrict access to the information contained within those systems
• Defensive posture with respect to the Internet and other external connections
• Survivability issues within the enterprise

RESULTS OF AUDIT
The information security audit revealed a number of serious network and infrastructure concerns which need to be addressed immediately by the administrators within LeftHand Software. The overall security administration capabilities of LeftHand Software are constrained by resources and experience, but should focus in the immediate future on the following areas: (1) creation of a DMZ, (2) hardening of Internet services (mail, DNS, web, etc.), (3) adding an external mail handler, (4) logging and auditing systems on the network, (5) creation of subnets to create access control points, (6) deployment of ingress/egress filtering, (7) creation of a management network for administration tasks, (8) implementation of an IDS, (9) deployment of integrity checking applications, (10) creation of configuration management and change control guidelines, (11) implementing anti-sniffer procedures, (12) implementing VPNs to remote locations, and (13) creation of a training and education program for administrative staff.

RECOMMENDATIONS
This report provides high-level recommendations that will help LeftHand Software to improve its information security posture in the areas cited above. In some cases, the CEO has been advised about immediate actions and tasks which can significantly change the network's security with little resource utilization.

OBSERVATIONS AND RECOMMENDATIONS

CREATE NETWORK DEMILITARIZED ZONE (DMZ)
The LeftHand Software network has one router between the Internet and the enterprise. This router filters inbound traffic, but the enterprise network is one large, flat network. Publicly available services (such as mail and web) reside on the same network as the traditionally 'protected' network: file servers, client systems, etc. This strategy is ineffective in managing inbound connections to the externally available services and is risky for systems which should not be reachable from the Internet at all.

The creation of a DMZ, with publicly available services located in a separate network from the protected network, will allow for greater control of inbound connections and will lead to a greater level of security for systems on the 'protected' network.

Recommendation 1
LeftHand Software should implement a DMZ with appropriate packet filtering and routing software on its Internet-facing router. Ingress filtering (dropping inbound packets from the Internet whose source address belongs to a host on the local network) should be implemented as well.

Management’s Response
In the interest of time and ease of administration, LeftHand Software had forgone a DMZ in the past. As more services are now available to the public through the Internet connection, the creation of a DMZ is a task which will be accomplished for the LeftHand Software network.

HARDEN INTERNET AVAILABLE SERVICES
The hosts which offer many of the Internet-available services have not been sufficiently hardened and secured to minimize exposure to information security risks from the Internet. These exposures include the presence of additional services (e.g., IIS and other web servers) on hosts which are not meant to perform that specific function; poor password and user account administration; and weak default settings.

Recommendation 2
Many specifics will be discussed in further detail in the remainder of this report, but all hosts offering services which are available to the Internet must go through the following hardening and securing steps:
• Minimization of services: reduction of the services running on a specific host to the minimum essential for that host to offer its intended services
• Access controls: creating rules which allow access to specific services from appropriate clients (e.g., only DNS traffic to the DNS server) and block all other access attempts
• Hardening of services: tools which identify vulnerable configurations or unpatched services and operating systems should be used regularly to evaluate the security of the host and service

Management’s Response
Tools which evaluate security posture will be run regularly and processes for these will be developed; all servers will be sufficiently hardened to ensure no unneeded services are running; operating systems will be patched, as will applications.

CREATE EXTERNAL MAIL HANDLER
In the current configuration, all inbound mail for users on the LeftHand Software mail server comes directly through the router and into the protected network. These messages are not checked for viruses or other malicious code, nor are they filtered for spam. This places the entire burden of anti-virus work on the end user's client system. This is an unacceptable practice, as multi-tiered virus checking has proven to be far more effective in detecting and managing viruses.

An external mail handler, or relay, can be configured to offer a 'safe house' for virus and spam testing, reviewing all mail inbound to the LeftHand Software network from the DMZ. This allows for containment of malicious code before it gets to the protected network, and can filter out unsolicited commercial e-mail before it reaches that network as well. This mail handler should inspect the inbound e-mail traffic and then forward those messages which pass the virus and spam tests on to the Exchange server within the protected network, where the end users would then access the messages.

Recommendation 3
Create a mail handler in the DMZ to filter spam and viruses, and forward clean mail to the Exchange server in the protected network.

Management’s Response
LeftHand Software will implement an external mail handler, located in the DMZ, and will run appropriate filtering tools on all inbound mail.

IMPLEMENT LOGGING/AUDITING
The current configuration of LeftHand Software does not include logging or log file analysis. Given the wealth of security information an administrator can gain from log file analysis, and how useful log files prove to be in the event of a security incident, the current state of logging and auditing is unacceptable. Logs are not maintained on the firewall, on the individual hosts providing services, or on any other network infrastructure system.

The LeftHand Software network must provide the capability for logging on the following systems to be in compliance with directives: the external firewall (logging of dropped packets, both inbound and outbound); the domain controller (logging of failed login attempts and of attempts to access information by unauthorized individuals); and other potential policy violations (such as su to root attempts on Linux systems, etc.).
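The following illustration has been added to this report and is not part of the original audit or of any LeftHand Software system. It shows the log review the paragraph above asks for, run over a constructed syslog extract covering the three event classes named: failed login attempts (here from sshd), su to root attempts, and dropped packets logged by the firewall. The log line formats (Linux syslog, sshd, su and iptables-style DROP messages), the host names and the addresses are assumptions made for the example.

```python
"""Log review over constructed syslog lines: failed-login bursts, su-to-root
activity and firewall drops. Added illustration, not from the original audit;
the line formats are the common Linux syslog/sshd/su/iptables style (assumed).
"""
import re
from collections import Counter, defaultdict

# Constructed sample log; no real LeftHand data.
SAMPLE_LOG = """\
Oct  1 08:02:11 dc1 sshd[1201]: Failed password for admin from 192.168.10.44 port 51022 ssh2
Oct  1 08:02:14 dc1 sshd[1201]: Failed password for admin from 192.168.10.44 port 51023 ssh2
Oct  1 08:02:17 dc1 sshd[1201]: Failed password for root from 192.168.10.44 port 51024 ssh2
Oct  1 08:02:20 dc1 sshd[1201]: Failed password for invalid user backup from 192.168.10.44 port 51025 ssh2
Oct  1 08:02:23 dc1 sshd[1201]: Failed password for admin from 192.168.10.44 port 51026 ssh2
Oct  1 08:03:02 dc1 sshd[1290]: Failed password for jsmith from 192.168.10.17 port 40101 ssh2
Oct  1 08:05:40 dc1 sshd[1330]: Accepted password for jsmith from 192.168.10.17 port 40110 ssh2
Oct  1 08:07:02 web1 su[2211]: FAILED SU (to root) jsmith on /dev/pts/1
Oct  1 08:07:09 web1 su[2213]: + /dev/pts/1 jsmith:root
Oct  1 08:10:55 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=23
Oct  1 08:11:01 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=22
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SU_FAIL_RE = re.compile(r"FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+)")
SU_OK_RE = re.compile(r"\+ \S+ (?P<user>[^:]+):(?P<target>\S+)")
FW_DROP_RE = re.compile(r"DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)")


def parse_line(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, failed_threshold=4):
    """Return findings: brute-force sources, su-to-root events, firewall drops.

    failed_threshold is the number of failed logins from one source address at
    which it is reported; a real deployment would also bound this by time window.
    """
    failed_by_src = Counter()
    failed_users = defaultdict(set)
    su_root = []
    fw_drops = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: a real tool would count these too
        msg = rec["msg"]
        if rec["prog"] == "sshd":
            m = FAILED_RE.search(msg)
            if m:
                failed_by_src[m["src"]] += 1
                failed_users[m["src"]].add(m["user"])
        elif rec["prog"] == "su":
            m = SU_FAIL_RE.search(msg)
            if m and m["target"] == "root":
                su_root.append({"ts": rec["ts"], "host": rec["host"], "user": m["user"], "outcome": "failed"})
            m = SU_OK_RE.search(msg)
            if m and m["target"] == "root":
                su_root.append({"ts": rec["ts"], "host": rec["host"], "user": m["user"], "outcome": "success"})
        elif rec["prog"] == "kernel":
            m = FW_DROP_RE.search(msg)
            if m:
                fw_drops[m["src"]] += 1
    brute_force = {src: {"count": n, "users": sorted(failed_users[src])}
                   for src, n in failed_by_src.items() if n >= failed_threshold}
    return {"brute_force": brute_force, "su_root": su_root, "fw_drops": dict(fw_drops)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, info in report["brute_force"].items():
        print("ALERT failed logins from %s: %d attempts, users %s" % (src, info["count"], info["users"]))
    for ev in report["su_root"]:
        print("ALERT su to root %s by %s on %s at %s" % (ev["outcome"], ev["user"], ev["host"], ev["ts"]))
    for src, n in report["fw_drops"].items():
        print("INFO firewall dropped %d packet(s) from %s" % (n, src))
```

Every su to root event is reported, successful or not, because a successful escalation by a user who has no business being root is the case the audit is concerned with; the failed-login count is the simplest form of the "early warning" Recommendation 4 asks for.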

Recommendation 4
LeftHand Software should implement logging and auditing capabilities on all servers and other infrastructure equipment, which will provide forensic capabilities and act as an early warning system, alerting the administrators to potential security problems.

Management’s Response
LeftHand Software will implement logging and auditing capabilities within the enterprise to comply with all audit requirements.

IMPLEMENT SUBNETS FOR ACCESS CONTROL
As previously mentioned, the LeftHand Software enterprise is a large, flat network. This flat network limits the ability of administrators to implement access controls: they can only be applied to individual hosts rather than managed by subnet. Implementing subnets on the internal network will allow the administrators to manage access control lists in a greater number of places within the network, and will limit the portions of the network to which an insider would have access for packet sniffing.

Recommendation 5
Implement one subnet for the end users, one for data-center services (mail, internal DNS, intranet, etc.), and a third as a management subnet, to be described in more detail later. Implement strong access control procedures between these networks.

Management’s Response
LeftHand Software will install and configure a router on the internal network to establish 3 subnets, and will manage access controls closely on each of these subnets.

IMPLEMENT NETWORK ADDRESS TRANSLATION (NAT)
The current network configuration of LeftHand Software, which has a public Class C address block, assigns public IP addresses to all of the systems in the enterprise. This addressing scheme, coupled with the vulnerabilities in the LeftHand Software infrastructure already mentioned, is a security risk: every internal host has a globally routable address. The enterprise should take advantage of private address space (RFC 1918) within the internal subnets. The implementation of NAT, along with a Dynamic Host Configuration Protocol (DHCP) server, will ease the administrative overhead associated with managing the IP space for the enterprise as the number of systems grows, and will add a layer of separation for the systems behind the NAT device. NAT is not a substitute for the packet filtering discussed elsewhere in this report; those rules must remain in place.

Recommendation 6
Implement a host on the client network, and possibly the management network, which provides NAT and DHCP. Use private IP space for both the client network and the management network.

Management’s Response
LeftHand Software will implement the required hosts to support NAT and DHCP on the client and management networks.

FILTER OUTBOUND TRAFFIC
The packet filtering router which connects the enterprise to the Internet is configured to allow only specified ports on specific protocols (as inbound connections) through into the protected network. There are currently no rules blocking any outbound traffic leaving the enterprise for the Internet. Failure to have these filtering rules in place is a poor security practice, and should be addressed by LeftHand Software.

Recommendation 7
Implement filtering rules on outbound traffic which drop the following:
• Packets destined for the Internet with a source address which is not part of the LeftHand Software enterprise (egress filtering)
• Packets destined for the Internet which use insecure protocols (telnet, rlogin, etc.)
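The following illustration has been added to this report and is not part of the original audit or of LeftHand's router configuration. It models the ingress anti-spoofing rule of Recommendation 1 and the two egress rules of Recommendation 7 as a packet-by-packet decision, so both directions can be checked against the same sample traffic; the egress check also catches an untranslated RFC 1918 address leaking past the NAT device of Recommendation 6. The 203.0.113.0/24 block standing in for LeftHand's public Class C, the sample packets and the port numbers for telnet (23) and rlogin (513) are assumptions made for the example.

```python
"""Border-router filtering decisions: ingress anti-spoofing (Recommendation 1)
and egress filtering plus insecure-protocol blocking (Recommendation 7).
Added illustration, not part of the original audit. 203.0.113.0/24 is a
documentation prefix standing in for the enterprise's public Class C.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Assumed public address block of the enterprise (hypothetical stand-in).
ENTERPRISE_NET = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private space: never a legitimate source address on the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Cleartext protocols the report names as insecure, keyed by TCP port.
INSECURE_TCP_PORTS = {23: "telnet", 513: "rlogin"}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving towards it
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # destination port (tcp/udp only)


def is_private(addr) -> bool:
    return any(addr in net for net in PRIVATE_NETS)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet at the border router.

    Only the anti-spoofing and protocol rules from the report are modelled; the
    per-service inbound allow list (mail, web, DNS into the DMZ) is out of scope.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        # Ingress filtering: a packet from the Internet cannot legitimately carry
        # an enterprise source address; it is someone spoofing an insider.
        if src in ENTERPRISE_NET:
            return "drop", "ingress: spoofed enterprise source %s" % src
        if is_private(src):
            return "drop", "ingress: private (RFC 1918) source %s" % src
        return "accept", "ingress: anti-spoofing checks passed"
    if pkt.direction == "out":
        # Egress filtering: anything leaving must carry an enterprise source.
        # This also catches RFC 1918 addresses that slipped past NAT.
        if src not in ENTERPRISE_NET:
            return "drop", "egress: source %s not in enterprise space" % src
        # Block cleartext administrative protocols towards the Internet.
        if pkt.proto == "tcp" and pkt.dport in INSECURE_TCP_PORTS:
            return "drop", "egress: insecure protocol %s" % INSECURE_TCP_PORTS[pkt.dport]
        return "accept", "egress: ok"
    raise ValueError("direction must be 'in' or 'out'")


def apply_policy(packets):
    """Run the policy over a list of packets; returns [(packet, verdict, reason)]."""
    return [(p,) + filter_packet(p) for p in packets]


# Constructed sample traffic (not a capture from LeftHand's network).
SAMPLE_PACKETS = [
    Packet("in",  "198.51.100.9", "203.0.113.10", "tcp", 25),   # legitimate inbound SMTP
    Packet("in",  "203.0.113.7",  "203.0.113.10", "tcp", 25),   # spoofed insider source
    Packet("in",  "10.1.2.3",     "203.0.113.10", "udp", 53),   # private source from outside
    Packet("out", "203.0.113.20", "198.51.100.9", "tcp", 443),  # legitimate outbound HTTPS
    Packet("out", "203.0.113.20", "198.51.100.9", "tcp", 23),   # outbound telnet
    Packet("out", "192.168.1.5",  "198.51.100.9", "tcp", 80),   # NAT leak or spoofed source
]

if __name__ == "__main__":
    for pkt, verdict, reason in apply_policy(SAMPLE_PACKETS):
        print("%-6s %-3s %-15s -> %-15s %s" % (verdict, pkt.direction, pkt.src, pkt.dst, reason))
```

The egress rule is deliberately stated as "source must be in the enterprise block" rather than "source must not be private": after the NAT of Recommendation 6 is in place, only the translated public addresses should ever appear on the outside interface, and a positive check does not need updating when new private ranges are introduced internally.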

Management’s Response
LeftHand Software will implement filtering rules on the external firewall which block common spoofing attacks, and will also block outbound connections for protocols which have been deemed to be insecure or high risk.

CREATE A MANAGEMENT NETWORK
Currently, all administration of all of the infrastructure systems within the enterprise is done from hosts on the client network. Because of the nature of the network architecture, all management traffic is currently subject to packet capture by insiders who may want to view administration traffic. This configuration allows any insider to do so, and also to spoof administrative address information. As such, using access controls to limit this type of packet capture and spoofing is ineffective.

Creating a separate management subnet will give administrators a safe place from which they can perform system administration tasks without users on the client subnet being able to easily sniff their traffic, and will also guard against users being able to spoof traffic from administrative systems. The management network should only allow secure shell (SSH, TCP port 22) packets from the client network into it, and should have full access to the hosts within the service network for administrative purposes.

Additionally, traffic from hosts which generate log files to the log server, which should be located within the management network, should be encrypted.

Recommendation 8
Create a management network, allowing only appropriate management traffic from the client network to access the management network, to limit the possibility of administrators having their administration packets sniffed and/or spoofed. Encrypt log data from hosts to the syslog server.

Management’s Response
The administrators of LeftHand Software had not previously considered a management network because of the unlikelihood of an insider performing any type of attack against our infrastructure. However, given the requirement for a management network and its recommendation in this audit, LeftHand Software will create and maintain a management network for the purpose of managing the infrastructure systems.

IMPLEMENT INTRUSION DETECTION SYSTEMS (IDS)
LeftHand Software currently has no means to detect network anomalies, other than auditing a small number of systems which produce log files (see Recommendation 4 for logging). Given the increase in traffic to and from the Internet and the growing number of infrastructure systems and people on the LeftHand Software enterprise, it is imperative that some form of incident or intrusion detection system be deployed within the enterprise. These systems should come in a number of forms, which include:
• Signature-based intrusion detection systems. These systems, like Snort and a variety of other IDS, use signatures to determine if the packets they are inspecting may be malicious, and write logs and create alerts based on their inspection of every packet on the network. These systems can offer a great deal of information about the enterprise they monitor, in real time as well as for forensic purposes. The logs from these traditional IDS should be periodically reviewed, and special alerting processes should be put into place for potentially dangerous traffic identified by the IDS.
• Integrity checking. Tools exist which take cryptographic checksums of specific files or directories and alert administrators when the contents of the file/directory have been modified. This process is not effective for checking files which are modified regularly (such as an online database), but is very effective at monitoring files which do not change frequently (such as static web pages and system files). The administrators can configure these integrity checking systems to alert them in the event a critical file is modified.

Recommendation 9
LeftHand Software should implement signature-based intrusion detection systems within the DMZ and inside the client network. The critical infrastructure systems should also have integrity checking software configured to test system and critical static files.

Management’s Response
LeftHand Software will deploy IDS as prescribed by this audit, and will implement integrity checking on information on critical systems within the enterprise.

IMPLEMENT SPLIT DOMAIN NAME SERVICE (DNS)
The current DNS configuration for LeftHand Software uses one zone file for the entire enterprise (both externally available services and internal hosts). This configuration is considered poor from a security perspective, and should be modified to include two distinct DNS hosts: one which is publicly available in the DMZ, and one which does host name resolution inside the protected network. The zone file on the externally available DNS host should not contain any information about hosts on the internal network. The internal DNS host should not be reachable by queries from the Internet.
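The following illustration has been added to this report and is not part of the original audit or of LeftHand's DNS configuration. It is the check an administrator would run on the external zone file once the zones are split: every A record published externally must point into the DMZ address range, so any record with a private (RFC 1918) address, or with a public address outside the DMZ (the situation before NAT, when internal hosts still carry public addresses), is internal information that has leaked into the public zone. The BIND-style zone text, the lefthand.example names and the 203.0.113.0/28 DMZ range are assumptions made for the example.

```python
"""Audit an externally published zone file for records that belong only in the
internal zone (split DNS). Added illustration, not from the original audit.
Assumptions: BIND-style zone text; the DMZ range is 203.0.113.0/28 (a
documentation prefix used as a hypothetical stand-in).
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed external zone. The last three records are the kind of internal
# host information that must not be published.
EXTERNAL_ZONE = """\
$ORIGIN lefthand.example.
$TTL 3600
@         IN  SOA  ns1.lefthand.example. hostmaster.lefthand.example. (
                   2006100101 ; serial
                   3600 900 604800 300 )
@         IN  NS   ns1.lefthand.example.
@         IN  MX   10 mail.lefthand.example.
ns1       IN  A    203.0.113.2
www       IN  A    203.0.113.10
mail      IN  A    203.0.113.11
intranet  IN  A    203.0.113.60   ; internal web server, public address
fileserv  IN  A    192.168.1.20   ; internal file server, private address
dc1  3600 IN  A    192.168.1.5    ; domain controller, explicit TTL
"""


def parse_address_records(zone_text):
    """Yield (owner, ip) for each A/AAAA record; skips directives, comments, SOA."""
    owner = "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        # A line that starts in column one names a new owner; an indented line
        # (SOA continuation, or a record reusing the previous owner) does not.
        if not raw[0].isspace():
            owner = tokens[0]
            tokens = tokens[1:]
        for i, tok in enumerate(tokens):
            if tok in ("A", "AAAA") and i + 1 < len(tokens):
                try:
                    yield owner, ipaddress.ip_address(tokens[i + 1])
                except ValueError:
                    pass
                break


def audit_external_zone(zone_text, dmz_nets):
    """Return [(owner, ip, reason)] for records that must not be in the external zone."""
    allowed = [ipaddress.ip_network(n) for n in dmz_nets]
    findings = []
    for owner, ip in parse_address_records(zone_text):
        if any(ip in net for net in PRIVATE_NETS):
            findings.append((owner, str(ip), "private (RFC 1918) address published externally"))
        elif not any(ip in net for net in allowed):
            findings.append((owner, str(ip), "address outside the DMZ range"))
    return findings


if __name__ == "__main__":
    for owner, ip, reason in audit_external_zone(EXTERNAL_ZONE, ["203.0.113.0/28"]):
        print("%-10s %-15s %s" % (owner, ip, reason))
```

Checking against the DMZ range rather than only against RFC 1918 space matters for LeftHand specifically: until NAT is in place (Recommendation 6), internal hosts carry public addresses, and a private-address check alone would pass the intranet record above.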

Recommendation 10
Deploy an external DNS in the DMZ, which resolves publicly available services for Internet users. Deploy an internal DNS which resolves hostnames on the local network for local users.

Management’s Response
LeftHand Software relied on the DNS provided by the host organization before that unit departed from Fort Pitt, and has not had the opportunity to develop and deploy a second DNS. LeftHand Software will now create split DNS, having one DNS externally available to users on the Internet and one available for internal users.

CREATE CONFIGURATION MANAGEMENT GUIDELINES FOR CLIENTS
There are currently no guidelines for LeftHand Software users documenting what hardware and software is acceptable for installation and use on computer systems which are connected to the enterprise. Additionally, there is no standard for operating systems or for the configuration of those operating systems. Because of this lack of standardization, many different configurations exist on end-user systems within the enterprise. This can become a problem for administration, and can also lead to vulnerabilities due to unknown and/or insecure software being installed on the network systems.

A process for configuration management, as well as some technical safeguards, should be put into place to manage the security risks on the LeftHand Software network. The process should include a configuration management and control board, tasked with establishing a baseline for client systems on the enterprise and then creating a process for approving all requests for hardware/software additions or exceptions to the current policy. The technical management should be handled by creating security templates and/or using configuration management software, such as Systems Management Server (SMS).

Recommendation 11
Create a configuration baseline for the systems on the LeftHand Software network. Manage this baseline with technical solutions. Create a process for managing exceptions/additions to the current baseline, in concert with creating a management oversight board which will manage the overall configuration control process.

Management’s Response
LeftHand Software will create a management oversight council to determine configuration management guidelines and baselines, and will implement configuration control processes and technical solutions consistent with the recommendations in this audit report.

DEFEND NETWORK AGAINST SPOOFING
Without investing significant resources into creating a new architecture for LeftHand Software, it is not possible to stop insiders from being able to spoof traffic on the local network. This is a security problem which needs to be dealt with by LeftHand Software.

To identify users who may be spoofing their IP or Ethernet (MAC) address on the network, it is possible to run a tool called Arpwatch. Arpwatch monitors Ethernet activity, keeps a database of Ethernet/IP address pairings, and reports changes. By default, it reports changes via e-mail to the root account on the host which is running Arpwatch. This information can be used to check whether users are attempting to spoof their address information, and can be coupled with information in other log files to confront potential problem users.
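The following illustration has been added to this report; it is not Arpwatch's own code and not part of the original audit. It replays a constructed sequence of Ethernet/IP pairings, as Arpwatch would observe them on the user subnet, and raises the same event classes Arpwatch reports by e-mail: a new station, a changed Ethernet address for a known IP, and a flip flop (the IP returning to its earlier Ethernet address, which is what two hosts contending for one IP look like). One extra check not in Arpwatch's report set is included and labelled as such: a single Ethernet address seen claiming more than one IP. The addresses in the sample stream are assumptions made for the example.

```python
"""Arpwatch-style monitoring of Ethernet/IP pairings. Added illustration; not
Arpwatch's code and not from the original audit. Replays constructed ARP
observations and reports new station / changed ethernet address / flip flop,
plus an extra check for one MAC claiming several IPs.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self):
        self.current = {}                  # ip -> mac currently bound
        self.previous = {}                 # ip -> mac bound before the last change
        self.ips_by_mac = defaultdict(set)  # mac -> every ip it has claimed

    def observe(self, ip, mac):
        """Record one ARP pairing; return an event tuple (kind, ip, old, new) or None."""
        mac = mac.lower()
        self.ips_by_mac[mac].add(ip)
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            return ("new station", ip, None, mac)
        if old == mac:
            return None
        # The IP now answers from a different MAC. If it flipped back to the
        # address it had before the last change, Arpwatch calls it a flip flop:
        # the classic sign of a second host contending for the same IP.
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.current[ip] = mac
        return (kind, ip, old, mac)

    def replay(self, observations):
        events = []
        for ip, mac in observations:
            ev = self.observe(ip, mac)
            if ev:
                events.append(ev)
        return events

    def shared_macs(self):
        """Extra check (not an Arpwatch report): MACs that claimed more than one IP."""
        return {mac: sorted(ips) for mac, ips in self.ips_by_mac.items() if len(ips) > 1}


# Constructed observation stream (not a capture from LeftHand's network).
SAMPLE_ARP = [
    ("192.168.1.1",  "00:11:22:33:44:01"),  # gateway announces itself
    ("192.168.1.17", "00:11:22:33:44:17"),  # a workstation
    ("192.168.1.1",  "00:11:22:33:44:01"),  # gateway again, unchanged: no event
    ("192.168.1.1",  "00:DE:AD:BE:EF:99"),  # another host claims the gateway IP
    ("192.168.1.1",  "00:11:22:33:44:01"),  # real gateway answers again: flip flop
    ("192.168.1.44", "00:11:22:33:44:17"),  # the .17 workstation now also uses .44
]

if __name__ == "__main__":
    mon = ArpMonitor()
    for kind, ip, old, new in mon.replay(SAMPLE_ARP):
        print("%-24s ip %-13s old %-17s new %s" % (kind, ip, old or "-", new))
    for mac, ips in mon.shared_macs().items():
        print("mac %s seen with several ips: %s" % (mac, ", ".join(ips)))
```

The flip flop on the gateway address is the event worth paging on: a user station answering ARP for the router is either a misconfiguration or an attempt to capture the traffic the management network of Recommendation 8 is meant to protect.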

Recommendation 12
Deploy Arpwatch on the user subnet, which will allow identification of Ethernet/IP pairing changes and identify potentially spoofed addresses. Set up a process for monitoring the e-mail generated by Arpwatch.

Management’s Response
LeftHand Software will deploy appropriate network infrastructure to support the Arpwatch tool, and will routinely monitor Arpwatch’s logs.

STANDARDIZE AND DEPLOY HOST BASED FIREWALLS ON CLIENT AND SERVER SYSTEMS
In addition to creating a baseline for the configuration management of the systems on the LeftHand Software network, it is considered good security practice to deploy host-based firewalls on all systems on the client network as well as on all servers within the service network. These firewalls, which will be configured to allow acceptable inbound and outbound connections and to drop all others, will increase the enterprise's defense-in-depth capabilities, allowing for management of network connections at both the subnet level (via the ACLs on the routers/firewalls there) and at the host level.

Host-based firewalls must be carefully configured to allow all acceptable traffic while denying all unauthorized traffic.

Recommendation 13
Deploy host-based firewalls on all client systems as well as on all servers operated by LeftHand Software.

Management’s Response
LeftHand Software will deploy host-based firewalls on all client systems and servers to comply with the guidance from this audit.

IMPLEMENT SERVICE AVAILABILITY MONITORING SYSTEMS
There are currently no systems on the LeftHand Software network that monitor the availability of the network services offered. The lack of this type of monitoring, although not necessarily a true security vulnerability, can have a negative impact on the availability of network services, as downtime is likely to go unrecognized for longer than it would if availability monitoring were in place.

Recommendation 15
The best solution to this issue would be to select any of a number of viable service availability monitoring applications (such as PureSecure, Argus, Nagios, Big Brother, etc.) and deploy the application in the management network. The application would use its probing capabilities to determine service availability and would subsequently send an alert (in whatever fashion specified) to the administrators.

Management’s Response
LeftHand Software will implement a service availability monitoring server within the management network and will respond to alerts generated by this system.

IMPLEMENT TRAINING AND EDUCATION FOR ADMINISTRATION STAFF
Administrators within LeftHand Software have limited training in security issues. They have been forced to perform tasks for which they have not been trained, and have balanced a heavy workload in doing so. The need for training is very clear in the wake of this information security audit, and should be addressed by LeftHand Software immediately.

Recommended training courses for administrators within LeftHand Software include:
• Information Security for Technical Staff, offered by the Networked Systems Survivability Program at the Software Engineering Institute
• Global Information Assurance Certification (GIAC) Security Essentials Certification (GSEC), offered by SANS
• Certified Information Systems Security Professional (CISSP) training, offered by a number of training organizations

Recommendation 16
The administrators should have a set of training requirements dealing with information and network security which they are to attend, and these requirements should become part of their professional training and development career progression path.

Management’s Response
The administrators will be given concrete training requirements and will be sent to appropriate training to meet these requirements.

