DIA Network Security Management - Denver


Dennis J. Gallagher Auditor

Office of the Auditor Audit Services Division

City and County of Denver

DIA Network Security Management Performance Audit

September 2013


The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor, and the public to improve all aspects of Denver’s government. He also chairs the City’s Audit Committee.

The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City’s finances and operations, including the integrity of the City’s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest.

Audit Committee

Dennis Gallagher, Chair
Robert Bishop
Maurice Goodgaine
Jeffrey Hart
Leslie Mitchell
Timothy O’Brien, Vice-Chair
Rudolfo Payan

Audit Staff

Audrey Donovan, Deputy Director, CIA, CRMA
Stephen E. Coury, IT Audit Supervisor, CISA
Shannon Kuhn, Lead IT Auditor, CISA

You can obtain copies of this report by contacting us at:

Office of the Auditor
201 West Colfax Avenue, Department 705
Denver, CO 80202

(720) 913-5000 Fax (720) 913-5247

Or download and view an electronic copy by visiting our website at:

www.denvergov.org/auditor


To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people.

We will monitor and report on recommendations and progress towards their implementation.

City and County of Denver 201 West Colfax Avenue, Department 705 • Denver, Colorado 80202 • 720-913-5000 • FAX 720-913-5247 • www.denvergov.org/auditor

Dennis J. Gallagher Auditor

September 19, 2013

Ms. Kim Day, Manager
Department of Aviation
City and County of Denver

Dear Ms. Day:

Attached is the Auditor’s Office Audit Services Division’s report of their audit of network security management at Denver International Airport (DIA). The purpose of the audit was to determine whether DIA’s network equipment is protected from unauthorized physical access and secured should environmental conditions threaten the integrity of DIA's important information technology assets.

First, I want to commend DIA's Technologies Department for the exceptional efforts it has made in a number of important areas, including information security awareness training and network equipment inventory controls. These are issues that we have identified as problematic in other information technology audits, and we recognize the hard work and expertise required to put such controls in place.

However, the IT audit team did identify a number of issues that we encourage you to address to further improve the security of the airport's data network infrastructure. We have made several recommendations that we believe will, if implemented, enhance physical access controls, strengthen environmental controls, and expand security policies and standards.

If you have any questions, please call Kip Memmott, Director of Audit Services, at 720-913-5000.

Sincerely,

Dennis J. Gallagher
Auditor

DJG/eaj

cc: Honorable Michael Hancock, Mayor
Honorable Members of City Council
Members of Audit Committee
Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer
Ms. Janice Sinden, Chief of Staff
Ms. Stephanie O’Malley, Deputy Chief of Staff
Ms. Beth Machann, Controller
Mr. Doug Friednash, City Attorney
Ms. Janna Young, City Council Executive Staff Director
Mr. L. Michael Henry, Staff Director, Board of Ethics
Mr. Eric Hiraga, Deputy Manager of Aviation and Chief of Staff
Mr. Patrick Heck, Deputy Manager of Aviation and Chief Financial Officer
Mr. Robert Kastelitz, Deputy Manager of Aviation and Chief Information Officer


AUDITOR’S REPORT

We have completed an audit of the data network infrastructure controls supporting Denver International Airport (DIA). The purpose of the audit was to determine whether DIA’s data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The audit found three areas where controls need to be improved to adequately protect the confidentiality, integrity, and availability of the data network. First, we found that physical access controls were ineffective for some of the network equipment areas that we tested. Although access to areas containing network equipment should be limited to authorized personnel, in more than half of the sites we tested, door locks were not working, equipment areas were not adequately isolated from public access, or management was not monitoring room access. Second, we found that nearly all the network equipment rooms that we tested were not in compliance with DIA's physical security standards. This was evident in a number of conditions, ranging from a lack of current fire inspections to unhealthy environmental conditions. Third, we found several areas where DIA's information and physical security policies and standards were incomplete, out-of-date, or unenforced.

Despite these deficiencies, we also identified five areas where controls were well-designed and functioning properly. These areas include DIA's information security awareness training program, malware prevention controls, network equipment inventory records, information security management system, and information security and network personnel expertise.

We extend our appreciation to the personnel who assisted and cooperated with us during the audit.

Audit Services Division

Kip Memmott, MA, CGAP, CRMA

Director of Audit Services

REPORT HIGHLIGHTS

DIA Network Security Management Performance Audit
September 2013

A review of the data network infrastructure controls supporting the Denver International Airport, including information security management, physical security and environmental controls, and asset management.

Background

The Technologies Department at Denver International Airport (DIA Technologies) supports the data network infrastructure used by DIA business and security systems, such as financial accounting, parking fees, access control and alarm monitoring, video surveillance, and emergency response. DIA Technologies provides network services to concessionaires who purchase internet access from DIA but does not manage infrastructure used by other concessionaires, airlines, and federal agencies, such as the Federal Aviation Administration (FAA) and the Transportation Security Administration (TSA). The DIA network is physically large and has equipment housed in over 190 locations both on and off the airport property.

Purpose

To test that information security policies are adequate; personnel are experienced, qualified, and trained; network equipment is physically protected from unauthorized access; environmental controls protect the safety of both equipment and personnel; network equipment inventories are accurate; malware protection is effective; and equipment rooms are compliant with DIA physical security standards.

Highlights

The audit found three areas where controls need to be improved and five areas where controls are well designed. Improvements are recommended in the areas of physical access controls; environmental controls related to fire, health, and safety; and information and physical security policy. Specifically:

1. In 70% of the sites we tested, door locks were not working, equipment areas were not adequately isolated from public access, or management was not monitoring room access.

2. We found that nearly all equipment rooms were non-compliant with DIA physical security standards in at least one area, ranging from a lack of current fire inspections to unhealthy environmental conditions.

3. We found several areas where policies and standards should be expanded, updated, and enforced.

Audit tests demonstrated that DIA Technologies has exceptional controls in the following five areas:

• Information security awareness training
• Anti-malware prevention
• Network equipment inventory records
• Information security management system
• Information security and network staffing

For a complete copy of this report, visit www.denvergov.org/auditor or contact the Auditor’s Office at 720.913.5000


TABLE OF CONTENTS

INTRODUCTION & BACKGROUND 1

Denver International Airport’s Data Network 1

SCOPE 2

OBJECTIVE 2

METHODOLOGY 2

FINDING 1 4

Physical Access Controls Are Ineffective for Some Network Equipment Areas 4

RECOMMENDATIONS 5

FINDING 2 6

Environmental Controls Are Inadequate for Some Network Equipment Areas 6

RECOMMENDATIONS 7

FINDING 3 8

Some Security Policies and Standards Are Incomplete and Outdated and Security Policy Administration Needs Improvement 8

RECOMMENDATIONS 9

APPENDICES 10

Appendix A – Site Test Locations 10

Appendix B – Results of Site Location Tests 11

Appendix C – Photos of Conditions Observed 13

AGENCY RESPONSE 14

INTRODUCTION & BACKGROUND

Denver International Airport’s Data Network

The City and County of Denver operates a large and complex Metropolitan Area Network that supports City services throughout Denver, including the Denver International Airport (DIA).[1]

Accordingly, DIA’s Technologies Department (DIA Technologies) supports the data network infrastructure used by DIA business and security systems, such as financial accounting, parking fees, access control and alarm monitoring, video surveillance, and emergency response. DIA Technologies provides network services to concessionaires who purchase internet access from DIA and facilitates, but does not manage, infrastructure used by other concessionaires, airlines, and federal agencies, such as the Federal Aviation Administration (FAA) and the Transportation Security Administration (TSA).

Due to the City network’s diverse purposes and physical make-up, some portions of the network are managed by different agencies or departments as illustrated in Figure 1.

Figure 1 – Managers of the City and County of Denver’s Metropolitan Area Network

[Diagram not reproduced in this transcript; the labels shown are: Denver District Attorney; Denver County Courts; Denver Public Library & Others; Technology Services; Denver International Airport; FAA, TSA, Others; DIA Technologies.]

[1] A Metropolitan Area Network connects offices distributed throughout the area of a large city.

SCOPE

The audit focused on the segments of the City’s Metropolitan Area Network that are managed by DIA Technologies, which excludes the highlighted portions shown in Figure 1 above that are managed by other agencies, such as the City’s Technology Services Department, the Denver District Attorney’s Office, and the Denver County Courts.

In accordance with Generally Accepted Government Auditing Standards (GAGAS) promulgated by the U.S. Comptroller General, the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report.

The details of all findings, however, have been presented to DIA Technologies management. As part of our regular follow-up process, we will return at a future date to ensure that all findings have been addressed.

OBJECTIVE

The purpose of the audit was to determine whether DIA’s data network is protected from unauthorized access and whether controls are effective in protecting network confidentiality, integrity, and availability.

METHODOLOGY

We utilized several methodologies to achieve the audit objective. Our evidence gathering techniques included, but were not limited to:

• Selecting and testing a sample of facilities housing network equipment, detailed in Appendix A, for:

o Physical security, such as door access and equipment protection

o Environmental controls, such as temperature, humidity, fire detection, and fire suppression

o Compliance with DIA Technologies Physical Security Standard for Information Systems and Data Networks

o Prevention of access to DIA internal networks from wired network jacks that can be accessed by the public

o Prevention of access to DIA internal networks from wireless networks that can be accessed by the public

o Accuracy of network equipment inventory records

• Testing whether malware controls were effective at protecting the DIA internal network through remote network connections that included attempts to implant the EICAR pseudo-malware file onto network file shares and into internal email[2][3]

• Evaluation of essential network and information security personnel qualifications, experience, and training

• Direct evaluation of the SANS Securing the Human information security awareness training program for technical and non-technical employees and contractors[4]

• Examining existing information security policies, procedures, and standards

• Consulting best practice standards for information security policies and procedures from sources including:

o International Organization for Standardization publication “Information technology – Security techniques – Code of practice for information security management” (ISO 27002:2005)

o Federal Information System Controls Audit Manual (FISCAM February 2009)

o National Institute of Standards and Technology special publication “Recommended Security Controls for Federal Information Systems and Organizations” (NIST SP800-53)

o Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures, Version 2.0 (PCI DSS)

o National Fire Protection Association Standard for the Fire Protection of Information Technology Equipment (NFPA 75, 2013 edition)

• Reviewing relevant audits conducted by other organizations

[2] In this report we will use the term “malware” to refer to computer software that is designed with malicious intent, such as computer viruses, Trojans, and spyware, which are intended to cause harm, cause disruption, or provide surreptitious access to computer resources and data.

[3] The pseudo-malware file we utilized was an industry standard file that is used to test antivirus software. This file is commonly referred to as an EICAR file and is published by the European Institute for Computer Antivirus Research (EICAR). The file contains a special string of characters that all antivirus software will identify and raise an alert when scanned. The file is safe, as it does not contain any malicious code. It is a file used to assure system owners that their antivirus software is active. If one is able to pass the file through systems, it is an indication that the antivirus software is not running or is configured incorrectly.

[4] SANS Securing the Human provides information security awareness services and was established by the SANS (SysAdmin, Audit, Network, Security) Institute, which is a cooperative research and education organization.
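The EICAR check described in the methodology and in footnote 3, written out as an added example that is not part of the audit or of DIA's own tooling: it writes the harmless test file into a directory or mounted share, waits, and reports whether an on-access scanner removed, blocked or altered it. The file name, the wait time and the status vocabulary are this example's own assumptions.

```python
"""EICAR-based check of whether on-access antivirus scanning is active on a
writable location, such as a local directory or a mounted file share."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Optional

# The 68-byte EICAR test string, assembled from fragments so that this source
# file is not itself quarantined by the very scanner it is meant to verify.
# The bytes written to disk are exactly the published test string.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)
# SHA-256 of the published EICAR test file, used to confirm the assembled
# bytes are the genuine test string before they are written anywhere.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the EICAR test string as bytes."""
    return "".join(_EICAR_PARTS).encode("ascii")


def matches_published_digest() -> bool:
    """True when the assembled string hashes to the published EICAR digest."""
    return hashlib.sha256(eicar_bytes()).hexdigest() == EICAR_SHA256


@dataclass
class ScanCheck:
    location: str
    status: str                  # one of the values listed in check_on_access_scanning()
    detail: Optional[str] = None

    @property
    def scanner_active(self) -> bool:
        # Any of these means something intercepted or changed the test file.
        return self.status in {"removed", "blocked", "altered"}


def check_on_access_scanning(directory: str, wait_seconds: float = 2.0) -> ScanCheck:
    """Write the EICAR file into `directory`, wait, and see what became of it.

    status values:
      not_written  the location could not be written (check permissions first)
      removed      file disappeared: the scanner quarantined or deleted it
      blocked      file exists but cannot be read: the scanner is denying access
      altered      file readable but content changed: disinfected or truncated
      unchanged    file intact: no on-access scanning was observed here
    """
    if not matches_published_digest():
        raise RuntimeError("EICAR string is corrupt; refusing to run the check")
    path = os.path.join(directory, "eicar_av_check.com")  # assumed file name
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
    except OSError as exc:
        return ScanCheck(directory, "not_written", str(exc))
    time.sleep(wait_seconds)  # give the scanner time to react to the write
    try:
        with open(path, "rb") as fh:
            content = fh.read()
    except FileNotFoundError:
        return ScanCheck(directory, "removed")
    except OSError as exc:
        return ScanCheck(directory, "blocked", str(exc))
    status = "unchanged" if content == eicar_bytes() else "altered"
    try:
        os.remove(path)  # leave nothing behind when the scanner did not act
    except OSError:
        pass
    return ScanCheck(directory, status)


def self_check(wait_seconds: float = 0.5) -> ScanCheck:
    """Run the check against a fresh temporary directory on this host."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_on_access_scanning(tmp, wait_seconds)


if __name__ == "__main__":
    result = self_check()
    verdict = "ACTIVE" if result.scanner_active else "NOT OBSERVED"
    print(f"{result.location}: {result.status} -> on-access scanning {verdict}")
```

Point `check_on_access_scanning()` at each mounted share in turn; a result of `unchanged` on a share is the condition footnote 3 describes as a scanner that is not running or is misconfigured there.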

FINDING 1

Physical Access Controls Are Ineffective for Some Network Equipment Areas

The Denver International Airport (DIA) network is physically large and has equipment housed in over 190 locations both on and off the airport property. We tested a sample of ten sites, as shown in Appendix A, to assess whether physical access controls were effective in protecting the data network. Access to areas containing network equipment should be limited to authorized personnel to help protect the confidentiality, integrity, and availability of the data network. In 70 percent of the sites we tested, door locks were not working, equipment areas were not adequately isolated from public access, or management was not monitoring room access. Specifically, auditors observed the following conditions and the effects that they potentially could have on network security at DIA.

• At five of the ten (or 50 percent of) sites tested, auditors encountered unlocked doors leading to network equipment. Of these, three sites had doors with faulty locking mechanisms, which could be opened without an access card or key; one site’s door lock was not operable as the result of someone having stuffed material into the door jamb to prevent the door from latching (see Figure 3 in Appendix C); and one site had equipment that was not stored in a locked cabinet, making it accessible by unauthorized personnel through a door that was routinely propped open. Without equipment being protected in locked rooms or in locked cabinets, unauthorized individuals could access equipment areas and potentially damage equipment or disrupt the data network.

• Three of the ten (or 30 percent of) sites tested (including one listed above) were not adequately isolated from public access. A member of the public should not be able to physically touch a door that leads to network equipment without other compensating controls. Of the three inadequately isolated sites, the first site is the area with the door routinely propped open as mentioned in the first bullet. The second site is a building outside the airport-controlled property where the external door is situated in a publicly accessible area and opens directly into the network equipment room. The third site is a data center where a door that could provide adequate isolation from the public exists, but the door does not latch properly and is not equipped with an access card reader. Without adequate physical isolation from the public, network equipment areas could be identified for subsequent intrusion or an unauthorized person could follow behind an authorized individual who is entering the room.

• For the data center mentioned in the second bullet, management did not have a list of personnel with authorized access and did not regularly review access logs to determine who has entered the room. Without reviewing authorized access lists and door access logs, management cannot determine whether unauthorized personnel are entering the room.

Table 1 (in Appendix B) demonstrates which test sites we considered to have a low, medium, or high level of physical security risk based on both the physical security of the site and the protection of equipment within the site. Appendix B also highlights how some mitigating controls help limit risk.

RECOMMENDATIONS

To improve the effectiveness of physical access controls for network equipment areas, DIA Technologies should:

1.1. Adopt a process whereby personnel working in network equipment rooms confirm that door locks are working properly and report malfunctioning door locks for repair or, alternatively, conduct routine security checks of all rooms to ensure that network equipment areas are secured.

1.2. Provide isolation from public access to network equipment areas by securing equipment in a locked rack or cabinet in sites where the building door is routinely propped open for business purposes.

1.3. Provide isolation from public access to network equipment rooms by installing an internal “cage” second door in sites that currently have doors that open to publicly accessible spaces.

1.4. Provide isolation from public access by repairing and installing card reader access on the existing doors that lead to a data center.

1.5. Develop and regularly review a report for the data center that lists individuals with access rights and another report to show who has recently accessed the room.
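Recommendation 1.5 asks for a report of who holds access rights and a report of who has recently entered the room. As an added example (not from the audit or from DIA's systems), the review below reconciles a constructed badge-reader export against an authorized-access list and flags door-sensor openings without a badge, the alarm condition Appendix B describes, marking those that follow a granted entry within two minutes as possible follow-ins. The CSV columns, event names, badge numbers and the 120-second window are assumptions of this example.

```python
"""Review a data-center door access log against management's list of
authorized badge holders: who holds rights, who actually entered, and the
exceptions (door opened without a badge, entries by badges not on the list,
refused attempts) that a periodic access review should surface."""
import csv
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Optional

# Constructed sample export from a hypothetical access-control system:
# one row per badge-reader or door-sensor event at the data-center door.
SAMPLE_LOG = """\
timestamp,door,event,badge
2013-08-01T07:58:10,DC-MAIN,ENTRY_GRANTED,10421
2013-08-01T08:02:44,DC-MAIN,EXIT_GRANTED,10421
2013-08-01T13:15:02,DC-MAIN,ENTRY_GRANTED,10877
2013-08-01T13:16:30,DC-MAIN,DOOR_OPENED_NO_BADGE,
2013-08-01T14:40:51,DC-MAIN,ACCESS_DENIED,20044
2013-08-02T09:10:05,DC-MAIN,ENTRY_GRANTED,30555
2013-08-02T09:45:12,DC-MAIN,EXIT_GRANTED,30555
2013-08-02T22:05:00,DC-MAIN,DOOR_OPENED_NO_BADGE,
"""

# Constructed: the authorized-access list management is expected to keep.
AUTHORIZED = {"10421": "network engineer A", "10877": "network engineer B"}

# A door opened without a badge this soon after a granted entry is more
# likely someone following an authorized person in than a forced door.
TAILGATE_WINDOW = timedelta(seconds=120)


@dataclass
class AccessReview:
    entries_by_badge: Counter          # recent-access report: badge -> entries
    not_on_list: Dict[str, str]        # badges granted entry but absent from the list
    opened_without_badge: List[str]    # door-sensor events, annotated
    denied: List[str]                  # refused attempts, "timestamp badge"

    @property
    def exceptions(self) -> int:
        return len(self.not_on_list) + len(self.opened_without_badge) + len(self.denied)


def _parse(log_text: str) -> List[dict]:
    rows = list(csv.DictReader(StringIO(log_text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])


def review_access(log_text: str, authorized: Dict[str, str],
                  now: datetime, window_days: int = 30) -> AccessReview:
    """Build the access review for the `window_days` ending at `now`."""
    since = now - timedelta(days=window_days)
    entries: Counter = Counter()
    not_on_list: Dict[str, str] = {}
    sensor: List[str] = []
    denied: List[str] = []
    last_entry: Optional[dict] = None
    for row in _parse(log_text):
        if row["ts"] < since:
            continue
        event, badge, ts = row["event"], row["badge"], row["timestamp"]
        if event == "ENTRY_GRANTED":
            entries[badge] += 1
            last_entry = row
            if badge not in authorized:
                # the system grants this badge entry, but management's list does not
                not_on_list[badge] = ts
        elif event == "DOOR_OPENED_NO_BADGE":
            if last_entry and row["ts"] - last_entry["ts"] <= TAILGATE_WINDOW:
                sensor.append(f"{ts} possible tailgate after badge {last_entry['badge']}")
            else:
                sensor.append(f"{ts} door opened with no badge activity")
        elif event == "ACCESS_DENIED":
            denied.append(f"{ts} {badge}")
    return AccessReview(entries, not_on_list, sensor, denied)


def sample_review() -> AccessReview:
    """Run the review over the constructed sample as of 2 Aug 2013."""
    return review_access(SAMPLE_LOG, AUTHORIZED, datetime(2013, 8, 2, 23, 59))


if __name__ == "__main__":
    r = sample_review()
    print("Recent access:", dict(r.entries_by_badge))
    print("Granted but not on authorized list:", r.not_on_list)
    for line in r.opened_without_badge:
        print("Door sensor:", line)
    print("Denied:", r.denied)
```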

FINDING 2

Environmental Controls Are Inadequate for Some Network Equipment Areas

Environmental controls help ensure that network equipment areas not only operate within the appropriate temperature and humidity tolerances, but also serve to help protect against fire damage and ensure healthy and safe working environments for personnel. We tested ten sites for compliance with the DIA Technologies Physical Security Standard for Information Systems and Data Networks (DIA standard). We found that nearly all equipment rooms were non-compliant with the DIA standard in at least one area, ranging from the lack of current fire inspections to unhealthy environmental conditions. Specifically, auditors observed the following conditions, contrasted against the types of environmental controls that should be in place at DIA.

• A data center’s automatic fire suppression system had not been inspected since March 2010. Automatic fire suppression systems should be inspected annually to ensure that they will function properly when needed.

• Three portable fire extinguishers had not been inspected within the last year. To ensure proper functioning of portable fire extinguishers, they should be inspected annually.

• Three equipment rooms did not have any portable fire extinguishers. According to the DIA standard, each equipment room should have a portable fire extinguisher.

• Seven equipment rooms did not have a manual pull fire alarm as required by the DIA standard.

• One equipment room was not constructed with slab-to-slab walls, which are required by the DIA standard. The room also had a gap in the ceiling that could weaken the physical security of the space and increase its fire risk (see Figure 9 in Appendix C).

• Three equipment rooms did not have fire-rated doors to help protect equipment from a fire originating outside the room and to help contain a fire that may originate within the room.

• One equipment room had paper inappropriately stored on the ceiling cable raceway (see Figure 8 in Appendix C). Equipment rooms should be free of any unnecessary flammable materials.

• One equipment room had evidence of rodents and insect infestations (see Figures 4, 5, and 6 in Appendix C). Equipment rooms should be operated in a healthy and safe environment. Rodents not only pose a health hazard to humans from disease, but they could also damage equipment and chew on cables. Some insects could sting and injure personnel.

• Two equipment rooms were exceptionally dirty. Excessive dust poses a potential fire hazard.

• Two equipment rooms did not have equipment connected to uninterruptible power supplies as required by the DIA standard.

RECOMMENDATIONS

To improve the effectiveness of environmental controls for network equipment areas, DIA Technologies should:

2.1. Conduct routine inspections of all equipment areas to ensure compliance with the DIA Technologies Physical Security Standard for Information Systems and Data Networks and have the areas cleaned as necessary.

2.2. Have all automatic and portable fire suppression equipment inspected annually.

2.3. Evaluate any differences between the DIA standard, building codes, and the National Fire Protection Association Standard for the Fire Protection of Information Technology Equipment (NFPA 75) and adjust the DIA standard if necessary; supply rooms with missing equipment, such as portable fire extinguishers and manual pull fire alarms; and make construction and door corrections.

2.4. Remove the flammable material (paper) from the equipment room’s cable raceway.

2.5. In the building with rodent and insect infestations, seal the foundation and walls and install a door sweep to prevent future infestations.

2.6. Install uninterruptible power supplies as necessary.

FINDING 3

Some Security Policies and Standards Are Incomplete and Outdated and Security Policy Administration Needs Improvement

Security policies and standards for both information security and physical security provide the basis for protecting network equipment as well as data. Accordingly, security policies and standards should be complete, current, and enforced. We found several areas where policies and standards should be expanded, updated, and enforced. We also found five areas where DIA’s security controls were exceptional. Specifically, auditors identified the following conditions indicative of DIA’s inadequate security policies and standards.

• Some important security policies have not been developed and implemented. Specific missing policy areas have been discussed with DIA Technologies but are not listed here for security reasons.

• Some important security policies do not have evidence of management review and approval. Policies are not effective or enforceable without senior management’s support.

• One critical policy has not been updated in over two years. Critical policies should be revisited and updated annually.

• Four equipment areas tested did not meet the DIA standard as being contained within the TSA restricted, sterile, or secured areas. The standard should address all the areas where equipment is located.

• We tested different avenues by which malware could be introduced into the DIA network by remote users. The suite of anti-malware software utilized by DIA was highly effective in protecting the environment. However, the antivirus software was not effective at preventing the introduction of pseudo-malware in one environment we tested. This exposure presents an opportunity whereby malware could be introduced into the network.

Audit tests demonstrated that DIA Technologies has exceptional controls in the following five areas:

• The information security awareness program at DIA is excellent. The system is tailored to different types of computer users, provides accurate and prudent advice, and automatically tracks employee completion. The only shortcoming we identified was that the system lacked a module related specifically to DIA’s security policy and procedures. For example, the DIA security policy requires employees and contractors annually to review and acknowledge their agreement with important policies such as the IT User Agreement and the Remote Access User Agreement. Incorporating this review and acknowledgement into the existing training program will make it complete.

• Malware prevention controls were highly effective in most cases as discussed above.

• We found no discrepancies in network equipment inventory records for the ten sites we tested. Good network equipment inventory controls are the basis for good network security.

• Over the past year, DIA Technologies’ management improved the information security management system through effective staffing, adequate funding, and focused support for programs.

• Our tests of key information security and network personnel experience, qualifications, and training show that DIA is well staffed to support a strong network security administration function.

RECOMMENDATIONS

To ensure that security policies are complete, up-to-date, and enforced, DIA Technologies should:

3.1. Enforce the annual requirement for employees and contractors to review and acknowledge important policies such as the IT User Agreement and the Remote Access User Agreement by either adding them to the automated information security awareness training program or by developing an alternative process.

3.2. Develop and implement the missing security policies discussed with the auditors.

3.3. Ensure that all important security policies have management’s review and approval.

3.4. Ensure that all critical policies are reviewed and updated annually.

3.5. Update the DIA Technologies Physical Security Standard for Information Systems and Data Networks to address all the areas where network equipment is installed.

3.6. Examine and resolve the reasons why the antivirus software did not prevent our test from introducing pseudo-malware onto the network.

APPENDICES

Appendix A – Site Test Locations

The Denver International Airport (DIA) network is physically large and has equipment housed in over 190 locations both on and off the airport property. We tested a sample of ten sites to include those that are representative of the following locations:

• Every concourse (A, B, and C)
• Main terminal
• Airport Office Building
• Widely dispersed areas outside of the main terminal and concourse buildings
• Area off the main airport property

Figure 2 shows the approximate location for nine of the ten sites tested. One site was not on the airport property and is not shown.

Figure 2 – Aerial Photo of DIA Showing Locations of 9 of the 10 Sites Tested

[Aerial photo with numbered site markers 2 through 10; not reproduced in this transcript.]

Note: Site location names are not identified for security reasons.

Appendix B – Results of Site Location Tests

We tested a sample of ten network equipment locations (as shown in Appendix A). Table 1 shows how each site was ranked according to two vectors: one for physical security of the site and the other for the protection of equipment within the site. Each vector ranked the condition at high, medium, or low to indicate the level of risk to the site or the equipment. The definitions for high, medium, and low were slightly scaled back from the highest standards found in best practices so that they would better reflect DIA’s environment, which includes some mitigating physical controls to help limit risk. For example, some equipment rooms are situated in areas to which the public does not have access. Others are equipped with door sensors that detect when a door is opened without the use of an authorized access card.

Although a failed door lock would normally result in a high physical security risk ranking, auditors assigned some failed door locks a medium risk ranking since the risk was mitigated by the site being situated within a secured area of the airport that prohibited public access. Badge scanning mitigates risk for equipment rooms that require personnel to scan an identification badge upon room entry and room exit. In such cases, if a door is opened without an authorized badge being scanned, the door sensor will trigger an alarm and an airport security guard may be dispatched to investigate the situation.

Table 1 – Results of Site Location Tests

[Table not reproduced in this transcript.]

Note: The site locations are not identified for security reasons.

Appendix C – Photos of Conditions Observed

The photos in Figures 3 through 9 illustrate some of the conditions observed during testing. For security reasons the locations are not disclosed.

Figure 3 – Door latch obstructed

Figure 4 – Evidence of rodents

Figure 5 – Gap under door allows insect infestations

Figure 6 – More insect infestation

Figure 7 – Broken door latch

Figure 8 – Paper on cable raceway

Figure 9 – Gap in ceiling


AGENCY RESPONSE
