City of Glendale
Internal Audit Report: Password Security
Date: October 31, 2022
Prepared by Securance Consulting

Securance Consulting . CONFIDENTIAL . Provided for: City of Glendale

VERSION MANAGEMENT

VERSION | DATE APPROVED    | APPROVED BY | DESCRIPTION
--------+------------------+-------------+----------------------------
1.0.0   | October 31, 2022 | Securance   | Initial Draft
1.1.0   |                  | Securance   | Client Edits Final Version

This report is intended solely for the management of the City of Glendale for its internal use and is not intended to, nor may, be relied upon by any other party (“Third Party”). Neither this deliverable nor its contents may be distributed to, discussed with, or otherwise disclosed to any Third Party without the prior written permission of Securance Consulting. Securance Consulting accepts no liability or responsibility to any Third Party that gains access to this report.

© 2022 Securance LLC.

TABLE OF CONTENTS

SECTION I: EXECUTIVE SUMMARY
  Introduction and Scope ........................... 4
  Finding Legend ................................... 5
  Summary of Findings .............................. 6
  Conclusion ....................................... 6
SECTION II: PASSWORD SECURITY AUDIT REPORT
  Background ....................................... 7
  Specific Objectives and Detailed Scope ........... 7
  Approach and Methodology ......................... 7
  Findings and Recommendations ..................... 8
SECTION III: SECURANCE VALUE
  Securance Value .................................. 13

SECTION I: EXECUTIVE SUMMARY

INTRODUCTION AND SCOPE

The City of Glendale (Glendale) is a vibrant and welcoming metropolitan city with more than 250,784 residents and nearly 2,000 employees working together to make it the community of choice. Glendale prides itself on unmatched customer service and quality of life, both of which are supported by diverse technologies and applications that must remain secure and available.

In October 2022, Glendale contracted Securance to assess its enterprise password security. The objective of the engagement was to assess enterprise password security and controls. The scope was limited to detailed reviews of the city’s and the police department’s password policies, configurations, and administration.

To perform the assessment, we applied our proven methodologies and an approach tailored to Glendale’s IT environment. We compared all findings to industry standards and our internal risk management knowledgebase.

FINDING LEGEND

Urgent-Risk (Level 5) – Immediate remediation required. Note: If the finding is a technical vulnerability, it provides remote intruders with remote root or administrator capabilities.

Critical-Risk (Level 4) – Immediate action recommended, with remediation ASAP. Note: If the finding is a technical vulnerability, it provides intruders with remote user, but not remote administrator or root user, capabilities.

High-Risk (Level 3) – Immediate action recommended, with remediation in 90 days. Note: If the finding is a technical vulnerability, it provides hackers with access to specific information, including security settings, stored on the host. Vulnerabilities at this level could result in potential misuse of the host by intruders.

Medium-Risk (Level 2) – Action recommended, with remediation in 180 days. Note: If the finding is a technical vulnerability, it may expose sensitive information, such as precise versions of services, from the host. With this information, hackers could research potential attacks to try against a host.

Low-Risk/Informational (Level 1) – Effective control. No immediate changes recommended. Opportunity for slight improvement.

Advisory Comment – Action suggested at the discretion of management.

Note: Remediation timeframes are based on best practices and Securance’s experience.

SUMMARY OF FINDINGS

The following section summarizes our findings from the password security assessment.

NO. | FINDING TITLE                                             | RATING (see Finding Legend)
----+-----------------------------------------------------------+----------------------------
1   | Active Directory – City Password Policy                   | ✔
2   | Active Directory – Police Department (PD) Password Policy | ✔
3   | Administrator (i.e., Root) Password Management            | ✔

Findings Totals: 0 0 0 1 2 0 (rating columns, in the order of the Finding Legend)

No. 1: Active Directory – City Password Policy – we assessed the city’s password management process. Based on our assessment, the password management practices are effective and aligned with a national framework and standard.

No. 2: Active Directory – Police Department (PD) Password Policy – we assessed PD’s password management process. Based on our assessment, PD’s password security policy is compliant with the Commission on Accreditation for Law Enforcement Agencies (CALEA) standards.

No. 3: Administrator (i.e., Root) Password Management – we assessed the management and administration of privileged account access. Based on our assessment, we recommend modifying the configuration standard to include language on the creation and configuration of administrator and root passwords.

CONCLUSION

Based on our assessment, knowledge of Glendale’s password security management, and cybersecurity consulting experience, we believe that Glendale’s password management processes and controls are effective. The remainder of this report provides a detailed analysis of our approach, methodology, and observations.

SECTION II: PASSWORD SECURITY AUDIT REPORT

BACKGROUND

The City of Glendale (Glendale) is a vibrant and welcoming metropolitan city with more than 250,784 residents and nearly 2,000 employees working together to make it the community of choice. Glendale prides itself on unmatched customer service and quality of life, both of which are supported by diverse technologies and applications that must remain secure and available. In October 2022, Glendale contracted Securance to assess its enterprise password security.

SPECIFIC OBJECTIVES AND SCOPE

The objective of the engagement was to assess enterprise password security and controls. The scope was limited to detailed reviews of the city’s and the police department’s password policies, configurations, and administration.

APPROACH AND METHODOLOGY

Our assessment followed our proven methodology and included the following tasks:
• Review of governance documents.
• Interviews with IT personnel.
• Review of collected evidence.

FINDINGS AND RECOMMENDATIONS

The following recommendations are based on our assessment and are intended to improve Glendale’s password security management.

No. 1: Active Directory – City Password Policy

We assessed the city’s password management process and noted the following:
• The Identity and Access Management Policy governs the creation, configuration, and management of passwords.
• The city’s password policy is enforced using Microsoft Active Directory (AD) and is configured as follows:
    o Require passwords = yes.
    o Minimum length = 15 characters – this is consistent with NIST Special Publication 800-63B, Section 5.1.1.2, paragraph 9: “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” As such, there should not be a 90-day maximum password age, which would require frequent changes.
    o Maximum password age = 365 days.
    o Minimum password age = 7 days.
    o Complexity enabled = no.
    o History = 12.
    o Lockout threshold = 5 invalid attempts.
• Multi-factor authentication (MFA) is implemented for remote access to the city’s technology environment, including Virtual Private Network (VPN) and Virtual Desktop Infrastructure (VDI) access. MFA is conditionally implemented for Microsoft Office 365.
• Initial passwords and password resets performed by the helpdesk require the helpdesk technicians to verify a requestor’s identity and provide a one-time password.
• Where possible, enterprise applications and software-as-a-service (SaaS) applications are integrated with the AD password policy, using the industry-standard Security Assertion Markup Language (SAML) 2.0.

Potential Risk: AD is the primary technology used for controlling user access to network resources, including select applications. As such, it plays a significant role in determining the network’s security posture. Weak passwords are a significant contributor to network breaches.

Recommendation: We commend the city’s IT management for implementing an effective password policy aligned with national standards.

Management’s Response: None required.

No. 2: Active Directory – Police Department (PD) Password Policy

We assessed PD’s password management process and noted the following:
• The Identity and Access Management Policy governs the creation, configuration, and management of passwords.
• PD’s password policy is enforced using AD and is configured as follows:
    o Require passwords = yes.
    o Minimum length = 8 characters.
    o Maximum password age = 90 days.
    o Minimum password age = 7 days.
    o Complexity enabled = yes.
    o History = 12.
    o Lockout threshold = 5 invalid attempts.
    o Lockout duration = 30 minutes.
• MFA is implemented for remote access to PD’s environment via NetMotion.

Based on our assessment, PD’s password security policy is compliant with the Commission on Accreditation for Law Enforcement Agencies (CALEA) standards.

Potential Risk: AD is the primary technology used for controlling user access to network resources, including select applications. As such, it plays a significant role in determining the network’s security posture. Weak passwords are a significant contributor to network breaches.
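Findings No. 1 and No. 2 above record the Active Directory password-policy values for the city and for PD. What follows is an added example, not code from the report, from Securance, or from the city: a PowerShell check that reads the live policy and compares each setting with the value the report documents, so that drift from the audited configuration shows up as a FAIL row. It assumes the ActiveDirectory (RSAT) module and read access to the domain, and that PD’s policy is enforced either in its own domain or as a fine-grained password policy; the server name dc01.city.example.local and the function name Test-PasswordPolicyBaseline are placeholders of mine.

```powershell
# Added example, not part of the Securance report. Compares a live Active Directory
# password policy against the values documented in findings No. 1 and No. 2, so that
# drift from the audited configuration shows up as a FAIL row.
# Assumes the ActiveDirectory (RSAT) module and read access to the domain; the
# server name below is a placeholder.
Import-Module ActiveDirectory

# Baselines transcribed from the report. $null LockoutMinutes means the report did not
# record a lockout duration for that policy, so that check is skipped.
$Baselines = @{
    City = @{ MinLength = 15; MaxAgeDays = 365; MinAgeDays = 7; Complexity = $false; History = 12; LockoutThreshold = 5; LockoutMinutes = $null }
    PD   = @{ MinLength = 8;  MaxAgeDays = 90;  MinAgeDays = 7; Complexity = $true;  History = 12; LockoutThreshold = 5; LockoutMinutes = 30 }
}

function Test-PasswordPolicyBaseline {
    param(
        # Output of Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [string] $Label = 'policy'
    )

    # AD reports "passwords never expire" as TimeSpan.MaxValue (some tools show 0); map both to $null.
    $maxAgeDays = if ($Policy.MaxPasswordAge -eq [TimeSpan]::MaxValue -or $Policy.MaxPasswordAge.TotalDays -eq 0) {
        $null
    } else {
        [int]$Policy.MaxPasswordAge.TotalDays
    }

    $checks = @(
        @{ Name = 'Minimum length';     Actual = $Policy.MinPasswordLength;             Expected = $Baseline.MinLength }
        @{ Name = 'Maximum age (days)'; Actual = $maxAgeDays;                           Expected = $Baseline.MaxAgeDays }
        @{ Name = 'Minimum age (days)'; Actual = [int]$Policy.MinPasswordAge.TotalDays; Expected = $Baseline.MinAgeDays }
        @{ Name = 'Complexity enabled'; Actual = $Policy.ComplexityEnabled;             Expected = $Baseline.Complexity }
        @{ Name = 'History';            Actual = $Policy.PasswordHistoryCount;          Expected = $Baseline.History }
        @{ Name = 'Lockout threshold';  Actual = $Policy.LockoutThreshold;              Expected = $Baseline.LockoutThreshold }
    )
    if ($null -ne $Baseline.LockoutMinutes) {
        $checks += ,@{ Name = 'Lockout duration (min)'; Actual = [int]$Policy.LockoutDuration.TotalMinutes; Expected = $Baseline.LockoutMinutes }
    }

    # Emit one row per setting; exact equality, because the goal is to detect drift
    # from what was audited, not to grade the settings.
    foreach ($c in $checks) {
        [pscustomobject]@{
            Policy   = $Label
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            Result   = $(if ($c.Actual -eq $c.Expected) { 'PASS' } else { 'FAIL' })
        }
    }
}

# City: the default domain policy (server name is a placeholder).
$city = Get-ADDefaultDomainPasswordPolicy -Server 'dc01.city.example.local'
Test-PasswordPolicyBaseline -Policy $city -Baseline $Baselines.City -Label 'City default domain policy' |
    Format-Table -AutoSize

# PD: if its policy is a fine-grained password policy in the same domain rather than a
# separate domain, evaluate every FGPP against the PD baseline.
Get-ADFineGrainedPasswordPolicy -Filter * -Server 'dc01.city.example.local' |
    ForEach-Object { Test-PasswordPolicyBaseline -Policy $_ -Baseline $Baselines.PD -Label $_.Name } |
    Format-Table -AutoSize
```

Exact equality is deliberate. A generic “stricter is better” rule would flag the city’s disabled complexity and 365-day maximum age, even though the report explains that both follow NIST SP 800-63B; what an auditor wants to know between reviews is whether the configuration still matches what was signed off.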
Recommendation: We commend Glendale IT management for implementing an effective password policy for PD that is compliant with CALEA standards.

Management’s Response: None required.

No. 3: Administrator (i.e., Root) Password Management

We assessed the management of administrator-level (i.e., root) passwords. These passwords are critical because they are typically used for accounts that have full privileges over a technology or system. Examples include root user accounts on Linux or Unix systems, and administrator accounts on Microsoft operating system servers. These types of accounts are often referred to as privileged accounts.

We noted the following controls in place to protect administrator passwords:
• The Identity and Access Management Policy governs the creation, configuration, and management of certain privileged account passwords.
• A configuration standard defines how infrastructure and appliance passwords should be handled. However, it does not address password syntax.
• IT administrators have separate accounts for tasks requiring privileged access.
• Microsoft Windows Server administrator passwords are managed by the Local Administrator Password Solution (LAPS). Passwords are randomized, stored in AD, and protected by access control lists, so that only eligible users can read them or request resets. Eligible users are limited to IT administrators using administrator accounts.
• Router, switch, firewall, and appliance firmware passwords are maintained in KeePass. KeePass is a free open-source password manager. Using KeePass, IT teams can store passwords in an encrypted database, which can only be unlocked with a master key. Only IT administrators can access KeePass.
• The administration of routers, switches, firewalls, and appliances is managed through Terminal Access Controller Access-Control System Plus (TACACS+).
  TACACS+, which requires the user to provide a username, password, passcode, or other information to access a network device, is integrated with AD.

Potential Risk: Passwords are critical to securing access to specific technologies, systems, and network resources. As such, they play a significant role in determining the security posture of an environment. Weak passwords are a significant contributor to technology, system, and network breaches.

Recommendation: We commend Glendale’s IT management for implementing an effective process to manage privileged account passwords. We recommend the configuration standard be modified to include password syntax requirements.

Management’s Response: Concur. The Innovation & Technology department will update the current configuration standard to include password syntax requirements by June 30, 2023.

SECTION III: SECURANCE VALUE

Securance Consulting would like to THANK YOU for your business. Aside from benefiting from the highest level of service possible, you also received unique advantages that only Securance delivers. Our hands-on approach is tailored to fit the needs of your internal audit and IT departments and unique technology environment. Our technical expertise, outstanding reputation, and personalized attention ensure you receive a level of service surpassed by no other technology risk management firm in the market. As a Securance customer, you can be confident in your sound decision to manage your technology risk by partnering with Securance!

13916 Monroes Business Park, Suite 102 • Tampa, FL 33635 • 877.578.0215 • www.securanceconsulting.com
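Finding No. 3 above records that Windows Server administrator passwords are managed by LAPS, with the randomized passwords stored in AD. A control like that is only effective on the servers it actually covers, so the check below, an added example that is not code from the report, from Securance, or from the city, lists domain-joined servers that have no LAPS expiration timestamp (never enrolled) or whose scheduled rotation is overdue. It reads only the expiration attribute, never the password attribute. It assumes the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime (the report predates Windows LAPS, which uses different attributes), the ActiveDirectory module, and a placeholder OU path; the function name Get-LapsCoverageReport is mine.

```powershell
# Added example, not part of the Securance report. Coverage check for the LAPS control
# in finding No. 3: which Windows servers have no LAPS password on record, or a rotation
# that is overdue. Reads only ms-Mcs-AdmPwdExpirationTime (legacy LAPS schema assumed),
# never the password attribute. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        [string] $SearchBase,   # OU to scan; omit to scan the whole domain
        [string] $Server        # domain controller; omit to use the default
    )
    $query = @{
        Filter     = 'OperatingSystem -like "*Server*"'
        Properties = 'OperatingSystem', 'ms-Mcs-AdmPwdExpirationTime'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    if ($Server)     { $query.Server = $Server }

    $nowUtc = (Get-Date).ToUniversalTime()
    Get-ADComputer @query | ForEach-Object {
        # The attribute is a Windows FILETIME (100-ns ticks since 1601-01-01) stored as Int64.
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        $status = if (-not $expires) { 'NO LAPS PASSWORD' }
                  elseif ($expires -lt $nowUtc) { 'ROTATION OVERDUE' }
                  else { 'OK' }
        [pscustomobject]@{
            Computer        = $_.Name
            OperatingSystem = $_.OperatingSystem
            LapsExpiresUtc  = $expires
            Status          = $status
        }
    }
}

# Report only the exceptions (the search base is a placeholder).
Get-LapsCoverageReport -SearchBase 'OU=Servers,DC=city,DC=example,DC=local' |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

An empty exception list is the evidence an auditor would attach to this finding; a server reporting NO LAPS PASSWORD is one still relying on a manually set local administrator password, which is exactly the case the LAPS control exists to remove.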