
AUDITING and SECURITY Jim Patterson, CISSP, CBCP, CRM Jefferson Wells



  1. AUDITING and SECURITY
  Jim Patterson, CISSP, CBCP, CRM
  Jefferson Wells

  2. Introduction
  The goals of Security (CIA):
  • Confidentiality
  • Integrity
  • Availability
  (They are mutually dependent)
  • Avoid Audit Findings

  3. Security Considerations
  • Identify Assets
    • Network Discovery
    • AD Discovery
    • DHCP and DNS Imports
    • File Import (from existing sources)
  • Assess Vulnerabilities
    • How vulnerability definitions are updated, and how often
    • Map vulnerabilities to industry/vendor nomenclature
    • Types of vulnerabilities found (configuration and patch)
    • When to do the assessment

  4. Security Considerations
  • Remediate Vulnerabilities
    • How remediations are updated, and how often
    • Configuration-based and patch-based remediations
    • Use of industry/vendor nomenclature
    • Different remediation policies for different classes of assets
    • Different remediation schedules for different classes of assets
    • Manage rebooting of different classes of assets

  5. Secured Network Model (network diagram)
  Zones shown: the Internet; a perimeter firewall with IDS; application DMZs behind their own firewalls and IDS sensors; the ISOC (IDS management, firewall management, IDS activity reporting and analysis); open systems; the mainframe; and firewalled, IDS-monitored links to remote locations, remote access, vendors, and customer sites.

  6. Enterprise Architecture (diagram)
  • Central Console (XP/2000/2003) with a Reporting Database (ODBC, SSL)
  • Distributed Proxies (XP/2000/2003) reaching into the DMZ
  • Managed Windows servers: NT, 2000, 2003
  • Managed UNIX servers: Solaris, Linux, AIX, HP-UX
  • System reach: Mainframe, Windows, UNIX and Linux

  7. System Security Categories (diagram)
  • Unauthorized hardware. Examples: USB hard drives, unauthorized modems, wireless NIC cards, modems with auto-answer on, custom list
  • Unauthorized software. Examples: file share programs (Kazaa), public instant messaging, desktop sharing applications, custom list
  • Antivirus status: enabled, latest version, latest definitions
  • Personal firewall status: enabled
  • Key operating system security patches applied: most recent, most critical
  • Security configuration settings. Examples: users, groups, password settings, many others

  8. Audit and Compliance (diagram)
  Audit and Compliance covers:
  • Security configuration settings
  • Antivirus status
  • Security patch status
  • Personal firewall status
  • Unauthorized software
  • Unauthorized hardware
  • Industry-known vulnerabilities
  Audit and Compliance is not focused on:
  • Enforcement
  • Access Control
  • Patching
  • Risk Management
  • Asset Management
  • Configuration Management

  9. Event Management Model (diagram)
  Event sources (Firewalls, Intrusion Detection, Systems, Applications, Desktops) feed an Event Collector; a Manager of Managers correlates the events and raises notifications to Operations ("Intrusion Detected!"); events are retained in a Historical Event Repository and a Query/Reporting Database.

  10. Auditing System Components (diagram)
  Logger → System Log → Analyzer (producing higher-level audit events) → Notifier → Actions: Email, Popup, Reconfig, Report

  11. Audit System Structure
  • Logger: records information, usually controlled by parameters
  • Analyzer: analyzes logged information looking for something
  • Notifier: reports results of analysis

  12. Logger
  • Type and quantity of information recorded are controlled by system or program configuration parameters
    • Tuning what is audited
  • May be human readable or not
    • If not, viewing tools are usually supplied
  • Space available and portability influence the storage format

  13. Example: RACF
  • Security enhancement package for IBM's MVS/VM
  • Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions
  • View events with the LISTUSER command

  14. Example: Windows NT
  • Different logs for different types of events
    • System event log records system crashes, component failures, and other system events
    • Application event log records events that applications request be recorded
    • Security event log records security-critical events such as logging in and out, system file accesses, and other events
  • Logs are binary; use Event Viewer to see them
  • If a log fills up, the system can be configured to shut down, to stop logging, or to overwrite old entries
  • Logging is enabled by SACLs on the objects to be audited and by the audit policy
  (Computer Security: Art and Science)

  15. Windows NT Sample Entry
  Date: 2/12/2000    Source: Security
  Time: 13:03        Category: Detailed Tracking
  Type: Success      Event ID: 592
  User: WINDSOR\Administrator
  Computer: WINDSOR
  Description: A new process has been created:
    New Process ID: 2216594592
    Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
    Creator Process ID: 2217918496
    User Name: Administrator
    Domain: WINDSOR
    Logon ID: (0x0,0x14B4C4)
  [would be in graphical format]
  (Computer Security: Art and Science)

  16. Syslog
  • De facto standard in Unix and networking
  • RFC 3164 (informational, describing observed practice; later obsoleted by RFC 5424)
  • UDP transport: no delivery guarantee and no sender authentication, so a collector cannot distinguish dropped or spoofed messages from genuine ones (a TLS transport was later specified in RFC 5425)
  • Log locally or send to a collecting server
  • Limited normalization
  (Computer Security: Art and Science)

  17. Syslog Format
  • PRI field: <facility * 8 + severity>, so <34> is facility 4 (auth), severity 2 (critical)
    • Facility – part of system generating the log
      • 0 – kernel
      • 2 – mail system
      • 6 – line printer
    • Severity – fully ordered list
      • 0 – Emergency
      • 3 – Error
      • 6 – Informational
  • Header: time stamp & host name
  • Msg
  (Computer Security: Art and Science)
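The PRI arithmetic and the header layout above are easy to get wrong when writing a collector. The following Python parser is an added example (not code from the slides or from Bishop's book): it splits PRI into facility and severity, applies the RFC 3164 rule that a message with no PRI is treated as <13> (user.notice), and keeps messages at a chosen severity or worse. The first two sample lines are the example messages from RFC 3164 itself; the other two, and the hostnames and addresses in them, are constructed for this example.

```python
import re

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
              7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG. The RFC 3164 timestamp is "Mmm dd hh:mm:ss": space-padded day, no year.
LINE = re.compile(r"^(?:<(\d{1,3})>)?([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def split_pri(pri):
    """PRI = facility * 8 + severity, so the low three bits are the severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7

def parse_syslog(line):
    m = LINE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri_text, timestamp, host, msg = m.groups()
    pri = int(pri_text) if pri_text is not None else 13   # RFC 3164: a missing PRI is taken as <13>, user.notice
    facility, severity = split_pri(pri)
    return {"pri": pri, "facility": FACILITIES.get(facility, "facility%d" % facility),
            "severity": SEVERITIES[severity], "timestamp": timestamp, "host": host, "msg": msg}

def is_valid(line):
    try:
        parse_syslog(line)
        return True
    except ValueError:
        return False

def at_least(record, severity="err"):
    """True when the record is as severe as `severity` or worse; a lower number means more severe."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(severity)

def triage(lines, severity="err"):
    """Parse a batch of lines and keep those at the given severity or worse: the analyzer's first cut."""
    return [r for r in (parse_syslog(ln) for ln in lines) if at_least(r, severity)]

# First two lines: the example messages in RFC 3164. Last two: constructed for this example.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!",
    "<6>Mar  3 09:00:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "Mar  3 09:00:07 relay1 CROND[212]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for r in map(parse_syslog, SAMPLE_LINES):
        print("%s.%s %s %s: %s" % (r["facility"], r["severity"], r["timestamp"], r["host"], r["msg"]))
```

Because the 3164 timestamp carries no year and no zone, a collector has to stamp its own receive time on each record; otherwise events cannot be ordered across hosts or across a year boundary.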

  18. Top 10 Things to Audit in a Win2k Domain
  • Local Security Policy of one DC
    • 1. Password policy
    • 2. Lockout policy
    • 3. Audit policy: Account Management, Account Logon, System Policy, Policy Changes; audit Failure AND Success!
  • Active Directory Users and Computers
    • 4. Important group memberships: Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops; if this is the root domain of the forest, also check Enterprise Admins, Schema Admins, DNSAdmins

  19. Top 10 Things to Audit in a Win2k Domain
  • One or more Domain Controllers
    • 5. Service Pack Level
    • 6. Dangerous Services
  • One or more Member Servers
    • 7. Audit Policy: Account Logon, Account Management, System Policy, Policy Change
    • 8. Service Pack Level
    • 9. Dangerous Services
    • 10. Administrator account
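Items 1 to 3 of the list (password, lockout and audit policy) can be checked against a file rather than by clicking through the Local Security Policy console: `secedit /export /cfg policy.inf` writes the effective policy as an INI-style file with a [System Access] section for password and lockout settings and an [Event Audit] section in which each audit category is 0 (none), 1 (success), 2 (failure) or 3 (both). The checker below is an added example, not code from the slides; the export text is constructed in the layout secedit uses, and the thresholds are this example's own illustrative choices rather than numbers from the slides or any published baseline.

```python
import configparser

# Constructed export in the layout of "secedit /export /cfg policy.inf". A real export is UTF-16 encoded:
# open it with encoding="utf-16" before passing the text to check_policy. Values are illustrative.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditAccountManage = 1
AuditPolicyChange = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

AUDIT_BOTH = 3   # secedit encodes audit settings as 0 none, 1 success, 2 failure, 3 success and failure

# Thresholds are this example's own choices (assumptions), not values from the slides.
PASSWORD_RULES = [
    ("MinimumPasswordLength", lambda v: v is not None and v >= 8, "at least 8"),
    ("PasswordComplexity", lambda v: v == 1, "enabled (1)"),
    ("PasswordHistorySize", lambda v: v is not None and v >= 24, "at least 24"),
    ("MaximumPasswordAge", lambda v: v is not None and 1 <= v <= 90, "1 to 90 days"),
    ("LockoutBadCount", lambda v: v is not None and 1 <= v <= 10, "1 to 10 attempts (0 disables lockout)"),
    ("ClearTextPassword", lambda v: v == 0, "disabled (0)"),
]
AUDIT_KEYS = ("AuditAccountLogon", "AuditAccountManage", "AuditLogonEvents", "AuditPolicyChange",
              "AuditSystemEvents")

def load_policy(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str            # keep key names case-sensitive, as secedit writes them
    cfg.read_string(text)
    return cfg

def get_int(cfg, section, key):
    """Integer value of a setting, or None when the section or key is absent (absence is itself a finding)."""
    if cfg.has_option(section, key):
        return int(cfg.get(section, key).strip().strip('"'))
    return None

def check_policy(text):
    """Return (setting, observed, expected) triples for every password, lockout or audit item that fails."""
    cfg = load_policy(text)
    findings = []
    for key, ok, expected in PASSWORD_RULES:
        value = get_int(cfg, "System Access", key)
        if not ok(value):
            findings.append((key, value, expected))
    for key in AUDIT_KEYS:                       # "Failure AND Success!" means the value must be 3
        value = get_int(cfg, "Event Audit", key)
        if value != AUDIT_BOTH:
            findings.append((key, value, "3 (success and failure)"))
    return findings

if __name__ == "__main__":
    for key, value, expected in check_policy(SAMPLE_INF):
        print("FINDING %-22s observed=%-5s expected %s" % (key, value, expected))
```

Running the checker on the sample flags the 7-character minimum, the disabled lockout, and the two audit categories that record successes only. Treating a missing key as a finding matters in practice: a setting that was never configured is indistinguishable from a permissive one.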

  20. Examples (Analyzer)
  • Using swatch to find instances of telnet from tcpd logs: /telnet/&!/localhost/&!/*.site.com/
  • Query set overlap control in databases: if there is too much overlap between the current query and past queries, do not answer
  • Intrusion detection analysis engine (director): takes data from sensors and determines if an intrusion is occurring
  (Computer Security: Art and Science)

  21. Examples (Notifier)
  • Using swatch to notify of telnets: /telnet/&!/localhost/&!/*.site.com/ mail staff
  • Query set overlap control in databases: prevents a response from being given if too much overlap occurs
  • Three failed logins in a row disable the user account: the notifier disables the account and notifies the sysadmin
  (Computer Security: Art and Science)
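The swatch rule and the three-failed-logins rule above are the analyzer and notifier halves of one pipeline. As an added example (not code from the slides, from Bishop's book, or from swatch itself), the following Python runs both over a handful of constructed tcpd- and login-style syslog lines: the analyzer implements /telnet/&!/localhost/&!/*.site.com/ as one inclusion pattern and two exclusion patterns, and the notifier keeps a per-user streak of consecutive failures that a successful login resets. The hostnames, user names and the Notifier class are assumptions of this example; the mail and disable actions are only recorded, not executed.

```python
import re

# Constructed tcpd / login log lines in syslog style (not from the original slides).
SAMPLE_LOG = """\
Feb 12 13:01:02 gw in.telnetd[4021]: connect from localhost
Feb 12 13:01:10 gw in.telnetd[4022]: connect from ws17.site.com
Feb 12 13:02:45 gw in.telnetd[4023]: connect from dialup42.example.net
Feb 12 13:03:01 gw in.ftpd[4024]: connect from dialup42.example.net
Feb 12 13:04:00 gw login[4031]: FAILED LOGIN 1 FROM dialup42.example.net FOR bishop, Authentication failure
Feb 12 13:04:09 gw login[4031]: FAILED LOGIN 2 FROM dialup42.example.net FOR bishop, Authentication failure
Feb 12 13:04:20 gw login[4031]: FAILED LOGIN 3 FROM dialup42.example.net FOR bishop, Authentication failure
Feb 12 13:05:00 gw login[4040]: FAILED LOGIN 1 FROM ws17.site.com FOR alice, Authentication failure
Feb 12 13:05:12 gw login[4040]: LOGIN ON pts/2 BY alice FROM ws17.site.com
Feb 12 13:06:30 gw login[4052]: FAILED LOGIN 1 FROM ws17.site.com FOR alice, Authentication failure
Feb 12 13:06:41 gw login[4052]: FAILED LOGIN 2 FROM ws17.site.com FOR alice, Authentication failure
""".splitlines()

# The swatch expression /telnet/&!/localhost/&!/*.site.com/: match telnet, then drop the two trusted sources.
TELNET = re.compile(r"telnet")
EXCLUDE = (re.compile(r"localhost"), re.compile(r"[\w.-]*\.site\.com\b"))

def find_foreign_telnet(lines):
    """Analyzer: lines mentioning telnet that come neither from localhost nor from a *.site.com host."""
    return [ln for ln in lines if TELNET.search(ln) and not any(p.search(ln) for p in EXCLUDE)]

FAIL = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
SUCCESS = re.compile(r"LOGIN ON \S+ BY (\S+)")

class Notifier:
    """Records the actions a real notifier would take (mail, account disable); nothing is executed."""
    def __init__(self):
        self.mails, self.disabled = [], []

    def mail(self, to, subject):
        self.mails.append((to, subject))

    def disable_account(self, user):
        if user not in self.disabled:
            self.disabled.append(user)

def enforce_lockouts(lines, notifier, threshold=3):
    """Three consecutive failures for one user, with no success in between, disable the account and page the sysadmin."""
    streak = {}
    for ln in lines:
        m = FAIL.search(ln)
        if m:
            host, user = m.groups()
            streak[user] = streak.get(user, 0) + 1
            if streak[user] == threshold:
                notifier.disable_account(user)
                notifier.mail("sysadmin", "account %s disabled after %d failed logins from %s"
                              % (user, threshold, host))
            continue
        m = SUCCESS.search(ln)
        if m:
            streak[m.group(1)] = 0          # a successful login breaks the streak

def run(lines=SAMPLE_LOG):
    """Analyzer feeds notifier: mail staff about outside telnets, then apply the lockout rule."""
    notifier = Notifier()
    for ln in find_foreign_telnet(lines):
        notifier.mail("staff", "telnet from outside: " + ln)
    enforce_lockouts(lines, notifier)
    return notifier

if __name__ == "__main__":
    n = run()
    print("disabled:", n.disabled)
    for to, subject in n.mails:
        print("mail %s: %s" % (to, subject))
```

Note the exclusion pattern is anchored on the dotted suffix, so a host named `site.com.evil.example` would not be excluded; the original swatch pattern /*.site.com/ is looser than it looks and would also match that name.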

  23. Application Logging
  • Application logs are made by applications
  • Applications control what is logged
  • Typically use high-level abstractions such as:
      su: bishop to root on /dev/ttyp0
  • Does not include detailed, system-call-level information such as results, parameters, etc.

  24. System Logging
  • Log system events such as kernel actions
  • Typically use low-level events, as in this ktrace output (printed by kdump) of su starting up:
      3876 ktrace CALL  execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
      3876 ktrace NAMI  "/usr/bin/su"
      3876 ktrace NAMI  "/usr/libexec/ld-elf.so.1"
      3876 su     RET   execve 0
      3876 su     CALL  __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
      3876 su     RET   __sysctl 0
      3876 su     CALL  mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
      3876 su     RET   mmap 671473664/0x2805e000
      3876 su     CALL  geteuid
      3876 su     RET   geteuid 0
  • Does not include high-level abstractions such as loading libraries

  25. Contrast
  • Differ in focus
    • Application logging focuses on application events, like failure to supply a proper password, and the broad operation (what was the reason for the access attempt?)
    • System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?)
  • System logs are usually much bigger than application logs
  • Can do both, and try to correlate them

  26. Access Control
  Collection of mechanisms that permits managers of a system to exercise a directing influence over the behavior, use and content of the system
  • System Access Control
    • Password and other authentication
    • System Auditing
  • Discretionary Access Control (DAC)
    • Access Control List
  • Mandatory Access Control (MAC)
    • Reference Monitor

  27. UNIX File System • Ordinary files • Directory files • Special files

  28. Basic Access Control
  From an ls -l command you will see the following in the first field:
  • 1 : Type of file
  • 2 – 4 : Owner's permissions
  • 5 – 7 : Group's permissions
  • 8 – 10 : Others' permissions

  29. Access Control List - UNIX
  • An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties
  • An ACL entry contains
    • Attributes: define special file modes such as SETUID, SETGID & sticky bit
    • Base permissions: reflect the basic access rights
    • Extended permissions: specify, permit, deny
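Slides 28 and 29 describe the ls -l mode field and the special bits that sit inside it. As an added example (not from the slides), the following Python decodes that field back into numeric mode bits, including the s/S and t/T letters that ls uses when setuid, setgid or sticky is set with or without execute, notes the trailing "+" that ls prints when an ACL is attached, and flags the entries an auditor looks for first. The listing it runs over is constructed for this example.

```python
import stat

TYPE_CHARS = {"-": "regular", "d": "directory", "l": "symlink", "c": "char device",
              "b": "block device", "p": "fifo", "s": "socket"}
# Letter shown in the x slot of each triad when the special bit is set: s/S for setuid and setgid, t/T for sticky.
SPECIAL = {0: ("s", stat.S_ISUID), 1: ("s", stat.S_ISGID), 2: ("t", stat.S_ISVTX)}

def parse_mode(field):
    """Turn the first ls -l field ('-rwsr-xr-x', 'drwxrwxrwt', '-rw-r--r--+') into type, mode bits and ACL marker."""
    has_acl = False
    if len(field) == 11 and field[10] in "+.@":       # GNU and BSD ls append '+' when an ACL is attached
        has_acl, field = field[10] == "+", field[:10]
    if len(field) != 10 or field[0] not in TYPE_CHARS:
        raise ValueError("not a mode field: %r" % field)
    mode = 0
    for i, ch in enumerate(field[1:]):
        triad, kind = divmod(i, 3)                   # triad 0/1/2 = owner/group/other, kind 0/1/2 = r/w/x
        bit = (0o400 >> kind) >> (3 * triad)
        if kind < 2:
            if ch == "rw"[kind]:
                mode |= bit
            elif ch != "-":
                raise ValueError("bad permission char %r in %r" % (ch, field))
        else:
            letter, special = SPECIAL[triad]
            if ch == "x":
                mode |= bit
            elif ch == letter:                       # lower case: special bit and execute
                mode |= bit | special
            elif ch == letter.upper():               # upper case: special bit without execute
                mode |= special
            elif ch != "-":
                raise ValueError("bad permission char %r in %r" % (ch, field))
    return {"type": TYPE_CHARS[field[0]], "mode": mode, "octal": "%04o" % mode, "has_acl": has_acl}

def is_mode_field(field):
    try:
        parse_mode(field)
        return True
    except ValueError:
        return False

def risky_flags(field):
    """setuid, setgid and world-writable; a sticky world-writable directory is the normal /tmp case and is not flagged."""
    p = parse_mode(field)
    flags = []
    if p["mode"] & stat.S_ISUID:
        flags.append("setuid")
    if p["mode"] & stat.S_ISGID:
        flags.append("setgid")
    if p["mode"] & stat.S_IWOTH and p["type"] != "symlink":
        if not (p["type"] == "directory" and p["mode"] & stat.S_ISVTX):
            flags.append("world-writable")
    return flags

# Constructed ls -l output (not from the slides).
SAMPLE_LISTING = """\
total 5
-rwsr-xr-x 1 root root 54256 Feb 12  2000 /usr/bin/passwd
-rw-rw-rw- 1 root root   512 Feb 12  2000 /etc/motd
drwxrwxrwt 5 root root  4096 Feb 12 13:03 /tmp
lrwxrwxrwx 1 root root     7 Feb 12  2000 /usr/tmp -> ../tmp
-rw-r--r--+ 1 root root   128 Feb 12  2000 /etc/acl.conf
"""

def audit_listing(text):
    """Parse ls -l output (9 whitespace-separated fields, name last) and return the entries with risky flags."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("total"):
            continue
        fields = line.split(None, 8)
        if len(fields) != 9:
            continue
        flags = risky_flags(fields[0])
        if flags:
            hits.append((fields[8], parse_mode(fields[0])["octal"], flags))
    return hits

if __name__ == "__main__":
    for name, octal, flags in audit_listing(SAMPLE_LISTING):
        print("%-20s %s %s" % (name, octal, ", ".join(flags)))
```

The "+" marker is the only hint ls -l gives that the nine mode bits are not the whole story; an entry shown as -rw-r--r--+ may grant write access through its extended ACL entries, so an audit of "basic" permissions must follow up with getfacl (or the platform's equivalent) on every file carrying it.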

  30. Access Control List (diagram; not reproduced in the transcript)

  31. Auditing
  • A feature which provides accountability for all system activities, from file access to network and database
  • Each audit event, such as a user login, is formatted into fields such as the event type, user id, file names and time
  • Audit events
    • Administrative event class: security administrator events, system administrator events, operator events
    • Audit event class: describes the operation of the audit system itself

  32. Windows File System
  • Supports two file systems
    • FAT (File Allocation Table): the file system does not record security information such as the owner or access permissions of a file or directory
    • NTFS (New Technology File System): supports a variety of multi-user security models
  • NTFS vs FAT
    • Fault tolerance
    • Access control by directory or file
    • Can compress individual files or directories
    • POSIX support

  33. Access Control List - Windows
  Data structure of an ACL
  • ACL size - number of bytes of memory allocated
  • ACL revision - revision number for the ACL's data structure
  • ACE count - number of ACEs in the ACL

  34. Access Control Entries
  Contains the following access control information
  • A security identifier (SID)
  • An access mask - specifies access rights
  • A set of bit flags that determines which child objects can inherit the ACE
  • A flag that indicates the type of ACE

  35. ACE Types • 3 Generic types • 3 Object-Specific ACE types

  36. Access Rights
  • Generic Access Rights
  • Standard Access Rights
  • Other rights: SACL access rights, object-specific access rights, user rights

  37. How Access Control Works (diagram; not reproduced in the transcript)

  38. Automated Tools By Category
  • Enterprise Vulnerability Management: Hercules AVR (Citadel); Class 5 AVR (Secure Elements)
  • Vulnerability Assessment: Retina Network Security Scanner (eEye); FoundScan Engine (Foundstone); STAT Scanner (Harris); Internet Scanner, SiteProtector and System Scanner (ISS); Microsoft Baseline Security Analyzer (Microsoft); IP360 Vulnerability Management System (nCircle); Nessus Scanner (Nessus); SecureScout SP (NexantiS); QualysGuard Scanner (Qualys); SAINT Scanning Engine (Saint); Lightning Console and NeWT Scanner (Tenable); WebInspect (SPI Dynamics)
  • Patch Management: System Management Server and Windows Update Service (Microsoft); PatchLink (PatchLink); BigFix (BigFix); UpdateExpert (St. Bernard); HFNetChk (Shavlik)
  • Policy Management: Active Directory Group Policy Objects (Microsoft); Security Policy Management (NetIQ); Enterprise Security Manager (Symantec); Compliance Center (BindView)
  • Configuration/Asset Management: System Management Server (Microsoft); TME (Tivoli); Unicenter (CA); Enterprise Configuration Manager (Configuresoft); Asset Management Suite (Altiris)

  39. Conclusion
  • UNIX vs Windows
    • System configuration is easier to control on UNIX
    • Windows ACLs are much more complex than traditional UNIX-style permissions
    • With basic UNIX permission bits (owner, group, other) it is not possible to give several individual users different access rights to the same file

  40. System Security Policy Files (diagram)
  • Patching. Examples: MS fixes; Sun patches
  • Operating Systems. Examples: XP (NSA Guidelines); Win 2000 (NIST Guidelines, NSA Guidelines, SANS Step-By-Step); Win 2003 (MS Windows Server 2003 Security Guide); NT (SANS Guidelines, MS Security White Paper, US Navy); Linux (SANS Step-By-Step); Solaris (SANS Step-By-Step); AIX (IBM Guidelines); HP-UX (HP Guidelines); UNIX samples; BlockSP2; services list; service pack
  • Applications. Examples: applications list; Internet Explorer; Word 2000 and Excel 2000 macro settings; IIS Lockdown guidelines; IIS metabase sample
  • Regulations. Examples: Sarbanes-Oxley; HIPAA; FISMA; GLBA; ISO 17799
  • Installed Hardware / Software. Examples: anti-virus; hardware list; USB storage; installed modems

  41. Perfect World (almost): A Scenario
  • Any time a machine joins (or re-joins) the corporate network, it is automatically quarantined, assessed, and remediated to bring it into compliance before it gains access to network resources
  • Every night, critical vulnerability and configuration compliance checks are performed on all Windows desktops and remediated if needed
  • Every Saturday, from 2:00 AM – 3:00 AM, newly approved patches are automatically applied to all Windows desktops
  • Every Sunday, from 2:00 AM – 3:00 AM, all Windows and Unix servers are checked for security policy compliance. Selected items are remediated; other items generate alerts

  42. Perfect World (almost): A Scenario
  • During monthly maintenance intervals, Unix and Windows servers are fully patched and rebooted if required
  • Monthly, a full, automated network assessment is performed to independently scan for vulnerabilities
  • Quarterly, remediation policies are reviewed and updated to incorporate new vulnerability remediations
  • Critical, zero-day remediations are applied where needed in the enterprise within an hour of notification and remedy availability

  43. Contact Information
  Jim Patterson, CISSP, CBCP, CRM
  Technology Risk Management, Phoenix / Las Vegas
  (602) 643-1600 (o), (480) 529-9393 (c), (602) 643-1606 (f)
  Patti Walker
  Director, Technology Risk Management, Phoenix / Las Vegas
  (602) 643-1600 (o), (480) 734-6960 (c), (602) 643-1606 (f)
  Jefferson Wells, A Manpower Company
  11811 N. Tatum Blvd., Suite 3076, Phoenix, Arizona 85028
