
San Francisco Chapter



Presentation Transcript


  1. San Francisco Chapter
  Establishing Effective Audit Control Objectives for UNIX
  Morning Session
  Rick Allen, CISSP, Manager, Strategic Security Services, Ricallen@deloitte.com

  2. Course Introduction
  • Overview
  • This course provides a broad overview of Unix security audit technology, presented at an advanced, fast-paced level.
  • Audience
  • Security Officers, Internal Auditors, and Systems Implementers in organizations that rely upon complex networked Unix systems environments

  3. Course Objectives
  At the end of the course the student will:
  • Enhance understanding of Unix & network systems security & audit issues
  • Understand Unix default systems & network configurations
  • Identify key objectives and tasks in planning a Unix audit, including basic shell commands used in the audit
  • Understand basic and intermediate Unix control objectives
  • Build Unix control objectives into a more effective audit plan
  • Develop a detailed control activities testing matrix for the Unix audit

  4. Morning Course Agenda
  Over the next three hours we will learn about:
  • Audit planning considerations in reviewing Unix and network systems environments
  • Approaching Unix systems architecture from a security and audit point of view
  • Understanding the associated security risks & impact of default Unix systems environments
  • Understanding the basis of Unix & TCP/IP control objectives

  5. Context & Expectation Management
  I.T. Audit Roles, Responsibilities & Member Perceptions
  • To become effective in leveraging the integrated audit approach, the auditor should gain insights into member perceptions
  • Unix professionals find limited value in traditional audit approaches
  • Enhancing levels of technical credibility in the Unix audit program is key to success
  • Elements of a successful integrated audit approach include enhanced client relations and communications

  6. Context & Expectation Management
  I.T. Audit Roles, Responsibilities & Member Perceptions
  • Traditional audit approaches are best suited for auditing application-level control assurance to obtain overall control reliance strategies
  • Integrated audit approaches are best suited for auditing critical infrastructure controls against industry and security best practices
  • Delivering integrated audit approach plans establishes audit as a value-added consultant while protecting the independence of governance and oversight roles

  7. Unix Audit Considerations
  • The hacker who breaks into a system will probably be someone known to the organization
  • “Inside jobs” & sabotage
  • Planting time & logic bombs
  • Changing root passwords on critical systems; recovery is problematic
  • If you are hacked you probably do not care by whom or for what motivation
  • Trust no one, or be careful about whom you are required to trust
  • Large, simple webs of trust betray weaknesses in the network
  • Don’t trust yourself; verify everything you do
  • Stop, think & verify!

  8. Unix Audit Considerations
  • Make would-be intruders believe they will be caught
  • Information is the merchandise of the computer age
  • Means to deter must be visible, such as banners and messages. Technical and operational countermeasures must be transparent for maximum effectiveness
  • Protect in layers
  • The hacker’s electronic playbook runs through the various system and network layers
  • To provide security you must forward-deploy adequate protection controls
  • Understand the defense-in-depth concept: single controls are not resilient, but as a group they provide multiple layers of defense

  9. Unix Audit Considerations
  • While planning your security strategy, presume the complete failure of any single security layer
  • A properly designed, layer-protected system, application or service should presume a complete or temporary failure of one layer of security
  • Make security a part of the initial design
  • It’s always more difficult to retrofit than to proactively design
  • Minimum security baseline configurations are a must-have
  • Disable unneeded services, packages and features
  • Unix systems are shipped with all network services enabled and default permissions

  10. Unix Audit Considerations
  • Before connecting, understand and secure
  • No matter how urgent, make the time to assess security prior to production release of tools, applications and features
  • Holistic security practices can enable the business case and mitigate risk while meeting time-to-market objectives
  • Prepare for the worst
  • Assume that hackers are already scheming to break into your site
  • Preparation will diminish the security risk of intrusion and compromise
  • Quantify risk in dollar-loss terms
  • Innovative thinking about security systems administration & integrating the audit approach

  11. Unix Architecture Principles
  • Network partitioning
  • Vertically align services with applications, function and mission
  • Keep services close to those being served
  • Act locally, communicate globally
  • Minimize the number of failure points (shorten & limit critical paths)
  • Includes minimum security baseline configurations

  12. Unix Systems Architecture
  What is an architecture?
  • The collection of elements that work together to fulfill the intended objective. The Unix operating system is a vast array of elements, each providing a feature or function of the architecture.
  • Examples:
  • A local area file-sharing system for a workgroup
  • A software development platform connected to an interactive service provider
  • An extranet deployed over public networks to connect various system types across global geographies
  • Your organization’s interactive services & applications – B2B, B2C and so on

  13. Sample Systems Architecture
  (Diagram; components shown:) Unix Firewall, Perimeter Router & Internet, Load Balancer, External Unix Clients, Interior Router, Unix Web Servers, Interior Network Switch, Internal Unix Clients

  14. Unix Systems Architecture
  Simple vs. complex architectures? A hacker, given a choice, would choose a complex system or cluster of systems in an architecture to attack, for the following reasons:
  • Complex systems inherently contain more components and targets of interest
  • Complex systems have a greater likelihood that poor or misconfigured designs are present
  • A poorly designed or misconfigured element can be an invitation to attack or exploitation
  • Attacks against complex systems are more likely to go unnoticed. Yet attacks are often directed at simple architectures to gain additional footholds

  15. Unix Core Architecture
  Unix is made of three core elements:
  • Kernel, Shell, File System
  • The kernel is the heart of the Unix operating system. Its role includes managing memory usage, system hardware and software.
  • Its low-level language sits below the shell syntax; the kernel maintains processes
  • The shell is a higher-level language handling command interpretation and syntax parsing.
  • Shell syntax is used to develop scripts that provide high-level programming functionality.
  • Common shells include the C Shell, Korn Shell and Bourne Shell

  16. Unix Core Architecture
  • File systems in Unix divide into 3 categories
  • Directories, Ordinary Files, Special Files
  The File System:

      /  (root, system level)
      |-- /unix
      |-- /etc
      |-- /dev
      |-- /tmp
      |-- /lib
      |-- /usr
      |    |-- /john
      |    |    |-- .profile
      |    |    |-- /mail
      |    |    |-- /pers
      |    |    |-- /games
      |    |    |-- /bin
      |    |    `-- /data
      |    `-- /cathy
      `-- /bin

  17. Unix Core Architecture
  The Basic File System (top level as on slide 16: / root; /unix /etc /dev /tmp /lib /usr /bin)
  • /unix is the kernel
  • /etc contains sysadmin files; most are available to regular users. It also contains the passwd file. Files in /etc include:
  • /etc/passwd
  • /etc/utmp
  • /etc/adm/sulog
  • /etc/motd
  • /etc/group, /etc/conf, /etc/profile

  18. Unix Core Architecture
  The Basic File System (top level as on slide 16)
  • /unix is the kernel
  • /dev – contains files for physical devices such as printers and disk drives
  • /tmp – temporary files
  • /lib – directory that contains programs for high-level languages
  • /usr – this directory contains directories for each user on the system
  • /bin – contains commands and executable programs

  19. Unix Core Architecture
  Basic File System Navigation 1 (tree as on slide 16)
  • To go up one directory, type:
  • $ cd ..
  • Or, to go back to your parent directory, just type “cd”

  20. Unix Core Architecture
  Basic File System Navigation 2 (tree as on slide 16)
  • Listing file directories, assuming you are in the parent directory:
  • $ ls /usr/john
  • Mail
  • Pers
  • Games
  • Bin
  • Data

  21. Unix Core Architecture
  Basic File System Navigation 3 (tree as on slide 16)
  • $ ls -la /usr/john
  • total 60
  • -rwxr-x--- 5 john bluebox 10 april 9 7:04 mail
  • drwx------ 7 john bluebox 30 april 2 4:09 pers
  • Note: the “total 60” tells you the amount of disk space (in blocks) used in the directory
  • The first column is read in 3 groups of 3: --- --- ---
  • The first group specifies the permissions of the user (owner), the second for the group, the third for others.

  22. Unix Core Architecture
  Basic File System Navigation 4 (tree as on slide 16)
  • The chmod command changes the permissions of a directory or a file. You can use symbolic or octal notation.
  • $ chmod o+r mail   OR
  • $ chmod 754 mail
  • $ ls -la mail
  • -rwxr-xr-- 5 john bluebox 10 april 9 7:04 mail
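Slides 21 and 22 read the mode column by hand; an audit of a whole directory needs the same reading done by a script. The example below is added here and is not from the presentation. It converts an ls -l mode string to the four-digit octal form that chmod accepts (going beyond the slide by also decoding the setuid, setgid and sticky bits into the leading digit), then scans a listing for the entries an auditor would question: world-writable files or directories and setuid/setgid executables. The listing is constructed, reusing the names from the slide's /usr/john tree with invented modes; on a real host feed it the output of ls -la instead.

```shell
#!/bin/sh
# Added example (not from the presentation): decode ls -l mode strings and
# flag permissive entries. The listing is constructed; on a real host write
# "ls -la <dir>" output to a file and pass that file instead.

SAMPLE_LISTING="$(mktemp)"
cat > "$SAMPLE_LISTING" <<'EOF'
total 60
-rwxr-x---  5 john bluebox   10 Apr  9 07:04 mail
drwx------  7 john bluebox   30 Apr  2 04:09 pers
-rw-rw-rw-  1 john bluebox  512 Apr  3 11:20 data
-rwsr-xr-x  1 root bluebox 9216 Mar 30 12:00 games
drwxrwxrwt  2 john bluebox   64 Apr  1 09:30 bin
EOF

# Convert a 10-character mode string (type + 3 groups of rwx) to 4 octal
# digits. The leading digit carries setuid (4), setgid (2) and sticky (1);
# an upper-case S or T means the bit is set without the matching x bit.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        special = 0; out = ""
        for (g = 0; g < 3; g++) {
            v = 0
            r = substr($0, 2 + g*3, 1)
            w = substr($0, 3 + g*3, 1)
            x = substr($0, 4 + g*3, 1)
            if (r == "r") v += 4
            if (w == "w") v += 2
            if (x == "x" || x == "s" || x == "t") v += 1
            if (g == 0 && (x == "s" || x == "S")) special += 4
            if (g == 1 && (x == "s" || x == "S")) special += 2
            if (g == 2 && (x == "t" || x == "T")) special += 1
            out = out v
        }
        print special out
    }'
}

# Scan an ls -l listing: the "others" write bit is character 9 of the mode,
# the setuid bit shows in character 4 and the setgid bit in character 7.
flag_permissive() {
    awk '$1 ~ /^[-d]/ && NF >= 9 {
        mode = $1; name = $NF
        if (substr(mode, 9, 1) == "w")   print name ": world-writable (" mode ")"
        if (substr(mode, 4, 1) ~ /[sS]/) print name ": setuid (" mode ")"
        if (substr(mode, 7, 1) ~ /[sS]/) print name ": setgid (" mode ")"
    }' "$1"
}

# Report: octal mode per entry, then the findings.
while read -r mode rest; do
    case "$mode" in
        [-d]*) printf '%s %s\n' "$(mode_to_octal "$mode")" "${rest##* }" ;;
    esac
done < "$SAMPLE_LISTING"
flag_permissive "$SAMPLE_LISTING"
```

A world-writable directory with the sticky bit (mode 1777, as /tmp is normally set) still appears in the findings; the script reports, and the auditor decides whether the shared directory is justified.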

  23. Unix Core Architecture
  Key concepts to keep in mind
  • Virtually all information stored on a Unix system is stored in the file system
  • The file system consists of the operating system (kernel), system files, application programs and data
  • Device files such as memory, disks and peripherals are actually part of the file system.
  • File system permissions and access controls are provided for all files, including networking and device files
  • Example: indirect device references. /dev/dsk/c0t3d0s0 is actually a logical link to: ../../devices/iommu@f,e0000000/sbus@f,e0001000/espdma@f,800000/sd@3,0:a

  24. Unix Core Elements & Systems Defaults
  Why this is important: anatomy of a systems hack!
  • Attacker selects target by company or computing / network environment
  • Goal is to identify the target’s Internet footprint
  • Attacker searches for system identifiers using basic and stealth techniques to evade detection
  • Version numbers and service banners
  • IP address and host/domain name info
  • Identify potential targets in decreasing order of likelihood of penetration
  • Default Unix systems can be “owned” in a matter of minutes

  25. Understanding Unix System Defaults
  First steps in building effective control objectives!
  • Finishing a full Unix systems installation
  • Servers use the Entire Distribution
  • Power workstations use the Developer Distribution
  • Low-end workstations use the End User Distribution
  • Once complete, with default file system partitioning now in place, it’s time to configure the system

  26. Understanding Unix System Defaults
  Our newly installed and configured system now looks more like this:
  • The basic Unix file system is more permissive than required. We can now determine exactly how to lessen the permissiveness of the file system going forward
  • Various startup scripts and run-level commands are configured and running that provide a wide variety of unnecessary services
  • Local TCP/IP services are configured and running, providing almost unlimited network access
  • Potentially sensitive interactive network sessions are not encrypted
  • System trust relationships are pervasive
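The two network findings on this slide, unnecessary services and unencrypted interactive sessions, can both be tested from the service inventory a default installation ships with. The script below is an added example, not part of the presentation: it reads an inetd.conf-style file, lists every service that is not commented out, reports those missing from an approved list, and separately reports the ones that carry logins or passwords in clear text. The configuration fragment, the approved list and the clear-text list are all constructed for illustration; on a real host pass /etc/inetd.conf (or the equivalent xinetd or socket-activation configuration) and the organization's own approved list.

```shell
#!/bin/sh
# Added example (not from the presentation): inventory the network services an
# inetd.conf enables and compare them with an approved list. The fragment
# below is constructed; on a real host pass /etc/inetd.conf instead.

SAMPLE_INETD="$(mktemp)"
cat > "$SAMPLE_INETD" <<'EOF'
# constructed inetd.conf fragment, not taken from any real host
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#tftp   dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd
echo    stream  tcp  nowait  root    internal
EOF

# Services the business has justified (constructed list); anything else
# that is enabled is a finding.
APPROVED_SERVICES="ftp"
# Services whose logins or passwords cross the network in clear text.
CLEARTEXT_SERVICES="telnet ftp shell login exec"

# Service names from lines that are neither comments nor blank.
enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Exit 0 when $1 is one of the words in the space-separated list $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Enabled services absent from the approved list.
unapproved_services() {
    enabled_services "$1" | while read -r svc; do
        in_list "$svc" "$APPROVED_SERVICES" || echo "$svc"
    done
}

# Enabled services that expose credentials or sessions in clear text.
cleartext_services() {
    enabled_services "$1" | while read -r svc; do
        in_list "$svc" "$CLEARTEXT_SERVICES" && echo "$svc" || :
    done
}

printf 'Enabled services:   %s\n' "$(enabled_services "$SAMPLE_INETD" | tr '\n' ' ')"
printf 'Not approved:       %s\n' "$(unapproved_services "$SAMPLE_INETD" | tr '\n' ' ')"
printf 'Clear-text logins:  %s\n' "$(cleartext_services "$SAMPLE_INETD" | tr '\n' ' ')"
```

The commented-out tftp line is deliberately in the sample: a control test must distinguish a service that is present in the file from one that is actually enabled, and the comment filter is what makes that distinction.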
