Security Audit
Prabhaker Mateti
What is a security audit?
• Policy based
• Assessment of risk
• Examines site methodologies and practices
• Dynamic
• Communication
What kinds of Security Audits are there?
• Host
• Firewall
• Networks
• Large networks
Security Policies & Documentation
• What is a security policy?
• Components
• Who should write it?
• How long should it be?
• Dissemination
• It walks, it talks, it is alive...
• RFC 1244
• What if a written policy doesn't exist?
• Other documentation
Components of a Security Policy
• Who can use resources
• Proper use of the resources
• Granting access & use
• System Administrator privileges
• User rights & responsibilities
• What to do with sensitive information
• Desired security configurations of systems
RFC 1244 ``Site Security Handbook''
• Defines security policies & procedures
• Policy violations
• Interpretation
• Publicizing
• Identifying problems
• Incident response
• Updating
Other Documentation
• Hardware/software inventory
• Network topology
• Key personnel
• Emergency numbers
• Incident logs
Why do a Security Audit?
• Information is power
• Expectations
• Measure policy compliance
• Assessing risk & security level
• Assessing potential damage
• Change management
• Security incident response
When to audit?
• Emergency!
• Before prime time
• Scheduled/maintenance
Audit Schedules
• Individual Host: 12-24 months
• Large Networks: 12-24 months
• Network: 12 months
• Firewall: 6 months
How to do a Security Audit
• Pre-audit: verify your tools and environment
• Audit/review security policy
• Gather audit information
• Generate an audit report
• Take actions based on the report's findings
• Safeguard data & report
Verify your tools and environment
• The golden rule of auditing
• Bootstrapping problem
• Audit tools
• The Audit platform
The Golden Rule of Auditing
• Verify ALL tools used for the audit are untampered with.
• If the results of the auditing tools cannot be trusted, the audit is useless
The Bootstrapping Problem
• If the only way to verify that your auditing tools are OK is by using auditing tools, then...
Audit Tools: Trust?
• Write them yourself
• Find a trusted source (person, place)
• Verify them with a digital signature (MD5)
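The slides leave the verification step at "digital signature (MD5)". The following is an added example (not part of the lecture's material) of the minimum a practitioner would actually run before trusting a tool tree: take a digest manifest while the tools are known-good, keep it off the audited host, and later compare the tree against it, reporting tampered, missing and unlisted files. The tool names and file contents in `demo()` are constructed stand-ins, and SHA-256 is used in place of MD5 because MD5 no longer resists deliberate collisions.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Digest a file in chunks. MD5 (named on the slide) still works for
    matching an old published checksum, but SHA-256 is what a manifest you
    build yourself should use."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Record a digest for every file under root. Run once on the audit
    platform while the tree is trusted, then keep the result on read-only
    media rather than on the host being audited."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full, algo)
    return manifest


def verify_manifest(root, manifest, algo="sha256"):
    """Compare the tool tree under root with a trusted manifest.
    Returns {relative_path: "ok" | "modified" | "missing" | "unexpected"}."""
    status = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            status[rel] = "missing"
        elif hash_file(full, algo) != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    # A file the manifest never listed is just as worth a look as a changed one.
    for rel in build_manifest(root, algo):
        status.setdefault(rel, "unexpected")
    return status


def demo():
    """Constructed scenario (not a real tool set): three stand-in binaries,
    one altered, one removed and one added after the manifest was taken."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("nmap", b"nmap v1"), ("lsof", b"lsof v1"),
                           ("crack", b"crack v1")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        trusted = build_manifest(root)  # taken while the tree was known-good
        with open(os.path.join(root, "lsof"), "wb") as f:
            f.write(b"lsof v1 plus something extra")  # simulated tampering
        os.remove(os.path.join(root, "crack"))
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"unlisted file")
        return verify_manifest(root, trusted)


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(f"{state:10s} {path}")
```

The bootstrapping problem from the previous slide does not go away: `hash_file` is only as trustworthy as the Python interpreter and `hashlib` it runs on, so the comparison belongs on the audit platform described later in the deck, not on the host under review.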
Audit Tools: the Hall of Fame
• SAINT/SATAN/ISS
• Nessus
• lsof/pff
• Nmap, tcpdump, ipsend
• MD5/DES/PGP
• COPS/Tiger
• Crack
The Audit Platform
• Should have extraordinary security
• Submit it to a firewall+ type of audit
• Physical access should be required to use
• No network services running
Choosing a security audit platform: Hardware
• laptop computer
• three kilograms or less
• graphics display
• MB memory
• MB disk
• ethernet (as many connectors as possible)
Choosing a security audit platform: Software
• Unix / Linux
• Secured OS
• OS source code
• Audit tools
• Development tools
Unix / Linux
• BSD: FreeBSD, SunOS/Solaris, OpenBSD?
• Source code
• A good development platform
• Large body of available literature
Audit/review security policy
• Utilize existing or use ``standard'' policy
• Treat the policy as a potential threat
• Does it have all the basic components?
• Are the security configs comprehensive?
• Examine dissemination procedures
Security policy
• Treat the policy as a potential threat
• Bad policies are worse than none at all
• Good policies are very rare
• Look for clarity & completeness
• Poor grammar and spelling are not tolerated
Does it Have All the Basic Components?
• Who can use resources
• Proper use of the resources
• Granting access & use
• System Administrator privileges
• User rights & responsibilities
• What to do with sensitive information
Are the security configs comprehensive?
• Details are important!
• Addresses specific technical problems (COPS-like tests, network services run, etc.)
• Allowable trust must be clearly outlined
• Should specify the specific tools (TCP wrappers, S/Key, etc.) that are used
• Must have explicit time schedules of security audits and/or tools used
• Logfiles must be regularly examined!
Examine dissemination procedures
• Policies are worthless unless people read and understand them
• Ideally it is distributed and addressed when people join the org
• E-mail is useful for updates, changes
• Written user acknowledgment necessary
Gather audit information
• Talk to/Interview people
• Review Documentation
• Technical Investigation
Talk to/Interview people
• Difficult to describe, easy to do
• Usually ignored
• Users, operators, sysadmins, janitors, managers…
• Usage & patterns
• Have they seen/read the security policy?
Talk to/Interview people (cont.)
• What can/can't they do, in own words
• Could they get root/system privileges?
• What are systems used for?
• What are the critical systems?
• How do they view the security audit?
Review Documentation
• Hardware/software inventory
• Network topology
• Key personnel
• Emergency numbers
• Incident logs
Technical Investigation
• Run static tools (COPS, Crack, etc.)
• Check system logs
• Check system against known vulnerabilities (CERT, bugtraq, CIAC advisories, etc.)
• Follow startup execution
• Check static items (config files, etc.)
• Search for privileged programs (SUID, SGID, run as root)
• Examine all trust
Technical Investigation (cont.)
• Check extra network services (NFS, news, httpd, etc.)
• Check for replacement programs (wu-ftpd, TCP wrappers, etc.)
• Code review ``home grown'' programs (CGIs, finger FIFOs, etc.)
• Run dynamic tools (ps, netstat, lsof, etc.)
• Actively test defenses (packet filters, TCP wrappers, etc.)
Run Static Tools
• Nmap
• SAINT/SATAN/ISS
• Crack
• Nessus
• COPS/Tiger
Follow Startup Execution
• Boot (P)ROMs
• init
• Startup programs (rc.* like files)
Check static items
• Examine all config files of running processes (inetd.conf, sendmail.cf, etc.)
• Examine config files of programs that can start up dynamically (ftpd, etc.)
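As an added example of what "examine the config files of running processes" looks like in practice (this is not code from the lecture), here is a small audit of `inetd.conf`: it parses every enabled service line and checks it against the written policy's service list, reporting services the policy does not allow, services running as a different user than the policy names, and services that bypass the TCP wrappers (`tcpd`) mentioned on the replacement-programs slide. The configuration and the policy dictionary are constructed samples; the field order is the classic `inetd.conf(5)` layout.

```python
import os
from dataclasses import dataclass, field


@dataclass
class InetdEntry:
    """One enabled service line from inetd.conf."""
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    server: str
    args: list = field(default_factory=list)


def parse_inetd_conf(text):
    """Return the enabled entries; comments and blank lines are skipped.
    Layout: service socket_type protocol wait/nowait user server_path [args...]"""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError(f"inetd.conf:{lineno}: malformed entry {raw!r}")
        entries.append(InetdEntry(f[0], f[1], f[2], f[3], f[4], f[5], f[6:]))
    return entries


def audit_inetd(entries, policy):
    """Check entries against the policy's service list (service -> user the
    daemon should run as). Returns (service/protocol, issue) pairs."""
    findings = []
    for e in entries:
        tag = f"{e.service}/{e.protocol}"
        if e.service not in policy:
            findings.append((tag, "enabled but not in the policy's service list"))
        elif e.user != policy[e.service]:
            findings.append((tag, f"runs as {e.user}; policy says {policy[e.service]}"))
        if e.server == "internal":
            continue  # inetd built-ins (echo, chargen, ...) cannot be wrapped
        if os.path.basename(e.server) != "tcpd":
            findings.append((tag, f"not wrapped by tcpd (runs {e.server} directly)"))
    return findings


# Constructed sample configuration; paths and the policy below are made up.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd        in.rshd
finger  stream  tcp  nowait  root    /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd /tftpboot
echo    stream  tcp  nowait  root    internal
"""

# What the written security policy allows on this host (constructed).
SAMPLE_POLICY = {"ftp": "root", "telnet": "root", "finger": "nobody"}


def run_sample():
    return audit_inetd(parse_inetd_conf(SAMPLE_INETD_CONF), SAMPLE_POLICY)


if __name__ == "__main__":
    for tag, issue in run_sample():
        print(f"{tag:12s} {issue}")
```

The same shape of check (parse, compare with policy, report the difference) applies to the other static files the slide names; the policy dictionary is the part that should come from the document reviewed in the "Audit/review security policy" step, not from the auditor's memory.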
Search for privileged programs
• Find all SUID/SGID programs
• Look at all programs executed as root
• Examine:
  – Environment
  – Paths to execution
  – Configuration files
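An added example (not from the lecture) of the first bullet, the inventory step: walk a tree, collect every regular file with the setuid or setgid bit, and compare the list with the baseline saved from the previous audit so that new privileged files stand out. `make_sample_tree` builds a constructed temporary directory for demonstration; `find_privileged` itself can be pointed at a real path such as `/usr/bin`. The environment, path and configuration review the slide asks for is manual work on each file the inventory returns.

```python
import os
import stat
import tempfile
from collections import namedtuple

try:
    import pwd  # Unix only; turns uids into names
except ImportError:  # pragma: no cover
    pwd = None

Privileged = namedtuple("Privileged", "path owner setuid setgid world_writable")


def classify_mode(mode):
    """(setuid, setgid, world_writable) flags for an st_mode value."""
    return (bool(mode & stat.S_ISUID),
            bool(mode & stat.S_ISGID),
            bool(mode & stat.S_IWOTH))


def owner_name(uid):
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def find_privileged(root):
    """Every regular file under root carrying setuid or setgid, the inventory
    `find / -perm /6000 -type f` gives. Symlinks are not followed, so a link
    cannot pull another tree into the scan."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished; keep going
            if not stat.S_ISREG(st.st_mode):
                continue
            suid, sgid, ww = classify_mode(st.st_mode)
            if suid or sgid:
                hits.append(Privileged(full, owner_name(st.st_uid), suid, sgid, ww))
    return sorted(hits)


def review_findings(hits, baseline):
    """Compare the inventory with the set of paths recorded at the previous
    audit: new privileged files, lost ones and world-writable ones get a note."""
    notes = []
    seen = set()
    for h in hits:
        seen.add(h.path)
        if h.path not in baseline:
            notes.append((h.path, "privileged file not in previous audit's baseline"))
        if h.world_writable:
            notes.append((h.path, "privileged and world-writable"))
    for path in sorted(set(baseline) - seen):
        notes.append((path, "in baseline but no longer privileged (removed or mode changed)"))
    return notes


def make_sample_tree():
    """Constructed sample: a temp directory with one setuid file and one plain
    file. Returns (root, setuid_path, plain_path, bit_set); bit_set reports
    whether the kernel actually kept the setuid bit (it may not on every
    filesystem), so callers can check the result honestly."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    suid_path = os.path.join(root, "helper")
    plain_path = os.path.join(root, "notes.txt")
    for p in (suid_path, plain_path):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o644)
    bit_set = bool(os.stat(suid_path).st_mode & stat.S_ISUID)
    return root, suid_path, plain_path, bit_set


if __name__ == "__main__":
    import sys
    inventory = find_privileged(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin")
    for note in review_findings(inventory, baseline=set()):
        print(*note)
```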
Examine all Trust
• rhosts, hosts.equiv
• NFS, NIS
• DNS
• Windowing systems
• User traffic and interactive flow
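The first two bullets are the trust relationships an auditor can read straight out of files. As an added example (not material from the lecture), the block below reviews `hosts.equiv` (the same syntax applies to a user's `.rhosts`) and an NFS `exports` file, flagging the entries that extend trust beyond a named host in the local domain: wildcard hosts and users, netgroups whose membership lives elsewhere, hosts in other domains, exports open to everyone or to patterns, and `no_root_squash`. All hostnames, the domain `lab.example.edu` and the export paths are constructed.

```python
# Constructed samples; every hostname, domain and export path is made up.
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv (constructed sample)
alpha.lab.example.edu
beta.lab.example.edu operator
+
gamma.other.example.com
+@admins
mirror.lab.example.edu +
-evil.lab.example.edu
"""

SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/export/home  alpha.lab.example.edu(rw) beta.lab.example.edu(rw,no_root_squash)
/export/pub   (ro)
/export/src   *.lab.example.edu(ro)
/export/tools *(rw)
"""


def parse_trust_lines(text):
    """hosts.equiv and ~/.rhosts share one layout: `host [user]` per line,
    `+` as a wildcard, `+@group` for an NIS netgroup, `-host` to deny."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            out.append((lineno, fields[0], fields[1] if len(fields) > 1 else None))
    return out


def audit_hosts_equiv(text, local_domain, filename="hosts.equiv"):
    """Flag trust that reaches beyond a named host in the local domain.
    Unqualified names are flagged too: they depend on the resolver's search
    path, which is one more thing the auditor has to trust (a design choice
    of this example)."""
    findings = []
    for lineno, host, user in parse_trust_lines(text):
        where = f"{filename}:{lineno}"
        if host == "+":
            findings.append((where, "wildcard host: every host is trusted"))
        elif host.startswith("+@"):
            findings.append((where, f"trust via netgroup {host[2:]}: review its membership"))
        elif host.startswith("-"):
            continue  # explicit denial; harmless
        elif not host.endswith("." + local_domain):
            findings.append((where, f"trusts {host}, outside {local_domain}"))
        if user == "+":
            findings.append((where, "wildcard user: any remote account may log in"))
    return findings


def audit_exports(text, filename="exports"):
    """Flag NFS exports open to every host, to wildcard patterns, or granting
    remote root (no_root_squash), using the common `path client(opts)` form."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        path, clients = fields[0], fields[1:]
        where = f"{filename}:{lineno}"
        if not clients:
            findings.append((where, f"{path} exported to every host"))
        for client in clients:
            host, _, opts = client.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if host in ("", "*"):
                findings.append((where, f"{path} exported to every host"))
            elif "*" in host or "?" in host:
                findings.append((where, f"{path} exported to pattern {host}"))
            if "no_root_squash" in options:
                findings.append((where, f"{path}: {host or '*'} keeps root (no_root_squash)"))
    return findings


def run_samples():
    return (audit_hosts_equiv(SAMPLE_HOSTS_EQUIV, "lab.example.edu"),
            audit_exports(SAMPLE_EXPORTS))


if __name__ == "__main__":
    for group in run_samples():
        for where, issue in group:
            print(f"{where:16s} {issue}")
```

Every finding is a question for the interview step rather than a verdict: a netgroup or a cross-domain entry may be exactly what the policy allows, but the policy has to say so.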
Check Extra Network Services
• NFS/AFS/RFS
• NIS
• News
• WWW/httpd
• Proxy (telnet, ftp, etc.)
• Authentication (Kerberos, security tokens, special services)
• Management Protocols (SNMP, etc.)
Check for replacement programs
• wu-ftpd
• TCP wrappers
• Logdaemon
• Xinetd
• GNU fingerd
Code review ``home grown''/non-standard programs
• Network daemons
• Anything SUID, SGID
• Programs run as system account
• CGIs
Code review, etc. (cont.)
• Bad signs:
  – external commands (system, shell, etc.)
  – /usr/ucb/mail
  – large size
  – No documentation
  – No comments in code
  – No source code available
Actively test defenses
• packet screens
• TCP wrappers
• Other defense programs
Safeguard Data & Report
• Save for the next audit
• Do not keep online
• Use strong encryption if stored electronically
• Limit distribution to those who ``need to know''
• Print out report, sign, and number copies