Security Audit
Prabhaker Mateti

What is a security audit?
– Policy based
– Assessment of risk
– Examines site methodologies and practices
– Dynamic
– Communication

What kinds of Security Audits are there?
– Host
– Firewall
– Networks
– Large networks

Security Policies & Documentation
– What is a security policy?
– Components
– Who should write it?
– How long should it be?
– Dissemination
– It walks, it talks, it is alive...
– RFC 1244
– What if a written policy doesn't exist?
– Other documentation

Components of a Security Policy
– Who can use resources
– Proper use of the resources
– Granting access & use
– System Administrator privileges
– User rights & responsibilities
– What to do with sensitive information
– Desired security configurations of systems

RFC 1244 - "Site Security Handbook"
– Defines security policies & procedures
– Policy violations
– Interpretation
– Publicizing
– Identifying problems
– Incident response
– Updating

Other Documentation
– Hardware/software inventory
– Network topology
– Key personnel
– Emergency numbers
– Incident logs

Why do a Security Audit?
– Information is power
– Expectations
– Measure policy compliance
– Assessing risk & security level
– Assessing potential damage
– Change management
– Security incident response

When to audit?
– Emergency!
– Before prime time
– Scheduled/maintenance

Audit Schedules
– Individual Host: 12-24 months
– Large Networks: 12-24 months
– Network: 12 months
– Firewall: 6 months

How to do a Security Audit
– Pre-audit: verify your tools and environment
– Audit/review security policy
– Gather audit information
– Generate an audit report
– Take actions based on the report's findings
– Safeguard data & report

Verify your tools and environment
– The golden rule of auditing
– Bootstrapping problem
– Audit tools
– The Audit platform

The Golden Rule of Auditing
– Verify ALL tools used for the audit are untampered with.
– If the results of the auditing tools cannot be trusted, the audit is useless.

The Bootstrapping Problem
– If the only way to verify that your auditing tools are ok is by using auditing tools, then...

Audit Tools - Trust?
– Write them yourself
– Find a trusted source (person, place)
– Verify them with a digital signature (MD5)
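The golden rule and the bootstrapping problem above reduce to one routine check: hash the audit tools once from a known-good state, keep that manifest off the audited machine, and re-verify every tool before each run. The script below is an added example, not from the slides; it assumes coreutils sha256sum (the slide names MD5, which is no longer collision resistant) and builds a constructed tool directory to walk through the check.

```shell
#!/bin/sh
# Added example: verify audit tools against a hash manifest.
# Assumes coreutils sha256sum; the tool directory below is constructed.

# make_manifest DIR MANIFEST -- record "hash  path" for every file under DIR.
# In a real audit the manifest is written to read-only media and kept offline.
make_manifest() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# verify_tools MANIFEST -- re-hash every listed file; print each file that is
# missing or changed and return how many there were (0 = all tools intact).
verify_tools() {
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# demo_tamper -- constructed walk-through: build a fake tool directory,
# record the manifest, replace one tool, and re-verify. Returns the number
# of tools that no longer match (1 here).
demo_tamper() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf '#!/bin/sh\necho nmap\n' > "$d/bin/nmap"
    printf '#!/bin/sh\necho lsof\n' > "$d/bin/lsof"
    make_manifest "$d/bin" "$d/manifest"
    if verify_tools "$d/manifest" > /dev/null; then echo "baseline: all tools intact"; fi
    printf '#!/bin/sh\necho not-the-real-lsof\n' > "$d/bin/lsof"   # simulated replacement
    n=0; verify_tools "$d/manifest" || n=$?
    rm -rf "$d"
    return "$n"
}
```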

Audit Tools - the Hall of Fame
– SAINT/SATAN/ISS
– Nessus
– lsof/pff
– Nmap, tcpdump, ipsend
– MD5/DES/PGP
– COPS/Tiger
– Crack

The Audit Platform
– Should have extraordinary security
– Submit it to a firewall+ type of audit
– Physical access should be required to use
– No network services running

Choosing a security audit platform: Hardware
– laptop computer
– three kilograms or less
– graphics display
– MB memory
– MB disk
– ethernet (as many connectors as possible)

Choosing a security audit platform: Software
– Unix / Linux
– Secured OS
– OS source code
– Audit tools
– Development tools

Unix / Linux
– BSD: FreeBSD, SunOS/Solaris, OpenBSD ?
– Source code
– A good development platform
– Large body of available literature

Audit/review security policy
– Utilize existing or use "standard" policy
– Treat the policy as a potential threat
– Does it have all the basic components?
– Are the security configs comprehensive?
– Examine dissemination procedures

Security policy
– Treat the policy as a potential threat
– Bad policies are worse than none at all
– Good policies are very rare
– Look for clarity & completeness
– Poor grammar and spelling are not tolerated

Does it Have All the Basic Components?
– Who can use resources
– Proper use of the resources
– Granting access & use
– System Administrator privileges
– User rights & responsibilities
– What to do with sensitive information

Are the security configs comprehensive?
– Details are important!
– Addresses specific technical problems (COPS-like tests, network services run, etc.)
– Allowable trust must be clearly outlined
– Should specify the specific tools (TCP wrappers, S/Key, etc.) that are used
– Must have explicit time schedules of security audits and/or tools used
– Logfiles must be regularly examined!

Examine dissemination procedures
– Policies are worthless unless people read and understand them
– Ideally it is distributed and addressed when people join the org
– E-mail is useful for updates, changes
– Written user acknowledgment necessary

Gather audit information
– Talk to/Interview people
– Review Documentation
– Technical Investigation

Talk to/Interview people
– Difficult to describe, easy to do
– Usually ignored
– Users, operators, sysadmins, janitors, managers...
– Usage & patterns
– Have they seen/read the security policy?

Talk to/Interview people (cont.)
– What can/can't they do, in their own words
– Could they get root/system privileges?
– What are systems used for?
– What are the critical systems?
– How do they view the security audit?

Review Documentation
– Hardware/software inventory
– Network topology
– Key personnel
– Emergency numbers
– Incident logs

Technical Investigation
– Run static tools (COPS, Crack, etc.)
– Check system logs
– Check system against known vulnerabilities (CERT, bugtraq, CIAC advisories, etc.)
– Follow startup execution
– Check static items (config files, etc.)
– Search for privileged programs (SUID, SGID, run as root)
– Examine all trust

Technical Investigation (cont.)
– Check extra network services (NFS, news, httpd, etc.)
– Check for replacement programs (wu-ftpd, TCP wrappers, etc.)
– Code review "home grown" programs (CGIs, finger FIFOs, etc.)
– Run dynamic tools (ps, netstat, lsof, etc.)
– Actively test defenses (packet filters, TCP wrappers, etc.)

Run Static Tools
– Nmap
– SAINT/SATAN/ISS
– Crack
– Nessus
– COPS/Tiger

Follow Startup Execution
– Boot (P)ROMs
– init
– Startup programs (rc.* like files)

Check static items
– Examine all config files of running processes (inetd.conf, sendmail.cf, etc.)
– Examine config files of programs that can start up dynamically (ftpd, etc.)
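inetd.conf is the classic static item: every active line is a network service that will be started on demand, so the review is to list those lines, compare them with what the policy allows, and note which root-run services are not wrapped by tcpd. The script below is an added example, not from the slides; the inetd.conf and allowlist it uses are constructed, and the column layout (service, socket type, protocol, wait flag, user, server program, arguments) is the standard inetd.conf format.

```shell
#!/bin/sh
# Added example: review the services inetd would start from inetd.conf.
# Columns: service socket_type proto wait/nowait user server_program args.
# The sample file and allowlist below are constructed for the walk-through.

# enabled_services FILE -- print "service proto user program" for every
# active (non-comment, well-formed) line
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1, $3, $5, $6 }' "$1"
}

# check_inetd FILE ALLOWLIST -- flag services not listed in ALLOWLIST (one
# name per line) and services run as root without tcpd in front; return the
# number of flagged entries
check_inetd() {
    n=0
    while read -r svc proto user prog; do
        [ -n "$svc" ] || continue
        why=""
        if ! grep -qx "$svc" "$2"; then why="not in allowlist"; fi
        case "$prog" in
            */tcpd) ;;   # wrapped: access control and logging are in place
            *) if [ "$user" = root ]; then why="$why${why:+; }root without tcpd"; fi ;;
        esac
        if [ -n "$why" ]; then
            echo "$svc/$proto ($user, $prog): $why"; n=$((n + 1))
        fi
    done <<EOF
$(enabled_services "$1")
EOF
    return "$n"
}

# demo_inetd -- constructed inetd.conf: two wrapped, allowed services, a
# commented-out rshd, an unlisted finger, and a root tftpd without tcpd.
# Returns 2 (finger and tftp are flagged).
demo_inetd() {
    d=$(mktemp -d)
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd        in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd /tftpboot
EOF
    printf 'ftp\ntelnet\n' > "$d/allowed"
    n=0; check_inetd "$d/inetd.conf" "$d/allowed" || n=$?
    rm -rf "$d"
    return "$n"
}
```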

Search for privileged programs
– Find all SUID/SGID programs
– Look at all programs executed as root
– Examine:
  – Environment
  – Paths to execution
  – Configuration files
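The first step on this slide, finding every SUID/SGID program, is a find(1) walk; the useful part is comparing the result with the list of privileged programs the auditor has already reviewed, so that only new or unexpected ones need examination. The script below is an added example, not from the slides; the directory tree and allowlist it builds are constructed.

```shell
#!/bin/sh
# Added example: find SUID/SGID files under a root and flag the ones the
# auditor has not explicitly approved. The tree and allowlist are constructed.

# find_privileged ROOT -- every regular file with the setuid or setgid bit
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# unexpected_privileged ROOT ALLOWLIST -- print, with mode and owner, every
# privileged file whose path relative to ROOT is not in ALLOWLIST (one path
# per line); return the number of such files
unexpected_privileged() {
    root=$1; allow=$2; n=0
    while read -r f; do
        [ -n "$f" ] || continue
        rel=${f#"$root"/}
        if ! grep -qxF "$rel" "$allow"; then
            echo "UNEXPECTED $(ls -ld "$f" | awk '{print $1, $3, $4}') $rel"
            n=$((n + 1))
        fi
    done <<EOF
$(find_privileged "$root")
EOF
    return "$n"
}

# demo_suid -- constructed tree: ping (setuid, approved), wall (setgid,
# approved), a plain binary, and an unapproved setuid file in tmp. Returns 1.
demo_suid() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin" "$d/tmp"
    for f in bin/ping usr/bin/wall usr/bin/ls tmp/.helper; do
        printf '#!/bin/sh\n' > "$d/$f"
    done
    chmod 4755 "$d/bin/ping" "$d/tmp/.helper"
    chmod 2755 "$d/usr/bin/wall"
    chmod 0755 "$d/usr/bin/ls"
    printf 'bin/ping\nusr/bin/wall\n' > "$d/allowed"
    n=0; unexpected_privileged "$d" "$d/allowed" || n=$?
    rm -rf "$d"
    return "$n"
}
```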

Examine all Trust
– rhosts, hosts.equiv
– NFS, NIS
– DNS
– Windowing systems
– User traffic and interactive flow
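For the first two items on this slide the question is which hosts are trusted: a "+" in hosts.equiv or a .rhosts file trusts every host (and "+ +" every user on every host), and an /etc/exports line with no client list, a "*" client, or only options such as "(rw)" exports the file system to everyone. The checker below is an added example, not from the slides, and runs over constructed sample files.

```shell
#!/bin/sh
# Added example: scan hosts.equiv/.rhosts and NFS /etc/exports for entries
# that extend trust to every host. The sample files are constructed.

# check_rhosts FILE -- flag "+" (any host) and "+ +"/"host +" (any user)
# entries; return the number flagged
check_rhosts() {
    n=0
    while read -r host user _; do
        case "$host" in ''|'#'*) continue ;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "TRUST-ALL $1: $host $user"; n=$((n + 1))
        fi
    done < "$1"
    return "$n"
}

# check_exports FILE -- flag exports with no client list, a "*" client, or
# only options such as "(rw)"; all three export to every host.
# Return the number flagged.
check_exports() {
    n=0
    while read -r dir clients; do
        case "$dir" in ''|'#'*) continue ;; esac
        case "$clients" in
            ''|'*'*|'('*) echo "WORLD-EXPORT $dir ${clients:-(no client list)}"; n=$((n + 1)) ;;
        esac
    done < "$1"
    return "$n"
}

# demo_trust -- constructed hosts.equiv and exports; returns the total number
# of findings (2 from hosts.equiv + 2 from exports = 4)
demo_trust() {
    d=$(mktemp -d)
    printf '# constructed\nalpha.example.com\n+\nbeta.example.com +\n' > "$d/hosts.equiv"
    printf '/export/pub  *(ro)\n/home  (rw)\n/srv  10.0.0.0/24(rw)\n' > "$d/exports"
    a=0; check_rhosts "$d/hosts.equiv" || a=$?
    b=0; check_exports "$d/exports" || b=$?
    rm -rf "$d"
    return $((a + b))
}
```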

Check Extra Network Services
– NFS/AFS/RFS
– NIS
– News
– WWW/httpd
– Proxy (telnet, ftp, etc.)
– Authentication (Kerberos, security tokens, special services)
– Management Protocols (SNMP, etc.)

Check for replacement programs
– wu-ftpd
– TCP wrappers
– Logdaemon
– Xinetd
– GNU fingerd

Code review "home grown"/non-standard programs
– Network daemons
– Anything SUID, SGID
– Programs run as system account
– CGIs

Code review, etc. (cont.)
– Bad signs:
  – external commands (system, shell, etc.)
  – /usr/ucb/mail
  – large size
  – No documentation
  – No comments in code
  – No source code available

Actively test defenses
– packet screens
– TCP wrappers
– Other defense programs

Safeguard Data & Report
– Save for the next audit
– Do not keep on-line
– Use strong encryption if stored electronically
– Limit distribution to those who "need to know"
– Print out report, sign, and number copies