
1 Applying Risk Analysis Techniques to Information Systems
Randy Marchany, VA Tech Computing Center, Blacksburg, VA 24060
Randy.Marchany@vt.edu, 540-231-9523
Copyright 2001 Marchany

2 Unit 1: Pay Me Now or Pay Me Later
Why we need to check our infrastructure

3 Why Bother?
- This section gives concrete examples of what can happen if you don't have basic security rules at your site.
- Every one of these attacks could have been prevented ahead of time with minimal effort.
- The cost to fix them afterwards was much higher!

24 Pay Me Now or Pay Me Later
- E = D + R
  - E = amount of time you're exposed
  - D = amount of time it takes to detect an attack
  - R = amount of time it takes to react to an attack
- Easiest way to calculate the cost of an incident:
  - Multiply average hourly wage × time spent × number of people

25 The Top 10 Vulnerabilities
- BIND (Unix/Linux/NT/Win2K)
- CGI programs (WWW servers)
- RPC (ToolTalk) (Unix/Linux/NT/Win2K)
- Microsoft IIS: RDS and others (NT/Win2K)
- Sendmail (Unix/Linux)
- sadmind and mountd (Unix/Linux)
- Global file sharing (NetBIOS, NFS, AppleShare)
- Weak/no passwords, demo/guest accounts
- IMAP/POP buffer overflows
- Default SNMP community strings (network devices)

27 The Internet Audit Project
Hosts scanned (TOTAL): 735,065

Vulnerability    Percent of hosts    Top 10 #
Webdist          0.77%               #2, #4
IMAP             15.5%               #9
Qpopper          12.4%               #9
Innd             0.52%               (not in Top 10)
Tooltalk         26.1%               #3, #6
RPC_mountd       10.8%               #3, #6
BIND             18.1%               #1
WWW              12.2%               #2

28 The Top 10 Internet Threats for 2000
- Available at www.sans.org/topten.html
- You should check your systems for these vulnerabilities.
- The fix is simple: apply patches or Service Packs.
- Your sysadmins/netadmins should check your system(s) for the top 10 threats.
  - BindView HackerShield: NT systems
  - SARA, SAINT: Unix/Linux freeware tools

29 References
- http://security.vt.edu
- www.sans.org: Top 10 threats, Defeating DDoS, etc.
- www.nipc.gov
- www.cornell.edu/CPL
- www.securityfocus.com: early warning vulnerability list
- www.insecure.org
- www.usdoj.gov/criminal/cybercrime/index.html: Federal search and seizure guidelines

30 Unit 2: TBS & STAR: Theory and Practice
TBS: Time Based Security
STAR: Security Targeting and Analysis of Risk

31 How the Day Is Going to Go
- Morning: principles and theory
  - Audit process and goals
  - Time Based Security
  - Putting it all together
- Afternoon: audit in the real world
  - Using CIS rulers to build audit plans
  - Applying the process to systems
  - Putting it all together

32 The Course Goals
- Construct a security checklist for your site (Unix, NT).
- Use this methodology to develop a response to your internal auditors.
- Have a repeatable method of defining the $$$ cost of implementing security features at your site. The method can be reused over time to show trends.
- Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.

33 The General Audit Process
- Audit planning: review pertinent background info, research policies, prepare the audit program.
- Entrance conference: meet with IS group leaders to let them know what is going on and find out if there are any specific areas to check.
- Fieldwork: visit the IS systems and perform the steps listed in the audit program on a sample of systems.

34 The General Audit Process
- Preparing the audit report. The report should:
  - State what was done
  - State the results of these actions
  - Present recommendations
  - Include in the appendices the audit checklists used to collect the data
- The exit conference: meet with the people from step 2 and review the results with them. This is the time to clear up any misunderstandings. Refine the audit report and prepare the recommendations paper.
- Report to upper management (CEO, CFO, CIO, VP): present a summary report of the audit. Provide recommendations and implementation cost estimates.

35 The Auditor's Goals
- Ensure assets are protected according to company, local, state and federal regulatory policies.
- Determine what needs to be done to ensure the protection of those assets.
- Make life miserable for sysadmins... :-)
  - Not really. An audit can save a sysadmin if a problem occurs.

36 The Sysadmin's Goals
- Keep the systems up.
- Keep users happy and out of our hair.
- Keep auditors at arm's length.
- Get more resources to do the job properly.
- Wear jeans or shorts to work when everyone else has to wear suits...

37 The Sysadmin's Audit Strategy
- Turn a perceived weakness (the audit) into a strength (security checklists).
- Develop a set of reporting matrices that can be used as audit reports or as justification for security expenditures.
- The same information can be used to help develop your incident response plan.

38 Time Based Security
- The Time Based Security (TBS) model provides:
  - A methodology that a security officer can use to quantifiably test and measure the effectiveness of security measures.
  - A set of matrices/reports that security professionals can use to assign a $ value to the cost. This figure can be given to management to help them prioritize security expenditures.
- Winn Schwartau's book describes TBS. The following slides discuss his methodology.

39 Time Based Security
- Schwartau's simple formula for TBS:
  - Protection (P): the bank vault
  - Detection (D): the alarm system
  - Reaction (R): the police
- Pt > Dt + Rt
  - Pt: the amount of time the protection system holds
  - Dt: the amount of time needed to detect the attack
  - Rt: the amount of time needed to react to the attack

40 Time Based Security
- Pt > Dt + Rt (the TBS law)
  - If the protection time (Pt) you offer is greater than the sum of the detection time (Dt) and reaction time (Rt), your systems can be considered secure.
  - If detection and reaction are very fast, you don't need as strong a protection mechanism.
- KEY: detect anomalous activity and respond ASAP!

41 Time Based Security
- TBS corollary: P < D + R
  - If it takes longer to detect and respond to an intrusion than the protection time afforded by the protection device P, then effective security is impossible.
- Look at the specs for each of the components in your network architecture.

42 Time Based Security
- When Pt does not exceed Dt + Rt, the time the attacker is left with after protection gives way is the exposure time, E. With no effective protection (P = 0, the assumption the rest of this method makes): E = D + R.
- You want D + R → 0. As your detection and reaction speeds increase, the need for strong protection decreases. Hmmm...
- The fortress mentality dictates that P must be extremely high because D + R is really slow or non-existent.

43 Measuring Security
- Measure D + R (in seconds/minutes/hours/days).
- Assume the best: active logging, a good AUP (Acceptable Use Policy), a decent IRP (Incident Response Plan).
  - How long does it take to detect an event? (D = x)
  - How long to notify the affected parties?
  - How long for them to analyze and respond? (R = y) Out of the office? Out to lunch? How long to answer a page?
  - How much damage could be done in D + R time?

44 TBS Methodology
- Assume P = 0. Build the following matrix:
  - Detection systems in place? If not, D is unbounded, so E is unbounded: 100% exposure.
  - Reaction system in place? If not, R is unbounded, so E is unbounded: 100% exposure.
  - How long does the detection mechanism take to detect an attack? Answer in seconds/minutes/hours.

45 TBS Methodology: Detection
- Once an attack is detected, how are you notified? Logs? Pager? Phone? Future audit trails?
- How long does the above take? (sec/min/hr/day)
  - Sitting at your desk: _______
  - When you're at lunch: _______
  - Break time: _______
  - Headed home: _______
  - Sleeping: _______
  - At the movies: _______

46 TBS Methodology: Reaction
- Once notified, how long does it take to do something about it? (sec/min/hr/day)
  - Sitting at your desk: _______
  - At lunch: _______
  - On break: _______
  - Headed home: _______
  - Sleeping: _______
- How long does it take to determine the cause/effect/solution? Include other people.
  - Onsite: _______
  - Offsite: _______

47 TBS Methodology: D + R
- Severe attacks: how long does it take to get permission to take any/all steps to protect the net/assets, including shutting them down? _______
- Add up the best-case numbers: _______ s/m/h
- Add up the worst-case numbers: _______ s/m/h
- Exposure time E = _______ (best case) to _______ (worst case)

48 Measure Exposure Time: E
- Rule of thumb: bandwidth in bits/s divided by 10 gives bandwidth in bytes/s (dividing by 10 rather than 8 allows for protocol overhead). Example: T-1 at 1.54 Mb/s → 154 KB/s ≈ 9.2 MB/min.
- This gives: file size / bandwidth = required attack time, i.e. (MB) / (MB/s) = attack time, or F / Bw = T = E (exposure time).
- If the goal is file theft, the size of the target file F divided by the maximum bandwidth of the network path Bw determines the time T needed to get the information out.

49 Measure Exposure Time: E
- This is one measure of risk. Information theft can be measured using T plus the intrinsic value of the information. Remember that Bw could also be the transfer rate of a floppy or tape drive.
- Example: a net has exposure time E = D + R = 10 minutes and a tape drive with a transfer rate of 6 GB/hr. T = 10 minutes = 1/6 hr, Bw = 6 GB/hr, so F = Bw × T = 1 GB of data could be stolen before detection and reaction kill the attack.

50 Measure Exposure: External
- Bandwidth limiting is an effective response method: lowering Bw lowers F for the same E.
- Data padding: pad the critical files so their size exceeds F = Bw × E, the amount that can be copied out within the exposure window. Using the previous example:
  - E = 10 min = 1/6 hr, Bw = 6 GB/hr, F = Bw × E = 6 GB/hr × 1/6 hr = 1 GB.
  - All critical files should therefore be padded to more than 1 GB.
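The arithmetic of the last few slides carried through in working code: E = D + R, the Pt > Dt + Rt test, F / Bw = T, the 1 GB padding figure, the best/worst-case worksheet sum, and the layered sum that Layered TBS uses later. This is an added example, not code from the presentation or from Schwartau's book; the numbers (T-1, 6 GB/hr tape, 10 minute window) are the slides' own, while the function names and the sample detection/reaction tables DETECT and REACT are assumptions made for this example.

```python
"""Time Based Security arithmetic: E = D + R, the Pt > Dt + Rt test,
F / Bw = T, file padding against exfiltration, and layered exposure.

Added example, not code from the original presentation. The figures (a T-1
line, a 6 GB/hr tape drive, a 10 minute exposure window) come from the slides;
the function names and the DETECT/REACT worksheet values are assumptions.
"""
from dataclasses import dataclass

MB = 1_000_000            # bytes; decimal units, as on the slides
GB = 1_000 * MB
HOUR = 3600.0             # seconds


@dataclass(frozen=True)
class Tbs:
    """Protection, detection and reaction times for one layer, in seconds."""
    p: float   # Pt: how long the protection mechanism holds the attacker off
    d: float   # Dt: time to detect the attack
    r: float   # Rt: time to react once it is detected

    @property
    def exposure(self) -> float:
        """E = D + R, under the method's working assumption that P = 0."""
        return self.d + self.r

    def is_secure(self) -> bool:
        """TBS law: secure when Pt > Dt + Rt; the corollary P < D + R fails it."""
        return self.p > self.d + self.r


def bits_to_bytes_per_sec(bits_per_sec: float) -> float:
    """Rule of thumb: divide the bit rate by 10, not 8, to allow for protocol
    overhead. A T-1 at 1.54 Mb/s becomes 154 KB/s."""
    return bits_per_sec / 10


def attack_time(file_bytes: float, bw_bytes_per_sec: float) -> float:
    """T = F / Bw: seconds needed to move F bytes over bandwidth Bw."""
    return file_bytes / bw_bytes_per_sec


def stealable_bytes(exposure_sec: float, bw_bytes_per_sec: float) -> float:
    """F = Bw * E: how much data can leave before detection + reaction stop it."""
    return bw_bytes_per_sec * exposure_sec


def padding_target(exposure_sec: float, bw_bytes_per_sec: float) -> float:
    """Data padding: a critical file must be larger than Bw * E so it cannot be
    copied out whole inside the exposure window."""
    return stealable_bytes(exposure_sec, bw_bytes_per_sec)


def exposure_range(detect: dict[str, float], react: dict[str, float]) -> tuple[float, float]:
    """Worksheet sum: best case adds the fastest D and R, worst case the
    slowest. Returns (best, worst) in seconds."""
    best = min(detect.values()) + min(react.values())
    worst = max(detect.values()) + max(react.values())
    return best, worst


def layered_exposure(layers: dict[str, Tbs]) -> float:
    """Layered TBS: E(db) = E(pw) + E(fw) + E(os). The intruder must spend each
    layer's D + R in turn, so the layer exposures add."""
    return sum(layer.exposure for layer in layers.values())


# Constructed sample worksheet values (seconds), not measurements from the talk.
DETECT = {"at desk": 60.0, "at lunch": 1 * HOUR, "sleeping": 8 * HOUR}
REACT = {"at desk": 300.0, "at lunch": 0.5 * HOUR, "sleeping": 4 * HOUR}


if __name__ == "__main__":
    t1 = bits_to_bytes_per_sec(1.54e6)
    print(f"T-1: {t1 / 1000:.0f} KB/s = {t1 * 60 / MB:.2f} MB/min")

    tape = 6 * GB / HOUR                      # 6 GB/hr tape drive
    e = 10 * 60                               # E = D + R = 10 minutes
    print(f"10 min exposure at 6 GB/hr lets {stealable_bytes(e, tape) / GB:.2f} GB out")
    print(f"pad critical files beyond {padding_target(e, tape) / GB:.2f} GB")
    print(f"a 1 GB file needs {attack_time(1 * GB, tape) / 60:.1f} min")

    best, worst = exposure_range(DETECT, REACT)
    print(f"worksheet E: best {best / 60:.0f} min, worst {worst / HOUR:.0f} hr")

    layers = {"pw": Tbs(0, 60, 60), "fw": Tbs(0, 30, 30), "os": Tbs(0, 120, 120)}
    print(f"E(db) = {layered_exposure(layers):.0f} s; firewall alone secure? "
          f"{Tbs(p=7 * 24 * HOUR, d=30, r=30).is_secure()}")
```

The point the numbers make: with a 10 minute window, whether 1 GB or 10 MB leaves the building is decided entirely by Bw, so either shrink D + R, throttle Bw, or make F larger than Bw × E.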

51 TBS: Integrity Attacks
- Attacker's goal: make undetected, unauthorized changes to data.
- TBS analysis: assume you're an insider with access to the net and the system.
  - How long does it take you to manually get to the target application? _______ (s/m/h)
  - How long would a script take to do the same? _______ (s/m/h)
  - Once logged into that application, how long does it take, as a trusted user, to make unauthorized changes to those records? _______ (s/m/h)

52 TBS: Integrity Attacks (cont.)
- What steps would a knowledgeable user take to cover their tracks? How long does it take to effect those changes? _______ (s/m/h)
- Add up the times for manual and automatic navigation.
  - This gives a target maximum value for E and provides a target guideline for D + R.

53 TBS: Measure the $ Damage
- Two formulas: E = D + R and F / Bw = T. If we know E, we can get F (since E = T, F = Bw × E). If we know T, we can get E and therefore the D + R budget.
- Coordinate with auditors and management and ask:
  - If a critical file gets out, what would be the financial effect on the company?
  - DoS attacks could cripple the company nets. What is the hourly/daily cost to the company if this happens?
  - What is our legal liability if client records or employee records are compromised?

54 TBS Asset Organization
- Information value
  - Some info loses value over time. Example: advance notification, product announcements.
  - Some info's value is still changing. Example: an idea before its time.
- Four categories of information assets:
  - Company proprietary: product designs, pricing strategies, patents, source code, customer lists
  - Private employee: HR records, performance reviews, SSNs

55 TBS Information Assets
- Information asset categories (cont.)
  - Customer private: pricing info, purchase history, non-disclosure info
  - Partner/government: info assets that don't fit into the other categories
- Risk categories
  - Critical: if it gets out, we're out of business
  - Essential: survivable but a major hit. It'll hurt but we can spin back to normal
  - Normal: may be embarrassing, disruptive only

56 TBS Info Asset Matrices
- Prepare matrices listing each asset and risk.
- Use the matrices to build an affordable, workable and maintainable security environment.
- Prepare separate matrices for criticality (as above), integrity and availability.

57 TBS Review Process
- Identify and categorize the info assets.
- Specify the logical locations of the assets.
- Identify the physical locations of the assets.
- The above info tells us:
  - If critical assets are all over the place, your defenses are spread out and cost more.
  - Whether you have a single point of failure.
  - Whether negligible info is mixed in with critical info.
- Some info has no place being on the net!

58 Layered TBS
- Assume your net has a firewall, a fully patched OS on the DB server and an application password server (Oracle passwords) in place.
- TBS variables:
  - E(db): overall exposure time for the DB
  - E(pw): exposure time for the application password
  - E(os): exposure time for the server's OS
  - E(fw): exposure time for the firewall

59 Layered TBS
- TBS equations:
  - E(db) = E(pw) + E(fw) + E(os)
  - E(os) > D(os) + R(os)
  - E(fw) > D(fw) + R(fw)
  - E(pw) > D(pw) + R(pw)
- The intruder needs to overcome E(pw), E(fw) and E(os) in turn in order to get to the data, E(db).

60 Layered TBS Conclusions
- All assets are NOT created equal and they do NOT deserve equal protection.
- Asset distribution by physical and logical separation is a security process, but it is performed under the network architecture and topology banner.
- Design the killing zones, in other words.

61 TBS Reaction Matrices
- Goal: make D + R as small as possible.
  - A smaller R reduces the reliance on a higher P value.
- R components
  - Notification: tells someone/something that a detection mechanism was triggered. Schwartau's 3 a.m. rule: "notify someone" means "tell someone other than the boss who doesn't want to be bothered at 3 a.m."; waiting for the boss only increases the R time.
- Fill out the matrix with the target E, R or T times.
  - This documentation is important since it helps management understand the quantitative nature of TBS.
- The matrix is based upon the AUP, disaster recovery plans, and the amount of risk the org is willing to take, measured in EXPOSURE TIME (E, or equivalently T).

62 TBS Reaction Matrix - I

63 TBS Reaction Matrix - II
- The sysadmin represents the greatest room for error, by making R unacceptably high. Why? People hesitate to make tough decisions like shutting down part of a net.
- The "sacrifice the pawn to save the king" strategy can be very risky if you don't have policies in place and management support.
- Automated responses can eliminate this, BUT I saw "Colossus: The Forbin Project"... :-)

64 TBS Reaction Matrix
- Questions the reaction matrix should answer:
  - Is the attack real? What was the goal? Is it ongoing?
  - Did the R-matrix come to the proper conclusion? Was the attack thwarted?
  - Post-mortem analysis? What further steps are needed? Who did it?
- Responders must be empowered by management and policy to limit R. This is necessary for TBS to work.

65 TBS: Evaluating Protection
- The previous slides used TBS to evaluate D + R.
- Applying E = D + R to access control (user logins):
  - E = maximum amount of time needed to accomplish proper authentication.
  - D = time needed to detect the authentication request and determine its authenticity.
  - R = time needed for the detection module to trigger a PROCEED or STOP reaction.
- Applying E = D + R to enterprise audit trails:
  - D = time needed for an audit tool to record, analyze and transmit data.
  - R = time it takes for the detection tool to trigger the reaction, plus how long the reaction takes.

66 Unit 3: STAR Case Study
How we did it at VA Tech, or how STAR was born

67 TBS Case Study
- Sort of...
- We applied some, but not all, TBS concepts in our first attempt to determine the status of our asset security.
- This process took about 12 months. The security committee met once every 2-3 weeks.
- We're starting the fourth phase and are applying more TBS concepts this time.

68 The Committee
- Management and technical personnel from the major areas of IS:
  - University Libraries
  - Educational Technologies
  - University Network Management Group
  - University Computing Center
  - Administrative Information Systems

69 The Committee's Scope
- Information Systems Division only.
- Identified and prioritized ASSETS:
  - RISKS associated with those ASSETS
  - CONTROLS that may be applied to the ASSETS to mitigate the RISKS
- Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to the assets we wish to protect.

70 The Committee's Charge
- From our VP for Information Systems:
- "Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service."
- "Investigate and advise the VPIS as to the security of systems throughout the university.... Provide documentation of the security measures in place."

71 Identifying the Assets
- Compiled a list of IS assets (100+ systems).
- Categorized them as critical, essential or normal:
  - Critical: VT can't operate without this asset for even a short period of time.
  - Essential: VT could work around the loss of the asset for up to a week. The asset needs to be returned to service ASAP.
  - Normal: VT could operate without this asset for a finite period, but entities may need to identify alternatives.

72 Prioritizing the Assets
- The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical.
- Some assets were classified as critical and then rank-ordered using a matrix prioritization technique. Each asset was compared to the others and members voted on their relative importance. Members could split their vote.

73 Prioritizing the Assets
- Asset weight values were calculated by a simple formula: weight = sum of vote values.
  - Criteria: criticality, value to the organization, impact of outage.
  - Team members vote for their top 5 assets in order:
    - First place vote = 5 points × number of such votes received
    - Second place vote = 4 points × number of such votes received
    - Third place vote = 3 points × number of such votes received
    - Fourth place vote = 2 points × number of such votes received
    - Fifth place vote = 1 point × number of such votes received
- This determines the criticality of the assets listed in Exhibit A.

74 Identifying the Risks
- A RISK was selected if it could cause an incident that would:
  - Be extremely expensive to fix
  - Result in the loss of a critical service
  - Result in heavy, negative publicity, especially outside the university
  - Have a high probability of occurring
- Risks were prioritized using the same matrix prioritization technique.

75 Prioritizing the Risks
- Same formula as for prioritizing assets.
- Criteria:
  - Scope of impact
  - Probability of an incident
- Weight = sum of vote values.
- This determines the criticality of the risks shown in Exhibit B.

76 Prioritizing the Assets & Risks
- The values in the first (white) column of Exhibits B and D are the weight values assigned to the asset or risk.
- The ordering of the assets and risks was determined by simple vote: how many think asset 1 is more critical than asset 2? The same for risks.
- The votes are shown in the white squares.

77 Mapping Risks and Assets
- We built a matrix that maps the ordered list of critical assets against the ordered list of risks, regardless of whether
  - a particular risk actually applies to the asset, or
  - controls exist and/or are already in place.
- The matrix provides general guidance about the order in which each asset/risk pair is examined. All assets/risks need to be examined eventually.

78 Mapping Risks and Assets
- The more critical assets and risks, as determined by the matrices in Exhibits B & D, are closer to the upper left corner of the matrix. An example of this is Exhibit E.
- The weight of an asset-risk pair = (asset weight × risk weight) / 100. These values are listed in the cells of Exhibit E.

79 Identifying Controls
- Specific controls identified by the committee were put in a matrix.
- The controls were then mapped against the list of risks; the cells hold the control IDs that can mitigate a particular risk for a particular asset.

80 Mapping Controls to the R/A Matrix
- Exhibit G shows the controls that apply to a particular asset-risk pair.
- Exhibit F lists the controls that could be applied to a risk.
- Example: for the Site 1 / Sysadmin Practice pair, the cell at the intersection of the two items lists controls 7, 13, 14, 30 and 33 as possible controls to mitigate that risk on that asset.
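The STAR scoring of the preceding slides as a runnable example: ranked ballots tallied into asset and risk weights with the 5/4/3/2/1 rule, the asset-risk matrix with cell weight = (asset weight × risk weight) / 100, the per-cell control list, and the color-coded compliance view that the following slides describe. This is an added example, not the committee's spreadsheet or exhibits; the ballots, asset and risk names, control ids and installed-control table are constructed for illustration, and only the scoring rules are taken from the slides.

```python
"""STAR prioritization arithmetic: ranked votes, asset and risk weights, the
asset-risk matrix, controls mapped into each cell, and a compliance view.

Added example, not the committee's spreadsheet. Scoring rules are the slides'
(5/4/3/2/1 points for a first to fifth place vote; cell weight =
asset weight * risk weight / 100). Asset names, risk names, control ids and
the ballots below are constructed for illustration.
"""
from collections import defaultdict

POINTS = (5, 4, 3, 2, 1)   # first place .. fifth place


def tally(ballots: list[list[str]]) -> dict[str, int]:
    """Weight = sum of vote values; each ballot is one member's ranked top 5."""
    weight: dict[str, int] = defaultdict(int)
    for ballot in ballots:
        for place, item in enumerate(ballot[:len(POINTS)]):
            weight[item] += POINTS[place]
    return dict(weight)


def ranked(weights: dict[str, int]) -> list[str]:
    """Highest weight first; ties broken by name so the order is reproducible."""
    return sorted(weights, key=lambda k: (-weights[k], k))


def asset_risk_matrix(assets: dict[str, int], risks: dict[str, int]) -> dict[tuple[str, str], float]:
    """Exhibit E: cell weight = (asset weight * risk weight) / 100. Cells are
    inserted in ranked order, so the heaviest pairs come first (upper left)."""
    return {(a, r): assets[a] * risks[r] / 100 for a in ranked(assets) for r in ranked(risks)}


def audit_order(matrix: dict[tuple[str, str], float]) -> list[tuple[str, str]]:
    """Order in which asset/risk pairs get examined: heaviest cell first; ties
    keep the matrix's own asset-then-risk order (sorted() is stable)."""
    return sorted(matrix, key=lambda cell: -matrix[cell])


def cell_controls(matrix: dict[tuple[str, str], float],
                  risk_controls: dict[str, set[int]]) -> dict[tuple[str, str], set[int]]:
    """Exhibit G: each cell lists the control ids from the per-risk list
    (Exhibit F) that could mitigate that risk on that asset."""
    return {(a, r): set(risk_controls.get(r, ())) for (a, r) in matrix}


def compliance(matrix: dict[tuple[str, str], float], risk_controls: dict[str, set[int]],
               installed: dict[str, set[int]]) -> dict[tuple[str, str], str]:
    """Overall compliance matrix: GREEN when at least one mitigating control is
    installed on the asset, RED when none is, GREY when no control is known."""
    status = {}
    for (a, r), controls in cell_controls(matrix, risk_controls).items():
        if not controls:
            status[(a, r)] = "GREY"
        elif controls & installed.get(a, set()):
            status[(a, r)] = "GREEN"
        else:
            status[(a, r)] = "RED"
    return status


# Constructed ballots: four committee members, each ranking their top five.
ASSET_BALLOTS = [
    ["Network", "HR database", "DNS", "Email", "Web"],
    ["Network", "DNS", "HR database", "Email", "Library catalog"],
    ["HR database", "Network", "Email", "DNS", "Web"],
    ["Network", "HR database", "Email", "DNS", "Web"],
]
RISK_BALLOTS = [
    ["Sysadmin practice", "Unpatched OS", "Weak passwords", "DoS", "Physical access"],
    ["Unpatched OS", "Sysadmin practice", "Weak passwords", "Physical access", "DoS"],
    ["Sysadmin practice", "Weak passwords", "Unpatched OS", "DoS", "Physical access"],
    ["Weak passwords", "Sysadmin practice", "Unpatched OS", "DoS", "Physical access"],
]
# Constructed Exhibit F style list: which control ids address which risk.
RISK_CONTROLS = {
    "Sysadmin practice": {2, 5, 8}, "Unpatched OS": {1, 2}, "Weak passwords": {3, 4},
    "DoS": {6, 8}, "Physical access": {7},
}
CONTROL_NAMES = {1: "vendor patches applied", 2: "CIS benchmark scan", 3: "password cracker run",
                 4: "default accounts disabled", 5: "written admin procedures",
                 6: "rate limiting at border router", 7: "machine room badge access",
                 8: "central log review"}
# Constructed control compliance matrix: which controls are installed where.
INSTALLED = {"Network": {6, 8}, "DNS": {1, 2, 8}, "HR database": {1, 3, 4, 5, 8},
             "Email": {1}, "Web": set(), "Library catalog": {7}}

if __name__ == "__main__":
    assets, risks = tally(ASSET_BALLOTS), tally(RISK_BALLOTS)
    matrix = asset_risk_matrix(assets, risks)
    status = compliance(matrix, RISK_CONTROLS, INSTALLED)
    for cell in audit_order(matrix)[:8]:
        ids = sorted(cell_controls(matrix, RISK_CONTROLS)[cell])
        print(f"{matrix[cell]:5.2f}  {cell[0]:15} / {cell[1]:18} {status[cell]:5}  controls {ids}")
```

Run it and the first rows are the cells a reviewer would open first: the heaviest asset against the heaviest risk, with the candidate controls and whether any of them is already in place on that asset.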

81 The Overall Compliance Matrix
- This is a one-page overall report of the status of the assets listed in the Exhibit E (asset/risk) matrix.
- Assets are listed on the X-axis. Risks are listed on the Y-axis.
- Color codes show whether the asset is protected from each risk.
- Shown in Appendix 2.

82 The Asset/Risk Compliance Matrix
- Another way of displaying the report.

83 The Control Compliance Matrix
- Lists the controls from Exhibit F and shows whether the control is installed on a particular asset.
- A quick way to determine which controls are on which asset.

84 The Individual Action Compliance Matrix
- Assets are listed on the X-axis.
- Risks are listed on the Y-axis. Subcategories of the risks are listed and compliance is shown by color-coding the cells.
- The audit/security checklist (shown at the end of Appendix B) contains the actual commands to perform each check.

85 The Audit/Security Checklist - I
- The detailed commands used to check an asset.
- Based on the Defense Information Infrastructure (DII) Common Operating Environment (COE) initiative.
- We took the checklists from that site, modified them according to our R/A matrix and built checklists for Sun, IBM and NT.
- Our thanks to the unknown author who wrote the original document. Checklists are available from http://diicoe.disa.mil/coe
- A fragment is shown in Appendix 3. The full document is available from http://security.vt.edu in the Checklists section.

86 The Audit/Security Checklist - II
- We're now using the CIS Benchmark rulers as our checklists.
- The CIS provides a scanning tool that lets us check the status of our systems quickly.
- See http://www.cisecurity.org to download the scanning tool and the checklist.
- Another example of changing times...

87 STAR Lab Exercise
- We're going to walk through the STAR process as a group.
- I'll provide the asset matrix and we are going to rank the assets.
- I'll provide the risk matrix and we are going to rank the risks.
- We'll map the asset-risk matrix to see how our votes create an "audit" strategy.
- I expect a lively discussion.

88 Recommendations
- The STAR process recommends a general order in which IS should apply scarce resources to perform a cost-benefit analysis for the various assets and risks.
- For each asset, as directed by management, appropriate staff should:
  - Review the risks and controls
  - Add any further risks/controls not identified
  - Assess the potential cost of an incident
  - Assess the cost of control purchases and deployment
  - Analyze cost vs. benefit for each asset
  - Submit results to management, which retains the responsibility to weigh investments and make implementation decisions

89 Conclusions
- TBS provides a quantitative, repeatable method of prioritizing your assets.
- The matrices provide an easy-to-read summary of the state of your assets.
- These matrices can be used to provide your auditors with the information they need.
- The checklist contains the detailed commands to perform the audit/security checks.

90 Unit 4: Building Your IT Audit Plan/Checklist
Sample checklist/audit plans for Unix, NT and Windows 2000 Active Directory

91 The Top Ten Step-by-Step (www.sans.org/topten.htm)
- The Berkeley Internet Name Domain (BIND)
- Common Gateway Interface (CGI) programs
- Remote procedure calls (RPC)
- IIS's Remote Data Services
- Sendmail
- sadmind & mountd
- File sharing over networks
- Demo or guest accounts
- IMAP and POP
- Simple Network Management Protocol (SNMP) default community strings

92 Introduction
- This section is designed to give you a brief overview of the top 10 most critical Internet security threats.
- Your audit plan needs to cover the threats described in this section at a minimum.
- These aren't the only threats... just the most common at the moment.

93 So Many Systems, Not Enough Time...
- 2.3 million hosts are connected to the Net each month. There aren't 2.3 million sysadmins. Something has to give...
- Unfortunately, it's the sysadmin.
- Not enough training, too many conflicting demands on their time.
- The Prime Directive: keep the system up!
- Patch the system? When I have time...

94 Some Pointers About the List
- Each item in the list is divided into 4 parts:
  - A description of the vulnerability
  - The systems affected by the vulnerability
  - A CVE number identifying the vulnerability
  - Some suggested corrections
- What's a CVE number?
  - CVE = Common Vulnerabilities & Exposures, a reference number that uniquely identifies a vulnerability.
  - It's like the Dewey Decimal numbers used in the library: you can go to any library and find the same book using the same Dewey catalog number.
  - CVE does the same for vulnerabilities.

95 Item #1: BIND
- All Internet systems have a hostname and an IP address.
  - Every home is known by its address and by who lives in it. "Hey, is that Randy's house?" "Yeah, it's at 24 Main St."
  - "Randy's house" = hostname
  - "24 Main St." = IP address
- BIND (Berkeley Internet Name Domain) maps hostnames to IP addresses.
  - It's the set of "phone books" of the Internet.

96 Item #1: BIND
- Every network needs a couple of systems that run BIND. They're called nameservers.
- Old versions of BIND have security holes. The nameservers aren't always up to date. They were when they were installed, but that was years ago. It works, so why fix it? Right? Wrong!
- The danger:
  - Hackers get full control of the nameserver and can use it for anything they want.
- A solution:
  - Make sure your version is BIND 8.2.2 patch level 5 or later.

97 Item #2: CGI Scripts
- CGI = Common Gateway Interface.
- It's the interface programmers use to read your input to a WWW-based form and display the result.
- Not everyone knows how to use it, so WWW server vendors supply examples.
- The examples have security holes in them. Some CGI programmers haven't checked their code.

98 Item #2: CGI Scripts
- All Web servers could be affected by this "feature".
- The danger:
  - Your WWW pages could be changed, as happened to the DOJ, CIA, FBI and ValuJet sites.
  - Your WWW server could be used to attack other sites.
- A solution:
  - Remove unsafe CGI scripts (including unneeded vendor samples) from the WWW server.

99 Item #3: Remote Procedure Calls (RPC)
- RPC allows a computer to run a program on another computer.
- It's used by computers that share files between them.
- Many client-server systems depend on the use of RPC calls.
- Unix systems (Solaris, AIX, HP-UX, Linux, Tru64, IRIX) were primarily affected, but any computer that uses the RPC subsystem is vulnerable.

100 Item #3: Remote Procedure Calls (RPC)
- The danger:
  - Older versions of the RPC services have security weaknesses that allow hackers to gain full control of your computer(s).
- A solution:
  - Disable the RPC services if you don't use them.
  - Install the latest vendor patches.

101 Item #4: Microsoft Internet Information Server (IIS)
- Windows NT and Windows 2000 Web servers use IIS to support web services.
- IIS has a component called Remote Data Services (RDS) that could allow a hacker to run remote commands with administrator privileges.

102 Item #4: Microsoft Internet Information Server (IIS)
- The danger:
  - A hacker can run commands on another system without having to access it directly.
- A solution:
  - Read the Microsoft technical bulletins that describe how to fix the problem.

103 Item #5: Sendmail Weakness
- Sendmail is one of the original Internet email programs.
- It was a graduate programming project that was never designed to work in a "production" environment.
- It became the de facto standard.
- Versions before 8.10 had security problems.
  - Some vendors still ship Sendmail v5.65!
- Most vendors shipped their systems with these older versions.

104 Item #5: Sendmail Weakness
- The 1988 Internet Worm exploited a problem in sendmail. There are a lot of systems that still run that version of sendmail. Why? It works!
- The danger:
  - Hackers can run commands on your systems without ever logging in. Hackers can take over your machine.
- A solution:
  - Update to the latest version of sendmail.

105 Item #6: sadmind and mountd
- sadmind is used by Solaris applications to run distributed sysadmin operations. It executes requests on the server on behalf of a client program. Sounds like RPC? It is.
- mountd controls file sharing across the network using NFS. This is the program that "attaches" a remote disk to your computer.

106 Item #6: sadmind and mountd
- The danger:
  - Hackers can cause these programs to give them root access. They can take over your machine.
  - This was one of the primary ways hackers set up the systems used in the recent DDoS attacks against Yahoo, CNN and other sites.
- A solution:
  - Install the latest vendor patches for sadmind and mountd.

107 Item #7: Global File Sharing
- You can share files between computers using tools like Network Neighborhood (Windows), AppleShare (Macintosh) or NFS (Unix).
- By default, the access is read-write.
- Anyone on the same network could access your files. In the old days the network was small, but now the network is the Internet, so anyone anywhere in the world could access your files if you let them.
- The problem is that you don't always know that you're letting them.

108 Item #7: Global File Sharing
- This is a real danger to homes that have direct-connect (always-on) modems.
- The danger:
  - People can get access to your personal data, for example your checking account data (if you use MS Money), your email, etc.
- A solution:
  - Make sure you know what you're sharing.
  - Make sure you know who you're sharing it with.

109 Item #8: User Accounts with No Passwords
- Some systems come with demo or guest accounts with no passwords or well-known passwords.
- The initial/default password for the VMS system manager account, SYSTEM, was MANAGER. The initial password for the field service account, FIELD, was SERVICE.
- People forgot to change these passwords.
- The first thing hackers do is check whether the default passwords were changed. Why waste a lot of effort if the door is unlocked?

110 Item #8: User Accounts with No Passwords
- The danger:
  - Someone can get complete control of your system.
  - Someone can get access to your system via a general account and then run exploit tools on your system to get full control of it.
- A solution:
  - Change your root and administrator passwords before the system goes into production.
  - Run a password-checking program to discover who has weak passwords on your system. Do it before the hackers do!

111 Item #9: IMAP, POP Vulnerabilities
- IMAP and POP are two common email protocols that provide additional features to email users.
- They allow users to access their email accounts from anywhere on the Internet.
- Firewalls usually allow email using these services to pass through.
- Quality control of the server software is inconsistent most of the time.

112 Item #9: IMAP, POP Vulnerabilities
- The danger:
  - Hackers can gain access to your internal network if they can subvert IMAP or POP mail server systems.
  - If successful, they gain complete control of the system.
- A solution:
  - Make sure you've installed the latest patches.
  - Run the services on your mail servers only.

113 Item #10: SNMP Vulnerabilities
- Simple Network Management Protocol (SNMP) is used by network managers to monitor the status, performance and availability of the network.
- The net managers can remotely manage their routers, printers and systems using SNMP.
- SNMP has very weak authentication. Its "password" is a community string, and the well-known defaults are "public" (read) and "private" (read-write).
- Everyone knows this.

114 Copyright 2001 Marchany114 Item #10: SNMP Vulnerabilities  The Danger: –Hackers can gain control of network devices such as routers. They could shut them down. –They can map your network w/o your knowledge.  A Solution: –Pick strong community strings (passwords) for your SNMP devices. –Make the MIBs read only.
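Added example, not from Marchany's slides: the SNMP fix stated as a check an auditor can run against an agent configuration. Both configs below are constructed; the rocommunity/rwcommunity directive syntax is Net-SNMP's snmpd.conf, so routers and printers need the equivalent check in their own configuration language. The community string in the hardened config is an invented placeholder.

```shell
#!/bin/sh
# Audit a Net-SNMP style snmpd.conf for the two SNMP ruler items:
# default community strings and read-write (MIB-writable) communities.
# Added example; configs are constructed for the demo.

# "Before": the out-of-the-box mistake the slides describe.
weak_conf() {
    cat <<'EOF'
# snmpd.conf (constructed)
rocommunity public
rwcommunity private
EOF
}

# "After": a long string, read-only, accepted only from the management
# station, and no rwcommunity at all (the MIBs are read-only).
hardened_conf() {
    cat <<'EOF'
# snmpd.conf (constructed)
rocommunity 8kQm2v-netmgmt-7Fz1 192.0.2.10
EOF
}

# Read an snmpd.conf on stdin and print one finding per line.
# Prints nothing when the config passes every check.
audit_snmpd_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "rocommunity" || $1 == "rwcommunity" {
            c = $2
            src = (NF >= 3) ? $3 : "ANY"        # rocommunity NAME [SOURCE]
            if ($1 == "rwcommunity")
                print "WRITE   " c ": read-write community, MIBs are not read-only"
            if (c == "public" || c == "private")
                print "DEFAULT " c ": well-known community string"
            if (length(c) < 12)
                print "SHORT   " c ": community string under 12 characters"
            if (src == "ANY")
                print "OPEN    " c ": accepted from any source address"
        }'
}

# Number of findings for a config produced by the function named in $1.
finding_count() {
    "$1" | audit_snmpd_conf | wc -l | tr -d ' '
}

# Demo run: the weak config produces findings, the hardened one none.
weak_conf | audit_snmpd_conf
echo "weak: $(finding_count weak_conf) findings, hardened: $(finding_count hardened_conf) findings"
```

Run it against the real file with `audit_snmpd_conf < /etc/snmp/snmpd.conf`; a community that is also the device's Telnet or enable password is a separate finding that no config parser will catch.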

115 Summary  Most successful system and network attacks exploit a small set of vulnerabilities.  The Top 10 list briefly describes this set of vulnerabilities and gives you references for learning more about them.  More importantly, it gives you some suggested fixes for each problem.  You have the basis for an effective audit plan.  Our individual security depends on our mutual security.

116 Summary  You won’t eliminate all of your exposure by closing these 10 holes. Constant vigilance and awareness is the best defense.  The consequences of failure could drive your company out of business.  There’ll be another Top 10 to inspect in the future, but at least we got rid of these items.

117 What have we just done?  The Top 10 threats meet our TBS (Time Based Security) risk criteria: –Have a high probability of occurring –Result in the loss of a critical service –Are extremely expensive to fix later –Result in heavy, negative publicity

118 Unit 5: Audit Checklists Based on the CIS Rulers  Procedural, Perimeter, and UNIX

119 Applying TBS to the real world!  Top Ten Vulnerabilities: the vulnerabilities responsible for most hacks  Apply TBS as an approach to an effective, understandable security policy –Basics –Perimeter –Unix –NT –Windows 2000

120 The TBS Audit Layers  A complete IT audit is a set of component audits. You should be able to measure E, D and R times for each layer of the security architecture.  Components –Procedural: E = D + R –Perimeter (Firewall): E = D + R –UNIX: E = D + R –NT/Windows 2000: E = D + R

121 CIS Rulers  Rulers list a set of minimal actions that need to be done on a host system.  This is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Caterpillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Educational Testing Service and others).  Can’t develop your own set? Use these!  http://www.cisecurity.org

122 CIS Rulers: A Security and Audit Checklist  Level 1 –Mandatory actions required regardless of the host’s location or function.  Level 2 –Dependent on your network topology –Different for switched nets vs. shared nets vs. wireless nets, etc.

123 CIS Rulers: Security Checklist & Audit Plan  Level 3 –Application specific (WWW, FTP, DB, Auth)  Procedural –Examines the policies in place. –This is the policy review checklist. [Diagram: Level 1 is the base layer for every host; Level 2 is split by network type (Switched, Non-Switched, Wireless); Level 3 is split by application (FTP, WWW, DB, Mail)]

124 CIS Rulers: Procedural  General Administration Policies  Key security tools installed  User Accounts and environment  System Logs  Network file sharing  General Email Issues  This review is done during the Audit Planning phase of the audit process

125 CIS Ruler: Procedural  General Administration Policies –Acceptable Use Policy –Backup Policy –Security Administrator duties –Whois contact information (Tech/Admin) –System changelogs (source revision control) –Incident Response –Minimum software requirements –User, temp, system account policies –Patches

126 CIS Ruler Example: Backups · Does a backup policy exist? · Do backup logs exist? · What data is backed up? · How often is data backed up? · What type of backup (full, differential, etc.)? · How are the backups scheduled and verified? · How is the backup media handled and labeled? · How is the backup media stored? · How long is the backup media retained? · How is backup media rotated and expired? · How is backup data recovered?

127 CIS Ruler: Procedural  Key security tools installed –Network routers implement minimum filtering requirements –Verify network routers are properly configured and monitored for inbound/outbound traffic –Verify all firewalls are properly configured and monitored for inbound/outbound traffic –The above rules (egress filtering in particular) keep DDoS attacks launched from your hosts from affecting other nets.

128 CIS Ruler: Procedural  User Accounts and Environment –Remove obsolete user entries from the system  System Logs –How long are they kept? Are they secured?  Network file sharing –Review what filesystems this system can access –Review what filesystems this system exports  Email Policy –Abuse policy?

129 CIS Ruler: Written Documentation and Policies  Where is it?  Is it available to anyone who needs it?  Is it up to date?  Is anything major missing (SGI policies, but no HP policies)?

130 CIS Ruler Example: Security Policy  Purpose - the reason for the policy.  Related documents - lists any documents (or other policy) that affect the contents of this policy.  Cancellation - identifies any existing policy that is cancelled when this policy becomes effective.  Background - provides amplifying information on the need for the policy.  Scope - states the range of coverage for the policy (to whom or what does the policy apply?).  Policy statement - identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization.  Action - specifies what actions are necessary and when they are to be accomplished.  Responsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated.

131 Procedural: Incident Response Plan  Are the six Incident Response steps covered? –Preparation –Identification –Containment –Eradication –Recovery –Lessons Learned (if there are no lessons-learned documents, either the plan isn’t followed or no incidents have occurred).

134 Procedural: Training & Education  Do technical people have the training to do their job competently?  Are there standards their skills can be measured against?  Are there standards of compliance that ensure they are using their training in accordance with policy?

135 Procedural: Physical Security  Consoles in physically secure areas?  Fire suppression?  Backups? Offsite backups?  Network components secured?  Phone wiring secured?

136 Procedural: Windows 2000  These are based on the SANS “Securing Windows 2000” booklet.  Least Privilege Principle  Avoid granting unnecessary Admin privileges.  Limit Domain Trust.  Restrict modems in workstations and servers.  Limit access to sniffer software (Network Monitor).

137 Procedural: Windows 2000  Keep system software updated.  Update and practice a Recovery Plan.  Require strong passwords.  Require password-protected screen savers.  Establish auditing and review policies.  Require Administrators to have both a User and an Administrator account.  Require antivirus software.  Install host-based IDS.  Perform periodic low-level security audits.

138 CIS Procedural Ruler Review  Procedural rulers give you a starting point for determining your site’s policy “pie”  These policies include acceptable use, privacy, incident response, accountability, backup and any other appropriate action  The CIS procedural ruler is a consensus list of practices done at the charter members’ sites.

139 CIS Level 1 Ruler: Unix  Patches  Key Security Tools Installed  System Access, authentication, authorization  User Accounts and Environment  Kernel-Level TCP/IP Tuning  Kernel Tuning

140 CIS Level 1 Ruler: Unix  Batch Utilities: at/cron  UMASK issues  File/Directory Permissions/Access  System Logging  SSH  Minimize network services

141 CIS Level 1 Ruler: Unix  Minimize RPC network services  Minimize standalone network services  General Email Issues  X11/CDE  General Administration Policies  Specific Servers –www, ftp, DB, Mail, NFS, Directory, Print, Syslog

142 CIS Level 1 Unix Ruler - Patches  Define a regular procedure for checking, assessing, testing and applying the latest vendor-recommended and security patches.  Keep 3rd-party application patches updated.  Why? –The first line of defense is proper patch/Service Pack installation. –Patches are living and need to be updated regularly

143 CIS Level 1 Unix Ruler: Security Tools  These tools help decrease your detection time, D  Install the latest version of TCP Wrappers on appropriate network services  SSH for login, file copy and X11 encryption  Install a cryptographic file-signature function to monitor changes in critical system binaries and config files (Tripwire)

144 CIS Level 1 Unix Ruler: Security Tools  Install PortSentry or similar personal FW software  Run NTP or some other time sync tool  Run “logcheck” or a similar syslog analysis or monitoring tool  Install the latest version of sudo

145 CIS Level 1 Unix Ruler: Access, Authorization  No trusted-hosts features: .rhosts, .shosts or /etc/hosts.equiv  Create an appropriate banner for any interactive network service  Restrict direct root login to the system console  Verify the shadow password file format is used  Verify PAM configuration

146 CIS Level 1 Unix Ruler: Kernel-Level TCP/IP Tuning  System handling of ICMP packets is secured  System handling of source-routed packets is secured  System handling of broadcast packets is secured  Use strong (unpredictable) TCP Initial Sequence Numbers  Harden against TCP SYN flood attacks

147 CIS Level 1 Unix Ruler: Kernel-Level Tuning, Batch Utilities  Enable kernel-level auditing  Enable stack protection (non-executable stack)  Ensure ulimits are defined in /etc/profile and /etc/.login  Restrict batch (at/cron) access to authorized users  Ensure cron files are only readable by root or the cron user

148 CIS Level 1 Unix Ruler: UMASK, File Perms, Access  Set daemon umask to 022 or stricter  Set user default umask (022 or 027)  Console EEPROM password enabled?  Check /dev entries for sane ownership and permissions  Mount filesystems RO or NOSUID where possible  All filesystems except / mounted NODEV

149 CIS Level 1 Unix Ruler: File Perms and Access  Verify passwd, group, shadow file perms  Verify SUID, SGID system binaries  Disable SUID, SGID on binaries only used by root  No world-writable dirs in root’s search path  Sticky bit set on all temp directories  No NIS/NIS+ features in passwd or group files if NIS/NIS+ is disabled

150 See what we can find
/usr/bin/find / -local -type f -name '.rhosts' -exec ls -al {} \; -exec cat {} \;    (.rhosts files, with their contents)
/usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal {} \;    (SUID root files)
/usr/bin/find / -local -type f -user root -perm -2000 -exec ls -dal {} \;    (SGID root files)
find / \( -local -o -prune \) -perm -0002 -print    (world-writable files and directories)
find / -name .netrc -print    (.netrc files, which hold cleartext FTP passwords)
find / -perm -1000 -print    (sticky bit set)
Note: -local is a Solaris find primary that limits the search to local filesystems, so NFS mounts are skipped. On Linux and BSD use -xdev instead, and append 2>/dev/null to hide permission-denied noise.

151 Audit Report Example  Audit Method: ls -la (list files) against critical files to determine their permissions  Finding: Several system configuration files in /etc are writable by non-privileged users  Risk Level: High  Security Implication: The /etc directory is critical for establishing the operating configuration of many system services, including startup and shutdown. If an attacker is able to modify these files, it may be possible to subvert privileged operating system commands.  Recommendation: –Change permissions of all files in /etc to be writable by root or bin only.

152 /dev Permissions Exhibit
# ls -l /dev
total 72
-rwxr-xr-x 1 root root 26450 Sep 24 1999 MAKEDEV
crw------- 1 root sys 14, 4 Apr 17 1999 audio
crw------- 1 root sys 14, 20 Apr 17 1999 audio1
brw-rw---- 1 root disk 32, 0 May 5 1998 cm206cd
crw--w--w- 1 root root 5, 1 May 26 15:17 console
brw------- 1 root floppy 2, 1 May 5 1998 fd1
brw-rw---- 1 root disk 16, 0 May 5 1998 gscd
brw-rw---- 1 root disk 3, 0 May 5 1998 hda
brw-rw---- 1 root disk 3, 1 May 5 1998 hda1
brw-rw---- 1 root disk 3, 10 May 5 1998 hda10
brw-rw---- 1 root disk 3, 11 May 5 1998 hda11
brw-rw---- 1 root disk 3, 12 May 5 1998 hda12
brw-rw---- 1 root disk 3, 13 May 5 1998 hda13
brw-rw---- 1 root disk 3, 14 May 5 1998 hda14
brw-rw---- 1 root disk 3, 15 May 5 1998 hda15
brw-rw---- 1 root disk 3, 16 May 5 1998 hda16

153 World-Writable and SUID/SGID Files  Audit Method: find commands were executed on the servers to locate all files with world-writable permissions and SUID/SGID permissions. The output was redirected to appropriate files for later analysis.  Finding: A large number of world-writable and SUID/SGID files were found on the server XYZ. Further, a number of files in the /usr, /opt and /var directories allow all users to have write permission.  Security Implication: World-writable files allow any user or an intruder to change the contents of a file, affecting information integrity. Also, for executable files, an intruder may replace the file with a trojan horse that can damage the system and its integrity. SUID/SGID files execute with the privilege of the owner/group. These can be subverted by an unauthorized user or intruder to escalate their privilege to that of the owner/group of the SUID/SGID file.  Risk Level: High  Recommendation: –Review all world-writable and SUID/SGID files on the system. Freeware tools like fix-modes or YASSP can facilitate identifying and correcting the permissions on files. After the review, create a list of all the remaining “approved” world-writable and SUID/SGID files on the system and store it in a secure place. Periodically, check the system against this list to identify changes and ensure that such changes are approved. –NFS shared files, especially files in /usr, /opt and /var, should be exported read-only to specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like /tmp, /dev and /) should be mounted with the nosuid option to prevent the inadvertent granting of SUID privilege on NFS-mounted files.
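Added example, not from Marchany's slides: the “approved list” recommendation above turned into a repeatable check. It enumerates world-writable and SUID/SGID regular files under a tree, records them as a baseline, and reports anything that has appeared or disappeared since. The directory tree built by make_demo_tree is constructed for the demo; the paths, modes and the baseline contents are invented.

```shell
#!/bin/sh
# Audit world-writable and SUID/SGID files against an approved baseline.
# Added example; the demo tree and baseline are constructed, not a real host.

# Build a small constructed tree in a temp directory and print its path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/opt/app" "$root/var/tmp"
    : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"   # SUID, expected
    : > "$root/usr/bin/wall";    chmod 2755 "$root/usr/bin/wall"     # SGID, expected
    : > "$root/opt/app/helper";  chmod 4755 "$root/opt/app/helper"   # SUID, not approved
    : > "$root/opt/app/config";  chmod 666  "$root/opt/app/config"   # world-writable
    : > "$root/var/tmp/scratch"; chmod 644  "$root/var/tmp/scratch"  # harmless
    printf '%s\n' "$root"
}

# List every world-writable, SUID or SGID regular file under $1 as
# "<mode string> <path relative to $1>", one per line, sorted.
# -xdev keeps find on one filesystem (the Linux/BSD counterpart of Solaris -local).
list_risky_files() {
    root=$1
    find "$root" -xdev -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while read -r f; do
        # First ls column, trimmed to 10 chars so an SELinux/ACL marker ('.' or '+') is dropped
        mode=$(ls -ld "$f" | awk '{ print substr($1, 1, 10) }')
        printf '%s %s\n' "$mode" "${f#"$root"}"
    done | LC_ALL=C sort
}

# Compare the current list against an approved baseline file (same line format).
# Prints "NEW  <entry>" for files not in the baseline and "GONE <entry>" for
# baseline entries no longer present; prints nothing when the host matches.
diff_against_baseline() {
    root=$1; baseline=$2
    list_risky_files "$root" > "$root.current"
    LC_ALL=C sort "$baseline" > "$root.baseline"
    LC_ALL=C comm -13 "$root.baseline" "$root.current" | sed 's/^/NEW  /'
    LC_ALL=C comm -23 "$root.baseline" "$root.current" | sed 's/^/GONE /'
}

# Demo run: record the approved list once, then audit against it.
ROOT=$(make_demo_tree)
printf '%s\n' '-rwsr-xr-x /usr/bin/passwd' '-rwxr-sr-x /usr/bin/wall' > "$ROOT.approved"
diff_against_baseline "$ROOT" "$ROOT.approved"
```

On a real host run `list_risky_files /` once after the cleanup, store the output on read-only media as the approved list, and schedule `diff_against_baseline` from cron; a NEW line is either an approved change you can trace in the changelog or an incident.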

154 CIS Level 1 Unix Ruler: System Logging and SSH  Capture messages sent to the syslog AUTH facility (enable system logging)  Copy syslogs to a central syslog server  Audit failed logins and su attempts  Enable system accounting  Logins allowed via SSH only (no rsh, rlogin, ftp or telnet)

155 CIS Level 1 Unix Ruler: Reduce Services (/etc/inetd.conf)  Disable name (UDP)  Disable exec/rexec (TCP)  Disable login/rlogin (TCP)  Disable uucp (TCP)  Disable systat (TCP)  Disable netstat (TCP)  Disable time (TCP/UDP)

156 CIS Level 1 Unix Ruler: Reduce Net Services (/etc/inetd.conf)  Disable echo (TCP)  Disable discard (TCP/UDP)  Disable daytime (TCP/UDP)  Disable chargen (TCP/UDP)  Disable rusersd (RPC)  Disable sprayd (RPC)  Disable rwall (RPC)

157 CIS Level 1 Ruler: Reduce Net Services (/etc/inetd.conf)  Disable rstatd (RPC)  Disable rexd (RPC)  Use TCP Wrappers for all enabled network services (TCP/UDP)

158 Sample /etc/inetd.conf
# Shell, login, exec, comsat and talk are BSD protocols.
# shell   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
login     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
#exec     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
#comsat   dgram   udp  wait    root        /usr/sbin/tcpd  in.comsat
talk      dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
This is a fragment of /etc/inetd.conf where shell, login, talk, and ntalk probably should be commented out. Note the /usr/sbin/tcpd in the server column, so this system is probably running TCP Wrappers. More of the file is in the notes pages.
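Added example, not from Marchany's slides: the “reduce services” slides above as a script that reads an inetd.conf, ignores commented-out lines, and flags each enabled service that the Level 1 or Level 2 Unix rulers say to disable, plus any enabled service not wrapped by tcpd. The inetd.conf fragment built by make_demo_inetd_conf is constructed for the demo and modelled on the sample above.

```shell
#!/bin/sh
# Audit /etc/inetd.conf against the rulers' disable list and TCP Wrappers use.
# Added example; the demo inetd.conf is constructed.

# Service names (first inetd.conf column) the Level 1 and Level 2 Unix rulers
# say to turn off. RPC entries are matched on the name before the "/version".
DISABLE_LIST="name exec login shell uucp systat netstat time echo discard daytime chargen"
DISABLE_LIST="$DISABLE_LIST rusersd sprayd rwall rstatd rexd ftp telnet comsat talk ntalk tftp finger sadmind rquotad"

# Constructed inetd.conf written to a temp file; prints the file name.
make_demo_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed fragment modelled on the sample slide.
ftp     stream  tcp     nowait  root       /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp     nowait  root       /usr/sbin/tcpd        in.telnetd
#shell  stream  tcp     nowait  root       /usr/sbin/tcpd        in.rshd
login   stream  tcp     nowait  root       /usr/sbin/tcpd        in.rlogind
#exec   stream  tcp     nowait  root       /usr/sbin/tcpd        in.rexecd
talk    dgram   udp     wait    nobody.tty /usr/sbin/tcpd        in.talkd
finger  stream  tcp     nowait  nobody     /usr/sbin/in.fingerd  in.fingerd
ssh     stream  tcp     nowait  root       /usr/sbin/tcpd        sshd -i
rusersd/2-3 dgram rpc/udp wait  root       /usr/sbin/rpc.rusersd rpc.rusersd
EOF
    printf '%s\n' "$f"
}

# Print "<service> <proto> <server> [DISABLE] [NO-TCPD]" for every enabled line
# of the inetd.conf named in $1. Commented and blank lines are not enabled.
audit_inetd_conf() {
    awk -v disable="$DISABLE_LIST" '
        BEGIN { n = split(disable, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # commented out or blank: not enabled
        {
            svc = $1; proto = $3; server = $6  # service socket proto wait user server args
            sub(/\/.*/, "", svc)               # RPC entries look like rusersd/2-3
            flags = ""
            if (svc in bad) flags = flags " DISABLE"
            if (server !~ /\/tcpd$/) flags = flags " NO-TCPD"
            print svc, proto, server flags
        }' "$1"
}

# Number of enabled services the rulers say to disable.
count_to_disable() {
    audit_inetd_conf "$1" | grep -c ' DISABLE' || true
}

# Demo run.
CONF=$(make_demo_inetd_conf)
audit_inetd_conf "$CONF"
echo "services to disable: $(count_to_disable "$CONF")"
```

A line with both DISABLE and NO-TCPD (finger and rusersd in the demo) is the worst case: an unneeded service that also bypasses the wrapper's access control and logging, so there is no detection of who probed it.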

159 Output Example: fingerd running  Audit Method: telnet localhost 79 to connect to the local system’s finger daemon  Finding: fingerd is active  Risk Level: Low  Security Implication: Finger can be used to gain reconnaissance information about the system, including the last login time, where a user is logged in from, and information about their shell. This information could be used to set up either a social engineering or a trust-model-based attack.  Recommendation: –If finger is not a business-critical application in this environment, disable finger or replace it with free tools such as sfinger.

160 CIS Level 1 Unix Ruler: Reduce RPC Network Services  Restrict NFS client requests to originate from privileged ports  No filesystem should be exported with root access  Export list restricted to a specific range of addresses  Export RO if possible  Export NOSUID if possible
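Added example, not from Marchany's slides: the NFS items above (privileged client ports, no root access, restricted export list, read-only where possible) as a check over an exports file. The file built by make_demo_exports is constructed; the syntax assumed is the Linux /etc/exports form “path client(opts) client(opts)”, where a bare path or “*” means everyone, rw overrides the read-only default, no_root_squash grants remote root, and insecure accepts requests from unprivileged client ports. Solaris uses share(1M) and needs its own parser.

```shell
#!/bin/sh
# Audit a Linux-style /etc/exports against the NFS ruler items.
# Added example; the exports file is constructed.

# Constructed /etc/exports written to a temp file; prints the file name.
make_demo_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed /etc/exports
/export/home    10.1.2.0/24(rw,sync) backup.example.com(ro)
/export/tools   *(ro)
/export/scratch *(rw,no_root_squash,insecure)
/export/old
EOF
    printf '%s\n' "$f"
}

# Print one line per (export, client): "<path> <client> <findings>", where
# findings is "ok" or a comma-separated subset of WORLD, RW, ROOT, INSECURE.
audit_exports() {
    awk '
        function report(path, client, opts,    f) {
            f = ""
            if (client == "*")                          f = f "WORLD,"
            if (("," opts ",") ~ /,rw,/)                f = f "RW,"
            if (("," opts ",") ~ /,no_root_squash,/)    f = f "ROOT,"
            if (("," opts ",") ~ /,insecure,/)          f = f "INSECURE,"
            if (f == "") f = "ok"; else sub(/,$/, "", f)
            print path, client, f
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            path = $1
            if (NF == 1) { report(path, "*", ""); next }   # bare path: exported to everyone
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {            # client(opt1,opt2)
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"             # (rw) alone also means everyone
                report(path, client, opts)
            }
        }' "$1"
}

# Number of exports reachable from any host at all.
count_world_exports() {
    audit_exports "$1" | grep -c 'WORLD' || true
}

# Demo run.
EXPORTS=$(make_demo_exports)
audit_exports "$EXPORTS"
echo "world-reachable exports: $(count_world_exports "$EXPORTS")"
```

The combination WORLD,RW,ROOT,INSECURE on one line is the mountd scenario from Item #6: any host on the Internet can mount the tree, write to it as root, and do so from a non-privileged port, so even a non-root user on a trusted client could forge requests.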

161 CIS Level 1 Unix Ruler: Email, X11/CDE  Use Sendmail v8.9.3 or later (v8.11.4 is current as of 6/15/01)  Restrict the sendmail ‘prog’ mailer  Verify privileges and checksums for mail programs  Ensure the X server is started with Xauth  Use SSH to access X programs on remote hosts

162 CIS Level 1 Unix Ruler: User Accts, Environment  Enforce strong passwords  No null passwords  Remove root-equivalent users (UID = 0)  No “.” in root’s PATH  No dot-files world- or group-writable  Remove .netrc, .exrc, .dbxrc files  User $HOME dirs should be mode 755 or stricter

163 TBS Example Using E = D + R  Security policy: an automated script that checks the password file for users with UID 0 (superuser access) returns user ”zippy”.  Syslog is checked:
Apr 15 21:07:59 6C: goodnhacked.com telnetd[5020]: connect from some.com
Apr 15 21:08:18 6E: goodnhacked.com login[5021]: ?@some.com as zippy
IDS returns:
21:07:16.63 badguy.com.26617 > goodnhacked.com.5135: udp
21:07:16.66 goodnhacked.com.5135 > badguy.com.26617: udp 69
5135 is the SGI Object Server, which has a known vulnerability.
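Added example, not from Marchany's slides: the “automated script to check the password file” from the example above, extended to the other account items in the Level 1 ruler (Item #8's password checking, “no null passwords”, “remove root-equivalent users”). It reports extra UID 0 accounts, accounts with an empty password field in either passwd or shadow, and UIDs shared by more than one account. The passwd and shadow contents are constructed; the hashes are placeholder strings, not real hashes.

```shell
#!/bin/sh
# Check passwd/shadow for root-equivalent users, null passwords and shared UIDs.
# Added example; the account files are constructed.

# Write constructed passwd and shadow files into a temp directory; print its path.
make_demo_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
zippy:x:0:100:Zippy:/home/zippy:/bin/sh
guest::1001:100:Guest:/home/guest:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$placeholder$notarealhash:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
zippy:$6$placeholder$notarealhash:11000:0:99999:7:::
guest::11000:0:99999:7:::
alice:$6$placeholder$notarealhash:11000:0:99999:7:::
bob::11000:0:99999:7:::
EOF
    printf '%s\n' "$d"
}

# Accounts with UID 0 other than root: the check from the TBS example.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/passwd"
}

# Accounts whose password field is empty in passwd (pre-shadow systems kept the
# hash there) or in shadow: no password at all, the unlocked door of Item #8.
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1/passwd" "$1/shadow" | LC_ALL=C sort -u
}

# UIDs used by more than one account, as "<uid>: <name> <name>...".
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1/passwd" | LC_ALL=C sort
}

# Demo run.
D=$(make_demo_files)
echo "root-equivalent:   $(uid0_accounts "$D" | tr '\n' ' ')"
echo "null passwords:    $(null_password_accounts "$D" | tr '\n' ' ')"
duplicate_uids "$D" | sed 's/^/shared uid:        /'
```

Run the three functions with `/etc` as the argument from cron and mail any non-empty output: a new UID 0 entry is the D in E = D + R, and the time from that mail to the account being removed is R.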

164 CIS Level 1 Ruler Review  The previous action items should be done on any Unix system on your network regardless of its function  A similar checklist is being developed for Windows 2000.  The Level 1 rulers impose a minimum security standard on all Unix and Windows 2000 systems.

165 CIS Level 2 Rulers  Once Level 1 rulers have been applied, you pick the appropriate Level 2 ruler.  This is very organization specific. What works at my site might not apply at yours.  Additional services may be disabled if they aren’t needed.

166 CIS Level 2 Ruler: Unix  Kernel-level TCP/IP tuning  Physical Console Security  SSH  Minimize network services  Minimize RPC network services  General email issues  X11/CDE

167 CIS Level 2 Ruler: Unix  Kernel Tuning –Network options for non-router machines –Disable multicast  Physical Console Security –Enable EEPROM password. Who knows it?  SSH –Restrictively configure it

168 CIS Level 2 Ruler: Unix  Minimize Network Services –Disable inetd entirely –Disable FTP –Disable Telnet –Disable rsh/rlogin –Disable comsat –Disable talk –Disable tftp

169 CIS Level 2 Ruler: Unix  Minimize network services –Disable finger –Disable sadmind –Disable rquotad –Disable CDE Tooltalk server (ttdbserverd) –Disable RPC/UDP/TCP ufs –Disable kcms_server

170 CIS Level 2 Ruler: Unix  Disable fontserver  Disable cachefs service  Disable Kerberos server  Disable printer server  Disable gssd  Disable CDE dtspc  Disable rpc.cmsd calendar server

171 CIS Level 2 Ruler: Unix  Minimize Network Services –If FTP service is enabled, see additional Level 3 requirements for FTP servers –If tftp is enabled, use the security option –If sadmind is enabled, use the security option

172 CIS Level 2 Ruler: Unix  Minimize RPC network services –Disable NFS server –Disable Automounter –Disable NFS client services –Add ports 2049, 4045 to the privileged port list –Disable NIS –Disable NIS+ –Replace rpcbind with a more secure version

173 CIS Level 2 Ruler: Unix  General Email Issues –Don’t run sendmail on machines that don’t receive mail –Remove mail aliases which send data to programs (vacation)  X11/CDE –Disable CDE if not needed –Use the SECURITY extension for the X server to restrict access

174 CIS Level 2 Ruler Review  Level 2 rulers are site specific.  They are more sensitive to vendor software requirements. For example, a vendor product may require that you enable the dreaded r-commands. You have no choice, so you keep an eye on that vulnerability.  They may impose stricter standards.

175 CIS Level 3 Ruler Example: Perimeter Defense  Scope of Impact - the whole site  Probability of Impact - 100% if connected to the Internet  Wide variety of opinions  Every site has a firewall (FW) of some sort. It may be a packet-filtering router or a fancy stateful FW.  What about wireless nets?

176 Firewalls: Where’s the Threat?  FWs look to the outside for threats.  Can be circumvented by the wireless world.  Don’t prevent internal attacks.  Useless? NO! It’s a component of your layered defense. Remember the TBS layered-defense equations.  Personal FW software is GOOD! –Makes wireless nets more secure!  What if crimes are committed by someone inside the firewall?

177 Firewalls require management.  Someone has to manage the firewall. –Someone has to assure that the firewall is configured properly. –Someone has to assure that all new applications don’t violate security policies. –Someone has to review firewall logs. –Firewalls generate a HUGE number of logs.

178 Sample Firewall Ruler  Firewalls are one part of a layered defense which should include: –A properly configured border router. –A virus detection solution. –An authentication system for trust management. –Properly configured operating systems and Internet applications. Personal FW software installed on all hosts. –An Intrusion Detection System  Firewalls require monitoring and change control management.

179 TBS and the Perimeter  E = D + R  Perimeter defenses are an effective method of “shrinking” D and R and so decreasing E. [Diagram: INTERNET -> ISP -> front-end firewall; critical systems (DNS, Email) located on a screened subnet off one leg of the firewall; E is measured at the front end]

180 Example: D&R at the Perimeter
Oct 12 01:04:26 ucc3.edu 45725: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 1 packet
Oct 12 01:10:14 ucc3.edu 45730: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 3 packets
This is a log file from a Cisco router on the perimeter. It shows the router blocking repeated attempts (two log entries, four packets in total) from the same source to destination port 3128, the Squid proxy. Note: “denied” implies D and R are working. The times are very small!
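Added example, not from Marchany's slides: the log review that “someone has to do” on the firewall, applied to the Cisco access-list messages above. It picks out the %SEC-6-IPACCESSLOGP denies, ignores permits, and totals packets per source address and destination port so the perimeter analyst sees the noisiest source first. The log lines built by make_demo_log are constructed in the same format as the slide; the addresses and counters are invented.

```shell
#!/bin/sh
# Summarise Cisco IOS access-list deny messages by source and destination port.
# Added example; the log is constructed.

# Constructed router log written to a temp file; prints the file name.
make_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct 12 01:04:26 ucc3.edu 45725: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 1 packet
Oct 12 01:10:14 ucc3.edu 45730: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 3 packets
Oct 12 01:12:02 ucc3.edu 45733: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 203.0.113.7(40112) -> 172.20.8.233(111), 5 packets
Oct 12 01:12:09 ucc3.edu 45734: 8w5d: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 198.51.100.9(51000) -> 172.20.8.10(25), 1 packet
Oct 12 01:15:40 ucc3.edu 45740: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied udp 203.0.113.7(40113) -> 172.20.8.233(161), 2 packets
EOF
    printf '%s\n' "$f"
}

# Print "<src-ip> <dst-port> <proto> <packets>" per (source, destination port),
# highest packet count first, for the log file named in $1.
summarize_denies() {
    awk '
        /%SEC-6-IPACCESSLOGP: .* denied / {
            # after the word denied: proto src(port) -> dst(port), N packet(s)
            for (i = 1; i <= NF; i++) if ($i == "denied") break
            proto = $(i + 1); src = $(i + 2); dst = $(i + 4); n = $(i + 5)
            sub(/\(.*/, "", src)                          # drop (port) from the source
            sub(/,$/, "", dst); sub(/.*\(/, "", dst); sub(/\)$/, "", dst)   # keep only dst port
            pk[src " " dst " " proto] += n
        }
        END { for (k in pk) print k, pk[k] }' "$1" | sort -k4,4nr -k1,1
}

# Total packets denied in the log.
total_denied() {
    summarize_denies "$1" | awk '{ s += $4 } END { print s + 0 }'
}

# Demo run.
LOG=$(make_demo_log)
summarize_denies "$LOG"
echo "total denied packets: $(total_denied "$LOG")"
```

Feed the real router's syslog through `summarize_denies` daily; a source that walks several destination ports (203.0.113.7 hits 111 and 161 in the demo) is mapping the network, which is exactly the SNMP and RPC reconnaissance the Top 10 describes.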

181 Pulling the perimeter together  Top Ten blocking, egress filtering  Additional requirements from your site’s security policy  The notes contain a minimal Perimeter audit plan! Top Ten recommendations are shown in the notes pages. There are examples of implementations based on this security policy at: http://www.sans.org/giactc/gcfw.htm (practicals 30 - 35)

182 Section Review  Establishing and testing perimeter defenses is a good way to reduce D and R times.  Top Ten vulnerabilities are generally agreed to be a priority. Top Ten blocking recommendations are the foundation of a security checklist for perimeters.  CVE names help ensure sysadmins and auditors are referring to the same threat.

183 CIS Unix Ruler Review  CIS Rulers are a good starting point for developing a Unix audit plan  Level 1 ruler defines minimum security standards for all Unix systems  Level 2-3 rulers are more network and function specific  Procedural rulers address policy issues

184 Auditing Networks, Perimeters and Systems  Audit Checklists, Unit 6: Windows  The SANS Institute

185 W2K CIS Rulers  CIS Rulers are being developed for Windows 2000 and NT systems  Format is similar to the Unix rulers (levels 1-3)  Work has just started on it  You’re getting a very ROUGH preview of the rulers.

186 Sample W2K Level 1 Ruler - Physical Data Security  Enable the end user to protect laptops.  Physically secure servers.  Protect the server from unattended reboot. –Protect the SAM with SYSKEY  Protect the backup tapes.  Use NTFS disk partitions.  Use Encrypting File System

187 Sample W2K Level 1 Ruler - Security Policy Configuration  Configure the Local Security Policy.  Configure the Account Policy.  Secure Administrator/Guest accounts.  Configure Local Policies.  Enable Audit Policies.  Customize User Rights.

188 Win2k Audit (Run MMC -> Ctrl-M -> Security Templates -> Setup Security)

189 User Rights

190 Sample W2K Level 1 Ruler - Security Policy Configuration  Customize Security Options –Restrict Anonymous Connections –Allow server operators to schedule tasks (DC only). –Clear virtual memory pagefile on shutdown. –Audit access of Global System Objects. –Do not display last username in login screen.  Configure Public Key Policy.  Configure IP Security Policy.

191 File System Configuration  (__) Define system configuration and Service Pack level  (__) During audit, set browser to see all files  (__) System is configured as NTFS file system?  (__) System Administrator has a current Emergency Recovery Disk in a locked storage area.  (__) Wiping of system page file occurs at system shutdown.

192 Sample W2K Level 1 Ruler  Group Policy  MMC Snap-In  System Tools –Configure Event Log Settings –System Information –Performance Logs & Alerts –Local Users & Groups  Lock out unauthorized floppy disk use

193 Sample W2K Level 1 Ruler  Disable unused services –Remove OS2 and POSIX subsystems  Secure remote control programs (PC Anywhere)  Disable Microsoft Network Client  Additional Utilities –W2K Support Tools –Resource Kit tools

194 Sample W2K Level 1 Ruler  Freeware, Shareware and Commercial Tools –Use Access Control List auditing tools –Audit SP and HotFix levels –Consider installing nmap, WinDump, PGP, Anti-Trojan, L0phtCrack 3, snort

195 Sample W2K Level 1 Ruler - The Registry  Disable auto-run on CD-ROM drives.  Control remote Registry access.  Restrict Null User access to named pipes and shares.  Disable router discovery.  Disable ICMP redirects.  Remove administrative shares.

196 Sample W2K Level 1 Ruler  File, Folder and Registry Permissions  Security Analysis and Configuration Tool –Apply standard incremental security templates –Create custom policies –Perform analysis of computer  Recovery Options –Baseline system backup –Regular system backup –Remote system backup –NTBackup.exe

197 Sample W2K Level 1 Ruler  Recovery Options (continued) –Emergency Repair Disks –Safe Mode with or without networking –Safe Mode with command prompt –Recovery Console  Active Directory Services –Domain Controllers and Trust –The Trees vs. the Forest –Enterprise Admins and Schema Admins

198 Sample W2K Level 1 Ruler  Application Security –IIS v5 - CRITICAL! –Telnet Server –File and Printer Sharing –Windows Services for Unix 2.0 –Exchange, Outlook, Outlook Express –SQL  These may be more suited to Level 2

199 A Sample NT Level 1 Ruler  Installation  Networking  User Accounts  Services/System  Files/Directories  Registry  Applications  Developed by Marc Debonis, VA Tech

200 Sample VT Level 1 NT Ruler  Installation –Physically secure machine –Enable BIOS boot password, user/admin levels –Install NT on C:, no dual boot, use NTFS –Put bogus name for install –Select only TCP/IP to install –Do NOT install IIS –Do NOT use DHCP –Do NOT use WINS server entries

201 Sample VT Level 1 NT Ruler  Installation –Disable LMHOSTS lookup –Login as Administrator; delete the My Briefcase, Install IIS, IE and Inbox icons –Install post-SP5/SP6 hotfixes in this order: Winhlp-I, Nddefixi, Lsareqi, Q234351I, Csrssfxi, Loctlfxi, Ntfsfix1, Igmpfix1, Ipsrfixi

202 (__) Define Service Pack Level  Start -> Run -> WINVER (works the same for NT 4.0)

203 Checking for Service Packs

205 Copyright 2001 Marchany205 (__) System does not have un-necessary devices Start -> Settings -> Control Panel -> Devices.

206 Copyright 2001 Marchany206 Sample VT Level 1 Ruler  Networking –Use network control panel to remove RPC Configuration, NetBIOS Interface, Workstation, Server. –Set service TCP/IP NetBIOS Helper to disabled –Disable Windows NT Networking –Disable WINS Client (TCP/IP) binding –Disable WINS Client (TCP/IP) device

207 Sample VT Level 1 Ruler
• Accounts
  – Set minimum password length to 8
  – Lock out after 3 bad attempts
  – Under Policies -> User Rights:
    Select the right "Access this computer from Network" and remove ALL groups listed in the Grant To box
    Under Show Advanced Rights, select Bypass Traverse Checking and remove Everyone
    Select Log on Locally and disable Guest

208 Sample VT NT Level 1 Ruler
• Accounts
  – Select Policies -> Audit and enable audit events: logon/logoff, user/group mgt, security policy changed, restart, shutdown and system
  – Open User Manager for Domains:
    Rename the Administrator account to Master
    Remove the description for the Master account
    Set the Master account password to something VERY strong
    Rename the Guest account to DEFUNCT
  – Allow remote lockout of the Administrator account only

209 (__) Auditing is enabled: User Manager -> Policies -> Audit. See http://www.geek-speak.net/products/ntaudit1.html

210 Audit Best Practice

211 Audit Best Practice (2)

212 Passwords
(__) NT password policies comply with Best Practices for NT Passwords.
(__) User passwords are known only by the user.
(__) Users are required to maintain unique passwords for each AIS.
(__) Passcrack for Windows NT or another password tester is run at least yearly.
(__) Password database (SAM) is encrypted.
(__) Administrator password is protected to the same level as the data contained on the computer.
(__) Password is enabled for the screen saver. (Control Panel, Desktop)

213 Passfilt

214 NT 4.0: Start -> Programs -> Administrative Programs -> User Manager

215 Win2k: My Computer -> Control Panel -> Administrative Tools -> Local Security Policy -> Password Policy

216 Sample VT NT Level 1 Ruler
• Services/System
  – Disable unnecessary system services: Network DDE, Network DDE DSDM, Schedule, Spooler, Telephony Service, distributed COM (DCOM)
  – From the System control panel, click the Startup/Shutdown tab:
    Uncheck "Overwrite any existing file?"
    Uncheck "Write debugging information to:"
    Uncheck "Automatically reboot?"

217 Sample VT NT Level 1 Ruler
• Services/System
  – Open the Display control panel, click the Screen Saver tab, enable the Blank Screen screen saver, set the wait to 5 minutes, and check the Password Protected box
  – Event Logs: open Log -> Log Settings and increase the maximum size of each log to more than 2048K
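A small checker for the account and service items in this ruler, added here as an example (it is not Marc Debonis's ruler tooling or anything from the original deck): it parses the `net accounts` and `net start` output an audit would collect on each host and returns one (__)/(OK) row per item in the style of the Passwords checklist slide. Both sample outputs are constructed, not captured from a real host, and the service display names are taken from the slides as written.

```python
"""Added example: evaluate Level 1 NT ruler items from `net accounts`
and `net start` output (samples below are constructed, not real)."""
import re

# Constructed `net accounts` output: length already raised to 8, lockout still off.
SAMPLE_NET_ACCOUNTS = """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Lockout threshold:                                    Never
Computer role:                                        WORKSTATION
"""

# Constructed `net start` output: Schedule, Spooler and Workstation still running.
SAMPLE_NET_START = """\
These Windows services are started:

   Event Log
   Schedule
   Spooler
   Workstation
"""

# Services the ruler (slides 206 and 216) says to remove or disable.
UNNECESSARY_SERVICES = {"Network DDE", "Network DDE DSDM", "Schedule", "Spooler",
                        "Telephony Service", "Workstation", "Server"}

def parse_net_accounts(text):
    """Map each `net accounts` setting name to its value string."""
    pairs = re.findall(r"^(.+?):\s{2,}(\S.*)$", text, flags=re.M)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_net_start(text):
    """Return the set of started service names (the indented lines)."""
    return {line.strip() for line in text.splitlines() if line.startswith("   ")}

def compliance_report(net_accounts_text, net_start_text):
    """Evaluate the ruler items; returns [(item, passed)] for the compliance matrix."""
    acct = parse_net_accounts(net_accounts_text)
    threshold = acct.get("Lockout threshold", "Never")
    running_bad = parse_net_start(net_start_text) & UNNECESSARY_SERVICES
    return [
        ("Minimum password length is 8", int(acct.get("Minimum password length", 0)) >= 8),
        ("Account lockout after 3 bad attempts", threshold != "Never" and int(threshold) <= 3),
        ("No unnecessary services running", not running_bad),
    ]

if __name__ == "__main__":
    for item, ok in compliance_report(SAMPLE_NET_ACCOUNTS, SAMPLE_NET_START):
        print(("(OK) " if ok else "(__) ") + item)
```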

218 Log -> Log Settings

219 Event Viewer (Windows 2000): My Computer -> Control Panel -> Administrative Tools -> Event Viewer

220 Using dumpel for audit logs

221 Sample VT NT Level 1 Ruler
• For the rest of the ruler, go to http://security.vt.edu and look in the Checklists section for Marc's document
• Some may consider his requirements really strict, but some may like them

222 Sample Windows 2000 Level 2 Ruler
• Rules of Engagement for Active Directory
• Developed at VA Tech for our AD structure
  – Marc Debonis, www.w2k.vt.edu
• Allows lower-level admins to control their own domains
• Not for everyone
• Somewhat draconian

223 Sample VT Level 2 Ruler: Active Directory ROE
• The child domain must have at least 1 full-time peer BDC for the child domain
• The child domain controllers must meet Microsoft's minimum computer hardware requirements
• No 3rd-party or Microsoft add-on software is allowed on child domain controllers
  – IIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services

224 Sample VT Level 2 Ruler: Active Directory ROE
• The child domain controllers must be in a backup program and have full recoverability tested
• The child domain controllers must allow, and not block, global policy objects replicated from the root
• All W2K hosts must follow the prescribed DNS naming conventions (xxx.yyy.vt.edu)

225 Sample VT Level 2 Ruler: Active Directory ROE
• All W2K hosts within the child domain will use the root AD DDNS server settings. Child DCs will use static IPs and will not run DHCP servers
• Child domains will not attempt to create child domains "below" theirs; they will use OUs to do this

226 Sample VT Level 2 Ruler: Active Directory ROE
• No non-administrative local logins will be allowed to the child domain controllers. The CDCs will be housed in secure areas with controlled access
• 2 weeks of event/audit logs will be kept, and access to them will be given to the AD enterprise admins for security/debugging purposes

227 Sample VT Level 2 Ruler: Active Directory ROE
• All service packs will be installed in a timely manner, coordinated with root AD controller upgrades
• Will people buy into this?
  – Some will, some won't, but those that do are more secure

228 Whew!
• You've got a basic strategy for building security checklist/audit plans for
  – Perimeter
  – Unix
  – NT
  – Windows 2000
Please fill out your comment sheets!

229 Today's Course Goals
• Construct a high-level Security Checklist from the CIS rulers for your site
  – Unix, NT, Windows 2000
• Use TBS to provide a response to your internal auditors and secure your systems
• Use STAR to define the $$$ cost of implementing security features at your site
  – This method can be used over time to show trends
• Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site

230 URLs referred to in this course
STAR Matrices: http://courseware.vt.edu/marchany/STAR
Sample R/A Documents: http://security.vt.edu
Top Ten Vulnerabilities: http://www.sans.org/topten.htm
Top Ten Blocking: http://www.sans.org/giactc/gcfw.htm
Egress Filtering: http://www.sans.org/y2k/egress.htm
CVE: http://cve.mitre.org
GIAC Practicals: http://www.sans.org/giactc/cert.htm
RFC 2196: http://www.ietf.org/rfc/rfc2196.txt
Center for Internet Security: http://www.cisecurity.org

231 Auditing Networks, Perimeters and Systems: Appendices/Supplemental Material (The SANS Institute)

232 APPENDIX 1
• The following matrices are examples of your matrix reports
  – Exhibit A (ASSET Matrix)
  – Exhibit B (ASSET WEIGHT Matrix)
  – Exhibit C (RISKS Matrix)
  – Exhibit D (RISK WEIGHT Matrix)
  – Exhibit E (ASSET-RISK Matrix)
  – Exhibit F (CONTROLS Matrix)

233 APPENDIX 2
The following spreadsheets are the compliance reports.
• Overall Compliance Report: lists the general vulnerabilities a system has. This is a quick 1-page report for management or the auditors.
• Asset/Risk Matrix: lists whether a system is affected by a risk. The risks are more specific.
• Controls Matrix: lists what controls are in place for a given system.
• Individual Action Matrix: lists the details of an audit for each node. Did the system comply?

234 APPENDIX 3
• The following checklist gives the detailed commands to be performed in the "audit".
• The categories are based on the Risk Matrices in Appendix 1.
• The results of the checklist commands are inserted in the Compliance matrices of Appendix 2.
• This checklist and the matrices form the overall audit/security checklist package.

235 APPENDIX 4
• Your company's response policy will dictate the degree of audit record keeping you'll have to maintain.
• There are 2 strategies:
  – Protect and Proceed
  – Pursue and Prosecute

236 Incident Handling: Protect and Proceed?
Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC 2196)
- the protection and preservation of site facilities
- return to normal operations as soon as possible
- actively interfere with intruder attempts
- begin immediate damage assessment and recovery
Use if:
- assets are not well protected
- continued penetration could result in financial risk
- the possibility or willingness to prosecute is not present
- the user community is unknown
- users are unsophisticated and their work is vulnerable
- the site is vulnerable to lawsuits from users if their resources are undermined

237 Incident Handling: Pursue and Prosecute?
- allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies
Use if:
- system assets are well protected
- good backups are available
- asset risks are outweighed by the risk of future penetrations
- it's a concentrated and frequent attack
- the site has a natural attraction to intruders, e.g. a university or a bank
- the site is willing to spend the money and take the risk to catch the guy
- intruder access can be controlled
- well-developed monitoring tools are available
- you have a technically competent support staff
- management is willing to prosecute
- system administrators know in general what evidence will aid in prosecution
- there is established contact with law enforcement agencies
- the site has involved their legal staff

238 Appendix 5 – CIS Rulers
• The current CIS rulers are found at http://www.cisecurity.org
• The W2K ruler is a draft only
• The VT AD ROE is available at http://www.w2k.vt.edu

239 Appendix 6 – AUP Example
• This appendix contains the VA Tech Acceptable Use Policy and the Acceptable Use Guidelines

240 References
– "Time Based Security", Winn Schwartau, Interpact Press, 1999, ISBN 0-9628700-4-8. The discussion on TBS was derived from this text.
– "Firewalls and Internet Security", Cheswick & Bellovin, Addison-Wesley, 1994, ISBN 0-201-63357-4
– RFC 2196, Guide to Writing a Site Security Policy
– http://Diicoe.disa.mil/coe

241 References
• The complete Top 10 document can be found in the appendix
• Some WWW sites to visit:
  – www.sans.org
  – www.cert.org
  – www.nipc.gov
  – www.securityfocus.com
  – www.rootshell.com
  – http://security.vt.edu
  – www.cornell.edu/CPL

242 Course Revision History

