AUDITING and SECURITY Jim Patterson, CISSP, CBCP, CRM Jefferson Wells


Page 1

AUDITING and SECURITY

Jim Patterson, CISSP, CBCP, CRM
Jefferson Wells

Page 2

Introduction

The goals of Security (CIA):

Confidentiality

Integrity

Availability

(They are mutually dependent)

Avoid Audit Findings

Page 3

Security Considerations

Identify Assets
Network Discovery
AD Discovery
DHCP and DNS Imports
File Import (from existing sources)

Assess Vulnerabilities
How vulnerability definitions are updated, and how often
Map vulnerabilities to industry/vendor nomenclature
Types of vulnerabilities found (configuration and patch)
When to do the assessment

Page 4

Security Considerations

Remediate Vulnerabilities
How remediations are updated, and how often
Configuration and patch-based remediations
Use of industry/vendor nomenclature
Different remediation policies for different classes of assets
Different remediation schedules for different classes of assets
Manage rebooting of different classes of assets

Page 5

Secured Network Model

[Diagram: network zones (The Internet, Open Systems, Mainframe, Customer Sites, Application DMZs, and Remote Locations, Remote Access and Vendors) separated by firewalls, each zone monitored by IDS; firewall management, IDS management, and activity reporting and analysis are centralized in the ISOC.]

Page 6

Enterprise Architecture

[Diagram: a Central Console (XP/2000/2003) with a Reporting Database (ODBC) reaches, through Distributed Proxies (XP/2000/2003) over SSL, Windows Servers (NT, 2000, 2003), UNIX Servers (Solaris, Linux, AIX, HP-UX), the DMZ, and XP/2000 desktops. System Reach: Mainframe, Windows, UNIX and Linux.]

Page 7

Applications Overview

[Diagram, hosted in Ann Arbor and Milwaukee: BIB Web Server (NT 4.0) and Consumer Access Web Server (P51WEB02/03) reached over HTTPS; Business Internet Banking and Consumer Access (Enroll/Entitle, ACH, Wire, Balance); Business Express and Translation Server (Windows 2000 Servers, OpenVMS); EPS Database (P51EPSDB01A, SQL Server 7); Metavante Mainframe (MVS); Oracle 7/8 databases (User Setup, OFX Routing, Audit Addenda); SNA Servers (APDSNA03/APDSNA04); APDTRN01-06, APDWBE03-05, APDWFX01/02, ABS101/02; services for BE Mail, Partner Billing, Client Billing, Funds Transfer, Bill Pay, Order Fulfillment, ACH Funds Transfer (Connectware), MoneyLine, Cash Con, ECMailer, Email Connector, Serv-U FTP, NT Scheduler, NT Cut Service (Northern Trust); Admin Workstation (BIB/CA); FileXChange, ISAPI Gateway/Export, WebSrvItf SDK, Service Provider Manager; links over HTTP, HTTPS, OFX/XML, COM, ODBC, ADO, FTP, SMTP, SNA and TCP/IP sockets.]

Page 8

System Security Categories

Status: Enabled

Key Operating System Security Patches Applied: Most Recent, Most Critical

Examples: Users, Groups, Password Settings, Many Others

Examples: File Share Programs (Kazaa), Public Instant Messaging, Desktop Sharing Applications, Custom List

Examples: USB Hard Drives, Unauthorized Modems, Wireless NIC Cards, Modems with Auto-Answer On, Custom List

Status: Enabled, Latest Version, Latest Definitions

Page 9

Audit and Compliance

System Security (what Audit and Compliance is not focused on):
Security configuration settings
Antivirus status
Security patch status
Personal firewall status
Unauthorized software
Unauthorized hardware
Industry-known vulnerabilities

Audit and Compliance:
Enforcement
Access Control
Patching
Risk Management
Asset Management
Configuration Management

Page 10

Event Management Model

[Diagram: event sources (Firewalls, Intrusion Detection Systems, Applications) feed an Event Collector and a Manager of Managers; events go to a Historical Event Repository (Database, Query/Reporting) and raise Notifications to Operations Desktops, e.g. "Intrusion Detected!".]

Page 11

Auditing System Components

[Diagram: System Log -> Logger -> Analyzer -> Notifier; higher-level audit events trigger actions: Email, Popup, Reconfig, Report.]

Page 12

Audit System Structure

Logger: records information, usually controlled by parameters
Analyzer: analyzes logged information looking for something
Notifier: reports results of analysis

Page 13

Logger

Type and quantity of information recorded are controlled by system or program configuration parameters (tuning what is audited)
May be human readable or not; if not, viewing tools are usually supplied
Space available and portability influence the storage format

Page 14

Example: RACF

Security enhancement package for IBM’s MVS/VM

Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions

View events with LISTUSERS commands

Page 15

June 1, 2004 Computer Security: Art and Science

Example: Windows NT

Different logs for different types of events:
System event log records system crashes, component failures, and other system events
Application event log records events that applications request be recorded
Security event log records security-critical events such as logging in and out, system file accesses, and other events

Logs are binary; use Event Viewer to see them
If a log fills up, the system can be configured to shut down, to disable logging, or to overwrite old entries
Logging is enabled by SACLs and Windows Policy

Page 16

Windows NT Sample Entry

Date: 2/12/2000
Source: Security
Time: 13:03
Category: Detailed Tracking
Type: Success
Event ID: 592
User: WINDSOR\Administrator
Computer: WINDSOR

Description: A new process has been created:
New Process ID: 2216594592
Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
Creator Process ID: 2217918496
User Name: Administrator
Domain: WINDSOR
Logon ID: (0x0,0x14B4c4)

[would be in graphical format]

Page 17

Syslog

De facto standard in Unix and networking (RFC 3164)
UDP transport
Log locally or send to a collecting server
Limited normalization

Page 18

Syslog Format

PRI field
Facility – part of the system generating the log: 0 – kernel, 2 – mail system, 6 – line printer
Severity – fully ordered list: 0 – Emergency, 3 – Error, 6 – Informational

Header – time stamp and host name

Msg
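The PRI field on this slide is a single number that packs facility and severity together (PRI = facility * 8 + severity). The following parser is an added example, not part of the original slides: it decodes PRI, splits the RFC 3164 header from the message, and filters a set of constructed sample lines by severity. The facility and severity code tables are the ones fixed by RFC 3164; the log lines, host names and the severity threshold are assumptions for the example.

```python
# Added example (not from the slides): decode an RFC 3164 syslog line into the
# PRI field (facility and severity), the header (timestamp and host name) and
# the MSG part. Sample lines below are constructed, not real logs.
import re

# Numeric facility and severity codes are fixed by RFC 3164, section 4.1.1.
FACILITIES = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 12: "ntp", 13: "audit", 14: "alert",
              15: "clock", **{16 + i: f"local{i}" for i in range(8)}}
# Severities are a fully ordered list: 0 is the most severe, 7 the least.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# "<PRI>" then TIMESTAMP ("Mmm dd hh:mm:ss", day space-padded) then HOSTNAME then MSG
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity; returns (facility_code, severity_code)."""
    if not 0 <= pri <= 191:            # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(line):
    """Split one RFC 3164 line into its PRI, header and MSG fields."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": facility,
        "facility_name": FACILITIES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def at_least(lines, max_severity):
    """Records whose severity code is max_severity or lower (i.e. as severe or worse)."""
    return [r for r in map(parse_syslog, lines) if r["severity"] <= max_severity]


# Constructed sample input (the first line is modelled on the RFC's own example).
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",  # auth.Critical
    "<0>Oct 11 22:15:00 mymachine kernel: panic: out of memory",                      # kernel.Emergency
    "<22>Oct  1 22:16:02 mailhost sendmail[123]: message queued",                     # mail.Informational
]

if __name__ == "__main__":
    for rec in at_least(SAMPLE, 3):          # Error and worse
        print(rec["severity_name"], rec["facility_name"], rec["host"], rec["msg"])
```

Because the severity scale is ordered, a collecting server can route on a threshold ("Error and worse") without a lookup table; the facility is what tells you which subsystem emitted the record, which is why the two are decoded separately.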

Page 19

Top 10 Things to Audit in a Win2k Domain

Local Security Policy of one DC
1. Password
2. Lockout policy
3. Audit policy: Account Management, Account Logon, System Policy, Policy Changes – Failure AND Success!

Active Directory Users and Computers
4. Important group memberships: Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops
If the root domain of the forest, also check: Enterprise Admins, Schema Admins, DNSAdmins

Page 20

Top 10 Things to Audit in a Win2k Domain

One or more Domain Controllers
5. Service Pack Level
6. Dangerous Services

One or more Member Servers
7. Audit Policy: Account Logon, Account Management, System Policy, Policy Change
8. Service Pack Level
9. Dangerous Services
10. Administrator account

Page 21

Examples

Using swatch to find instances of telnet from tcpd logs: /telnet/&!/localhost/&!/*.site.com/
Query set overlap control in databases: if there is too much overlap between the current query and past queries, do not answer
Intrusion detection analysis engine (director): takes data from sensors and determines if an intrusion is occurring

Page 22

Examples

Using swatch to notify of telnets: /telnet/&!/localhost/&!/*.site.com/ mail staff
Query set overlap control in databases: prevents a response from being given if too much overlap occurs
Three failed logins in a row disable the user account: the notifier disables the account and notifies the sysadmin


Page 24

Application Logging

Application logs are made by applications; applications control what is logged
Typically use high-level abstractions such as:
su: bishop to root on /dev/ttyp0
Does not include detailed, system-call-level information such as results, parameters, etc.

Page 25

System Logging

Log system events such as kernel actions
Typically use low-level events:

3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
3876 ktrace NAMI "/usr/bin/su"
3876 ktrace NAMI "/usr/libexec/ld-elf.so.1"
3876 su RET xecve 0
3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
3876 su RET __sysctl 0
3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
3876 su RET mmap 671473664/0x2805e000
3876 su CALL geteuid
3876 su RET geteuid 0

Does not include high-level abstractions such as loading libraries

Page 26

Contrast

Differ in focus:
Application logging focuses on application events, like failure to supply a proper password, and the broad operation (what was the reason for the access attempt?)
System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?)
System logs are usually much bigger than application logs
Can do both and try to correlate them

Page 27

Access Control

Collection of mechanisms that permits managers of a system to exercise a directing influence over the behavior, use and content of the system

System Access Control: password and other authentication; system auditing
Discretionary Access Control (DAC): Access Control List
Mandatory Access Control (MAC): Reference Monitor

Page 28

UNIX File System

Ordinary files
Directory files
Special files

Page 29

Basic Access Control

From an ls -l command you will see the following: character 1: type of file; characters 2–4: owner's permissions; 5–7: group's permissions; 8–10: others' permissions.

PERMISSION      MEANING
- rwx rwx rwx   File. Everyone can read, write and execute this.
- rwx r-x r-x   File. Everyone can read and execute this, but only the owner can write to it.
- r-- r-- ---   File. The owner and everyone in his group can only read this file; others have no access to it.
d rw- rw- rw-   Directory. Everyone can read and write. No one, including the owner, can traverse it.
l rwx r-x r-x   Link. The permissions for a link generally do not matter.
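The table above is easy to misread at the owner/group/other boundary, and the fourth row (a directory nobody can traverse) is the classic surprise. The block below is an added example, not code from the slides: it decodes the 10-character mode string that ls -l prints, derives the octal mode including the setuid, setgid and sticky bits, and reproduces the table's "who can do what" answers under basic UNIX permission semantics. The uids, gids and mode strings are constructed for the example, and the root (uid 0) override is deliberately omitted so the table's answers come out exactly as written.

```python
# Added example (not from the slides): decode an ls -l mode string, compute the
# octal mode, and answer "may this user read/write/execute?" under basic UNIX
# permissions. uids, gids and mode strings are constructed for the example.
FILE_TYPES = {"-": "file", "d": "directory", "l": "link", "c": "character device",
              "b": "block device", "p": "fifo", "s": "socket"}


def parse_mode(mode_str):
    """Split e.g. '-rwxr-xr-x' into type, per-class permission sets and octal."""
    if len(mode_str) != 10 or mode_str[0] not in FILE_TYPES:
        raise ValueError(f"not an ls -l mode string: {mode_str!r}")
    classes, octal = {}, 0
    for name, chunk in zip(("owner", "group", "other"),
                           (mode_str[1:4], mode_str[4:7], mode_str[7:10])):
        r, w, x = chunk
        bits = set()
        if r == "r":
            bits.add("r")
        if w == "w":
            bits.add("w")
        if x in "xst":                 # lowercase s/t means execute is set as well
            bits.add("x")
        classes[name] = bits
        octal = (octal << 3) | ((4 if "r" in bits else 0)
                                | (2 if "w" in bits else 0)
                                | (1 if "x" in bits else 0))
    # Special modes: s/S in the owner or group execute slot, t/T in the other slot.
    special = set()
    if mode_str[3] in "sS":
        special.add("setuid")
        octal |= 0o4000
    if mode_str[6] in "sS":
        special.add("setgid")
        octal |= 0o2000
    if mode_str[9] in "tT":
        special.add("sticky")
        octal |= 0o1000
    return {"type": FILE_TYPES[mode_str[0]], "classes": classes,
            "special": special, "octal": octal}


def may(mode_str, owner_uid, owner_gid, uid, gids, want):
    """want is 'r', 'w' or 'x' ('x' on a directory means traverse).

    Exactly one class applies: owner if the uid matches, else group if the
    object's group is one of the user's groups, else other. The root (uid 0)
    override is left out so the slide's table is reproduced exactly."""
    info = parse_mode(mode_str)
    if uid == owner_uid:
        cls = "owner"
    elif owner_gid in gids:
        cls = "group"
    else:
        cls = "other"
    return want in info["classes"][cls]


def demo():
    """The slide's table, evaluated: owner uid 1000 / gid 100 (constructed)."""
    return {
        "file_755_octal": oct(parse_mode("-rwxr-xr-x")["octal"]),
        "group_member_can_write_755": may("-rwxr-xr-x", 1000, 100, 1001, {100}, "w"),
        "group_member_can_read_440": may("-r--r-----", 1000, 100, 1001, {100}, "r"),
        "outsider_can_read_440": may("-r--r-----", 1000, 100, 1002, {200}, "r"),
        "owner_can_traverse_666_dir": may("drw-rw-rw-", 1000, 100, 1000, {100}, "x"),
        "setuid_file": sorted(parse_mode("-rwsr-xr-x")["special"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The class selection is the point worth remembering when auditing permissions: a user who owns a file gets the owner bits even if the group or other bits would have granted more, which is how a mode like `-r--rw-rw-` locks the owner out of writing while everyone else can.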

Page 30

Access Control List - UNIX

An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties

An ACL entry contains:
• Attributes: define special file modes such as SETUID, SETGID and the sticky bit
• Base permissions: reflect the basic access rights
• Extended permissions: specify, permit, deny

Page 31

Access Control List

ACL Entries                                  Description
1. attributes: setuid, setgid, stickybit     Special file modes.
2. base permissions                          Standard Unix file permissions.
3. owner(owner_user): rwx                    owner and access rights
4. (owner_group): r-x                        group and access rights
5. others: r--                               other's rights
6. extended permissions                      Additional ACL entries.
7. enabled                                   enabled or disabled
8. permit --x u:some_user, g:some_group      Permits access to the specified user-group combination in a boolean AND manner.
9. deny rwx g:a_group                        Forbids access to the specified user-group combination in a boolean AND manner.

Page 32

Auditing

Is a feature which provides accountability for all system activities, from file access to network and database
Each audit event, such as a user login, is formatted into fields such as the event type, user id, file names and time

Audit events
• Administrative event class: security administrator events, system administrator events, operator events
• Audit event class: describes the operation of the audit system itself

Page 33

Windows File System

Supports two file systems:
FAT (File Allocation Table): the file system does not record security information such as the owner or access permissions of a file or directory
NTFS (New Technology File System): supports a variety of multi-user security models

NTFS vs FAT: fault tolerance; access control by directory or file; can compress individual files or directories; POSIX support

Page 34

Access Control List - Windows

Data structure of an ACL:
ACL size – number of bytes of memory allocated
ACL Revision – revision number for the ACL's data structure
ACE Count – number of ACEs in the ACL

Page 35

Access Control Entries

Contains the following access control information

• A security identifier (SID)

• An access mask – specifies access rights

• A set of bit flags that determines which child objects can inherit the ACE

• A flag that indicates the type of ACE

Page 36

ACE Types

3 generic ACE types:

Type            Description
Access-denied   Used in a DACL to deny access.
Access-allowed  Used in a DACL to allow access.
System-audit    Used in a SACL to log attempts to access.

3 object-specific ACE types:

Type                             Description
Access-denied, object-specific   Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
Access-allowed, object-specific  Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
System-audit, object-specific    Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.

Page 37

Access Rights

Generic Access Rights, Standard Access Rights, and other rights such as SACL access rights, object-specific access rights and user rights.

Generic access rights:

Constant in Win32 API   Meaning
GENERIC_ALL             Read, write, and execute access
GENERIC_EXECUTE         Execute access
GENERIC_READ            Read access
GENERIC_WRITE           Write access

Standard access rights:

Constant in Win32 API   Meaning
DELETE                  The right to delete the object.
READ_CONTROL            The right to read the information in the object's security descriptor, not including the information in the SACL.
SYNCHRONIZE             The right to use the object for synchronization. Some object types do not support this access right.
WRITE_DAC               The right to modify the DACL in the object's security descriptor.
WRITE_OWNER             The right to change the owner in the object's security descriptor.

Page 38

How Access Control Works?
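The slides list the ACE types and the access-right constants but the "how it works" slide itself carries only a diagram. The block below is an added example, not code from the slides or from Windows: it evaluates a DACL in the documented Windows order (NULL DACL grants everything, empty DACL grants nothing, ACEs walked in order with denies taking effect as they are reached, the owner implicitly holding READ_CONTROL and WRITE_DAC). The constant values are the real Win32 ones from the previous slide; the SIDs, tokens and ACL contents are constructed, and expanding GENERIC_ALL into the other generic and standard rights stands in for the per-object GENERIC_MAPPING that Windows applies.

```python
# Added example (not from the slides): a DACL check in the documented Windows
# evaluation order, using the ACE types and access-right constants from the
# preceding slides. SIDs, tokens and the ACL are constructed for the example.
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000
DELETE, READ_CONTROL = 0x00010000, 0x00020000
WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x00040000, 0x00080000, 0x00100000
STANDARD_RIGHTS_ALL = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | SYNCHRONIZE

ACCESS_ALLOWED, ACCESS_DENIED = "access-allowed", "access-denied"


def expand(mask):
    """Simplification of Windows' GENERIC_MAPPING: GENERIC_ALL stands for the
    other generic rights plus all standard rights."""
    if mask & GENERIC_ALL:
        mask |= GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | STANDARD_RIGHTS_ALL
    return mask


def ace(kind, sid, mask):
    """An ACE as on the 'Access Control Entries' slide: type, SID, access mask.
    Inheritance flags are omitted because only the effective check is shown."""
    return {"type": kind, "sid": sid, "mask": expand(mask)}


def check_access(dacl, token_sids, owner_sid, requested):
    """True if every bit of `requested` is granted to a token holding token_sids.

    NULL DACL (None): everything is granted.  Empty DACL: nothing is granted.
    Otherwise walk the ACEs in order: skip ACEs whose SID is not in the token;
    an access-denied ACE covering any still-unsatisfied bit ends the walk with
    denial; an access-allowed ACE removes its bits from what is still needed;
    stop as soon as nothing remains.  The owner implicitly holds READ_CONTROL
    and WRITE_DAC."""
    if dacl is None:
        return True
    remaining = expand(requested)
    if owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for entry in dacl:
        if remaining == 0:
            break
        if entry["sid"] not in token_sids:
            continue
        if entry["type"] == ACCESS_DENIED and entry["mask"] & remaining:
            return False
        if entry["type"] == ACCESS_ALLOWED:
            remaining &= ~entry["mask"]
    return remaining == 0


# Constructed SIDs and a canonically ordered DACL (denies before allows).
SID_ADMINS, SID_USERS = "S-1-5-32-544", "S-1-5-32-545"
SID_CONTRACTORS = "S-1-5-21-EXAMPLE-1100"
SID_ALICE, SID_BOB = "S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-1002"
FILE_DACL = [
    ace(ACCESS_DENIED, SID_CONTRACTORS, GENERIC_WRITE | DELETE),
    ace(ACCESS_ALLOWED, SID_ADMINS, GENERIC_ALL),
    ace(ACCESS_ALLOWED, SID_USERS, GENERIC_READ | GENERIC_EXECUTE),
    ace(ACCESS_ALLOWED, SID_BOB, GENERIC_WRITE),
]
ALICE_TOKEN = {SID_ALICE, SID_USERS, SID_ADMINS}
BOB_TOKEN = {SID_BOB, SID_USERS, SID_CONTRACTORS}   # Bob is also a contractor


def demo():
    """Alice owns the file in every case except 'bob_write_dac', where Bob does."""
    return {
        "alice_write": check_access(FILE_DACL, ALICE_TOKEN, SID_ALICE, GENERIC_WRITE),
        "bob_read": check_access(FILE_DACL, BOB_TOKEN, SID_ALICE, GENERIC_READ),
        "bob_write": check_access(FILE_DACL, BOB_TOKEN, SID_ALICE, GENERIC_WRITE),
        "bob_write_dac": check_access(FILE_DACL, BOB_TOKEN, SID_BOB, WRITE_DAC),
        "empty_dacl": check_access([], BOB_TOKEN, SID_ALICE, GENERIC_READ),
        "null_dacl": check_access(None, BOB_TOKEN, SID_ALICE, GENERIC_ALL),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two audit-relevant consequences fall out of the walk: Bob's explicit allow for GENERIC_WRITE never helps him because the contractors' deny is reached first (ACE order, not just ACE presence, decides), and a NULL DACL is not "no permissions" but "everyone has everything", which is why a NULL DACL on a sensitive object is a finding rather than a safe default.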

Page 39

Automated Tools By Category

Enterprise Vulnerability Management: Hercules AVR (Citadel); Class 5 AVR (Secure Elements)

Vulnerability Assessment: Retina Network Security Scanner (eEye); FoundScan Engine (Foundstone); STAT Scanner (Harris); Internet Scanner (ISS); SiteProtector (ISS); System Scanner (ISS); Microsoft Baseline Security Analyzer (Microsoft); IP360 Vulnerability Management System (nCircle); Nessus Scanner (Nessus); SecureScout SP (NexantiS); QualysGuard Scanner (Qualys); SAINT Scanning Engine (Saint); Lightning Console (Tenable); NeWT Scanner (Tenable); WebInspect (SPI Dynamics)

Patch Management: System Management Server (Microsoft); Windows Update Service (Microsoft); PatchLink (PatchLink); Big Fix (BigFix); UpdateExpert (St. Bernard); HFNetChk (Shavlik)

Policy Management: Active Directory – Group Policy Objects (Microsoft); Security Policy Management (NetIQ); Enterprise Security Manager (Symantec); Compliance Center (BindView)

Configuration/Asset Management: System Management Server (Microsoft); TME (Tivoli); Unicenter (CA); Enterprise Configuration Manager (Configuresoft); Asset Management Suite (Altiris)

Page 40

Conclusion

UNIX vs Windows
Easy to control system configuration on UNIX
ACLs are much more complex than traditional UNIX-style permissions
In basic UNIX, it is impossible to give a number of users different access rights

Page 41

System Security Policy Files

OPERATING SYSTEMS
Examples: » XP (NSA Guidelines) » Win 2000 (NIST Guidelines, NSA Guidelines, SANS Step-By-Step) » Win 2003 (MS Windows Server 2003 Security Guide) » NT (SANS Guidelines, MS Security White Paper, US Navy) » Linux (SANS Step-By-Step) » Solaris (SANS Step-By-Step) » AIX (IBM Guidelines) » HP-UX (HP Guidelines) » UNIX Samples » BlockSP2 » Services List » Services Pack

APPLICATIONS
Examples: » Applications List » Internet Explorer » Word 2000 and Excel 2000 Macro Settings » IIS Lockdown Guidelines » IIS Metabase Sample

INSTALLED HARDWARE / SOFTWARE
Examples: » Anti-Virus » Hardware List » USB Storage » Installed Modems

PATCHING
Examples: » MS Fixes » SUN Patches

REGULATIONS
Examples: » Sarbanes-Oxley » HIPAA » FISMA » GLBA » ISO17799

Page 42

Perfect World (almost): A Scenario

Anytime a machine joins (or re-joins) the corporate network, it is automatically quarantined, assessed, and remediated to bring it into compliance before it gains access to network resources
Every night, critical vulnerability configuration compliance checks are performed on all Windows desktops and remediated if needed
Every Saturday, from 2:00 AM – 3:00 AM, newly approved patches are automatically applied to all Windows desktops
Every Sunday, from 2:00 AM – 3:00 AM, all Windows and Unix servers are checked for security policy compliance. Selected items are remediated; other items generate alerts

Page 43

Perfect World (almost): A Scenario

During monthly maintenance intervals, Unix and Windows servers are fully patched and rebooted if required
Monthly, a full, automated network assessment is performed to independently scan for vulnerabilities
Quarterly, remediation policies are reviewed and updated to incorporate new vulnerability remediations
Critical, zero-day remediations are applied where needed in the enterprise within an hour of notification and remedy availability

Page 44

Contact Information

Patti Walker
Director, Technology Risk Management
Phoenix / Las Vegas
(602) 643-1600 (o), (480) 734-6960 (c), (602) 643-1606 (f)

Jim Patterson, CISSP, CBCP, CRM
Technology Risk Management
Phoenix / Las Vegas
(602) 643-1600 (o), (480) 529-9393 (c), (602) 643-1606 (f)

Jefferson Wells, A Manpower Company
11811 N. Tatum Blvd., Suite 3076
Phoenix, Arizona 85028