AUDITING and SECURITY
Jim Patterson, CISSP, CBCP, CRM, Jefferson Wells
Introduction
The goals of Security (CIA):
Confidentiality
Integrity
Availability
(They are mutually dependent)
Avoid Audit Findings
Security Considerations
Identify assets:
• Network discovery
• AD discovery
• DHCP and DNS imports
• File import (from existing sources)
Assess vulnerabilities:
• How vulnerability definitions are updated, and how often
• Map vulnerabilities to industry/vendor nomenclature
• Types of vulnerabilities found (configuration and patch)
• When to do the assessment
Remediate vulnerabilities:
• How remediations are updated, and how often
• Configuration- and patch-based remediations
• Use of industry/vendor nomenclature
• Different remediation policies for different classes of assets
• Different remediation schedules for different classes of assets
• Manage rebooting of different classes of assets
Secured Network Model
[Diagram: network zones (the Internet, customer sites, remote locations/remote access/vendors, application DMZs, open systems, mainframe) separated by firewalls and monitored by IDS sensors; an ISOC provides firewall management, IDS management, and activity reporting and analysis.]
Enterprise Architecture
[Diagram: system reach across mainframe, Windows (NT/2000/2003/XP) and UNIX (Solaris, Linux, AIX, HP-UX) servers, including DMZ hosts, with distributed proxies reporting over SSL to a central console and an ODBC reporting database.]
Applications Overview
[Diagram: business and consumer internet-banking components hosted in Ann Arbor and Milwaukee (web servers, translation server, EPS database, OpenVMS and Metavante mainframe back ends, Oracle and SQL Server databases, bill pay, ACH/wire/funds transfer services) and the protocols linking them (HTTPS, HTTP, OFX/XML, ODBC, ADO, COM, SNA, FTP/SMTP, TCP/IP sockets).]
System Security Categories
• Security configuration settings. Examples: users, groups, password settings, many others
• Security patches: key operating system security patches applied. Examples: most recent, most critical
• Unauthorized software. Examples: file share programs (Kazaa), public instant messaging, desktop sharing applications, custom list
• Unauthorized hardware. Examples: USB hard drives, unauthorized modems, wireless NIC cards, modems with auto-answer on, custom list
• Antivirus status: enabled, latest version, latest definitions
• Personal firewall status: enabled
Audit and Compliance
System Security Audit and Compliance:
• Security configuration settings
• Antivirus status
• Security patch status
• Personal firewall status
• Unauthorized software
• Unauthorized hardware
• Industry-known vulnerabilities
Audit and Compliance is not focused on:
• Enforcement
• Access control
• Patching
• Risk management
• Asset management
• Configuration management
Event Management Model
[Diagram: event sources (firewalls, intrusion detection systems, applications, operations desktops) feed an event collector and a manager of managers; events are stored in a historical event repository database for query and reporting, and a detected intrusion triggers a notification.]
Auditing System Components
[Diagram: the Logger writes the system log; the Analyzer derives higher-level audit events from it; the Notifier takes actions such as email, popup, reconfigure, or report.]
Audit System Structure
• Logger: records information, usually controlled by parameters
• Analyzer: analyzes logged information looking for something
• Notifier: reports the results of the analysis
Logger
• Type and quantity of information recorded are controlled by system or program configuration parameters (tuning what is audited)
• Output may be human readable or not; if not, viewing tools are usually supplied
• Space available and portability influence the storage format
Example: RACF
Security enhancement package for IBM’s MVS/VM
Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions
View events with LISTUSERS commands
June 1, 2004 Computer Security: Art and Science
16
Example: Windows NT
Different logs for different types of events:
• System event log records system crashes, component failures, and other system events
• Application event log records events that applications request be recorded
• Security event log records security-critical events such as logging in and out, system file accesses, and other events
Logs are binary; use Event Viewer to see them
If a log fills up, the system can be shut down, logging can be disabled, or logs can be overwritten
Logging is enabled by SACLs and Windows policy
Windows NT Sample Entry
Date: 2/12/2000   Source: Security
Time: 13:03       Category: Detailed Tracking
Type: Success     Event ID: 592
User: WINDSOR\Administrator
Computer: WINDSOR
Description: A new process has been created:
  New Process ID: 2216594592
  Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
  Creator Process ID: 2217918496
  User Name: Administrator
  Domain: WINDSOR
  Logon ID: (0x0,0x14B4c4)
[would be in graphical format]
Syslog
• De facto standard in Unix and networking (RFC 3164)
• UDP transport
• Log locally or send to a collecting server
• Limited normalization
Syslog Format
PRI field:
• Facility: the part of the system generating the entry, e.g. 0 = kernel, 2 = mail system, 6 = line printer
• Severity: a fully ordered list, e.g. 0 = Emergency, 3 = Error, 6 = Informational
Header: time stamp and host name
Msg: the message text
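As an added example (not from the slides), a small RFC 3164 parser that recovers facility and severity from the PRI field (PRI = facility * 8 + severity) and uses the ordered severity scale to flag entries at Error or worse; the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# RFC 3164 code tables (the slide names facilities 0, 2 and 6; the rest follow
# the same numbering in the RFC).
FACILITIES = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news"}
SEVERITIES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
              4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# <PRI>  TIMESTAMP ("Mmm dd hh:mm:ss")  HOSTNAME  MSG
_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str

def parse_syslog(line: str) -> SyslogMessage:
    """Split one RFC 3164 line into PRI-derived codes, header fields and message."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    # PRI packs both codes into one decimal number: facility * 8 + severity
    return SyslogMessage(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))

def needs_attention(msg: SyslogMessage) -> bool:
    """Severities are fully ordered: lower numbers are more urgent; 3 is Error."""
    return msg.severity <= 3

# Constructed sample lines (not from the slides); the first follows the example
# in RFC 3164 itself, where PRI 34 = auth (4) * 8 + Critical (2).
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<22>Oct 11 22:14:20 mailhost postfix/smtpd[4711]: connect from relay.example.net",
    "<51>Oct 11 22:15:02 printsrv lpd[200]: cannot open printer queue",
]

if __name__ == "__main__":
    for line in SAMPLE:
        m = parse_syslog(line)
        flag = "ATTENTION" if needs_attention(m) else "ok"
        print(f"{FACILITIES[m.facility]}.{SEVERITIES[m.severity]:<13} {m.host:<10} {flag}")
```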
Top 10 Things to Audit in a Win2k Domain
Local Security Policy of one DC:
1. Password policy
2. Lockout policy
3. Audit policy (Account Management, Account Logon, System Policy, Policy Changes; audit Failure AND Success!)
Active Directory Users and Computers:
4. Important group memberships: Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops. If this is the root domain of the forest, also check Enterprise Admins, Schema Admins, DNSAdmins
One or more Domain Controllers:
5. Service pack level
6. Dangerous services
One or more Member Servers:
7. Audit policy (Account Logon, Account Management, System Policy, Policy Change)
8. Service pack level
9. Dangerous services
10. Administrator account
Examples
• Using swatch to find instances of telnet from tcpd logs: /telnet/&!/localhost/&!/*.site.com/
• Query set overlap control in databases: if there is too much overlap between the current query and past queries, do not answer
• Intrusion detection analysis engine (director): takes data from sensors and determines if an intrusion is occurring
Examples
• Using swatch to notify of telnets: /telnet/&!/localhost/&!/*.site.com/ mail staff
• Query set overlap control in databases: prevents a response from being given if too much overlap occurs
• Three failed logins in a row disable the user account: the notifier disables the account and notifies the sysadmin
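The two Examples slides above describe an analyzer rule and a notifier rule. As an added illustration (not code from the slides), the swatch rule /telnet/&!/localhost/&!/*.site.com/ and the three-failed-logins lockout are implemented over a constructed sample of tcpd and login log lines; the log line formats and the account names are assumptions.

```python
import re

# Constructed sample of tcpd/login log lines (not taken from the slides).
SAMPLE_LOG = """\
Mar  3 10:02:11 gw in.telnetd[412]: connect from 10.1.2.3
Mar  3 10:02:30 gw in.telnetd[413]: connect from localhost
Mar  3 10:03:01 gw in.telnetd[414]: connect from host7.site.com
Mar  3 10:03:05 gw sshd[415]: connect from 10.1.2.9
Mar  3 10:05:00 gw login[500]: FAILED LOGIN FOR bishop FROM 10.1.2.3
Mar  3 10:05:09 gw login[501]: FAILED LOGIN FOR bishop FROM 10.1.2.3
Mar  3 10:05:20 gw login[502]: LOGIN ON ttyp0 BY bishop
Mar  3 10:06:00 gw login[503]: FAILED LOGIN FOR bishop FROM 10.1.2.3
Mar  3 10:06:11 gw login[504]: FAILED LOGIN FOR bishop FROM 10.1.2.3
Mar  3 10:06:19 gw login[505]: FAILED LOGIN FOR bishop FROM 10.1.2.3
"""

# Analyzer rule equivalent to the swatch line /telnet/&!/localhost/&!/*.site.com/:
# match "telnet", but ignore connections from localhost or from *.site.com hosts.
TELNET_RULE = (re.compile(r"telnet"),
               [re.compile(r"localhost"), re.compile(r"\.site\.com\b")])

def external_telnets(lines):
    """Return the log lines the swatch rule would report (and mail to staff)."""
    want, excludes = TELNET_RULE
    return [ln for ln in lines
            if want.search(ln) and not any(x.search(ln) for x in excludes)]

FAILED = re.compile(r"FAILED LOGIN FOR (\w+)")
SUCCESS = re.compile(r"LOGIN ON \S+ BY (\w+)")

def lockout_decisions(lines, threshold=3):
    """Notifier logic: `threshold` consecutive failures disable the account and
    notify the sysadmin; a successful login resets the streak."""
    streak, actions = {}, []
    for ln in lines:
        if m := FAILED.search(ln):
            user = m.group(1)
            streak[user] = streak.get(user, 0) + 1
            if streak[user] == threshold:
                actions += [("disable", user), ("notify-sysadmin", user)]
        elif m := SUCCESS.search(ln):
            streak[m.group(1)] = 0
    return actions

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ln in external_telnets(lines):
        print("ALERT telnet:", ln)
    for action, user in lockout_decisions(lines):
        print(action, user)
```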
Application Logging
• Application logs are made by applications; applications control what is logged
• Typically use high-level abstractions such as: su: bishop to root on /dev/ttyp0
• Does not include detailed, system-call-level information such as results, parameters, etc.
System Logging
• Logs system events such as kernel actions; typically uses low-level events, for example (ktrace output):
3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
3876 ktrace NAMI "/usr/bin/su"
3876 ktrace NAMI "/usr/libexec/ld-elf.so.1"
3876 su RET execve 0
3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
3876 su RET __sysctl 0
3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
3876 su RET mmap 671473664/0x2805e000
3876 su CALL geteuid
3876 su RET geteuid 0
• Does not include high-level abstractions such as loading libraries
Contrast
• Differ in focus:
  Application logging focuses on application events, like failure to supply a proper password, and the broad operation (what was the reason for the access attempt?)
  System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?)
• System logs are usually much bigger than application logs
• Can do both and try to correlate them
Access Control
Collection of mechanisms that permits managers of a system to exercise a directing influence over the behavior, use and content of the system
• System access control: password and other authentication; system auditing
• Discretionary Access Control (DAC): access control list
• Mandatory Access Control (MAC): reference monitor
UNIX File System
Ordinary files, directory files, special files
Basic Access Control
From an ls -l command you will see the following: character 1 is the type of file; characters 2-4 are the owner's permissions; 5-7 the group's permissions; 8-10 the others' permissions.
PERMISSION      MEANING
- rwx rwx rwx   File. Everyone can read, write and execute this.
- rwx r-x r-x   File. Everyone can read and execute this but only the owner can write to it.
- r-- r-- ---   File. The owner and everyone in his group can only read this file, but others have no access to it.
d rw- rw- rw-   Directory. Everyone can read and write. No one, including the owner, can traverse it.
l rwx r-x r-x   Link. The permissions for a link generally do not matter.
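As an added example (not from the slides), a parser for the ls -l mode column as laid out above: it splits the string into file type and the owner/group/other triples, converts it to the numeric mode chmod takes (including setuid, setgid and sticky), and answers the kind of question the table asks, such as whether a directory without an execute bit can be traversed. The spaced form used in the table is accepted as well as the compact form ls prints.

```python
from dataclasses import dataclass

FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink", "c": "char device",
              "b": "block device", "p": "fifo", "s": "socket"}
SPECIAL_BITS = {1: 0o4000, 2: 0o2000, 3: 0o1000}   # setuid, setgid, sticky

@dataclass(frozen=True)
class Perms:
    read: bool
    write: bool
    execute: bool

def parse_mode(mode: str):
    """Split the 10-character mode column of ls -l into type and three rwx triples."""
    mode = mode.replace(" ", "")                      # accept "d rw- rw- rw-" too
    if len(mode) != 10 or mode[0] not in FILE_TYPES:
        raise ValueError(f"not an ls -l mode string: {mode!r}")
    def triple(s):
        # the execute slot may read s/S (setuid/setgid) or t/T (sticky); lowercase
        # means the execute bit is also set, uppercase means it is not
        return Perms(s[0] == "r", s[1] == "w", s[2] in "xst")
    return FILE_TYPES[mode[0]], triple(mode[1:4]), triple(mode[4:7]), triple(mode[7:10])

def to_octal(mode: str) -> int:
    """Numeric mode (as chmod takes it), including setuid/setgid/sticky bits."""
    parse_mode(mode)                                  # validate first
    mode = mode.replace(" ", "")
    bits = 0
    for idx, start in enumerate((1, 4, 7), start=1):  # owner, group, other
        r, w, x = mode[start:start + 3]
        shift = 3 * (3 - idx)
        bits |= (4 if r == "r" else 0) << shift
        bits |= (2 if w == "w" else 0) << shift
        bits |= (1 if x in "xst" else 0) << shift
        if x in "sStT":
            bits |= SPECIAL_BITS[idx]
    return bits

def permitted(mode: str, who: str, op: str) -> bool:
    """Does class `who` (owner/group/other) get `op` (read/write/execute/traverse)?"""
    kind, owner, group, other = parse_mode(mode)
    perms = {"owner": owner, "group": group, "other": other}[who]
    if op == "traverse":
        # entering a directory needs its execute bit; with none set nobody,
        # not even the owner, can traverse it (row 4 of the table above)
        if kind != "directory":
            raise ValueError("only directories are traversed")
        return perms.execute
    return getattr(perms, op)
```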
Access Control List - UNIX
An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties
An ACL entry contains:
• Attributes: define special file modes such as SETUID, SETGID and the sticky bit
• Base permissions: reflect the basic access rights
• Extended permissions: specify, permit, deny
Access Control List
ACL entries and their description:
1. attributes: setuid, setgid, stickybit   Special file modes.
2. base permissions                        Standard Unix file permissions.
3. owner(owner_user): rwx                  Owner and access rights.
4. (owner_group): r-x                      Group and access rights.
5. others: r--                             Others' rights.
6. extended permissions                    Additional ACL entries.
7. enabled                                 Enabled or disabled.
8. permit --x u:some_user, g:some_group    Permits access to the specified user-group combination in a boolean AND manner.
9. deny rwx g:a_group                      Forbids access to the specified user-group combination in a boolean AND manner.
Auditing
• A feature which provides accountability for all system activities, from file access to network and database
• Each audit event, such as a user login, is formatted into fields such as the event type, user id, file names and time
Audit events:
• Administrative event class: security administrator events, system administrator events, operator events
• Audit event class: describes the operation of the audit system itself
Windows File System
Supports two file systems:
• FAT (File Allocation Table): the file system does not record security information such as the owner or access permissions of a file or directory
• NTFS (New Technology File System): supports a variety of multi-user security models
NTFS vs FAT: fault tolerance; access control by directory or file; can compress individual files or directories; POSIX support
Access Control List - Windows
Data structure of an ACL:
• ACL size: number of bytes of memory allocated
• ACL revision: revision number for the ACL's data structure
• ACE count: number of ACEs in the ACL
Access Control Entries
An ACE contains the following access control information:
• A security identifier (SID)
• An access mask, which specifies access rights
• A set of bit flags that determines which child objects can inherit the ACE
• A flag that indicates the type of ACE
ACE Types
3 generic types and 3 object-specific ACE types.
Generic ACE types:
Type            Description
Access-denied   Used in a DACL to deny access.
Access-allowed  Used in a DACL to allow access.
System-audit    Used in a SACL to log attempts to access.
Object-specific ACE types:
Type                             Description
Access-denied, object-specific   Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
Access-allowed, object-specific  Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
System-audit, object-specific    Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.
Access Rights
Generic access rights, standard access rights, and other rights such as SACL access rights, object-specific access rights and user rights.
Generic access rights:
Constant in Win32 API   Meaning
GENERIC_ALL             Read, write, and execute access
GENERIC_EXECUTE         Execute access
GENERIC_READ            Read access
GENERIC_WRITE           Write access
Standard access rights:
Constant in Win32 API   Meaning
DELETE                  The right to delete the object.
READ_CONTROL            The right to read the information in the object's security descriptor, not including the information in the SACL.
SYNCHRONIZE             The right to use the object for synchronization. Some object types do not support this access right.
WRITE_DAC               The right to modify the DACL in the object's security descriptor.
WRITE_OWNER             The right to change the owner in the object's security descriptor.
How Access Control Works?
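As an added example (not from the slides), a simplified model of how the ordered DACL described above is evaluated: ACEs are walked in order, a matching access-denied ACE refuses outstanding rights at once, and access-allowed ACEs accumulate rights until the requested mask is satisfied. The standard and generic right values are the documented Win32 constants; the SIDs and the sample DACL are constructed placeholders, and the model omits generic-right mapping and the owner's implicit rights.

```python
from dataclasses import dataclass

# Standard and generic access rights as defined in the Win32 API (winnt.h values).
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000
WRITE_OWNER, SYNCHRONIZE = 0x00080000, 0x00100000
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000

ACCESS_ALLOWED, ACCESS_DENIED = "access-allowed", "access-denied"

@dataclass(frozen=True)
class Ace:
    type: str   # ACCESS_ALLOWED or ACCESS_DENIED (system-audit ACEs belong in the SACL)
    sid: str    # trustee; the SIDs used below are constructed placeholders
    mask: int   # access mask: the rights this ACE grants or refuses

def is_canonical(dacl) -> bool:
    """Canonical order: every access-denied ACE precedes every access-allowed ACE."""
    seen_allow = False
    for ace in dacl:
        seen_allow = seen_allow or ace.type == ACCESS_ALLOWED
        if seen_allow and ace.type == ACCESS_DENIED:
            return False
    return True

def access_check(dacl, token_sids, desired: int) -> bool:
    """Walk the DACL in order, skipping ACEs whose SID is not in the token.
    A deny ACE covering any right not yet granted refuses the request; allow
    ACEs clear bits from `remaining` until nothing is left.  Reaching the end
    with bits outstanding means denied.  No DACL at all (None) grants
    everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if ace.type == ACCESS_DENIED and ace.mask & remaining:
            return False
        if ace.type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
    return remaining == 0

# Constructed example DACL: contractors may read the security descriptor but are
# explicitly refused any change to it; admins get full control of the descriptor.
SAMPLE_DACL = [
    Ace(ACCESS_DENIED,  "S-CONTRACTORS", WRITE_DAC | WRITE_OWNER),
    Ace(ACCESS_ALLOWED, "S-CONTRACTORS", READ_CONTROL),
    Ace(ACCESS_ALLOWED, "S-ADMINS", READ_CONTROL | WRITE_DAC | WRITE_OWNER | DELETE),
]
```

Because the deny ACE comes first, a token holding both the contractor and the admin SID is still refused WRITE_DAC, which is exactly why ACE order matters when auditing an ACL.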
Automated Tools By Category
Enterprise vulnerability management: Hercules AVR (Citadel); Class 5 AVR (Secure Elements)
Vulnerability assessment: Retina Network Security Scanner (eEye); FoundScan Engine (Foundstone); STAT Scanner (Harris); Internet Scanner (ISS); SiteProtector (ISS); System Scanner (ISS); Microsoft Baseline Security Analyzer (Microsoft); IP360 Vulnerability Management System (nCircle); Nessus Scanner (Nessus); SecureScout SP (NexantiS); QualysGuard Scanner (Qualys); SAINT Scanning Engine (Saint); Lightning Console (Tenable); NeWT Scanner (Tenable); WebInspect (SPI Dynamics)
Patch management: System Management Server (Microsoft); Windows Update Service (Microsoft); PatchLink (PatchLink); Big Fix (BigFix); UpdateExpert (St. Bernard); HFNetChk (Shavlik)
Policy management: Active Directory Group Policy Objects (Microsoft); Security Policy Management (NetIQ); Enterprise Security Manager (Symantec); Compliance Center (BindView)
Configuration/asset management: System Management Server (Microsoft); TME (Tivoli); Unicenter (CA); Enterprise Configuration Manager (Configuresoft); Asset Management Suite (Altiris)
Conclusion
UNIX vs Windows:
• It is easy to control system configuration on UNIX
• ACLs are much more complex than traditional UNIX-style permissions
• In basic UNIX, it is impossible to give a number of users different access rights
System Security Policy Files
OPERATING SYSTEMS
Examples: » XP (NSA Guidelines) » Win 2000 (NIST Guidelines, NSA Guidelines, SANS Step-By-Step) » Win 2003 (MS Windows Server 2003 Security Guide) » NT (SANS Guidelines, MS Security White Paper, US Navy) » Linux (SANS Step-By-Step) » Solaris (SANS Step-By-Step) » AIX (IBM Guidelines) » HP-UX (HP Guidelines) » UNIX Samples » BlockSP2 » Services List » Services Pack
APPLICATIONS
Examples: » Applications List » Internet Explorer » Word 2000 and Excel 2000 Macro Settings » IIS Lockdown Guidelines » IIS Metabase Sample
INSTALLED HARDWARE / SOFTWARE
Examples: » Anti-Virus » Hardware List » USB Storage » Installed Modems
PATCHING
Examples: » MS Fixes » SUN Patches
REGULATIONS
Examples: » Sarbanes-Oxley » HIPAA » FISMA » GLBA » ISO17799
Perfect World (almost): A Scenario
• Anytime a machine joins (or re-joins) the corporate network, it is automatically quarantined, assessed, and remediated to bring it into compliance, prior to gaining access to network resources
• Every night, critical vulnerability configuration compliance checks are performed on all Windows desktops and remediated if needed
• Every Saturday, from 2:00 AM – 3:00 AM, newly approved patches are automatically applied to all Windows desktops
• Every Sunday, from 2:00 AM – 3:00 AM, all Windows and Unix servers are checked for security policy compliance. Selected items are remediated; other items generate alerts
• During monthly maintenance intervals, Unix and Windows servers are fully patched and rebooted if required
• Monthly, a full, automated network assessment is performed to independently scan for vulnerabilities
• Quarterly, remediation policies are reviewed and updated to incorporate new vulnerability remediations
• Critical, zero-day remediations are applied where needed in the enterprise within an hour of notification and remedy availability
Contact Information
Patti Walker, Director, Technology Risk Management, Phoenix / Las Vegas
(602) 643-1600 (o), (480) 734-6960 (c), (602) 643-1606 (f)
Jim Patterson, CISSP, CBCP, CRM, Technology Risk Management, Phoenix / Las Vegas
(602) 643-1600 (o), (480) 529-9393 (c), (602) 643-1606 (f)
Jefferson Wells, A Manpower Company, 11811 N. Tatum Blvd., Suite 3076, Phoenix, Arizona 85028