Auditing Networks, Perimeters and Systems


Applying Risk Analysis Techniques to Information Systems
Randy Marchany
VA Tech Computing Center
Blacksburg, VA 24060
[email protected]
540-231-9523
Copyright 2001 Marchany
Unit 1: Pay Me Now or Pay Me Later
Why we need to check our infrastructure
Why Bother?
• This section will give you some concrete examples of what can happen if you don’t have basic security rules at your site.
• Every one of these attacks could have been prevented ahead of time with minimal effort.
• The cost to fix it afterwards was much higher!
Pay Me Now or Pay Me Later
• E = D + R
  – E = amount of time you’re exposed
  – D = amount of time it takes to detect an attack
  – R = amount of time it takes to react to an attack
• Easiest way to calculate the cost of an incident
  – Multiply average hourly wage * time * people
The Top 10 Vulnerabilities
• BIND (Unix/Linux/NT/Win2K)
• CGI programs (www servers)
• RPC (Tooltalk) (Unix/Linux/NT/Win2K)
• Microsoft IIS – RDS and others (NT/Win2K)
• Sendmail (Unix/Linux)
• Sadmind and mountd (Unix/Linux)
• Global file sharing (NetBios, NFS, Appleshare)
• Weak/no passwords, demo/guest accounts
• IMAP/POP buffer overflow
• Default SNMP community strings (Network)
The Internet Audit Project

Percent   Vulnerability   Top 10 #
.77%      Webdist         #2, #4
15.5%     IMAP            #9
12.4%     Qpopper         #9
.52%      Innd
26.1%     Tooltalk        #3, #6
10.8%     RPC_mountd      #3, #6
18.1%     BIND            #1
12.2%     WWW             #2
735065    Hosts scanned   TOTAL
The Top 10 Internet Threats for 2000
• Available at www.sans.org/topten.html
• You should check your systems for these vulnerabilities
• The fix is simple. Apply patches or Service Packs.
• Your sysadmins/netadmins should check your system(s) for the top 10 threats.
  – Bindview Hackershield – NT systems
  – SARA, SAINT – Unix/Linux freeware tools
References
• http://security.vt.edu
• www.sans.org
  – Top 10 threats, Defeating DDoS, etc.
• www.nipc.gov
• www.cornell.edu/CPL
• www.securityfocus.com
  – Early Warning Vulnerability list
• www.insecure.org
• www.usdoj.gov/criminal/cybercrime/index.html
  – Federal Search & Seizure Guidelines
Unit 2: TBS & STAR – Theory and Practice
TBS – Time Based Security
STAR – Security Targeting and Analysis of Risk
How the day is going to go
• Morning – Principles and Theory
  – Audit Process and Goals
  – Time Based Security
  – Putting it all together
• Afternoon – Audit in the Real World
  – Using CIS Rulers to build audit plans
  – Applying the process to systems
  – Putting it all together
The Course Goals
• Construct a Security Checklist for your site.
  – Unix
  – NT
• Use this methodology to develop a response to your internal auditors.
• Have a repeatable method of defining the $$$ cost of implementing security features at your site.
  – This method can be used over time to show trends
• Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.
The General Audit Process
• Audit Planning
  – Review pertinent background info, research policies, prepare the audit program
• Entrance Conference
  – Meet w/IS group leaders to let them know what is going on and find out if there are any specific areas to check.
• Fieldwork
  – Visiting the IS systems and performing the steps listed in the audit program on a sample of systems.
The General Audit Process
• Preparing the Audit Report
  – The report should:
    • State what was done
    • State the results of these actions
    • Present recommendations
    • Include in the appendices the audit checklists used to collect the data.
• The Exit Conference
  – Meet with the people from step 2 and review the results w/them. This is the time to clear up any misunderstandings. Refine the audit report and prepare the recommendations paper.
• Report to Upper Management (CEO, CFO, CIO, VP)
  – Present a summary report of the audit. Provide recommendations and implementation cost estimates.
The Auditor’s Goals
• Ensure assets are protected according to company, local, state and federal regulatory policies.
• Determine what needs to be done to ensure the protection of the above assets.
• Make life miserable for sysadmins…:-)
  – Not really. They can save a sysadmin if a problem occurs.
The Sysadmin’s Goals
• Keep the systems up.
• Keep users happy and out of our hair.
• Keep auditors at arms’ length.
• Get more resources to do the job properly.
• Wear jeans or shorts to work when everyone else has to wear suits…….
The Sysadmin’s Audit Strategy
• Turn a perceived weakness (the audit) into a strength (security checklists).
• Develop a set of reporting matrices that can be used as audit reports or justification for security expenditures.
• The above info can be used to help develop your incident response plan.
Time Based Security
• The Time Based Security Model provides:
    • A methodology that a security officer can use to quantifiably test and measure the effectiveness of security measures.
    • A set of matrices/reports that can be used by security professionals to assign a $ value to the cost. This figure can be given to mgt. to help them prioritize their security expenditures.
    • Winn Schwartau’s book describes TBS. The following slides discuss his methodology.
Time Based Security
• Schwartau’s Simple Formula for TBS
  – Protection (P) - the bank vault
  – Detection (D) - the alarm system
  – Reaction (R) - the police
• Pt > Dt + Rt
    • Pt - the amount of time the Protection system works
    • Dt - the amount of time needed to detect the attack
    • Rt - the amount of time needed to react to the attack
Time Based Security
• Pt > Dt + Rt (TBS Law)
  – If the amount of protection time (Pt) you offer is greater than the sum of the detection time (Dt) and reaction time (Rt), then your systems can be considered secure.
  – If the detection & reaction times are very fast then you don’t need as strong a Protection mechanism.
• KEY: detect anomalous activity and respond ASAP!
Time Based Security
• TBS Corollary
  – P < D + R
• If it takes longer to detect and respond to an intrusion than the amount of protection time afforded by the protection device, P, then effective security is impossible.
• Look at specs for each of the components in your network architecture.
Time Based Security
• If Pt = Dt + Rt, then Pt implies an Exposure Time, E.
  – E = D + R
• You want D + R -> 0. As your detection & reaction speeds increase, the need for strong Protection decreases. Hmmm…...
• Fortress mentality dictates that P must be extremely high because D + R is really slow or non-existent.
Measuring Security
• Measure D + R (sec/min/hrs/day)
• Assume the best: active logging, good AUP (Acceptable Usage Policy), decent IRP (Incident Response Policy)
    • How long does it take to detect an event? (D = x)
    • How long to notify affected parties? How long for them to analyze and respond? (R = y) Out of office? Out to lunch? How long to answer page?
  – How much damage could be done in D + R time?
TBS Methodology
• Assume P = 0. Build the following matrix
  – Detection systems in place? No, then D = , E = and you have 100% exposure (E).
  – Reaction system in place? No, then R = , E = and you have 100% system exposure (E).
  – How long does the detection mechanism take to detect an attack? Answer in sec/min/hrs.
TBS Methodology - Detection
  – Once an attack is detected, how are you notified? Logs? Pager? Phone? Future audit trails?
  – How long does the above take? (sec/min/hr/day)
    • Sitting at your desk: _________
    • When you’re at lunch: _______
    • Break time: _______
    • Headed home: _______
    • Sleeping: _______
    • At the movies: _______
TBS Methodology - Reaction
  – Once notified, how long does it take to do something about it? (sec/min/hrs/day)
    • Sitting at your desk: _______
    • At lunch: _______
    • On break: _______
    • Headed home: _______
    • Sleeping: _______
  – How long does it take to determine the cause/effect/solution? Include other folks
    • Onsite: _____
    • Offsite: _____
TBS Methodology - D+R
  – Severe Attacks: How long does it take to get permission to take any/all steps to protect the net/assets including shutting them down? _____
• Add the best-case numbers: ______ s/m/h
• Add the worst-case numbers: _____ s/m/h
• Exposure Time (E) = ______ (best case) to _____ (worst case)
Measure Exposure Time - E
• Rule of Thumb: Bw/10 in bits = Bw in bytes (bandwidth in bits per second divided by 10 gives the usable bytes per second)
    • Example: T-1: 1.54 Mb/s -> 154 KB/s = 9.2 MB/min
• This gives: File Size / Bandwidth = Required Attack Time, or MB/(Mb/s) = Attack Time, or F/Bw = T = E (Exposure Time)
• If the goal is file theft, the size of the target file F divided by the max. bandwidth of the network path Bw determines the amount of time T needed to get the info.
Measure Exposure Time - E
• This is 1 measure of risk. Info theft can be measured using T + intrinsic value of info. Remember Bw could be data transfer rates of floppy or tape drives.
• Example: A net has Exposure Time, E = (D + R) = 10 minutes and a tape drive with a xfer rate of 6 GB/hr.
    • T = 10 minutes = 1/6 hr, Bw = 6 GB/hr, F = Bw * T = 1 GB of data could be stolen before detection/reaction kills the attack.
Measure Exposure - External
• Bandwidth limiting is an effective response method.
• Data Padding: pad the critical files so their size exceeds what can be transferred within E. Using the previous example:
  – E = 10 min, Bw = 6 GB/hr.
    • File Size = (1/6 hr) * (6 GB/hr) = 1 GB = F
    • All critical files should be padded to 1 GB.
TBS - Integrity Attacks
• Attacker’s Goal: make undetected, unauthorized changes to data
• TBS analysis:
    • Assume you’re an insider w/access to the net & system. How long does it take you to manually get to the target application? _____ (s/m/h) How long would a script take to do the same? ______ (s/m/h)
    • Once logged into that application, how long does it take as a trusted user to make unauthorized changes to those records? ______ (s/m/h)
TBS - Integrity Attacks (cont)
    • What steps would a knowledgeable user take to cover their tracks? How long does it take to effect those changes? _______ (s/m/h)
    • Add up the times for manual & automatic navigation.
  – This gives a target maximum value for E and provides a target guideline for D + R.
TBS - Measure the $ Damage
• Two Formulas: E = D + R, F/Bw = T
    • If we know E, we can get F if E = T.
    • If we know T, we can get E and D + R.
• Coordinate w/Auditors & Mgt. and ask:
    • If a critical file gets out, what would be the financial effect on the company?
    • DoS attacks could cripple the company nets. What is the hourly/daily cost to the company if this happens?
    • What is our legal liability if client records or employee records are compromised?
TBS Asset Organization
• Information Value
  – Some info loses value over time. Example: advance notification, product announcements
  – Some info’s value is still changing. Example: idea before its time.
• 4 Categories of Info Assets
    • Company Proprietary - product designs, pricing strategies, patents, source code, customer lists
    • Private Employee - HR records, perf reviews, SSN
TBS Information Assets
• Information Asset Categories (cont)
    • Customer Private - pricing info, purchase history, non-disclosure info
    • Partner/Gov’t - info assets that don’t fit into the other categories
• Risk Categories
    • Critical - if it gets out, we’re out of business
    • Essential - Survivable but a major hit. It’ll hurt but we can spin back to normal
    • Normal - may be embarrassing, disruptive only
TBS Info Asset Matrices

Criticality        Critical   Essential   Normal
Co. Proprietary
Private Employee
Customer Private
Partner/Govt

• Prepare matrices listing each asset and risk.
• Use the matrices to build an affordable, workable and maintainable security environment.
• Prepare separate matrices for criticality (like above), integrity and availability.
TBS Review Process
• Identify and categorize the Info assets
• Specify the logical locations of the assets
• Identify the physical locations of the assets
• The above info tells us:
    • If critical assets are all over the place then your defenses are spread out and cost more
    • If you have a single point of failure.
    • Negligible info is mixed in with Critical info.
• Some info has no place being on the net!
Layered TBS
• Assume your net has a Firewall, fully patched OS on the DB server and an application Password server (Oracle passwords) in place.
• TBS variables
  – E(db) - Overall Exposure time for the DB
  – E(pw) – Exposure time for the Appl password
  – E(os) – Exposure time for the server’s OS
  – E(fw) – Exposure time for the FW
Layered TBS
TBS Equations:
  E(db) = P(pw) + E(fw) + E(os)
  E(os) > D(os) + R(os)
  E(fw) > D(fw) + R(fw)
  E(pw) > D(pw) + R(pw)
The intruder needs to overcome E(pw), E(fw) and E(os) in order to get to the data E(db).
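The TBS arithmetic from the preceding slides (E = D + R, the law Pt > Dt + Rt, the bits/10 bandwidth rule of thumb, F = Bw * T for data at risk, and the layered E(db) equation) carried through in code. This is an added example, not code from the slides or from Schwartau's book; the reaction-matrix timings in SCENARIOS are constructed values standing in for the blanks the deck asks each site to fill in.

```python
"""Time Based Security (TBS) worked through in code (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One row of the reaction matrix: where you are when the alarm fires."""
    name: str
    detect_s: float  # D: seconds from attack start until it is noticed
    react_s: float   # R: seconds from notification until something is done

    @property
    def exposure_s(self) -> float:
        """E = D + R for this row."""
        return self.detect_s + self.react_s


# Constructed sample rows (the deck leaves these as blanks for each site).
SCENARIOS = [
    Scenario("sitting at your desk", detect_s=30, react_s=5 * 60),
    Scenario("at lunch", detect_s=30, react_s=45 * 60),
    Scenario("sleeping", detect_s=30, react_s=4 * 3600),
]


def exposure_range(scenarios):
    """Best- and worst-case E in seconds ('add the best/worst-case numbers')."""
    exposures = [s.exposure_s for s in scenarios]
    return min(exposures), max(exposures)


def tbs_holds(protection_s: float, detect_s: float, react_s: float) -> bool:
    """The TBS law: the system counts as secure only while Pt > Dt + Rt."""
    return protection_s > detect_s + react_s


def covered_scenarios(protection_s: float, scenarios):
    """Names of the rows for which the protection time outlasts D + R."""
    return [s.name for s in scenarios
            if tbs_holds(protection_s, s.detect_s, s.react_s)]


def bytes_per_second(bits_per_second: float) -> float:
    """Deck rule of thumb: bandwidth in bits divided by 10 gives usable
    bytes/s (the two extra bits over eight absorb framing overhead)."""
    return bits_per_second / 10


def data_at_risk_bytes(exposure_s: float, bw_bytes_per_s: float) -> float:
    """F = Bw * T with T = E: how much can leave before D + R ends the attack.
    The same figure is the size the deck says critical files should be padded to."""
    return exposure_s * bw_bytes_per_s


def layered_exposure(p_pw_s: float, e_fw_s: float, e_os_s: float) -> float:
    """E(db) = P(pw) + E(fw) + E(os): the intruder must outlast every layer."""
    return p_pw_s + e_fw_s + e_os_s


if __name__ == "__main__":
    best, worst = exposure_range(SCENARIOS)
    print(f"E ranges from {best / 60:.1f} to {worst / 60:.1f} minutes")
    # Deck example: E = 10 min against a 6 GB/hr tape drive -> 1 GB at risk.
    tape_bytes_per_s = 6e9 / 3600
    print(f"data at risk in 10 min: {data_at_risk_bytes(600, tape_bytes_per_s) / 1e9:.2f} GB")
    # Deck example: T-1 at 1.54 Mb/s -> 154 KB/s usable.
    print(f"T-1 usable rate: {bytes_per_second(1.54e6) / 1e3:.0f} KB/s")
    print("rows covered by one hour of protection:", covered_scenarios(3600, SCENARIOS))
```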
Layered TBS Conclusions
• All assets are NOT created equal and they do NOT deserve equal protection.
• Asset distribution by physical and logical separation is a security process but performed under the network architecture and topology banner
• Design the killing zones, in other words.
TBS Reaction Matrices
• Goal: make D + R as small as possible
  – A smaller R reduces the reliance on a higher P value.
• R Components
  – Notification - tells someone/something that a detection mechanism was triggered. Schwartau’s 3am rule: “notify someone” means “tell someone other than the boss who doesn’t want to be bothered at 3am”, which increases the R time.
• Fill out the matrix with the target E, R or T times.
  – This documentation is important since it helps mgt. understand the quantitative nature of TBS.
• The matrix is based upon AUP, disaster recovery plans, amount of risk the org is willing to take - measured in EXPOSURE TIME - T
TBS Reaction Matrix - I

Notification Means - REACTION          Desired Time   Predicted Time   Measured Time
During Work Hours
  email to desk at peak traffic times
  email to desk at off-hours
  email when not at desk
  pager with return # or 911
  pager with full message
  phone call to desk
  notify 2nd in charge
Non Business Hours
  email to home
  email when not at home
  pager with return # or 911
  pager with full message
  phone call to home
TBS Reaction Matrix - II

Detected Event             Response            Desired Time   Measured Time
5 bad password attempts    Log/call sysadmin
Multiple Port Scan         Shoot person
Ping of Death              Reaction #30

The sysadmin represents the greatest room for error by making R unacceptably high. Why? People hesitate to make tough decisions like shutting down part of a net.
The “sacrifice the pawn to save the king” strategy can be very risky if you don’t have policies in place and MGT support. Automated responses can eliminate this BUT I saw “Colossus: The Forbin Project”…:-)
TBS Reaction Matrix
• Questions the Reaction Matrix should answer:
    • Is the attack real? What was the goal? Is it ongoing?
    • Did the R-matrix come to the proper conclusion?
    • Was the attack thwarted? Post-mortem analysis?
    • What further steps are needed?
    • Who did it?
• Must be empowered by mgt. and policy to limit R. Necessary for TBS to work.
TBS - Evaluating Protection
• Previous slides used TBS to evaluate D + R.
• Applying E = D + R to Access Control (User Logins)
  – E = max. amt. of time needed to accomplish proper authentication.
  – D = time needed to detect the authentication request and determine its authenticity.
  – R = time needed for the detection module to trigger a PROCEED or STOP reaction.
• Applying E = D + R to Enterprise Audit Trails
  – D = time needed for an audit tool to record, analyze, transmit data.
  – R = time it takes for the detection tool to trigger the reaction and how long the reaction takes.
Unit 3: STAR Case Study
How We Did It at VA Tech, or how STAR was born
TBS Case Study
• Sort of…..
• We applied some but not all TBS concepts in our first attempt to determine the status of our asset security.
• This process took about 12 months. The security committee met once every 2-3 weeks.
• We’re starting the fourth phase and are applying more TBS concepts this time.
The Committee
• Management and Technical Personnel from the major areas of IS
  – University Libraries
  – Educational Technologies
  – University Network Management Group
  – University Computing Center
  – Administrative Information Systems
The Committee’s Scope
• Information Systems Division only
• Identified and prioritized Assets
  – RISKS associated with those ASSETS
  – CONTROLS that may be applied to the ASSETS to mitigate the RISKS
• Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to assets we wish to protect
The Committee’s Charge
• From our VP for Information Systems
• “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service”
• “Investigate and advise the VPIS as to the security of systems throughout the university….Provide documentation of the security measures in place.”
Identifying the Assets
• Compiled a list of IS assets (+100 systems)
• Categorize them as critical, essential, normal
  – Critical - VT can’t operate w/o this asset for even a short period of time.
  – Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap.
  – Normal - VT could operate w/o this asset for a finite period but entities may need to identify alternatives.
Prioritizing the Assets
• The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical.
• Some assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to the other and members voted on their relative importance. Members could split their vote.
Prioritizing the Assets
• Asset weight values calculated by a simple formula. Weight = sum of vote values.
  – Criteria: Criticality, Value to the Org, Impact of Outage
  – Team members vote for the top 5 Assets in order.
    • First place vote = 5 points times # votes received
    • Second place vote = 4 points times # votes received
    • Third place vote = 3 points times # votes received
    • Fourth place vote = 2 points times # votes received
    • Fifth place vote = 1 point times # votes received
• This determines the criticality of the assets listed in Exhibit A.
Identifying the Risks
• A RISK was selected if it caused an incident that would:
    • Be extremely expensive to fix
    • Result in the loss of a critical service
    • Result in heavy, negative publicity especially outside the university
    • Have a high probability of occurring
• Risks were prioritized using the matrix prioritization technique
Prioritizing the Risks
• Same as formula for prioritizing Assets
• Criteria:
  – Scope of Impact
  – Probability of an incident
• Weight = sum of vote values
• This determines the criticality of the risks shown in Exhibit B
Prioritizing the Assets & Risks
• The values in the first (white) column of exhibits B and D are the weight values assigned to the asset or risk.
• The ordering of the Assets & Risks was determined by simple vote. How many think asset 1 is more critical than asset 2? Same for risks.
• The votes are shown in the white squares.
Mapping Risks and Assets
• We built a matrix that maps the ordered list of critical assets against the ordered list of risks regardless of whether or not
  – A particular risk actually applied to the asset
  – Controls exist and/or are already in place
• The matrix provides general guidance about the order each asset/risk is examined. All assets/risks need to be examined eventually.
Mapping Risks and Assets
• The more critical assets and risks, as determined by the matrices in Exhibits B & D, are closer to the upper left corner of the matrix. An example of this is Exhibit E.
• The Weight of an Asset-Risk pair = (Asset Weight * Risk Weight) / 100. These values are listed in the cells of Exhibit E.
Identifying Controls
• Specific controls identified by the committee were put in a matrix
• The controls were then mapped against a list of risks and in those cells are the control ids that can mitigate a particular risk for a particular asset
Mapping Controls to the R/A Matrix
• Exhibit G shows the controls that apply to a particular Asset-Risk pair.
• Exhibit F lists controls that could be applied to a Risk.
• Example: For the Site 1-Sysadmin Practice pair, the cell shown at the intersection of the 2 items lists controls 7, 13, 14, 30, 33 as possible controls to mitigate the risk on the asset.
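The STAR prioritization procedure from the slides above (top-5 ballots weighted 5/4/3/2/1 points per vote, assets and risks ranked by weight, the asset-risk matrix whose cells hold Asset Weight * Risk Weight / 100 with the heaviest pair in the upper-left corner, and control ids attached per risk) implemented end to end. This is an added example, not the VT committee's own tooling; the ballots, asset and risk names, and control ids are constructed sample data, and the examination order is my reading of "general guidance about the order each asset/risk is examined".

```python
"""STAR-style asset/risk prioritization (added example)."""
from collections import defaultdict

# Points awarded per vote at each place on a member's top-5 ballot.
POINTS = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}


def weights_from_ballots(ballots):
    """Weight = sum over places of (points for that place * votes at that place).

    Each ballot is one member's ordered list of up to five items, best first.
    """
    votes = defaultdict(lambda: defaultdict(int))  # item -> place -> count
    for ballot in ballots:
        if len(ballot) > len(POINTS):
            raise ValueError("a ballot lists at most five items")
        for place, item in enumerate(ballot, start=1):
            votes[item][place] += 1
    return {item: sum(POINTS[place] * n for place, n in places.items())
            for item, places in votes.items()}


def ranked(weights):
    """Items ordered by descending weight; ties broken by name for stable output."""
    return sorted(weights, key=lambda item: (-weights[item], item))


def asset_risk_matrix(asset_weights, risk_weights):
    """Rows are risks, columns are assets, both ordered by weight, so the
    heaviest asset-risk pair lands in the upper-left cell (the deck's Exhibit E)."""
    matrix = {}
    for risk in ranked(risk_weights):
        matrix[risk] = {asset: round(asset_weights[asset] * risk_weights[risk] / 100, 2)
                        for asset in ranked(asset_weights)}
    return matrix


def examination_order(asset_weights, risk_weights, risk_controls):
    """Flatten the matrix into the order in which asset-risk pairs get examined,
    each with the candidate control ids for its risk (the deck's Exhibit G)."""
    matrix = asset_risk_matrix(asset_weights, risk_weights)
    cells = [(risk, asset, weight, sorted(risk_controls.get(risk, ())))
             for risk, row in matrix.items() for asset, weight in row.items()]
    return sorted(cells, key=lambda cell: (-cell[2], cell[0], cell[1]))


# Constructed ballots: three committee members ranking five assets ...
ASSET_BALLOTS = [
    ["network", "email", "database", "web", "dns"],
    ["network", "database", "email", "dns", "web"],
    ["database", "network", "email", "web", "dns"],
]
# ... and three risks (a ballot may list fewer than five items).
RISK_BALLOTS = [
    ["weak passwords", "sysadmin practice", "denial of service"],
    ["sysadmin practice", "weak passwords", "denial of service"],
    ["sysadmin practice", "denial of service", "weak passwords"],
]
# Constructed control ids per risk (what the deck's Exhibit F would list).
RISK_CONTROLS = {
    "sysadmin practice": [7, 13, 14, 30, 33],
    "weak passwords": [2, 9],
    "denial of service": [21, 22],
}


def star_report():
    """Run the whole procedure on the constructed data."""
    asset_w = weights_from_ballots(ASSET_BALLOTS)
    risk_w = weights_from_ballots(RISK_BALLOTS)
    return asset_w, risk_w, examination_order(asset_w, risk_w, RISK_CONTROLS)


if __name__ == "__main__":
    asset_w, risk_w, order = star_report()
    print("assets by weight:", [(a, asset_w[a]) for a in ranked(asset_w)])
    print("risks by weight: ", [(r, risk_w[r]) for r in ranked(risk_w)])
    for risk, asset, weight, controls in order:
        print(f"{weight:5.2f}  {asset:9} x {risk:18}  controls {controls}")
```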
The Overall Compliance Matrix
• This is a 1 page overall report of the status of the Assets listed in the Exhibit E (Asset/Risk) matrix.
• Assets are listed on the X-axis. Risks are listed on the Y-axis.
• Color codes show whether the Asset is protected from the Risks.
• Shown in Appendix 2.
The Asset/Risk Compliance Matrix
• Another way of displaying the report.
The Control Compliance Matrix
• Lists the controls from Exhibit F and shows if the control is installed on a particular asset.
• A quick way to determine what controls are on which asset.
The Individual Action Compliance Matrix
• Assets are listed on the X-axis
• Risks are listed on the Y-axis. Subcategories of the risks are listed and compliance is shown by color coding the cells.
• The Audit Security checklist (shown at the end of Appendix B) contains the actual commands to perform the task.
The Audit/Security Checklist - I
• The detailed commands used to check an asset.
• Based on the Defense Information Infrastructure (DII) and Common Operating Environment (COE) initiative.
• We took the checklists from this site, modified them according to our R/A matrix and built checklists for Sun, IBM, NT.
• Our thanks to the unknown author who wrote the original document. Checklists are available from http://diicoe.disa.mil/coe
• A fragment is shown in Appendix 3. The full document is available from http://security.vt.edu in the Checklists section.
The Audit/Security Checklist - II
• We’re now using the CIS Benchmark Rulers as our checklists.
• The CIS provides a scanning tool that lets us check the status of our systems quickly.
• See http://www.cisecurity.org to download the scanning tool and the checklist.
• Another example of changing times….
STAR Lab Exercise
• We’re going to walk through the STAR process as a group.
• I’ll provide the asset matrix and we are going to rank them.
• I’ll provide the risk matrix and we are going to rank them.
• We’ll map the asset-risk matrix to see how our votes create an “audit” strategy.
• I expect a lively discussion.
Recommendations
• The STAR process recommends a general order in which IS should apply scarce resources to perform a cost benefit analysis for the various assets & risks.
• For each asset, as directed by mgt., appropriate staff should:
  – Review the risks & controls
  – Add any further risks/controls not identified
  – Assess the potential cost of an incident
  – Assess the cost of control purchases and deployment
  – Analyze cost vs. benefit for each asset
  – Submit results to mgt., which retains the responsibility to weigh investments and make implementation decisions
Conclusions
• TBS provides a quantitative, repeatable method of prioritizing your assets.
• The matrices provide an easy to read summary of the state of your assets.
• These matrices can be used to provide your auditors with the information they need.
• The checklist contains the detailed commands to perform the audit/security check.
Unit 4: Building Your IT Audit Plan/Checklist
Sample checklist/audit plans for Unix, NT and Windows 2000 Active Directory
The Top Ten Step-by-Step
www.sans.org/topten.htm
• The Berkeley Internet Name Domain (BIND)
• Common Gateway Interface (CGI) programs
• Remote procedure calls (RPC)
• IIS’s Remote Data Services
• Sendmail
• Sadmind & mountd
• File sharing over networks
• Demo or guest accounts
• IMAP and POP
• Simple Network Management Protocol (SNMP) default community strings
Introduction
• This section is designed to give you a brief overview of the top 10 most critical Internet Security threats.
• Your audit plan needs to cover the threats described in this section at a minimum.
• These aren’t the only threats….just the most common at the moment.
So Many Systems, Not Enough Time…..
• 2.3 million hosts are connected to the Net each month. There aren’t 2.3 million sysadmins. Something has to give….
• Unfortunately, it’s the sysadmin.
• Not enough training, too many conflicting demands on their time.
• The Prime Directive: Keep the system up!
• Patch the system? When I have time….
Some Pointers About the List
• Each item in the list is divided into 4 parts
  – A description of the vulnerability
  – The systems affected by the vulnerability
  – A CVE number identifying the vulnerability
  – Some suggested corrections
• What’s a CVE number?
  – CVE = Common Vulnerabilities & Exposures reference number that is used to uniquely identify a vulnerability.
  – It’s like the Dewey Decimal #’s that are used in the library. You can go to any library and find the same book using the same Dewey catalog number
  – CVEs do the same for vulnerabilities.
Item #1: BIND
• All Internet systems have a hostname and an IP address.
  – Every home is known by its address and who lives in it. “hey, is that Randy’s house?” “Yeah, it’s at 24 Main St.”
  – “Randy’s house” = hostname
  – “24 Main St.” = IP address
• BIND (Berkeley Internet Domain) maps hostnames to IP addresses.
  – It’s the set of “phone books” of the Internet.
Item #1: BIND
• Every network needs a couple of systems that run BIND. They’re called nameservers.
• Old versions of BIND have security holes. The nameservers aren’t always up-to-date. They were when they were installed but that was years ago. It works so why fix it? Right? Wrong!
• The Danger:
  – Hackers get full control of the nameserver and can use it for anything they want.
• A Solution
  – Make sure your version is higher than BIND 8.2.2 patch level 5
Item #2: CGI Scripts
• CGI = Common Gateway Interface
• It’s the language that programmers use to display and read your input to a WWW based form.
• Not everyone knows how to use it so WWW server vendors supply examples.
• The examples have security holes in them. Some CGI programmers haven’t checked their code.
The Second Item – CGI Scripts
• All Web servers could be affected by this “feature”.
• The Danger
  – Your WWW pages could be changed a la DOJ, CIA, FBI, Valujet.
  – Your WWW server could be used to attack other sites
• A Solution
  – Remove unsafe CGI scripts from the WWW server
Item #3: Remote Procedure Calls (RPC)
• RPC allows a computer to run a program on another computer.
• It’s used by computers that share files between them.
• Many client – server systems depend on the use of RPC calls.
• Unix systems (Solaris, AIX, HP-UX, Linux, Tru64, Irix) were primarily affected but any computer that uses the RPC subsystem is vulnerable
Item #3: Remote Procedure Calls (RPC)
• The Danger:
  – Older versions of RPC have security weaknesses that allow hackers to gain full control of your computer(s).
• A Solution
  – Disable the RPC services if you don’t use them
  – Install the latest vendor patches
Item #4: Microsoft Internet Information Server (IIS)
• Windows NT and Windows 2000 Web servers use IIS to support web services.
• IIS has a component called Remote Data Services (RDS) that could allow a hacker to run remote commands with administrator privileges.
Item #4: Microsoft Internet Information Server (IIS)
• The Danger:
  – A hacker can run commands on another system without having to access it directly.
• A Solution:
  – Read the Microsoft technical bulletins that describe how to fix the problem
Item #5: Sendmail Weakness
• Sendmail is one of the original Internet email programs.
• It was a graduate programming project that was never designed to work in a “production” environment.
• It became the de facto standard.
• Pre-version 8.10 had security problems
  – Some vendors still ship Sendmail v5.65!
• Most vendors shipped their systems with these older versions.
Item #5: Sendmail Weakness
• The 1988 Internet Worm exploited a problem in sendmail. There are a lot of systems that still run that version of sendmail. Why? It works!
• The Danger:
  – Hackers can run commands on your systems without ever logging into your system. Hackers can take over your machine.
• A Solution:
  – Update to the latest version of sendmail
Item #6: sadmind and mountd
• Sadmind is used by Solaris applications to run distributed sysadmin operations. It executes the request on the server from a client program. Sounds like RPC? It is.
• Mountd controls file sharing across the network using NFS. This is the program that “attaches” a remote disk to your computer.
Item #6: sadmind and mountd
• The Danger:
  – Hackers can cause these programs to give them access to root. They can take over your machine.
  – This was one of the primary ways hackers used to set up the systems used in the recent DDOS attacks against Yahoo, CNN and other sites.
• A Solution:
  – Install the latest vendor patches for sadmind and mountd.
Item #7: Global File Sharing
• You can share files between computers using tools like Network Neighborhood (Windows), AppleShare (Macintosh) or NFS (Unix).
• By default, the access is read-write.
• Anyone on the same network could access your files. In the old days, the network was small but now the network is the Internet so anyone anywhere in the world could access your files if you let them.
• The problem is that you don’t always know that you’re letting them.
Item #7: Global File Sharing
 This is a real danger to homes that have direct
connect modems.
 The Danger:
– People can get access to your personal data, for
example, your checking account data (if you use
MSMoney), your email, etc.
 A Solution:
– Make sure you know what you’re sharing.
– Make sure you know who’s sharing the data with you.
Item #8: User Accounts with No
Passwords
 Some systems come with demo or guest accounts
with no passwords or well known passwords.
 The initial/default password for VMS system
manager account, SYSTEM was MANAGER.
The initial password for the Field Service account,
FIELD, was SERVICE.
 People forgot to change these passwords.
 The first thing hackers do is check to see if the
default passwords were changed. Why waste a lot
of effort if the door is unlocked?
Item #8: User Accounts with No
Passwords
 The Danger:
– Someone can get complete control of your system.
– Someone can get access to your system via a general
account and then run exploit tools on your systems to
get full control of your system.
 A Solution:
– Change your root and administrator passwords before the
system goes into production.
– Run a password checking program to discover who has
weak passwords on your system. Do it before the
hackers do!
Item #9: IMAP, POP
Vulnerabilities
 IMAP and POP are two common email
protocols that provide additional features to
email users.
 They allow users to access their email
accounts from anywhere on the Internet.
 Firewalls usually allow email using these
services to pass through the firewall.
 Quality control of the software is
inconsistent most of the time.
Item #9: IMAP, POP
Vulnerabilities
 The Danger:
– Hackers can gain access to your internal
network if they can subvert IMAP or POP mail
server systems.
– If successful, they gain complete control of
your system.
 A Solution:
– Make sure you’ve installed the latest patches.
– Run the services on your mail servers only.
Item #10: SNMP Vulnerabilities
 Simple Network Management Protocol
(SNMP) is used by network managers to
monitor the status, performance and
availability of the network.
 The Net Mgrs can remotely manage their
routers, printers, systems using SNMP.
 SNMP has very weak authentication. Its
default “password” is “private”.
 Everyone knows this.
Item #10: SNMP Vulnerabilities
 The Danger:
– Hackers can gain control of network devices
such as routers. They could shut them down.
– They can map your network w/o your
knowledge.
 A Solution:
– Pick strong community strings (passwords) for
your SNMP devices.
– Make the MIBs read only.
Summary
 Most of the successful system and network attacks
exploit a small set of vulnerabilities.
 The Top 10 list briefly describes this set of
vulnerabilities and gives you references for
learning more about them.
 More importantly, it gives you some suggested
fixes for the problem.
 You have the basis for an effective audit plan.
 Our individual security depends on our mutual
security.
Summary
 You won’t eliminate all of your exposure by
closing these 10 holes. Constant vigilance
and awareness are the best defense.
 The consequences of failure could drive
your company out of business.
 There’ll be another top 10 list of items to inspect
in the future, but at least we got rid of these
items.
What have we just done?
The Top 10 threats meet our TBS risk
criteria:
• Have a high probability of occurring
• Result in the loss of a critical service
• Be extremely expensive to fix later
• Result in heavy, negative publicity
Unit 5: Audit Checklists
Based on the CIS Rulers
Procedural, Perimeter, and UNIX
Applying TBS to the real world!
 Top Ten Vulnerabilities, the vulnerabilities
responsible for most hacks
 Apply TBS as an approach to an effective
understandable security policy
– Basics
– Perimeter
– Unix
– NT
– Windows 2000
The TBS Audit Layers
 A complete IT audit is a set of component
audits. You should be able to measure E, D
and R times for each layer of the security
architecture.
 Components
– Procedural: E = D+R
– Perimeter (Firewall): E = D+R
– UNIX: E = D+R
– NT/Windows 2000: E = D+R
CIS Rulers
 Rulers list a set of minimal actions that need to be
done on a host system.
 This is a consensus list derived from security
checklists provided by CIS charter members
(VISA, IIA, ISACA, First Union, Pitney Bowes,
Allstate Insurance, DOJ, Chevron, Shell Oil, VA
Tech, Stanford, Caterpillar, Pacific Gas & Electric,
RCMP, DOD CIRT, Lucent, Edu Testing Services
and others)
 Can’t develop your own set? Use these!
 http://www.cisecurity.org
CIS Rulers: A Security and Audit
Checklist
 Level 1
– Mandatory Actions required regardless of the
host’s location or function.
 Level 2
– Dependent on your network topology
– Different for switched nets vs. shared nets vs.
wireless nets, etc.
CIS Rulers: Security Checklist &
Audit Plan
 Level 3
– Application Specific (WWW, FTP, DB, Auth)
 Procedural
– Examines the policies in place.
– This is the policy review checklist.
[Diagram: Level 3 (FTP, WWW, DB, Mail) sits on Level 2 (Switched, Wireless, Non-Switched), which sits on Level 1.]
CIS Rulers: Procedural
 General Administration Policies
 Key security tool installed
 User Accounts and environment
 System Logs
 Network File sharing
 General Email Issues
 This review is done during the Audit
Planning Phase of the audit process
CIS Ruler: Procedural
 General Administration Policies
– Acceptable Use Policy
– Backup Policy
– Security Administrator duties
– Whois Contact Information (Tech/Admin)
– System changelogs (Source Revision Control)
– Incident Response
– Minimum software requirements
– User, temp, system account policies
– Patches
CIS Ruler Example: Backups
· Does a backup policy exist?
· Do backup logs exist?
· What data is backed up
· How often data is backed up
· Type of backup (full, differential, etc.)
· How the backups are scheduled and verified
· How the backup media is handled and labeled
· How the backup media is stored
· How long the backup media is retained
· How backup media is rotated and expired
· How backup data is recovered
CIS Ruler: Procedural
 Key security tools installed
– Network routers implement minimum filtering
requirements
– Verify network routers are properly configured
and monitored for in/out traffic
– Are all firewalls properly configured and
monitored for in/out traffic
– The above rules prevent DDOS attacks from
affecting other nets.
CIS Ruler: Procedural
 User Accounts and Environment
– Remove obsolete user entries from system
 System Logs
– How long are they kept? Are they secured?
 Network file sharing
– Review what filesystems this system can access
– Review what filesystems this system exports
 Email Policy
– Abuse Policy?
CIS Ruler: Written
Documentation and Policies
 Where is it?
 Is it available to anyone that needs it?
 Is it up to date?
 Is anything major missing (SGI policies, but
no HP policies)?
CIS Ruler Example: Security
Policy
 Purpose - the reason for the policy.
 Related documents – lists any documents (or other policy) that affect the
contents of this policy.
 Cancellation - identifies any existing policy that is cancelled when this policy
becomes effective.
 Background - provides amplifying information on the need for the policy.
 Scope - states the range of coverage for the policy (to whom or what does the
policy apply?).
 Policy statement - identifies the actual guiding principles or what is to be
done. The statements are designed to influence and determine decisions and
actions within the scope of coverage. The statements should be prudent,
expedient, and/or advantageous to the organization.
 Action - specifies what actions are necessary and when they are to be
accomplished.
 Responsibility - states who is responsible for what. Subsections might identify
who will develop additional detailed guidance and when the policy will be
reviewed and updated.
Procedural: Incident Response
Plan
 Are the six Incident Response steps covered?
– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Lessons Learned (if there are no lessons learned
documents either the plan isn’t followed or no incidents
have occurred).
Procedural: Training &
Education
 Do technical people have the training to do
their job competently?
 Are there standards their skills can be
measured against?
 Are there standards of compliance that
ensure they are using their training in
accordance with policy?
Procedural: Physical Security
 Consoles in physically secure areas?
 Fire suppression?
 Backups? Offsite backups?
 Network components secured?
 Phone wiring secured?
Procedural: Windows 2000
 These are based on the SANS “Securing Windows
2000” booklet.
 Least Privilege Principle
 Avoid granting unnecessary Admin privs.
 Limit Domain Trust.
 Restrict modems in workstations and servers.
 Limit access to sniffer software (Network
Monitor).
Procedural: Windows 2000
 Keep system software updated.
 Update and practice a Recovery Plan.
 Require strong passwords.
 Require password protected screen savers.
 Establish Auditing and Review Policies.
 Require Administrators to have a User and
Administrator account.
 Require antivirus software.
 Install host based IDS.
 Perform periodic low-level security audits.
CIS Procedural Ruler Review
 Procedural rulers give you a starting point
for determining your site’s policy pie
 These policies include acceptable use,
privacy, incident response, accountability,
backup and any other appropriate action
 The CIS procedural ruler is a consensus list
of practices done at the charter members’
sites.
CIS Level 1 Ruler: Unix
 Patches
 Key Security Tools Installed
 System Access, authentication,
authorization
 User Accounts and Environment
 Kernel Level TCP/IP tuning
 Kernel Tuning
CIS Level 1 Ruler: Unix
 Batch Utilities: at/cron
 UMASK issues
 File/Directory Permissions/Access
 System Logging
 SSH
 Minimize network services
CIS Level 1 Ruler: Unix
 Minimize RPC network services
 Minimize standalone network services
 General Email Issues
 X11/CDE
 General Administration Policies
 Specific Servers
– www, ftp, DB, Mail, NFS, Directory, Print,
Syslog
CIS Level 1 Unix Ruler Patches
 Define a regular procedure for checking,
assessing, testing and applying the latest
vendor recommended and security patches.
 Keep 3rd party application patches updated.
 Why?
– The first line of defense is proper patch/Service
Pack installation.
– Patches are living and need to be updated
regularly
CIS Level 1 Unix Ruler:
Security Tools
 These tools help decrease your detection
time, D
 Install the latest version of TCP Wrappers
on appropriate network services
 SSH for login, file copy and X11 encryption
 Install crypto file signature function to
monitor changes in critical system binaries
and config files (tripwire)
CIS Level 1 Unix Ruler:
Security Tools
 Install Portsentry or similar personal FW
software
 Run NTP or some other time sync tool
 Run “logcheck” or similar syslog analysis
or monitoring tool
 Install the latest version of sudo
CIS Level 1 Unix Ruler: Access,
Authorization
 No trusted hosts features: .rhosts, .shosts or
/etc/hosts.equiv
 Create appropriate banner for any network
interactive service
 Restrict direct root login to system console
 Verify shadow password file format is used
 Verify PAM configuration
CIS Level 1 Unix Ruler: Kernel Level TCP/IP Tuning
 System handling of ICMP packets is
secured
 System handling of source routed packets
secured
 System handling of broadcast packets
secured
 Use strong TCP Initial Sequence Numbers
 Harden against TCP SYN Flood attacks
CIS Level 1 Unix Ruler: Kernel
Level Tuning, Batch Utilities
 Enable kernel level auditing
 Enable stack protection
 Ensure ulimits are defined in /etc/profile
and /etc/.login
 Restrict batch file access to authorized users
 Ensure cron files only readable by root or
cron user
CIS Level 1 Unix Ruler:
UMASK, File Perms, Access
 Set daemon umask to 022 or stricter
 Set user default umask (022 or 027)
 Console EEPROM password enabled?
 Check /dev entries for sane ownership and
permissions
 Mount all filesystems RO or NOSUID
 All filesystems except / mounted NODEV
CIS Level 1 Unix Ruler: File
Perms and Access
 Verify passwd, group, shadow file perms
 Verify SUID, SGID system binaries
 Disable SUID, SGID on binaries only used
by root
 No World-write dirs in root’s search path
 Sticky bit set on all temp directories
 No NIS/NIS+ features in passwd or group
files if NIS/NIS+ is disabled
See what we can find
/usr/bin/find / -local -type f -name '.rhosts' -exec ls -al {} \; -exec cat {} \;   (.rhosts)
/usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal {} \;   (SUID files)
/usr/bin/find / -local -type f -user root -perm -2000 -exec ls -dal {} \;   (SGID files)
find / \( -local -o -prune \) -perm -000002 -print   (world-writable)
find / -name .netrc -print   (.netrc)
find / -perm -1000   (sticky bit)
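The same checks, packaged as an added example (not from the original slides) so they can be run and verified offline: each find from the list above becomes a function that audits one directory tree, and a constructed fixture directory with one SUID file, one SGID file, one world-writable file and a .rhosts/.netrc pair stands in for a real host. It uses -xdev in place of the Solaris-only -local option; point the functions at / for a real audit.

```shell
#!/bin/sh
# Added example, not from the original slides: the find-based checks from the
# "See what we can find" slide wrapped as functions that audit one directory
# tree, plus a constructed fixture tree so the script runs offline.
# Assumption: GNU or BSD find; -xdev replaces the Solaris-only -local flag.

# Regular files with the SUID bit set (any owner; add -user root to match the slide).
audit_suid() { find "$1" -xdev -type f -perm -4000 2>/dev/null; }

# Regular files with the SGID bit set.
audit_sgid() { find "$1" -xdev -type f -perm -2000 2>/dev/null; }

# World-writable files and directories, except sticky directories (/tmp style),
# which are the accepted exception to the "no world-writable" rule.
audit_world_writable() {
  find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) 2>/dev/null
}

# Trust and credential dot-files the Level 1 ruler says should not exist.
audit_dotfiles() {
  find "$1" -xdev -type f \( -name .rhosts -o -name .shosts -o -name .netrc \) 2>/dev/null
}

# count_of FUNC DIR : number of findings FUNC reports for DIR.
count_of() { _fn=$1; shift; "$_fn" "$@" | wc -l | tr -d ' '; }

# make_fixture : build a constructed tree with one of each finding and print its path.
make_fixture() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/home/zippy" "$d/usr/bin" "$d/tmp" "$d/var/spool"
  chmod -R 755 "$d"                                                # directories: not world-writable
  : > "$d/usr/bin/ping";       chmod 4755 "$d/usr/bin/ping"        # SUID binary
  : > "$d/usr/bin/wall";       chmod 2755 "$d/usr/bin/wall"        # SGID binary
  : > "$d/var/spool/job";      chmod 0666 "$d/var/spool/job"       # world-writable file
  : > "$d/home/zippy/.rhosts"; chmod 0644 "$d/home/zippy/.rhosts"  # trusted-hosts file
  : > "$d/home/zippy/.netrc";  chmod 0600 "$d/home/zippy/.netrc"   # stored credentials
  chmod 1777 "$d/tmp"                                              # sticky: accepted exception
  echo "$d"
}

# audit_tree DIR : print a short report, one section per check.
audit_tree() {
  for check in audit_suid audit_sgid audit_world_writable audit_dotfiles; do
    printf '== %s (%s)\n' "$check" "$(count_of "$check" "$1")"
    "$check" "$1"
  done
}

# Stand-alone run against the fixture (a real audit would pass / instead).
FIXTURE=$(make_fixture) && audit_tree "$FIXTURE" && rm -rf "$FIXTURE"
```

On the fixture the report lists one SUID file, one SGID file, one world-writable file (the sticky /tmp is skipped) and two dot-files; the same functions run against / produce the raw material for the "World-Writeable and SUID/SGID Files" audit report below.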
Audit Report Example
Audit Method
ls -la (list files) against critical files to determine their
permissions
Finding
Several system configuration files in /etc are writable
Risk Level: High
Security Implication
The /etc directory is critical for establishing the operating
configuration of many system services including startup and
shutdown. If an attacker is able to modify these files, it may be
possible to subvert privileged operating system commands.
Recommendation
 Change permissions of all files in /etc to be writable by root or
bin only.
/dev Permissions Exhibit
# ls -l /dev
total 72
-rwxr-xr-x   1 root     root      26450 Sep 24  1999 MAKEDEV
crw-------   1 root     sys      14,   4 Apr 17  1999 audio
crw-------   1 root     sys      14,  20 Apr 17  1999 audio1
brw-rw----   1 root     disk     32,   0 May  5  1998 cm206cd
crw--w--w-   1 root     root      5,   1 May 26 15:17 console
brw-------   1 root     floppy    2,   1 May  5  1998 fd1
brw-rw----   1 root     disk     16,   0 May  5  1998 gscd
brw-rw----   1 root     disk      3,   0 May  5  1998 hda
brw-rw----   1 root     disk      3,   1 May  5  1998 hda1
brw-rw----   1 root     disk      3,  10 May  5  1998 hda10
brw-rw----   1 root     disk      3,  11 May  5  1998 hda11
brw-rw----   1 root     disk      3,  12 May  5  1998 hda12
brw-rw----   1 root     disk      3,  13 May  5  1998 hda13
brw-rw----   1 root     disk      3,  14 May  5  1998 hda14
brw-rw----   1 root     disk      3,  15 May  5  1998 hda15
brw-rw----   1 root     disk      3,  16 May  5  1998 hda16
World-Writeable and SUID/SGID Files
Audit Method
Find commands were executed on the servers to locate all files with world-writeable permissions
and SUID/SGID permissions. The output was redirected to appropriate files for later analysis.
Finding
A large number of world-writeable and SUID/SGID files were found on the server XYZ. Further,
a number of files in the /usr, /opt and /var directories allow all users to have write permission.
Security Implication
World-writeable files allow any user or an intruder to change the contents of a file, affecting
information integrity. Also, for executable files, an intruder may replace the file with a trojan
horse that can damage the system and its integrity. SUID/SGID files execute with the privilege of
the owner/group. These can be subverted by an unauthorized user or intruder to escalate their
privilege to those of the owner/group of the SUID/SGID file.
Risk Level: High
Recommendation
 Review all world-writeable and SUID/SGID files on the system. Using freeware tools like
fix-modes or YASSP can facilitate identifying and correcting the permissions on files. After the
review, create a list of all the remaining “approved” World-writeable and SUID/SGID files on the
system and store in a secure place. Periodically, check the system against this list to identify
changes and ensure that such changes are approved.
 NFS shared files, especially files in /usr, /opt and /var, should be exported read-only to
specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like
/tmp, /dev and /) should be mounted with the nosuid option to prevent the inadvertent granting of
SUID privilege on NFS mounted files.
CIS Level 1 Unix Ruler: System
Logging and SSH
 Capture messages sent to syslog AUTH
facility (enable system logging)
 Copy syslogs to central syslog server
 Audit failed logins and SU attempts
 Enable system accounting
 Logins allowed via SSH only (no rsh,
rlogin, ftp or telnet)
CIS Level 1 Unix Ruler: Reduce
Services (/etc/inetd.conf)
 Disable name (UDP)
 Disable exec/rexec (TCP)
 Disable login/rlogin (TCP)
 Disable uucp (TCP)
 Disable systat (TCP)
 Disable netstat (TCP)
 Disable time (TCP/UDP)
CIS Level 1 Unix Ruler: Reduce
Net Services (/etc/inetd.conf)
 Disable echo (TCP)
 Disable discard (TCP/UDP)
 Disable daytime (TCP/UDP)
 Disable chargen (TCP/UDP)
 Disable rusersd (RPC)
 Disable sprayd (RPC)
 Disable rwall (RPC)
CIS Level 1 Ruler: Reduce Net
Services (/etc/inetd.conf)
 Disable rstatd (RPC)
 Disable rexd (RPC)
 Use TCP Wrappers for all enabled network
services (TCP/UDP)
Sample /etc/inetd.conf
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root        /usr/sbin/tcpd  in.comsat
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
This is a fragment of /etc/inetd.conf where shell, login, talk,
and ntalk probably should be commented out. Note the
/usr/sbin/tcpd so this system is probably running
tcpwrappers. More of the file is in the notes pages.
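An added example, not part of the original slides or the CIS rulers, that turns the reading of this fragment into a check: an awk pass over an inetd.conf that reports enabled services the Level 1 and Level 2 rulers say to disable, and enabled services not run through /usr/sbin/tcpd (no TCP Wrapper). The risky-service list and the two extra sample lines (ssh, daytime) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original slides: check an inetd.conf against the
# "Reduce Net Services" rulers. It reports enabled services the rulers say to
# disable, and enabled services whose server is not /usr/sbin/tcpd (no TCP Wrapper).
# The service list and the sample file below are constructed for this example.

# inetd service names (column 1) that the Level 1 and Level 2 rulers say to disable.
RISKY_SERVICES="shell login exec comsat talk ntalk finger tftp telnet ftp name uucp systat netstat time echo discard daytime chargen"

# audit_inetd FILE : one finding per line, "DISABLE svc" or "UNWRAPPED svc".
audit_inetd() {
  awk -v risky="$RISKY_SERVICES" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # commented out or blank: already disabled
    {
      svc = $1; server = $6                 # inetd.conf: name type proto wait user server args
      if (svc in bad) print "DISABLE", svc
      # "internal" services have no server program that tcpd could wrap
      if (server != "/usr/sbin/tcpd" && server != "internal") print "UNWRAPPED", svc
    }' "$1"
}

# count_findings FILE KIND : number of findings of KIND (DISABLE or UNWRAPPED).
count_findings() { audit_inetd "$1" | awk -v k="$2" '$1 == k' | wc -l | tr -d ' '; }

# write_sample FILE : the slide's fragment plus two constructed lines (ssh, daytime).
write_sample() {
  cat > "$1" <<'EOF'
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root        /usr/sbin/tcpd  in.comsat
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
ssh     stream  tcp     nowait  root        /usr/sbin/sshd  sshd -i
daytime stream  tcp     nowait  root        internal
EOF
}

# Stand-alone run: expected findings are DISABLE for shell, login, talk, ntalk and
# daytime, and UNWRAPPED for ssh.
SAMPLE=$(mktemp) && write_sample "$SAMPLE" && audit_inetd "$SAMPLE"; rm -f "$SAMPLE"
```

Commented-out lines are skipped, so exec and comsat produce no finding; the wrapper check is the "Use TCP Wrappers for all enabled network services" item from the ruler above, and the list of services to disable is the one a site would maintain from its own Level 2 ruler.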
Output Example
Fingerd running
Audit Method
telnet localhost 79 to connect with the local system’s finger daemon
Finding
Fingerd is active
Risk Level: Low
Security Implication
Finger can be used to gain reconnaissance information about the system including
the last login time, where a user is logged in from, information about their shell.
This information could be used to set up either a social engineering or trust model
based attack.
Recommendation
 If finger is not a business critical application in this environment, disable finger
or replace with free tools such as sfinger.
CIS Level 1 Unix Ruler: Reduce
RPC Network Services
 Restrict NFS client request to originate
from privileged ports
 No filesystem should be exported with root
access
 Export list restricted to specific range of
addresses
 Export RO if possible
 Export NOSUID if possible
CIS Level 1 Unix Ruler: Email,
X11/CDE
 Use Sendmail v8.9.3 or later. (v8.11.4 is
current 6/15/01)
 Restrict sendmail ‘prog’ mailer
 Verify privileges and checksums for mail
programs
 Ensure X server is started with Xauth
 Use SSH to access X programs on remote
hosts
CIS Level 1 Unix Ruler: User
Accts, Environment
 Enforce strong passwords
 No null passwords
 Remove root equivalent users (UID=0)
 No “.” in root PATH
 No .files world or group writable
 Remove .netrc, .exrc, .dbxrc files
 User $HOME dirs should be < 755
TBS Example Using E=D+R
•Security policy: automated script to check password file for
users with UID 0 (superuser access) returns user “zippy”.
•Syslog is checked:
Apr 15 21:07:59 6C: goodnhacked.com telnetd[5020]: connect from
some.com
Apr 15 21:08:18 6E: goodnhacked.com login[5021]: [email protected] as zippy
•IDS returns:
21:07:16.63 badguy.com.26617 > goodnhacked.com.5135: udp
21:07:16.66 goodnhacked.com.5135 > badguy.com.26617: udp 69
5135 is SGI Object Server with a known vulnerability
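The automated UID 0 check from this example, written out as an added example (not the author's script) together with two related Level 1 user-account checks from the ruler above: null passwords and the shadow file's permissions. The passwd and shadow contents are constructed so the script runs offline; a real run reads /etc/passwd and /etc/shadow and needs root for the latter.

```shell
#!/bin/sh
# Added example, not from the original slides: the "automated script to check the
# password file for users with UID 0" from the TBS example, plus two other Level 1
# user-account checks (no null passwords; shadow file not group/world readable).
# The passwd and shadow contents below are constructed; real checks read
# /etc/passwd and /etc/shadow (the shadow file needs root to read).

# uid0_accounts PASSWD : accounts other than root with UID 0 (root equivalents).
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# null_password_accounts SHADOW : accounts whose password field is empty.
null_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# group_or_world_readable FILE : "yes" if group or other has any read bit, else "no".
group_or_world_readable() {
  ls -ld "$1" | awk '{ p = substr($1, 5, 6); r = (p ~ /r/) ? "yes" : "no"; print r }'
}

# write_samples PASSWD SHADOW : constructed files with one finding of each kind
# ("zippy" has UID 0, "guest" has no password).
write_samples() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
zippy:x:0:100:Zippy:/home/zippy:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
EOF
  cat > "$2" <<'EOF'
root:$6$constructed$hash1:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
zippy:$6$constructed$hash2:11000:0:99999:7:::
guest::11000:0:99999:7:::
alice:$6$constructed$hash3:11000:0:99999:7:::
EOF
  chmod 0644 "$1"; chmod 0600 "$2"
}

# account_report PASSWD SHADOW : print the three findings in audit-report form.
account_report() {
  printf 'UID 0 accounts other than root: %s\n' "$(uid0_accounts "$1" | tr '\n' ' ')"
  printf 'Accounts with null passwords:   %s\n' "$(null_password_accounts "$2" | tr '\n' ' ')"
  printf 'Shadow readable by group/other: %s\n' "$(group_or_world_readable "$2")"
}

# Stand-alone run against the constructed files.
P=$(mktemp) && S=$(mktemp) && write_samples "$P" "$S" && account_report "$P" "$S"; rm -f "$P" "$S"
```

The UID 0 finding is the "D" step of the example: the script detects zippy, and the syslog and IDS entries above are then the evidence an analyst correlates before the "R" step of removing the account.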
CIS Level 1 Ruler Review
 The previous action items should be done
on any Unix system on your network
regardless of its function
 A similar checklist is being developed for
Windows 2000.
 The Level 1 rulers impose a minimum
security standard on all Unix and Windows
2000 systems.
CIS Level 2 Rulers
 Once Level 1 rulers have been applied, you
pick the appropriate Level 2 ruler.
 This is very organization specific. What
works at my site might not apply at yours.
 Additional services may be disabled if they
aren’t needed.
CIS Level 2 Ruler: Unix
 Kernel-level TCP/IP tuning
 Physical Console Security
 SSH
 Minimize network services
 Minimize RPC network services
 General email issues
 X11/CDE
CIS Level 2 Ruler: Unix
 Kernel Tuning
– Network options for non-router machines
– Disable multicast
 Physical Console Security
– Enable EEPROM password. Who knows it?
 SSH
– Restrictively configure it
CIS Level 2 Ruler: Unix
 Minimize Network Services
– Disable inetd entirely
– Disable FTP
– Disable Telnet
– Disable rsh/rlogin
– Disable comsat
– Disable talk
– Disable tftp
CIS Level 2 Ruler: Unix
 Minimize network services
– Disable tftp
– Disable finger
– Disable sadmind
– Disable rquotad
– Disable CDE Tooltalk server (ttdbserverd)
– Disable RPC/UDP/TCP ufs
– Disable kcms_server
CIS Level 2 Ruler: Unix
 Disable fontserver
 Disable cachefs service
 Disable Kerberos server
 Disable printer server
 Disable gssd
 Disable CDE dtspc
 Disable rpc.cmsd calendar server
CIS Level 2 Ruler: Unix
 Minimize Network Services
– If FTP service is enabled, see additional level 3
requirements for FTP servers
– If tftp is enabled, use the security option
– If sadmind is enabled, use the security option
CIS Level 2 Ruler: Unix
 Minimize RPC network services
– Disable NFS server
– Disable Automounter
– Disable NFS client services
– Add ports 2049, 4045 to privileged port list
– Disable NIS
– Disable NIS+
– Replace rpcbind with more secure version
CIS Level 2 Ruler: Unix
 General Email Issues
– Don’t run sendmail on machines that don’t
receive mail
– Remove mail aliases which send data to
programs (Vacation)
 X11/CDE
– Disable CDE if not needed
– Use the SECURITY extension for X-Server to
restrict access
CIS Level 2 Ruler Review
 Level 2 rulers are site specific.
 They are more sensitive to vendor software
requirements. For example, a vendor
product may require that you enable the
dreaded r-commands. You have no choice
so you keep an eye on that vulnerability.
 They may impose stricter standards.
CIS Level 3 Ruler Example:
Perimeter Defense
 Scope of Impact – The whole site
 Probability of Impact – 100% if connected
to the Internet
 Wide variety of opinions
 Every site has a Firewall (FW) of some sort.
It may be a packet filtering router or a fancy
stateful FW.
 What about wireless nets?
Firewalls: Where’s the Threat?
 FW look to the outside for threats.
 Can be circumvented by wireless world.
 Don’t prevent internal attacks.
 Useless? NO! It’s a component of your layered
defense. Remember the TBS Layered Defense
equations.
 Personal FW software is GOOD!
– Makes wireless nets more secure!
 What if crimes are committed by someone inside the firewall?
Firewalls require management.
 Someone has to manage the firewall.
– Someone has to assure that the firewall is
configured properly.
– Someone has to assure that all new
applications don’t violate security
policies.
– Someone has to review firewall logs.
– Firewalls generate a HUGE number of
logs.
Sample Firewall Ruler
 Firewalls are one part of a layered defense which should
include:
– A properly configured border router.
– A virus detection solution.
– An authentication system for trust management.
– Properly configured operating systems and Internet
applications. Personal FW software installed on all
hosts.
– An Intrusion Detection System
 Firewalls require monitoring and change control
management.
TBS and the Perimeter
E = D + R. Perimeter defenses are an effective method of
“shrinking” D and R and decreasing E.
[Diagram: INTERNET, ISP, front end Firewall, DNS and Email servers; critical systems located on a screened subnet off of one leg of the firewall.]
Example: D&R at the Perimeter
Oct 12 01:04:26 ucc3.edu 45725: 8w5d^I: %SEC-6-IPACCESSLOGP: list
190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 1 packet
Oct 12 01:10:14 ucc3.edu 45730: 8w5d^I: %SEC-6-IPACCESSLOGP: list
190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 3 packets
This is a log file from a Cisco router on the perimeter. It indicates
the router has blocked two attempts to reach destination port 3128,
the SQUID Proxy. Note: “denied” implies D and R are
working. The times are very small!
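An added example (not from the original slides) that summarizes deny messages in this format per source address and destination port, so the auditor sees how many blocked packets each source sent to the SQUID port or anywhere else. The first two log lines are the ones above; the third and fourth lines, and the 10.1.2.3 address, are constructed.

```shell
#!/bin/sh
# Added example, not from the original slides: summarize the %SEC-6-IPACCESSLOGP
# deny messages a perimeter router logs (the two lines on the slide plus constructed
# ones), per source address and destination port, summing the packet counts.
# Assumption: the message layout shown on the slide,
#   "... list N denied PROTO SRC(SPORT) -> DST(DPORT), COUNT packet(s)".

# summarize_denies FILE : prints "SRC DPORT PACKETS", one line per pair, sorted.
summarize_denies() {
  awk '
    /%SEC-6-IPACCESSLOGP/ && / denied / {
      for (i = 1; i <= NF; i++)
        if ($i == "denied") { src = $(i + 2); dst = $(i + 4); n = $(i + 5) }
      sub(/\(.*$/, "", src)                                   # drop "(sport)"
      if (match(dst, /\([0-9]+\)/) == 0) next                 # malformed line: skip it
      dport = substr(dst, RSTART + 1, RLENGTH - 2)
      pkts[src " " dport] += n
    }
    END { for (k in pkts) print k, pkts[k] }' "$1" | sort
}

# denied_packets FILE SRC DPORT : packets denied from SRC to DPORT (empty if none).
denied_packets() {
  summarize_denies "$1" | awk -v s="$2" -v p="$3" '$1 == s && $2 == p { print $3 }'
}

# write_sample FILE : the slide's two log lines plus two constructed ones
# (a denied telnet probe from 10.1.2.3 and a permitted SMTP connection).
write_sample() {
  cat > "$1" <<'EOF'
Oct 12 01:04:26 ucc3.edu 45725: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 1 packet
Oct 12 01:10:14 ucc3.edu 45730: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 202.159.123.192(2235) -> 172.20.8.233(3128), 3 packets
Oct 12 01:12:02 ucc3.edu 45731: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 10.1.2.3(40001) -> 172.20.8.233(23), 2 packets
Oct 12 01:13:00 ucc3.edu 45732: 8w5d: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 10.1.2.3(40002) -> 172.20.8.233(25), 1 packet
EOF
}

# Stand-alone run: prints "10.1.2.3 23 2" and "202.159.123.192 3128 4".
LOG=$(mktemp) && write_sample "$LOG" && summarize_denies "$LOG"; rm -f "$LOG"
```

Permitted entries are ignored, and the per-pair packet totals are what a perimeter audit plan would trend over time: a source that keeps probing the same blocked port is a candidate for a border-router block rather than just a log line.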
Pulling the perimeter together
 Top Ten blocking, egress filtering
 Additional requirements from your site’s
security policy
 The notes contain a minimal Perimeter
audit plan!
Top Ten recommendations are shown in notes pages. There are examples
of implementations based on this security policy at:
http://www.sans.org/giactc/gcfw.htm ( practicals 30 - 35)
Section Review
 Establishing and testing perimeter defenses
is a good way to reduce D and R time.
 Top Ten vulnerabilities are generally agreed
to be a priority. Top Ten blocking
recommendations are the foundation of a
security checklist for perimeters
 CVE names help ensure sysadmins and
auditors are referring to the same threat
CIS Unix Ruler Review
 CIS Rulers are a good starting point for
developing a Unix audit plan
 Level 1 ruler defines minimum security
standards for all Unix systems
 Level 2-3 rulers are more network and
function specific
 Procedural rulers address policy issues
Auditing Networks,
Perimeters and Systems
Audit Checklists, Unit 6
Windows
The SANS Institute
W2K CIS Rulers
 CIS Rulers are being developed for
Windows 2000 and NT systems
 Format is similar to the Unix rulers (levels
1-3)
 Work has just started on it
 You’re getting a very ROUGH preview of
the rulers.
Sample W2K level 1 Ruler –
Physical Data Security
 Enable the end user to protect laptops.
 Physically secure servers.
 Protect the server from Unattended Reboot.
– Protect the SAM with SYSKEY
 Protect the Backup Tapes.
 Use NTFS disk partitions.
 Use Encrypting File System
Sample W2K Level 1 Ruler –
Security Policy Configuration
 Configure the Local Security Policy.
 Configure the Account Policy.
 Secure Administrator/Guest accounts.
 Configure Local Policies.
 Enable Audit Policies.
 Customize User Rights.
Win2k Audit
(Run MMC -> CTRL M -> Security Templates -> Setup Security)
User Rights
Sample W2K Level 1 Ruler –
Security Policy Configuration
 Customize Security Options
– Restrict Anonymous Connections
– Allow server operators to schedule tasks (DC
only).
– Clear virtual Memory Pagefile on shutdown.
– Audit access of Global System Objects.
– Do Not Display last username in login screen.
 Configure Public Key Policy.
 Configure IP Security Policy.
File System Configuration.
(__) Define System Configuration and Service Pack
Level
(__) During Audit, set browser to see all files
(__) System is configured as NTFS file system?
(__) System Administrator has a current Emergency
Recovery Disk in a locked storage area.
(__) Wiping of system page file occurs at system
shutdown.
Sample W2K Level 1 Ruler
 Group Policy
 MMC Snap-In
 System Tools
– Configure Event Log Settings
– System Information
– Performance Logs & Alerts
– Local Users & Groups
 Lock out unauth’d Floppy Disk use
Sample W2K Level 1 Ruler
 Disable unused services
– Remove OS2 and POSIX subsystems
 Secure Remote control programs (PC
Anywhere)
 Disable Microsoft Network Client
 Additional Utilities
– W2K Support tools
– Resource Kit tools
Sample W2K Level 1 Ruler
 Freeware, Shareware and Commercial Tools
– Use Access Control List Auditing Tools
– Audit SP and HotFix levels
– Consider installing nmap, WinDump, PGP,
Anti-Trojan, L0phtCrack 3, snort
Sample W2K Level 1 Ruler –
The Registry
 Disable auto-run on CD ROM Drives.
 Control Remote Registry Access.
 Restrict Null User access to named pipes
and shares.
 Disable Router discovery.
 Disable ICMP Redirects.
 Remove Administrative Shares.
Sample W2K Level 1 Ruler
 File Folder and Registry Permissions
 Security Analysis and Configuration Tool
– Apply standard Incremental Security Templates
– Create Custom Policies
– Perform analysis of computer
 Recovery Options
– Baseline System backup
– Regular System backup
– Remote System backup
– NTBackup.exe
Sample W2K Level 1 Ruler
 Recovery Options (Continued)
– Emergency Repair Disks
– Safe Mode with or without networking
– Safe Mode with command prompt
– Recovery Console
 Active Directory Services
– Domain Controllers and Trust
– The Trees vs. the Forest
– Enterprise Admins and Schema Admins
Sample W2K Level 1 Ruler
 Application Security
– IIS v5 – CRITICAL!
– Telnet Server
– File and Printer Sharing
– Windows Services for Unix 2.0
– Exchange, Outlook, Outlook Express
– SQL
 These may be more suited to Level 2
A Sample NT Level 1 Ruler
 Installation
 Networking
 User Accounts
 Services/System
 Files/Directories
 Registry
 Applications
 Developed by Marc Debonis, VA Tech
Sample VT Level 1 NT Ruler
 Installation
– Physically secure machine
– Enable BIOS boot password, user/admin levels
– Install NT on C:, no dual boot, use NTFS
– Put bogus name for install
– Select only TCP/IP to install
– Do NOT install IIS
– Do NOT use DHCP
– Do NOT use WINS server entries
Sample VT Level 1 NT Ruler
 Installation
– Disable LMHOSTS lookup
– Login as Administrator
• Delete MyBriefCase, Install IIS, IE, Inbox icons
– Install post SP5/SP6 hotfixes
• Install in this order: Winhlp-I, Nddefixi, Lsareqi,
Q234351I, Csrssfxi, Loctlfxi, Ntfsfix1, Igmpfix1,
Ipsrfixi
(__) Define Service Pack Level
Start -> Run -> WINVER (works the same for NT 4.0)
Checking for Service Packs
(__) System does not have unnecessary devices
Start -> Settings -> Control Panel -> Devices.
Sample VT Level 1 Ruler
• Networking
  – Use the Network control panel to remove RPC Configuration, NetBIOS Interface, Workstation, Server.
  – Set the TCP/IP NetBIOS Helper service to disabled
  – Disable Windows NT Networking
  – Disable the WINS Client (TCP/IP) binding
  – Disable the WINS Client (TCP/IP) device
Sample VT Level 1 Ruler
• Accounts
  – Set minimum password length to 8
  – Lock out after 3 bad attempts
  – Under Policies -> User Rights:
    • Select Right/Access this computer from Network and remove ALL groups listed in the Grant To box
    • Under Show Advanced Rights, select Bypass Traverse Checking, remove Everyone
    • Select Log on Locally and disable Guest
Sample VT NT Level 1 Ruler
• Accounts
  – Select Policies -> Audit
    • Enable audit events: logon/logoff, user/group mgt, security policy changed, restart, shutdown and system
  – Open User Manager for Domains
    • Rename the Administrator account to Master
    • Remove the Description for the Master account
    • Set the Master account password to something VERY strong
    • Rename the Guest account to DEFUNCT
  – Allow remote lockout of the administrator account only
(__) Auditing is Enabled
User Manager, Policies, Audit
http://www.geek-speak.net/products/ntaudit1.html
Audit Best Practice
Audit Best Practice (2)
Passwords
(__) NT password policies comply with Best Practices for NT Passwords.
(__) User passwords are known only by the user.
(__) Users are required to maintain unique passwords for each AIS.
(__) Passcrack for Windows NT or other password tester is run at least yearly.
(__) Password database (SAM) is encrypted.
(__) Administrator password is protected to the same level as the data contained on the computer.
(__) Password is enabled for screen saver. (Control Panel, Desktop)
Passfilt
NT 4.0: Start -> Programs -> Administrative Programs -> User Manager
Win2k: My Computer -> Control Panel -> Administrative Tools -> Local Security Policy -> Password Policy
Sample VT NT Level 1 Ruler
• Services/System
  – Disable unnecessary system services
    • Network DDE, Network DDE DSDM, Schedule, Spooler, Telephony service, distributed DCOM
  – From the System control panel, click the Startup/Shutdown tab
    • Uncheck Overwrite any Existing File?
    • Uncheck Write debugging info to:
    • Uncheck Automatically Reboot?
Sample VT NT Level 1 Ruler
• Services/System
  – Open the Display control panel
    • Click the Screen Saver tab, enable the Blank Screen screen saver, set the wait to 5 minutes, and check the Password Protected box.
  – Event Logs
    • Open Log -> Log Settings and increase the maximum size of the logs to > 2048K
Log -> Log Settings
Event Viewer 2000
My Computer -> Control Panel -> Administrative Tools -> Event Viewer
Using dumpel for audit logs
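The Accounts and Services/System slides of the sample NT ruler above are the items most worth reading back automatically, since each maps to a `net accounts` setting, a service start mode or a registry value. The PowerShell script below is an added example, not the course's or Marc Debonis's checklist code: it audits those items on the local host and reports Pass/Fail per item. The service names, registry paths and the English `net accounts` labels are the standard Windows ones; the thresholds are the ones the slides state (8-character minimum, lockout after 3 bad attempts, logs larger than 2048 KB, a 5-minute password-protected screen saver). The screen saver values are per-user, so they are read for whichever account runs the script.

```powershell
# Added example (not from the course or Marc Debonis's checklist): read back
# the Accounts and Services/System items of the sample NT Level 1 ruler on the
# local host and report Pass/Fail per item. Read-only; run elevated.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the Windows default applies.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-NetAccountsSetting {
    param([string]$Label)
    # "net accounts" prints lines such as "Minimum password length:   8" and
    # "Lockout threshold:   Never" (English Windows assumed); return the text
    # after the colon, or $null if the label is not found.
    $line = net accounts | Where-Object { $_ -match "^$([regex]::Escape($Label))\s*:" } | Select-Object -First 1
    if ($line) { ($line -split ':', 2)[1].Trim() }
}

function Test-NtLevel1Ruler {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Item, $Actual, [bool]$Pass) {
        $status = if ($Pass) { 'Pass' } else { 'Fail' }
        $results.Add([pscustomobject]@{ Item = $Item; Actual = $Actual; Status = $status })
    }

    # Accounts: minimum password length 8, lockout after 3 bad attempts.
    $minLen = Get-NetAccountsSetting 'Minimum password length'
    Add-Result 'Minimum password length >= 8' $minLen ($minLen -match '^\d+$' -and [int]$minLen -ge 8)
    $lockout = Get-NetAccountsSetting 'Lockout threshold'
    Add-Result 'Lockout after at most 3 bad attempts' $lockout `
        ($lockout -match '^\d+$' -and [int]$lockout -ge 1 -and [int]$lockout -le 3)

    # Services/System: services the ruler says to disable. A service that is
    # not installed at all also satisfies the item.
    $services = @{ NetDDE = 'Network DDE'; NetDDEdsdm = 'Network DDE DSDM'
                   Schedule = 'Schedule'; Spooler = 'Spooler'; TapiSrv = 'Telephony' }
    foreach ($name in $services.Keys) {
        $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $mode = if ($svc) { $svc.StartMode } else { '(not installed)' }
        Add-Result "$($services[$name]) service disabled" $mode ((-not $svc) -or ($svc.StartMode -eq 'Disabled'))
    }

    # Startup/Shutdown tab: no log overwrite, no debug dump, no automatic reboot.
    $crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    foreach ($v in 'Overwrite', 'CrashDumpEnabled', 'AutoReboot') {
        $val = Get-RegistryValue -Path $crash -Name $v
        Add-Result "CrashControl\$v = 0" $val ($val -eq 0)
    }

    # Display control panel: screen saver on, password protected, 5-minute wait.
    $desk    = 'HKCU:\Control Panel\Desktop'
    $active  = Get-RegistryValue -Path $desk -Name 'ScreenSaveActive'
    $secure  = Get-RegistryValue -Path $desk -Name 'ScreenSaverIsSecure'
    $timeout = Get-RegistryValue -Path $desk -Name 'ScreenSaveTimeOut'
    Add-Result 'Screen saver active and password protected' "active=$active secure=$secure" ($active -eq '1' -and $secure -eq '1')
    Add-Result 'Screen saver wait <= 5 minutes' "$timeout s" ($timeout -match '^\d+$' -and [int]$timeout -le 300)

    # Event logs: each log's maximum size above 2048 KB (MaxSize is in bytes).
    foreach ($log in 'Application', 'Security', 'System') {
        $max = Get-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log" -Name 'MaxSize'
        Add-Result "$log log max size > 2048 KB" ('{0} KB' -f [int]($max / 1024)) ($max -gt 2048KB)
    }
    $results
}

Test-NtLevel1Ruler | Format-Table -AutoSize
```

Every check is written so that an absent value or an unparseable `net accounts` line comes out as Fail rather than being skipped; an audit that silently passes on "unknown" hides exactly the hosts the ruler is meant to catch. Replace Format-Table with Export-Csv to build the per-node Individual Action Matrix the appendices describe.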
Sample VT NT Level 1 Ruler
• For the rest of the ruler, go to http://security.vt.edu and look in the Checklists section for Marc’s document.
• Some may consider his requirements to be really strict, but some may like them.
Sample Windows 2000 Level 2 Ruler
• Rules of Engagement for Active Directory
• Developed at VA Tech for our AD structure
  – Marc Debonis, www.w2k.vt.edu
• Allows lower-level admins to control their own domains
• Not for everyone
• Somewhat draconian
Sample VT Level 2 Ruler: Active Directory ROE
• The child domain must have at least 1 full-time peer BDC for the child domain
• The child domain controllers must meet Microsoft’s minimum computer hardware requirements
• No 3rd-party or Microsoft add-on software is allowed on child domain controllers
  – IIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services
Sample VT Level 2 Ruler: Active Directory ROE
• The child domain controllers must be in a backup program and have full recoverability tested
• The child domain controllers must allow and not block global policy objects replicated from the root
• All W2K hosts must follow prescribed DNS naming conventions (xxx.yyy.vt.edu)
Sample VT Level 2 Ruler: Active Directory ROE
• All W2K hosts within the child domain will use the root AD DDNS server settings. The child DC will use a static IP and will not run DHCP servers
• The child domain will not attempt to create child domains “below” theirs. They will use OUs to do this.
Sample VT Level 2 Ruler: Active Directory ROE
• No non-administrative local logins will be allowed to the child domain controllers. The CDC will be housed in secure areas with controlled access
• 2-week backups of event/audit logs will be kept, and access to them will be given to the AD enterprise admins for security/debugging purposes.
Sample VT Level 2 Ruler: Active Directory ROE
• All service packs will be installed in a timely manner, coordinated with root AD controller upgrades
• Will people buy into this?
  – Some will, some won’t, but those that do are more secure.
Whew!
• You’ve got a basic strategy for building security checklist/audit plans for
  – Perimeter
  – Unix
  – NT
  – Windows 2000
Please fill out your comment sheets!
Today’s Course Goals
• Construct a high-level Security Checklist from the CIS rulers for your site.
  – Unix, NT, Windows 2000
• Use TBS to provide a response to your internal auditors and secure your systems.
• Use STAR to define the $$$ cost of implementing security features at your site.
  – This method can be used over time to show trends
• Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.
URLs referred to in this course
STAR Matrices: http://courseware.vt.edu/marchany/STAR
Sample R/A Documents: http://security.vt.edu
Top Ten Vulnerabilities: http://www.sans.org/topten.htm
Top Ten Blocking: http://www.sans.org/giactc/gcfw.htm
Egress Filtering: http://www.sans.org/y2k/egress.htm
CVE: http://cve.mitre.org
GIAC Practicals: http://www.sans.org/giactc/cert.htm
RFC 2196: http://www.ietf.org/rfc/rfc2196.txt
Center for Internet Security: http://www.cisecurity.org
Auditing Networks, Perimeters and Systems
Appendices/Supplemental Material
The SANS Institute
APPENDIX 1
• The following matrices are examples of your matrix reports:
  – Exhibit A (ASSET Matrix)
  – Exhibit B (ASSET WEIGHT Matrix)
  – Exhibit C (RISKS Matrix)
  – Exhibit D (RISK WEIGHT Matrix)
  – Exhibit E (ASSET-RISK Matrix)
  – Exhibit F (CONTROLS Matrix)
APPENDIX 2
• The following spreadsheets are the compliance reports.
• Overall Compliance Report lists the general vulnerabilities a system has. This is a quick 1-page report for mgt. or the auditors.
• Asset/Risk Matrix lists whether a system is affected by a risk. The risks are more specific.
• Controls Matrix lists what controls are in place for a given system.
• Individual Action Matrix lists the details of an audit for each node. Did the system comply?
APPENDIX 3
• The following checklist gives the detailed commands to be performed in the “audit”.
• The categories are based on the Risk Matrices in Appendix 1.
• The results of the checklist commands are inserted in the Compliance matrices of Appendix 2.
• This checklist and the matrices form the overall audit/security checklist package.
APPENDIX 4
• Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain.
• There are 2 strategies:
  – Protect and Proceed
  – Pursue and Prosecute
Incident Handling: Protect and Proceed?
- Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC 2196)
- the protection and preservation of site facilities
- return to normal operations as soon as possible
- actively interfere with intruder attempts
- begin immediate damage assessment and recovery
Use if:
- assets are not well protected
- continued penetration could result in financial risk
- possibility or willingness to prosecute is not present
- user community is unknown
- unsophisticated users and their work is vulnerable
- the site is vulnerable to lawsuits from users if their resources are undermined
Incident Handling: Pursue and Prosecute?
- allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies
- Use if:
  - system assets are well protected
  - good backups are available
  - asset risks are outweighed by risk of future penetrations
  - it's a concentrated and frequent attack
  - the site has a natural attraction to intruders, e.g. university, bank
  - the site is willing to spend the money and risk to catch the guy
  - intruder access can be controlled
  - well-developed monitoring tools are available
  - you have a technically competent support staff
  - management is willing to prosecute
  - system administrators know in general what evidence will aid in prosecution
  - there is established contact with law enforcement agencies
  - the site has involved their legal staff
Appendix 5 – CIS Rulers
• The current CIS rulers are found at http://www.cisecurity.org
• The W2K ruler is a draft only.
• The VT AD ROE is available at http://www.w2k.vt.edu
Appendix 6 – AUP Example
• This appendix contains the VA Tech Acceptable Use Policy and the Acceptable Use Guidelines
References
– “Time Based Security”, Winn Schwartau, Interpact Press, 1999, ISBN: 0-9628700-4-8
  • The discussion on TBS was derived from this text.
– “Firewalls and Internet Security”, Cheswick & Bellovin, Addison-Wesley, 1994, ISBN: 0-201-63357-4
– RFC 2196, Guide to Writing a Site Security Policy
– http://Diicoe.disa.mil/coe
References
• The complete Top 10 document can be found in the appendix.
• Some WWW sites to visit:
  – www.sans.org
  – www.cert.org
  – www.nipc.gov
  – www.securityfocus.com
  – www.rootshell.com
  – http://security.vt.edu
  – www.cornell.edu/CPL
Course Revision History