
Number of slides: 44

AUDITING and SECURITY
Jim Patterson, CISSP, CBCP, CRM
Jefferson Wells

Introduction
The goals of security (CIA):
- Confidentiality
- Integrity
- Availability
(They are mutually dependent.)
- Avoid audit findings

Security Considerations
- Identify assets
  - Network discovery
  - AD discovery
  - DHCP and DNS imports
  - File import (from existing sources)
- Assess vulnerabilities
  - How vulnerability definitions are updated, and how often
  - Map vulnerabilities to industry/vendor nomenclature
  - Types of vulnerabilities found (configuration and patch)
  - When to do the assessment

Security Considerations
- Remediate vulnerabilities
  - How remediations are updated, and how often
  - Configuration-based and patch-based remediations
  - Use of industry/vendor nomenclature
  - Different remediation policies for different classes of assets
  - Different remediation schedules for different classes of assets
  - Manage rebooting of different classes of assets

Secured Network Model (network diagram; only its labels survive)
- Zones shown: The Internet; Application DMZs; Open Systems; Mainframe; Customer Sites; Remote Locations, Remote Access, and Vendors
- Controls shown: a firewall between each pair of zones; an IDS sensor on every segment; an ISOC holding IDS Activity Reporting and Analysis, IDS Mgmt and FW Mgmt

Enterprise Architecture (diagram labels)
- Central Console: XP/2000/2003
- Distributed Proxy: XP/2000/2003
- Reporting Database (ODBC, SSL), with XP/2000 reporting clients
- DMZ
- System reach (Mainframe, Windows, UNIX and Linux):
  - Windows Server: NT, 2000, 2003
  - UNIX Server: Solaris, Linux, AIX, HP-UX

System Security Categories (diagram labels)
- Unauthorized software. Examples: file share programs (Kazaa), public instant messaging, desktop sharing applications, custom list
- Security patches: key operating system security patches applied
- Security configuration. Examples: users, groups, password settings, many others
- Unauthorized hardware. Examples: USB hard drives, unauthorized modems, wireless NIC cards, modems with auto-answer, custom list
- Status checks: Enabled; Latest Version; Latest Definition; Most Recent; Most Critical

Audit and Compliance
System security audit and compliance covers:
- Security configuration settings
- Antivirus status
- Security patch status
- Personal firewall status
- Unauthorized software
- Unauthorized hardware
- Industry-known vulnerabilities
Enforcement: access control, patching
Audit and compliance is not focused on risk management, asset management or configuration management.

Event Management Model (diagram labels)
- Event sources: desktops, firewalls, databases, systems, applications, intrusion detection
- An Event Collector feeds a Manager of Managers
- Outputs: Historical Event Repository, Query/Reporting, Operations, and Notification ("Intrusion Detected!")

Auditing System Components
Logger -> System Log -> Higher-level Audit Events -> Analyzer -> Notifier
Notifier actions: email, popup, reconfigure, report

Audit System Structure
- Logger: records information, usually controlled by parameters
- Analyzer: analyzes the logged information looking for something
- Notifier: reports the results of the analysis

Logger
- The type and quantity of information recorded are controlled by system or program configuration parameters (tuning what is audited)
- May be human readable or not; if not, viewing tools are usually supplied
- Space available and portability influence the storage format

Example: RACF
- Security enhancement package for IBM's MVS/VM
- Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions
- View events with LISTUSERS commands

Example: Windows NT
- Different logs for different types of events
  - The System event log records system crashes, component failures, and other system events
  - The Application event log records events that applications request be recorded
  - The Security event log records security-critical events such as logging in and out, system file accesses, and other events
- Logs are binary; use Event Viewer to read them
- When a log is full, the system can be configured to shut down, to stop logging, or to overwrite old entries
- Logging is enabled by SACLs and Windows policy
(June 1, 2004, Computer Security: Art and Science, slide 16)

Windows NT Sample Entry
  Date: 2/12/2000      Source: Security
  Time: 13:03          Category: Detailed Tracking
  Type: Success        Event ID: 592
  User: WINDSOR\Administrator
  Computer: WINDSOR
  Description:
  A new process has been created:
    New Process ID: 2216594592
    Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
    Creator Process ID: 2217918496
    User Name: Administrator
    Domain: WINDSOR
    Logon ID: (0x0,0x14B4c4)
[would be in graphical format]

Syslog
- De facto standard in Unix and networking
- RFC 3164
- UDP transport (no delivery guarantee and no sender authentication, so a collector cannot by itself tell a forged message from a real one)
- Log locally or send to a collecting server
- Limited normalization

Syslog Format
- PRI field, encoded as facility * 8 + severity
  - Facility: the part of the system generating the log, e.g. 0 kernel, 2 mail system, 6 line printer
  - Severity: a fully ordered list, e.g. 0 Emergency, 3 Error, 6 Informational
- Header: timestamp and host name
- Msg
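The PRI/header/message split above, as an added example in Python (not part of the original slides). It decodes PRI into facility and severity, applies the RFC 3164 rule that a message with no valid PRI is treated as user.notice, and filters by severity using the fact that severities are fully ordered. Two of the sample lines are the RFC 3164 section 5.4 examples; the third is constructed here.

```python
import re

# RFC 3164 facility codes (section 4.1.1); names follow the RFC's table
FACILITIES = {
    0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severities are fully ordered: 0 is the most urgent, 7 the least
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG, with the RFC's "Mmm dd hh:mm:ss" timestamp
_MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# First two lines: RFC 3164 section 5.4 examples; third: constructed for this example
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!",
    "<0>Jan  1 00:00:01 fw1 kernel: panic: out of memory",
]


def parse_syslog(line):
    """Split an RFC 3164 line into PRI (facility, severity), header and message."""
    if not re.match(r"^<\d{1,3}>", line):
        # RFC 3164 section 4.3.3: a message without a valid PRI is treated as <13> (user.notice)
        line = "<13>" + line
    m = _MSG_RE.match(line)
    if not m:
        raise ValueError("unparseable syslog line: %r" % line[:60])
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "facility%d" % facility),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        # Timestamp and hostname are whatever the sender wrote; over UDP neither is authenticated
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def at_least(lines, severity_name):
    """Return parsed messages at the given severity or more urgent (lower number)."""
    limit = SEVERITIES.index(severity_name)
    return [e for e in map(parse_syslog, lines) if e["severity"] <= limit]


if __name__ == "__main__":
    for e in at_least(SAMPLE_LINES, "error"):
        print(e["severity_name"], e["facility_name"], e["host"], e["msg"])
```

The filter keys on the numeric severity rather than the name, which is what makes "error and worse" a single comparison; a collector that only has string matching on "ERR" misses "crit" and "emerg".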

Top 10 Things to Audit in a Win2k Domain
Local Security Policy of one DC:
  1. Password policy
  2. Lockout policy
  3. Audit policy: Account Management, Account Logon, System Policy, Policy Changes; audit failure AND success!
Active Directory Users and Computers:
  4. Important group memberships: Domain Admins, Administrators, Account Operators, Server Operators, Backup Operators. If this is the root domain of the forest, also check Enterprise Admins, Schema Admins and DNSAdmins.

Top 10 Things to Audit in a Win2k Domain (continued)
One or more Domain Controllers:
  5. Service pack level
  6. Dangerous services
One or more Member Servers:
  7. Audit policy: Account Logon, Account Management, System Policy, Policy Change
  8. Service pack level
  9. Dangerous services
  10. Administrator account

Examples (analyzer)
- Using swatch to find instances of telnet in tcpd logs:
  /telnet/&!/localhost/&!/*.site.com/
- Query set overlap control in databases: if there is too much overlap between the current query and past queries, do not answer
- Intrusion detection analysis engine (director): takes data from sensors and determines whether an intrusion is occurring

Examples (notifier)
- Using swatch to notify of telnets:
  /telnet/&!/localhost/&!/*.site.com/    mail staff
- Query set overlap control in databases: prevents the response from being given if too much overlap occurs
- Three failed logins in a row disable the user account: the notifier disables the account and notifies the sysadmin
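The two swatch examples (the analyzer rule for telnet connections and the "mail staff" notifier) together with the three-failed-logins lockout, as one added Python example that is not part of the original slides. The swatch pattern is rewritten as real regular expressions, the log lines are constructed in syslog/tcpd layout for this example, and the disable action is recorded rather than performed (a real notifier would run the platform's account-lock command there).

```python
import re
from collections import defaultdict

# The swatch rule /telnet/&!/localhost/&!/*.site.com/ written as regexes:
# match "telnet", but not lines mentioning localhost or any host under site.com
TELNET_RE = re.compile(r"telnet")
EXCLUDE_RES = [re.compile(r"localhost"), re.compile(r"[\w.-]*\.site\.com\b")]

# Constructed tcpd/login lines in syslog layout (not real logs)
LOG_LINES = [
    "Mar  3 10:01:22 gw telnetd[4011]: connect from localhost",
    "Mar  3 10:01:30 gw telnetd[4012]: connect from ws17.site.com",
    "Mar  3 10:02:05 gw telnetd[4013]: connect from 198.51.100.23",
    "Mar  3 10:02:09 gw login[4013]: FAILED LOGIN 1 FROM 198.51.100.23 FOR bishop, Authentication failure",
    "Mar  3 10:02:14 gw login[4013]: FAILED LOGIN 2 FROM 198.51.100.23 FOR bishop, Authentication failure",
    "Mar  3 10:02:20 gw login[4013]: FAILED LOGIN 3 FROM 198.51.100.23 FOR bishop, Authentication failure",
    "Mar  3 10:04:00 gw login[4031]: FAILED LOGIN 1 FROM 10.0.0.9 FOR ops, Authentication failure",
    "Mar  3 10:04:10 gw login[4031]: LOGIN ON tty1 BY ops",
    "Mar  3 10:04:20 gw login[4032]: FAILED LOGIN 1 FROM 10.0.0.9 FOR ops, Authentication failure",
]

FAILED_RE = re.compile(r"login\[\d+\]: FAILED LOGIN \d+ FROM \S+ FOR (?P<user>[^,\s]+)")
SUCCESS_RE = re.compile(r"login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+)")


def telnet_hits(lines):
    """Analyzer: the lines the swatch rule would fire on."""
    return [l for l in lines
            if TELNET_RE.search(l) and not any(x.search(l) for x in EXCLUDE_RES)]


class LockoutNotifier:
    """Notifier: three consecutive failed logins disable the account and page the sysadmin."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.streak = defaultdict(int)   # consecutive failures per user
        self.disabled = set()
        self.outbox = []                 # what would be mailed to staff / sysadmin

    def feed(self, line):
        m = FAILED_RE.search(line)
        if m:
            user = m.group("user")
            self.streak[user] += 1
            if self.streak[user] >= self.threshold and user not in self.disabled:
                self.disabled.add(user)   # a real notifier would lock the account here
                self.outbox.append("sysadmin: disabled %s after %d consecutive failed logins"
                                   % (user, self.streak[user]))
            return
        m = SUCCESS_RE.search(line)
        if m:
            self.streak[m.group("user")] = 0   # "in a row": a success resets the streak


def run(lines):
    """Run analyzer and notifier over a log; returns (telnet hits, mail to send, notifier)."""
    notifier = LockoutNotifier()
    for l in lines:
        notifier.feed(l)
    hits = telnet_hits(lines)
    mail = ["staff: " + h for h in hits] + notifier.outbox   # swatch's "mail staff" action
    return hits, mail, notifier


if __name__ == "__main__":
    hits, mail, notifier = run(LOG_LINES)
    print("\n".join(mail))
```

One caveat the rule itself carries: the exclusions match anywhere in the line, so a remote host whose reverse DNS name contains "localhost" or ends in ".site.com" would suppress the alert. An analyzer that trusts attacker-controlled PTR records for its exclusions is weaker than one that keys on the source address.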


Application Logging
- Application logs are made by applications; the application controls what is logged
- Typically uses high-level abstractions such as:
  su: bishop to root on /dev/ttyp0
- Does not include detailed, system-call-level information such as results, parameters, etc.

System Logging
- Logs system events such as kernel actions
- Typically uses low-level events, e.g. BSD ktrace/kdump output of su starting up:

  3876 ktrace  CALL  execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
  3876 ktrace  NAMI  "/usr/bin/su"
  3876 ktrace  NAMI  "/usr/libexec/ld-elf.so.1"
  3876 su      RET   execve 0
  3876 su      CALL  __sysctl(0xbfbff47c,0x2805c928,0xbfbff478,0,0)
  3876 su      RET   __sysctl 0
  3876 su      CALL  mmap(0,0x8000,0x3,0x1002,0xffff,0,0,0)
  3876 su      RET   mmap 671473664/0x2805e000
  3876 su      RET   geteuid 0

- Does not include high-level abstractions such as "loading libraries"

Contrast
- They differ in focus
  - Application logging focuses on application events, like failure to supply the proper password, and the broad operation (what was the reason for the access attempt?)
  - System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?)
- System logs are usually much bigger than application logs
- Can do both, and try to correlate them

Access Control
A collection of mechanisms that permits managers of a system to exercise a directing influence over the behavior, use and content of the system.
- System access control
  - Password and other authentication
  - System auditing
- Discretionary Access Control (DAC)
  - Access control list
- Mandatory Access Control (MAC)
  - Reference monitor

UNIX File System
- Ordinary files
- Directory files
- Special files

Basic Access Control
The first column of ls -l output is a 10-character mode string:
- Position 1: type of file
- Positions 2-4: owner's permissions
- Positions 5-7: group's permissions
- Positions 8-10: others' permissions

PERMISSION    MEANING
-rwxrwxrwx    File. Everyone can read, write and execute it.
-rwxr-xr-x    File. Everyone can read and execute it, but only the owner can write to it.
-r--r-----    File. The owner and everyone in the owner's group can only read it; others have no access.
drw-rw-rw-    Directory. Everyone can read and write the listing, but no one, including the owner, can traverse it (on a directory the x bit is the search/traverse right).
lrwxr-xr-x    Symbolic link. The permissions on a link generally do not matter; what counts are the permissions of the target.
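The mode-string rules in the table, as an added Python example that is not part of the original slides: it parses the ls -l mode column (including the setuid, setgid and sticky markers that share the execute slot) and answers whether a given uid/group set gets read, write or execute/traverse. The uids, gids and mode strings are made up for the example; the one-class rule (owner, else group, else other) and the root special case are standard Unix behaviour.

```python
CLASSES = ("owner", "group", "other")


def parse_mode(mode_str):
    """Parse the 10-character mode column of ls -l, e.g. '-rwxr-xr--' or 'drwxrwxrwt'."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    mode = {"type": mode_str[0], "setuid": False, "setgid": False, "sticky": False}
    for cls, start in zip(CLASSES, (1, 4, 7)):
        r, w, x = mode_str[start:start + 3]
        perms = set()
        if r == "r":
            perms.add("r")
        if w == "w":
            perms.add("w")
        # setuid/setgid (s) and sticky (t) share the execute slot; lower case means
        # the execute bit is set as well, upper case (S, T) means it is not
        if x in "xst":
            perms.add("x")
        if cls == "owner" and x in "sS":
            mode["setuid"] = True
        if cls == "group" and x in "sS":
            mode["setgid"] = True
        if cls == "other" and x in "tT":
            mode["sticky"] = True
        mode[cls] = perms
    return mode


def effective_class(uid, gids, file_uid, file_gid):
    """Classic Unix picks exactly one class: owner, else group, else other.
    An owner who also belongs to the file's group still gets only the owner bits."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def allowed(mode_str, want, uid, gids, file_uid, file_gid):
    """Would a process with (uid, gids) get `want` ('r', 'w' or 'x') on this file?
    On a directory 'x' is the search/traverse right."""
    mode = parse_mode(mode_str)
    if uid == 0:
        # root bypasses read/write checks and can always search a directory;
        # executing a regular file still needs at least one x bit somewhere
        if want in ("r", "w") or mode["type"] == "d":
            return True
        return any("x" in mode[c] for c in CLASSES)
    return want in mode[effective_class(uid, gids, file_uid, file_gid)]


if __name__ == "__main__":
    # constructed: file owned by uid 1000 / gid 100, asked about by group member uid 1001
    for m in ("-rwxrwxrwx", "-rwxr-xr-x", "-r--r-----", "drw-rw-rw-"):
        print(m, "uid 1001 (group 100) may write:", allowed(m, "w", 1001, {100}, 1000, 100))
```

The case worth noticing is "-r--rwx---" with the owner also in the group: the owner gets only r, because the kernel never falls through to the group bits once the owner class matches. That is the precise sense in which basic UNIX cannot express "this one user gets less than the group".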

Access Control List - UNIX
- An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties
- An ACL entry contains:
  - Attributes: special file modes such as setuid, setgid and the sticky bit
  - Base permissions: the basic access rights
  - Extended permissions: specify, permit, deny

Access Control List - ACL Entries
ENTRY                                        DESCRIPTION
1. attributes: setuid, setgid, stickybit     Special file modes.
2. base permissions                          Standard Unix file permissions.
3.   owner(owner_user): rwx                  Owner and access rights.
4.   group(owner_group): r-x                 Group and access rights.
5.   others: r--                             Others' rights.
6. extended permissions                      Additional ACL entries.
7.   enabled or disabled
8.   permit --x u:some_user,g:some_group     Permits access to the specified user-group combination, matched in a boolean AND manner.
9.   deny rwx g:a_group                      Forbids access to the specified user-group combination, matched in a boolean AND manner.

Auditing
- A feature that provides accountability for all system activities, from file access to network and database
- Each audit event, such as a user login, is formatted into fields such as the event type, user id, file names and time
- Audit events
  - Administrative event class
    - Security administrator events
    - System administrator events
    - Operator events
  - Audit event class: describes the operation of the audit system itself

Windows File System
- Supports two file systems
  - FAT (File Allocation Table): the file system does not record security information such as the owner or the access permissions of a file or directory
  - NTFS (New Technology File System): supports a variety of multi-user security models
- NTFS vs FAT
  - Fault tolerance
  - Access control by directory or file
  - Can compress individual files or directories
  - POSIX support

Access Control List - Windows
Data structure of an ACL:
- ACL size: number of bytes of memory allocated
- ACL revision: revision number of the ACL's data structure
- ACE count: number of ACEs in the ACL

Access Control Entries
An ACE contains the following access control information:
- A security identifier (SID)
- An access mask, which specifies access rights
- A set of bit flags that determines which child objects can inherit the ACE
- A flag that indicates the type of ACE

ACE Types
3 generic types:
TYPE             DESCRIPTION
Access-denied    Used in a DACL to deny access.
Access-allowed   Used in a DACL to allow access.
System-audit     Used in a SACL to log attempts to access.

3 object-specific types:
TYPE                              DESCRIPTION
Access-denied, object-specific    Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
Access-allowed, object-specific   Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
System-audit, object-specific     Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.

Access Rights
Generic access rights:
CONSTANT IN WIN32 API   MEANING
GENERIC_ALL             Read, write, and execute access
GENERIC_EXECUTE         Execute access
GENERIC_READ            Read access
GENERIC_WRITE           Write access

Standard access rights:
CONSTANT IN WIN32 API   MEANING
DELETE                  The right to delete the object.
READ_CONTROL            The right to read the information in the object's security descriptor, not including the information in the SACL.
SYNCHRONIZE             The right to use the object for synchronization. Some object types do not support this access right.
WRITE_DAC               The right to modify the DACL in the object's security descriptor.
WRITE_OWNER             The right to change the owner in the object's security descriptor.

Other rights: SACL access rights, object-specific access rights, user rights.

How Access Control Works?
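The slide's diagram did not survive extraction, so here is the DACL walk as an added Python example that is not part of the original presentation. It uses the ACE fields and the generic/standard rights from the preceding slides: generic bits are first expanded through the object's generic mapping (the file-object values from winnt.h are used), then the ACEs are visited in order, skipping inherit-only ACEs and ACEs for SIDs not in the token, denying on the first deny ACE that touches a still-wanted bit, and accumulating bits from allow ACEs until nothing is left wanted. The SIDs and the sample DACL are placeholders made up for the example; a NULL DACL meaning "everyone" and an empty DACL meaning "no one" are real Windows semantics.

```python
# Standard and generic access-mask bits (values as in winnt.h)
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = (
    0x00010000, 0x00020000, 0x00040000, 0x00080000, 0x00100000)
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = (
    0x80000000, 0x40000000, 0x20000000, 0x10000000)
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
# GENERIC_MAPPING for file objects: what each generic right expands to
FILE_GENERIC_MAPPING = {
    GENERIC_READ: 0x00120089, GENERIC_WRITE: 0x00120116,
    GENERIC_EXECUTE: 0x001200A0, GENERIC_ALL: 0x001F01FF}


def map_generic(desired, mapping=FILE_GENERIC_MAPPING):
    """Replace generic bits by the object-specific bits they stand for."""
    for g, specific in mapping.items():
        if desired & g:
            desired = (desired & ~g) | specific
    return desired


def ace(kind, sid, mask, inherit_only=False):
    """An ACE: type, trustee SID, access mask, and the inheritance flag that matters here."""
    return {"type": kind, "sid": sid, "mask": mask, "inherit_only": inherit_only}


def access_check(dacl, token_sids, desired, owner_sid=None):
    """Walk the DACL in order, as the reference monitor does, and decide."""
    remaining = map_generic(desired)
    if dacl is None:                 # NULL DACL: no protection, everyone gets everything
        return True
    if owner_sid in token_sids:      # the owner always gets READ_CONTROL and WRITE_DAC
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for a in dacl:                   # an empty DACL grants nothing, so the request is denied
        if remaining == 0:
            break
        if a["inherit_only"] or a["sid"] not in token_sids:
            continue                 # inherit-only ACEs and other trustees' ACEs are skipped
        if a["type"] == "denied" and a["mask"] & remaining:
            return False             # a matching deny on any still-wanted bit ends the check
        if a["type"] == "allowed":
            remaining &= ~a["mask"]  # accumulate granted bits across successive allows
    return remaining == 0


# Constructed example: SIDs are placeholders, not real Windows SIDs
USERS, GUESTS, ADMINS, ALICE, BOB = "S-Users", "S-Guests", "S-Admins", "S-Alice", "S-Bob"
ALICE_TOKEN = {ALICE, USERS, GUESTS}
BOB_TOKEN = {BOB, USERS, ADMINS}

DENY_GUEST_WRITE = ace("denied", GUESTS, FILE_WRITE_DATA)
ALLOW_USERS_READ = ace("allowed", USERS, FILE_GENERIC_MAPPING[GENERIC_READ])
ALLOW_USERS_WRITE = ace("allowed", USERS, FILE_WRITE_DATA)
ALLOW_ADMINS_ALL = ace("allowed", ADMINS, FILE_GENERIC_MAPPING[GENERIC_ALL])

# Canonical order: explicit deny ACEs before allow ACEs
CANONICAL = [DENY_GUEST_WRITE, ALLOW_USERS_READ, ALLOW_USERS_WRITE, ALLOW_ADMINS_ALL]
# Same ACEs with the deny after the allows: the allow satisfies the request before the deny is seen
NON_CANONICAL = [ALLOW_USERS_READ, ALLOW_USERS_WRITE, DENY_GUEST_WRITE, ALLOW_ADMINS_ALL]

if __name__ == "__main__":
    print("alice GENERIC_READ :", access_check(CANONICAL, ALICE_TOKEN, GENERIC_READ))
    print("alice GENERIC_WRITE:", access_check(CANONICAL, ALICE_TOKEN, GENERIC_WRITE))
    print("bob   GENERIC_ALL  :", access_check(CANONICAL, BOB_TOKEN, GENERIC_ALL))
    print("alice write, canonical    :", access_check(CANONICAL, ALICE_TOKEN, FILE_WRITE_DATA))
    print("alice write, non-canonical:", access_check(NON_CANONICAL, ALICE_TOKEN, FILE_WRITE_DATA))
```

The two orderings of the same ACEs give opposite answers for Alice's write, which is why a DACL audit has to check ACE order and not just ACE contents: tools that append an allow ACE to the front of a DACL silently neutralize the explicit denies behind it.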

Automated Tools By Category
- Enterprise Vulnerability Management
  - Hercules AVR (Citadel)
  - Class 5 AVR (Secure Elements)
- Vulnerability Assessment
  - Retina Network Security Scanner (eEye)
  - FoundScan Engine (Foundstone)
  - STAT Scanner (Harris)
  - Internet Scanner (ISS)
  - SiteProtector (ISS)
  - System Scanner (ISS)
  - Microsoft Baseline Security Analyzer (Microsoft)
  - IP360 Vulnerability Management System (nCircle)
  - Nessus Scanner (Nessus)
  - SecureScout SP (NexantiS)
  - QualysGuard Scanner (Qualys)
  - SAINT Scanning Engine (Saint)
  - Lightning Console (Tenable)
  - NeWT Scanner (Tenable)
  - WebInspect (SPI Dynamics)
- Patch Management
  - Systems Management Server (Microsoft)
  - Windows Update Service (Microsoft)
  - PatchLink (PatchLink)
  - BigFix (BigFix)
  - UpdateExpert (St. Bernard)
  - HFNetChk (Shavlik)
- Policy Management
  - Active Directory Group Policy Objects (Microsoft)
  - Security Policy Management (NetIQ)
  - Enterprise Security Manager (Symantec)
  - Compliance Center (BindView)
- Configuration/Asset Management
  - Systems Management Server (Microsoft)
  - TME (Tivoli)
  - Unicenter (CA)
  - Enterprise Configuration Manager (Configuresoft)
  - Asset Management Suite (Altiris)

Conclusion
UNIX vs Windows:
- It is easy to control system configuration on UNIX
- ACLs are much more complex than traditional UNIX-style permissions
- In basic UNIX (without ACLs) it is impossible to give a number of individual users different access rights to the same file; only owner, group and other are distinguished

System Security Policy Files
OPERATING SYSTEMS. Examples:
- XP (NSA Guidelines)
- Win 2000 (NIST Guidelines, NSA Guidelines, SANS Step-By-Step)
- Win 2003 (MS Windows Server 2003 Security Guide)
- NT (SANS Guidelines, MS Security White Paper, US Navy)
- Linux (SANS Step-By-Step)
- Solaris (SANS Step-By-Step)
- AIX (IBM Guidelines)
- HP-UX (HP Guidelines)
- UNIX Samples
- BlockSP2
- Services List
- Service Pack
APPLICATIONS. Examples:
- Applications List
- Internet Explorer
- Word 2000 and Excel 2000 Macro Settings
- IIS Lockdown Guidelines
- IIS Metabase Sample
INSTALLED HARDWARE / SOFTWARE. Examples:
- Anti-Virus
- Hardware List
- USB Storage
- Installed Modems
PATCHING. Examples:
- MS Fixes
- SUN Patches
REGULATIONS. Examples:
- Sarbanes-Oxley
- HIPAA
- FISMA
- GLBA
- ISO 17799

Perfect World (almost): A Scenario
- Any time a machine joins (or re-joins) the corporate network, it is automatically quarantined, assessed, and remediated to bring it into compliance before it gains access to network resources
- Every night, critical vulnerability and configuration compliance checks are performed on all Windows desktops and remediated if needed
- Every Saturday, from 2:00 AM to 3:00 AM, newly approved patches are automatically applied to all Windows desktops
- Every Sunday, from 2:00 AM to 3:00 AM, all Windows and Unix servers are checked for security policy compliance. Selected items are remediated; other items generate alerts

Perfect World (almost): A Scenario (continued)
- During monthly maintenance intervals, Unix and Windows servers are fully patched and rebooted if required
- Monthly, a full automated network assessment is performed to independently scan for vulnerabilities
- Quarterly, remediation policies are reviewed and updated to incorporate new vulnerability remediations
- Critical, zero-day remediations are applied where needed in the enterprise within an hour of notification and remedy availability

Contact Information
Patti Walker, Director, Technology Risk Management, Phoenix / Las Vegas
  (602) 643-1600 (o), (480) 734-6960 (c), (602) 643-1606 (f)
Jim Patterson, CISSP, CBCP, CRM, Technology Risk Management, Phoenix / Las Vegas
  (602) 643-1600 (o), (480) 529-9393 (c), (602) 643-1606 (f)
Jefferson Wells, A Manpower Company
11811 N. Tatum Blvd., Suite 3076, Phoenix, Arizona 85028