
San Francisco Chapter Establishing Effective Audit Control Objectives for UNIX Morning Session Rick Allen CISSP Manager Strategic Security Services


1 San Francisco Chapter Establishing Effective Audit Control Objectives for UNIX Morning Session Rick Allen CISSP Manager Strategic Security Services

2 Course Introduction
Overview
This course provides a broad overview of Unix security audit technology, presented at an advanced, fast-paced level.
Audience
Security Officers, Internal Auditors, and Systems Implementers in organizations that rely upon complex networked Unix systems environments.

3 Course Objectives
At the end of the course the student will:
1. Enhance understanding of Unix & network systems security & audit issues
2. Understand Unix default systems & network configurations
3. Identify key objectives and tasks in planning a Unix audit, including basic shell commands used in the audit
4. Understand basic and intermediate Unix control objectives
5. Build Unix control objectives into a more effective audit plan
6. Develop a detailed control activities testing matrix for the Unix audit

4 Morning Course Agenda
Over the next three hours we will learn about:
1. Audit planning considerations in reviewing Unix and network systems environments
2. Approaching Unix systems architecture from a security and audit point of view
3. Understanding the associated security risks & impact of default Unix systems environments
4. Understanding the basis of Unix & TCP/IP control objectives

5 Context & Expectation Management
I.T. Audit Roles, Responsibilities & Member Perceptions
1. Unix professionals find limited value in traditional audit approaches
2. Enhancing levels of technical credibility in the Unix audit program is key to success
3. Elements of a successful integrated audit approach include enhanced client relations and communications
To become effective in leveraging the integrated audit approach, the auditor should gain insights into member perceptions.

6 Context & Expectation Management
I.T. Audit Roles, Responsibilities & Member Perceptions
4. Traditional audit approaches are best suited for auditing application-level control assurance to obtain overall control reliance strategies
5. Integrated audit approaches are best suited for auditing critical infrastructure controls against industry and security best practices
6. Delivering integrated audit approach plans establishes audit as a value-added consultant while protecting the independence of governance and oversight roles

7 Unix Audit Considerations
1. The hacker who breaks into a system will probably be someone known to the organization
- “Inside jobs” & sabotage
- Planting time & logic bombs
- Changing root passwords on critical systems; recovery is problematic
- If you are hacked you probably do not care by whom or for what motivation
2. Trust no one, or be careful about whom you are required to trust
- Large, simple webs of trust betray weaknesses in the network
3. Don’t trust yourself, or verify everything you do
- Stop, think & verify!

8 Unix Audit Considerations
4. Make would-be intruders believe they will be caught
- Information is the merchandise of the computer age
- Means to deter must be visible, such as banners and messages. Technical and operational countermeasures must be transparent for maximum effectiveness
5. Protect in layers
- The hacker’s electronic playbook runs the various system and network layers
- To provide security you must forward-deploy adequate protection controls
- Understand defense-in-depth concepts: single controls are not resilient, but as a group they provide multiple layers of defense

9 Unix Audit Considerations
6. While planning your security strategy, presume the complete failure of any single security layer
- A properly designed, layer-protected system, application or service should presume a complete or temporary failure of one layer of security
7. Make security a part of the initial design
- It’s always more difficult to retrofit than to proactively design
- Minimum Security Baseline Configurations are a must-have
8. Disable unneeded services, packages and features
- Unix systems are shipped with all network services enabled and default permissions

10 Unix Audit Considerations
9. Before connecting, understand and secure
- No matter how urgent, make the time to assess security prior to production release of tools, applications and features
- Holistic security practices can enable the business case and mitigate risk while meeting time-to-market objectives
10. Prepare for the worst
- Assume that hackers are already scheming to break into your site
- Preparation will diminish the security risk of intrusion and compromise
- Quantify risk in dollar-loss terms
Innovative thinking about security systems administration & integrating the audit approach

11 Unix Architecture Principles
- Minimize the number of failure points (shorten & limit critical paths); includes Minimum Security Baseline Configurations
- Keep services close to those being served
- Act locally, communicate globally
- Vertically align services with applications, function and mission
- Network partitioning

12 Unix Systems Architecture
What is an architecture?
The collection of elements that work together to fulfill the intended objective. The Unix operating system is a vast array of elements, each providing a feature or function of the architecture.
Examples:
- A local area file-sharing system for a workgroup
- A software development platform connected to an interactive service provider
- An extranet deployed over public networks to connect various system types over global geographies
- Your organization’s interactive services & applications: B2B, B2C and so on

13 Sample Systems Architecture
Components shown in the architecture diagram: Unix Web Servers, Internal Unix Clients, Load Balancer, External Unix Clients, Unix Firewall, Perimeter Router & Internet, Interior Router, Interior Network Switch

14 Unix Systems Architecture
Simple vs. Complex Architectures?
A hacker, when given a choice, would choose a complex system or cluster of systems in an architecture to attack, for the following reasons:
- Complex systems inherently contain more components and targets of interest
- Complex systems have a greater likelihood that poor or misconfigured designs are present
- A poorly designed or misconfigured element can be an invitation to attack or exploitation
- Attacks against complex systems are more likely to go unnoticed. Yet attacks are often directed at simple architectures to gain additional footholds

15 Unix Core Architecture
Unix is made of three core elements: Kernel, Shell, File System
- The Kernel is the heart of the Unix operating system. Its role includes managing memory usage, system hardware and software.
- Its low-level language is below the shell syntax, which maintains processes.
- The Shell is a higher-level language handling command interpretation and syntax parsing.
- Shell syntax is used to develop scripts that provide high-level programming functionality.
- Common shells include the C Shell, Korn Shell and Bourne Shell.

16 Unix Core Architecture
The File System
File systems in Unix divide into 3 categories: Directories, Ordinary Files, Special Files
Directory tree shown on the slide:
/  (root system level)
  /unix  /etc  /dev  /tmp  /lib  /usr  /bin
  /usr: /john  /cathy
  /usr/john: .profile  /mail  /pers  /games  /bin  /data

17 Unix Core Architecture
The Basic File System (see the directory tree on slide 16)
- /unix is the kernel
- /etc contains sysadmin files; most are available to regular users. It also contains the passwd file. Other files in /etc include: /etc/passwd, /etc/utmp, /etc/adm/sulog, /etc/motd, /etc/group, /etc/conf, /etc/profile
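As an added example (not part of the presentation), the kind of quick control test an auditor would run over the account files the slide lists, /etc/passwd and /etc/group. The function names are hypothetical, and the script runs against a constructed sample so it works offline; set PASSWD and GROUP to the real paths on a system under review.

```shell
#!/bin/sh
# Added example, not from the presentation: simple audit checks over the
# account files the slide lists (/etc/passwd and /etc/group). A constructed
# sample stands in for the real files so the script runs offline.

PASSWD=$(mktemp)
GROUP=$(mktemp)
trap 'rm -f "$PASSWD" "$GROUP"' EXIT

# Constructed sample passwd file: name:password:uid:gid:gecos:home:shell
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/:/bin/sh
john:x:1001:100:John:/usr/john:/bin/ksh
cathy::1002:100:Cathy:/usr/cathy:/bin/csh
backup:x:0:0:nightly backup:/var/backup:/bin/sh
guest:x:1003:200:Guest:/tmp:/bin/sh
EOF

# Constructed sample group file: name:password:gid:members
cat >"$GROUP" <<'EOF'
root:x:0:
bluebox:x:100:john,cathy
EOF

# uid0_accounts PASSWD -> every account with UID 0 other than root
# (an extra superuser account is a classic sign of tampering or sloppy setup)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_accounts PASSWD -> accounts whose password field is empty
# (a blank field means no password is required at login)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# unknown_gid_accounts PASSWD GROUP -> accounts whose primary GID is not
# defined in the group file (orphaned accounts or leftovers of removed groups)
unknown_gid_accounts() {
    awk -F: 'NR == FNR { gid[$3] = 1; next } !($4 in gid) { print $1 }' "$2" "$1"
}

echo "UID 0 accounts besides root:";        uid0_accounts "$PASSWD"
echo "Accounts with empty password field:"; empty_password_accounts "$PASSWD"
echo "Accounts with undefined primary GID:"; unknown_gid_accounts "$PASSWD" "$GROUP"
```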

18 Unix Core Architecture
The Basic File System (see the directory tree on slide 16)
- /unix is the kernel
- /dev contains files for physical devices such as printers and disk drives
- /tmp contains temporary files
- /lib is the directory that contains programs for high-level languages
- /usr contains directories for each user on the system
- /bin contains commands and executable programs

19 Unix Core Architecture
Basic File System Navigation 1 (see the directory tree on slide 16)
To go back one directory up, type in:
$ cd ..
Or, to go back to your parent directory, just type in “cd”

20 Unix Core Architecture
Basic File System Navigation 2 (see the directory tree on slide 16)
Listing file directories, assuming you’re in the parent directory:
$ ls /usr/john
Mail  Pers  Games  Bin  Data

21 Unix Core Architecture
Basic File System Navigation 3 (see the directory tree on slide 16)
$ ls -la /usr/john
total 60
-rwxr-x---  5 john bluebox 10 april 9 7:04 mail
drxw          john bluebox 30 april 2 4:09 pers
Note: the “total 60” tells you the amount of disk space used in the directory. The first column is read in 3 groups of three characters: the first group specifies the permissions of the user (owner), the second those of the group, the third those of others.

22 Unix Core Architecture
Basic File System Navigation 4 (see the directory tree on slide 16)
The chmod command changes the permissions of a directory or a file. You can use symbolic or octal notation:
$ chmod o+r mail
OR
$ chmod 754 mail
$ ls -la mail
-rwxr-xr--  5 john bluebox 10 april 9 7:04 mail
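As an added example (not part of the presentation), a small POSIX shell script that reads the permission column from slide 21 the way the slide describes (three groups of three), converts it to the octal form chmod accepts on slide 22, and flags the entries an auditor checks first (setuid, setgid, world-writable). Function names are hypothetical and the ls listing it runs over is constructed.

```shell
#!/bin/sh
# Added example, not from the presentation: convert the `ls -l` permission
# column into chmod's octal notation and flag audit-relevant modes.

# triad_value rwx -> 7, r-x -> 5, --- -> 0 (s and t imply the execute bit)
triad_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    printf '%s' "$v"
}

# mode_to_octal -rwxr-x--- -> 750 ; the leading file-type character is dropped
mode_to_octal() {
    p=${1#?}
    printf '%s%s%s' \
        "$(triad_value "$(printf '%s' "$p" | cut -c1-3)")" \
        "$(triad_value "$(printf '%s' "$p" | cut -c4-6)")" \
        "$(triad_value "$(printf '%s' "$p" | cut -c7-9)")"
}

# audit_flags MODE -> "ok" or a comma-separated list of findings
audit_flags() {
    p=${1#?}
    f=""
    case $p in ??s??????) f="setuid" ;; esac
    case $p in ?????s???) f="${f:+$f,}setgid" ;; esac
    case $p in ???????w?) f="${f:+$f,}world-writable" ;; esac
    printf '%s' "${f:-ok}"
}

# Constructed sample of `ls -la` output in the layout the slides show.
SAMPLE='-rwxr-x---  5 john bluebox  10 Apr  9 07:04 mail
-rwxr-xr--  5 john bluebox  10 Apr  9 07:04 mail
-rwsr-xr-x  1 root root    100 Apr  1 00:00 su
-rw-rw-rw-  1 john bluebox   2 Apr  2 04:09 data'

# Print mode, octal equivalent and findings for each entry of the listing.
printf '%s\n' "$SAMPLE" | while read -r mode rest; do
    name=${rest##* }
    printf '%-10s %s  %-16s %s\n' "$mode" "$(mode_to_octal "$mode")" \
        "$(audit_flags "$mode")" "$name"
done
```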

23 Unix Core Architecture
Key concepts to keep in mind:
- Virtually all information stored on a Unix system is stored in the file system
- The file system consists of the operating system (kernel), system files, application programs and data
- Device files such as memory, disks and peripherals are actually part of the file system
- File system permission and access controls are provided for all files, including networking and device files
- Example: indirect device references such as /dev/dsk/c0t3d0s0 are actually logical links

24 Unix Core Elements & Systems Defaults
Why this is important: anatomy of a systems hack!
- Attacker selects target by company or computing / network environment
- Goal is to identify the target’s Internet footprint
- Attacker searches for system identifiers using basic and stealth techniques to evade detection: version numbers and service banners; IP address and host/domain name info
- Identify potential targets in decreasing order of likelihood of penetration
- Default Unix systems can be “owned” in a matter of minutes

25 Understanding Unix System Defaults
First steps in building effective control objectives!
Finishing a full Unix systems installation:
- Servers use the Entire Distribution
- Power workstations use the Developer Distribution
- Low-end workstations use the End User Distribution
Once complete, with default file system partitioning now in place, it’s time to configure the system.

26 Understanding Unix System Defaults
Our newly installed and configured system now looks more like this:
- The basic Unix file system is more permissive than required. We can now determine exactly how to lessen the permissiveness of the file system going forward
- Various startup scripts and run-level commands are configured and running that provide a wide variety of unnecessary services
- Local TCP/IP services are configured and running, providing almost unlimited network access
- Potentially sensitive interactive network sessions are not encrypted
- System trust relationships are pervasive
