Security Audit
Security Audit
• Controls
• Security logs
• Risk assessment
Steps in Audit
• Starts with policies and procedures in place
• Initially the policy is treated as the statement of the threat, and the
audit focuses on how people and systems address that threat
• Interview employees and administrators
• Evaluate technical aspects for security
• Review all data logs
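The "review all data logs" step is the one most often skipped in practice, so here is what a log review can look like when it is scripted. This is an added example, not code from the original slides: the log format, the share and user names, the ACLs and the business-hours window are all constructed assumptions. The review answers two checklist questions at once, who accessed which data, and whether any access contradicts the ACL that is supposed to protect it.

```python
"""Review a data-access log against the ACLs it should reflect.

Added example for the "review all data logs" step; it is not code from
the original slides. The log format, share names, user names and the
business-hours window are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one access event per line, plus one malformed
# line so the parser has to cope with noise the way a real review would.
SAMPLE_LOG = """\
2024-01-15T09:12:03 user=alice share=finance action=read file=q4.xlsx
2024-01-15T09:40:51 user=bob share=finance action=write file=q4.xlsx
2024-01-15T22:17:09 user=carol share=finance action=read file=payroll.csv
2024-01-16T10:05:00 user=dave share=public action=read file=handbook.pdf
2024-01-16T03:30:12 user=alice share=finance action=read file=q4.xlsx
2024-01-16T11:00:00 user=mallory share=engineering action=write file=build.sh
this line is corrupted and must not crash the review
"""

# Constructed ACLs: who is supposed to reach each share ("*" = everyone).
SHARE_ACLS = {
    "finance": {"alice", "bob"},
    "public": {"*"},
    "engineering": {"dave", "erin"},
}

# Assumed review window: access outside 08:00-18:59 gets a closer look.
BUSINESS_HOURS = range(8, 19)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) share=(?P<share>\S+) "
    r"action=(?P<action>\S+) file=(?P<file>\S+)$"
)


def parse_log(text):
    """Return (events, unparsed_count); malformed lines are counted, not silently dropped."""
    events, unparsed = [], 0
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            unparsed += 1
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events, unparsed


def review(events, acls):
    """Flag events that contradict the ACLs or fall outside business hours.

    A share with no ACL entry at all is treated as closed, so any access to
    it is flagged rather than assumed to be fine.
    """
    findings = []
    for event in events:
        allowed = acls.get(event["share"], set())
        if "*" not in allowed and event["user"] not in allowed:
            findings.append(("unauthorized-access", event))
        if event["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-access", event))
    return findings


def access_summary(events):
    """Answer 'who accessed which data?': share -> {user: access count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for event in events:
        summary[event["share"]][event["user"]] += 1
    return {share: dict(users) for share, users in summary.items()}


if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {unparsed} malformed line(s)")
    for kind, event in review(events, SHARE_ACLS):
        print(f"{kind:20} {event['ts']} {event['user']} -> {event['share']}/{event['file']}")
    print(access_summary(events))
```

On the constructed log this yields four findings: carol reading the finance share (not on its ACL, and at 22:17), alice reading it at 03:30, and mallory writing to engineering without being on its ACL. The counted malformed line matters as much as the findings: an auditor wants to know how much of the log could not be interpreted before trusting the review.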
What to look for in an audit?
• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices to control
who has access to shared data?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with accepted
industry security practices?
• Have all unnecessary applications and computer services been eliminated for
each system?
• Are these operating systems and commercial applications patched to current
levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever
rehearsed the disaster recovery plan?
What to look for in an audit?
• Are there adequate cryptographic tools in place to govern
data encryption, and have these tools been properly
configured?
• Have custom-built applications been written with security
in mind?
• How have these custom applications been tested for
security flaws?
• How are configuration and code changes documented at
every level? How are these records reviewed and who
conducts the review?
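Many of the questions on these two slides can be turned into checks that run against evidence collected from each system, leaving the interviews and design reviews for the parts that cannot be automated. The following is an added example and not code from the original slides: the host evidence, the host name and every threshold (minimum password length, acceptable patch age, and so on) are constructed assumptions that an organisation would replace with values from its own policy. Each check maps back to one checklist question and reports a severity so the findings can be triaged the way the vulnerability table later in the deck does.

```python
"""Turn the audit checklist questions into automatable checks.

Added example, not code from the original slides. The evidence dict, the
host name and all thresholds are constructed assumptions; a real audit
would collect the evidence from the systems under review and set the
thresholds from the organisation's own policy.
"""
from collections import Counter
from datetime import date, timedelta

# Assumed thresholds (not from the slides): tighten or loosen per policy.
MIN_PASSWORD_LENGTH = 12
MAX_LOG_REVIEW_AGE = timedelta(days=30)
MAX_PATCH_AGE = timedelta(days=90)
MAX_BACKUP_AGE = timedelta(days=7)
MAX_DR_REHEARSAL_AGE = timedelta(days=365)

AUDIT_DATE = date(2024, 2, 1)  # the day this constructed audit is run

# Constructed evidence for one hypothetical host, as an auditor would
# assemble it from policy exports, service inventories and patch reports.
EVIDENCE = {
    "hostname": "app-01.example.test",
    "password_policy": {"min_length": 8, "lockout_threshold": 0},
    "running_services": ["sshd", "httpd", "telnetd", "finger", "rpcbind"],
    "approved_services": {"sshd", "httpd"},
    "audit_logging_enabled": True,
    "last_log_review": date(2023, 12, 20),
    "last_patch_applied": date(2023, 10, 1),
    "share_acls": {"finance": ["finance-team"], "public": ["Everyone"]},
    "backup": {"last_success": date(2024, 1, 28), "offsite": False},
    "dr_plan": {"exists": True, "last_rehearsed": None},
}

# Each check returns a list of (severity, checklist question, detail).

def check_passwords(ev, today):
    pol, out = ev["password_policy"], []
    if pol["min_length"] < MIN_PASSWORD_LENGTH:
        out.append(("Medium", "Are passwords difficult to crack?",
                    f"minimum length {pol['min_length']} < {MIN_PASSWORD_LENGTH}"))
    if pol["lockout_threshold"] == 0:
        out.append(("High", "Are passwords difficult to crack?",
                    "no account lockout, so guessing is not throttled"))
    return out

def check_services(ev, today):
    extra = [s for s in ev["running_services"] if s not in ev["approved_services"]]
    return [("Medium", "Have all unnecessary services been eliminated?",
             f"{svc} is running but not on the approved list") for svc in extra]

def check_logging(ev, today):
    if not ev["audit_logging_enabled"]:
        return [("High", "Are there audit logs to record who accesses data?", "audit logging disabled")]
    age = today - ev["last_log_review"]
    if age > MAX_LOG_REVIEW_AGE:
        return [("Medium", "Are the audit logs reviewed?", f"last review {age.days} days ago")]
    return []

def check_patching(ev, today):
    age = today - ev["last_patch_applied"]
    if age > MAX_PATCH_AGE:
        return [("High", "Are systems patched to current levels?", f"last patch {age.days} days ago")]
    return []

def check_acls(ev, today):
    return [("High", "Are there ACLs in place to control who has access to shared data?",
             f"share '{share}' is open to Everyone")
            for share, principals in ev["share_acls"].items() if "Everyone" in principals]

def check_backup(ev, today):
    b, out = ev["backup"], []
    if today - b["last_success"] > MAX_BACKUP_AGE:
        out.append(("Medium", "Is backup media up-to-date?", "last successful backup too old"))
    if not b["offsite"]:
        out.append(("Low", "How is backup media stored?", "no off-site copy"))
    return out

def check_dr_plan(ev, today):
    dr = ev["dr_plan"]
    if not dr["exists"]:
        return [("High", "Is there a disaster recovery plan?", "no plan documented")]
    if dr["last_rehearsed"] is None or today - dr["last_rehearsed"] > MAX_DR_REHEARSAL_AGE:
        return [("Medium", "Has the disaster recovery plan been rehearsed?", "not rehearsed within the last year")]
    return []

CHECKS = [check_passwords, check_services, check_logging, check_patching,
          check_acls, check_backup, check_dr_plan]

def evaluate(ev, today):
    """Run every check and return all findings for the host."""
    findings = []
    for check in CHECKS:
        findings.extend(check(ev, today))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'High': 3, 'Medium': 6, 'Low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))

if __name__ == "__main__":
    results = evaluate(EVIDENCE, AUDIT_DATE)
    print(f"{EVIDENCE['hostname']}: {summarize(results)}")
    for sev, question, detail in results:
        print(f"[{sev:6}] {question} -> {detail}")
```

For the constructed host this produces ten findings (three High, six Medium, one Low). The point of the structure is that every finding carries the checklist question it answers, so the written report can be organised by the same questions the auditor asked in interviews, and a question with no automated check is visibly left for manual review rather than silently assumed to pass.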
Why do a security audit?
• Assess compliance aspects of policy
• Assess risk
• Assess level of security
• Evaluate security incident response
Items to check in an audit
Category                    High   Med   Low   Other   Total
CGI abuses                   434   132    97       8     671
Windows                      148    40    32       5     225
Denial of Service            122    43    16       2     183
Gain root remotely           142     1     0       2     145
General                       32    28    52      15     127
Misc.                         38    22    38       9     107
FTP                           64    14    11       1      90
Gain a shell remotely         62     9     5       0      76
Remote file access            51    10     2       1      64
SMTP problems                 42     6     7       3      58
Backdoors                     41     7     1       2      51
CISCO                         41     8     1       0      50
RPC                           16     2    26       2      46
Default Unix Accounts         34     0     0       0      34
Firewalls                     10     7    10       0      27
Windows User Mngmnt            4     5    11       4      24
Useless services               0     6    15       0      21
Peer-To-Peer File Sharing      1     3    11       3      18
SNMP                           5     2     5       0      12
Finger abuses                  3     4     3       0      10
Settings                       0     0     0       9       9
Netware                        2     3     1       0       6
Port scanners                  0     0     0       4       4
NIS                            1     0     1       0       2
Totals                      1293   352   345      70    2060
Source: See references
Security Tools
Tool                       Platforms                            Type
COPS/Tiger                 Linux, Solaris, Other Unix           Change/Intrusion Detection
Crack                      Windows, Linux, Solaris, Other Unix  Password cracking
ISS                        Windows NT, Linux, Solaris, HP-UX    Suite - Port scanner, network information
nmap                       Linux, Solaris, Other Unix           Port Scanner
tcpdump                    Linux, Solaris, Other Unix           Network Monitoring
sniffit                    Linux, Solaris, Other Unix           Network Monitoring
CyberCop Security Scanner  Windows NT, Linux                    Suite - Port Scanner, Password cracking, network information
Nessus                     Linux, Windows NT, Other Unix        Exploit tester
TripWire                   Unix                                 Change/Intrusion Detection
Audit components
• Preparation 10%
• Reviewing Policy/Docs 10%
• Talking/Interviewing 10%
• Technical Investigation 15%
• Reviewing Data 20%
• Writing Up 20%
• Report Presentation 5%
• Post Audit Actions 10%
Source: Tech Support Alert website (see references)
Audit Process
• Security audit team reports directly to CEO
or the Board of Directors
• Types of security audits:
– Firewall (every 6 months)
– Network (every year)
Auditors
• Usually third-party companies specializing
in security audits
• For an internal audit, people with the necessary
security access privileges
• Technical expertise is a must
References
• Security Audit
http://www.porcupine.org/auditing/
• Security Audit
http://www.securityfocus.com/infocus/1697
• How to perform security audit?
http://www.techsupportalert.com/search/t04123.pdf
• Site Security Handbook. RFC 2196
References
• packetstorm.security.com
– PacketStorm Security is a very good source of the latest
security issues.
• www.rootshell.com
– Rootshell is another source of security issue
information. This site hasn’t been updated in a while -
however, the information provided is useful.
• www.l0pht.com
– L0pht is a “Black Hat” group that performs testing of
commonly used tools for security issues. L0pht also
produces a number of useful tools for testing system
security.
References
• www.securityfocus.com
– Bugtraq is a mailing list for the discussion and
announcement of computer security vulnerabilities.
Details of how to subscribe, and the archive of the mailing
list, can be found at the above website.
• www.ntbugtraq.com
– NTBugtraq is the Windows platform version of the
Bugtraq mailing list
• www.ciac.org/ciac
– CIAC (Computer Incident Advisory Capability)
provides tools and advisory information.
References
• www.cs.purdue.edu/coast/coast.html
– COAST (Computer Operations, Audit and
Security Technology) is a research project into
computer security at the Computer Sciences
Department at Purdue University. COAST also
boasts a large catalog of security and audit-related
applications in their ftp archive.
• Security audit
http://www.insecure.org/nmap