Security Audit
Security Audit
• Controls
• Security logs
• Risk assessment
Steps in Audit
• Start with the policies and procedures already in place
• Initially the policy is treated as the threat, and the audit
  focuses on how people and systems address that threat
• Interview employees and administrators
• Evaluate the technical aspects of security
• Review all data logs
What to look for in an audit?
• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices to control
  who has access to shared data?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with accepted
  industry security practices?
• Have all unnecessary applications and computer services been eliminated for
  each system?
• Are these operating systems and commercial applications patched to current
  levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever
  rehearsed the disaster recovery plan?
What to look for in an audit? (continued)
• Are there adequate cryptographic tools in place to govern
  data encryption, and have these tools been properly
  configured?
• Have custom-built applications been written with security
  in mind?
• How have these custom applications been tested for
  security flaws?
• How are configuration and code changes documented at
  every level? How are these records reviewed, and who
  conducts the review?
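As an added example that is not part of the original slides, the following Python script performs the log review the checklist asks about ("Are there audit logs to record who accesses data? Are the audit logs reviewed?"): it scans sshd/sudo syslog lines for logins that follow repeated failures from the same source, direct root password logins, and privileged commands touching sensitive files. The sample log lines, the failure threshold and the sensitive-file list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd/sudo syslog lines; not taken from any real system.
SAMPLE_LOG = """\
Mar  3 09:12:01 host1 sshd[2100]: Failed password for root from 203.0.113.5 port 5521 ssh2
Mar  3 09:12:04 host1 sshd[2100]: Failed password for root from 203.0.113.5 port 5522 ssh2
Mar  3 09:12:07 host1 sshd[2100]: Failed password for root from 203.0.113.5 port 5523 ssh2
Mar  3 09:12:15 host1 sshd[2101]: Accepted password for root from 203.0.113.5 port 5525 ssh2
Mar  3 09:30:42 host1 sshd[2140]: Accepted publickey for alice from 192.0.2.10 port 40010 ssh2
Mar  3 09:31:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:02:13 host1 sshd[2200]: Failed password for bob from 192.0.2.11 port 40100 ssh2
Mar  3 10:02:20 host1 sshd[2201]: Accepted password for bob from 192.0.2.11 port 40101 ssh2
"""

# Patterns for the three record types reviewed (OpenSSH and sudo default formats).
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)$")
SENSITIVE = ("/etc/shadow", "/etc/passwd", "/etc/sudoers")  # assumed watch list

def review_auth_log(text, fail_threshold=3):
    """Return (findings, failures): findings as (severity, message), failures per source."""
    failures = Counter()  # failed logins seen so far, keyed by source address
    findings = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            if failures[src] >= fail_threshold:  # success right after a burst of failures
                findings.append(("high", f"login as {user} from {src} after {failures[src]} failures"))
            if user == "root" and method == "password":  # interactive root login by password
                findings.append(("high", f"direct root password login from {src}"))
            continue
        m = SUDO.search(line)
        if m and any(path in m.group(3) for path in SENSITIVE):  # who touched sensitive data
            findings.append(("medium", f"{m.group(1)} ran as {m.group(2)}: {m.group(3)}"))
    return findings, dict(failures)

if __name__ == "__main__":
    for severity, message in review_auth_log(SAMPLE_LOG)[0]:
        print(f"[{severity}] {message}")
```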
Why do a security audit?
• Assess compliance with policy
• Assess risk
• Assess the level of security
• Evaluate security incident response
Items to check in an audit

Category                    High   Med   Low   Other   Total
CGI abuses                   434   132    97       8     671
Windows                      148    40    32       5     225
Denial of Service            122    43    16       2     183
Gain root remotely           142     1     0       2     145
General                       32    28    52      15     127
Misc.                         38    22    38       9     107
FTP                           64    14    11       1      90
Gain a shell remotely         62     9     5       0      76
Remote file access            51    10     2       1      64
SMTP problems                 42     6     7       3      58
Backdoors                     41     7     1       2      51
CISCO                         41     8     1       0      50
RPC                           16     2    26       2      46
Default Unix Accounts         34     0     0       0      34
Firewalls                     10     7    10       0      27
Windows User Mngmnt            4     5    11       4      24
Useless services               0     6    15       0      21
Peer-To-Peer File Sharing      1     3    11       3      18
SNMP                           5     2     5       0      12
Finger abuses                  3     4     3       0      10
Settings                       0     0     0       9       9
Netware                        2     3     1       0       6
Port scanners                  0     0     0       4       4
NIS                            1     0     1       0       2
Totals                      1293   352   345      70    2060

Source: See references
Security Tools

Tool                       Platforms                              Type
COPS/Tiger                 Linux, Solaris, Other Unix             Change/Intrusion Detection
Crack                      Windows, Linux, Solaris, Other Unix    Password cracking
ISS                        Windows NT, Linux, Solaris, HP-UX      Suite - Port scanner, network information
nmap                       Linux, Solaris, Other Unix             Port Scanner
tcpdump                    Linux, Solaris, Other Unix             Network Monitoring
sniffit                    Linux, Solaris, Other Unix             Network Monitoring
CyberCop Security Scanner  Windows NT, Linux                      Suite - Port Scanner, Password cracking, network information
Nessus                     Linux, Windows NT, Other Unix          Exploit tester
TripWire                   Unix                                   Change/Intrusion Detection
Audit components
• Preparation                 10%
• Reviewing Policy/Docs       10%
• Talking/Interviewing        10%
• Technical Investigation     15%
• Reviewing Data              20%
• Writing Up                  20%
• Report Presentation          5%
• Post Audit Actions          10%
Source: Tech Support Alert website (see references)
Audit Process
• The security audit team reports directly to the CEO
  or the Board of Directors
• Types of security audits:
  – Firewall (every 6 months)
  – Network (every year)
Auditors
• Usually third-party companies specializing
  in security audits
• For an internal audit, people with the necessary
  security access privileges
• Technical expertise is a must
References
• Security Audit
  http://www.porcupine.org/auditing/
• Security Audit
  http://www.securityfocus.com/infocus/1697
• How to perform a security audit?
  http://www.techsupportalert.com/search/t04123.pdf
• Site Security Handbook. RFC 2196
References (continued)
• packetstorm.security.com
  – PacketStorm Security is a very good source of the latest
    security issues.
• www.rootshell.com
  – Rootshell is another source of security issue
    information. This site hasn’t been updated in a while;
    however, the information provided is useful.
• www.l0pht.com
  – L0pht is a “Black Hat” group that tests
    commonly used tools for security issues. L0pht also
    produces a number of useful tools for testing system
    security.
References (continued)
• www.securityfocus.com
  – Bugtraq is a mailing list for the discussion and
    announcement of computer security vulnerabilities.
    Details of how to subscribe, and the archive of the mailing
    list, can be found at the above website.
• www.ntbugtraq.com
  – NTBugtraq is the Windows platform version of the
    Bugtraq mailing list.
• www.ciac.org/ciac
  – CIAC (Computer Incident Advisory Capability)
    provides tools and advisory information.
References (continued)
• www.cs.purdue.edu/coast/coast.html
  – COAST (Computer Operations, Audit and
    Security Technology) is a research project into
    computer security at the Computer Sciences
    Department at Purdue University. COAST also
    boasts a large catalog of security and audit-related
    applications in its ftp archive.
• Security audit
  http://www.insecure.org/nmap