Establishing effective audit control objectives for UNIX

©2000 Deloitte & Touche LLP. Deloitte & Touche refers to Deloitte & Touche LLP and related entities.
San Francisco Chapter

Establishing Effective Audit Control Objectives for UNIX
Morning Session
Rick Allen, CISSP
Manager, Strategic Security Services
Ricallen@deloitte.com

Course Introduction

Overview
- This course provides a broad overview of Unix security audit technology, presented at an advanced, fast-paced level.

Audience
- Security Officers, Internal Auditors, and Systems Implementers in organizations that rely upon complex networked Unix systems environments.

Course Objectives

At the end of the course the student will:
1. Enhance understanding of Unix & network systems security & audit issues
2. Understand Unix default systems & network configurations
3. Identify key objectives and tasks in planning a Unix audit, including the basic shell commands used in the audit
4. Understand basic and intermediate Unix control objectives
5. Build Unix control objectives into a more effective audit plan
6. Develop a detailed control activities testing matrix for the Unix audit

Morning Course Agenda

Over the next three hours we will learn about:
1. Audit planning considerations in reviewing Unix and network systems environments
2. Approaching Unix systems architecture from a security and audit point of view
3. Understanding the associated security risks & impact of default Unix systems environments
4. Understanding the basis of Unix & TCP/IP control objectives

Context & Expectation Management
I.T. Audit Roles, Responsibilities & Member Perceptions

1. Unix professionals find limited value in traditional audit approaches.
2. Enhancing the level of technical credibility in the Unix audit program is key to success.
3. Elements of a successful integrated audit approach include enhanced client relations and communications.
- To become effective in leveraging the integrated audit approach, the auditor should gain insight into member perceptions.
4. Traditional audit approaches are best suited to auditing application-level control assurance in order to obtain overall control reliance strategies.
5. Integrated audit approaches are best suited to auditing critical infrastructure controls against industry and security best practices.
6. Delivering integrated audit approach plans establishes audit as a value-added consultant while protecting the independence of the governance and oversight roles.

Unix Audit Considerations

1. The hacker who breaks into a system will probably be someone known to the organization.
- "Inside jobs" & sabotage
- Planting time & logic bombs
- Changing root passwords on critical systems; recovery is problematic
- If you are hacked you probably do not care by whom or for what motivation
2. Trust no one, or be careful about whom you are required to trust.
- Large, simple webs of trust betray weaknesses in the network: compromising any one trusted host compromises every host that trusts it
3. Don't trust yourself, or verify everything you do.
- Stop, think & verify!
4. Make would-be intruders believe they will be caught.
- Information is the merchandise of the computer age
- The means to deter must be visible, such as login banners and messages. Technical and operational countermeasures, by contrast, must operate transparently, without getting in the way of legitimate use, for maximum effectiveness.
5. Protect in layers.
- The hacker's electronic playbook runs through the various system and network layers
- To provide security you must forward-deploy adequate protection controls
- Understand the defense-in-depth concept: single controls are not resilient, but as a group they provide multiple layers of defense
6. While planning your security strategy, presume the complete failure of any single security layer.
- A properly designed, layer-protected system, application or service should presume a complete or temporary failure of one layer of security
7. Make security a part of the initial design.
- It is always more difficult to retrofit than to design proactively
- Minimum security baseline configurations are a must-have
8. Disable unneeded services, packages and features.
- Unix systems as shipped at the time of this course come with all network services enabled and with default (permissive) file permissions
9. Before connecting, understand and secure.
- No matter how urgent, make the time to assess security prior to the production release of tools, applications and features
- Holistic security practices can enable the business case and mitigate risk while meeting time-to-market objectives
10. Prepare for the worst.
- Assume that hackers are already scheming to break into your site
- Preparation will diminish the security risk of intrusion and compromise
- Quantify risk in dollar-loss terms

Innovative thinking about security systems administration & integrating the audit approach
[...] and so on

Sample Systems Architecture
[Diagram of a sample Unix systems architecture; the elements shown are: Internet, Perimeter Router & Load Balancer, Unix Firewall, External Unix Clients, Interior Router, Unix Web Servers, Interior Network Switch, Internal Unix Clients]

Unix Systems Architecture
Simple vs Complex Architectures?
A hacker, when given a choice, would choose a complex system or cluster of systems in an architecture to attack, for the following reasons:
- Complex systems inherently...
[...]
- IP address and host/domain name information
- Identify potential targets in decreasing order of likelihood of penetration
- Default Unix systems can be "owned" in a matter of minutes

Understanding Unix System Defaults
First steps in building effective control objectives!
- Finishing a full Unix systems installation
  - Servers use the Entire Distribution
  - Power workstations use the Developer Distribution
  - Low-end work...
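Worked example for consideration 8 ("Disable unneeded services, packages and features") and the "Understanding Unix System Defaults" slide above. This is an added example and not part of the original Deloitte deck: a small POSIX shell audit that lists the services an inetd-style host actually has enabled, flags anything outside an approved baseline, and separately calls out the clear-text and trust-based services (telnet, rlogin, rsh, finger, tftp) that an auditor would expect to find disabled on a hardened host. The inetd.conf content is constructed for the example; the function names, the baseline list and the legacy-service list are the example's own choices, not anything the deck prescribes.

```shell
#!/bin/sh
# Added example (not from the Deloitte deck): enumerate the network services an
# inetd-style Unix host exposes and flag anything outside an approved baseline.
# On a real system point the functions at /etc/inetd.conf; the sample below is
# constructed for the example.

# Constructed sample of a default-looking /etc/inetd.conf. Commented-out lines
# are disabled services; every other line is live.
SAMPLE_INETD_CONF='# Internet server configuration database
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root   /usr/sbin/in.rlogind  in.rlogind
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp  wait    root   /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
ssh     stream  tcp  nowait  root   /usr/sbin/sshd        sshd -i
'

# Print the names of the services actually enabled in inetd.conf content
# (first field of every non-blank, non-comment line), one per line, sorted.
enabled_services() {
    printf '%s\n' "$1" | awk '/^[ \t]*#/ { next } /^[ \t]*$/ { next } { print $1 }' | sort -u
}

# Print enabled services that are NOT in the approved baseline (a
# space-separated list of service names). Returns 0 when clean, 1 when at
# least one unexpected service is enabled.
unexpected_services() {
    conf=$1
    baseline=$2
    rc=0
    for svc in $(enabled_services "$conf"); do
        case " $baseline " in
            *" $svc "*) ;;                                  # approved
            *) printf 'FINDING: unexpected service enabled: %s\n' "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Services that should not be enabled on a hardened host regardless of the
# baseline: clear-text logins and host-trust based r-services.
LEGACY_CLEARTEXT="telnet login shell exec finger tftp"

# Print only the enabled services that appear in the legacy list.
enabled_legacy_services() {
    enabled_services "$1" | while read -r svc; do
        case " $LEGACY_CLEARTEXT " in
            *" $svc "*) printf '%s\n' "$svc" ;;
        esac
    done
}
```

On a real host, run unexpected_services "$(cat /etc/inetd.conf)" "ssh ftp" and compare the result with what netstat -an (or ss -ltn on current Linux) reports as listening: a port that is listening but belongs to nothing in inetd.conf or the startup scripts is itself a finding. Current Linux distributions use xinetd or systemd socket units rather than inetd.conf, so the parser above applies to the classic format the deck describes.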
[...] 7:04 mail

Unix Core Architecture
Key concepts to keep in mind
- Virtually all information stored on a Unix system is stored in the file system.
- The file system consists of the operating system (kernel), system files, application programs and data.
- Device files such as memory, disks and peripherals are actually part of the file system.
- File system permission and access controls are provided for all...

Unix Core Architecture
The Basic File System

/ (root - system level)
|-- /unix
|-- /etc
|-- /dev
|-- /tmp
|-- /lib
|-- /usr
`-- /bin

- /unix is the kernel (the name used on AIX; other variants use names such as /vmunix or /kernel/genunix)
- /dev contains files for physical devices such as printers and disk drives
- /tmp holds temporary files
- /lib contains shared libraries and the support programs for high-level languages
- /usr, on the systems described here, contains a directory for each user on the system (on most current systems user home directories live under /home and /usr holds system programs and libraries)
- /bin contains commands and executable programs

Unix Core Architecture
Basic File System Navigation
[...] directory. The first column of ls -l output is read in 3 groups of 3: the first group specifies the permissions of the user (owner), the second those of the group, the third those of others.

Unix Core Architecture
Basic File System Navigation 4
[Tree diagram: / with /unix /etc /dev /tmp /lib /usr /bin; under /usr the user directories /john and /cathy, which hold entries such as profile, /mail and /pers...]

Unix Core Architecture
The Basic File System (cont.)
- /etc contains system administration files; most are readable by regular users. It also contains the passwd file. Other files in /etc include:
  /etc/passwd
  /etc/utmp
  /etc/adm/sulog
  /etc/motd
  /etc/group
  /etc/conf
  /etc/profile

Unix Core Architecture
[...] Korn Shell and Bourne Shell

Unix Core Architecture
The File System
- File systems in Unix divide into 3 categories:
  - Directories
  - Ordinary files
  - Special files
[Tree diagram: / with /unix /etc /dev /tmp /lib /usr /bin; under /usr the user directories /john and /cathy, holding profile, /mail, /pers, /games, /bin and /data]

Unix Core Architecture
The Basic...
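Worked example for the "first column is read in 3 groups of 3" point above. Added here and not from the original deck: a POSIX shell helper that turns an ls -l mode string into its octal value (including the setuid, setgid and sticky bits, which ls shows as s/S and t/T in the x position) and an audit loop that runs over a constructed ls -l listing and flags world-writable entries and setuid/setgid executables. The listing, the path names and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Deloitte deck): read ls -l permission strings the
# way an auditor does (three groups of three plus the special bits) and flag
# the risky entries in a listing. The listing below is constructed.

# Convert an ls -l mode string such as -rwsr-xr-x to four-digit octal (4755).
# Positions 2-4 are user, 5-7 group, 8-10 other; an "s" in the user or group x
# slot adds setuid (4) or setgid (2), a "t" in the other x slot adds sticky (1).
# Uppercase S/T mean the special bit is set but the underlying x bit is not.
mode_to_octal() {
    printf '%s' "$1" | awk '{
        m = substr($0, 2, 9)                   # drop the file-type character
        perm = 0; special = 0
        for (i = 1; i <= 9; i++) {
            c = substr(m, i, 1)
            bit = 0
            if (c == "r" || c == "w" || c == "x") bit = 1
            if (c == "s" || c == "S") { bit = (c == "s"); special += (i == 3) ? 4 : 2 }
            if (c == "t" || c == "T") { bit = (c == "t"); special += 1 }
            perm = perm * 2 + bit              # accumulate the 9 rwx bits
        }
        printf "%d%03o\n", special, perm
    }'
}

# Constructed sample of ls -l output (not a real system listing).
SAMPLE_LISTING='-rwsr-xr-x 1 root  root   35680 Jan 12 07:04 /usr/bin/passwd
-rwxr-xr-x 1 root  root   12288 Jan 12 07:04 /usr/bin/who
-rw-rw-rw- 1 root  root    1024 Jan 12 07:04 /etc/motd
-rwsrwxrwx 1 root  root    8192 Jan 12 07:04 /usr/local/bin/backup
drwxrwxrwt 2 root  root    4096 Jan 12 07:04 /tmp
-rw-r--r-- 1 john  users    512 Jan 12 07:04 /usr/john/profile'

# Walk an ls -l listing and print one FINDING line per risky entry:
# world-writable entries (a sticky world-writable directory like /tmp is
# exempt) and setuid/setgid executables, which must be on an approved list.
audit_listing() {
    printf '%s\n' "$1" | while read -r mode links owner group size mon day time name; do
        [ -n "$mode" ] || continue
        case "$mode" in total) continue ;; esac   # skip the "total N" header
        oct=$(mode_to_octal "$mode")
        other=$(printf '%s' "$mode" | cut -c 8-10)
        case "$other" in
            ?w[-x]) printf 'FINDING: world-writable (%s): %s\n' "$oct" "$name" ;;
        esac
        case "$mode" in
            ???[sS]*) printf 'FINDING: setuid (%s) owned by %s: %s\n' "$oct" "$owner" "$name" ;;
        esac
        case "$mode" in
            ??????[sS]*) printf 'FINDING: setgid (%s) owned by %s: %s\n' "$oct" "$owner" "$name" ;;
        esac
    done
}
```

On a real system feed it a real listing, for example audit_listing "$(ls -l /usr/bin /etc)", or go straight to find: find / -perm -4000 -type f for setuid files and find / -perm -002 ! -type l for world-writable entries. A setuid binary is only a finding when it is not on the host's approved list, which is why the owner and octal mode are printed alongside the path.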
[...] Attacks against complex systems are more likely to go unnoticed. Yet attacks are often directed at simple, unnoticed architectures to gain additional footholds.

Unix Core Architecture
Unix is made of three core elements
- Kernel
  - The kernel is the heart of the Unix operating system. Its role includes managing memory usage, system hardware and software.
  - Its low-level language is below the shell syntax, which maintains...

Unix Architecture Principles
What is an architecture?
- The collection of elements that work together to fulfill the intended objective. The Unix operating system is a vast array of elements, each providing a feature or function of the architecture.
- Examples:
  - A local area file-sharing system for a workgroup
  - A software development platform connected to an interactive service provider
  - An extranet deployed over public networks to connect...

Unix Core Architecture
Basic File System Navigation
[Tree diagram: / with /unix /etc /dev /tmp /lib /usr /bin; under /usr the user directories /john and /cathy, holding profile, /mail, /pers, /games, /bin and /data]
- To go back up one directory, type:
  $ cd ..
- To return to your home directory, just type "cd" with no argument.

Unix Core Architecture
Basic File System Navigation 2
/ (root - system level)
|-- /unix  /etc  /dev  /tmp ...
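Worked example for the /etc slide above, where /etc/passwd and /etc/group are named as audit evidence. Added here and not part of the original deck: a POSIX shell/awk check that reads passwd-format lines and reports the classic findings an auditor looks for in that file: a second UID 0 account, an empty password field, a password hash stored in the world-readable passwd file instead of a shadow file, and a UID shared by two accounts (which makes their actions indistinguishable in accounting and su logs). The passwd content, the account names and the hash-like string in it are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Deloitte deck): audit /etc/passwd content for the
# weaknesses that give an attacker root or an untraceable identity. The sample
# below is constructed; on a real host pass "$(cat /etc/passwd)" instead.

# Constructed sample /etc/passwd in the classic 7-field format:
#   name:password:uid:gid:gecos:home:shell
# "x" means the hash lives in the shadow file; an empty second field means the
# account has no password at all; the "oldsvc" hash is a made-up string.
SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
toor:x:0:0:backup root:/:/bin/sh
daemon:x:1:1:daemon:/:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
guest::500:100:guest account:/usr/guest:/bin/sh
john:x:501:100:John:/usr/john:/bin/ksh
cathy:x:501:100:Cathy:/usr/cathy:/bin/ksh
oldsvc:aZ1fGhjKl9mNo:600:100:legacy service:/usr/oldsvc:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false'

# Print one FINDING line per weakness:
#  - a line that is not 7 colon-separated fields (corrupt or tampered file)
#  - an account other than root with UID 0
#  - an empty password field (login without a password)
#  - a real hash in the world-readable passwd file (not "x", "*" or locked "!")
#  - a UID shared by two or more accounts
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        /^$/ { next }
        NF != 7 { printf "FINDING: malformed line %d: %s\n", NR, $0; next }
        $3 == 0 && $1 != "root" { printf "FINDING: extra UID 0 account: %s\n", $1 }
        $2 == "" { printf "FINDING: empty password field: %s\n", $1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            printf "FINDING: password hash in world-readable passwd (use shadow): %s\n", $1
        }
        { seen[$3] = seen[$3] (seen[$3] ? "," : "") $1 }   # accounts per UID
        END {
            for (uid in seen)
                if (index(seen[uid], ",") > 0)
                    printf "FINDING: UID %s shared by: %s\n", uid, seen[uid]
        }'
}
```

The same loop shape works for /etc/group (name:password:gid:members), where the items of interest are group passwords that are not "x" or "*" and unexpected members of privileged groups such as wheel or sys. Order of the "shared by" lines is whatever awk's array iteration produces, so compare findings by content rather than position.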

Posted: 24/10/2014, 10:52


Table of contents

  • PowerPoint Presentation

  • Course Introduction

  • Course Objectives

  • Morning Course Agenda

  • Context & Expectation Management

  • Slide 6

  • Unix Audit Considerations

  • Slide 8

  • Slide 9

  • Slide 10

  • Unix Architecture Principles

  • Unix Systems Architecture

  • Sample Systems Architecture

  • Slide 14

  • Unix Core Architecture

  • Slide 16

  • Slide 17

  • Slide 18

  • Slide 19

  • Slide 20
