Security Audit - Wright State University

Uploaded by: 笛音 | Document ID: 47735256 | Upload date: 2018-07-04 | Format: PPT | Pages: 43 | Size: 50.50KB

Security Audit
Prabhaker Mateti

What is a security audit?
- Policy based
- Assessment of risk
- Examines site methodologies and practices
- Dynamic
- Communication

What kinds of Security Audits are there?
- Host
- Firewall
- Networks
- Large networks

Security Policies & Documentation
- What is a security policy?
- Components
- Who should write it?
- How long should it be?
- Dissemination
- It walks, it talks, it is alive.
- RFC 1244
- What if a written policy doesn't exist?
- Other documentation

Components of a Security Policy
- Who can use resources
- Proper use of the resources
- Granting access & use
- System Administrator privileges
- User rights & responsibilities
- What to do with sensitive information
- Desired security configurations of systems

RFC 1244 Site Security Handbook
- Defines security policies & procedures
- Policy violations
- Interpretation
- Publicizing
- Identifying problems
- Incident response
- Updating

Other Documentation
- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs

Why do a Security Audit?
- Information is power
- Expectations
- Measure policy compliance
- Assessing risk & security level
- Assessing potential damage
- Change management
- Security incident response

When to audit?
- Emergency!
- Before prime time
- Scheduled/maintenance

Audit Schedules
- Individual Host: 12-24 months
- Large Networks: 12-24 months
- Network: 12 months
- Firewall: 6 months

How to do a Security Audit
- Pre-audit: verify your tools and environment
- Audit/review security policy
- Gather audit information
- Generate an audit report
- Take actions based on the report's findings
- Safeguard data & report

Verify your tools and environment
- The golden rule of auditing
- Bootstrapping problem
- Audit tools
- The Audit platform

The Golden Rule of Auditing
- Verify ALL tools used for the audit are untampered with.
- If the results of the auditing tools cannot be trusted, the audit is useless.

The Bootstrapping Problem
- If the only way to verify that your auditing tools are ok is by using auditing tools, then...

Audit Tools - Trust?
- Write them yourself
- Find a trusted source (person, place)
- Verify them with a digital signature (MD5)

Audit Tools - the Hall of Fame
- SAINT/SATAN/ISS
- Nessus
- lsof /pff
- Nmap, tcpdump, ipsend
- MD5/DES/PGP
- COPS/Tiger
- Crack

The Audit Platform
- Should have extraordinary security
- Submit it to a firewall+ type of audit
- Physical access should be required to use
- No network services running

Choosing a security audit platform: Hardware
- laptop computer
- three kilograms or less
- graphics display
- MB memory
- MB disk
- ethernet (as many connectors as possible)

Choosing a security audit platform: Software
- Unix / Linux
- Secured OS
- OS source code
- Audit tools
- Development tools

Unix / Linux
- BSD: FreeBSD, SunOS/Solaris, OpenBSD ?
- Source code
- A good development platform
- Large body of available literature

Audit/review security policy
- Utilize existing or use standard policy
- Treat the policy as a potential threat
- Does it have all the basic components?
- Are the security configs comprehensive?
- Examine dissemination procedures

Security policy
- Treat the policy as a potential threat
- Bad policies are worse than none at all
- Good policies are very rare
- Look for clarity & completeness
- Poor grammar and spelling are not tolerated

Does it Have All the Basic Components?
- Who can use resources
- Proper use of the resources
- Granting access & use
- System Administrator privileges
- User rights & responsibilities
- What to do with sensitive information

Are the security configs comprehensive?
- Details are important!
- Addresses specific technical problems (COPS-like tests, network services run, etc.)
- Allowable trust must be clearly outlined
- Should specify specific tools (The TCP wrappers, S/Key, etc.) that are used
- Must have explicit time schedules of security audits and/or tools used
- Logfiles must be regularly examined!

Examine dissemination procedures
- Policies are worthless unless people read and understand them
- Ideally it is distributed and addressed when people join org
- Email is useful for updates, changes
- Written user acknowledgment necessary

Gather audit information
- Talk to/Interview people
- Review Documentation
- Technical Investigation

Talk to/Interview people
- Difficult to describe, easy to do
- Usually ignored
- Users, operators, sysadmins, janitors, managers
- Usage & patterns
- Have they seen/read the security policy?

Talk to/Interview people (cont.)
- What can/can't they do, in own words
- Could they get root/system privileges?
- What are systems used for?
- What are the critical systems?
- How do they view the security audit?

Review Documentation
- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs

Technic
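The golden rule above, verifying that every audit tool is untampered with before it is used, as an added example that is not part of the original slides: it checks a tool directory against a known-good manifest in `sha256sum` format, using SHA-256 rather than the MD5 the slide names. Assumptions: the manifest comes from a trusted source and sits on read-only media together with this script and its interpreter; the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <file name>'."""
    pairs = (l.split(None, 1) for l in text.splitlines() if l.strip())
    return {name.strip(): digest.lower() for digest, name in pairs}

def verify_tools(tool_dir, manifest_text):
    """Map each tool name to ok / MODIFIED / MISSING / UNLISTED."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        path = os.path.join(tool_dir, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
        elif sha256_file(path) == digest:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    for name in sorted(os.listdir(tool_dir)):
        if name not in expected:
            report[name] = "UNLISTED"  # present, but nobody vouched for it
    return report

def demo():
    """Constructed sample: stand-in files, not real tool binaries."""
    names = ("nmap", "lsof", "tcpdump")
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed stand-in for " + n.encode())
        manifest = "".join(f"{sha256_file(os.path.join(d, n))}  {n}\n" for n in names)
        manifest += "0" * 64 + "  nessus\n"        # listed, never installed
        with open(os.path.join(d, "lsof"), "ab") as f:
            f.write(b"\x00")                        # altered after the manifest
        open(os.path.join(d, "extra"), "wb").close()  # file not in the manifest
        return verify_tools(d, manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Any MISSING, MODIFIED or UNLISTED entry is a reason to stop and rebuild the toolset from trusted media before the audit proceeds.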
