Break 1321 How to Perform A Security Audit

advertisement
Break 1321
How to Perform A Security Audit
on Your Network
James Oryszczyn
President, TBJ Consulting
LLC
Who Am I
• I am President of TBJ Consulting LLC
• I have been working on Network Security
• for over 15 years
My Credential’s
•
Had a CISSP (Just expired)
•
SANS GIAC Certified in Windows and Auditing
•
Certified on Fortinet Firewall’s, Palo Alto Firewall’s and
Check Point Firewall’s
•
Numerous additional certifications
Agenda
•
•
Discuss What Auditing is?
Discuss Auditing Network devices?
•
Do you Feel your network is secure?
•
Discuss Auditing Firewall’s?
•
Discuss Auditing Windows Servers?
•
Discuss Auditing Active Directory?
•
Discuss Auditing Wireless Networks?
•
Questions?
Questions
•
What are you Concerns ?
•
Who has performed a Security Audit before?
•
Do you Feel your network is secure?
What is Auditing????
•
It is reviewing a configuration against some sort of
policy or documented standard
•
An example is auditing against HIPPA or the PCI
standard, they have set rules and guidelines
•
You can also have this setup with security polices if you
have them. If you don’t have them what are you
auditing against ??????
What is Auditing Cont…????
•
You either need to write the security standard or audit
against an Industry best practice or a guideline…
•
•
How do you find those guidelines?????
The NSA has some great guides on how to secure
network devices and they make a great tool to audit
against. You can find them located here
http://www.nsa.gov/ia/mitigation_guidance/security_config
uration_guides/index.shtml
• Remember, you do not have to do everything in these
guides, but they make a good start.
Auditing Report
•
After your Audit, are you going to write a report of your
finding? If so, who is it going to?
•
You should at least keep some documentation on what
you found and what you changed so you can start
establishing standards for future deployments and also
create a guide for the next time you audit, if you do not
have written policies.
Auditing Networking Devices
Review Switch/Router/Access Point Configurations
Make Sure Passwords are not in clear text
If you have Cisco Devices, this is a great tool
RAT or router Audit tool Located here
http://benchmarks.cisecurity.org/downloads/showsingle/?file=rat.unix.253
Auditing Networking Devices
Cont…
If using JUNOS, follow this guide located here
What is RAT????
RAT is router audit tool. It reviews the Cisco Switch or router
configuration and will make suggestions on how to better
secure it.
In the past, Cisco has some very insecure items enabled by
default. This has gotten much better, but items still need to be
disabled at times
What are you looking for in Routers/
Switches????
• Passwords in clear text. Some devices have this by default
and it is a very bad practice
• Review for protocols such as telnet and http. If found, they
should be replaced with ssh and https if possible.
• VLAN 1 should not be in use if possible and should be
disabled.
• Review the code level to make sure it does not contain any
bugs…
• Should integrate with a Directory Services
What are you looking for in Routers/
Switches Cont????
• NSA has a great guide for Cisco Routers and it can be found
here.
http://www.nsa.gov/ia/mitigation_guidance/security_confi
guration_guides/cisco_router_guides.shtml
• You can also find security guidelines on your
Switch/Router’s vendor’s website.
Auditing Firewall’s
• First and Foremost, do you have some change control
process for firewall changes? If so, review the requests
• If you are a small shop, establish a folder on the network or
a ticket in your help desk system where you track such
changes.
• Also establish some sort of change control policy for
Firewall changes
Auditing Firewall’s Cont…
Below is a short list of what to look for
• Are all of the rules in the firewall commented?
• Do you have redundant or duplicate rules
• Do you have rules that are no longer used?
• Do you have services that are no longer used?
• Do you have rules with any any ???
• Do you have admins who should no longer have access to
the firewall still in the firewall?
Auditing Firewall’s Final Thoughts
• You are looking to make sure that all commented and make
sense
• You want to eliminate rules that are not needed.
• Any Any Rules should not exist
• Dead/unneeded rules should be removed
• Make sure old admins are removed
• Review to make sure you are using secure access to the
firewall.
• This is a great article that discusses what to audit.
http://www.securitymattersmag.com/securitymatters-magazine-article-detail.php?id=765
Auditing Windows Servers
You are again auditing against a standard or best practice. Do
you have standard or best practice?
If not you then need to find one to audit against. I will give you
some general guidelines
Auditing Windows Servers, Cont…
• The first item is to document your servers so you can
review
http://sydiproject.com/home/ is a great tool to do this. You
can review the documentation as a first step.
• The next item is to review the admin username and
password on both the domain and the local servers.
(Should rename local admin user and domain admin user
• You can also use this tool to audit Passwords. They should
not be dog or something like that. Should be changed every
90 days.
• http://ophcrack.sourceforge.net/
Auditing Windows Servers, Cont…
• Patches are also important, Review to make sure you have
the most current patches
• The baseline Security analyzer works well for this, it can be
found here. http://www.microsoft.com/enus/download/details.aspx?id=7558
• Anti Virus is another item that needs to be audited. It
should be up to date and should also be centrally managed.
Finally, I like to audit settings to ensure the proper AV
exclusions are configured. (Find the list here
http://support.microsoft.com/kb/822158)
Auditing Windows Servers, Cont…
• Patches are also important, Review to make sure you have
the most current patches
• Also, audit workstations to ensure that administrative
rights are restricted.
• Audit The Domain admin group, it should have a limited
number of users
• Audit services, The administrator should not be running
services. Scripts exist to audit this.
• This is a good guide to use to Audit Windows 2008 R2
servers.
http://social.technet.microsoft.com/wiki/contents/articles/
1142.windows-server-2008-r2-security-guidance.aspx
Audit Windows File Servers
• Should review how shares are setup. Everyone Should be
removed and authenticated users allowed only.
• NTFS permissions should be reviewed to ensure that the
correct access is assigned. A tool should as dump sec will
help with this audit. http://www.systemtools.com/cgibin/download.pl?DumpAcl
• File shares should be on a separate drive from the
operating system.
• Everyone group should not be used.
• If possible enable Access based Enumeration (You will only
see what you have rights to see.
Audit Windows Active Directory
• This is a good guide, I will highlight a few items to review
• http://technet.microsoft.com/enus/library/cc773365(v=ws.10).aspx
• Domain Controller and Domain Security polices should be
reviewed. Things such as SMB signing, anonymous access,
share enumeration should be reviewed and modified.
• Should also audit password polices, group , etc
• Should look for user accounts that have not been used and
delete
• The guide above is a good read and will provide a good
guideline
Audit Windows Workstations
• Do not need to audit every workstation, only need to audit
one or two.
• Should check and make sure Anti-Virus is updated and
configured
• Should make sure that administrative rights is limited.
• Check for windows update and what the schedule is
• Audit for software, make sure what is installed is suppose
to be installed
Auditing MAC OS X
• Should make sure that software update check is set for
daily
• Make sure automatic login is set to off
• Make sure that you are securing the home folders
permissions with this command sudo chmod go-rx
/Users/username
• Check for a firmware password Apple provides detailed
instructions for Leopard (which apply
to Snow Leopard) here: http://support.apple.com/kb/ht1352
• Disable Bonjour!
• This is a good guide for some quick items to audit.
• http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_h
ardeningtips.pdf
Auditing Wireless Networks
• SSID’s should not be broadcast unless they are public
• WPA2 security should be used on SSID’s, NO WEP
• Public SSID’s should be placed onto a separate VLAN
• Firmware should be reviewed and verified that it is current
.
• If possible, use Radius for internal wireless authication
• Wireless Access Point location should be audited to ensure
they can not be tamper proof.
Auditing Wireless Networks
• Can use a tool such as Kismet
http://www.kismetwireless.net/ to verify SSIDS
• If you want to see how easy your WIFI is to crack, use this
http://www.aircrack-ng.org/
• Wireless Management traffic should be on a dedicated
VLAN
• Insecure protocols such as https and telnet should be
disabled.
• Administration of the wireless network be complete via the
wired network
Auditing Resources
• Here are some good books on Amazon
• http://www.amazon.com/Network-Security-AuditingNetworkingTechnology/dp/1587053527/ref=sr_1_1?ie=UTF8&qid
=1361884868&sr=81&keywords=network+security+audit
• This is another good resource
http://www.amazon.com/Hands-On-Ethical-HackingNetworkDefense/dp/1133935613/ref=sr_1_39?ie=UTF8&qid=1
361885041&sr=839&keywords=network+security+audit
Auditing Resources
• NIST has a guide on Security Self Assessment They are 80053 and 800-53A that can provide a good foundation to start
an audit.
• SANS has some great resources for IT audits and they can
be found here http://itaudit.sans.org/community/checklists and here
http://www.sans.org/score/checklists.php
• Here are some good books on Amazon
• http://www.amazon.com/Network-Security-AuditingNetworkingTechnology/dp/1587053527/ref=sr_1_1?ie=UTF8&qid
=1361884868&sr=8-
Auditing Final Thoughts
• You should be auditing to some sort of standard, if you do
not have a policy or standard, find a best practice to audit
against.
• Pick the low hanging fruit first (Ant-Virus, Passwords and
Patches) as they are the easy to audit, can cause major
issues and are easy to fix.
• Audit your firewall at least once a year to make sure you
are removing old rules and keeping the firewall relevant.
• With new technologies such as IPADs, make sure you are
following a security best practice to ensure they are
secured
• Look for Accounts that are old and need to be removed
• SANS www.sans.org has some great resources.
Survey!!!!!!
If you provide me your Business Card I will provide you an assessment to help with
where to start with an audit
Newsletter and Tech Tips
I write a Monthly Newsletter and send out weekly security tech tips. If you would
like to get unto my list, please provide me with a business card.
Questions?????
Thank You…………
You can contact me at
James@tbjconsulting.com
262-363-9070
Download