IT Regulatory and Standards Compliance Handbook - Craig S. Wright

IT Regulatory and Standards Compliance Handbook (eBook)

How to Survive Information Systems Audit and Assessments
eBook Download: PDF
2008 | 1st edition
750 pages
Elsevier Science (publisher)
978-0-08-056017-5 (ISBN)
57.78 incl. VAT
(CHF 56.45)
The eBook is sold by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately
This book provides comprehensive methodology, enabling the staff charged with an IT security audit to create a sound framework, allowing them to meet the challenges of compliance in a way that aligns with both business and technical needs. This roadmap provides a way of interpreting complex, often confusing, compliance requirements within the larger scope of an organization's overall needs.


Key Features:

* The ultimate guide to making an effective security policy and controls that enable monitoring and testing against them
* The most comprehensive IT compliance template available, giving detailed information on testing all your IT security, policy and governance requirements
* A guide to meeting the minimum standard, whether you are planning to meet ISO 27001, PCI-DSS, HIPAA, FISCAM, COBIT or any other IT compliance requirement
* Both technical staff responsible for securing and auditing information systems and auditors who desire to demonstrate their technical expertise will gain the knowledge, skills and abilities to apply basic risk analysis techniques and to conduct a technical audit of essential information systems from this book
* This technically based, practical guide to information systems audit and assessment will show how the process can be used to meet myriad compliance issues

Front Cover 1
The IT Regulatory and Standards Compliance Handbook 4
Copyright Page 5
Lead Author 6
Technical Editors 7
Contents 8
Chapter 1: Introduction to IT Compliance 44
Introduction 45
Does Security Belong within IT? 46
Management Support 46
Job Roles and Responsibilities 46
What Are Audits, Assessments, and Reviews? 48
Audit 48
Inspection and Reviews 49
Penetration Tests and Red Teaming 49
Ethical Attacks 50
Vulnerability Assessment 51
GAP Analysis 51
Black and White Box Testing 51
Tools-Based Scanning 52
Agreed Procedures Review 52
Acceptance Testing 52
Data Conversion 52
The Taxonomy 53
Vulnerability 54
Threat-Source 54
Threat 54
Risk 54
Risk Management 54
The Decision Test of the Process 54
Controls 56
Definition of Internal Control 56
Key Concepts 56
Key Controls 57
Operational Controls 57
General Controls 57
Application Controls 58
IT Governance 58
Other Terms 59
Objectivity 59
Ethics 59
Ethics, “The 10 Commandments of Computer Ethics” 60
Planning 60
Examining and Evaluating Information 61
A Preliminary Survey 61
The Program—Criteria for Defining Procedures 61
The Program 62
Introduction and Background 62
Purpose and Scope of the Report 62
Objectives of the Project 63
Definition of Terms 63
Procedures 63
ISACA 63
CISA 63
COBIT 64
GSNA (SANS/GIAC) 64
IIA (The Institute of Internal Auditors) 64
CIA 64
FISCAM 64
Summary 66
Chapter 2: Evolution of Information Systems 68
Introduction 69
Terminology Used in This Book 70
The Primary Objective of Auditing 70
The Threat Scene 70
Threats 71
Attack Levels 72
Critical 72
High 72
Medium 72
Low 72
Suspicious 73
Modifiers 73
A High Volume of Attacks 73
Skilled and/or Unexpected Attacks 73
Definition Matrix 73
Threat Matrix 75
Targeted Attacks 75
“Hacktivism” 76
Cyber Terrorism 76
Common Criminals 76
Insider Attacks 77
Miscellaneous Attackers 77
Methods of Attack 77
Information Collection 78
Unobtrusive Public Research 78
Social Engineering 79
Scanning 79
System Break-Ins 79
Follow-up and Continuing Attacks 80
Attack Chaining 80
Vandalism 80
Denial-of-Service (DoS) Attacks 80
Single-Message DoS Attacks 81
Flooding Denial-of-Service (DDoS) Attacks or Distributed DoS Attacks 81
Smurf Attacks 81
Land Attacks 81
Flooding Attacks 81
Hostile Code 82
What Is Hostile Code? 82
Viruses 82
Bombs 82
Trojans 82
Worms 83
Policy > Procedure >
Summary 84
Chapter 3: The Information Systems Audit Program 86
Introduction 87
Audit Checklists 87
Baselines 88
Baselines and Automation 88
Assurance 89
Testing Your Organization’s Security 89
Objectivity 89
Standards and Ethics 89
Protection Testing, Internet Security Assessments, and Ethical Attacks 90
Protection Testing or Internet Assessments 90
Why People Do Protection Testing 91
Penetration Testing or Ethical Attacks Vs Protection Testing 91
Miscellaneous Tests 91
Server Operating System Security Analysis 91
Phone Line Scanning 92
Phone / War dialing Audit Project Tasks 92
Social Engineering 92
BCP/DR Testing: Disaster Readiness Assessment 93
What Is Covered in a BCP/DR Review? 94
What Does BCP Cover? 95
Developing an Audit Manual 95
Preliminary Survey 95
Criteria for Defining Procedures 95
The Program 96
When to Prepare the Program 96
The Final Report 96
Report Standards 97
The Cover Page 97
Table of Contents 97
Summary of Changes 97
Introduction 97
Executive Summary 97
The Body of the Report 98
Summary of Recommendations 98
Appendices 98
Security Management Model 98
Summary 101
Chapter 4: Planning 102
Introduction 103
Performance of Audit Work 103
Planning the Audit 103
The Importance of Planning 104
Examining and Evaluating Information 104
Communicating Results 104
Security Review Methodology 105
Information Asset Identification 105
Information Sensitivity and Criticality Assessment 105
Access Policy Review 106
Security Supporting Functions Review 106
Security Enforcing Functions Review 107
Final Report 108
Scope 108
Audit Planning 110
Summary 115
Chapter 5: Information Gathering 116
Obtaining Information and Issuing Requests 117
Objectivity 117
Security Reviews of IT Systems 117
Security Review Steps 117
Information Asset Identification 117
Information Sensitivity and Criticality Assessment 118
Access Policy Review 118
Security Supporting Functions Review 118
A Review of an Organization’s Security Enforcement Functions 118
Policy Compliance Reviews 119
Third-Party and Government Reviews 119
System Audit Considerations 119
Internal and External Standards 119
Internal Standards 120
External Standards 120
How to Characterize Your Organization 120
Steps in Characterization 121
Administrative Steps 121
Technical Steps 122
Stages of Characterization 122
What Happens if Documentation Is Incomplete or Unavailable? 122
Profile Matrix 123
Risk Factoring 124
Ease of Resolution: The Ease of Removing a Vulnerability 126
Trivial 126
Simple 126
Moderate 126
Difficult 126
What Information Is Required? 127
Information Asset Inventory 127
General Support Systems 127
Critical/Major Applications 127
Risk Assessment 128
Uptime Requirements 128
System Design Documentation 128
System Logical/Infrastructure Diagram 128
Concept of Operations Brief 128
List of Mandatory Requirements (if Any) 129
Risk-Based Requirements 129
List of Critical Configurations 129
Detailed Configuration Documentation 129
Detailed Network Diagrams 130
Policy Documents 130
System Security Policy and Administrative Security 130
Personnel Security 131
Physical Security 131
Communications and Key Management Security 131
Equipment Maintenance and Disposal 131
System Output Disposal 131
Normal and Privileged Access to Systems 131
Media Security 131
Configuration and Change Control 132
User Responsibilities and Awareness 132
Service Provider Responsibilities 132
Access Policy 132
Procedures Documents 132
Operational Support Procedures 132
Change Implementation Procedures 133
Intrusion Detection Procedures 133
System Integrity Testing Procedures 133
System Backup Procedures 133
Plans 134
Contingency Plans 134
Incident Detection and Response Policy 135
Category 1: Attempts to Gain Technical Information on the System 135
Category 2: Unsuccessful Attempts to Subvert the System 135
Category 3: Successful Attempts to Subvert the System 135
Category 4: Major Successful Attempts to Subvert the System 136
Policy Considerations 136
General Background Information 136
Identify LAN products used 137
Review Administrative Documentation 138
Identify level of vendor support 138
Gather information on vendor access to the network for diagnostic purposes 138
Review duties and responsibilities of administrators for proper network security 138
Network Maintenance 139
Review system documentation 139
Understand Network Operations 140
Internal Controls Review 140
Review Audit Trails 141
Review Remote Communications Controls 142
All That Information 142
Side Issues with Gathering Passwords 143
User Name Harvesting 143
More on Planning 144
Research 145
Planning Scope 145
Audit Strategy 145
Scope Also Covers Time 146
Audits Are Projects 146
Password Management 146
Pass Phrases 148
Password Cracking and Guessing 148
Password Guessing 149
Password Cracking 150
Access Control Techniques and Types 150
Discretionary Access Control 152
Mandatory Access Control 152
Lattice-Based Access Control 152
Role-Based Access Control 153
Rule-Based Authorization Checking 153
Bell LaPadula 153
Biba and Clark Wilson 154
Terms and Definitions 155
Summary 157
Notes 157
Chapter 6: Security Policy Overview 158
Introduction 159
The Role of Policy and Procedures in Information Systems Defense 159
SMART 159
Specific 160
Measurable 161
Achievable 161
Realistic 161
Time-Based 161
The Policy Life Cycle Process 162
What’s What? 163
Mission, Vision, and Values Statements 164
The Mission Statement 164
The Vision Statements 165
A Statement of Values 165
Framework 165
Policy 165
Policy Levels 166
High Level Policy 166
Issue-Specific and System-Specific Policy 166
Standard 166
Guideline 167
Process or Procedure 167
Interpreting Policy as an Auditor 168
Simple Steps to Assess the Security Posture 169
System Audit Considerations 169
Security Documentation Evaluation 170
Various Levels of Policy and their Functions 170
The Framework for Issue- and System-Specific Policy 172
Purpose 172
Background 172
Overview or Executive Summary 172
Related documents 173
Cancellation 173
Scope 173
Policy Statement 173
Action 173
Responsibility 173
Compliance or Enforcement 173
Identifying Preventive, Detective and Corrective Controls 174
Preventive Controls 174
Detective Controls 174
Corrective Controls 174
Developing a Security Policy 174
Begin by Talking About the Issue 175
The Use of the English Language in Policy Should Be Simple 175
Policy Should Be Evaluated on Clarity and Conciseness 176
Policy Areas to Be Considered 176
Identification and Authentication 176
Access Control 176
Software Security 176
Physical Access Control 177
Monitoring and Review 177
Incident Management 177
Policy Frameworks 177
An ISO 17799 Summary 177
3. Information Security Policy 177
4. Security organization 178
Information Security Infrastructure 178
Security of Third-Party Access 178
5. Assets Classification and Control 178
Accountability for Assets 178
Information Classification 178
6. Personnel security 178
Security in Job Definition and Resourcing 178
User Training 178
Responding to Incidents 179
7. Physical and Environmental Security 179
Secure Areas 179
Equipment Security 179
8. Communications and Operations Management 179
Operational Procedures and Responsibilities 179
System Planning and Acceptance 179
Protection from Malicious Software 179
Housekeeping 180
Network Management 180
Media Handling and Security 180
Data and Software Exchange 180
9. System Access Control 180
Business Requirement for System Access 180
User Access Management 180
User Responsibilities 180
Network Access Control 180
Computer Access Control 180
Application Access Control 181
Monitoring System Access and Use 181
10. Systems Development and Maintenance 181
Security Requirements 181
Security in Applications 181
Security of Operational Files 181
Security in Development and Support Environments 181
11. Business Continuity Planning 181
Aspects of Business Continuity Planning 182
12. Compliance 182
Compliance with Legal Requirements 182
The SANS Security Policy Project 182
Need an Example Policy or Template? 182
SANS SCORE 182
Example Policy: SANS InfoSec Acceptable Use Policy 183
1.0 Overview 183
2.0 Purpose 184
3.0 Scope 184
4.0 Policy 184
4.1. General Use and Ownership 184
4.2. Security and Proprietary Information 185
4.3. Unacceptable Use 185
System and Network Activities 185
E-mail and Communications Activities 187
4.4. Blogging 187
5.0 Enforcement 187
6.0 Definitions 188
7.0 Revision History 188
More Information 188
Summary 190
Chapter 7: Policy Issues and Fundamentals 192
Introduction 193
The Auditor’s Role in Relation to Policy Creation and Compliance 193
SMART 193
Specific 193
Measurable 194
Attainable 194
Realistic 194
Timely 194
Policy Responsibilities 195
Employees 195
Management 196
Policy Creation 196
Policy Conformance 197
Incident Handling 197
SCORE 198
Security Incident Forms 198
Intellectual Property Incident Handling Forms 198
Standards and Compliance 198
Compliance with Legal Requirements 199
Policy Compliance 199
Third-Party and Government Reviews 199
System Audit Considerations 200
Internal and External Standards 200
Internal Standards 200
External Standards 200
Human Resource (HR) Issues 200
Draft a Policy 201
Summary 202
Chapter 8: Assessing Security Awareness and Knowledge of Policy 204
Introduction 205
Security Awareness and Training 205
Awareness Programs Need to Be Implemented 207
1 Scope, Goals, and Objectives 208
2 Resources 208
The ISMS Committees 209
3 Target Audiences 209
4 Motivation 209
5 Development and Implementation of the Program 210
6 Regular Maintenance 211
7 Periodic Evaluations 211
Awareness 212
Training 212
Education and Professional Development 212
Objectives of an Awareness Program 213
What Is Information Security Awareness Training? 213
Training Description and Scope 213
Method 214
Modify the Awareness Program if Required 214
Time Scales 214
Security Awareness Resource Requirements 214
Detailed Trainer Guide for Conducting the Workshops 214
Introduction 214
Definition of Workshop 214
The Workshop Outline 215
Guidelines for Use of Tools 215
Example Slide Content 216
Introduction: Slide 1 216
Background 216
What Are the Issues: Slide 2 217
What Are the Issues? 217
Dependence on Information Systems for Business Continuity 217
Information Processing Is No Longer Centralized 217
Greater Exposure to Accidents 217
There Is also the Human Element 217
Legal Requirements 218
What Is Information? Slide 3 218
What is Information Security - Slides 4–6 218
What Is Information Security 218
Threats: Slide 7 219
Threats: Slide 7–9 220
Internal Threats 220
Errors and Omissions 220
Disgruntled Employees 220
Threats: Slides 10–14 221
External Threats 221
Threats: Slide 15 221
Environmental/Natural 221
Threats: Slide 16 222
Natural 222
Motives: Slide 17 222
Motives 222
Personal Prestige 222
Targets: Slide 18–19 222
Information Security Documentation: Slide 20 223
Information Security Standards and Guidelines 223
Information Security Procedures 223
Frequently Asked Questions 224
Your Role in Information Security: Slides 21–30 225
Why You Should Be Concerned About Information Security 225
Why Do We Need Controls? 225
People Are Important Too 225
Password and USERID Controls 226
Password Selection Techniques 226
Remote Access 226
Secure Disposal of Information 226
Security Breaches 226
Responsibility 227
Notification 227
Investigation 227
Details to be Reported 227
Accidental Breaches 227
Secure Handling of Information 228
There Are Legal Reasons Why You Should Protect Organization Information 228
Operate A Clean Desk Policy 228
Use Caution When Handling Visitors 229
Software Use 229
Proprietary Software 229
“Borrowing” Software 229
If in Doubt Do Not Copy 230
Using the Organization’s Computers at Home 230
Bringing Your Own Home Computer To The Office 230
Reporting Problems 231
The 10 Commandments of IT Security: Slides 31–32 231
The Future of Security: Slide 33 231
Identification Techniques 231
Summary: Slide 34 232
Where to Get More Information: No Slide at Present 232
System Improvement Monitoring and Checks 232
System Maintenance 233
Testing Knowledge and Security Awareness 234
Sample Managerial Assessment Interview Questionnaire 235
Summary 237
Chapter 9: An Introduction to Network Audit 238
Introduction 239
What Is a Vulnerability Assessment? 239
The Importance of Vulnerability Assessments 239
A Survey of Vulnerability Assessment Tools 239
Nessus: The leading Open Source Vulnerability Assessment Tool 239
NMAP: The King of Network Port Scanners 239
THC-Amap: An Application Fingerprinting Scanner 240
Paketto Keiretsu: Extreme TCP/IP 240
ncops (newer cops) 240
NBTScan: Gathers NetBIOS Info from Windows Networks 240
LSOF: LiSt Open Files 240
Network Mapping 240
Premapping Tasks 241
What the Hackers Want to Know 244
Auditing Perimeter Defenses 244
Network Mapping from Outside Your Firewall 245
Network Mapping from Inside Your Firewall 245
Auditing Routers, Switches, and Other Network Infrastructure 245
The Methodology 246
Phase 1: Gain an Understanding of Your System 246
What a Cracker Does 246
Phase 2: System Design, Configuration and Support Vulnerability Assessment 247
Phase 3: Assessment Planning 248
Phase 4: The Attack 248
Phase 5: Report Preparation 249
Why This Approach Is Different 249
Protection Testing? 249
Penetration Testing or Ethical Attacks Vs Protection Testing 250
Miscellaneous Tests 250
Server Operating System Security Analysis 250
Phone Line Scanning 250
Phone/War dialing Audit Project tasks 251
Social Engineering 251
Network and Vulnerability Scanning 252
Nessus 252
Detached Scans 253
Installation 253
Using this feature to scan your network in background 253
Using the Nessus Client 254
Using this feature to test your network automatically every “X” hours 262
Using this feature to keep one’s KB up-to-date 263
Constant Scanning 265
Initial Setup 265
Before You Start nessusd, Ensure That Sendmail Is in Your $PATH! 265
Keeping your Plugins Up-to-Date 266
Differential Scanning 266
How to Use It 266
More Reading 267
Essential Net Tools (EST) 268
Cerberus Internet Scanner 269
Summary 270
Chapter 10: Auditing Cisco Routers and Switches 272
Introduction 273
Functions of a Router, Its Architectures, and Components 273
Modes of Operation 273
Configuration Files and States 274
How a Router Can Play a Role in Your Security Infrastructure 274
Router Technology: A TCP/IP Perspective 275
Understanding the Auditing Issues with Routers 275
Password Management 276
Service Password Encryption 276
Console Ports 276
Interactive Access 277
TTYs 277
Controlling VTYs and Ensuring VTY Availability 277
Warning Banners 278
Common Management Services 278
SNMP 279
HTTP 279
Logging 279
Sample Router Architectures in Corporate WANs 280
Router Audit Tool (RAT) and Nipper 285
RAT 286
How RAT Works 286
How to Install RAT 287
How to Run RAT 292
Command SYNTAX 298
RAT Configuration Options 298
Options for Downloading Device Configurations 299
Options Affecting Rule Selection and Reporting 299
Options for Selecting RAT Configuration files 300
Nipper 301
Getting Started 302
Using Nipper 302
Customizing the Parameter Settings in Nipper 305
Using the Command Line 305
Modifying the nipper.ini File 306
Other Options 308
Cisco Output Interpreter 308
Cisco Security and Device Manager 309
Security Access Controls Performed by a Router 309
Security of the Router Itself and Auditing for Router Integrity 310
Identifying Security Vulnerabilities 312
Router Audit Steps 312
Sample Commands 313
Cisco Router Check Lists 315
Summary 316
Chapter 11: Testing the Firewall 318
Introduction 319
OS Configuration 320
Firewall Configuration 320
Working with Firewall Builder 322
Building or Only Testing 323
Conflicting Rules 327
System Administration 328
Testing the Firewall Rulebase 328
Identifying Misconfigurations 329
Identifying Vulnerabilities 329
Packet Flow from All Networks 331
Scanning the Network 331
Using nmap 331
Using hping2 334
Change Control 335
Validated Firewalls 335
Manual Validation 337
Automated Rulebase Validation 337
Creating Your Checklist 337
CIS (Center for Internet Security) 338
SANS 339
NSA, NIST and DISA 339
Summary 340
Chapter 12: Auditing and Security with Wireless Technologies 342
Introduction 343
Bluetooth 343
WLAN and Wi-Fi 343
War Driving 344
Capturing Wireless Traffic 344
Analyzing 802.11 traffic 344
WLAN discovery 346
Investigating Rogue WLANs 346
Conducting Wireless Site Surveys 347
Using Maps to Document Wireless Signal Leakage 348
Interference in Wireless Networks 349
Sources of RF Interference 349
Avoiding RF Interference 349
Common Misconceptions with Wireless Security 350
Passive WLAN Traffic Sniffing – from TCPDump to Kismet 351
Techniques for Identifying and Locating Rogue APs 352
Wired-Side Analysis using AP Fingerprinting 352
AP Fingerprinting using Nessus 352
Wireless vs. Wired Side Scanning 353
Wired-Side Scanning 353
Wireless-Side Scanning 353
Automating Centralized Wired-side Scanning for Rogue APs 353
Triangulation Techniques for Locating Transmitters 353
Wireless “Hacker” Tools to Evaluate Your Network 354
NetStumbler 354
Ap4ff 354
PrismStumbler 354
WEPCrack 355
Airsnort 355
WifiScanner 355
Wellenreiter 355
WepLab 355
BTScanner 355
FakeAP 356
Kismet 356
Mognet 356
Designing and Deploying WLAN Intrusion Detection Services 356
Detection 356
Notification 357
Response 357
Pros and Cons 357
Wireless-Side Analysis - Wireless LAN IDS 357
Continuous Rogue Detection 358
Open-source and Commercial Tools for WLAN Monitoring 358
KISMET 359
Running Kismet 359
Cleaning Up 362
KISMET WLAN IDS support 362
Distributed Stationary Analysis with Lightweight Hardware (drone) 363
Expert 802.11 analysis 363
NetStumbler 363
The Backtrack Network Security Suite Linux Distribution 367
Summary 368
Chapter 13: Analyzing the Results 370
Introduction 371
Organizing the Mapping Results 371
Creating Network Maps 371
PBNJ 372
ScanPBNJ default scan options 372
OutputPBNJ 373
Understanding the Map 373
NDIFF 373
Identifying Vulnerabilities 374
Follow-on Activities 375
Using Nmap 375
Example nmap scans 376
Identify live hosts 376
Identify important ports 376
Full scan 376
Prioritizing Vulnerability Fixes 376
Network sniffing 377
NAC (Network Access Control) 377
ARPMON 378
Validating Fixes 378
Benefits of Periodic Network Mapping 378
Looking for Compromised Hosts 381
Configuration Auditing of Key Network Services (DNS, SMTP, etc.) 381
Mail Relays 383
DNS 385
Recursive 385
Zone Transfers 386
Split DNS 386
Split-Split DNS 386
Summary 389
Note 389
Chapter 14: An Introduction to Systems Auditing 390
Introduction 391
Automating the Audit Process 392
Running a Network Scanner at Scheduled Times 392
Run an Integrity Checker 392
There Are Few Limits 392
Progressive Construction of a Comprehensive Audit Program 393
Monitoring 393
Big Brother (www.bb4.org) 393
Host Hardening 393
Turning Off Unnecessary Services 393
Unnecessary Services 394
Turning Off Services in Windows 394
Turning Off Services in UNIX 394
Host-Based IDS 394
Configuring AutoScan 394
Installation 395
Configuring Swatch 395
Install and Configure “Bruce” 395
Process Change Detection System 395
Tripwire 395
Known Vulnerabilities and Exploits 396
Failures to Patch 396
Example Information Systems Security Patch Release Procedures 398
Purpose 398
Details 398
Physical, Electronic and Environmental Security 399
Secured Zones and Appropriate Levels of Security 399
Physical Security Barriers 400
Location of Critical Services 400
Electronic Intruder Detection Systems 400
Security of Organization Property Off-Premises 400
Secure Disposal 401
Computer and Network Management 401
Operational Procedures and Responsibilities 401
Documented Operating Procedures 401
Operations Log 401
Segregation of Duties 402
Segregation of Development and Production 402
Outsourcing Management 402
System Management Controls 403
Capacity Planning 403
System Acceptance 403
Configuration Management 403
IT Change Control 403
Security/Integrity Maintenance 404
Malware Protection 404
Housekeeping 405
Backup and Recovery 405
Operations Backup Logs 405
Fault Logging 406
Network Security Controls 406
Media Handling and Security 406
Management of Removable Media 406
Security of System Documentation 406
Banking and Payment Security 407
Security of Office Automation Systems 407
Logical Access Controls 407
Business Driven Access Restrictions 407
Staff Responsibilities 407
Education & Training
User Registration 408
Privilege Management 408
Default and System Passwords 408
Timeouts 409
Login Banners 409
Compliance 409
Legal and Contractual 409
Software Copyright 409
Safeguarding of the Organization Records 410
Privacy of Individuals’ Information 410
Training 410
Audit Logging and Reporting 410
Protection of Audit/Account Elements 411
Security Reports 411
IT Compliance with Security Policy 411
Misuse of IT Facilities 411
Reporting of Security Weaknesses and Incidents 411
Password-Cracking Tools 412
Summary 413
Chapter 15: Database Auditing 414
Introduction 415
Database Security 415
Principles for Developing a Database Audit Strategy 416
Check Triggers 416
System Triggers 416
Update, Delete, and Insert Triggers 416
Fine-Grained Audit 417
System Logs 417
Audit Database Access 417
Auditing Changes to the Database Structure 417
Audit Any Use of System Privileges 418
Audit Data Changes to Objects 418
Failed Log-on Attempts 418
Attempts to Access the Database with Nonexistent Users 418
Attempts to Access the Database at Unusual Hours 418
Check for Users Sharing Database Accounts 418
Multiple Access Attempts for Different Users from the Same Terminal 419
Views 419
Integrity Controls 419
Authorization Rules 420
User-Defined Procedures 421
Encryption 421
Client Service Security and Databases 421
Automated Database Audit Solutions 422
Data Access Auditing 424
SQL Injection 425
Tools 425
Specialized Audit software 425
CASE (Computer-Aided Software Engineering) Tools 426
Vulnerability Assessment Tools 430
Introduction to SQL 430
Union All Select 431
INSERT INTO 431
JOIN 431
UNION 431
Key Database terms 431
Database 431
Data Type 432
Field 432
Instance 432
Joins 432
Primary Key 432
Record 432
Stored Procedures 432
Table 432
View 432
Remote Testing 432
Local Security 434
Creating Your Checklist 434
CIS (The Center for Internet Security) 434
SANS 434
NSA, NIST and DISA 435
Considerations in SQL Auditing 435
Microsoft SQL checks 435
Summary 436
Chapter 16: Microsoft Windows Security and Audits 438
Introduction 439
Basic System Information 439
Windows System Information (WSI) 440
Somarsoft DumpSec 440
Somarsoft Hyena 443
Software and Licensing in Hyena 450
Belarc Advisor 450
Patch levels 452
Microsoft Baseline Security Analyzer (MBSA) 452
How to Scan for Patch Levels Using MBSA 455
How to Interpret the MBSA Scan Reports 456
For the Security Update Checks 456
For the administrative vulnerability checks 457
Qfecheck and Hotfix Reports 457
Downloading and Installing Qfecheck 458
Using Qfecheck 459
Network-Based Services 460
Using System Information 460
Using the MMC 461
Using the Command Line 462
TCPView 464
Using TCPView 465
Using Tcpvcon 466
Local Services 467
PsTools Suite 467
Using PsTools 468
Running PsTools in the local host 469
Running PsTools in a remote host 470
Installed Software 470
Using Add or Remove Programs 470
Software Asset Manager (SAM) 471
Security Configuration 471
Microsoft Management Console (MMC) 472
Customizing the Display of Snap-ins in the Console: New Windows 474
Using the Security Configuration and Analysis (SCA) 478
How to Run SCA 478
Creating and using template databases with SCA 479
Scanning System Security 481
Correcting System Security 484
Using Local Security Policy (LSP) 484
Using Center for Internet Security (CIS) Benchmarks 485
Group policy Management 485
GpResult 486
Parameters 486
How to use Active Directory 486
Using Group Policy 488
Using Resultant Set of Policy (RSoP) 492
Service Packs, Patches and Backups 495
Patch Installation 495
Hotfixes, Fixes, Patches, Updates and Work-Arounds 496
Patch Management Systems 496
Windows Software Update Services (WSUS) 496
SMS 497
Auditing and Automation 497
Log aggregation, management and analysis 497
DAD 497
Windows Log Files 499
Windows Scripting Tools 501
WMIC 502
Maintaining a Secure Enterprise 503
Scheduling Automated Tasks 503
Creating Your Checklist 503
CIS (The Center for Internet Security) 504
SANS 504
NSA, NIST and DISA 504
Considerations in Windows Auditing 504
Summary 506
Chapter 17: Auditing UNIX and Linux 508
Introduction 509
Patching and Software Installation 510
The Need for Patches 510
Obtaining and Installing System Patches 511
Validating the Patch Process 512
Failures to Patch 514
Example Information Systems Security Patch Release Procedures 515
Purpose 516
Details 516
Vendor Contacts/Patch Sources 516
Minimizing System Services 517
Guidance for Network Services 517
Unnecessary Services 518
Turning Off Services in UNIX 518
RPC and Portmapper 518
Controlling Services at Boot Time 519
inetd and xinetd 520
Authentication and Validation 520
Logging 523
Syslog and Other Standard Logs 523
System Accounting and Process Accounting 525
Connect Session Statistics 525
Disk Space Utilization 526
Printer Usage 527
Automatic Accounting Commands 527
System Accounting Commands that can be Run Automatically or Manually 528
Manually Executed Commands 528
File System Access Control 529
User-Level Access 531
Special Permissions That Are Set for a File or Directory on the Whole, Not by a Class 532
The set user ID, setuid, or SUID permission 532
The set group ID, setgid, or SGID permission 532
The sticky permission 532
UNIX Commands for File Permissions 532
Chmod 532
ls or the List command 532
“cat” or Concatenate 533
“man” the UNIX online Manual 533
Usernames, UIDS, the Superuser 533
Blocking Accounts, Expiration, etc. 533
Restricting Superuser Access 534
Disabling .rhosts 534
Additional Security Configuration 534
Network Access Control 535
Use tcpd to limit access to your machine 535
Use ssh instead of telnet, rlogin, rsh and rcp 536
Network Profiling 536
Netstat 536
Lsof 536
Ps 537
Top 538
Kernel Tuning for Security 538
Solaris Kernel Tools 538
Solaris Kernel Parameters 538
ARP 539
IP Parameters 539
TCP Parameters 540
Security for the cron System 541
Backups and Archives 542
tar, dump, and dd 542
tar 542
Compressing and uncompressing tar images 542
dump 543
dd 543
Tricks and Techniques 543
Auditing to Create a Secure Configuration 544
Local Area Security 544
WarLinux 544
Auditor/BackTrack 544
Elive 544
Arudius 544
Building Your Own Auditing Toolkit 545
About ldd 546
Using the Distribution 546
File Integrity Assessment 547
Hardware Integrity 547
Operating System Integrity 548
Data Integrity 548
Finer Points of Find 548
Logical Operations 550
Output Options 550
A Summary of the Find Command 551
Auditing to Maintain a Secure Configuration 552
Operating system version 552
File systems in use 552
Reading Logfiles 552
What Tools to Use 552
Password Assessment Tools 553
Creating your Check List 553
CIS (The Center for Internet Security) 553
SANS 553
NSA, NIST and DISA 554
Considerations in UNIX Auditing 555
Physical Security 555
Network Security 555
Account Security 556
File System Security 557
Security Testing 557
Notes 557
Chapter 18: Auditing Web-Based Applications 558
Introduction 559
Sample Code 559
An Introduction to HTML 561
An Introduction to HTTP 561
Limitations with the Web Browser 562
Hidden Form Elements 563
Authentication in HTTP 563
HTTP Basic Authentication 563
HTTP Digest Authentication 563
HTTP Forms-Based Authentication 565
HTTP Certificate Based Authentication 565
HTTP Entity Authentication (Cookies) 565
Get vs. Post 565
Cookies 566
Persistent Cookie (File Based and Stored on Hard Drive) 566
Session Cookie (Memory Based) 566
Cookie Flow 567
Cookie Headers 567
Cookies and the Law 568
Tracking Cookies 568
Cookies and the Auditor 568
What is a Web Bug? 568
Information-Gathering Attacks 569
User Sign-on Process 571
User Name Harvesting / Password Harvesting 571
Resource Exhaustion 571
User Sign-off Process 572
OS and Web Server Weaknesses 572
Presentation 573
Application 573
Persistent or Database 573
Too Few Layers 573
Buffer Overflows 574
Session Tracking and Management 575
Session Tokens 576
Cryptographic Algorithms for Session Tokens 576
Appropriate Key Space 576
Session Time-out 576
Regeneration of Session Tokens 576
Session Forging/Brute-Forcing Detection and/or Lockout 576
Session Re-Authentication 576
Session Token Transmission 577
Session Tokens on Logout 577
Page Tokens 577
Web Forms 577
Unexpected User Input 577
Input validation 578
Sanitization 578
Error checking 578
Web Browser Security 578
Open Web Application Security Project 578
OWASP 2007 Top 10 578
1 - Cross Site Scripting (XSS) 579
2 - Injection Flaws 579
3 - Malicious File Execution 579
4 - Insecure Direct Object Reference 579
5 - Cross Site Request Forgery (CSRF) 579
6 - Information Leakage and Improper Error Handling 579
7 - Broken Authentication and Session Management 579
8 - Insecure Cryptographic Storage 579
9 - Insecure Communications 579
10 - Failure to Restrict URL Access 580
Development Guides 580
Best Practice Resources 580
Web Vulnerability Database 581
WebScarab Web Auditing Tool 581
WebGoat Learning Tool 583
Fuzzing 583
SQL Injection 584
Cross-Site Scripting 584
Cookie Theft Javascript Examples 584
ASCII 584
HEX 585
Cookie Stealing Code Snippet 586
Nonpersistent Attack 586
Is a Web Server Vulnerable? 586
XSS Protection 586
XSS References 586
XSS (Cross Site Scripting) Cheat Sheet 587
DNS Rebinding Attacks 588
What is the Same-Origin Policy? 589
What Is DNS Pinning? 590
Anti-DNS Pinning (Re-Binding) 592
Anti Anti DNS Pinning 594
Anti Anti Anti DNS Pinning 594
The First Question Is Why? 595
Varieties of DNS Rebinding attacks 595
Traditional Rebinding 596
Spatial Rebinding 596
Case 1: Browser wants an internal IP external but it gets internal address 596
Case 2: Flash/Java wants an internal address but receives an external one 596
Ridiculous or Farfetched? 596
CNiping (Pronounced “Sniping”) 596
What Are Open Network Proxies? 597
Slirpie (Proxy) 597
JSON 597
Distributed Malware 598
Defending Against DNS Rebinding 598
p0wf (Passing Fingerprinting of Web Content Frameworks) 599
Splogging 599
RSS abuse 600
Defenses 600
Creating Your Checklist 601
CIS (The Center for Internet Security) 601
SANS 601
NSA, NIST and DISA 601
Considerations in Web Auditing 602
IIS Specific Information for the Checklist 602
Apache Specific Information for the Checklist 603
Scanning 603
Chapter 19: Other Systems 604
Introduction 605
Mainframes and Legacy Systems 605
What Is a Mainframe? 606
Legacy Systems 607
Reviewing Legacy and Mainframe Systems 608
FTP 610
LPAR (Logical Partition) 610
UML 611
Unified 611
Model 611
Language 612
UML and Processes 612
Further information about UML 613
Code Reviews and Testing Third-Party Software 614
Black box testing 614
White box testing 614
Testing in Combination 615
The Various Levels of Testing 615
Unit testing 615
Integration testing 616
Acceptance testing 616
Regression testing 616
Test Cycles 616
Requirements Analysis 616
Test Planning 616
Test Development 616
Test Execution 617
Test Reporting 617
Retesting the Defects 617
Encryption 617
Summary 619
Chapter 20: Risk Management, Security Compliance, and Audit Controls 620
Introduction 621
What is a Process? 621
Objectives 621
Controls 621
Policies 621
System 621
Risk Analysis 622
Implementing a Risk Mitigation Strategy 623
Plan Do Check Act (PDCA) 623
Plan 623
Do 623
Check 623
Act 623
Risk Management, Security Compliance and Audit Controls 623
Risk Analysis: Techniques and Methods 624
Overview of Risk Methods 624
General Risk Analysis 624
Risk Analysis Models 624
Quantitative 624
Placing a Value on Risk Management 625
Internal Value 625
External Value 625
Total Value 625
ALE – Annualized loss Expectancy 626
EF – Exposure Factor (or likelihood factor) 626
SLE – Single Loss Expectancy 626
ARO – Annualized Rate of Occurrence 626
Qualitative Risk 626
Threats 627
Vulnerabilities 628
FMECA Analysis 628
FMECA Summary 629
CCA - Cause Consequence Analysis 629
Two Tree Types 629
Attack Tree 630
Hardware Theft 630
Vandalize Hardware 631
Disrupt Network Traffic 632
Acquire Bogus User Credentials 634
Gain Root Access 634
Vector Analysis 636
Goal 1: Intercept a network connection for a particular user 636
Goal 2: Denial of service against a particular user or all users 637
Complexity 637
Risk Dynamics 637
Time-Based Analysis (TBA) 638
Monte Carlo Method 638
Some Existing Tools for Risk Analysis 639
Crystal Ball 639
Risk + 640
Cobra 640
OCTAVE 640
Creating an Information Systems Risk Program 640
Risk Assessment 641
The Assessment Process 642
Phase 1 - Preparation and Identification 643
Current Business Practices 643
The Future 643
Identification of Information Assets 643
Information Value 643
Threat Assessment 643
Phase 2 - Security Architecture Analysis 644
Required Security Architecture 644
Identification of Current Security Architecture 644
Phase 3 - Risk Assessment 644
Gap Analysis 644
Risk Assessment 644
Phase 4 - Recommendations 644
Known Deficiencies 644
Risk Management Plan 645
Assessment and Conclusion 645
Risk Management 645
Risk Management is an Issue for Management, not Technology 645
Constraints Analysis 646
Risk Summary 646
Counter Strategy and Counter Measures 647
Business Impact Analysis 648
Defense in Depth 649
Data Classification 649
Summary 650
Notes 650
Chapter 21: Information Systems Legislation 652
Introduction 653
Civil and Criminal Law 653
Legal Requirements 654
Contracts 655
Problems with Electronic Contracting 656
E-mail 657
The Postal Acceptance Rule 658
World Wide Web 659
Invitation to Treat, Offers and Acceptance 660
Electronic Signatures 662
Electronic Agency Issues 663
Acceptance in Unilateral Contracts 664
Other Issues in Contractual Formation that Impact Offer and Acceptance 664
Jurisdiction and Communication of Acceptance 664
Jurisdiction 664
Crime (Cybercrime) 665
Electronic Espionage 666
Employee Monitoring 667
Activity Monitor 667
Spy Tool: SpyBuddy 668
Data Protection 669
Hate Crimes, Defamation and the Things We Say 670
Contempt of Court 670
Inciting Racial Hatred 670
Defamation 671
Harassment 674
E-mail Crimes and Violations 674
Chain letter 674
Spamming 674
Mail Bombing 674
Mail Storm 675
Identity Fraud 675
Distributing a Virus or Other Malware 675
Defamation and Injurious Falsehood 676
Harassment and Cyber Stalking 677
Pornography and Obscenity 678
Child Pornography and Obscenity 679
Privacy 681
Searches and the Fourth Amendment 682
Warrants 683
Anton Piller (Civil Search) 683
Authorization 684
License 684
Intellectual Property 684
Copyright 685
Investigating Copyright Status 687
Trademark Infringement 688
Patents and Patent Infringement 689
Evidence Law 690
Interpol and Information Technology Crime 691
Remedy in Tort and Civil Suits 691
Cyber Negligence 692
Vicarious Liability 694
Civil Liability 694
Criminal Liability 696
Reporting an Incident 697
Document Retention 698
Introduction to Document Management Policy 698
Applications to Internal Audit 699
Minimum Document Retention Guidelines 700
U.S. Trends 701
Gramm-Leach-Bliley 701
The Health Insurance Portability Accountability Act 701
The Sarbanes-Oxley Act 701
Destruction of Adverse Documents 702
The Litigation Process of Discovery 702
Expectation of Privacy 702
Acceptable Use Policies 702
Due Care and Due Diligence 703
Electronic Discovery 703
Reviewing and Auditing Contracts 703
Issues with Electronic Contracting 704
Prevention Is the Key 704
Summary 705
Notes 705
Chapter 22: Operations Security 716
Introduction 717
The Concepts of Organizational OPSEC (Operation Security) 717
Administrative Management 719
Fraud 720
The Fraud Triangle 721
Control Categories 722
Deterrent (or Directive) Controls 722
Preventative Controls 722
Detective Controls 723
Corrective Controls 723
Recovery Controls 723
Application Controls 723
Transaction Controls 723
Input Controls 723
Processing Controls 724
Output Controls 724
Change Control 724
Test Controls 724
Operational Controls 724
Hardware Inventory and Configuration 724
Patch Management 724
Configuration Change Management (CCM) 725
Resource Protection 726
Individual Accountability 727
Group vs. Individual Accountability 727
Privileged Users 727
Nonrepudiation 727
Operational Controls 728
Hardware Controls 729
Hardware Maintenance 729
Maintenance Accounts 729
Diagnostic Port Control 729
Hardware Physical Control 729
Protection of Operational Files 730
Intrusion Detection 730
Incident Handling 731
Keep a Log Book 732
Inform the Appropriate People 732
Follow-up Analysis 732
Auditing to Determine What Went Wrong 733
Audit Trails 733
Evidence of Past Incidents 734
Monitoring and Logging 734
Clipping Level 735
Summary 736
Notes 736
Index 738

Publication date (per publisher) 25.7.2008
Language English
Subject area Computer Science Networks Security / Firewall
Mathematics / Computer Science Mathematics Algebra
Mathematics / Computer Science Mathematics Applied Mathematics
Mathematics / Computer Science Mathematics Financial / Business Mathematics
Technology
Business
ISBN-10 0-08-056017-2 / 0080560172
ISBN-13 978-0-08-056017-5 / 9780080560175
PDF (Adobe DRM)

Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorised to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suitable for technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only suitable to a limited extent for small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the free Adobe Digital Editions software. We advise against using the OverDrive Media Console; experience shows that problems with Adobe DRM occur frequently with it.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
