Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights


Global Information Assurance Certification Paper. Copyright SANS Institute. Author Retains Full Rights. This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

How to check compliance with your security policy

Introduction:

In an age where security is becoming more important to many organisations, it is important for such organisations to document their security policy, just as they would document their marketing policy, client service policy or accounting policies. But the effort of just documenting policies is insufficient, since it is no use going through the effort and costs of developing a security policy and not implementing or updating it. By that same token, once it is implemented, it is no use not monitoring compliance with the policy.

Control Objectives for IT Governance (Cobit) refers: Appropriate procedures exist to ensure policies and procedures are being complied with.

Infoworld article "Policy over policing" indicates that security policies should be enforced via regular audits.

White paper on "Why Security Policies Fail" indicates that performing regular audits helps ensure the success of your security policy implementation.

The three sources cited above indicate that not monitoring is a recipe for failure of your security policy.

Who is responsible for checking compliance with a security policy

RFC2196: Regular compliance with the security policy should be performed by persons independent of defining or implementing the security policies.

As cited above, the persons responsible for monitoring compliance with the security policy should be independent of the persons implementing the policy. The concept of independence dictates that the person performing the work should be seen to be independent from any relationship to the item in question. This allows the monitoring to be unbiased. The business unit which best fits this profile is internal audit.

The internal audit department would also be unable to make any decisions based on the findings, and as such the report of findings should be forwarded to a management level that is capable of enforcing that the policy is complied with in all respects.

From a logistics and cost perspective, internal audit is constantly involved in performing audits at various branches or departments of larger organisations. To add an additional aspect of checking security policy compliance would seem logical and cost effective.

Thus it is crucial to add checking of security policy compliance to the internal audit scope.

How to design audit procedures based on a security policy

Compliance procedures ensure that the control is operating, e.g.

Control - The policy dictates that all mail must be scanned for executable attachments.
Operation of control - There must be a mail content scanner in use that searches for the above condition.

To check compliance with the above control the Internal Auditor would review the rules included in the content scanner to ensure that it makes provision for executable attachments.

The International Auditing Standards dictate that compliance procedures commonly used are as follows:

a. Inspection: Involves examining records, documents and tangible assets. E.g. Reviewing backup logs to ascertain if there were any unsuccessful backups.
b. Observation: Physically looking at a procedure being performed by other persons. E.g. Observing physical access control to the server room.
c. Computation: In the accounting environment this involves checking the mathematical accuracy of information. However, in the security policy compliance environment, the procedure involves using security tools like Omniguard, ISS System Scanner, Kane or Bindview to ascertain the security vulnerabilities in the operating system. These findings can be compared to the organisation's security policy on operating system configuration.
d. Analytical procedures: Involves analysing information to detect trends. Once a trend has been established the internal auditor would look for deviations from the trend. E.g. Analysing the Intrusion Detection System log with a data extraction and analysis tool like IDEA or ACL to ascertain a trend. Any item that does not comply with the trend indicates that there could have been an intrusion.

Example:

Security policy: NCSA security policy on backups: User and production systems are backed up frequently. Scratch and temporary areas are not backed up. Backup tapes are stored in alternate secure areas.

Compliance Procedure: Inspect the backup schedule to ascertain the frequency of the backups. Inspect the backup log to ascertain what was backed up. Ensure that the backup excluded scratch and temporary areas. Observe the area where backup tapes are stored to ensure that it is secure. Inspect the manual log to ascertain if the backup tapes are sent to secure areas to be stored. Confirm with the personnel at the alternate secure area that the backup tape from the department in question is stored with them.

How to assess the risk of non-compliance:

Once internal audit has performed the compliance procedures, an audit report on the findings has to be issued. However, the report has to provide meaningful information. In certain environments there may be numerous findings and it is not possible for management to implement all the security policies within one period. In these environments, the report has to list the risk of the findings. This allows management to prioritise and implement the policies addressing the areas of the highest risk.

The risk manifests itself in the threat or vulnerability that faces the organisation's IT infrastructure, e.g. an overfull audit log that results in a denial of service. The risk would be based on the amount of loss to be incurred by the organisation if the security policy item were not implemented. Loss can be categorized as follows:

1. Loss of valuable information e.g. Losing debtors balances may impede the ability to collect the outstanding debts.
2. Loss of assets or increase in liabilities e.g. A malicious hacker processing payments to himself via the electronic banking facilities of the organisation.
3. Loss of reputation e.g. Litigation against the client due to inaccurate advertising material being posted on their site. This would lead to a loss of reputation in the market place.
4. Loss of profit e.g. Design specifications being leaked to competitors. This would lead to a loss in market share which manifests itself in a loss in sales. Hence this affects profitability.

Real life example: My client is a mining foundry and they place a large value on the design of their articles. Thus they go to great lengths to secure the server which hosts the Computer Aided Design program. This server is also used to store design specifics. Only engineers are allowed access to this server and all designs are encrypted. If this server had to be compromised they would lose market share as their competitors would gain access to their designs and this would impede their ability to stay in business. They also have tons of metal which has a large monetary value, but they don't go to great lengths to protect information regarding the metal as this is not as important as the design specifications. The moral of the story is that an asset does not have to be of a large monetary value to be of significance to the organisation.

Miscellaneous Items

Besides checking compliance with the security policy, it is just as important to review the procedures surrounding the update and review process of the security policy. E.g. Ensuring that a site updates their backup policy to include new hosts. It is also important to follow up on previous findings to ensure that management has been proactive in implementing outstanding policies.

Sample Compliance Program

1. Backups

Security policy item: Ian Soapy should perform full backups weekly and incremental backups daily.
Compliance procedure: Review the scheduler to ascertain when full and incremental backups are scheduled. Compare the schedule to the security policy.
Checking compliance on NT: Review the AT/WINAT command. To display the scheduled tasks type in the following command:
    AT \\LOCAL > c:/schedule.txt
Where local is the name of the server and schedule.txt is the name of the output file. Review the output file to ensure the following appears:
    Every M fullback.bat
    Every T,W,Th,F incbak.bat
Review the ASCII file of the fullback.bat and incbak.bat files to ensure that they have been appropriately written for full and incremental backups respectively.
Checking compliance on Windows 2000: Review the GUI scheduler. Ensure that an entry exists for a full backup weekly and incremental backup daily. Path: Start/Settings/Control Panel/Task Scheduler/. Ensure that Backup is one of the scheduled tasks. Review the backup schedules by double clicking:
    - on the incremental backup scheduled task and ensure the following: Run = Incremental; Schedule = Daily
    - on the full backup scheduled task and ensure the following: Run = hc:off /m normal; Schedule = Weekly
Checking compliance on Linux/Unix: Review /etc/cron.daily and /etc/cron.weekly. Ensure that the dump command is set to run as follows: in the daily cron schedule, dump with levels 1-5; in the weekly cron schedule, dump with level 0.

Security policy item: Two copies of the backups must be made. DLT tapes are to be used for the backup operation.
Compliance procedure: Observe the backup process to ensure that two copies of the backups are made and that DLT tapes are used.

Security policy item: The tapes must be labelled as follows:
    Date:
    Type: Full/incremental
    Host backed up: Hostname
    Drive backed up: C/D/E
Compliance procedure: Observe the labelling on the tapes to ensure that it has been labelled appropriately.

Security policy item: One copy of the full and incremental backup should be sent off-site to the Security storage vendor. The other copy of the full and incremental backup must be stored in the fireproof safe.
Compliance procedure: Confirm with the security storage vendor whether a copy of the backup is sent offsite. Inspect the fireproof safe to ensure that one copy of the backup is stored in here.

Security policy item: A manual log of the backup should be maintained with the following information:
    Successful
    Unsuccessful
    Tapes overwritten by accident
    When and where tapes taken offsite
    Attempted and successful restores
    Bad tapes
Compliance procedure: Review the manual log of the backups to ensure that it is maintained with the appropriate information.

2. Password and Account Policy

Security policy item: Passwords must:
    Be a minimum length of 8 characters,
    Have a mixture of alpha, numeric and special characters,
    Be changed every 30 days,
    The last 5 passwords cannot be reused.
Account lockout is after 3 bad access attempts.
Compliance procedure: Review system settings to ensure that the password restrictions are implemented. Compliance with these settings can be identified by using a tool like Kane and Bindview (for NT and 2000 servers) or ESM Omniguard and ISS System Scanner (for NT, 2000 and Linux/Unix servers).
Checking compliance on NT: Review the account policy (path: Start/Programs/Administrative Tools/User manager for domains/options) on the NT domain controller to ensure the setting is as follows:
    Password length = 8 characters
    Password History = 5 previous passwords
    Account lockout = 3 bad attempts
    Lockout duration = Forever until administrator unlocks
    Maximum password age = 30 days
Checking compliance on Windows 2000: Review the password policy (path: Start/Run, type Gpedit.msc, OK; Computer Configuration/Windows settings/security settings/account policy/password policy). Ensure the following:
    Password history = 5 passwords remembered
    Maximum password age = 30 days
    Minimum password length = 8 characters
    Passwords must meet complexity requirements = enabled
    User must log on to change password = enabled
Review the account lockout policy (path: Start/Run, type Gpedit.msc, OK; Computer Configuration/Windows settings/security settings/account policy/lockout policy). Ensure the following:
    Account lockout duration = 30 minutes
    Account lockout threshold = 3 invalid logon attempts
    Reset account lockout counter after 30 minutes
Checking compliance on Linux/Unix: From root, run Linuxconf as follows:
    [root]# linuxconf
Review the password policies under User account/policies/Password and account policies. Ensure the following:
    - Minimum length for the password = 8 characters
    - Number of non-alpha characters = 2
    - Must change after # days = 30

Security policy item: Passwords must not be written on post-its and stuck to the monitor.
Compliance procedure: Walk through the office and observe if any users have post-its or other pieces of paper attached to the screen. Enquire from those users whether the post-its or other pieces of paper have the passwords.

Security policy item: Names should not be used as a password. Passwords should be developed using the first or last letter of each word in a phrase and to substitute certain alphabets with numbers e.g. To be or not to be: 2BON2B
Compliance procedure: Enquire from a sample of users their process of establishing passwords. Compare their responses to the security policy.

Sources:

1. NCSA Security Policies and Procedures, March 19, 1998, l
2. Request For Comments 2196, September 1997,
3. Enterprise Computing, Policy over policing, August 19, 1996, /cgi-bin/display
4. Control Data, Why Security Policies Fail, 1999,
5. Information Systems Audit and Control Association, Control Objectives for IT Governance, IT Governance Institute, July
6. Chamber, Andrew, et al. Auditing the IT environment: Assessing and measuring Risk and Control, Pitman Publications,
7. Linda Locher, et al. Microsoft Windows 2000 Security Technical Reference, Microsoft Press,
8. Red Hat, Red Hat 6.2 Manual,
9. Charles Perkins, et al. MCSE: NT Workstation Study Guide, Network Press
10. International Auditing Statements, Statement of Auditing Standards
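The Linux/Unix backup check from item 1 of the sample compliance program (daily cron schedule dumps at levels 1-5, weekly cron schedule dumps at level 0) can be scripted. The following is an added example, not part of the original paper; the script names and cron script contents are constructed, and it assumes the dump level is the first digit of the first argument (`dump -0u ...` or old-style `dump 0uf ...`).

```python
import re
import shlex
from pathlib import Path

# Policy item 1 of the sample compliance program: incremental dumps
# (levels 1-5) in the daily cron schedule, a level 0 dump in the weekly one.
ALLOWED_LEVELS = {"daily": set(range(1, 6)), "weekly": {0}}


def dump_levels(script_text):
    """Return one entry per dump invocation: its level, or None if unreadable."""
    levels = []
    for line in script_text.splitlines():
        try:
            words = shlex.split(line, comments=True)  # also drops "# ..." comments
        except ValueError:
            continue  # unbalanced quotes: leave the line for manual inspection
        for pos, word in enumerate(words):
            if word.rsplit("/", 1)[-1] != "dump":
                continue
            key = words[pos + 1] if pos + 1 < len(words) else ""
            match = re.match(r"-?(\d)", key)  # assumption: level leads the options
            levels.append(int(match.group(1)) if match else None)
    return levels


def audit_backup_schedule(cron_scripts):
    """cron_scripts maps "daily"/"weekly" to {script name: text}; returns findings."""
    findings = []
    for schedule, allowed in ALLOWED_LEVELS.items():
        seen = []
        for name, text in sorted(cron_scripts.get(schedule, {}).items()):
            for level in dump_levels(text):
                seen.append(level)
                if level is None:
                    findings.append((schedule, name, "dump level not readable, review manually"))
                elif level not in allowed:
                    findings.append((schedule, name, f"dump level {level} is outside policy"))
        if not any(level in allowed for level in seen):
            findings.append((schedule, "-", "no dump at a policy-compliant level is scheduled"))
    return findings


def read_cron_dir(path):
    """Load every script in a cron directory, e.g. /etc/cron.daily."""
    return {p.name: p.read_text(errors="replace") for p in Path(path).iterdir() if p.is_file()}


# Constructed sample: the daily job complies, the weekly job runs level 1.
SAMPLE = {
    "daily": {"backup-inc": "#!/bin/sh\n# nightly incremental\n/sbin/dump -3u -f /dev/st0 /home\n"},
    "weekly": {"backup-full": "#!/bin/sh\n/sbin/dump 1uf /dev/st0 /home  # should be level 0\n"},
}

if __name__ == "__main__":
    for schedule, script, issue in audit_backup_schedule(SAMPLE):
        print(f"{schedule:7} {script:12} {issue}")
```

On a live host the input would be `{"daily": read_cron_dir("/etc/cron.daily"), "weekly": read_cron_dir("/etc/cron.weekly")}`; the scripts themselves still need the inspection step to confirm what is backed up.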
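The password and account policy settings in item 2 of the sample compliance program can also be compared to the policy from captured command output instead of the GUI. This is an added example, not part of the original paper: it assumes the auditor has saved the output of the Windows `net accounts` command (a command the paper does not mention), and the sample output below is constructed.

```python
import math

# Policy item 2 of the sample compliance program, keyed by the labels
# that "net accounts" prints. "min" = at least, "max" = at most.
POLICY = {
    "Minimum password length": ("min", 8),
    "Length of password history maintained": ("min", 5),
    "Maximum password age (days)": ("max", 30),
    "Lockout threshold": ("max", 3),
}

# Words printed in place of a number, mapped to the value they imply.
WORDS = {"none": 0, "never": math.inf, "unlimited": math.inf}


def to_value(text):
    """Convert a printed setting to a number where possible."""
    text = text.strip()
    if text.lower() in WORDS:
        return WORDS[text.lower()]
    return int(text) if text.isdigit() else text


def parse_net_accounts(output):
    """Parse 'label:   value' lines into a dict; other lines are ignored."""
    settings = {}
    for line in output.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip():
            settings[label.strip()] = to_value(value)
    return settings


def check_policy(settings):
    """Return (setting, actual value, requirement) for every deviation."""
    findings = []
    for label, (kind, limit) in POLICY.items():
        actual = settings.get(label)
        if not isinstance(actual, (int, float)):
            findings.append((label, actual, "setting not found in output"))
        elif kind == "min" and actual < limit:
            findings.append((label, actual, f"must be at least {limit}"))
        elif kind == "max" and not 1 <= actual <= limit:
            # A value below 1 would mean the control is switched off.
            findings.append((label, actual, f"must be between 1 and {limit}"))
    return findings


# Constructed sample output: only the minimum length meets the policy.
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

if __name__ == "__main__":
    for label, actual, requirement in check_policy(parse_net_accounts(SAMPLE_OUTPUT)):
        print(f"{label}: found {actual}, {requirement}")
```

This output does not show the character-mixture (complexity) requirement, so that item still has to be reviewed in the policy editor as described in the compliance program.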


More information

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without

More information

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without

More information

Interested in learning more about cyber security training? SANS Windows Security Training. Copyright SANS Institute Author Retains Full Rights

Interested in learning more about cyber security training? SANS Windows Security Training. Copyright SANS Institute Author Retains Full Rights Interested in learning more about cyber security training? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written

More information

Information System Security Evaluation Team: Security Insurance?

Information System Security Evaluation Team: Security Insurance? Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Information

More information

Information Technology

Information Technology Information Technology Company Profile 2 About Training Solutions Enterprise Solutions Infocan Infocan was established in 1989 with the mission of providing quality, professional, effective and practical

More information

Interested in learning more about cyber security training? Hisecweb.inf - An Analysis. Copyright SANS Institute Author Retains Full Rights

Interested in learning more about cyber security training? Hisecweb.inf - An Analysis. Copyright SANS Institute Author Retains Full Rights Interested in learning more about cyber security training? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written

More information

Integrate HMAC Capable Token into User Authentication Mechanism and Public Key Infrastructure

Integrate HMAC Capable Token into User Authentication Mechanism and Public Key Infrastructure Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Integrate

More information

Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without

More information

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without

More information
