The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions

David J. Goldman
Joseph Nocera

Overview

Background
Windows Security Vulnerabilities
Dealing with Security
The Role of the Audit
Maintaining a Secure Environment

Background

Why this conference exists
Windows Security Overview
Internal Security Management

Windows Security Vulnerabilities

Loss of Confidentiality, Integrity, Accessibility
Denial of Service
Enticement Information
Undesired Access
Inability to recover from breach
Inability to prosecute

Windows Security Vulnerabilities

Areas of Concern
  Unneeded Services
  Incorrect System Configuration
  Improper Access Control Lists
  Buffer Overflows
  Other Code Vulnerabilities
  Known vs. Unknown

Unneeded Services

Services
  Simple TCP/IP Services
  FTP, WWW, SMTP, NNTP
  Telnet
  Terminal Services, Other Remote Access (pcAnywhere, ControlIT, etc.)
  “R” Services (rsh, rcmd, rexec, etc.)
Devices
  Sniffers
  NFS
  Key Loggers

Incorrect System Configuration

Service Packs/Hotfixes
Group Membership
Registry Values
Shares
User Rights
User Settings

Improper Access Control Lists

Shares
Registry Keys
Directories
Other Securable Objects
  System Resources (Printers, Services, Tasks, etc.)
  Active Directory Objects (OUs, GPOs, etc.)

Buffer Overflows

Core Operating System Components
Internet Information Server (IIS)
SQL Server
Third-Party Applications

Other Code Vulnerabilities

Core Operating System Components
Third-Party Applications
Custom Developed Applications
Web Pages and Internet Applications

Dealing With Security

Overall Security Architecture
Risk Assessment
Data Classification
Audit the Environment
Security Design/Implementation Plan
Monitor and Control

The Role of the Audit

Determine Vulnerable Areas
Obtain Specific Security Information
Allow for Remediation
Check for Compliance
Ensure Ongoing Security

Security Audit Components

The “Fab Five”
  User
  Resource
  System
  Network
  Auditing, Logging, and Monitoring

User Security

Components
  User Account Properties
  Account Policy
  User Rights
  Groups

Configuration Issues
  Passwords – Complexity/Aging/Uniqueness
  Disabled/Locked Accounts
  Workstation Restrictions
  4 Logon Types
  Sensitive User Rights
  Privileged Group Membership
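The password and lockout items on this slide are what an auditor reads out of the domain or local account policy. The script below is an added example, not code from the presentation: it parses the text that `net accounts` prints and compares each setting with an assumed baseline. The two sample outputs and the baseline thresholds are constructed for the example; on a real host the output of `net accounts` is fed to parse_net_accounts instead.

```python
"""Audit account policy (password aging, length, history, lockout) from
`net accounts` output. Added example; samples and baseline are assumptions."""
import re

# Constructed sample of `net accounts` output from a weak workstation policy.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed sample of the same host after the policy was tightened.
HARDENED_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          60
Minimum password length:                              12
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed baseline: label -> (lower bound, upper bound); None means unbounded.
# Lockout threshold has a lower bound of 1 so that "Never" (lockout off) fails.
BASELINE = {
    "Minimum password length": (8, None),
    "Minimum password age (days)": (1, None),
    "Maximum password age (days)": (1, 90),
    "Length of password history maintained": (5, None),
    "Lockout threshold": (1, 5),
    "Lockout duration (minutes)": (15, None),
}


def _to_number(value):
    """'Never'/'None' mean the control is off (0); 'Unlimited' means no ceiling."""
    v = value.strip()
    if v in ("Never", "None"):
        return 0
    if v == "Unlimited":
        return float("inf")
    return int(v)


def parse_net_accounts(text):
    """Return {label: raw value} for every 'label:   value' line of the output."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(.+?)\s*$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def check_policy(policy, baseline=BASELINE):
    """Compare the parsed policy with the baseline.
    Returns a list of (label, raw value or None, (low, high), ok)."""
    findings = []
    for label, (low, high) in baseline.items():
        raw = policy.get(label)
        if raw is None:                      # setting absent: treat as a finding
            findings.append((label, None, (low, high), False))
            continue
        actual = _to_number(raw)
        ok = (low is None or actual >= low) and (high is None or actual <= high)
        findings.append((label, raw, (low, high), ok))
    return findings


def failing_settings(text, baseline=BASELINE):
    """Labels of the settings that do not meet the baseline, in baseline order."""
    return [f[0] for f in check_policy(parse_net_accounts(text), baseline) if not f[3]]


if __name__ == "__main__":
    for label, raw, bounds, ok in check_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(f"{'ok  ' if ok else 'FAIL'} {label}: {raw} (expected {bounds})")
```

Password complexity is not shown by `net accounts`, so a complete check of this slide's first item still needs the password filter or policy template to be reviewed separately.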

Resource Security

Components
  File Systems
  File, Folder, and Object Security
  Shares

Configuration Issues
  NTFS vs. FAT, EFS
  DACLs/SACLs – registry, files/folders, printers, services
  Shares – who needs read/change/full

Resource Security Cont.

Critical Resources
  %systemroot% (repair, config, LogFiles)
  %systemroot%\*.exe
  \Program Files
  Inetpub, Inetsrv, IIS data directories

System Security

Components
  Registry
  Services

Configuration Issues
  Access Paths – Winreg/AllowedPaths
  Registry Permissions – Run, RunOnce, AeDebug
  Registry Values – RestrictAnonymous, CrashDump/ClearPageFile, LMCompatibility
  Installed Services
  Service Context – System vs. User
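The registry values on this slide can be checked offline from a `reg export` of the relevant keys, which keeps the audit workstation's own tools off the production box. The script below is an added example, not code from the presentation: it parses the `.reg` file format (REG_DWORD, REG_SZ and the hex(7) encoding of REG_MULTI_SZ, including regedit's backslash line continuation) and evaluates the Winreg AllowedPaths, RestrictAnonymous, LMCompatibilityLevel, CrashDumpEnabled and ClearPageFileAtShutdown values against an assumed baseline. The sample export is constructed; the key paths are the standard locations of these values, and the thresholds are the example's assumptions. Permissions on Run, RunOnce and AeDebug are ACLs, which a `.reg` export does not carry, so they are outside this check.

```python
"""Evaluate the System Security slide's registry values from a .reg export.
Added example; the export text and the baseline are constructed assumptions."""
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
CRASH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl"
ALLOWED = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths"

# Constructed .reg export. The hex(7) data is UTF-16LE "Software\0System\Example\0\0",
# i.e. two remote-readable paths, one of which exposes a whole hive.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"LmCompatibilityLevel"=dword:00000001
"Authentication Packages"="msv1_0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths]
"Machine"=hex(7):53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,00,00,53,00,\
  79,00,73,00,74,00,65,00,6d,00,5c,00,45,00,78,00,61,00,6d,00,70,00,6c,00,\
  65,00,00,00,00,00
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: (type, value)}}."""
    joined = []
    for line in text.splitlines():            # rejoin regedit's "\"-continued lines
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line)
    tree, current = {}, None
    for line in joined:
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"(.+?)"=(.*)$', line)  # "Name"=data
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            tree[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex(7):"):       # REG_MULTI_SZ as UTF-16LE byte list
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            strings = raw.decode("utf-16-le").split("\x00")
            tree[current][name] = ("REG_MULTI_SZ", [s for s in strings if s])
        elif data.startswith('"') and data.endswith('"'):
            tree[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\"))
    return tree


# Assumed baseline: (key, value name, predicate on the value, expectation text).
CHECKS = [
    (LSA, "RestrictAnonymous", lambda v: v >= 1,
     "RestrictAnonymous >= 1 (restrict null-session enumeration)"),
    (LSA, "LmCompatibilityLevel", lambda v: v >= 2,
     "LmCompatibilityLevel >= 2 (client never sends an LM response)"),
    (MEMMGMT, "ClearPageFileAtShutdown", lambda v: v == 1,
     "ClearPageFileAtShutdown = 1 (pagefile wiped at shutdown)"),
    (CRASH, "CrashDumpEnabled", lambda v: v == 0,
     "CrashDumpEnabled = 0 (no memory dump written to disk)"),
    (ALLOWED, "Machine", lambda v: all("\\" in p for p in v),
     "each winreg AllowedPaths entry names a specific subkey, not a whole hive"),
]


def audit_registry(tree, checks=CHECKS):
    """Return [(value path, expectation, status)], status in ok / FAIL / MISSING."""
    results = []
    for key, name, ok, expectation in checks:
        entry = tree.get(key, {}).get(name)
        status = "MISSING" if entry is None else ("ok" if ok(entry[1]) else "FAIL")
        results.append((key + "\\" + name, expectation, status))
    return results


def failing_values(text, checks=CHECKS):
    """Value names whose status is not ok, in check order."""
    tree = parse_reg_export(text)
    return [path.rsplit("\\", 1)[1] for path, _, status in audit_registry(tree, checks)
            if status != "ok"]


if __name__ == "__main__":
    for path, expectation, status in audit_registry(parse_reg_export(SAMPLE_REG)):
        print(f"{status:7} {path}\n        expected: {expectation}")
```

A value that is absent from the export is reported as MISSING rather than passed, because Windows applies a default in that case and the auditor has to decide whether that default is acceptable for the host.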

Network Security

Components
  Domains and Trusts
  Protocols
  Internet Information Server (IIS)

Configuration Issues
  Relationships – appropriate access
  What is needed – TCP/IP, NetBIOS, NWLink
  IIS – WWW, FTP, SMTP, NNTP

Auditing, Logging, and Monitoring

Components
  Audit Policies
  Event Logs
  Network Alerts
  Performance Monitor

Configuration Issues
  System Events
  Files and Directories
  Registry
  Log Settings

Maintaining a Secure Environment

Methodology
Tools
Implementation Scripts

Security Methodologies

Assess
Design
Implement
Operate/Maintain

Tools

Assessment
  Security Configuration Manager
  DumpSec and DumpReg
  Custom scripts (Visual Basic Scripting)

Implementation
  Security Configuration Manager
  Resource Kit Utilities
  Custom Scripts (VB Script, Command Shell, other scripting languages)

Scripts and Examples

DEMO

Conclusion

Holistic Approach to Security
Detailed plan
Ongoing Process

David Goldman: 646-471-5682 [email protected]

Joseph Nocera: 312-298-2745 [email protected]