Initial Program Load Vulnerabilities

Part of the document CISSP: Certified Information Systems Security Professional Study Guide 2nd Edition, part 7 (PDF) (pages 50 - 62)

There is a period of time between the moments when a device is off and when it is fully booted and operational that the system is not fully protected by its security mechanisms. This time period is known as the initial program load (IPL) and it has numerous vulnerabilities. Without physical security, there are no countermeasures for IPL vulnerabilities. Anyone with physical access to a device can easily exploit its weaknesses during its bootup process. Some IPL vulnerabilities are accessing alternate boot menus, booting to a mobile operating system off of a CD or floppy, and accessing CMOS to alter configuration settings, such as enabling or disabling devices.

Unix Details

For the most part, the CISSP exam is product- and vendor-independent. However, there are a handful of issues specific to Unix that you should be aware of. If you have worked with Unix or even Linux, most of these items will be simple review. If you have never touched a Unix system, then read the following items carefully.

On Unix systems, passwords are stored in a password file. The password file is stored as a shadow file so that it does not appear by default in a directory listing. The shadow setting is similar to the hidden-file setting of Windows system files. Although this is an improvement, it is not a real security mechanism: everyone knows that the password file is set not to display in a directory listing by default, and a simple modification of the directory command's parameters reveals all hidden or shadowed files.

438 Chapter 14 Auditing and Monitoring

Summary

Maintaining operations security requires directed efforts in auditing and monitoring. These efforts give rise to detecting attacks and intrusions. This in turn guides the selection of countermeasures, encourages penetration testing, and helps to limit, restrict, and prevent inappropriate activities, crimes, and other threats.

Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.

Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used by a secure environment.

Audit trails are the records created by recording information about events and occurrences into a database or log file, and they can be used to, for example, reconstruct an event, extract information about an incident, and prove or disprove culpability. Audit trails provide a passive form of detective security control and serve as a deterrent in the same manner as CCTV or security guards do. In addition, they can be essential as evidence in the prosecution of criminals.

Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity, including file and resource access, logon patterns, e-mail, and the use of privileges.

The most privileged account on a Unix system is known as the root. Other powerful accounts with similar levels of access are known as superusers. It is important to restrict access to these types of user accounts to only those people who absolutely need that level of access to perform their work tasks. The root or superuser accounts on Unix are similar to the administrator account(s) on Windows systems. Whenever possible, root and superuser access should be restricted to the local console so that they cannot be used over a network connection.

The two utilities, setuid and setgid, should be closely monitored and their uses logged. These two tools are used to manipulate access to resources. Thus, if they are employed by a non-administrator, or when employed by an administrator in an unapproved fashion, it can indicate security policy violations.
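As an added illustration of the monitoring this paragraph calls for (this is not code from the study guide), the following Python script records which files carry the setuid or setgid bit, compares a later snapshot against that baseline, and reports newly privileged files. The two snapshots are constructed sample data; snapshot_tree() shows how a real one would be collected from a host.

```python
import os
import stat
from typing import Dict, Set, Tuple

# Constructed snapshots of path -> st_mode, standing in for an os.lstat() walk.
# 0o100000 is the regular-file type bit; 0o4000 is setuid, 0o2000 is setgid.
BASELINE_SNAPSHOT: Dict[str, int] = {
    "/usr/bin/passwd": 0o104755,  # setuid root: expected on most Unix hosts
    "/usr/bin/wall":   0o102755,  # setgid tty: expected
    "/usr/bin/vim":    0o100755,  # ordinary executable, no privilege bits
}
CURRENT_SNAPSHOT: Dict[str, int] = {
    "/usr/bin/passwd": 0o104755,
    "/usr/bin/wall":   0o102755,
    "/usr/bin/vim":    0o100755,
    "/tmp/backup.sh":  0o104755,  # new setuid file that is not in the baseline
}


def privileged_files(snapshot: Dict[str, int]) -> Set[str]:
    """Return the paths of regular files whose mode carries setuid or setgid."""
    return {
        path for path, mode in snapshot.items()
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)
    }


def snapshot_tree(root: str) -> Dict[str, int]:
    """Build a path -> st_mode snapshot by walking a real directory tree.

    lstat() is used so that symbolic links are recorded as links rather than
    followed; unreadable or vanished entries are skipped instead of aborting.
    """
    snap: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                snap[full] = os.lstat(full).st_mode
            except OSError:
                continue
    return snap


def compare(baseline: Dict[str, int],
            current: Dict[str, int]) -> Tuple[Set[str], Set[str]]:
    """Return (newly privileged files, files that lost their privilege bit)."""
    before = privileged_files(baseline)
    after = privileged_files(current)
    return after - before, before - after


if __name__ == "__main__":
    added, removed = compare(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
    for path in sorted(added):
        print(f"ALERT new setuid/setgid file: {path}")
    for path in sorted(removed):
        print(f"NOTE privilege bit removed: {path}")
```

On a live host, replace the constructed snapshots with snapshot_tree("/") taken at an approved point in time and again at review time.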

Another important command to monitor is the mount command, which is used to map a local drive letter to a shared network drive. This activity may seem like an efficient method to access network resources. However, it also makes malicious code and intruder attacks easier to implement. When the mount command is used when it is not authorized for use, it could indicate an intrusion or an attempt to create a security loophole.

Finally, Unix systems can be configured to boot into a fixed dedicated security mode where authentication is not required. When this is done, anyone accessing the system has complete access to everything at the security level at which the system is currently operating. You can easily determine if a system has been configured to perform this operation if there is a /etc/host.equiv file present.

Removing this file disables this feature.

4335.book Page 438 Wednesday, June 9, 2004 7:01 PM


Monitoring is a form of auditing that focuses more on the active review of the audited information or the audited asset. It is most often used in conjunction with performance, but it can be used in a security context as well. The actual tools and techniques used to perform monitoring vary greatly between environments and system platforms, but there are several common forms found in most environments: warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools.

Penetration testing is a vigorous attempt to break into your protected network using any means necessary, and it is a common method for testing the strength of your security measures.

Organizations often hire external consultants to perform the penetration testing so the testers are not privy to confidential elements of the security configuration, network design, and other internal secrets. Penetration testing methods can include war dialing, sniffing, eavesdropping, radiation monitoring, dumpster diving, and social engineering.

Inappropriate activities may take place on a computer or over the IT infrastructure, and may not be actual crimes, but they are often grounds for internal punishments or termination. Inappropriate activities include creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

An IT infrastructure can include numerous vulnerabilities against which there is no immediate or distinct threat and against such threats there are few countermeasures. These types of threats include errors, omissions, fraud, theft, collusion, sabotage, loss of physical and infrastructure support, crackers, espionage, and malicious code. There are, however, steps you can take to lessen the impact of most of these.

Exam Essentials

Understand auditing. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used by a secure environment.

Know the types or forms of auditing. Auditing encompasses a wide variety of different activities, including the recording of event/occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, log analysis, and response (some other names for these activities are logging, monitoring, examining alerts, analysis, and even intrusion detection). Be able to explain what each type of auditing activity involves.

Understand compliance checking. Compliance checking (or compliance testing) ensures that all of the necessary and required elements of a security solution are properly deployed and functioning as expected. Compliance checks can take many forms, such as vulnerability scans and penetration testing. They can also involve auditing and be performed using log analysis tools to determine if any vulnerabilities for which countermeasures have been deployed have been realized on the system.

Understand the need for frequent security audits. The frequency of an IT infrastructure security audit or security review is based on risk. You must determine whether sufficient risk exists to warrant the expense and interruption of a security audit on a more or less frequent basis. The frequency of audit reviews should be clearly defined and adhered to.


Understand that auditing is an aspect of due care. Security audits and effectiveness reviews are key elements in displaying due care. Senior management must enforce compliance with regular periodic security reviews or they will be held accountable and liable for any asset losses that occur as a result.

Understand audit trails. Audit trails are the records created by recording information about events and occurrences into a database or log file. They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability. Using audit trails is a passive form of detective security control, and audit trails are essential evidence in the prosecution of criminals.

Understand how accountability is maintained. Accountability is maintained for individual subjects through the use of audit trails. Activities of users and events caused by the actions of users while online can be recorded so users can be held accountable for their actions. This directly promotes good user behavior and compliance with the organization’s security policy.

Know the basic elements of an audit report. Audit reports should all address a few basic or central concepts: the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. They often include many other details specific to the environment, such as time, date, and specific systems. Audit reports can include a wide range of content that focuses on problems/events/conditions, standards/criteria/baselines, causes/reasons, impact/effect, or solutions/recommendations/safeguards.

Understand the need to control access to audit reports. Audit reports include sensitive information and should be assigned a classification label and handled appropriately. Only people with sufficient privilege should have access to them. An audit report should also be prepared in various versions according to the hierarchy of the organization, providing only the details relevant to the position of the staff members they are prepared for.

Understand sampling. Sampling, or data extraction, is the process of extracting elements of data from a large body of data in order to construct a meaningful representation or summary of the whole. There are two forms of sampling: statistical and nonstatistical. An auditing tool using precise mathematical functions to extract meaningful information from a large volume of data performs statistical sampling. Statistical sampling is used to measure the risk associated with the sampling process.

Understand record retention. Record retention is the act of retaining and maintaining important information. There should be an organizational policy that defines what information is maintained and for how long. The records in question are usually audit trails of user activity, including file and resource access, logon patterns, e-mail, and the use of privileges. Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely.

Understand monitoring and the uses of monitoring tools. Monitoring is a form of auditing that focuses more on the active review of the audited information or the audited asset. It’s most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment. Although the actual tools and techniques used to perform monitoring vary greatly between environments and system platforms, there are several common forms found in most environments: warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools. Be able to list the various monitoring tools and know when and how to use each tool.

Understand failure recognition and response. On systems that use manual review, failure recognition is the responsibility of the observer or auditor. In order to recognize a failure, one must understand what is normal and expected. When the monitored or audited events stray from this standard baseline, then a failure, breach, intrusion, error, or problem has occurred and a response must be initiated.
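The baseline idea above, worked through as an added Python example (not the study guide's own material): a set of constructed sshd-style auth log lines is used to learn what "normal" looks like (failure volume per window, known accounts, known source addresses), and a new window is then reviewed for anything that strays from that baseline. The log lines, hosts and addresses are all constructed sample data.

```python
import re
import statistics
from typing import Dict, Iterator, List, Tuple

# Matches sshd accept/fail lines and captures outcome, account and source address.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")

# Constructed hourly windows of auth lines representing normal activity.
BASELINE_WINDOWS: List[List[str]] = [
    ["Jun  9 08:01:10 host sshd[100]: Accepted password for alice from 10.0.0.5 port 40000 ssh2",
     "Jun  9 08:05:12 host sshd[101]: Failed password for bob from 10.0.0.6 port 40001 ssh2",
     "Jun  9 08:05:20 host sshd[102]: Accepted password for bob from 10.0.0.6 port 40002 ssh2"],
    ["Jun  9 09:00:00 host sshd[110]: Failed password for alice from 10.0.0.5 port 40010 ssh2",
     "Jun  9 09:00:10 host sshd[111]: Accepted password for alice from 10.0.0.5 port 40011 ssh2"],
    ["Jun  9 10:00:00 host sshd[120]: Accepted password for bob from 10.0.0.6 port 40020 ssh2"],
    ["Jun  9 11:00:00 host sshd[130]: Failed password for bob from 10.0.0.6 port 40030 ssh2",
     "Jun  9 11:00:30 host sshd[131]: Accepted password for bob from 10.0.0.6 port 40031 ssh2"],
]

# Constructed window to review: a burst of failures for an unknown account from a new address.
NEW_WINDOW: List[str] = [
    f"Jun  9 19:00:{s:02d} host sshd[{200 + s}]: Failed password for invalid user root "
    f"from 203.0.113.9 port {41000 + s} ssh2"
    for s in range(12)
] + ["Jun  9 19:01:00 host sshd[300]: Accepted password for alice from 10.0.0.5 port 42000 ssh2"]


def parse(lines: List[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (outcome, account, source) for every line that matches AUTH_RE."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def build_baseline(windows: List[List[str]]) -> Dict[str, object]:
    """Learn 'normal': a failure-volume limit plus the sets of known accounts and sources."""
    failures = [sum(1 for o, _, _ in parse(w) if o == "Failed") for w in windows]
    # mean + 3 population standard deviations is the threshold for 'strays from baseline'
    limit = statistics.mean(failures) + 3 * statistics.pstdev(failures)
    return {
        "fail_limit": limit,
        "users": {u for w in windows for _, u, _ in parse(w)},
        "sources": {s for w in windows for _, _, s in parse(w)},
    }


def review_window(lines: List[str], baseline: Dict[str, object]) -> List[str]:
    """Return findings for a window; an empty list means nothing requires a response."""
    events = list(parse(lines))
    findings: List[str] = []
    failed = sum(1 for o, _, _ in events if o == "Failed")
    if failed > baseline["fail_limit"]:
        findings.append(f"failure volume {failed} exceeds baseline limit {baseline['fail_limit']:.1f}")
    for user in sorted({u for _, u, _ in events} - baseline["users"]):
        findings.append(f"unknown account attempted: {user}")
    for src in sorted({s for _, _, s in events} - baseline["sources"]):
        findings.append(f"unknown source address: {src}")
    return findings


if __name__ == "__main__":
    for finding in review_window(NEW_WINDOW, build_baseline(BASELINE_WINDOWS)):
        print("RESPOND:", finding)
```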

Understand what penetration testing is and be able to explain the methods used. Organizations use penetration testing to evaluate the strength of their security infrastructure. Know that it involves launching intrusion attacks on your network and be able to explain the methods used: war dialing, sniffing and eavesdropping, radiation monitoring, dumpster diving, and social engineering.

Know what TEMPEST is. TEMPEST is a standard for the study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, phones, and so on. Its primary goal is to prevent EMI and RF radiation from leaving a strictly defined area so as to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing.

Know what dumpster diving and scavenging are. Dumpster diving and scavenging involve digging through the refuse, remains, or leftovers from an organization or operation in order to discover or infer confidential information. Countermeasures to dumpster diving and scavenging include secure disposal of all garbage. This usually means shredding all documentation and incinerating all shredded material and other waste. Other safeguards include maintaining physical access control and monitoring privilege activity use online.

Understand social engineering. A social engineering attack is an attempt by an attacker to convince an employee to perform an unauthorized activity to subvert the security of an organization. Often the goal of social engineering is to gain access to the IT infrastructure or the physical facility. The only way to protect against social engineering attacks is to thoroughly train users how to respond and interact with communications as well as with unknown personnel.

Know what inappropriate activities are. Inappropriate activities are actions that may take place on a computer or over the IT infrastructure and that may not be actual crimes but are often grounds for internal punishments or termination. Some types of inappropriate activities include creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

Know that errors and omissions can cause security problems. Errors and omissions are among the most common vulnerabilities and the hardest to protect against. Errors and omissions occur because humans interact with, program, control, and provide data for IT. There are no direct countermeasures to prevent all errors and omissions. Some safeguards against errors and omissions include input validators and user training. However, these mechanisms offer only a minimal reduction in overall errors and omissions encountered in an IT environment.


Understand fraud and theft. Fraud and theft are criminal activities that can be perpetrated over computers or made possible by computers. Most of the access controls deployed in a secured environment will reduce fraud and theft, but not every form of these crimes can be predicted and protected against. Both internal authorized users and external unauthorized intruders can exploit your IT infrastructure to perform various forms of fraud and theft. Maintaining an intensive auditing and monitoring program and prosecuting all criminal incidents will help reduce fraud and theft.

Know what collusion is. Collusion is an agreement among multiple people to perform an unauthorized or illegal action. It is hindered by separation of duties, restricted job responsibilities, audits, and job rotation, which all reduce the likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme due to the higher risk of detection.

Understand employee sabotage. Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled. Safeguards against employee sabotage are intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and properly compensating and recognizing employees for excellence and extra work.

Know how loss of physical and infrastructure support can cause security problems. The loss of physical and infrastructure support is caused by power outages, natural disasters, communication interruptions, severe weather, loss of any core utility or service, disruption of transportation, strikes, and national emergencies. It is nearly impossible to predict and protect against events of physical and infrastructure support loss. Disaster recovery and business continuity planning can provide restoration methods if the loss event is severe. In most cases, you must simply wait until the emergency or condition subsides and things return to normal.

Understand espionage. Espionage is the malicious act by an internal employee of gathering proprietary, secret, private, sensitive, or confidential information about an organization for the express purpose of disclosing and often selling that data to a competitor or other interested organization (such as a foreign government). Countermeasures against espionage are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track the activities of all employees.



Review Questions

1. What is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes?

A. Penetration testing
B. Auditing
C. Risk analysis
D. Entrapment

2. Which of the following is not considered a type of auditing activity?

A. Recording of event data
B. Data reduction
C. Log analysis
D. Deployment of countermeasures

3. Monitoring can be used to perform all but which of the following?

A. Detect availability of new software patches
B. Detect malicious actions by subjects
C. Detect attempted intrusions
D. Detect system failures

4. What provides data for re-creating step-by-step the history of an event, intrusion, or system failure?

A. Security policies
B. Log files
C. Audit reports
D. Business continuity planning

5. What is the frequency of an IT infrastructure security audit or security review based on?

A. Asset value
B. Management discretion
C. Risk
D. Level of realized threats

6. Failure to perform which of the following can result in the perception that due care is not being maintained?

A. Periodic security audits
B. Deployment of all available safeguards
C. Performance reviews
D. Creating audit reports for shareholders


7. Audit trails are considered to be what type of security control?

A. Administrative
B. Passive
C. Corrective
D. Physical

8. Which essential element of an audit report is not considered to be a basic concept of the audit?

A. Purpose of the audit
B. Recommendations of the auditor
C. Scope of the audit
D. Results of the audit

9. Why should access to audit reports be controlled and restricted?

A. They contain copies of confidential data stored on the network.

B. They contain information about the vulnerabilities of the system.

C. They are useful only to upper management.

D. They include the details about the configuration of security controls.

10. What are used to inform would-be intruders or those who attempt to violate security policy that their intended activities are restricted and that any further activities will be audited and monitored?

A. Security policies
B. Interoffice memos
C. Warning banners
D. Honey pots

11. Which of the following focuses more on the patterns and trends of data rather than the actual content?

A. Keystroke monitoring
B. Traffic analysis
C. Event logging
D. Security auditing

12. Which of the following activities is not considered a valid form of penetration testing?

A. Denial of service attacks
B. Port scanning
C. Distribution of malicious code
D. Packet sniffing
