James Oryszczyn, President, TBJ Consulting LLC

Break 1321: How to Perform a Security Audit on Your Network

Who Am I

• I am President of TBJ Consulting LLC

• I have been working on Network Security for over 15 years

My Credentials

• Had a CISSP (Just expired)

• SANS GIAC Certified in Windows and Auditing

• Certified on Fortinet Firewalls, Palo Alto Firewalls and Check Point Firewalls

• Numerous additional certifications

Agenda

• Discuss what auditing is

• Discuss auditing network devices

• Do you feel your network is secure?

• Discuss auditing firewalls

• Discuss auditing Windows servers

• Discuss auditing Active Directory

• Discuss auditing wireless networks

• Questions

Questions

• What are your concerns?

• Who has performed a Security Audit before?

• Do you Feel your network is secure?

What is Auditing?

• It is reviewing a configuration against some sort of policy or documented standard.

• An example is auditing against HIPAA or the PCI standard; they have set rules and guidelines.

• You can also set this up with your own security policies if you have them. If you don't have them, what are you auditing against?

What is Auditing, Cont…

• You either need to write the security standard or audit against an industry best practice or guideline.

• How do you find those guidelines? The NSA has some great guides on how to secure network devices, and they make a great tool to audit against. You can find them here:

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml

• Remember, you do not have to do everything in these guides, but they make a good start.

Auditing Report

• After your audit, are you going to write a report of your findings? If so, who is it going to?

• You should at least keep some documentation on what you found and what you changed. If you do not have written policies, this lets you start establishing standards for future deployments and also gives you a guide for the next time you audit.

Auditing Networking Devices

• Review switch/router/access point configurations

• Make sure passwords are not in clear text

• If you have Cisco devices, RAT (Router Audit Tool) is a great tool, located here: http://benchmarks.cisecurity.org/downloads/show-single/?file=rat.unix.253

Auditing Networking Devices Cont…

• If using JUNOS, follow this guide located here

What is RAT?

RAT is the Router Audit Tool. It reviews a Cisco switch or router configuration and makes suggestions on how to better secure it.

In the past, Cisco had some very insecure items enabled by default. This has gotten much better, but items still need to be disabled at times.

What are you looking for in Routers/Switches?

• Passwords in clear text. Some devices have this by default and it is a very bad practice.

• Review for protocols such as telnet and http. If found, they should be replaced with ssh and https if possible.

• VLAN 1 should not be in use if possible and should be disabled.

• Review the code level (software version) to make sure it does not contain known bugs.

• Device administration should integrate with a directory service.

What are you looking for in Routers/Switches, Cont…

• The NSA has a great guide for Cisco routers; it can be found here: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/cisco_router_guides.shtml

• You can also find security guidelines on your switch/router vendor's website.
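As an added example (not from the talk and not part of RAT), here is a small Python checker that runs the router/switch checklist above against a constructed Cisco IOS-style config: clear-text passwords, telnet and plain http management, VLAN 1 in use, and no AAA/directory integration. The config text and the `audit_ios_config` function are both assumptions made up for this illustration.

```python
import re

# Constructed sample running-config showing the weaknesses the slides describe.
SAMPLE_CONFIG = """\
hostname core-sw1
no service password-encryption
enable password cisco123
username admin password 0 letmein
ip http server
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 1
line vty 0 4
 transport input telnet
"""


def audit_ios_config(config: str) -> list[str]:
    """Return a list of findings for an IOS-style config text (hypothetical checker)."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings: list[str] = []
    # Without 'service password-encryption', line/user passwords are stored in clear text.
    if "no service password-encryption" in lines:
        findings.append("service password-encryption disabled: passwords stored in clear text")
    # No 'aaa new-model' means local accounts only, no directory (RADIUS/TACACS+) integration.
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: no directory service integration for logins")
    for line in lines:
        stripped = line.strip()
        # 'enable password' is reversible/clear text; 'enable secret' stores a hash.
        if stripped.startswith("enable password"):
            findings.append("enable password used instead of enable secret")
        # 'username X password [0] Y' stores a clear-text local password.
        if re.match(r"username \S+ password (0 )?\S+$", stripped):
            findings.append(f"clear-text password for local user {stripped.split()[1]}")
        if stripped == "ip http server":
            findings.append("plain http management enabled: replace with ip http secure-server")
        if stripped.startswith("transport input") and "telnet" in stripped:
            findings.append("telnet permitted on vty lines: restrict to ssh")
        if stripped == "switchport access vlan 1":
            findings.append("access port assigned to VLAN 1")
        if stripped == "interface Vlan1":
            findings.append("interface Vlan1 configured: verify it is shut down and unused")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a `show running-config` capture saved to a file to get a first pass before going through the NSA guide line by line.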

Auditing Firewalls

• First and foremost, do you have some change control process for firewall changes? If so, review the requests.

• If you are a small shop, establish a folder on the network or a ticket in your help desk system where you track such changes.

• Also establish some sort of change control policy for firewall changes.

Auditing Firewalls Cont…

Below is a short list of what to look for:

• Are all of the rules in the firewall commented?

• Do you have redundant or duplicate rules?

• Do you have rules that are no longer used?

• Do you have services that are no longer used?

• Do you have rules with any/any (any source to any destination)?

• Do you have admins who should no longer have access to the firewall still in the firewall?

Auditing Firewalls Final Thoughts

• You are looking to make sure that all rules are commented and make sense.

• You want to eliminate rules that are not needed.

• Any/any rules should not exist.

• Dead/unneeded rules should be removed.

• Make sure old admins are removed.

• Review to make sure you are using secure access to the firewall.

• This is a great article that discusses what to audit: http://www.securitymattersmag.com/security-matters-magazine-article-detail.php?id=765
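As an added example (not from the talk), the firewall checklist above as a script over a constructed, vendor-neutral rule export: it flags uncommented rules, duplicate rules, any/any allow rules, rules with zero hits, and admin accounts that are no longer on the authorized list. The rule dictionaries, the admin sets and `audit_rules` are all assumptions made up for this illustration; a real audit would load the vendor's rule export into the same shape.

```python
from collections import Counter

# Constructed rule set: name, match fields, action, comment and hit counter per rule.
RULES = [
    {"name": "web-in", "src": "any", "dst": "10.1.1.10", "svc": "tcp/443",
     "action": "allow", "comment": "public web server", "hits": 9120},
    {"name": "temp", "src": "any", "dst": "any", "svc": "any",
     "action": "allow", "comment": "", "hits": 51},
    {"name": "vpn-old", "src": "10.9.0.0/16", "dst": "10.1.2.0/24", "svc": "any",
     "action": "allow", "comment": "old VPN pool", "hits": 0},
    {"name": "web-in2", "src": "any", "dst": "10.1.1.10", "svc": "tcp/443",
     "action": "allow", "comment": "", "hits": 3},
]
# Constructed admin lists: accounts defined on the firewall vs. staff still authorized.
FIREWALL_ADMINS = {"jsmith", "contractor1", "mlee"}
AUTHORIZED_ADMINS = {"jsmith", "mlee"}


def match_key(rule):
    """The fields that make two rules functionally identical."""
    return (rule["src"], rule["dst"], rule["svc"], rule["action"])


def audit_rules(rules, fw_admins, authorized):
    """Return findings for the checklist: comments, duplicates, any/any, dead rules, stale admins."""
    findings = []
    seen = Counter(match_key(r) for r in rules)
    for r in rules:
        if not r["comment"].strip():
            findings.append(f"{r['name']}: rule has no comment")
        # An allow rule matching any source, any destination and any service.
        if r["action"] == "allow" and r["src"] == r["dst"] == r["svc"] == "any":
            findings.append(f"{r['name']}: any/any allow rule")
        # Zero hits since counters were last reset suggests a dead rule.
        if r["hits"] == 0:
            findings.append(f"{r['name']}: zero hits, candidate for removal")
        if seen[match_key(r)] > 1:
            findings.append(f"{r['name']}: duplicate of another rule with the same match and action")
    # Admins present on the firewall but no longer on the authorized list.
    for user in sorted(fw_admins - authorized):
        findings.append(f"admin {user}: not authorized, remove firewall access")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES, FIREWALL_ADMINS, AUTHORIZED_ADMINS):
        print("FINDING:", finding)
```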

Auditing Windows Servers

You are again auditing against a standard or best practice. Do you have a standard or best practice? If not, you then need to find one to audit against. I will give you some general guidelines.

Auditing Windows Servers, Cont…

• The first item is to document your servers so you can review them. http://sydiproject.com/home/ is a great tool to do this. You can review the documentation as a first step.

• The next item is to review the admin username and password on both the domain and the local servers. (You should rename the local admin user and the domain admin user.)

• You can also use this tool to audit passwords: http://ophcrack.sourceforge.net/. Passwords should not be weak words such as "dog" and should be changed every 90 days.

Auditing Windows Servers, Cont…

• Patches are also important. Review to make sure you have the most current patches.

• The Baseline Security Analyzer works well for this; it can be found here: http://www.microsoft.com/en-us/download/details.aspx?id=7558

• Anti-Virus is another item that needs to be audited. It should be up to date and should also be centrally managed. Finally, I like to audit settings to ensure the proper AV exclusions are configured. (Find the list here: http://support.microsoft.com/kb/822158)

Auditing Windows Servers, Cont…

• Also, audit workstations to ensure that administrative rights are restricted.

• Audit the Domain Admins group; it should have a limited number of users.

• Audit services. The Administrator account should not be running services. Scripts exist to audit this.

• This is a good guide to use to audit Windows 2008 R2 servers: http://social.technet.microsoft.com/wiki/contents/articles/1142.windows-server-2008-r2-security-guidance.aspx

Audit Windows File Servers

• Should review how shares are set up. Everyone should be removed and only Authenticated Users allowed.

• NTFS permissions should be reviewed to ensure that the correct access is assigned. A tool such as DumpSec will help with this audit: http://www.systemtools.com/cgi-bin/download.pl?DumpAcl

• File shares should be on a separate drive from the operating system.

• The Everyone group should not be used.

• If possible, enable Access Based Enumeration (you will only see what you have rights to see).

Audit Windows Active Directory

• This is a good guide; I will highlight a few items to review: http://technet.microsoft.com/en-us/library/cc773365(v=ws.10).aspx

• Domain Controller and Domain security policies should be reviewed. Things such as SMB signing, anonymous access and share enumeration should be reviewed and modified.

• Should also audit password policies, groups, etc.

• Should look for user accounts that have not been used and delete them.

• The guide above is a good read and will provide a good guideline.

Audit Windows Workstations

• You do not need to audit every workstation, only one or two.

• Should check and make sure Anti-Virus is updated and configured.

• Should make sure that administrative rights are limited.

• Check for Windows Update and what the schedule is.

• Audit for software; make sure what is installed is supposed to be installed.

Auditing Mac OS X

• Should make sure that the software update check is set to daily.

• Make sure automatic login is set to off.

• Make sure that you are securing the home folder permissions with this command: sudo chmod go-rx /Users/username

• Check for a firmware password. Apple provides detailed instructions for Leopard (which apply to Snow Leopard) here: http://support.apple.com/kb/ht1352

• Disable Bonjour!

• This is a good guide for some quick items to audit: http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf

Auditing Wireless Networks

• SSIDs should not be broadcast unless they are public.

• WPA2 security should be used on SSIDs, NO WEP.

• Public SSIDs should be placed onto a separate VLAN.

• Firmware should be reviewed and verified that it is current.

• If possible, use RADIUS for internal wireless authentication.

• Wireless access point locations should be audited to ensure they cannot be tampered with.

Auditing Wireless Networks, Cont…

• Can use a tool such as Kismet (http://www.kismetwireless.net/) to verify SSIDs.

• If you want to see how easy your WiFi is to crack, use this: http://www.aircrack-ng.org/

• Wireless management traffic should be on a dedicated VLAN.

• Insecure protocols such as http and telnet should be disabled.

• Administration of the wireless network should be done via the wired network.

Auditing Resources

• NIST has guides on security self-assessment, 800-53 and 800-53A, that can provide a good foundation to start an audit.

• SANS has some great resources for IT audits; they can be found here http://it-audit.sans.org/community/checklists and here http://www.sans.org/score/checklists.php

• Here is a good book on Amazon: http://www.amazon.com/Network-Security-Auditing-Networking-Technology/dp/1587053527/ref=sr_1_1?ie=UTF8&qid=1361884868&sr=8-1&keywords=network+security+audit

Auditing Final Thoughts

• You should be auditing to some sort of standard. If you do not have a policy or standard, find a best practice to audit against.

• Pick the low-hanging fruit first (Anti-Virus, passwords and patches), as they are easy to audit, can cause major issues and are easy to fix.

• Audit your firewall at least once a year to make sure you are removing old rules and keeping the firewall relevant.

• With new technologies such as iPads, make sure you are following a security best practice to ensure they are secured.

• Look for accounts that are old and need to be removed.

• SANS (www.sans.org) has some great resources.

Survey!

If you provide me your business card I will provide you an assessment to help with where to start with an audit.

Newsletter and Tech Tips

I write a monthly newsletter and send out weekly security tech tips. If you would like to get onto my list, please provide me with a business card.

Questions?

Thank You

You can contact me at

[email protected]

262-363-9070