

Remote_Access_
January 31st, 2002, 06:41 PM
Security Auditing

Security auditing should be a requirement for everyone that is connected to the Internet. There are many tools and programs available to help you test your network or PC at home. A few topics you should read about and have a good general knowledge of are:

Firewalls - What they are, how to use one, where to get one, etc.
IDS - Intrusion Detection System
Sniffers - Find out where attacks come from, who sent what packet, etc.
Buffer overflow protection - Keep your box safe from this common vulnerability
Honey pots - creates virtual systems to trap scanners and hackers
Proxy - to help you remain anonymous on the web
SOCKS chain - work through a chain of SOCKS or HTTP proxies to hide your IP

Security auditing can be done for a fee by various companies or done by you to save a few dollars and get more of a “hands-on experience” with testing your network or your box at home. Who knows, you may even learn something. ;) Here are a few things to look for when testing the security of your box:

Vulnerabilities
Malware – Trojans & viruses
NFS & NetBIOS - ways of sharing files
Network monitoring tools – PC Anywhere, Remote admin, etc
Physical Security – Commonly overlooked vulnerability
Wingate - allows a Win95 PC to act as a gateway.
CGI Scripts - poorly written CGI programs are vulnerable to intruders.

These are just a few common and well-known vulnerabilities. For a more detailed list of vulnerabilities visit Http://www.CERT.org

Ports

You should monitor what ports and services are running on your machine. Especially the ones that you don’t recognize. You can find a list of ports and what services run on those ports on any of your favorite search engines. To remove the risk of being attacked, close any application that you find suspicious and view the file’s properties. You should be aware of what ports are open because it gives hackers another place to attack.

Patches, fixes, and updates

For whatever OS, browser, or any other application you use, applying patches is a necessary part of securing your computer. You may have the latest version of X but a week later there’s a number of vulnerabilities, bugs, holes, and flaws discovered. I would recommend checking the company’s web site often for updates and fixes for whatever software, OS, application, etc. you’re using. You may also want to change the default settings or at least take a look at them to make sure they are properly set. Default settings are a common vulnerability. Hundreds of advisories are released daily from various security groups and organizations. One of the largest and most well-known organizations is the SANS Institute. SANS has a large database of advisories, vulnerabilities, and other useful security information. To visit SANS’ web site go to this address: Http://www.SANS.org

Firewalls

Although firewalls are a good method of protecting your computer(s), they shouldn’t be your only line of defense against hackers. Firewalls can provide some degree of protection; however, no firewall can detect or stop all attacks, so it’s not sufficient to install a firewall and then ignore all other security measures.


Remote_Access_
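
An added example, not part of the original post, of the check described under "Ports" above: list what is listening and flag anything you don't recognize. It assumes a Linux machine and the output format of `ss -tlnp`; the sample output and the baseline set are constructed for illustration.

```python
"""Compare listening sockets against a known-good baseline (added example)."""

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=701,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
LISTEN 0      5      0.0.0.0:8081        0.0.0.0:*         users:(("python3",pid=4242,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=701,fd=4))
LISTEN 0      128    [::1]:5432          [::]:*
"""

# Hypothetical baseline: the ports you expect to be listening on this machine.
BASELINE = {22, 631}
LOOPBACK = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6
        if not port.isdigit():
            continue
        process = "unknown"  # ss hides the owner unless run with enough privilege
        if len(fields) > 5 and '(("' in fields[5]:
            process = fields[5].split('(("', 1)[1].split('"', 1)[0]
        listeners.append((addr, int(port), process))
    return listeners


def audit(ss_output, baseline):
    """Return sorted (port, process, exposure) for ports not in the baseline."""
    findings = set()
    for addr, port, process in parse_listeners(ss_output):
        if port in baseline:
            continue
        exposure = "local-only" if addr.startswith(LOOPBACK) else "network-reachable"
        findings.add((port, process, exposure))
    return sorted(findings)


if __name__ == "__main__":
    for port, process, exposure in audit(SAMPLE_SS_OUTPUT, BASELINE):
        print(f"unexpected listener: port {port} ({process}), {exposure}")
```

To check your own machine, pass the real output of `ss -tlnp` to `audit()` and keep the baseline under version control so changes to it are reviewed.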

Remote_Access_
January 31st, 2002, 08:28 PM
The village idiot has returned with another intelligent remark
when he gave me negative points:

did you actually write this yourself?

Yes you idiot I wrote this myself. It's easy to criticize my work,
complain about this and that but when's the last time YOU
posted a tutorial that was hand typed? It's funny how when
someone posts an actual security topic no one replies, but
when you ask general questions and make ignorant threads
you get quite a few replies.. why is that? Perhaps it's cause
this person doesn't know anything about security and doesn't
have anything to contribute. If I were that person I wouldn't
reveal my identity either...
*sighs* Ah well.. I hope this helped
some of you with your understanding of security. ;)

Remote_Access_

MsMittens
January 31st, 2002, 08:42 PM
It's so nice to see a security related post on a security related site (what a concept eh? ROFL). But RA does bring up some important factors to consider when doing a security audit as part of the overall security process. Remember that security is a process and not just a slipshod affair that you do when you get attacked, hear about attacks or just go through the day-to-day. I will probably do an article on the whole idea of network security process in the Newsletter #2.

niboreon
January 31st, 2002, 08:43 PM
Great job, RA!

If doing an audit for a company I would start by asking for their policies.
If doing an audit for an acquaintance, I start by finding out from them what level of security they expect and what their tolerances are for things like down time and time spent as sys adm of their own systems.

Then I try to match those expectations to the technologies that you discussed.

:thumbsup:

Remote_Access_
January 31st, 2002, 08:55 PM
Thanks niboreon. :)

Yes, I should have mentioned that you need to have the company's permission
before you do a security audit. Otherwise they may mistake you as an attacker
and may even result in you being fired.. don't want that to happen. :D
You should always have the person's or persons' permission before you test the
security on their computer(s). I just went over the basics of doing an audit but
in the newsletter it will contain more detailed information. If you would like to
add or modify any information on this article for the newsletter send an email
to remote_access_@antionline.org or msmittens@msmittens.com

Remember that security is a process and not just a slipshod affair that you do when you get attacked..

That's correct. You can't maintain security only when your box is being attacked or
scanned. Security is mandatory and should be a requirement for everyone.. or at least it should be for those that are interested or concerned about it. BTW, I'd like to hear how you would test your computer for holes, vulnerabilities, etc. What procedures would you take if you performed an audit?

Remote_Access_

dieterle81
February 1st, 2002, 05:09 AM
first a good work remote_access.
another good study to read is:
http://rr.sans.org/audit/linux_sec.php
it's more for linux but it's interesting as well and it has heaps of links to that topic

cheers,

smirc
February 1st, 2002, 05:17 AM
If doing an audit for a company I would start by asking for their policies.

I totally agree with you here. I did a subject related to this at uni and the first thing they said was,

"It doesn't matter how good your security is, if you don't have a firm and comprehensive security policy."

The second thing they said was,

"The weakest link in any network's security is always the user."

Makes you think doesn't it.

Conf1rm3d_K1ll
February 1st, 2002, 05:21 AM
Originally posted by MsMittens
It's so nice to see a security related post on a security related site (what a concept eh? ROFL).


I have to admit that sometimes my mind wanders off the job and I post un-security-related threads. I even had the hide to ask for a Tech Support thread <gasp!>...LOL. Anyway, this IS a security site and it's good to see these type of threads back. Good post R_A....

micael
February 1st, 2002, 05:38 AM
Good post Remote_Access_ :).

MsMittens I'm looking forward to the next number of AO News. Keep up the good work !

niboreon you are right policies and permissions are important and not only for the auditing, it's important for the whole process of creating a secure network. Good post !

My 2 cents down the drain..


Words of Wisdom from smirc.
- "The weakest link in any network's security is always the user."


I agree ! My users are always trying to give me gray hair and a nervous breakdown, we'll see who wins :D.

Alexzel
February 1st, 2002, 05:52 AM
Hello RA!

Good day to you! Good Post! You said it straight and clear. Most important of all, it was indeed informative :D

Keep up the good posts!!!

A blessed day to all!!! :D

_____________________________

"I expect to pass through life but once. If, therefore, there be any kindness I can show, or any good thing I can do for any fellow being, let me do it now… as I shall not pass this way again. " ~William Penn

Remote_Access_
February 1st, 2002, 12:54 PM
"The weakest link in any network's security is always the user."

I can't stress how important that factor is also. It doesn't make a difference how much you or your company uses on security software and/or hardware if the end user doesn't know what it's for and how to use it. So far no one has posted on how they would do a security audit and I'm still looking forward to hearing everyone's different procedures and methods of doing so.

Thanks,
Remote_Access_

uraloony
February 1st, 2002, 01:04 PM
Great posts R_A_, keep them up!

Pooh-Bear
February 1st, 2002, 01:06 PM
Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened all attachments, left their computers (with static ip) on over night and put their passwords on post-its on their computer screen.
After sending out a general security mail two out of the nine that had passwords on their screens removed it. No-one bothered to turn off their computer. I don't know about the attachments since I wasn't around to see any more viruses strike.
What is a person to do with middle-aged academic researchers?!? Any ideas?

mstrickland
February 1st, 2002, 01:46 PM
1. Well, when I do a penetration test I follow the following outline:

footprint
enumerate/scan
penetrate
pillage
cover tracks
repeat

(some may recognize this from 'Hacking Exposed', a very good book on the topic which I highly recommend.)

It's also important to remember that when you get any info, you should write it down as it may become important later. The password for the admin on one machine, might also be the admin password on another. If you can tie an individual to a username, you will probably see passwords recycled, and if you can get the info knowing which users might be less likely to use strong passwords might also be helpful.

2. Another thing to bear in mind is just how important it is to verify permission to run any scans or exploits on a system. Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin. Further if you run an exploit on an IP that you got from your footprinting, but for some reason that IP doesn't belong to the client, you run some serious risks. So, after you've gotten the IP range, you should verify it with the client and then proceed.

VictorKaum
February 1st, 2002, 02:01 PM
Originally posted by mstrickland
Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin.

In some countries it is strictly illegal to perform these scans.
For instance: in Belgium there is a law that can be used to convict people who did scans on the assumption that they were stealing electricity from some1 else. This law is used to catch some crackers in the past... indeed when you perform a scan, the other box responds (and this is a minimal power consumption in the eyes of the judge and therefore a cost for the 'attacked' one).
there is also a cost for the admin who has to read the logs, if there is proof that your actions caused longer logs than normal you could be convicted on that base, cause there is a certain cost involved.

only a remark ;)

gold eagle
February 1st, 2002, 02:19 PM
good post RA and don't worry about that pinhead who keeps sending you stuff.

I'm going to have to agree with VictorKaum on this one. It IS often illegal not only in different countries but in the states (or provinces) of those countries which have their own laws.

don't assume any probe/assault is ok unless you are confident beyond reason. Get the legal permission signed off, verify ip etc, then proceed.

mstrickland
February 1st, 2002, 02:30 PM
Sorry for the incomplete info, as I've only worked in the US thus far, that's the only set of law with which I'm familiar. So it's good to hear about the subtleties of rulings from other countries. What other interesting legal issues have people come across in this area?

MsMittens
February 1st, 2002, 03:26 PM
Originally posted by Pooh-Bear
Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened all attachments, left their computers (with static ip) on over night and put their passwords on post-its on their computer screen.
After sending out a general security mail two out of the nine that had passwords on their screens removed it. No-one bothered to turn off their computer. I don't know about the attachments since I wasn't around to see any more viruses strike.
What is a person to do with middle-aged academic researchers?!? Any ideas?

You need to probably send daily or every other day reminders and tips. One place I worked at did that. The number of "sticky notes" disappeared as a result. Make the reminders fun and interesting to read rather than something bothersome. What users need to be reminded is that security is not necessarily a chore or a pain but can be part of the day-to-day routines.

Also, getting users to sign agreements in regards to security (usually referred to as an email policy or acceptable use policy) can be helpful. That puts part of the responsibility on them.

Pooh-Bear
February 4th, 2002, 01:21 PM
Yeah you're right MsMittens, too bad I've already quit it.
But how does a 25 year old tech-geek write something funny for stuffy 40 year old academic scientists? ;)