Chapter 15, IT Policy Compliance and Compliance Technologies
Objectives:
This lesson covers chapter 15. It discusses the basic elements in our environment and implementing compliance with policies.
Objectives important to this lesson:
Baseline elements for IT security
Automating security policy compliance
Compliance technologies and solutions
Concepts:
Chapter 15
Baseline Elements for IT Security
On page 427, we are given a definition of a security baseline: a set of configurations to achieve a specific security objective. This is general enough that it applies to any hardware or software we might use to apply security policies. It also means that we could have a baseline for one policy or a baseline that serves several policies.
The text gives us an example. The organization in question makes a policy about hardening systems that specifies which protocols are to be loaded on boot (others will not be loaded), which ports will be open for traffic (all others will not be open), and that the administrator account on the device must be renamed to the operational standard of the organization. This configuration would be a modification made after the standard build, described below.
The text points out that this sort of baseline would give intrusion detection devices information they need. It would be abnormal, and probably unacceptable, to have packets on the network that use a protocol or are bound for a port that the baseline has forbidden.
The text continues with this idea, noting that an IDS should be watching for other baseline deviations, such as the baseline performance measurements you may make on a server:
processor activity
memory usage
disk (hard drive) activity
network interface traffic
Abnormal activity in these factors may just be deviations caused by increased business activity, but they may indicate an attack on the server. An administrator should look for causes when alerted by the IDS.
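As an added example (not from the text or its author), here is a small Go program that encodes the two kinds of baseline the text describes and reports deviations from both: the hardening baseline (which ports and protocols are permitted, what the administrator account must be called) and the performance baseline (the normal mean and standard deviation of each counter). Every value in it, including the host name, the allowed ports and the counter profiles, is constructed for the example, and the three-sigma threshold is an assumption rather than a figure from the text.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// MetricProfile is the mean and standard deviation of one performance counter,
// measured while the server was known to be in its normal state.
type MetricProfile struct {
	Mean, StdDev float64
}

// Baseline holds the hardening settings and the normal performance profile
// for one class of server. Every value used here is constructed for the example.
type Baseline struct {
	AllowedPorts     map[int]bool             // ports that may accept traffic; all others must be closed
	AllowedProtocols map[string]bool          // protocols that may be loaded at boot
	AdminAccount     string                   // required name of the renamed administrator account
	Metrics          map[string]MetricProfile // keyed by counter name
}

// Snapshot is what a monitoring agent observed on one host.
type Snapshot struct {
	Host         string
	OpenPorts    []int
	Protocols    []string
	AdminAccount string
	Metrics      map[string]float64
}

// sigmaThreshold is an assumption for this example: a counter more than this many
// standard deviations from its baseline mean is reported for investigation.
const sigmaThreshold = 3.0

// CheckBaseline compares a snapshot with the baseline and returns one finding
// per deviation. An empty result means the host matches the baseline.
func CheckBaseline(b Baseline, s Snapshot) []string {
	var findings []string

	// Hardening deviations: anything present that the baseline does not permit.
	for _, port := range s.OpenPorts {
		if !b.AllowedPorts[port] {
			findings = append(findings, fmt.Sprintf("%s: port %d is open but not in the baseline", s.Host, port))
		}
	}
	for _, proto := range s.Protocols {
		if !b.AllowedProtocols[proto] {
			findings = append(findings, fmt.Sprintf("%s: protocol %s is loaded but not in the baseline", s.Host, proto))
		}
	}
	if s.AdminAccount != b.AdminAccount {
		findings = append(findings, fmt.Sprintf("%s: administrator account is %q, baseline requires %q",
			s.Host, s.AdminAccount, b.AdminAccount))
	}

	// Performance deviations: z-score of each observed counter against its profile.
	names := make([]string, 0, len(s.Metrics))
	for name := range s.Metrics {
		names = append(names, name)
	}
	sort.Strings(names) // map order is random; keep the report deterministic
	for _, name := range names {
		profile, known := b.Metrics[name]
		if !known || profile.StdDev == 0 {
			continue // no profile to compare against
		}
		z := (s.Metrics[name] - profile.Mean) / profile.StdDev
		if math.Abs(z) > sigmaThreshold {
			findings = append(findings, fmt.Sprintf("%s: %s = %.1f is %.1f standard deviations from the baseline mean of %.1f",
				s.Host, name, s.Metrics[name], z, profile.Mean))
		}
	}
	return findings
}

// sampleBaseline returns the constructed baseline used by main.
func sampleBaseline() Baseline {
	return Baseline{
		AllowedPorts:     map[int]bool{22: true, 443: true},
		AllowedProtocols: map[string]bool{"TCP/IP": true},
		AdminAccount:     "corp-admin",
		Metrics: map[string]MetricProfile{
			"cpu_percent":      {Mean: 30, StdDev: 5},
			"memory_percent":   {Mean: 55, StdDev: 8},
			"disk_ops_per_sec": {Mean: 120, StdDev: 40},
			"net_mbps":         {Mean: 20, StdDev: 6},
		},
	}
}

func main() {
	// Constructed observation: an extra open port, an extra protocol, the default
	// account name still in place, and a CPU reading far outside the baseline.
	obs := Snapshot{
		Host:         "srv01",
		OpenPorts:    []int{22, 443, 3389},
		Protocols:    []string{"TCP/IP", "NetBIOS"},
		AdminAccount: "Administrator",
		Metrics:      map[string]float64{"cpu_percent": 80, "memory_percent": 60, "net_mbps": 24},
	}
	for _, finding := range CheckBaseline(sampleBaseline(), obs) {
		fmt.Println(finding)
	}
}
```

The hardening checks are exact (a port is either in the baseline or it is not), while the performance checks are statistical, which matches the point in the text that a busy day and an attack can look alike and the administrator still has to find the cause.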
On page 428, the text describes using a baseline image as the starting point for any workstation. You may need to create a separate image for each different model of computer your organization uses. The image includes the operating system, standard software, and configuration settings for those elements. An image is typically stored as an ISO file, which is a single large file that is an archive of everything on an optical disc. In some cases, the image file is stored or published as a series of discs. The text mentions the Symantec product Ghost, which is a commonly used product for creating hardware/software images.
Image files are a common starting point. The text mentions that the image must be updated periodically to include patches to programs and the operating system. Until the new image contains those patches, patch management is typically done through group policies in Active Directory.
Automating security policy compliance
The text discusses several systems that may be used to detect or manage changes in baseline settings. They are not used universally, but their use is recommended. The first three are Microsoft products:
Microsoft Baseline Security Analyzer (MBSA) - used to scan for problems based on known problems described in an XML download from Microsoft.
Systems Management Server (SMS) and System Center Configuration Manager (SCCM) - Both of these products can scan for problems and deploy software to nodes on a network. SCCM is the more recent of the two products, and it has more features and capabilities, including deploying operating systems across a network.
The other products, listed on page 432, may be used to manage workstations running Windows, UNIX, or Linux.
Nessus - one of a family of scanning products; downloads for Windows, Mac OS X, Linux, FreeBSD
Nmap - a free scanning product; downloads for Windows, Mac OS X, Linux, FreeBSD, OpenBSD, NetBSD, Sun Solaris, and other operating systems
Symantec Altiris - a large suite of related products for multiple operating systems
On page 435, the text sells us on using tools to automate tedious tasks that administrators would otherwise have to perform. Why tie up an expensive employee for hours if the job can be recorded or coded, and pushed to every station that needs the new configuration? As noted above, SCCM can be used to push changes to a workstation in a Windows network. So can Group Policy.
The text shows us an example on page 437. Workstations in three separate parts of the organization are placed in three different Organizational Units in Active Directory. A Group Policy could be configured for each of those units to push software, patches, updates, configuration, or other changes needed by the workstations in any given group.
The text recommends testing the security of our environment with some kind of penetration test, a test that evaluates whether we are at risk from known techniques and exploits.
Compliance Technologies and Solutions
The text lists five technologies that may be used to automate compliance with policies.
COSO Internal Compliance Framework - This is another set of rules and principles that are loved by accountants, and might be used to create policies and controls. It is not a technological tool, so I do not see why it is in this list.
Security Content Automation Protocol (SCAP) - A protocol developed by NIST that supports tools and methods for sharing common information.
Simple Network Management Protocol (SNMP) - This protocol has been used to manage network devices for many years. A security flaw in early versions was that commands sent to devices had to include a community string, a prefix that gave the command permission to manage the device. The problem was that the default strings were well known.
Message integrity, authentication of senders, and encryption were added in version 3 of SNMP. Obviously, Star Fleet was using an earlier version at the time of this encounter.
Web-Based Enterprise Management (WBEM) - The text tells us that this is a set of standards for the operation of web-based tools, developed by the Distributed Management Task Force. So, not exactly a tool as much as some standards for how tools should work.
Digital Signatures - A digital signature is something that can accompany a file (such as a download) that offers proof of the file's source and integrity. The text describes using a digital signature in a Public Key Infrastructure (PKI) setting. In the example in the book, a company creates its own public and private key pair. In practice, these keys may be created by a Certificate Authority (CA) instead. Since the text does not explain it, a brief review (or introduction if you have never seen it):
Public key cryptography is a system that uses two encryption/decryption keys. A person or company must have two keys in this system: a public key and a private key. They are created so that whatever is encrypted with one must be decrypted with the other. The owner of the keys gives the public key to anyone who wants it, but keeps the private key safe from anyone else. This is how SSL encryption on a web site works. I connect to a vendor's web site. I obtain the vendor's public key by making the secure connection. My browser encrypts my credit card data with the vendor's public key and sends the ciphertext to the vendor. If the vendor's private key is secure, the vendor is the only one who can decrypt the data sent through the public key.
In the example in the text, a company creates a public/private key pair.
In step two, the company sends a request to a CA (e.g. Verisign) for a digital certificate. The request includes the public key. Including the public key is not necessary if the CA created the key set for the company.
The CA confirms that the request is valid. They create a digital certificate that confirms the public key enclosed in the certificate is the actual public key for that company. You will see why this matters in a moment.
In step four, the company creates a file that is going to have a digital signature.
In step five, the company creates a hash for the file. This will be a unique string of hex characters.
In step six, the company encrypts the hash with their private key. This creates a string of characters that can only be decrypted with the company's public key. This encrypted hash is the digital signature.
So why do this? Someone who downloads the file also downloads its digital signature. They obtain the certificate either from the company or from the CA, which is better. The downloader hashes the file, then decrypts the signature with the public key from the certificate. The hash from the signature should match the hash the downloader generated. If we trust the certificate, the public key in it could only decrypt a message that was encrypted with the private key of the vendor. Since we have now proven that the encrypted hash was from the vendor, if the hashes match then the file must be as the vendor meant it to be.
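The six steps and the downloader's check, as an added Go example that is not from the text or its author. It uses Go's standard library for RSA, SHA-256 and X.509, so the "encrypt the hash with the private key" step is done with PKCS#1 v1.5 signing, which is the standardized form of that idea. The CA is built inside the program (self-signed) only so the example runs offline; in practice, as the text says, the CA is a third party. The company name, the CA name and the file contents are all constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA so the example runs offline. In practice the
// CA is a third party (the text names Verisign), not something the company runs.
func newCA() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCert is steps two and three: the company sends its public key to the
// CA, and the CA signs a certificate that binds that key to the company's name.
func issueCert(caKey *rsa.PrivateKey, caCert *x509.Certificate, companyPub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Constructed Example Vendor"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, companyPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signFile is steps five and six: hash the file, then sign the hash with the
// private key (PKCS#1 v1.5 is the standard form of "encrypt the hash").
func signFile(priv *rsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDownload is the downloader's side: accept the certificate only if it
// chains to a trusted CA, then hash the file and check the signature with the
// public key taken from that certificate.
func verifyDownload(roots *x509.CertPool, cert *x509.Certificate, file, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(file)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not match file: %w", err)
	}
	return nil
}

func main() {
	caKey, caCert, err := newCA()
	if err != nil {
		panic(err)
	}
	companyKey, _ := rsa.GenerateKey(rand.Reader, 2048) // step one: the company's key pair
	cert, _ := issueCert(caKey, caCert, &companyKey.PublicKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the downloader trusts this CA

	file := []byte("constructed installer contents") // step four: the file to publish
	sig, _ := signFile(companyKey, file)
	fmt.Println("genuine file:", verifyDownload(roots, cert, file, sig))
	tampered := append([]byte{}, file...)
	tampered[0] ^= 0x01 // one flipped bit changes the hash, so the signature no longer matches
	fmt.Println("tampered file:", verifyDownload(roots, cert, tampered, sig))
}
```

The two failure cases are the ones the text's argument depends on: a file altered after signing fails because the hashes differ, and a signature made with a key whose certificate does not chain to a CA the downloader trusts fails before the hash is even compared.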
The lesson ends with a series of suggestions for compliance monitoring. This is not a bad summary for the last few chapters.
Create a security policy.
Create a baseline that applies to the policy. This could be an image for a workstation, or it could be the most frequent or desired behavior of employees.
Watch for changes in rules, regulations, and laws. Update policy as needed.
Audit your systems, make sure they are working, and change them if they are not.
Automate checks and services where possible.
Control the changes that need to be made.
Week 9, Assignment 1:
Complete the Review Questions posted for this chapter in the Review for Test 3, questions 22 through 30.
Assignment 2:
Pick one of the case studies at the end of the chapter. Analyze the problem and the proposed solutions in the text. Are there any problems the solution would cause? Recommend any additional or alternate solution you think applies to this case.