Slide 1 - Federation of Security Professionals
 

  • Business drivers
  • Protecting your assets and ensuring that your services are continually available are at the heart of IT security risk management. Developing an effective risk-management program that focuses on those two areas (and possibly others) makes regulatory compliance much easier to achieve.
  • This slide shows the different types of resources that need to be protected. Introduce the major elements in the environment, then click for the next animation. Go through these slides fairly quickly.
  • Web applications and web services need to be protected from inappropriate (unauthorized) access. This requires a centralized way of defining application access policies as well as a central enforcement mechanism.
  • Enterprise apps: the same applies; they need to be protected from unauthorized access.
  • For servers, note the different types of resources that need to be protected. Multiple point solutions will generally not be effective; one solution that provides a centralized way of protecting all of these diverse resources is better. Systems need to be protected, not just the applications on them, and this requires stronger security than the native OS typically provides. Log files also need strong protection, to avoid the situation where a rogue administrator performs improper actions and then erases his or her tracks by modifying the log file.
  • Admin rights are also very important: many companies have too many superusers with more access rights than they need. This often increases the risk of improper access (intentional or inadvertent) to critical corporate resources.
  • eTrust AC (eAC) is a host-based security tool with a finer granularity of protection than any native operating system provides. It runs on multiple platforms, including Windows NT/2000, AIX, Solaris, HP-UX, Linux, NCR, IRIX, DEC (Digital) UNIX and UnixWare. eTrust AC proactively protects mission-critical servers such as web, database, application and file servers, and is aimed at stopping unauthorized access from both inside and outside: nobody can reach sensitive information through a stolen superuser account or by using a regular account. The Policy Model Database (PMDB) is a hierarchical system for distributing security policy and user information; it ensures that all subscribed systems receive user and policy updates instantly. The out-of-the-box baseline security policies make deploying eTrust AC much easier: they provide basic security coverage and also let the administrator run in warning mode, monitoring access without blocking it. eTrust AC can restrict the Administrator account and the Administrators group from being all-powerful on the system, which greatly reduces the damage that hackers or unauthorized personnel can cause, especially on critical systems. It provides tighter and simpler methods of protecting system resources, making the administrator's job easier and more effective when dealing with hackers. The remote administration capability and the centralized management features let administrators manage systems across different domains and platforms, which greatly reduces management cost. eTrust AC works with many different UNIX systems as well as other eTrust products, helping an enterprise secure its server environment with the best tool on the market.
  • Illustrates the process for getting access: the product blocks or allows the request in addition to the native security checks.
  • eTrust Access Control is system-level security software that can prevent external hacking, malicious code intrusion and internal unauthorized access to critical system resources, including files and processes. eTrust Access Control offers many features above and beyond what the competitors can do today. In this session we highlight the top five features that make eTrust Access Control unique and strong in the field. The first is centralized management, which reduces management cost and makes administration much more efficient. The second is role-based security, which includes user management and access assignment. The third is superuser control, which provides the ability to lock down the server it is protecting completely. The fourth is the self-protection mechanism, which ensures the integrity of the system, of eTrust Access Control itself and of its components, e.g. auditing. The fifth is the strong and secure auditing capability that makes the product an effective alerting and forensic tool. Now let's look at each one in more detail.

Presentation Transcript

  • Unix Access Control - ICSF – Root Access: Controlling/Managing Security. Serge Bertini, Director Security Solution, CA
  • Where do we start?
    • Many different compliance regulations:
      • HIPAA (Health Insurance Portability and Accountability Act)
      • Basel II
      • SOX (Sarbanes-Oxley Act of 2002)
      • VISA CP (Visa International Certificate Policy)
      • PIPEDA (Personal Information Protection and Electronic Documents Act)
      • GLB Act (Gramm-Leach-Bliley Act)
      • OPPA (Online Privacy Protection Act)
    • Many different guides, best practices and frameworks:
      • ISO/IEC 17799 (International Organization for Standardization / International Electrotechnical Commission)
      • ITIL (IT Infrastructure Library)
      • CobiT (Control Objectives for Information and related Technology)
      • COSO (Committee of Sponsoring Organizations)
  • Recent Security Surveys
  • CSI/FBI Computer Crime and Security Survey (2006)
    • “Unauthorized Access” showed a dramatic increase
      • second most significant contributor to computer crime losses
      • accounts for 24% of overall reported losses
      • showed a significant increase in average dollar loss
    • 52% of organizations surveyed experienced unauthorized use of computer systems in the last 12 months
    • 32% of attacks or misuse were related to unauthorized access to information
    • Over 82% of large organizations reported an identified breach in the last year
  • CERT Insider Threat Survey (2005)
    • Majority of attacks due to:
      • compromised computer accounts
      • unauthorized backdoor accounts
      • use of shared accounts
  • PWC Survey of Canadian Companies (2005)
    • >55% of companies were victims of fraud
    • Average loss of $1.7 million (US)
    • >1/3 of companies reported that company reputation, brand equity and business relationships were negatively affected by the crime
  • PWC Survey of Canadian Companies (2005)
    • 61% of fraudsters were insiders
    • One of top 3 reasons cited for fraud being committed is insufficient controls
    • Survey showed that probability of uncovering economic fraud is strongly dependent on the number and effectiveness of control mechanisms in place
  • Top Control Weakness - SOX
    • CIO Magazine July 1, 2005
    • Failure to properly set up new accounts (and changes to existing accounts)
    • Failure to terminate old accounts in a timely manner
    • Separation of duties
  • Access Management - Business Issues
    • Risk Mitigation
      • Enforce internal access policies
      • Eliminate redundant privileges to reduce risks
      • Track granular access usage
      • Protection of assets (customer Information and trust)
    Proprietary information theft resulted in the greatest financial loss ($70,195,900 was lost among 530 surveyed companies, with the average reported loss being approximately $2.7 million), mostly from internal unauthorized access. (CSI/FBI 2003)
  • IT Asset Protection: What is it?
    • Asset Protection – Protecting critical corporate resources, of all types, against unauthorized (inadvertent or malicious) access. Requires effective management of all users and their access rights.
    • Let’s look at the types of assets that need protection.....
  • Asset Protection (slide build: Web User, User and Admin reaching Unix, Windows, Mainframe and Enterprise Apps (ERP/CRM))
    • Web Apps & Web Services
    • Enterprise Apps (SAP, PS, etc.)
    • Servers
      • User accounts
      • System files
      • Critical DBs
      • System processes
      • Log/Audit files
    • Admin Rights
      • Root access rights
      • Control system processes
  • Introduction to Access Controls
  • Access Controls
    • Components
    • Administration
      • View and manage user identities
    • Authentication
      • Users properly identified and identities are validated to IT resources
    • Authorization
      • Users can access only what they are allowed to
    • Auditing
      • User access activities and enforcement are logged for daily monitoring, regulatory and investigative purposes
  • Access Control Supports IT Governance
    • Risk Management
      • Consistent access management policies applied across all platforms, systems and applications
      • Enforced separation of duties
      • Elimination of orphaned accounts
      • Consistent audit trails for access control administration based
      • Reduced risk
        • Policy enforcement
        • Reduced errors and omissions via automation of manual processes
        • Reduced fraud and losses through consistent end-to-end policy-based controls
      • Improved transparency of controls
        • Consistent processes, policies, standards and rules, audits and reports, user account co-relation
    • Legal and Regulatory Compliance
      • Improved transparency of controls
      • Improved security controls and privacy protection
      • Improved audit reporting and policy enforcement
      • Improved management review
  • Secure UNIX Access Management
    • with
    • eTrust ™ Access Control
  • UNIX Audit Issues
    • Use of Non-Essential Services
    • Network Access
    • Use of Unauthorized root access
    • No monitoring of access to the root account
    • Inappropriate password and password parameters
    • Removal of idle user accounts
    • Use of Generic Admin ID’s
    • Umask Setting Improperly set
    • Root Password not regularly Changed
    (Slide graphic, core requirement areas: Audit & Monitoring, Network Control, Root Access, Password Quality, Account Management)
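The audit issues above are the kind a reviewer checks by hand from /etc/passwd, /etc/shadow, lastlog and the login profile. The following is an added example, not part of the presentation or of any CA product, that scripts four of those checks over constructed sample data (the account names, dates and the 027 umask threshold are assumptions chosen for illustration):

```python
"""Added example (not from the slides or from CA): checks for a few of the
UNIX audit issues listed above, run over constructed /etc/passwd,
/etc/shadow, lastlog and profile data so it runs offline."""
from datetime import date

EPOCH = date(1970, 1, 1)
TODAY = date(2006, 3, 15)                 # constructed "audit date"
TODAY_DAYS = (TODAY - EPOCH).days         # /etc/shadow stores days since the epoch

# Constructed sample data: a shared UID-0 "oper" id and a stale "jsmith" account.
PASSWD = """root:x:0:0:root:/root:/bin/sh
oper:x:0:0:operations shared id:/home/oper:/bin/sh
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/sh
dba:x:1002:100:DBA:/home/dba:/bin/sh
"""
SHADOW = f"""root:$1$xyz:{TODAY_DAYS - 200}:0:99999:7:::
oper:$1$abc:{TODAY_DAYS - 10}:0:90:7:::
jsmith:$1$def:{TODAY_DAYS - 400}:0:90:7:::
dba:$1$ghi:{TODAY_DAYS - 30}:0:90:7:::
"""
# user -> day of last login (what lastlog would give you), constructed
LASTLOG = {"root": TODAY_DAYS - 1, "oper": TODAY_DAYS - 3,
           "jsmith": TODAY_DAYS - 210, "dba": TODAY_DAYS - 2}
PROFILE = "PATH=/usr/bin:/bin\numask 000\nexport PATH\n"   # constructed /etc/profile


def uid0_accounts(passwd_text):
    """Every account with UID 0. More than one means generic/shared root ids,
    which defeats attribution of root activity to a person."""
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if line and line.split(":")[2] == "0"]


def idle_accounts(lastlog, today_days, max_idle=90):
    """Accounts with no login for more than max_idle days (candidates for removal)."""
    return sorted(u for u, last in lastlog.items() if today_days - last > max_idle)


def password_age_days(shadow_text, user, today_days):
    """Days since the password of `user` was last changed (shadow field 3)."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return today_days - int(fields[2])
    raise KeyError(user)


def umask_permissive(profile_text, required=0o027):
    """True if the login umask does not mask every bit in `required`
    (027 is an assumed policy: no group write, no access for others)."""
    mask = None
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "umask":
            mask = int(parts[1], 8)           # last umask in the file wins
    return mask is None or (mask & required) != required


def audit_report(passwd=PASSWD, shadow=SHADOW, lastlog=LASTLOG,
                 profile=PROFILE, today_days=TODAY_DAYS):
    findings = []
    shared = uid0_accounts(passwd)
    if len(shared) > 1:
        findings.append("generic admin ids with UID 0: " + ", ".join(shared))
    for user in idle_accounts(lastlog, today_days):
        findings.append("idle account not removed: " + user)
    if password_age_days(shadow, "root", today_days) > 90:
        findings.append("root password not changed in more than 90 days")
    if umask_permissive(profile):
        findings.append("login umask does not mask group-write/other access")
    return findings


if __name__ == "__main__":
    for finding in audit_report():
        print("FINDING:", finding)
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/shadow (read as root) and the output of lastlog; the thresholds are policy decisions and should come from the organisation's standard rather than the defaults assumed here.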
  • eTrust Access Control
    • Know
      • Who : can access resources
      • What : they can do with the resources
      • When : access is allowed
      • Where: access is allowed from
      • Why : access is needed
    • Role-based Access Control
    • Data Confidentiality Protection
    • Host-based Intrusion Prevention (HIP)
    • Centralized Security Management
    • Secure Auditing
  • Access Control (diagram: HR Dept., DBMS Admin, Sales Dept. and internal/external hackers all reaching the web, database and application servers; blocked requests are marked X). Web, database and application servers require server security: servers need protection at the host level, regulating all accesses.
  • Access Control - Cross Platform Security
    • Common denominator effect due to different OS:
      • Lower security
      • High overhead
      • Difficult to manage
    • Elevated and consistent security with eTrust AC:
      • High security
      • Increased efficiency
      • Easy to manage
  • Native Security Architecture
    • Native Access Control
    (Diagram: USR1 requests `read (more) /finance/data`; the read, open, exec, setuid and other calls pass through the syscall table (1) to the OS kernel, which decides (2) on the UNIX file permissions alone: `-rw-r--r-- 1 root sys 661 Feb 26 00:18 /finance/data`)
  • Access Control Security Enhancement
    (Diagram: the same requests now pass from the syscall table through the Access Control layer (1), which consults the Access Control Rules Database before the kernel's native check (2). Rules shown: /finance/data with defaccess=NONE and usr1 read, usr2 write, usr3 none; /market/data with defaccess=ALL and usr1 none. USR1's `read (more) /finance/data` is an authorized request and is approved; USR1's `read (more) /market/data` is denied, because the explicit "none" entry for usr1 overrides the resource's default of ALL.)
  • Tracking the Real User
    • eTrust Access Control tracks original login id
  • Security Controls: Login, File, Inbound Network, Privilege, Process, Outbound Network
  • Login Controls
    • Time of Day/Day of Week
    • Source Host
    • Service Used
    • Password Controls
    • Password Propagation and Sync
      • UNIX, NT, LINUX, CA-ACF2, CA-TSS
    • Expiration and account locking
  • Privilege
    • Limit the privileges of the Administrator account and members of the Administrators group
    • Delegate administrative privileges to users who are not members of the Administrators group and Subdivide administrative tasks so that they can be distributed to a number of special users.
    • Control who can switch user identity to root or other accounts (su)
    • Control which programs can be run under a different account (sudo)
      • Install and manage Oracle or SAP without needing root access
    • Tripwire functionality (SUID programs)
      • Disallow execution of untrusted programs
        • inode checksum, CRC-32, MD5 hash
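The "Tripwire functionality" bullet above describes a trusted-program check: record a baseline of each SUID program's inode, checksum and hash, and refuse to execute a program whose current attributes differ. The following is an added example in Python, not eTrust AC code; it records the attributes the slide lists (inode, CRC-32, MD5) plus size, mode and SHA-256, and builds its sample binaries in a temporary directory so it can run offline. The file names and contents are constructed for illustration.

```python
"""Added example (not eTrust AC code): Tripwire-style trusted-program check
for SUID binaries.  A baseline of inode, size, mode, CRC-32 and MD5 (the
attributes the slide names) plus SHA-256 (MD5 alone is no longer
collision-resistant) is recorded per program; any mismatch makes the program
untrusted and its execution should be refused."""
import hashlib
import os
import stat
import tempfile
import zlib


def fingerprint(path):
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "inode": st.st_ino,
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def verify(path, baseline):
    """Return (trusted, changed_attributes). A program missing from the
    baseline is untrusted by definition."""
    if path not in baseline:
        return False, ["not in baseline"]
    current = fingerprint(path)
    changed = [k for k, v in baseline[path].items() if current[k] != v]
    return not changed, changed


def suid_programs(root):
    """Walk `root` and return files carrying the setuid bit: these are the
    programs worth baselining, because a tampered one hands out root."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and os.stat(p).st_mode & stat.S_ISUID:
                found.append(p)
    return sorted(found)


def demo():
    """Constructed scenario: baseline a fake SUID 'passwd', tamper with it in
    place (same inode, new content) and check that verification now fails."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "passwd")      # stand-in for /usr/bin/passwd
        helper = os.path.join(d, "helper")    # ordinary file, must not be baselined
        with open(prog, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        with open(helper, "wb") as f:
            f.write(b"#!/bin/sh\necho helper\n")
        os.chmod(prog, 0o4755)
        os.chmod(helper, 0o755)
        targets = suid_programs(d)
        baseline = build_baseline(targets)
        before = verify(prog, baseline)[0]
        with open(prog, "ab") as f:           # attacker appends to the binary
            f.write(b"echo backdoor\n")
        after, changed = verify(prog, baseline)
        return {"targets": [os.path.basename(p) for p in targets],
                "before": before, "after": after, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

The in-place append keeps the inode number, which is why an inode check alone is not enough and the content hash is what catches the change; conversely, a replace-by-rename changes the inode even if the attacker reproduces the old hash, so both attributes are worth keeping.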
  • File/Directory Controls
    • Granular access control for all files
      • /etc/passwd, htdocs, /cgi-bin/*, C:\WINNT\SYSTEM32\*
    • Wildcard options (* ?) for groups of related files
    • Program pathing
      • Example: only your application can open certain files
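The decision path from the Native Security Architecture and Access Control Security Enhancement slides (a rules database with per-resource defaccess and per-user entries consulted on each intercepted syscall), the wildcard and program-pathing rules from the File/Directory Controls slide, and the original-login-id tracking slide can all be shown with one small rule evaluator. The following is an added illustration in Python and is not eTrust AC code: the rule shape and the /finance/data and /market/data entries come from the slides, while the class names, the /cgi-bin/* program-pathing rule and the su-to-root case are assumptions.

```python
"""Added illustration (not eTrust AC code) of a host-level rule database that
is consulted on each intercepted file syscall before the native permission
check.  Audit records carry the original login id, so an su to root is still
attributed to the person who logged in."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

LEVELS = {"none": 0, "read": 1, "write": 2, "all": 3}


@dataclass
class Resource:
    pattern: str                              # path or wildcard, e.g. "/cgi-bin/*"
    defaccess: str = "none"                   # used when no ACL entry matches
    acl: dict = field(default_factory=dict)   # user -> access level
    pacl: dict = field(default_factory=dict)  # (user, program) -> access level (program pathing)


def _allows(granted, wanted):
    return LEVELS[granted.lower()] >= LEVELS[wanted.lower()]


class RuleDB:
    def __init__(self, resources):
        self.resources = list(resources)
        self.audit = []

    def _match(self, path):
        hits = [r for r in self.resources if fnmatch(path, r.pattern)]
        # the most specific (longest) pattern wins, so "/cgi-bin/*" beats "/*"
        return max(hits, key=lambda r: len(r.pattern)) if hits else None

    def check(self, login_user, effective_user, program, path, access):
        """Decide an intercepted request.  login_user is the id the session
        originally logged in with (tracked across su); effective_user is the
        current uid; program is the executable issuing the call."""
        res = self._match(path)
        if res is None:
            approved, via = True, "native"     # unprotected: native permissions decide alone
        elif (effective_user, program) in res.pacl:
            approved, via = _allows(res.pacl[(effective_user, program)], access), "pacl"
        elif effective_user in res.acl:
            approved, via = _allows(res.acl[effective_user], access), "acl"
        else:
            approved, via = _allows(res.defaccess, access), "defaccess"
        self.audit.append({"login_user": login_user, "effective_user": effective_user,
                           "program": program, "path": path, "access": access,
                           "via": via, "approved": approved})
        return approved


# Rules taken from the slide diagram plus one assumed program-pathing rule.
RULES = RuleDB([
    Resource("/finance/data", "none", acl={"usr1": "read", "usr2": "write", "usr3": "none"}),
    Resource("/market/data", "all", acl={"usr1": "none"}),
    Resource("/cgi-bin/*", "none", pacl={("www", "/usr/sbin/httpd"): "read"}),
])


if __name__ == "__main__":
    # usr1 may read /finance/data even though the file is root-owned 644,
    # root may not (not in the ACL, defaccess is none), and the audit trail
    # records that "root" was really alice.
    print(RULES.check("usr1", "usr1", "/bin/more", "/finance/data", "read"))
    print(RULES.check("alice", "root", "/bin/cat", "/finance/data", "read"))
    print(RULES.audit[-1])
```

The same rule shape covers the Process slide that follows: treat a daemon's start/stop as the resource and the webmaster's account as the ACL entry, and root is denied unless listed.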
  • Process
    • Ensure system and application availability
    • Control who can start/stop any daemon
      • For the web server, only the sysadmin and webmaster have access; the root user cannot affect it
    • In Windows control access of SYSTEM account
  • Inbound and Outbound Network
    • Act as a soft Firewall
    • Restrict TCP/IP services based on:
      • Host Name / IP (HOST)
      • Group of Hosts (GHOST)
      • Subnet of Hosts (HOSTNET)
      • Name Pattern (HOSTNP)
    • Can also be defined by Service (TCP)
    • Restrict users from outgoing TCP/IP Services (CONNECT)
      • By Name and Destination
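The Login Controls slide (time of day, day of week, source host, service) and the Inbound and Outbound Network slide (HOST, GHOST, HOSTNET and HOSTNP rules for inbound TCP services, CONNECT rules per user for outgoing connections) describe a policy check that is easy to model. The following is an added example in Python, not eTrust AC code: the rule class names follow the slides, but the data structures, the ordering semantics (first matching rule wins, no match means deny) and the constructed hosts, subnets and users are assumptions.

```python
"""Added example (not eTrust AC code) modelling the login and network
controls from the slides: login restricted by day/time, source host and
service; inbound TCP services restricted by HOST, GHOST, HOSTNET and HOSTNP
rules; outbound CONNECT restricted per user by destination name and service."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch

# Constructed host group for GHOST rules.
HOST_GROUPS = {"admin-jumphosts": {"jump1.corp.example", "jump2.corp.example"}}


@dataclass
class HostRule:
    kind: str                   # "HOST" | "GHOST" | "HOSTNET" | "HOSTNP"
    value: str                  # host name/IP, group name, CIDR subnet or name pattern
    allow: bool
    services: frozenset = None  # None means every TCP service


def host_matches(rule, name, ip):
    if rule.kind == "HOST":
        return rule.value in (name, ip)
    if rule.kind == "GHOST":
        return name in HOST_GROUPS.get(rule.value, ())
    if rule.kind == "HOSTNET":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.value, strict=False)
    if rule.kind == "HOSTNP":
        return fnmatch(name, rule.value)
    raise ValueError(rule.kind)


# Constructed inbound rule set: an explicit block first, then the jump hosts,
# then the internal network for ssh only, then corporate names for ssh/https.
INBOUND = [
    HostRule("HOST", "203.0.113.7", allow=False),
    HostRule("GHOST", "admin-jumphosts", allow=True),
    HostRule("HOSTNET", "10.0.0.0/8", allow=True, services=frozenset({"ssh"})),
    HostRule("HOSTNP", "*.corp.example", allow=True, services=frozenset({"ssh", "https"})),
]


def inbound_allowed(name, ip, service, rules=INBOUND):
    """First rule matching both host and service decides; no match = deny
    (the 'soft firewall' default)."""
    for r in rules:
        if host_matches(r, name, ip) and (r.services is None or service in r.services):
            return r.allow
    return False


# Constructed CONNECT rules: user -> [(destination name pattern, allowed services)]
CONNECT = {"dba": [("db*.corp.example", {"1521"})],
           "www": [("*.corp.example", {"443"})]}


def outbound_allowed(user, dest_name, service, rules=CONNECT):
    """Outgoing connections are denied unless a CONNECT rule for the user
    matches the destination name and service."""
    return any(fnmatch(dest_name, pat) and service in svcs
               for pat, svcs in rules.get(user, []))


@dataclass
class LoginPolicy:
    days: frozenset        # weekday numbers, Monday = 0
    start: time
    end: time
    sources: tuple         # source host name patterns
    services: frozenset    # login services, e.g. ssh, telnet


LOGINS = {"dba": LoginPolicy(frozenset({0, 1, 2, 3, 4}), time(8, 0), time(18, 0),
                             ("*.corp.example",), frozenset({"ssh"}))}


def login_allowed(user, when, src_name, service, policies=LOGINS):
    p = policies.get(user)
    if p is None:
        return False
    return (when.weekday() in p.days
            and p.start <= when.time() < p.end
            and any(fnmatch(src_name, s) for s in p.sources)
            and service in p.services)


if __name__ == "__main__":
    print(login_allowed("dba", datetime(2006, 3, 15, 10, 0), "db-admin.corp.example", "ssh"))
    print(inbound_allowed("x.other", "10.2.3.4", "telnet"))
    print(outbound_allowed("dba", "db1.corp.example", "1521"))
```

Rule order matters for the inbound set: putting the HOST deny first means a blocked address stays blocked even if it also falls inside an allowed subnet or name pattern, which is the usual way to express exceptions in first-match policies.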
  • eTrust AC Deployment
    • User admin
    • Password mgmt
    • Role / Policy def
    • Rule mgmt
    • Logs and report
    (Deployment diagram: eTrust AC endpoints subscribe to a hierarchy of PMDBs; ACF/2 password synchronization and ACF/2 authentication; web, command-line and GUI-based administration options)
  • Audit and Reporting: Security Command Center (dashboard and reporting)
  • Top Five Features
    • Super-user control and delegation
        • Super-user (single point of failure) -> reduced and divided
        • Delegated user -> specific and tracked
        • Regular user -> unaffected
    • Role-based security (RBAC)
    • Centralized administration of security policies
    • Stack overflow protection = Host-based Intrusion Prevention / HIP
    • Secure and detailed auditing
    Access Control is your last layer of Protection
  • Top Five Benefits
    • Regulatory compliance (data confidentiality)
    • Role separation enforcement
    • Ease of cross platform management
    • Least privilege model realization
    • Audit log integrity assurance
  • Secure UNIX Access Management
    • with
    • eTrust ™ Access Control
    • Thank You.