For prepared shops, we hope to find that since they protected and centralized audit information, they can analyze the information and can be certain that the log records have integrity. They should also have a well-defined incident response plan that includes recovery and disclosure.
Unprepared shops can try to determine the root cause, plug the hole and only "trust" that it doesn't happen again.

What signs of suspicious activity do admins sometimes overlook?
Here are the worst oversights:
- New users added to the system
- Change in file permissions
- Introduction of new software
- New port usage
- Multiple failed logins, file access, etc.
These red flags are often "overlooked" because of the number of logs that administrators need to monitor. Too much security information results in information overload and makes it difficult to find the needle in the haystack. Tools are available to collect, correlate and analyze this log information in an efficient manner.

What best practices do you suggest for an IT shop that wants to catch vulnerabilities and fix them?
This can be a challenge for certain organizations. Creating and maintaining baseline policies can be a substantial task. Many access control and policy compliance tools offer baseline best practices to help organizations initially create their policies. Many security advisories like storage area networks provide some best practices that can also serve as a starting point for baselines.
The secondary issue is being able to deploy new baselines and policies across all systems in a consistent manner. This usually requires the use of a central policy management tool or some creative scripting.
A superuser is one who has a very high level of privileges on a system. A root user is a superuser in Linux. Root can access/modify/delete any resource on a Linux system. For example, a person logged on as root can modify and delete system audit logs, which results in unreliable accountability information. This unmonitored and unrestricted access can lead to many exploits and untraceable suspicious activity. (Root is normally a shared ID and anything done as root is always logged as root -- not a specific user). Many hackers and malicious code will also try to gain access to Linux systems as superuser so they can maximize damage.

How are most companies managing access control today? What's right and wrong about that?
Access to systems can be granted through different ways. Authentication can vary from a basic /etc/passwd file to a Lightweight Directory Access Protocol (LDAP) and possibly biometrics. Pluggable Authentication Modules (PAM) have given Linux various ways to account for authentication. Many organizations are beginning to use a central credential store for authentication. This allows users to be defined and managed in one place, allowing for easier user management and consistent password policy.
If biometrics is used, it allows organizations to bypass the use of passwords and have stronger authentication into their systems. Once authenticated, users must be authorized to the resource they have access to, and this is usually determined by the group they belong to. More advanced organizations use access control technologies to provide a greater level of granularity and to ease the administration of user groups.
Inconsistent policies have been the downfall of well-intentioned access control policies. Making sure that we have well-defined role-based access controls will help us manage and enforce the right access to the right resources. In addition, the inability to manage policies across a variety of platforms is a problem.
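As an added illustration (not part of the interview) of the baseline-compliance and group-based authorization points above: a small Python check that compares /etc/passwd and /etc/group content against a role baseline, flagging any second UID-0 account (an unaccounted-for superuser) and any member of a privileged group who is not in the approved role list. The file contents and the ROLE_BASELINE mapping are constructed for the example.

```python
"""Baseline check of Linux account data against a role policy (example only)."""

# Constructed sample /etc/passwd and /etc/group content, not from a real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/bin/sh
"""
GROUP = """root:x:0:
sudo:x:27:alice,svc
wheel:x:10:
"""
# Assumed role baseline: the only accounts allowed in each privileged group.
ROLE_BASELINE = {"sudo": {"alice"}, "wheel": set()}


def parse_passwd(text):
    """Map user name -> uid, primary gid and shell from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """Map group name -> (gid, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def check_baseline(passwd_text, group_text, baseline):
    """Return sorted findings where the account data departs from the baseline."""
    findings = []
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    # Any account besides root with UID 0 is a superuser the policy does not know about.
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append(f"extra UID-0 account: {name}")
    # Effective membership = explicit /etc/group members plus users whose
    # primary GID in /etc/passwd is that group (easy to miss when auditing).
    for grp, allowed in baseline.items():
        gid, explicit = groups.get(grp, (None, set()))
        primary = {n for n, u in users.items() if u["gid"] == gid}
        for member in (explicit | primary) - allowed:
            findings.append(f"{member} in {grp} but not in role baseline")
    return sorted(findings)
```

Running the same check on every host from a central location is how the "deploy baselines consistently" step above is realised; differences in the findings between hosts are the policy drift to investigate.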