Script for Local User and Group Baselines

In keeping with my New Year’s resolutions, I want to continue posting information on how an auditor might take advantage of baselines when performing an Information System (IS) audit. Certainly I hope system administrators will be able to take advantage of this information as well when performing their own Control Self Assessments (CSAs).

As we discussed earlier, we are going to rely primarily on PowerShell to pull this information for us, so all of the scripts you will see in this series will be written as PowerShell scripts. To make your life easy, install PowerShell version 2.0; that will give you the latest functionality and the same development environment we are primarily using to write these scripts.

So to get started with our baseline scripts, we are going to use a couple of easy scripts to produce a list of the user accounts and the groups on a local Microsoft Windows machine (Windows 2000 or later). To produce a list of local user accounts, try the following command:

Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | Select-Object Domain,Name,Disabled

For a list of groups on a local machine, try the following command:

Get-WmiObject Win32_Group -filter "LocalAccount=True" | Select-Object Domain,Name
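The two one-liners above list accounts and groups but not who is in each group, which is the part of a "User accounts / Group memberships" baseline that changes most often. The following script is an added example, not one of the original post's scripts: it builds on the same Win32_UserAccount and Win32_Group queries, adds the Win32_GroupUser association class to resolve group membership, and writes everything to one CSV file so later snapshots can be compared. The -OutFile parameter and the column layout are assumptions of this example.

```powershell
# Added example (not from the original post): capture local users, local groups and
# local group memberships into a single CSV baseline file.
# Written for PowerShell 2.0, to match the rest of this series.
param(
    # Assumed parameter: where the baseline CSV is written (one file per day by default)
    [string]$OutFile = ".\baseline-localaccounts-$(Get-Date -Format yyyyMMdd).csv"
)

$computer = $env:COMPUTERNAME

# Every row gets the same columns so the three record types fit one CSV.
function New-BaselineRow {
    param($Type, $Name, $SID = '', $Disabled = '', $PasswordRequired = '', $Member = '')
    New-Object PSObject -Property @{
        Type = $Type; Name = $Name; SID = $SID
        Disabled = $Disabled; PasswordRequired = $PasswordRequired; Member = $Member
    }
}

# 1. Local user accounts, with the attributes an auditor checks most often
$users = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
    New-BaselineRow -Type 'User' -Name $_.Name -SID $_.SID -Disabled $_.Disabled -PasswordRequired $_.PasswordRequired
}

# 2. Local groups
$groups = Get-WmiObject Win32_Group -Filter "LocalAccount=True" | ForEach-Object {
    New-BaselineRow -Type 'Group' -Name $_.Name -SID $_.SID
}

# 3. Group memberships. Win32_GroupUser links a group (GroupComponent) to a member
#    (PartComponent); both are WMI object paths of the form
#    \\HOST\root\cimv2:Win32_Group.Domain="HOST",Name="Administrators"
#    so Domain and Name are pulled out of the path with a regular expression.
$pathPattern = 'Domain="([^"]+)",Name="([^"]+)"'
$members = Get-WmiObject Win32_GroupUser | ForEach-Object {
    if ($_.GroupComponent -match $pathPattern) {
        $groupDomain = $Matches[1]
        $groupName   = $Matches[2]
        # Keep only local groups; their members may be local or domain principals.
        if ($groupDomain -eq $computer -and $_.PartComponent -match $pathPattern) {
            New-BaselineRow -Type 'GroupMember' -Name $groupName -Member "$($Matches[1])\$($Matches[2])"
        }
    }
}

$baseline = @($users) + @($groups) + @($members)
$baseline |
    Select-Object Type, Name, Member, SID, Disabled, PasswordRequired |
    Sort-Object Type, Name, Member |
    Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($baseline.Count) baseline rows to $OutFile"

# Quick control check while we are here: an enabled local account that does not
# require a password is a finding on its own, baseline or not.
$users | Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } | ForEach-Object {
    Write-Warning "Enabled local account with no password required: $($_.Name)"
}
```

Run it once on the freshly built system and keep the CSV with the system documentation; run it again at each review and diff the two files. Sorting before export matters: Get-WmiObject returns rows in no guaranteed order, and a sorted file keeps a text or Compare-Object diff readable.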

Now, could we have used WMIC to do much of the same work? Of course! But for the sake of this series we are going to use PowerShell instead. Once everyone gets a taste for the simple scripts, we’ll move on to slightly more difficult ones. So let’s stay in the same language to be consistent.

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you have any requests, don’t be shy; feel free to send them along.

Examples of System Baselines

Ok, it sounds like we should have one more point of clarification. In our last blog post we described a process to follow for creating and maintaining system baselines. But after thinking about it, one more thing auditors, or administrators performing Control Self Assessments (CSAs), might want to consider is what types of baselines could be gathered to comprehensively assess a system.

Some baselines an auditor might want to gather would be:

  - User accounts / Group memberships
  - Running services
  - Installed software
  - System security configurations
  - Installed hardware devices
  - Removable devices
  - System performance

Most definitely there are more baselines than this that we might consider gathering, but this should be a good place to start on a system. For network devices or applications you might want to consider other criteria, but this is a good starting point for systems.

For the rest of the year we have decided to post specific methods for gathering baselines. We want to provide practical methods and scripts for gathering information from systems. We hope they’re helpful to everyone. If you have any requests, please don’t hesitate to drop us a line and let us know!

More Baselining Ideas – The Baselining Process

So I’ve had some questions about exactly what I mean by baselining and what types of things an auditor should be baselining when they’re examining a system. So let me take a few words to clarify what I meant.

First of all remember, the reason we perform a baseline is to determine if changes to the system change the security level of the system being examined. Ideally we are establishing a baseline of a system in a “known good” or secure state. In government terms this might be likened to a certification and accreditation process. But the idea is to identify a snapshot of what “secure” looks like for a given system. Then by performing subsequent baselines of the system and comparing them to the original, we will be able to see if there are any unauthorized changes to the system and if those unauthorized changes lower the overall security level of the system. This process works for auditors, incident handlers, forensicators, and others looking to assess the security level of a system.

So the baselining process would be:

  1. Build a clean system / declare a system to be secure.
  2. Create a baseline of the system in the “known good” state.
  3. Engage in a healthy change / configuration management process.
  4. Update system baselines after every approved change.
  5. Periodically create a new baseline of the system’s current state.
  6. Compare the most recent baseline to the last “known good” baseline.
  7. Analyze the two baselines for differences.
  8. Repeat / remediate risk if necessary.
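Steps 5 through 7 are where most of the manual effort goes, so here is an added example of the comparison step (example code, not part of the original post). It takes two baselines as rows with Type, Name and Member columns, which is enough to identify any item from the list of baseline types in the previous post (a user, a group membership, a service, an installed package), and reports what was added, removed or changed in the attribute columns. The sample "known good" and "current" baselines are constructed for the example; in practice you would Import-Csv the two files you saved.

```powershell
# Added example (not from the original post): compare a newly captured baseline with
# the last "known good" one and report Added / Removed / Changed items.
# Rows need only Type, Name and Member columns to form a key, so the function works
# for a user/group baseline or any other row-per-item baseline (services, software...).

function Get-BaselineKey {
    param($Row)
    "$($Row.Type)|$($Row.Name)|$($Row.Member)"
}

function Compare-Baseline {
    param(
        [Parameter(Mandatory = $true)] $KnownGood,   # rows from the last approved baseline
        [Parameter(Mandatory = $true)] $Current,     # rows from the baseline just captured
        [string[]]$Attributes = @('SID', 'Disabled', 'PasswordRequired')  # columns compared for 'Changed'
    )
    $ref = @{}
    foreach ($row in $KnownGood) { $ref[(Get-BaselineKey $row)] = $row }
    $cur = @{}
    foreach ($row in $Current)   { $cur[(Get-BaselineKey $row)] = $row }

    # Anything in the current snapshot: new item, or same item with a changed attribute
    foreach ($key in $cur.Keys) {
        $now = $cur[$key]
        if (-not $ref.ContainsKey($key)) {
            New-Object PSObject -Property @{ Change = 'Added'; Type = $now.Type; Name = $now.Name; Member = $now.Member; Detail = '' }
            continue
        }
        $was = $ref[$key]
        foreach ($attr in $Attributes) {
            # Missing columns read as $null on both sides and therefore never differ
            if ("$($was.$attr)" -ne "$($now.$attr)") {
                New-Object PSObject -Property @{
                    Change = 'Changed'; Type = $now.Type; Name = $now.Name; Member = $now.Member
                    Detail = "${attr}: $($was.$attr) -> $($now.$attr)"
                }
            }
        }
    }
    # Anything only in the known-good snapshot has been removed
    foreach ($key in $ref.Keys) {
        if (-not $cur.ContainsKey($key)) {
            $was = $ref[$key]
            New-Object PSObject -Property @{ Change = 'Removed'; Type = $was.Type; Name = $was.Name; Member = $was.Member; Detail = '' }
        }
    }
}

# Constructed sample data: the approved baseline of a host named HOST
$knownGood = @'
Type,Name,Member,SID,Disabled,PasswordRequired
User,Administrator,,S-1-5-21-1000-500,False,True
User,Guest,,S-1-5-21-1000-501,True,False
User,svc_backup,,S-1-5-21-1000-1001,False,True
Group,Administrators,,S-1-5-32-544,,
GroupMember,Administrators,HOST\Administrator,,,
'@ | ConvertFrom-Csv

# Constructed sample data: the baseline captured today. Guest has been enabled,
# a new account exists, and that account has been put in Administrators.
$current = @'
Type,Name,Member,SID,Disabled,PasswordRequired
User,Administrator,,S-1-5-21-1000-500,False,True
User,Guest,,S-1-5-21-1000-501,False,False
User,svc_backup,,S-1-5-21-1000-1001,False,True
User,tmpadmin,,S-1-5-21-1000-1002,False,True
Group,Administrators,,S-1-5-32-544,,
GroupMember,Administrators,HOST\Administrator,,,
GroupMember,Administrators,HOST\tmpadmin,,,
'@ | ConvertFrom-Csv

# Real use: $knownGood = Import-Csv .\baseline-known-good.csv ; $current = Import-Csv .\baseline-today.csv
Compare-Baseline -KnownGood $knownGood -Current $current |
    Sort-Object Change, Type, Name, Member |
    Format-Table Change, Type, Name, Member, Detail -AutoSize
```

Every row this produces is either an approved change that should already be in the change management record (step 4) or an unauthorized change to investigate (step 8). Keying on Type, Name and Member rather than on the whole row is deliberate: it lets a re-enabled account or a changed SID show up as a change to a known item instead of as an unrelated remove-and-add pair.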

We can use this process to look for unauthorized changes. Unauthorized changes to a system very likely can be indicators of a bigger problem, and most definitely something an auditor would want to be aware of when performing an assessment.

Next we’ll cover what to baseline and how…

Baselining as a Primary Audit Tool

So if I was trapped on a desert island and only had one audit tool that I could have with me to audit the island’s DHARMA systems, which would I want…

For me the answer would have to be baselines. As an auditor, ideally I want to ensure that an organization’s technology systems reflect a conscious decision on the part of the organization. In other words, I want to ensure that technology has been implemented, with a full understanding of the potential risks those systems pose, and that they have been implemented in a systematic, tested, and documented fashion. Or said another way, I don’t want to see an organization deploy systems in an ad hoc manner that exposes them to risk – I want to see controlled implementations.

A huge indicator of a controlled environment is documentation on the system being implemented. Specifically I’m looking for documented system baselines, which demonstrate evidence of conscious decisions on the part of the organization to protect and secure their information.

RSA, a security division of EMC, in their Information Security Glossary defines baseline or baselining as the following:

“An effective method for identifying security attacks on a network, baselining starts by measuring normal activity on a network or network device. That measurement is used as threshold, or baseline, to detect unusual patterns or changes in levels of activity. With this method, the security expert can focus efforts on evaluating anomalies instead of looking for them by reviewing huge log files. The term is also used to refer to other security practices. A baseline, or security baseline often refers to an organizational standard for securely configuring network devices. It can also refer to the results of an organization’s first security assessment. This becomes the baseline against which the organization measures improvements and changes.”

For most auditors understanding the concept of a baseline is the easy part. The devil, it turns out, is in the details. The information auditors really want to know is what information should be baselined and then practically how do you go about performing that baseline. Of course the ultimate conclusion to this discussion would be to consider how to integrate baselines with an organization’s efforts for continuous monitoring and automation.

This year one of my goals is to help auditors by providing them resources which will enable them to more efficiently create baselines of their systems and later automate checks of those baselines. To that end I’ve decided this year I will be releasing a number of scripts to help auditors perform baselines of their systems. The scripts that I will be releasing this year will all be Microsoft PowerShell scripts, but I may throw in a few Unix Bash scripts along the way just for some diversity. So enjoy the scripts and feel free to make requests. Most importantly we want to be able to offer resources that will help you in your efforts to better secure your systems.

Wishing you a Happy New Year and a Secure 2011!

Audit Checklists a Day: MySQL Database Audit Checklists (Week in Review)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

In our last batch of posts we continued our month of database audit checklists with tweets focusing on MySQL database systems. This month we’ve tried to bring you a series of audit checklists for databases that would help you, regardless of the application system that is the scope of your audit. So many of the business systems we audit utilize databases as backend systems to support the application that we often find ourselves in the situation where we need to audit databases as well. I hope these MySQL checklists help (regardless of what Oracle decides to do with MySQL in the near future).

Also, while many of you on Twitter have already noticed this, we have been using a particular Twitter hashtag when posting our tweets. Each of our daily posts can be found using the hashtag #AuditChecklists.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing MySQL Database Systems:

From Cert-in.org

From NGS Software

From the SANS Institute

From Webmaster2020.com

From MySQL

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Oracle Database Audit Checklists (Week in Review – April 17, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

Last week we continued our month of database system audit checklists with a week of checklists on how to audit Oracle database systems. Like last week most of these checklists focus on the database server itself, and not the application code, database structure, or permission sets in the database. But at least these should serve as starting points for someone who is auditing technical controls on Oracle systems.

Also, while many of you on Twitter have already noticed this, we have been using a particular Twitter hashtag when posting our tweets. Each of our daily posts can be found using the hashtag #AuditChecklists.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing Oracle Database Systems:

From the SANS Institute

From Oracle

From ISACA

From Vgrigorian

From Pete Finnigan

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Microsoft SQL Server Audit Checklists (Week in Review – April 12, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

Last week we tweeted on audit checklists we thought might be useful when auditing a Microsoft SQL Server. There are so many MSSQL servers deployed today that it seems like you can hardly perform an audit without running into one. Maybe you audit a full blown instance of a server, or on the other hand maybe you only see SQL Express or the older MSDE installed. But still they seem to multiply like rabbits. So this week we tried to provide you resources to help with those audits. This also begins our month of database checklists. So every day (work day that is – please don’t make us tweet these on the weekends) we’ll post a new checklist.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing Microsoft SQL Servers:

Microsoft TechNet Checklist

Microsoft MSDN Checklist

Microsoft MSDN Checklist

TechTarget Checklist

SQLSecurity.com Checklist (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Phone System Audit Checklists (Week in Review – April 5, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

This week we focused on checklists to assist you with your audits of phone systems. Some of the checklists focus on general audit techniques for phone systems and some of them are particular to Voice over IP systems. I hope these will assist you as you’re auditing more than just network devices. Enjoy!

Audit Checklists for Auditing Phone Systems / PBX / VoIP:

General PBX Audit

General PBX Audit (Old Link Removed)

General PBX Audit (Old Link Removed)

VoIP Audit

VoIP Audit

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

DARPA & MIT Partnership – Example of “Leap-Ahead” Technology?

Yesterday, DARPA and MIT announced the results of a project that has been in development which would allow an organization’s network to function even while under an active attack from a distributed denial of service or similar attack. Overly simplified, it’s a network-based whitelisting solution with the ability to baseline normal traffic patterns and automatically block traffic if it detects that it’s under attack. Think of it like an advanced IPS on steroids.

TheNewNewInternet.com reported on it Thursday and stated:

“Previously, when a system was under cyber attack, the only solution to mitigate the threat was to take the server offline. However, there may now be another option. MIT researchers have developed a system that allows servers and computers to continue to operate even while under cyber attack.

The research, predominately funded by the U.S. Defense Department’s Defense Advanced Research Projects Agency (DARPA), has stood up to outside testing. DARPA hired outside security experts to attempt to bring down the system. According to Martin Rinard, an electrical engineering and computer science professor who led the project, the system exceeded DARPA’s performance criteria in each test.

During normal operations, the system developed by the MIT team monitors any programs running on computers connected to the Internet. This allows the system to determine each computer’s normal behavior range. When an attack occurs, the system does not allow the computers to operate outside of the previously determined range.

“The idea is that you’ve got hundreds of machines out there,” Rinard says. “We’re saying, ‘Okay, fine, you can take out six or 10 of my 200 machines.’” But, he adds, “by observing what happens with the executions of those six or 10 machines, we’ll be able to deploy patches out to protect the rest of the machines (http://tr.im/Sosj).”

So why is this all so interesting and worth repeating? First of all, I think this is a great example of a public / private partnership in the realm of cybersecurity defense. We simply don’t see enough of this kind of activity. Secondly, I have to appreciate their focus on an automated response to cyber attacks. This has been one of the major premises of the 20 Critical Controls / Consensus Audit Guidelines for quite some time and it’s great to see these groups creating solutions in that same spirit.

Finally I think it’s interesting in light of the mission of DARPA’s National Cyber Range project, which is:

“The National Cyber Range (NCR) is DARPA’s contribution to the new federal Comprehensive National Cyber Initiative (CNCI), providing a “test bed” to produce qualitative and quantitative assessments of the Nation’s cyber research and development technologies. Leveraging DARPA’s history of cutting-edge research, the NCR will revolutionize the state of the art for large-scale cyber testing. Ultimately, the NCR will provide a revolutionary, safe, fully automated and instrumented environment for our national cyber security research organizations to evaluate leap-ahead research, accelerate technology transition, and enable a place for experimentation of iterative and new research directions (http://www.darpa.mil/sto/ia/ncr.html – Link Removed from DARPA’s site).”

So is this an example of a “leap-ahead” research project? We might all have different opinions. But the bottom line is that it appears that the DARPA initiatives are moving forward. Let’s all hope this is just one of many more game changing technologies that we hope to see in the near future from these teams.

Checklists a Day: Virtualization Audit Checklists (Week in Review – February 22, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

We decided to hit another hot topic this week, so we decided to talk about virtualization. I mean, when you’re not talking about cloud computing security over the family dinner table, you’re probably most likely talking about virtualization security and how it impacts your daily lives (Honey, can you install that new garbage disposal? Of course I can dear, but couldn’t we just virtualize it?). So we’re hoping that these audit checklists will help you as you’re evaluating the controls that protect these environments. You know you’re using them, might as well protect them!

Audit Checklists for Auditing Virtualized Environments: 

DISA (Old Link Removed)

Tripwire (Old Link Removed)

VirtualizationAdmin.com

Microsoft

DarkReading

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.