MIS Security Check | Password | Computer Security

MIS Security Check-list

Introduction
Consider your entire organization
When considering security, the best way to avoid obvious breaches of security is to capture the big picture of your installation. Practically, this means that you should work from the outside in, ie. consider security of the building and area, then the actual offices, followed by the network infrastructure, and end with hosts themselves. It's a bit pointless to spend a lot of time securing hosts if anyone can walk into the server room and walk out with a host under each arm. Those things do happen. This is all the more important since most of computer crime is perpetrated by insiders, for obvious ease of action and lack of interest to hackers about the average corporate data. Because it is more exciting to most system administrators, computer books usually concentrate on securing hosts, but sound computer security doesn't deal with just individual computers. You must consider your entire organization.

Prepare for disaster
Generally speaking, check for any single point of failures in your environment, and provide backup solutions. Perform dry runs regularly to make sure everyone knows what to do in case of a breakdown. Post-incident plans must be updated whenever any change is made to your site, and as much as possible, everyone, especially MIS personnel, must be capable of performing the procedures. Plans should also include procedures to solve day-to-day MIS activities, like installing a new host, welcoming a new employee, etc. Also, whenever possible, use fail-safe tools, ie. should the device fail, they should refuse access instead of letting people in. A firewall is not the magic bullet to securing a site. Generally speaking, try to place as many barriers as possible between valued asset and a potential adversary, without this security being too invasive to employees. Remember that an effective security policy requires that every single employee abide by it, and not just the rank-and-files. The more prepared you are to handle break-ins and disasters, the better for the image of the company and the MIS team. In addition, your company may be held responsible legally if your network was used by hackers to launch attacks on other sites. You might want to hire an outside company to test your security at random times.

Usage policy
A usage policy is an important user-oriented document, not just to cover your ass in case someone in your organization steals information that is off-limit for them, but also because it forces you to think about how your organization works from an MIS point of view.

Security policy
A security policy is more MIS-oriented than the user policy, and its goal is to offer a big picture view of security of your organization.

Buildings
Keep in touch with local police authorities about robberies in your area, as thieves are likely to keep using a tactic if it proved successful in a location (eg. burglars pretending to be couriers and stealing unattended portable PCs.) Update this list accordingly, and warn users about those new risks. Also, check with authorities what the regulations are about setting up an alarm system at your site, and whether it can be set up to call up the police automatically when the alarm goes off.

Doors and windows

 

All entrances must be equipped with secure locking devices that cannot be circumvented (key locks, dead bolts, cipher locks, etc.), and hinge pings that are spotwelded or otherwise protected Doors must be constructed of sturdy material (steel, solid core wood), must not exceed the number for safe and efficient operation, and must always be secured when not in active use All ventilators or other possible means of entrance must be covered with steel bars or wire mesh grill All windows must be securely fastened from the inside. Windows accessible from the ground or located on roofs must come with window/glass tamper or breakage protection features, and be protected by steel bars or grill Check that blinds and shades are available to hide valued items from the outside

Locks and keys
    

         

Set up security patrols at random hours during the day, and end-of-workday security checks Check with local police authorities if day- and night-time patrols are scheduled in the neighborhood Access control cards must be clearly different for company personnel and visitors Provide escort for visitors If multiple corporate sites, inter-connect security systems to increase monitoring of sites located in different time zones, and to make travel easier by providing only one electronic badge to each employee Only MIS personnel should have access to the server room Grant users access with the least amount of privilege required to accomplish their job, using user profiles to manage accounts more securily Check the log files created by the application running the electronic locks Set up a procedure to monitor use of all locks and keys. Update when necessary Keep tracks of keys issued, with their number and identification, for both master keys and duplicate keys Keep records of use and turn-in of keys, and check locks quarterly Change locks immediately upon loss or theft of keys If used, master keys must be devoid of marking identifying them as such Only issue keys to authorized employees. Other must use an electronic badge. Keys not in use must be secured in a locked, fireproof safe that is secured to prevent removal

 

  

When making duplicates of master keys, mark them "Do Not Duplicate" and obliterate manufacturer's serial numbers Any visitor, either a corporate employee from another site or an outside guest, must warn MIS of his/her visit as early as possible, so as to provide adequate security (ie. some guest might need to be allowed in areas that are off-limit to standard guests.) Employees from other sites and guests must provide the following information: Name, Location, Visit Start and End Dates, Arrival Time, Access Needs Greater than Week Day (7 AM - 7 PM), Buildings to be Visited (if known), Employee e-mail address, Name of manager, Point of Contact at local site MIS must be informed of loss of access control card ASAP so as to disable access and provide a new, safe badge Guests must return their visitor access control card upon leaving the premises MIS must conduct periodical security inspections, and report any problem so as to implement corrective action

Alarm System
  

Set up either television recording, burglar alarm, or intrusion alarm systems linked to off-site security team. Test them regularly Make sure the television system can record a minimum of four days Check that the alarm systems are backed up automatically, and have an alternate or independent source of power available to cut in and operate automatically

Emergencies
            

Provide adequate protective lighting for all areas Mark emergency routes clearly Write procedures for emergency evacuations (fire, bomb threats, etc.), and exercise plans regularly Train users in fire fighting Provide response to medical emergency (phone numbers to local medical facilities; first aid supplies) Provide electronic-friendly sprinklers in or over the data center/server rooms No possible leaks over computers, especially server room (water pipes, sprinklers, AC units) Alarm systems must be tamper- , and weather resistant Provide security personnel trained in physical security Set up procedure to respond to alarms, including night-time and week-ends The monitoring system must provide sufficient information to investigate any breakin, and remedy Check that fake floors and ceilings cannot be used for break-ins Check that fire extinguishers and other fire fighting equipment are in sufficient number, that they match the type of fire they would be used to put off, and that they're properly secured on walls (no extinguisher lying around)

Offices
 

Install air conditioning to keep hosts (and users :-) cool, at least in the server room Have someone come in at least once a year to maintain AC units

 

 

 

Set up thermometers linked to monitoring software to check the temperature in the server room, and have it page/call or send e-mail if temperature rises In a large site, use a naming convention for rooms (eg. country names, etc.) and a cabling management software to make sure everyone understands which room and which plugs you mean Use asset management software to assure strict accountability of all company assets In highly-sensitive locations, make sure guests are either restricted to safe areas, escorted at all times, and that their bags are checked when they depart (Welcome to Intel :-) Consider printing sensitive information on easily identifiable paper (eg. yellow, orange, or red paper, depending on its importance), and forbid employees to go offsite with top sensitive documents Guests must sign a log when they visit, and register their laptop computers and camera (manufacturer and serial #.) Make sure there's always personnel available to watch entrances, and that they can call security and send an immediate message to everyone in the building should someone try to walk into the office unauthorized (especially important during lunchhour and late at night) Make sure video cameras connected to VCRs are pointing at all exits to help police authorities investigate break-ins

Network
  

 

 

Monitor your WAN links through MRTG, and your LAN through netstat -i (watch for the collision/outpackets, outerrs/outpackets, and inerrs/inpackets ratio) Use proxy servers to control use of bandwidth and to hide information about your private network Set up an alternate, anonymous connection to the Net to let users find information for yet-unannounced products, as the competition could use this information to tell what your company is working on Run monitoring software like Linux-based Netwatch to keep a eye on the use of network bandwitdth, especially on what servers on the Internet users are connecting. Install an intrusion detection server on all servers, both in the DMZ and in the internal network, and do not ignore traffic coming from your internal network. Consider putting a sensor both on your public routers and firewalls so as to be warned of any suspicious traffic (Unix) Do not run NIS if you can avoid it, or consider NIS+. Consider centralized authentication systems like Kerberos, or Samba Have agents run on all servers, so as to keep an eye on log files, disk space, etc. They could consist in Perl or Python scripts, as those have been ported to different environments and offer a rich amount of modules that avoid your reinventing the wheel If you discover that some hosts have been hacked, and you'd like to get in contact with people on remote sites (eg. a host from which the hacker seems to have connected, or MIS personnel at other corporate sites, etc.) to try to catch him redhanded, either use the phone, set up a brand new mail server, or use encrypted e-mails through PGP/GnuPG, as the hacker may have set up tools to snoop on your network, and be warned of your plans.

or have a courier pick them up at night. PGP/GnuPG.) and safes that are not meant to protect magnetic media If resorting to a courier solution. washing machines. as you'll need them after a fire or flood. consider encrypting data. or check how long it would take to be provided with new or temporary equipment by a commercial supplier or other corporate sites If your site is connected to remote sites through alternative links besides the Internet. WinPopup or ICQ) to reduce work disruption while allowing for broadcasts when needed (ie. as breaches of security there could easily end up jeopardizing your own site Remember that any unsecure host on your network can be used to launch an attack on other resources.) Run a live messaging application on all hosts (eg. Test it regularly. if possible.         Remind users that downloading binaries is either forbidden by corporate policy. especially the one flowing on public LANs. whether they are located on your LAN. Watch out for magnets (heated car seats. SSH. Some PBXs lets you use the loudspeaker of digital phones as a PA system. As the Melissa and ILOVEYOU viruses have shown. Unplug any unused . monitors. a suspicious individual is in the building. Set up some hosts loaded with anti-virus software and that can be easily removed from the network to test software downloaded from the Net. or the mail server just crashed). This can be done at different network levels (magic words are SSL/SSLey. make sure those sites also keep an eye on security. or. Could be used to set up a host to sniff passwords. consider setting up a SAN instead LAN  Check if you really need walk-up network connections. Encourage users to p Encrypt all network traffic. unprotected by firewalls. S-HTTP/HTTPS. Abacus/Port Sentry) Backup/restore        Keep a current backup of all data files that your company cannot afford losing after a computer goes south Keep an ad hoc step-by-step restore procedure current. and stop using tapes that show too many access errors As backup jobs use a lot of bandwidth. Either take them home every night. IPSec/CIPE. Add an IDB (ISDN Dial Backup) unit to your routers that goes up should your permanent connection go down. or foreign sites on the Internet. and perform regular restores on bare-metal systems at a remote site to prepare to see your location ruined by a fire or flood Do not keep the latest backup tapes in the location. no rogue. APOP. VPN. a flood. on other corporate sites connected through WAN. Make sure you can decrypt tapes on a bare-metal system after your site has been damaged Perform frequent restores of a few files to check that the backups actually work Remember to clean drive heads regularly. STelnet. or physical break-in. proxy servers. S/MIME. In case your site is ruined by a fire. Used a dynamic firewall (eg. security is only as strong as its weakest link. L2TP/PPTP/PoPToP. etc. leave them in a magnetic media-friendly safe at a nearby bank. If not. either provide a fully-equiped temporary location. should be scheduled at night to make the most of the corporate link to the Net. etc. update it every time you change the configuration of a host. unused network plug.

NDS. If possible. take a look at Samba.x. letting a host listen to all traffic by setting up the port it's connected to from switch.). hardware tokens. Cisco PIX) ) As IPChains is not stateful. filtering routers. NIS. your network can be endangered by UDP or ICMP packets. Generally speaking. Besides Radius and Tacac. 172-16/31. especially for UDP-based applications (Three basic types of firewalls: network-level (screening routers). etc. Consider buying a stand-alone.net) All incoming connections from on-the-road employees through the Internet must use SSH and related tools to ensure encryption Check ACLs on routers and firewalls. Especially remember to disable telnet access from the Net. time-limited tickets (Kerberos). Kerberos.ca.168. ie. crashing when receiving severely mangled packets) Check out reverse path filtering to prevent IP spoofing Set up hubs to forbid hub-mode on ports (ie. and have a monitoring program warn you immediately when a connection goes up Check out authentication systems like challenge/response.x. 192. or even biometric devices . They have fewer moving parts (cooling fans are just about the only mechanical part). stateful firewall instead. if only one host is connected to a given port) Assign descriptive host names in the DNS to make logs more meaningful (eg. aim at using SSO (Single Sign-On) architecture to reduce the number of login/passwords used. and are less likely to run other software besides the firewall part. and PAM. smart cards.Switches                Run Antisniff to try to see if a host is sniffing the network Run tools like Nessus to check what your firewall and routers can withstand (eg. S/Key.dial-access. 174.x) Set up routers and firewalls to log infos to the same central host running syslogd that other hosts are using Do not just rely on ACLs on routers. and only open those you really need and understand. and circuit-level firewalls (eg. keep an up-to-date list of unused network plugs. hence less security risk. LDAP. Assign a MAC address to each port (ie.to hub-mode). one-time passwords (PAP/CHAP. consider limiting it to a restricted local LAN connected to the rest of the network through a firewall + bastion host to limit access only to limited services. Ban any packet coming from the Internet whose source address pertains to the private ranges (10. A context-based firewall is much more secure. and set up DHCP server to not give out IP addresses to unauthorized hosts. If you do need such access. Start by closing all services.att. Use SNMP-capable switches to monitor network use Use bandwidth control tools like Packeteer to prevent denial of service by programs gone haywire Prefer stand-alone firewalls like Cisco PIX over PCs. smart card or finger-print based systems Routers .Firewalls .los-angeles-63-64rs. so present less risk of breaking down. network connection on the patch panel. application-level (proxy servers). digital certificates. Consider using a Radius or Tacac authentication server to centralize the task of authentication users.

if available RAS          Add authentication for dial-out users. unbeknownst to MIS. run separate dial-in and dial-out modem spools Disable the use of the escape sequence +++ to switch to command mode. packet filtering.. and force a disconnect after the thirdto slow down automated password attacks. automated connection on all the phone lines available at your site to check for rogue modems installed by users without noticing MIS) Set a short delay after the first and second failed logins.jtan. Don't tell the user whether the username.. modems inside PBX to allow for remote administration.htm o WinNuke Test Page http://www. Fight IP spoofing coming from your by not letting out any packet whose source address does not belong to your network PBX    If your PBX can be configured remotely through a modem.com/resources/winnuke. Implement both proxies or packet filters. transparent proxying and Fast NAT. change default password/code Check daily logs if available. Once the firewall is set up on your network. the password.html . Zone Labs' ZoneAlarm. especially regarding outgoing calls (hackers using corporate phone system as relay) Set up security codes on all voice mailboxes. Hosts   Install a firewall on all hosts. Do not allow dial-out from an unauthenticated dial-in call If possible. were incorrect. and make sure modems cannot be reprogrammed remotely. Modems should be reset to a standard configuration after each call Check that calls terminate cleanly. or both. modems still connected to the POTS that everyone forgot about. test it regularly from the Internet: o HackerWacker o Shields-UP! http://grc.com/default. to force users to use proxying With switched technologies. You'd be surprised at the number of spyware applications sending out information to the Net without telling you. etc. use Permanent Virtual Circuits or Closed User Groups whenever possible.) All RAS access must require login/password. including client hosts: Free solutions for Windows are Tiny Software's Tiny Personal Firewall. and that the server forces logout from all active sessions Check that no useless RAS access is available (users setting up a modem on their computer. and call-back if available Log Caller ID information if available Maintain an up-to-date register of all your modem lines and conduct regular site checks for unauthorized modems (eg.   Evaluate different methods to hide your private network: masquerading. and Sygate's Personal Firewall.

com/securitytest/index. etc.          Secure-Me/DSLreports http://www.de/vulchk.de/ct/browsercheck/ o DLS Reports http://www.asp o Anti-Trojan.dslreports.sicher-surfen.com/smysecure/index. Germany http://www.ch/cgibin/datenschutz/DSZ_test_start.de/SecurityCheck/default. Set up hosts to limit use of resources (eg.html o QuickInspector for the Web by Shavlik Technologies http://security.com/content/security/cybercop.itsec.conf) Keep compilers and packagers on a removable device to make it difficult for someone to compile and/or install packages (Unix) Consider using xinetd to replace inetd + TCPWrapper (Unix) Remove all unneeded aliases in /etc/aliases (eg. games.sybergen.de.secure-me. especially on your MTA.asp o Virtual Suicide http://suicide.whitehats.Ingenieurbuero Holger Heimann.heise. im Auftrag des Datenschutzbeauftragten des Kantons Zuerich http://www.webtrends.securityspace.pl o Adiscon QuickCheck for Clients.com/pub/scan/ o Whitehats Free DDOS Testing Service http://dev.exchangeantivirus.html o Hochschule Rapperswil.net/ Sygate http://scan.sygatetech. and allow for backup in case of short interruptions Mount as many partitions in read-only as possible.com http://www.netfarmers.com/products/prescan1.mycgiserver.ita.com/SecurityTest/ o WebTrends http://www.pl o The Apostols http://apostols.net.htm o Sandbox Security Test Suite http://www.asp o Remote Security Tester by Ken Kalish http://www.html o Online Trojan Port Scanner (Lockdown?) http://onlinescanner.) o o o .net/ o Personal Security Scanner . Germany http://www.html o ibh . use the noatime attribute in /etc/fstab.smartbotpro.netscreen.net/tools/security/scan. Germany http://www.securityspace. On Unix.html o Secure Design http://www.com/ o Sybergen Online-Security-Check http://www.sdesign.-) http://server142. only root should be able to run echo "1" > /proc/sys/net/ipv4/ip_forward) Require a password when booting in single-user mode Disable or restrict email relaying on your MTAs Run a cache DNS.com/scan/ddos/ddos.com/secureme_go Protect against buffer overflows (StackGuard.net/ o Quick-Test by sicher-surfen.shavlik.mycio.de/cgibin/index. patch the Linux kernel. /etc/limits.com http://www.hsr.html o myCIO.net/camera/ o Security Space https://secure1.com/ E-SOFT/SecuritySpace.com/ o Browser-Check bei heise online (Germany) http://www.anti-trojan. Germany http://www. so as to reduce the need for sending queries to a remote DNS.com/~kalish/ o Security-Port-Scanvon by NetScreen Technologies http://www2.org/tools.sandboxsecurity.com/smysecure/index. Swizerland. use the LIBSAFE set of libraries to protect binaries) Limit what kernel options can be changed while the server is up (eg.

It doesn't take long for hackers to locate such unsecure hosts.. create locked ~/. SUID/SGID in Unix). Start by denying all access in hosts. and su to root.d. /etc/pam.deny. eg. " line in /etc/inittab (Unix) Chmod 0700 /etc/rc. tty1.deny feature. Disable services started up at boot-time by either deleting the symlink in /etc/rc. consider using tools that let you perform only limited tasks as administrator (eg. ~/. ttyp1. and only allow specific access in hosts.).rhosts. and hide which OS and version number is running.equiv files to avoid hackers from creating them (use touch followed by chmod 0) When creating a new user account.                       Remove all unneeded user and group accounts On your mailer. especially system configuration files Implement the undelete or chattr feature. chattr +i /etc/inetd. ICQ) and e-mail Set up hosts to log users out or lock their screen after X minutes of no activity. for added security Do not run unneeded binaries that run as administrator (eg. Add legalese to /etc/issue to warn users. etc.allow and hosts.d/su) Create locked /root/. as this switch is logged. and even then. to make it easier for users to recover files deleted by mistake. Use /etc/securetty to make sure that root can only log on through the console (eg. tty2. the DMZ in front of a firewall). etc. or by changing the leading letter from S to s.d/rcX. although tools like nmap can determine the platform you are running in different ways Take advantage of TCP Wrapper's /etc/hosts.conf) Only use an administrator account when absolutely needed. Use the wheel group to specify who is allowed to su to root. thus granting a regular user admin rights .d/init.allow .forward. especially if that host is connected to the public part of your network (ie. Make sure this tool does not run applications with shell escape. It's much safer that users who telnet into a host first log on as a regular user. and limit this function for console connections (Unix) Disable host reboot through CTRL-ALT-DEL by commenting out the "ca::ctrlaltdel:/sbin/shutdown. Use safe names for hosts.netrc /etc/hosts. and have your monitoring tool check for such files every night Check for all world-writable/everyone files and directories. etc. and have an e-mail sent to MIS so that you know who your reckless users are Disable command-line history log by adding HISTFILESIZE=0 in your local . No rogue hosts: Decommission any host that is no longer being used Do NOT connect a new host to the network until it has been thoroughly secured.rhosts /root/. and change the group ownership to su accordingly (eg.) and NOT through the pseudo-terminals over the network (eg.. sudo). or avoid messing with them in the first place Take advantage of the extended attributes offered by the ext2fs to forbid changed to configuration files (eg. ttyp2.d/* to keep users from checking out boot-time scripts Any failed attempt to connect should trigger an instant message (eg. if available on your system. names should not give away information on their platform or OS version. disable the use of EXPN and VRFY commands Considering disabling remote reboot/shutdown.bash_profile configuration file.

) When running as root. Otherwise. check the nifty utilities from Winternals. consider removing sensitive tools that could be taken advantage of by hackers (compilers. be prepared to drive to the office in the middle of the night if power goes off at this inconvenient time. consider 077 for system configuration files) Check that access to devices is secure (eg. booting with linux single in LILO. etc. or check its configuration so that it does not return important information to remote sites Mail server: For added security. one to send mail. For NT. /dev/*) Keep /tmp in its own partition Authentication .) When setting a password in the BIOS and using auto-shutdown UPS units (with autoreboot set in the BIOS when power returns). under Linux. thus preventing the host to reboot automatically after power resumes. no boot from floppy drive. umask of 022. Boot loaders like LILO can also be set to prompt users for a password before booting an OS. run a tool that monitors sockets to check whether it's trying to upload information to the Internet. learn how to boot as administrator to reset the password (eg. and which version Once the host has all the packages you need. etc. and 077 for root) If available. /usr/bin/su instead of simply su) New files should be created with safe. to enhance performance and security (so a rogue program or hacker filling up a hard disk and crashing this host) To install and upgrade programs. especially root's (ie.                 Check that your PATH is secure.) Files exported through either NFS or Samba should be read-only as often as possible. build a host with different partitions on different hard disks. consider using two hosts. etc. get the habit of always using absolute pathnames to executables (eg. tamper-proof cable to secure host physically to server room. no writable directories to avoid running bogus binaries upload by hackers. Users might want to affix a tamper-proof picture of themselves on their laptop computer to reduce risk of theft In case you either lose the administrator password or it was changed by hackers. the other to receive mail Hard disk     Use file quotas in user home directories Check that the default file permissions are safe (eg. umask of 027 under Unix. check whether the UPS application can send the password over a wire. either remove identd.". unbeknownst to you Restrict physical access (BIOS password. take advantage of package managers like RPM to make it easier to know what packages are installed. secure cases to unable access to jumper to reset passord. and prohibit users from running applications from there Set limits to how much RAM and processes are available to average users When installing a new closed-source software program. no ". set up program so run in chroot() to enhance security OS-permitting. default rights (eg. no root access.) On Unix hosts.

and use MD5 hashes instead of the crypt() function Consider password/account blocking after a predefined number of failed attempts to authenticate Do not create "Joe accounts". NT: Do not set up unneeded trust relationships with other domains Remove all login information (eg. and contact their owner to check if they still need it. make sure you do not delete the leading + sign in /etc/password. without choosing one that they used in the past (Linux and NT. Sample seen on rootprompt: This computer system is for authorized users only. while authentication means checking that the user is indeed who he means he is (ie. ie. Remove guest accounts. enter a password to prove this)  Check if your system supports the use of ACLs such as SubDomain instead of the basic Unix owner-group-world system of authorization . and is a plain-text file. remove those of employees who have definitely left. secure. use shadow passwords instead of relying on /etc/password. a connection to the SMTP port of a mail server should not tell you which MTA is running and its version) Run password cracking software regularly to check that users do not choose unsafe passwords. Remind employees to never write down their password. and change the default to their own. for one. do not use group accounts. If they don't. Display login banner with some legalese to warn hackers that those are not public resources. Individuals using this system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded or examined by any authorized person. including law enforcement. disable their account. All users should use a personal account. check for all unused accounts. put users in a group instead All accounts should have a password If using NIS. as system personnel deem appropriate. In the course of monitoring individuals improperly using the system or in the course of system maintenance. and implement password aging to force them to change their password regularly Change all default passwords on applications you install. test accounts whose password is easy to crack. do not use the same password for all newly-created accounts). On *nix systems. When creating new user accounts. to make logging easier. ie. use a difficult. Anyone using this system consents to these terms. Make sure this banner does not give out any information on the host platform and version #. Any material so recorded may be disclosed as appropriate. and unique password as default to make them safe (ie. Take advantage of password aging to force users to change their password regularly. leaving your Unix system wide-open              Authorization Authorization deals with controlling access to resources. or do not get back to you. After a waiting period. offer this feature) Each month. Utmp is not fool-proof: it will not be updated if a user's shell crashes (hence the user will appear to be still logged on). the activities of authorized users may also be monitored and recorded. safe password (see appendix for how to choose a safe password) Disable all unused accounts. if applicable.

Remember to use a shredder before throwing out useless logs. Maintain a skeptical attitude to determine if a service is truly needed or just a user's whim. Access should be limited to what a user could need to be doing on a host but not more Logging         Things to watch for: system crashes and reboots. and furnished with enough paper. should know before users if something is wrong on the network. on a central host: one for critical information to be sent to you by e-mail and/or printed.) and fingerd. changes in file lengths or dates (use Tripwire). Disable any unneeded services running hosts (Unix: /etc/inettab. as they are more secure distributions Unless absolutely necessary.conf. attempts to write to system. especially if one of your hosts turns out to have been used by hackers as relay to launch attacks on other sites Check with lawyers how much data must be logged by auditing software. Uninstall any service/software that you do not need. do not simply disable them by removing entries in start-up scripts and inet. especially from anonymous/guest accounts. poor system performance. suspicious probes. preferably one that doesn't use a data buffer. /etc/inetd. new user accounts or high activity on a previously low usage account. etc. unexplained.  Check for unowned files regularly Use sudo or equivalent to allow restricted use of root access. Make sure passwords are not logged Check history log Monitor connections and log files Consider logging to different files. anomalies. and check that passwords are not actually logged for anyone to read To avoid log files from using too much disk space. or rotation followed by periodic moving of old log files to permanent storage like CD-Rs in case you need to investigate a break-in in the future. to host private. new files with novel or strange file names. and what the legal restrictions are about logging user personal information Services        Keep two web servers: One in the public part of the LAN to contain files meant for the outside world. tools that either do not require authentication to access resources. Even safer is sending logs to a printer directly attached to each host to avoid sniffing. corporate resources (Search engines on the web can list all files on a weakly protected public web server). ie. pay special attention to any attempt to achieve a different security level by any user or process. etc. denial of service. the other to the regular log file. and work from there. inability of a user to log in due to modifications of his/her account. hence the need for a lot of monitoring tools Choose the "that which is not explicitly permitted is denied" philosophy. consider either compression. or that give out information on your hosts and network . In log files.accounting discrepancies. do not run the r-services (rlogin. NT : Control Panel | Services). Another server in the private part. data modification or deletion. Do the same for FTP and e-mail Run host monitoring tools like WhatsUp to check services running on remote hosts. rsh. suspicious browsing.conf Check for process table attack and related types of denial of service attacks Take a look at Bastille Linux or Debian. Generally speaking.

As a better solution. A free solution for Windows hosts is AVG. TCP session hijacking. IP-directed broadcast (pinq x. SACK (Selective Acknowledgement). eg. RAM. create an empty . and trivial services on trivial hosts. hard disk status. active desynchronization. Beowulf Linux. early desynchronization. to check for open ports and other possible insecurities Famous attacks: TCP/IP sequence-number prediction. TCP ACK storms. etc.rhosts files in user home directories regularly. and delete them. Use a spare hard disk as home to FTP users to prevent hackers from crashing the host by uploading huge files. TCP spoofing. passive attacks.) with a step-by-step procedure on replacing them Use BIOS system monitoring feature (temperature in case. to minimize down time Run scanners like Satan.) Have users turn their monitor off to save power when leaving the office. and document this as part of the security policy If possible. either stand-alone hosts. DDoS.) Have spare hosts and spare parts ready (hard disks. sniffing. and set the sticky bit of user home directories to 1 to forbid users from deleting this file. Ideally. etc.255 with source address is a local address) Run anti-virus software on all hosts. Provide backup hosts for major applications (e-mail. high-availability systems (RAID 5 with hot-pluggable hard disks. monitors. install important services on secure hosts.forward files in case a hacker tried to reroute e-mail Use secure terminals (/etc/securetty) to force admins to first log in with their personal account and su to root To share directories and files from an Unix host. each service should be running on a different machine whose only duty is to provide a specific service. Do the same thing for . etc. This helps to isolate intruders and limit potential harm. stealth scanning (through the FIN packet). Telnet session. services should be placed on hosts according to their security level (ie. Nessus. If this translates into too many servers.rhosts file owned by root and read-only to forbid users from creating one of their own.) All access to resources should be authorized Scan for . Monitor use of hard disk space to watch for warez Try to protect from human error. power supplies.                 Do not rely on a trusted-hosts architecture (/etc/hosts. equiped with auto-shutdown and reboot. fans. considering using Samba instead of NFS for ease of deployment and increased security Consider installing a bastion host to be the point of access of all connections to the Internet (the router should only allow outgoing connections originating from that host) Take a look at outgoing filters to control which sites users can access on the Internet. web server).) Provide guest FTP access instead of anonymous access. a misconfigured host offering temporary degraded service Use UPS on all hosts that require them.equiv. and making sure that all hosts are regularly updated. central host to avoid every user downloading the same update from the Net. Check that the BIOS of each host handles automatic reboot when power resumes. the main UPS sends an SNMP trap that can trigger all other hosts to shutdown. Cops. motherboards. but leave their host running to minimize wear due to frequent power-offs. and to back up their files at night . and SYN Cookies). Security is only as strong as the weakest link in the chain. Trinux. SYN flooding (solutions are Random Early Drop. with automatic updates for a local.

or through applications that do this automatically (Lotus Notes. source control applications. do not allow anonymous hosts from getting an IP address. Norton utilities to make sure a hard disk really is blank and its contents unreadable. Use toll-free phone numbers instead of actual. Never install binaries for which you don't have the source code and didn't check that they come from a reliable source Data       Consider encrypting data files. use MD5 or PGP to check that no hacker has tampered with it. internal numbers. along with phone and fax numbers). Check that DST works and has no impact on applications (source control. do not reveal the name of MIS personnel.     Use secure time server to keep all hosts in sync (especially important for timedependent applications like build machines. floppies. Test upgrade on a test host to check that no application is broken in the process. The best way is to stop the host to be updated. and run dnswalk to check for errors Keep that all software up to date. Monitor use of DHCP leases. Check for suspicious changes made to zone files. as this can be used by hackers to learn about your network Information given in your NIC record for the domains you own: Make them as generic and minimal as possible (eg. Provide classes for all new employees on software used internally . Hard disks. CDs can still contain confidential data. Provide easy-to-use procedure to set up new hosts from secure images to avoid having users install new. the more time you have to take care of tasks that only you can do as administrator. unsecure hosts themselves Users/MIS Personnel    Instruct marketing and sales people to check with MIS before publishing any information on company resources. Either keep those for possible use later. The goal should be to reduce synchronous calls to emergencies that require an immediate response from MIS. through initial training and online knowledge databases (groupware.) This is especially important for theft-prone portables If confidentiality is not an issue but integrity is. Have it look up addresses from DNS and assign static addresses to known hosts. help desk application.) DHCP: If applicable. so as to have the exact same setup Before applying an update. groupware. teach users how to sign files through PGP/GnuPG Add corporate banner to all e-mails Do not just throw away outdated or broken equipments. New or temporary hosts could use anonymous addresses from a DHCP pool DNS: Do not run dynamic DNS until a secure version is available. etc. tapes. Educate users as much as possible. clone its hard disk. or destroy them. Run Tripwire or equivalent to monitor changes to system files. either manually through PGP/GnuPG. or groupware servers). take it off the network and boot off a fresh kernel (usually a read-only boot floppy is good for this) and then run Tripwire to check your files.) The more users can do themselves. and perform upgrade tests on the copy. through a filesystem that supports automatic file encryption. Remember to run eg. When you want to check your machine.

along with heads of departments. masquerading.Employee In. and keeps MIS personnel from working on longer-term projects.) When traveling in groups. fax machines. Require users to change their password regularly. etc.) Check that acronym-based passphrases are used instead of passwords (eg. adding support for virtual domains in sendmail. transformers. employees should not all fly on the same plane When off-site.). contacts. Walls have ears Check appendices in this document on steps for hiring and firing personnel Appendix A . which makes it all the easier for hackers to crack passwords. Have them use passphrases instead. etc. use a private ISP account for this to hide the origin of the article (eg.and off-line list of MIS employees. phone adapters. Dejanews. w45hatgtg "where 45 have all the good times gone" instead of an actual word. This is especially important when posting to newsgroups or inquiring about competitors Watch out for hackers resorting to social engineering to find information (pretending to be with MIS and calling someone in the company to have them change their password. so you know how to reach them at any time Check purchase requests from employees for any unsafe choices Tell users not to share accounts.and Out-Processing . and that you have all the required equipment (PC Card and cable. and works on system-oriented tasks the rest of the time) Reduce inter-dependencies and specialization to a minimum. such and such employee answers calls only at certain hours or certains days. organize a balanced work schedule (eg. or in trash cans. printers.) Remind users not to write down their password. tips. pay attention not to give out confidential information on either the company or its computer infrastucture.                   All interventions should be logged in the help desk application. access control card to the premises if applicable.) Do not leave sensitive documentation on desks. etc. Use shredders for sensitive data Provide a computer use policy so that users know what they can and cannot do with their computer (eg. Make sure all MIS personnel is able to take over someone else's job at short notice. etc. checking trivial web sites or newsgroups. or downloading offensive JPGs. Check that they do not re-use an older password Before leaving for any trip. and ask for a personal account if they need one Check with management if users should be allowed to post to newsgroups from their corporate account If MIS personnel need to ask technical questions to newsgroups that could be used by hackers to break into their site.) Consider setting up a bogus domain name to hide connections from your site (eg. online dictionaries abound on the Internet. installing softwares downloaded from the Net or found in magazines. and feedback to management on MIS activity and the type of problems that occur most often As answering synchronous calls is stressful and boring. check how safe the political and economic situation is. etc. Keep on. etc. posting corporate information in newsgroups. Check password aging. so as to provide history to users and MIS. as they're easy to remember and much more secure than regular passwords. Remind MIS personnel to take advantage of groupware application to document procedures. or on-site if visitors are around.

and.) 6. Do NOT forward e-mails to a new address. Update caller ID and SPID in PBX 5. SMB/CIFS RAS . etc. What are private IP addresses . in case the employee can be expected to return in a short while. Create various accounts (NT user. etc. FDDI. What is sub-netting Your ISP grants your site class C IP network address 207.MIS Personnel Hiring Test WAN       Difference between a repeater. xDSL. personal or ex-customers). What are class and classless IP addresses . should not be allowed in in the premises without an escort Appendix B . explaining that the employee has left and can be reached at such and such phone # or e-mail address 6. NFS. Remove hosts from backup selection list 9.0/24.). If admin passwords were known by employee. and remember to delete them after a given period of time in case the employee is not to return 2. Check with manager or co-workers whether some files should be backed up from employee's workstations. How would you use it to set up 2 networks of your own ? Differences between TCP/IP and Netbeui Explain what the following terms mean: ATM. Hand out documentation on resources available onsite (Phone-HOWTO. phone directory. and Caller ID 8. Lotus Notes. except corporate and known mailing lists (eg. as employee could continue receiving individual corporate e-mails after leaving the company 7.Add account to list. Remove user from all mailing lists and backup jobs 3. Tell user to change passwords immediately. and communicate login/password. X25. Disable all accounts (including RAS) immediately before employee is leaving or is told of his dismissal (disgruntled employees and the like are the most common problem of internal threats). Different standards of routing protocols TCP/IP : What form does an IP address take . cable modem. change them 5. provide access control card Employee Out-Processing 1. Frame-relay. update mug-sheet and organization chart. and choose solid passwords per instructions in user guide 2. unless OKed by management. Add IP address in DHCP and DNS 3. VPN. Remove employee picture from mug-sheet. Make sure security knows that this employee is no longer with the company.130. Add phone # to online phone list 4. a bridge. a router.46. How is an address bound to a NIC . ISDN. and burn CDs or save to tapes before reconditioning hosts 4. Unix e-mail. Disabling is better than deleting.Employee In-Processing 1. NIS. Take picture. backup. NT computer. E-mail: Set up automated answer for incoming mails. FTP.

either random. X2/K56Flex/V90.or sequentialaccess. and what is it for ? What frequency should you choose so that the picture displayed by a monitor doesn't flicker ? . V42. Kermit. V34. BBS. RAID1. BBS. call-back. and type of connectors . V42bis. black-listing. and RAID 5 ? Hardware         Name different manufacturers of microprocessors Different models of the Intel family Different types of RAM How many devices can be connected onto an IDE bus ? SCSI : Speeds. each with its rough storage capacity What's the difference between an incremental and differential backup job ? What's the difference between RAID 0. ZModem. How many devices can be connected onto a single SCSI bus .  Explain what the following terms mean: RS-232. SLIP/PPP. Things to watch for before connecting a new device onto a SCSI bus How many primary partitions does a hard-disk support ? How many cylinders should a hard-disk contain to avoir problems when booting an OS from one of the partitions ? What does MBR stand for. Example of some basic modem AT commands ? LAN          Difference between a hub and a switch ? Maximum number of 10BT hubs that can be linked together using regular plugs ? Name different LAN architectures available Name of the different layers that constitute the OSI/ISO and TCP/IP models Difference between TCP and UDP ? Some well-known port numbers ? What settings does a TCP/IP host need to connect to a LAN ? Name major NOS Different ways to protect a LAN from outside hacking ? Wiring    How many wires are required for 10BT wiring ? For 100BTX ? For 100BT4 ? What do UTP and STP stand for ? When is it necessary to use either one ? What are straight-through and cross-over cables ? PBX    How many wires are required to plug an analog phone into a PBX ? An ISDN phone ? What's SPID (French : SDA) ? Approximate voltage level of a RING signal ? Backup    Name different mass-storage devices currently in use.

X. so that a user is presented with a GUI to log in on a Linux server ? What is an i-node ? Name different file systems supported by Linux. ActiveX. DCOM. and symbolic links ? How does an X server work ? NT    What are the different release numbers of NT ? What is the difference between a workgroup and an NT domain ? What is a DC ? What is Active Directory? What are the benefits to move to AD? . Corba ? What do the following terms mean : Java. netstat. tcpdump. and only access a Linux server for e-mail ? What is a shadow password ? What do SUID/SGID mean. LDAP ? What is the difference between POP and IMAP ? What is Lotus Notes ? What is currently its strong point as compared to Microsoft Exchange ? What is ASCII ? Unicode ? What is a DLL ? What does client/server mean ? Alternative ? What do the following terms mean : DDE. COM.500. main Linux distributions What is POSIX ? What is the point of building a new kernel ? What are modules.d over RC scripts ? How do you set things up. OCX? Name different file systems available on Microsoft platforms What is the difference between FAT and FAT32 ? Name major DBMS vendors Unix/Linux                   Name the two original Unix branches Name the major current flavors of Unix Name the current. OLE. INND. netwatch. how do you set an alias for a host ? How does a DHCP server work ? What are Telnet. What are hard links. POP. nslookup. and when should you use them ? How do you add a new user account into a Linux server ? How to you set a new password for it ? What should you change to unable users to login. VBX. sniffing. tripwire. What is the CPU/bus ratio ? Software             Name some major OS's What do the following terms mean : SNMP. ping. FTP. and when should you use them ? What is Samba ? Can it be used as a DC ? On a DNS server. IMAP. BootP. DNS. Kerberos ? What are run-levels ? When should you use inet. DHCP. NIS/NIS+.

Spammers can easily build themselves mailing lists by scanning such material.) Do not answer any SPAM e-mails. Python. etc. and ask applicant about their use Appendix C . as this can be used by spammers to confirm that an e-mail address is valid. video adapters.). information on corporate infrastructure. DOS batch files. e-mail. jdoe@yaPLEASEREMOVETHISTOMAILMEhoo. transportation means. Office macros) English    Aural comprehension: TOEFL tape riting proficiency: TOEFL MCQs Reading comprehension: TOEFL MCQs Miscellaneous Check applicant's location. can be tapped. If you need to connect to a remote site. LMHOSTS. PearlPerl. and restore this image onto a new PC ? How can you upgrade a stand-alone NT host into a DC ? Is FAT32 supported by NT 4 ? What's an ERD ? What is a trust relationship ? What is an NT service ? Where are user or application parameters saved in Windows 9x and NT ? Development (Proficiency in VB. Use one-time passwords or tunneling to encrypt all data flow between corporate servers and your modem-equipped host . eg. name resolution.User Policy        Read the corporate computer use policy If you receive an e-mail or an instant message asking you to update the password of any of your accounts (NT. HOSTS . Do not use your actual e-mail address when posting to newsgroups or mailing lists.). or check with MIS if the remote site requires setting up an ad hoc connection Remember that telephone lines. Disguise your e-mail address. Visual Test. Contact MIS if your mailbox is filled with it. and commute time If possible perform assessment test: Fill a box with different hardware (NIC. DNS. master browser ? What is an SID ? What happens if you clone the partition of an NT host currently connected to the network. including wireless. Be suspicious of any phone call asking for confidential information (your password. do not answer and ask IT to investigate Contact MIS in case of any malicious and threatening telephone calls. etc. your home page). broadcasts. either use the legitimate corporate connection. etc. and do not post your address in any web page accessible from the Internet (eg. C/C++. WINS.        What do the following terms mean : NetBios.com Do not install a modem to your host.

which makes it all the easier for hackers to crack passwords. or waiting for you through the metal detector.Security Policy The security policy to handle incidents should have the following sections: Goals and objectives. never leave a portable computer unattended (eg. online dictionaries abound on the Internet. contact MIS whenever you detect a situation that you consider is or could be a security or safety incident Appendix D . Use a paper shredder before throwing out confidential data Do not run any software received through the mail or the Internet (e-mail attachments. w45hatgtg "where 45 have all the good times gone" instead of an actual word. use the site PA system if available If available. using your hosts as stepping stone to launch attacks to other sites. etc. transformers. and review the process continuously and make improvements each time a weakness is found. This channel also reduces synchronous interruptions to a minimum. etc.). or fax or copy machines. make sure the portable comes up with a visible tamper-proof corporate sticker to discourage theft MIS monitors network use. notification. etc. Your e-mail and any file on your computer can also be monitored. As explained in RFC 2196.) Do NOT write down passwords. . and bring it to MIS instead. make the most of the corporate groupware or help desk application before calling up MIS.) When traveling in groups. implement measures which will protect your assets in a cost-effective manner. phone adapters. Those contain answers to Frequently Asked Questions (FAQs). etc. and that you have all the required equipment (PC Card and cable. web sites) While on the road. corporate reputation.) Passwords: Instead of regular words. as they may still contain sensitive data (for instance. and history of past incidents. Before leaving for any trip. If no one is available. encrypt all sensitive files (e-mails. Challenge any stranger not wearing an access control card. unauthorized programs being run.              When off-site. etc.). handling. in each area. and is responsible for prohibiting use of to newsgroups and web sites that are not work-related. etc. put your portable in a safe). set up a password in the BIOS. Do not throw away computer equipment.). Walls have ears Do not leave confidential information lying on your desk. determine what you are trying to protect it from (files being accessed or deleted or replaced. at your hotel. access control card to the remote presmises if applicable. determine how likely the threats are. employees should not all fly on the same plane Generally speaking. identification of the incident. always secure it with a lock and cable when working in an office. use acronym-based passphrases (eg. identify what you are trying to protect (files. leaving it at your feet in an airport. with the right tools. disruption of service. and call MIS/security ASAP.) Watch out for hackers resorting to social engineering to find information (pretending to be with MIS and calling someone in the company to have them change their password. pay attention not to give out confidential information on either the company or its computer infrastucture. or on-site if visitors are around. check how safe the political and economic situation is. post-mortem to improve security in the future. data can still be read on a reformated hard drive.

list who will provide and administer it. and hence. or the wages of your staff. this document gives a list of general hints. so remember to check security-related mailing lists and web sites on a daily basis. as e-mail-based virus are all it takes to bring down an entire organisation. but also very boring. No security. and you'll get monkeys.htm Tape Drive Roundup . Appendix E . can be achieved without dedicating significant resources. automate as many tasks as you can. there is no way that anybody will be able to provide you with any acceptable level of security. authorization. Pay peanuts. Perl. To make matters worse.) Also. and who will be allowed to access them.Choosing a backup software   Use encryption. Applications (and their corresponding bugs and breaches of security) are updated constantly. make sure you keep safe copies of your private key on a separate media) Temp stuff http://www. Security is a state of mind. especially as technical and involved as handling day-to-day management of a computer infrastructure.dantz. Threats include unauthorized access to resources and/or information. Performing such daily routine tasks is not only time-consuming. as the Bugtraq mailing list shows. Finally. or the impact of the image or future of the company (break-ins. very likely to be neglected. Python. especially if using a courier company to store tapes off-site Make sure you can restore encrypted tapes on a bare-metal host (eg.linux-mag. nontechnical employees are those most likely to not upgrade to the latest anti-virus and launch any application or click on any e-mail attachement. Hence the need to keep abreast through mailing lists and web sites.pctechguide.The basic goals of security are authentication. Do not assume that because your whole site is secure today. take into account the knowledge required to use computers securely. and hire MIS employees with such coding skills. if using an RSAtype of encryption. Needless to say. confidentiality. new breaches of security are found every single day. and denial of service. Therefore.pl?issue=200101&article=tape_drive .com/ http://www. availability.Which Tape Drive Is Best for Your Linux System? http://www. hardware. That money can be spent on software. that it will remain so tomorrow. the cost of protecting assets should be less than the cost of their loss. confidential information passed on to the competition. keep in mind that. and data integrity. if only because new software and upgrades often means new security flaws.com/cgi-bin/printer. whether it's the amount of work to re-create them (lost files).com/15tape. In order to keep it as universal as possible and avoid having to update it too often. and shell scripts are your friends. For each service that will be provided. and does not deal with particular versions of softwares you might be running. but if you don't take measures to provide these necessary resources.

The former touts higher density and performance. Helical scan writes data diagonally across the entire tape-simultaneously using multiple heads. linear-scan drives have been winning the race with proven market success. models (IDE. Linux.Workstation CastleWood ORB Int IDE $150 Int SCSI $160 Ext SCSI $180 USB $200 2. tape price. $250-600) Mgf = Seagate TapeStor OnStream (15-30GB. $150-600) DI30 (IDE) is Certified for Linux! ADR50 is Certified for Linux! ZIP QIC 120M floppy drive CD-R/CD-RW Server DAT 4mm (DDS) DAT 8mm (AIT) Jaz VXA DLT Exabyte Mammoth-2 Tandberg LTO Optical Magneto optical DVD Drive price. wraps the tape around a rotating drum that contains the heads. while the latter promises increased reliability. Appendix F . using a series of tensioners. int SCSI. it drops down a row and switches direction. That is. Aided by DLT. . when the head reaches the end of the tape. The stationary heads of the linear tape technology are what theoretically give linear-tape drives superior reliability.html&pub=nwc Tape technology is broken into two major categories: helical tape and linear tape. USB). ext SCSI. 25-50GB. The other difference is the way data is written to the tape. TR5 (10-20GB.2GB tapes Travan TR4 (4-8GB $200-500).networkcomputing. Linear scan writes data from front to back in a serpentine method.Unix Security Checklist (from Practical Unix & Internet Security) Preface  Reread your manuals and vendor documentation. standard recording format (can be accessed using non-proprietary software) The Emerging Tape Backup Market http://www. Linear scan uses stationary heads and a less complex tapethreading method.000 rpm and high tension conditions have been quelled by the success and reliability of solutions such as the Sony AIT-2 drive. The main difference between the two is that a helical-scan drive pulls the tape out of the cartridge and. Concerns about the tape stretching or snapping due to drum rotation speeds upward of 7.com/shared/printArticle?article=nc/1114/1114ws3 full.

nonobvious passwords. Develop a positive security policy.' " Chapter 2: Policies and Guidelines           Assess your environment. Don't use your password as the password to another application such as a Multi-User Dungeon (MUD) game. Never record passwords online or send them to another user via electronic mail. Mark your calendar for 6-12 months in the future to reread your manuals. Ensure that authority is matched with responsibility. Don't have different. Become familiar with your users' expectations and experience with UNIX. tokens. Get management involved. in fact. Chapter 1: Introduction     Order other appropriate references on security and computer crime. Consider automatic generation or screening of passwords. a password. by trying to log in on another terminal. Perform a risk assessment and cost-benefit analysis. or any part of your computer. don't make it obvious that what you have written is. Circulate it to all users. Consider use of one-time passwords. don't forget it! After you change your password. Write a letter to your vendors indicating your interest and concem about (insufficient) sottware quality and security features. budget. . Pick strong. Ensure that everything to be protected has an "owner. Ensure that all users know about good password management practices. less secure rules for top-evel management. Do not attach your password to your terminal. or smart cards. and resources available. Set priorities for security and use. Post a reminder above your computer or desk: "Security is not 'Me versus the Users' but 'All of Us versus Them. test it with the su command. Chapter 3: Users and Passwords              Be sure that every person who uses your computer has his or her own account. again. Be sure that every user's account has a password. Pick passwords that are not so difficult to remember that you have to write them down. If you must write down your password. keyboard. Don't use your password on other computer systems under different administrative control. Schedule time to read them when they arrive. What do you need to protect? What are you protecting against? Understand priorities. After you change your password." Work to educate your users on good security practice. or by using the telnet localbost command. Do not write your account name or the name of the computer on the same piece of paper.

Check their ownership and permissions to ensure that they are reasonable. or other appropriate log files on a regular basis for bad su attempts. and sale of cryptography. Never use rot13 as an encryption method to protect data. Avoid use of the root account for routine activities that can be done under a plain user ID. chmod. Scan for device files on your system.avoid obvious or easily guessed words or patterns. Remember. Get in the habit of checking files based on this information. and chgrp operations on files clear the SUID/SGID bits on your system.Chapter 4: Users. Think about how you can assign group IDs to promote appropriate sharing and protection without sharing accounts. Chapter 5: The UNIX Filesystem          Learn about the useful options to your version of the Is command. Determine if write. however ... If your system has "universes" or Context Dependent Files (CDFs). This protection includes use of removable media and encryption. Obtain and install a message digest program (such as MD5). especially if they negatively impact your ability to protect your systems. be sure that all your administrative actions actually scan all the files and directories on your system. Scan the files /var/adm/message. Consider contacting your legislators with your opinions on these laws. especially if it is more than 1024 bytes in length. chown. Never use a login password as an encryption key. Never write SUID/SGID shell scripts. If your system has ACLs. consider superencrypting with Triple-DES. Never give any users. Groups. learn how to use them. . Learn how to use message digests. Chapter 6 Cryptography        Learn about the restrictions your government places on the use. Periodically scan your system for SUID/SGID files. Set your umask to an appropriate value (e. Use the compress command (or similar compression system) on files before encrypting them. If you use the Data Encryption Standard (DES) algorithm for encryption. Choose encryption keys as you would a password. /var/adm/sulog. do not depend on ACLs to protect files on NFS partitions. other than UUCP users. and the Superuser         Ensure that no two regular users are assigned or share the same account. 027 or 077). Think of how to protect especially sensitive files in the event that the root account is compromised. Don't depend on the crypt command to protect anything particularly sensitive. export. Disable SUID on disk partition mounts (local and remote) unless necessary. Restrict access to the su command. or restrict the ability to su to user root su to the user's ID when investigating problem reports rather than exploring as user root.g. the same UID.

Keep your backups under lock and key.don't write it down. consider remounting the filesystems as read-only during backups to prevent changes to file access times. Use the group ID mechanism instead. Do not set up accounts that run single commands. Use PGP to encrypt files and sensitive email. Do not reuse a backup tape too many times. investigate doing backups across a network link to a "hot spare" site. put it in a shell file. Do not set up a single account that is shared by a group of people. or store it online. Avoid proprietary encryption methods whose strengths are not known. and to create and check digital signatures on important files. Ensure that access to your backup tapes during transport and storage is limited to authorized and trusted individuals. system. Chapter 7: Backups                 Make regular backups. Protect your encryption programs against tampering.    Protect your encryption key as you would your password . If possible. and /etc/fstab). If you need to set up an account that can run only a few commands. Be certain that everything on your system is on your backups. If your budget and needs are appropriate. Make periodic paper copies of important files. use the rsh restricted shell. Do not store your backups in the same room as your computer system: consider offsite backup storage. /etc/rc. Make paper copies of critical files for comparison or rebuilding your system (e. Try to completely rebuild your system from a set of backup tapes to be certain that your backup procedures are complete. Think about creating restricted filesystem accounts for special-purpose commands or users. When using software that accesses files directly rather than through the raw devices. Make sure to change the password of every "default" account that came with your UNIX. Do not create "default" or "guest" accounts for visitors. but escrow the keys in case you lose them. /etc/passwd. disable accounts like uucp and daemon so that people cannot use them to log into your system. Make at least every other backup onto a different tape to guard against media failure. Try to restore a few files from your backup tapes on a regular basis. . Consider obtaining a copy of the PGP software and making it available to your users. Instead of logging into the root account. log in to your own account and use su. Chapter 8: Defending Your Accounts         Make sure that every account has a password. Remember to update your backup regimen whenever you update your system or change its configuration..g. Encrypt your backups. Make periodic archive backups of your entire system and keep them forever. because the tapes will eventually fail.

consider the benefits of accountname aliasing. enable it. as these people can use the su command to become the superuser (if applicable). but don't place much faith in results that show no passwords cracked. Tell your users to use longer passwords. make sure that the file /etc/passwd cannot be read anonymously over the network via UUCP or TFTP. modems. set a lifetime between one and six months. You may wish to include cryptographic checksums in the lists. so that they cannot be modified by NFS clients.                   Monitor the format and contents of the /etc/passwd file. If you export filesystems containing system programs. Put time/tty restrictions on login to accounts as appropriate. especially on accounts that may be used across a network link. Establish a system by which accounts are always created with a fixed expiration date and must be renewed to be kept active. Consider cracking your own passwords periodically. and permissions of every program on your system. If possible. Integrity Management        If your system supports immutable files. Do not declare network connections. If possible. Keep copies of this checklist on removable media and use them to determine if any of your system files or programs have been modified. modiflcation time. mount disks read-only if they contain system software. or public terminals as "secure" in the /etc/default/loging or /etc/ttys files. For example. enable it. you can increase the number of encryption rounds from 25 to 200. set your systems to require the root password when rebooting in singleuser mode. Otherwise. Write a daily check script to check for unauthorized changes to files and system directories. use them. If you have shadow password capability. If your software does not support a shadow password file. consider adding password screening or coaching software to assist your users in picking good passwords. contact the vendor and request that such support be added. and on all ancestor directories. if present in your software. you may wish to slighdy alter the algorithm used by crypt 0 to encrypt your password. to help prevent users from picking bad passwords. Make a checkdist listing the size. If you don't have them. enable it. If you are using a central mail server or firewall. if your vendor software allows it. . If your system allows the use of a longer password than the standard crypt() uses. Disable dormant accounts on your computer. If your computer supports password aging. Enable password constraints. Be careful who you put in the wheel group. on their directories. Consider using the Distributed Computing Environment (DCE) or Kerberos for any local network of single-user workstations. you may wish to export these filesystems read-only. consider asking your vendor when they will be supported in your version of UNIX. If your system does not have a shadow password file. Double check the protection attributes on system command and data files. Consider using some form of one-time password or token-based authentication. Disable the accounts of people on extended vacations. If you have source code for your operating system.. Chapter 9. If your system supports the TCB/trusted path mechanism.

This review should include (if they exist on your system) loginlog. you can use comparison checking to detect unauthorized modifications. Set permissions on commands to prevent unauthorized alteration. Chapter 11: Protecting Against Programmed Threats        Be extremely careful about installing new software. Chapter 10: Auditing and Logging                Consider installing a dedicated PC or other non-UNIX machine as a network log host. . Keep a paper log on a per-site and per-machine basis. Never install binaries obtained from untrustworthy sources (like the Usenet). Make an offline list of every SUID and SGID file on your system. Make sure that your utmp file is not world writable. Run integrity checks on your system on a regular basis (see Chapter 9). Review your specialized log files on a regular basis. Determine if there is an intrusion-detection and/or audit-reduction tool available to use with your C2 logs.. Consider adding an automatic log monitor such as Swatch. Scan your system for any user home directories or dot files that are world writ-able or group writable. also have these messages logged to a special hardcopy printer and to another computer on your network. If you process your logs in an automated fashion. aculog. If you can. When installing new software. If you have syslog. Turn on whatever accounting mechanism you may have that logs command usage. craft your filters so that they exclude the things you don't want rather than pass only what you do want. Don't leave any bin or library directories writable by untrustworthy accounts. configure it so that all auth messages are logged to a special file. Be aware that log file entries may be forged and misleading in the event of a carefully crafted attack. Evaluate whether C2 logging on your system is practical and appropriate. Consider installing a simple cron task to save copies of the lastlog file to track logins. xferlog. Consider runting rdist from a protected system on a regular basis to report changes. sulog.g. Be careful to protect your backup copies and comparison programs from potential attackers. Tripwire). Make sure that your log files are on your daily backups before they get reset. install it. If you have backups of critical directories. If so. and others. Consider installing something to check message digests of files (e. This approach will ensure that you see all exceptional condition messages. Run last periodically to see who has been using the system. Have your users check the last login time each time they log in to make sure that nobody else is using their accounts. Be certain that the program and all its data files are stored on read-only media or protected with encryption (or both). Use this program on a regular basis. install it first on a noncritical system on which you can test it and observe any misbehavior or bugs.     Consider making all files on NFS-exported disks owned by user root. Don't include nonstandard directories in your execution path.

and disable the program if necessary. Periodically review configuration files for server programs (e. Watch for unauthorized modification to initialization files in any user or system account. and defenses. Review the use of these commands (and the shell) in all scripts executed by cron. Disable terminal answer-back. or structural failure. eating. If you have a raised floor. Check the placement and recharge status of fire extinguishers on a regular basis. Determine who might have physical access to any of your resources under any circumstances. Chapter 12: Physical Security             Develop a physical security plan that includes a description of your assets. Periodically review mailer alias files for unauthorized changes. Install and regularly clean air filters in your computer room. Have water sensors installed above and below raised floors in your computer room. Never have writ-able directories in your search path. Never have ". threats.) Check the security of your at program. Make sure that the placement and nature of fire-suppression systems will not endanger personnel or equipment more than is necessary. call a FIRST response team or the vendor to confirm the instance before spreading any alarm. Don't use the vi or ex editors in a directory without first checking for a Trojan . including editor start-up files. . and drinking in your computer room or near computer equipment. If you have a dropped ceiling. Verify that any files run from the cron command files cannot be altered or replaced by unauthorized users. Place your computer systems where they will be protected in the event of earthquake. install alarm sensors both above and below the floor.g. too. Strictly prohibit smoking. Make sure that personnel know how to use all fire protection and suppression equipment. Train your users and operators about what to do when an alarm sounds. inetd. put sensors above the ceiling. Disable the automatic command execution feature in GNU Emacs." (the current directory) in your search path.forward files. Make sure that any shared libraries are properly protected and that protections cannot be overridden. explosion. Never write or use SUID or SGID shell scripts unless you are a hoary UNIX wizard. environment.conf.exrc file. Make sure that the devices used for backups are not world readable. get in the habit of typing full pathnames for commands.               If you suspect a network-based worm attack or a virus in widely circulated software. if possible. . perimeter. When running as the superuser. Keep your backups offsite. Have heat and smoke alarms in your computer room. Periodically review all system start-up and configuration files for additions and changes. etc. Check the behavior of your xargs and find commands..

Avoid having glass walls or large windows in your computer room. Beware of insects trying to "bug" your computers. Chapter 13: Personnel Security          Conduct background checks of individuals being considered for sensitive positions. Consider encrypting all of your backups and offline storage. Lock and physically isolate your computers from public access. and connectors from tampering. even if compensated for the overload. Protect power switches and fuses. Have antistatic measures in place. Have disaster-recovery and business-continuation plans in place. tapes and disks) and printouts before disposal. Institute an ongoing user security-awareness program. Physically protect your backups and test them periodically. Consider installing an uninterruptible power supply. Do so with the permission of the applicants. Sanitize media (e. and if it is legally allowable. Examine them periodically. Store computer equipment and magnetic media away from building structural steel members that might conduct electricity after a lightning strike.                    Have temperature and humidity controls in your computer room. In particular. Encrypt sensitive data held on your systems. or incinerators. Check peripheral devices for local onboard storage that can lead to disclosure of information.g. Never use programmable function keys on a terminal for login or password information. Protect all your network cables. Make sure that staff have adequate time and resources to pursue continuing education opportunities. Use bulk erasers. Consider putting motion alarms or other protections in place to protect valuable equipment when personnel are not present. Have recorders to monitor these values over time. Install filtered power and/or surge protectors for all your computer equip ment. and bolts to keep computer equipment from being carried away. Have regular performance reviews and monitoring. Try to resolve potential problems before they become real problems. Have alarms associated with the systems to indicate if values get out of range. Provide comprehensive and appropriate training for all new personnel. shredders. consider using a polygraph examination of the candidate. users should be required to take holiday and vacation leave regularly. Provide refresher training on a regular basis. Make sure that users in sensitive positions are not overloaded with work. If the position is extremely sensitive. . Have applicants and contractors in sensitive positions obtain bonding. and for personnel taking on new assignments. Consider using fiber optic cable for networks. responsibility or stress on a frequent or regular basis. tie-downs. Use locks. terminators. Consider setting autologout on user accounts. if appropriate..

make sure that they are run with the UUCP UID but that they are owned by root. UUCP             Be sure that every UUCP login has a unique password. Set up a different UUCP login for every computer you cornmunicate with via UUCP. weekly. Disable third-party billing to your modem lines. Make sure that incoming modems automatically hang up on an incoming call if the caller logs out or if the caller's login process gets killed. Consider getting CALLER*ID/ANI to trace incoming calls automatically. Do not export UUCP files or commands on a writable NFS partition. Limit UUCP access to the smallest set of directories necessary. . Check permissions on all associated devices and configuration files. Consider making some or all of your UUCP connections use callback to initiate a connection. If there are daily. When any user leaves the organization.cmds file (Version 2 UUCP). Make sure that outgoing modems hang up on the outgoing call if the tip or cu program is exited. Make sure that mail to the UUCP users gets sent to the system administrator. Make sure that there is no way for the local user to reprogram the modem. Log the numbers that call your system. readable only by the UUCP user. Only allow execution of commands by UUCP that are absolutely necessary. Make sure that the ruusend command is not in your L. Apply policies of least privilege and separation of duties where applicable. Make sure that /usr/lib/uucp/L. Make sure that no user becomes irreplaceable. Chapter 14: Thlephone Security              Make sure that incoming modems automatically log out the user if the telephone call gets interrupted. or monthly administrative scripts run by cron to clean up the UUCP system. Consider use of encrypting modems with fixed keys to guard against unauthorized use or eavesdropping.     Monitor users in sensitive positions (without intruding on their privacy) for signs of excess stress or personal problems. Make sure that no UUCP login has /usr/spooI/uucp/uucppublic for its home directory. make sure that access is properly ter minated and duties transferred. Consider getting leased lines and/or callback modems. Do not install call forwarding on any of your incoming lines. Make sure that the tip or cu programs automatically exit if the user gets logged out of the remote machine or if the telephone call is interrupted. Physically protect the modems and phone lines.sys or /usr/lib/uucp/Systems is mode 400. Chapter 15. Consider using separate callout telephone lines with no dial-in capability for callback schemes. Make sure that the files in the /usr/lib/uucp directories can't be read or written remotely or locally with the UUCP system. Audit access to equipment and critical data.

wiz. or to "tunnel" through external networks. Only give UUCP access to the directories to which it needs access. ensure that all UUCP users are listed in the /etc/ftpusers file. Chapter 17: TCP/IP Services                Routinely examine your inetd configuration file. Disable any unneeded network services. Limit the commands which can be executed from offsite to those that are absolutely necessary. Disable UUCP over IP unless you need UUCP. and bin. Examine carefully any other alias that delivers to a program or file. Then. Make sure that your version of the ftpd program is up to date. If the machine has an active FTP service. Consider disabling any services that provide nonessential information to outsiders that might enable them to gather information about your systems. Do not depend on IP addresses or DNS information for authentication. Delete the "decode" alias in your aliases file. The file should also contain the name of any other account that does not belonged to an actual human being. Make sure that /etc/ftpusers contains at least the account names root. uucp. configure any "incoming" directories so that files dropped off cannot then be uploaded without operator intervention. Make sure that all directory permissions and ownership on your ftp account are set correctly. . consider installing the tcpwrapper program to better regulate and log access to your servers. If you support anonymous FTP. Make sure that your sendmail program will not deliver mail directly to a file Make sure that your sendmail program does not have a wizard's password set in the configuration file Limit the number of "trusted users" in your sendmail. If your standard software does not offer this level of control.cf file Make sure that your version of the sendmail program does not support the debug. and usage of. Be sure that the UUCP control files are protected and cannot be read or modified using the UUCP program. your ftp account. TCP/IP Networks    Consider lowAevel encryption mechanisms in enterprise networks. Remove all of the UUCP software and libraries if you aren't going to use them. Frequenfly scan the files in. Do not depend on header information in news articles or email as they can be forged. Disable or delete any uucpd daemon if you aren't using it. You may wish to limit UUCP to the directory /usr/spool/uucppublic. don't have a copy of your real /etc/passwd as an ~ftp/etc/passwd. If your software allows.        Test your mailer to make sure that it will not deliver a file or execute a command that is encapsulated in an address. or kill commands. Chapter 16. contact your vendor and ask when equivalent functionality will be provided as a standard feature in the vendors' systems.

if possible. Disable the rexd RPC service. in . Consider disabling SMTP commands such as VRFY and EXPN with settings in your sendmail configuration. and that. Block NTP connections from outside your organization. 1988. Secure RPC. Be very cautious about installing MUDs. Make sure that all existing . Disable UUCP over IP unless needed. if this is possible on your system. and perhaps against reading by unauthorized users. Make sure that you are running the latest version of the nameserver software (e. remove it. or other servers. Restrict access to your printing software via the /etc/hosts. Consider running the authd daemon for all machines in the local net. get an updated version. Use IP addresses instead of domain names in places where the practice makes sense (e. Disable or replace the finger service with something that provides less information.g. doing this might introduce a vulnerability. Have an alias for every non-user account so that mail to any valid address gets delivered to a person and not to an unmodified mailbox.                                  Make sure that your version of the sendmail program is up to date. . "magic cookies") instead of using xhost. Scan your network connections regularly with netstat.before an attacker does the same.) Make sure that TFTP access. Set up your logindevperm or fbtab files to restrict permissions on frame buffers and devices. Tell your users about the information that the finger program makes available on the network Make sure that your finger program is more recent than November 5.equiv file. Make sure that you have the most recent version of the software. in such cases. If you have a plus sign (+) in your /etc/hosts. or another more tractable network agent. Disable zone transfers in your DNS. Scan your network with tools such as SATAN and ISS to determine if you have uncorrected vulnerabilities . with all published patches in place Make sure that the aliases file cannot be altered by unauthorized individuals.equiv file. Disable rexec service unless needed. Routinely scan your system for suspicious.rhosts files). If you are using POP or IMAP. Enable the best X11 authentication possible in your configuration (e.g. Kerberos.. Configure your NNTP or INND server to restrict who can post articles or transfer Usenet news. Make sure that all files used by the nameserver software are properly protected against tampering. (But beware that most implementations of trusted commands don't understand IP addresses in . configure your system to use APOP or Kerberos for authentication. Block SNMP connections from outside your organization. Do not place usemames in your /etc/hosts.rhosts files on your system. If your X11 Server blocks on null connections. Consider replacing sendmail with smap.lpd file. Consider not allowing users to have .rhosts files. is limited to a single directory containing boot files. IRCs.g. Block incoming RIP packets.rhosts files are protected to mode 600.. use static routes where possible and practical. Make your list of trusted hosts as small as possible.rhosts. if enabled. bind) with all patches applied.

or to only follow links that are owned by the same user that owns the destination of the link. Do not run your server as user root. Limit or prohibit server-side includes. and set its options appropriately (and conservatively). Make sure that your version of portmapper does not do proxy forwarding. configure the program so that it restricts which machines can send requests to your portmapper. Chapter 20: NFS  Program your firewall and routers to block NFS packets. Re-evaluate why you are connected to the network at all. Be extremely cautions about writing and installing CGI scripts or programs. Use netgroups to restrict access to services. Make sure that there is an asterisk (*) in the password field of any line beginning with a plus sign (+) in both the passwd and group files of any NIS client. Configure your server to only allow CGI scripts from a particular directory under your control. Be aware of the potential risks posed by dependence on a limited number of thirdparty providers. enable encryption.. contact your vendor and ask when it will be supported. Chapter 18: WWW Security               Consider running any www server from a Macintosh platform instead of from a UNIX platform. Disable automatic directory listings. Put keylogout in your logout file if you are running secure RPC. Make sure that there is no line beginning with a plus sign (+) in the passwd or group files on any NIS server. understand its limitations. If you are transferring sensitive information over the WWW connection (e. Make sure that your version of ypbind only listens on privileged ports. NIS+. (See the specific programming recommendations in the chapter. Use NIS+ in preference to MS. Set the server to not follow symbolic links. including login. Chapter 19: RPC. Monitor the logs and usage of your WWW service.) Consider using taintperl as the implementation language. and disconnect machines that do not really need to be connected. . and Kerberos           Enable Kerberos or Secure RPC if possible. If this feature is not present. Do not mix WWW and FTP servers on the same machine in the same filesystem hierarchy. Become familiar with all the configuration options for the particular server you use.g. Have it set to run as a nobody user unique to the WWW service. If your version of portmapper has a "securenets" feature. Consider making your www server chroot into a protected directory. if possible. NIS. personal information). If you are using Kerberos. Prevent general access to the server log files.

Use the most complete firewall you can afford and one that makes sense in your environment. rather than creating your own. Consider intemal firewalls as well as extemal firewalls. Mount partitions nodev. Make sure that user accounts have different passwords for machines on different subnets. Consider buying a commercially provided and configured firewall. Chapter 21: Firewalls                  Keep in mind that firewalls should be used in addition to other security measure and not in place of them. Set root ownership on files and directories mounted remotely.or group-writable directories. if available. Don't configure any machine to trust machines outside the local subnet. Set the kemel portmon variable to ignore NFS requests from unprivileged ports. Use the netgroups mechanism to restrict the export of (and thus the ability to remotely mount) filesystems to a small set of local machines. Consider setting a policy of default deny for your firewall. put a screening router in place.) . in TCP mode. using the access= or ro= options. Configure your firewall/bastion hosts to remove all unnecessary services and utilities. Plan on centralizing services such as DNS. Never export a mounted partition on your system to an untrusted machine if the partition has any world. When possible. Configure firewall machines without user accounts and program development utilities. if possible. Mount partitions nosuid unless SUID access is absolutely necessary. email. Rerun the program periodically. Make sure that firewall machines have the highest level of logging. Monitor activity on the firewall regularly.               Use NFS version 3. Monitor who is mounting your NFS partitions (but realize that you may not have a complete picture because of the stateless nature of NFS). Do not export user home directories in a writable mode. Give serious thought to whether or not you really want all your systems to be connected to the rest of the world. Have a central mail machine with MX aliasing and name rewriting. Keep in mind that firewalls can sometirnes fail. For instance. Plan accordingly: periodically test your firewall and have defense in depth for that eventuality. and Usenet on closely guarded bastion hosts. independent subnets. even if a firewall is interposed. Use fsirand on all partitions that are exported. Break your network up into small. if available. replicating disk on local machines may be a safer approach. Reconsider why you want to use NFS. Don't mount NFS directories across subnet boundaries. (See the discussion in the chapter. At the very least. Export filesystems to a small set of hosts. use the secure option for NFS mounts. and think about doing without. Do not export filesystems to yourself! Do not use the root= option when exporting filesystems unless absolutely necessary. Each subnet should have its own NIS server and netgroups domain.

Specifically. .Chapter 22: Wrappers and Proxies     Consider installing the smap proxy in place of the sendmail program to receive mail over the network. Be very cautious about generating and using "random" numbers. Carefully examine the system after a break-in. Observe the 24 general rules presented in the chapter when writing any software. enable them. w. Observe the 14 general rules presented in the chapter when writing any program that will be SUID or SGID. don't panic! Start a diary and/or script file as soon as you discover or suspect a break-in. If a break-in occurs. Install a firewall to prevent network problems. remember that the results retumed by this service are not completely trustworthy. Consider installing the tcpwrapper program to restrict and log access to local network services. See the chapter text for specific . Consider writing your own wrapper programs to provide extra control or logging for your local system. vmstat. Carefully check backups and logs to determine if this is a single occurrence or is related to a set of incidents. Chapter 25: Denial of Service Attacks and Solutions     If user quotas are available on your system. good state. Chapter 23: Writing Secure SUID and Network Programs        Convey to your vendors your concem about sofiware quality in their products. If a break-in occurs. Observe the 17 general rules presented in the chapter when writing any network server programs. Chapter 24: Discovering a Break-in         Plan ahead: have response plans designed and rehearsed. etc. Don't test new software while running as root. Run machine status-checking programs regularly to watch for unusual activity: ps.there is too much detail to list here. Configure appropriate process and user limits on your system. Run hardcopies of files showing changes and tracing activity. and especially when writing software that needs extra privileges or trust. However. Note and timestamp everything you discover and do. Avoid storing or transmitting passwords in clear text in any application. Initial and time-stamp these copies. be certain that you restore the system to a known. Think about using chroot for privileged programs. Consider installing the ident/authd service on your system to help track network access. consider making a dump of the system to backup media before correcting anything.

g. if you need it. levels of user access and responsibility. Develop contacts with your local law-enforcement personnel. Keep written records of your actions when investigating an incident. . Consider investing in a network monitor appropriate for your network. Configure disk partitions to have sufficient inodes and storage. Make certain that your legal counsel is consulted before you provide locally developed software to others outside your organization. IP addresses. Also determine if you will be required to institute criminal or civil action to recover on your insurance. Chapter 26: Computer Security and US. Formally register copyrights on your locally developed code and databases. Expand your professional training and contacts by attending security training sessions or conferences. Ethernet addresses). Have a spare network connection available. Have all users provide a signature noting their understanding of and agreement to such a statement.        Educate your users on polite methods of sharing system resources. and other materials as you proceed. and other information upon user departure. request a signed statement by a judge requesting (or directing) your "expert" assistance. etc. and sound files. Consider joining security-related organizations. Ensure good physical security for all network cables and connectors. Develop contingency plans and response plans in advance of difficulties. Make your users aware of the dangers of electronic harassment or defamation. Make sure that users understand copyright and license restrictions on commercial software.. images. Keep available an up4o-date paper list of low-level network addresses (e. in writing. pornographic material. Define. Make sure that you have appropriate swap space configured. This includes copyrighted material. Time-stamp and initial media. Do not be unduly hesitant about reporting a computer crime and involving lawenforcement personnel. printouts. and machine names. Keep your backups separate from your machine. Law                    Consult with your legal counsel to determine legal options and liability in the event of a security incident. If called upon to help in an investigation. Consult with your insurance carrier to determine if your insurance covers loss from break-ins. setting the nice to a positive value. Put explicit copyright and/or proprietary property notices in code start-up screens and source code. Prohibit or restrict access to Usenet from organizational machines. Restrict or prohibit access to material that could lead to legal difficulties. Determine if your insurance covers business interruption during an investigation. Replace any "welcome" messages with warnings against unauthorized use. Include an explicit statement about the return of manuals. Run long-running tasks in the background. Monitor disk usage and encourage users to archive and delete old files. Consider coupling this to provision of personal accounts with an independent service provider. Restrict access to cryptographic software from the network. Be aware of other liability concerns. Recommend a disinterested third party to act as an expert. printouts. if possible. trade secrets.

g RFC 1244 Policy for handling incidents:    Overview (goal and objectives in handling the incident) Evalution (how serious is it?) Notification (who should be notified) .org/lasg. and incredibly popular. don't run progs as root. Explore other resources concerning security. Develop a healthy sense of paranoia. mailing lists. Buy another 1000 copies of this book for all your friends and acquaintances. UNIX. dll's. fping gping. Monitor newsgroups. and add to your knowledge and experience. adequate testing. Explore professional opportunities that enable you to network with other professionals. Appendix F: Organizations     Learn more about security. strobe & udp-scan. and fixig security bugs in a timely fashion. seifried. Understand why SUID/SGID files have those permissions. core dump. traceroute -S -p53 x. Appendix B: Important Files   Become familiar with the important files on your system. and other resources that will help you stay current on threats and countermeasures. netcat.com. and the Internet. > zone.Chapter 27: "Who Do You Trust?     Read the chapter. rogue phone plugs. Understand the commands that are available to manipulate processes on your system. Protest when vendors attempt to sell you products advertised with "hacker challenges" instead of more reliable proof of good design and testing.net. Make your vendor aware of your concerns about security. attractive. host -lvt any acme. net view /domain: mydomain. world-writable files + dir. Appendix G: Table of IP Services Read the table and add your own site notes indicating the services you do and do not wish to support. tx alarm if nic set to promiscuous. icmpquery & icmpush.txt). Appendix C: UNIX Processes   Understand how processes work on your system. modems. close tcp 53 on firewall. remove all unneeded sws. The copies will make you intelligent. vrfy/expn mysmtp. spread dial-in phone #s. Trust us on this. Under construction nslookup (ls -d acme. identd to get infos on a running process.

Of the remaining 12. If an attacker breaks into a system account he cannot reach any suid root program.   Response Legal/investigative Documentation logs (records to keep from before/during/after the incident) Temp stuff djbDNS instead of BIND Use tcpserver to replace inetd netstat -an --inet netstat -nl --inet # netstat -ln dnscache There's replacements for. but it's got the funniest web site of the lot. Preferably it should be all of them. Programs like sudo provide other ways to control who may use what program. Many classic programs cannot be set up this way and should not be exposed to the public Internet. . try to explain how it works. I therefore put them all into a directory that only those accounts that correspond to real users can access. Suid programs can be made only accessible to those who need to use them. newsgroups. X's TCP port can be banished. I will however. http and FTP software. As before. The usual way it to create a special group for each class of suid programs you can identify and make each user a member of the groups needed. I've decided to switch to a little known print system called PDQ. On the local machine domain sockets are used. Even better. since it is very different from the way lpd works. For six of the twelve I added extra requirements . dns. and of course Qmail One gruesome night of crawling through man pages. All remaining twelve programs had one thing in common: normally they would only be started by humans. It's not particularly sophisticated. http://feynman. Examples are ping and Xwrapper. or be sufficiently sandboxed that possible damage is limited. 7 had a legitimate reason to be suid root (like su) while the other 5 needed to be suid root for practical reasons but there really should be a better way of doing this. deeply hidden scripts and obscure configuration files reveals that in fact the only one not using port 6000 is the local user. No system account needs to use them. if you just know how. among other things.edu/pdq So I have my standards.tam.a number of special group IDs controls who may access these. that's what documentation is for. Ditto of xdm's UDP port. very well audited. Anything that does interaction with the outside world should either be very trivial. I won't go into detail on installing it.uiuc.

Security Tools                                                 Nessus NetCat TCPDump Snort Saint Ethereal Whisker Internet Security Scanner PortSentry Sniff TripWire Cybercop Scanner HPing 2 Security Auditor's Research Assistant (SARA) Sniff It SATAN IP Filter IP Tables Firewalk Strobe L0pht Crack John The Ripper Hunt OpenSSH TCP Wrappers nTop ping/traceroute/telnet NetBIOS Auditing Tool Scanlogd Sam Spade NFR logcheck Perl Ngrep (Network monitoring with ngrep) Cheops Vetescan Retina Crack/Libcrack Cerberus Internet Scanner Swatch Nemesis LSOF Lids IPTraf IPLog FragRouter Queso Top .

Nagios 2.        Lcrzoex mscan and sscan from Jsbach ADMhack Osiris host integrity monitoring Samhain integrity monitoring Automate Linux Configuration with cfengine By Carla Schroder Nagios ("Nagios is an open source host.0 by Thomas Stocking) Secure remote file management with sshfs by StoneLion . service and network monitoring program".

Sign up to vote on this title
UsefulNot useful