Requesting Tips on Establishing a Security Awareness Program: Targetting Unix

Hello all-

Someone in my company has recently asked for my help on establishing a security awareness program fousing on Unix. The target audience would be the regular user community; people who would have a business need to login to a Unix system, but would most likely not know anything about security and/or security in Unix. Any thoughts?

My own thoughts were to focus on company standards and policies and throw in some general "good user/bad user" tips.

I was also considering having the audience include the SA group as well. I don't want them to feel insulted, however, I believe it is important that everyone has a good understanding of security and acts upon it. I welcome thoughts on this as well.

In advance: thanks, gracias, danke.

Just a few questions to try to get a bit better perspective:

1. Is this an internal network, or are they accessing the internet via Unix?
2. Do they have e-mail
3. Do they have shared connection/resources with the Windows community.

I think that you can see where I am coming from

Treat them all as idiots.............Most will be.
This will make the knowledgeable feel superior, then hit them with something more technical that brings them back to earth.

Then you can up there education.

Quote:

---

Originally posted here by nihil
Just a few questions to try to get a bit better perspective:

1. Is this an internal network, or are they accessing the internet via Unix?
2. Do they have e-mail
3. Do they have shared connection/resources with the Windows community.

I think that you can see where I am coming from

---

Thanks nihil for the response. In answer to your questions:

1. It is an internal network, but they can access the internet with unix (like with a browser or ftp/sftp).
2. They do not use e-mail from the unix boxes.
3. Yes through SAMBA.

And yes I do see where you are coming from - I think I do I mean. Essentially, trying to establish a framework for what they need to know can be overwhelming. I think I want to start with the basics, like complying with the policies and standards and how best to do that, then move on from there. When I start talking unix to some people here, their eyes glaze over and I think they start thinking about what they are having for supper. Others know unix exists, but does not know what purpose it serves. Still others know it, work with it, but do not know or want to know the reason for security.

Also - thanks to jinxy for the additional information!

KuiXing-2005.

Jinxy has given you the 'blunt as an old box cutter' perspective...nothing wrong with that, really. Depends on how 'touchy feely manager-like' you are.

If you wanna take the touchy-feely angle, consider telling the SA's they are being brought in to #1 help the other users out by having their expertise on hand with the non-SA users, but in a position where the students don't have to outright ask the instructor (this is a legitimate reason, actuallY, not *JUST* B.S.). Also, make sure they understand that they might know most of this stuff, but no one knows everything, and they might learn a new trick or two.

My $0.02

IF they are not tech savy do not confuse them with a bunch of tech jargon. Stick to the basics at first like password policy and no passign out information to people who they are not certain are part of the company. Cover some of the basics of social engineering. Also if they have internet acsess from thier terminals you may want to consider restricting sites to buisness related sites. Just remember that humans are often the weakest link in the chain of security..... god that sounded cheesey

Yes, I was wondering about the possibility of cross infection.

A lot of people think that Unix is mostly unaffected by malware, but it can pass it on to Windows, so the unix guys have to use the same "safe computing" practices. You will need to get that message across loud and clear.

:)

Quote:

---

Originally posted here by ZomBieMann77 and sponsored by Kraft Dinner - Cheesy, it's what's for dinner!
IF they are not tech savy do not confuse them with a bunch of tech jargon. Stick to the basics at first like password policy and no passign out information to people who they are not certain are part of the company. Cover some of the basics of social engineering. Also if they have internet acsess from thier terminals you may want to consider restricting sites to buisness related sites. Just remember that humans are often the weakest link in the chain of security..... god that sounded cheesey

---

I'll go one farther. Humans are ALWAYS the weakest link. Whether users, admins, engineers, or code writers, I'd say MOST problems come from human error at one level or another. Seriously...Slammer, Code Red, Nimda wouldn't have been the beasts they were for many companies if the proper standpoint on network traffic had been taken. It's called the Principle of Least Priviledge, but in another context. Why allow all traffic when you don't need to? "Useability", you say? Psshaw! Let them request ports be opened if and when they need them. (Let them eat cake!)

</rant> ok, so this isn't the most reasonable stance to take. But seriously, most problems come from the fact that people who made decisions did so without considering the whole picture, or without having the proper perspective and training.

Considering what you've told us about this group and environment, I am not sure Social Engineering should be a major point of the material. It should be covered, for sure, but don't bore them with war stories of Mitnick-esque activities.

I'd make sure they know how to reference file ownership and permissions, and what it means.

Code:

---

-rwsr-xr-x root sys 1024 blah blah  bad-ass-ownage.pl*

---

This is a suspicious looking file, and they should recognize it as such and at least know what the permissions mean it will do.

Edit: had to fix the bits in that code block...you'd think I'd know where the damnanble suid goes! :P

Thanks all!

Okay - I threw something together quick for them. I found out the person responsible for actually establishing the program has little to no unix experience either. So we start with the basics - which is adherence to the Company Policies and Standards. Why - because in an audit, I can honestly say that the LCD is still humans; specifically passwords. At this point, we are struggling with a proactive password tester - we are still reactivley checking with John and LC4/5, and passwords are what usually gets us in. It's weird, because here the SA's are busting ahss staying up to date with patches and locking down unnecessary services and permissions, and we can still get in with an old or weak password.

Okay - back to the outline I provided - and FYI - this is a first stab at this type of program for our Unix users and admins - so I know this will continue to evolve. This is what I provided:

1. General
A. All company personnel need to be kept aware of the current:
(1) Information security policies, standards, guidelines and procedures
(2) Their individual duties and responsibilities for information security
(3) And any changes to the above
B. This can be done through:
(1) Presentations, news articles in the Company newspaper, training (class or Web), etc.

2. Specific: Unix
A. Maybe two programs:
(1) One for general users
(2) One for administrators
B. If one or two programs are created the program(s) have to cover all of the IT Policies, as Unix usages can cross over all of the IT Policies.
C. For the general users, the focus should be on:
(1) Access
(A) Server(s) – what do they need to use or not?
(B) Accounts – do they need an account or not?
(C) Visit/Re-visits the Computer Use Policy – special focus on passwords
Protecting information on the server and with their account – the SA should already have checked permissions
D. For the administrators, the focus should be on:
(1) IT Policies (if it was not covered before)
(2) Passwords:
(A) Strength
(B) Age
(C) Account Lockouts
(D) Protecting the password file – shadowed passwords
(E) Services:
(i) What to leave enabled or disabled
(3) Network Vulnerabilities:
(A) What are they, how are they found, what should be done about them...
(B) File permissions:
(i) Giving only what users need
(C) The elimination of World Writeable Files – where the write bit is set so that anyone can write to a file or directory or both
(4) Trust relationships and why to limit them:
(A) Trusts – use of .r* files and commands (e.g, .rhosts, rexec and remsh)
(B) Reference files – use of .netrc files
(5) Mail
(A) Ensuring that any mail use on the servers or workstations has been configured to not allow common vulnerabilities (e.g., on SMTP – disable EXPN and VRFY) – going back to Network Vulnerabilities
(6) Web
(A) Ensuring that whenever a web server or service is needed, that the proper configurations and patches are in place to stop the common vulnerabilities – goes back to Network Vulnerabilities

Again - this was just to be the start - and I am not sure what they will use from my notes, but we'll see and any other suggestions are of course welcome.

KuiXing-2005.

That looks like the beginning of a very good corporate policy.... for the IT department... it will work well if you have the manpower ...

But I _think_ the thrust of your issue is the users themselves.... They need what is called an Acceptable Use Policy, (AUP). Here's mine... It is OS indepenent.... It is my 3 monthly email that gets sent to every user in the companys I manage the networks for....

Quote:

---

To some of you this will be the first time you have seen this message. It is Agency policy to email this to all users every three months. Please read it carefully, it may change from time to time. If you have any questions please call me at (XXX) XXX-XXXX. For those of you that have seen this message before please re-read it to remind yourself of the policies in place regarding the use of this network.

Company users may access this policy at any time by clicking here. ((link not there... duh))

The policies outlined below are for the protection of yourselves and the Wide Area Network, (WAN), managed by mycompany. The policies are put in place to maintain the security and integrity of the network and it’s data. Furthermore, they are designed to restrict the use of Agency computer systems to avoid Agency or personal liability for copyright infringement or other lawsuits be they criminal or civil.

1. This is a business network and is to be used for business purposes only.

2. Under no circumstances are users of this network to attach any electronic device, (Laptops, PDA’s, Wireless Access Points, Thumb Drives etc.), to the network without the prior permission of their network administrator.

3. Under no circumstances are users of this network to download and install software from the internet that is not explicitly authorized by the senior IS staff member of your organization.

4. Under no circumstances are users of this network to install software from the any other media that is not explicitly authorized by the senior IS staff member of your organization.

5. Under no circumstances are users of this network to collect email, be it personal or business, from any mechanism other than the Outlook or Outlook Express that was installed and configured on your computer by IS staff. This means that visiting Hotmail, AOL or any other system on the internet that would provide you access to email is forbidden.

6. Under no circumstances are users of this network to alter the setup of their Outlook or Outlook Express or install an alternative mail client to collect mail from any location other than those set up by IS staff.

7. Under no circumstances are users of this network to use instant messengers such as AOL, MSN, ICQ or any other instant messaging, (chat), system be it installed on your computer or accessed through Internet Explorer or any other system.

8. Under no circumstances are users of this network to install or partake in any file sharing system such as Kazaa, Gnutella, Napster or any other system that allows sharing or downloading of files from sources outside this network.

9. Under no circumstances are users of this network to listen to internet radio, download music or any other media unless the activity is explicitly authorized by the senior IS staff member within your organization.

10. Under no circumstances are users to download, use or publish on Agency computer systems, any work that is copyrighted by others that they do not give full recognition to or do not have written permission from the copyright owner to use.

11. Under no circumstances are users allowed to try to circumvent any system that is put in place by IS staff to limit or restrict the users to business related activity.

12. Under no circumstances are users to participate in any activity that would be deemed by mycompany’s Manager of Information Systems as malicious, (hacking/cracking), be it against internal network resources or external resources except in the case of IS staff authorized to carry out security audits against targets they have explicit written permission from the owner of the system(s) being audited.

mycompany has the right, but not the duty, to monitor any and all traffic passing through it’s network. As such it is very important that you understand that while you are using Agency computer systems, or personally owned systems connected to Agency networks you can have no expectation of privacy. The network is monitored in several ways 24 hours a day, every day and activity is logged, analyzed and archived in such a way that the IS staff can go back to any period on any given day to see exactly who did what, where and when.

I am not simply being a curmugeon - many of these activities present a serious threat to the security of this network. Those that don't present security issues seriously affect the ability of the network to carry the volume of traffic causing legitimate use to slow down to almost a crawl at times. Please abide by the policies outlined above or your supervisor will be notified of your activity and that continued infractions will lead to the blocking of your internet access through to disciplinary action that may result in your termination.

---

That should give you a good start.....