John wiley sons auditing and security as 400 nt unix networks and disaster recovery plans 2001 (by laxxuss)

Auditing and security: AS/400, W, UNIX, networks, and disaster recovery plans/ Yusufali F.. resources from hackers and computer thieves, corporations neglected the physical security asp

This Page Intentionally Left Blank

This book is printed on acid-free paper @

Copyright 0 2001 by John Wiley and Sons, Inc All rights reserved

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization

through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA

01923, (978) 750-8400, fax (978) 750-4744 Requests to the Publisher for permission should be addressed to the

Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-601 I, fax (212) 850-6008, E-Mail: P E ~ ~ E Q ~ ~ E Y C O M

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional

services If legal advice or other expert assistance is required, the services of a competent professional person should be sought

Musaji, Yusufali F

Auditing and security: AS/400, W, UNIX, networks, and disaster recovery plans/

Yusufali F Musaji

p cm

1 Electronic data processing-Auditing 2 Computer security I Title

ISBN 0-471-38371-6 (cloth: alk paper)

~A76.9.A93 M87 2001

Printed in the United States of America

1 0 9 8 7 6 5 4 3 2 1

This book is dedicated to my g r a n ~ m o t h e ~ Mrs ~ u l s u m b a i ~ u r b h a i ,

who taught me to sacrgce so I could grow

Io my mot he^ Mrs ~ a t i m a ~ u s a j i , who sacri~ced her material

well-being so I could pay my school fees

To my son, Ali Musaji, who taught me perseverance, patience, and

the m a ~ e l s o f l ~ ~

Io my w$e, ~ a o ~ i Musaji, for her love, tolerance, and faith

This Page Intentionally Left Blank

nd the big picture, see their roles within it, continuo

resources from hackers and computer thieves, corporations neglected the physical security

aspects and as a result suffered financial loss from lack of physical security controls, thus becoming easy game for crooks In spite of this, physical security continued to be regarded

as being limited to the perimeter controls and bodyguards at the front doors

Theft or damage to information processing resources, unauthorized d i s c l o s ~ e or era-

sure of proprietary information, and interruption of support for proprietary busin

processes are all risks that managers who own or are responsible for i n f o ~ a t i o n resources

must evaluate Since physical access to information processing resources exposes a com- pany to all of these risks, management must institute physical access controls that are com-

mensurate with the risk and potential loss to the company

The objective of the physical security audit is to determine if mana~ement processes

have been implemented, are effective, and are in compliance with established i n s ~ c t i o n s and standards as formulated in the company security policy they ensure that the com-

pany’s information resources are protected from unauthorize

Chapters 3, 4, 5, and 6 discuss auditing the most advanced platforms: AS/400,

crosoft NT, and Unix

M y are system concepts and architecture important to understand?

do not start by choosing a computer platform They start by choosing m ap

ss needs Because of this, the computer system is very often considered first

should the computer architecture matter? The accelerating rate of change of

e and software technologies necessitates that the system selected has been de- signed with the future in mind Do the platforms accommodate inevitab~e, rapid, and dra-

atic technology changes with m i ~ m u m relative effort? Are the systems future-oriented?

aradoxically, the characteristic of the most advanced design and technology is subtle It

a c c o ~ o d a t e s the rapidly changing hardware and software compo~ents-permitting one

to fully exploit the latest technologies

Is the operating system conceived as a single entity? Are the facilities such as rela-

tional database, communications and networ~ng capabilities, online help, and so on fully

inte~rated into the operating system and the machine?

Successful audits of computer platforms are intended to provide an analysis of the

computing and network hardware components with potential risks and r e c o ~ e n d a t i o n s

If the computing platform is not secure, neither is the company’s data

Chapter 7 continues the discussion of auditing networks ~ o ~ o r a t i o n s deploy net-

works to lower the total cost of network ownership, m ~ i m i ~ e their return on in~estment, provide seamless, enterprise-wide services, enable appli~ations, enhance their perfom-

ance, control network resources, speed up project implementation, and minimi~e risk and

riven by the rush to e-commerce, se rity has rapidly become a mission-critical

component of the corporate IT infrast~cture protecting these mission-critical networ~s from corruption and intrusion, network security has enabled new business applications by

reducing risk and providing a foundation for expanding business with intranet, extranet, and electronic c o m e r c e applications

Therefore, network security should be a continuous cycle, consisting of establis~ng

a security policy that defines the security goals of the enterprise, implementing security in

a comprehensive and layered approach, and auditing the network on a recurrin

sure that good network security is easier and more cost-effective, lso, network security

should ensure that no irregularities have developed as the network evolves, and the results

of the audits should be used to modify the security policy and the technology implementa- tion as needed

i

Chapter 8 discusses auditing the disaster recovery plan Large pools of shared data- bases, t i m e - s h ~ n ~ , vast teleprocessing networks, t e l e c o ~ u ~ c a t i o n s connections to non- company facilities, multiple distributed printers and systems, and thousands of users char- acterize the state-of-the-art computer centers in corporations Disruption of service or the intentional or inadve~ent destruction of data could potentially bring business processes to

a halt

Across this entire computer i n f r a s ~ c ~ r e , the Information Security (IS) processes must be implemented to ensure the confidentiality, integrity, and availability of the com- pany’s information assets The responsibility for the implementation of an effective IS pro- gram is assigned according to the company’s goals and objectives Generally, this respon- sibility is delegated to the information system because of its traditional role as Provider of Service However, IS is often not the Provider of Service for smaller systems that exist at a location Regardless of the organizational roles and responsibilities, the corporate informa- tion officer (CIO) is responsible for the overall implementation

With the emergence of disaster recovery planning, physical security is regarded as the cornerstone to developing a viable disaster recovery plan, The pundits have suddenly pro-

ureka,” and the dawn of physical security as the foundation on which the disas- ter recovery plan can be built has begun to take hold Protecting assets from disasters is now one edge of a double-edged sword with the other edge preventing losses from theft and hu- man errors, which in fact pays partly if not wholly for the costs of disaster recovery plan- ning The auditbr must ensure that the computing environments suppo~ing vital business processes are recoverable in the event of a disaster

Auditing and Security has been developed for IT managers, IT operations manage- ment, and practitioners and students of IT audit The intent of this book is to highli~ht the

areas of computer controls and to present them to the reader in a practical and pragmatic manner Each chapter contains usable audit programs and control methods that can be readily applied to information technology audits As an added value, two presenta- tions are available on the World Wide Web The first presentation is a proposal for invest- ing in a disaster recovery plan and the second is a firewall selection guide Please visit www.wiley.co~musaji The user password is: auditing These documents are in Power- point format

Yusufali F Musaji is the Founder, Director and President of Mi’s Y, Consulting Inc., an IT and Financial Consulting f m specializing in computer consulting Yusufali has a strong computer science and financial background He embraces the full s p e c t ~ m of financial, op- erational, and IT disciplines required of a state-of-the-art organi~ation His functional and technical areas of expertise include system development and implementation, project man- agement, computer security and financial systems

Yusufali F Musaji is widely published in IT, financial, and security j o u ~ a l s re

ser Relations~ps, and has also developed numerous business continuity plans

e holds a Bachelor of Computer Science from York U~versity, Toronto, Canada, and is a C.G.A., CISA and CISSP

information Security throu h Dynamic Culture

Information Securi~ ~anager-L~ader Roles

~ y n a ~ i c Culture Is a Prerequisite for G r o ~ h

Sustaining Culture for Process Improvement

S~ared Responsibility for ~ R l ~ m p l o y e e s Processes

~oundational ~ a i t s and A~ributes

Specific Skills Required by IS ~ana~er-Leaders

Personal Learning Sparks ~rgani~ational Learning

~xecutive Skills Versus ~ a n a g e r - ~ a s i c Skills

r ~ a t for ~ositive ~esolution

ical Access Controls

AS/400 System Concepts and Arc~itecture

System Concepts

~ u l l Integration into the ~ ~ e r a t i n g System and the ~ a c h i n

ased Operating System

Backup and Recovery

Auxiliary Storage Pools

Set Audit oni it or and Audit Log Parameters Turn Auditing On or Off

Select Users to be Audited

Select €vents to be Audited

Select System Calls to be Audited

Interpreting Audit Log Data

~ a n a ~ i n g Audit Log Resources

Administering the Auditing System

Using Auditing in a Diskless ~nvironment

Backup and Recovery in a Secure Enviro~ment

~ a c k u p Security Practices

Recovery Security Practices

~ o u n t i n g and Un~ounting a File System

Shu~ing Down a System Securely

OS1 Layer 6: Presentation Layer

OS1 Layer 7: Application Layer

SI Layer 4: ~ a ~ s p o r t Layer

Audit ails

~ r i v i l e g e ~ User ID Authori~ation

A ~ / 4 0 0 Installed

4A.5 Other Objects

rams that A d o ~ t Authority

~ecurity ~e~erence oni it or

~ecurity ~ccount ~anager

Se~ing File System Perm~ssions

nag in^ Groups

§pecial ~ r o u p s

~ a n a ~ i n g User A ~ ~ o u n t s

~ e t ~ o r k e d and Local Users

~pecial ~uilt-In Accounts

Creating User Accounts

copy in^ User Accounts

~isabling and ~eleting User Accoun~s

omains and Trust

Su~ported ~ e ~ ~ o f k sport Protocols

A~acks and Defenses

Services that ~nhaffce or Impact Security

eat tu res of Secu~i~y

111

P~ysical Access to System Unit

System Key Lock

Limit Security O ~ c e r Access

emote Sign-On ~ontrols

Limit umber of Device Sessions

Automatic Configuration of Virtual Devices

Automatic Confi~uration of Local Devices

A~ention Pro~ram

Violation Reporting and ~ollow-Up

Default Public Access Authori~

is play ~ign-On information

Physical Layer lnte~ace

at^ Link Layer l n t e ~ ~ c e

Application~Level atew way

Stateful InsFection Adv~ntages and ~ i s a ~ v a n t a ~ e s

ire wall Tests

Technical Audit Program

lnterna~ and Firewa~l Confi~uration Security

Plan ~ r g a n i ~ a t i o n and Assignments: For~-~ine-Point Checklist

usiness ~rocess Owner

This Page Intentionally Left Blank

What drives revenue and profit in today’s economy is undoubtedly the mix of hardware,

software, and services Often the di~erentiator for this mix is the highly skilled, motivated,

leading-edged employee who d e t e ~ i n e s the company’s competitiveness and its growth in

the marketplace Growth is linked to satisfied customers whose loyalty is the foundation for

success Thus, the factor that d e t e ~ n e s a company’s growth and its customer satisfaction

is the quality of its employees

Employees are c o ~ t t e d and highly motivated when their work e n v i r o ~ e n t s enable

them to go the extra mile for their customers, their company, and their colleagues This is what

builds a network of d y n ~ c employees who strive to be the best at providing value to their

customers Simil~ly, what mobilizes the employees to understand the elements of the secu-

rity culture and to see its relevance to the company’s business success as well as their own per- sonal success are the dedicated ~ o ~ a t i o n Security (IS) mana~er-leaders It takes dedicated

S mana~er-leaders to guide the ~ a n s f o ~ a ~ o n to a dynamic security-conscious culture

Employees continue to be a company’s greatest asset, perhaps more so now than ever

before That’s why IS manager-leaders must not allow the urgency of their daily workload

to take precedence over the impo~ant time needed for the employee aspects of their roles

ollowing are five factors that con~ibute to customer satisfaction:

Image

., Value

f these, image is considered to be four times more impo~ant than any of the other factors,

Image is a composite of four e loyee-related issues:

Highly skilled employees who are committed to excellence

loyees who are responsive and helpful and who take charge

A company that is customer oriented and easy to do business with

A company you can trust

~ u l ~ l l i n g customer satisfaction on these four issues, e s p ~ i ~ l y ~ i r s t two, is very de-

m nt processes are world class It is not the m

S, rather it is the employee

It is i m p o ~ ~ t to di~erentia

o share responsi~ility for their collective s u ~ c e s ~

IS manager-leade~ roles,

at is the missio~ of IS m

ow does their ~ i s s i o n relate to a c

would a security-conscious culture/co~pa~y look like?

orations-attributed to failure to an sf om cultures in conjunction with ffo~s-has been high

-shap~d chart in E ~ i b i t 1.2, shows the four factors that must be present for

be effectively im~lemented It is not enough to only have reengi- processes will fail without the accompanying changes in job ac- oring methods, and noms and values embedded in the intangible cultural factors below the surface depicted by the ered processes as the visible tip of the iceberg above the sur- ods and ideas on employees will not work, especially if the

e than half the reengineered efforts have failed the crucial im ~ o ~ a n c e of the cultural factors below the sur-

to squander their huge investments in the new processes if estment is dismal ~onse~uently, attention to cultural un-

e word t r ~ n s ~ o r ~ i n g is intended to capture both the journey and the need for dy-

lture This requires modeling the new culture in the way res new relations~ps, and adds value in the evolv-

S is b e c o ~ i ~ g mandatory

loyees ”+ ~ a t i s ~ e d ~ u s t o ~ e r s

ts from a dynamic c u l t ~ e ~ m p l o y e e s , customers, and the share-

ange the e ~ t e ~ a l en~ironment unless you

t is becoming increasingly a p ~ ~ e n t to the

e success of employees and the success of the organization are

e n s ~ ~ n g that employees are seen as drivers of the organization, ustomers and investors, is pivotal to creating d y n ~ c work en-

e ~ p l o y e e satisfaction a central driver in the organization d e ~ a n d s a

to your customer^.^'

eir ~ i s c r e t i o n a ~ e ~ o r t in goals t~at bot^

nd ~ ~ ~ i ~ i z e the c o ~ ~ a n y ~ s success It is this “voluntee~sm”

S of IS m~ager-leaders that enable the these roles, and why a~ention to empl points that provide the outline of a d y n ~ c culture:

ribe a “ d y n a ~ i c c ~ l t ~ r e / c o m ~ a n y ”: The ~ e e - l a y e r e d viors, noms and values, and assumptions-provides a ired dynamic culture

ent

pliance, A dynamic culture/company unleashes the pot en ti^ of employees who are com-

to clear, relevant, and m e a n i n g ~ l purposes that they have helped shape mployees will commit to the new dynamic culture when four factors are in place:

~ Z ~ r i ~ : Staff members understand what the n is-the character- istics of the culture are clear to them and they ate them to others,

eZev~nce: StdT members see the relevance ynamic culture to the com-

'S business success-they see how it wi z the company's customers elp the c o ~ p a n y grow

~ ~ i ~ g ; Staff members see the personal m e ~ i n g of the new

what it means to them personal~y, and they can get excited about it

~nvozve~ent: Staff members want to be, and are, involved in the shaping and de- ployment of the new dynamic cul~re-without involvement9 no co~mitment

it is impractical to involve everyone in shaping a l e-scale change, their chos r~sentatives may be involved Giving employees the choice to be involved is the key point, even if they choose not to be

The need should be for everyone, especially IS manager-leaders, to help § u s t ~ n the jour- ney and not slip back-to be comfortable reinforcin , evolving, and nurturin

culture/company In summary, I manager-leaders enable the dynamic culture that gener- ates a dynamic company9 producing highly satis~ed and loyal customers that fuel company growth

Transfo~ation is about change There are man mo els that describe S

change and organizational change The Change

that are a h e l p ~ l context for cultural change

tural change as follows:

~ h a s e I ; den ti^ needs This phase is su~ported th the push

of the external environment There is also the he com-

pany9s huge investment in reengineerin

state” will be described

manager-leaders also touches on the follow in^:

owever, given that real culture transfo~atio

quire much iteration

hase 2 suggests that if we want

a d y n a ~ c culture/com~any, we

would look like

T r a n s f Q ~ n g any or~ani2ation to a

rogress can appear to be unattai~able-

complishe~ a step at a time The

Lure is made up of behaviors, norms and values, and as

to bring to the surface norms, values, and assum~tions

namic culture/com~any (See Exhibit 1

he most obvious si

r l e ~ ~ e and valuable

les on m a ~ a g e ~ e n t ,

izations To help understand these behaviors in the cont are o r g ~ i z e d around the three foundational o

and team

dynami~ cul~re/company uzzle are as follows:

ynarnic company has six core elements as shown i

Its employees are an energetic global te

It leads in creating value for customers

wins thro~gh technolo

t builds share~older value

It is involved with our ~ o ~ u n i t i e s

t expects teamwork, integrity, respect, a

S on the right things

t is invigorat~d by work that helps it wi

It works by p~nciples-not rules

t is proud of its products and services

t uses what it sells

Its employees are diverse

S and leverages howled

1s accounta~le

cons~icuously shares credit for results,

oyees earn c o m ~ e t i t i ~ e pay and benefits

ecurits comes from its success with its customers

t bas choices to make in ~alancing its work and personal priorities

ts l e a ~ e ~ s create and c o ~ u ~ c a t e a winning strategy

ts lea~ers ~ a l k the talk

loyees need to demonstrate in a dynamic culture

itment; concern for the truth even when it’s un-

o-workers; ability to capitalize on

ositive ~ s w e ~ s to the c ~ e ~ k l i s t , the foll

n a scale of 1 to 5, with 1 be w- e r f o ~ ~ c e ” an being % n a ~ i c ~ ’ ~ s s e s s the en-

#in * Established objectives

* Examples

1, Focusing on winnin~creating best customer value * Targets

* Results

2 Putting customer ~ i r s ~ c o ~ p a n y secondunit third 4 Accoun~~bility

3 Setting aggressive targets

4 Insisting on results

5 Holding employees accountable for their

c o m ~ t m e n t s

Execute

6 Showing concern for quality and productivity

7 Using and being loyal to the company’s products

8 Co~municatin~listening efEectively

9 Welcoming the truth

10 Capitalizing on change

1 l Showing disgust with bureaucracy

12 Putting never-ending attention to skills

improvement

13 C o ~ i t t i n g to being a process-managed business

14 Modeling a worwlife balance

19 Empowering individuals and teams

20 Energetically building cross-functiona~global

teamwork

0 ~ e s t ~ c t u ~ n g / s ~ z e and scale

* Flatter organization

* “Fit in fast” checklist

* “Fit for you” card

o you focus on w i n n i n g ~ n being the leader in creating the best value for your cus- orners, using technology, integrated solutions, and services?

Are you visibly puttin the customer firs~company secon~unit third in all decisions? Are you involved with your c o ~ u n i t y ?

e you driven by a c o ~ o n vision of your purpose?

o you insist on results versus effort?

o you earn competitive pay and benefits based on personal and company results?

Do you hold employees accountable for their c o ~ t m e n t s ?

Do you show b once^ for quality and productivity?

Do you have a fierce loyalty to the company’s products and services?

o you proudly use what you sell?

o you practice outstanding co~munications~istening with c u s t o ~ e r s and col- leagues?

Do you elc come the t ~ t h , even when it’s unpleasant?

Is provocative inquiry encouraged?

Do you capitalize on change and quickly adopt new jobslroles and structure?

e you open to new ideas?

o you show disgust with bureaucracy?

Do you h o w what to do and do it?

o you work continuously to improve your skills?

Does your management and measu~ement system support you becoming a process- managed business?

e you modeling worldlife balance?

Do you work on the right things?

re you invigorated by your work?

Are you making intelligent choices about balancing your personal life p ~ o ~ t i e s ?

o you model respect, integrity, teamwork, and excellence personally?

o you expect respect, integrity, teamwork, and excellence from your colleagues?

o you value diverse, dynamic colleagues?

o you share and leverage ~ o ~ l e d g e broadly?

Do you act unburdened by b o u n d ~ e s of place or thought?

o you conspicuously share credit for results?

G Do you willingly help others in your global c o ~ p a n y ?

Are you empowe~n individuals and teams?

by ~ r i n c i ~ l e s , not rules?

you ener~etically and visibly dis~layin cross-~nctional t e ~ w o r k ? iscussions with others in the CO valuable to assess

and to decide what c

he three c o m ~ t m e n t s of the n o m categories

Execute

Team

The four values are

spect and excellence, may appear to have the

reinforces the need to engage in dialogue to

u~derstood by all

o ~ ~ a n i e s require systems, stru~tures, and ~rocesses to o

these include the follo~ing:

agement and measurement syste archical or tea~-based S

hese are strong levers to affect behavior since they

culture, often im~licitly They

with a ~ i ~of bu- i ~ u ~

ever lose s i ~ h t of its s t r ~ t e g i ~ ~ i s i o ~

arly when they work as

Id be re~ected in the more di~lcult to dis- about them-it’s

our unconscious9 built- nclude latent biases and

ct on a~proaches toward team-

n many co~panies9 the terns Z e ~ ~ e r and ~ ~ ~ ~ g e r are used interchan

business processes

1

ne Set of ~ s s ~ ~ t i o ~ s

Employees basically dislike work, are lazy, need * Employees basically love being challenged by

to be coerced and controlled, and prefer to have meaning~l work, and are energized when they help superiors make their decisions for them make decisions decting their work environment

ABOUT TRUST

e Trust is tied to position power; superiors are not * Trustwo~hy employees who display character and

questioned because they must have good reasons competence, and who encourage and open two-way

ABOUT M O ~ A T I O N

Extrinsic “carrots and sticks’’ are what motivate e Intrinsic satisfaction is what motivates employees-

ABOUT TIME! FR.AME

e Short-term survivallsuccess is paramount; we can * Long-term surviva~success is paramount; we base our save our way to profits; daily ~uctuations of the actions on the lifetime value of customers and on stock price affect my mood principles; trends in customer and employee

satisfaction affect my mood

Internal competition brings out the best in e Internal competition destroys teamwork, inhibits

employees and should be encouraged to stimulate sharing and leveraging knowledge, and demora~zes high performance; reward systems should promote team members; reward systems should promote

T e ~ i n o l o g y in the area of leadership and m ~ a g e ~ e n t can be a semantic minefield Thou- sands of articles have been written about managers, leaders, and executives There has been

an explosion of books, videos, and speeches about leadersh , especially in the last fifteen years Unfo~unately, most authors are less than crisp in defining th

ever, drawing from the essence of what the expert^'^ say, the follo

overall distinctions between leading and managin

eading is setting the ~irectiQn; s aging is getting there

* Leading focuses on the ZQng-ter~ hQrizQn; managing focuses on sho~-term bottom line

Leading e ~ ~ Z ~ y e e s ; managing processes, systems, and s t ~ c ~ r e s

trolling, directing

Leading is doing the ~ i g ~ t things; mana

paradigms

* Leading is coac~ing, e ~ ~ o ~ e r i n g , f a c i l i t ~ t i ~ g , s e ~ i n g ; managing is ~lanning, con-

* Leading change, ~ e ~ ~ a r a d i g ~ s ; e e ~ m status quo, within

~~ituationally with earned power based on co~petence; m ~ a g i n g from ap-

iness of innovation; m ~ a g i n g craves order

w directions; managing demands proof

ing relies on control

eo The Power of ~ s i o n :

Vision wit~out action is only a dream;

Action without vision is just passing the time;

Vision with action can change the world

m the ‘6com~lete leader” label in Exhibit 1.9, it is noted that the term ing, managing, and doing The working de~nition of l e a ~ e r s ~ p is

“ t ~ e a b i l i ~ to e~ectively S direction and ~ o d e l interpersonal behaviors ( ~ a d i n g ~ ,

a l i g ~ ~ a n a ~ e business an loyees processes to acco~p~ish desired business re-

n ~ ~ i n g ~ , and contribute ers son ally to de~ired business results ( ~ o i n g ~ ~ ~

Administrator

A~dicato~

Complete Leader

Dreamer

HIGH

ws that varying degrees of leading, managing, and doing skills are

is, leadership is the umbrella tem-leading, managing9 and doing are ~ u ~ s e t s of credible leadersh ibit 1.10 also indicates that leadership is expected out the organi~ation-it ust the prerogative of senior mana~ers and execu-

me employees may assume the role of a leader temporarily, in a given situation

nent leaders, such as in senior positions or on some teams In all nts that will ensure business success are the same

The conc~usion is that “ c o ~ p l e t e m ~ a g e r s ” are required to lead and “complete lead-

ers” are required to ma nag^ In terms of the typical or~anization, “manager-leader” applies