For these past few weeks I feel like I've spent most of my time working on a PCI DSS audit. It's the audit which checks whether you've met the standards required by the card processing companies - and gives you the ability to store card numbers. It's an interesting scheme - with many people having mixed views on its suitability/workability. I enjoy working to the tough specification, and adding extra bits of security all over.
There are only so many ways in which you can secure a server. Most PCI setups involve using multiple boxes (they have to) - and there's lots of security between the boxes to enhance the security further. However, the PCI audit doesn't just check your procedures and systems to avoid the initial penetration - it also looks to mitigate the effects should some fortunate soul manage to get in.
Due to my background not being in Computing, there are a few areas that I feel I'm weak on. However, once I can take a look at the problem, it's normally just a case of logic rather than 'supa-doopa' programming. In fact, once I'd started programming late in 2008, I realised that the programming was just a tiny part of the process of a programmer - most of the time it was making sure that what was about to be programmed wouldn't create erroneous results.
One program which I've had a love2hate relationship with, but that I've now really warmed to, is Samhain, from la-samhna solutions. It's a great program, and kudos goes to the developers for releasing it as open source. I've also really enjoyed using SNORT, ntop, Wireshark (formerly Ethereal) and the Shorewall firewall. System hardening was an interesting task: locking the system down to as few users as possible. There are so many different things to take into consideration - you end up with a 3D network of traffic streaming from one server to another.
I imagine this as being a gravity-less environment, with streams of data passing like skycars across the 3D network. I then basically put in roads (the firewall rules) that only allow traffic to be passing
- on ports I know about
- transmitting packets I know about (stateful inspection)
Then, when I turn the firewall on - the gravity gets re-enabled - and any datastreams that aren't supported by the firewall (roads) collapse and are broken.
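As an added illustration of those two rules (a constructed toy model, not the post's own firewall configuration or any Shorewall/iptables code): a tiny stateful filter that only lets inbound traffic start on known ports, and only lets reply packets through when the outbound half of the flow has already been seen. The addresses and port set are assumptions for the demo.

```python
from dataclasses import dataclass

# Assumption: the services this host is meant to offer (SSH and HTTPS).
ALLOWED_INBOUND_PORTS = {22, 443}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str     # "in" (arriving at the host) or "out" (leaving it)
    syn: bool = False  # True for the first packet of a new TCP connection

class StatefulFilter:
    """Default-deny filter with a minimal connection-tracking table."""
    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        self.conntrack = set()  # flows that were accepted once, either direction

    @staticmethod
    def _flow_key(pkt):
        # Both directions of a flow map to the same key, so a reply matches the request.
        return tuple(sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]))

    def decide(self, pkt):
        key = self._flow_key(pkt)
        if key in self.conntrack:
            return "ACCEPT"             # established flow: the road already exists
        if pkt.direction == "out":
            self.conntrack.add(key)     # locally originated: build the road, allow replies later
            return "ACCEPT"
        if pkt.syn and pkt.dst_port in self.allowed:
            self.conntrack.add(key)     # new connection on a port we know about
            return "ACCEPT"
        return "DROP"                   # no road: the stream collapses

def run_demo():
    # Constructed traffic using documentation address ranges.
    fw = StatefulFilter(ALLOWED_INBOUND_PORTS)
    host, client, resolver = "192.0.2.10", "198.51.100.7", "203.0.113.53"
    packets = [
        Packet(client, 40001, host, 443, "in", syn=True),   # new HTTPS connection to a known port
        Packet(host, 443, client, 40001, "out"),            # our reply, flow already tracked
        Packet(client, 40002, host, 8080, "in", syn=True),  # port nobody opened
        Packet(client, 40003, host, 443, "in"),             # mid-stream packet, no SYN ever seen
        Packet(host, 51000, resolver, 53, "out"),           # locally originated DNS query
        Packet(resolver, 53, host, 51000, "in"),            # matching reply
        Packet(resolver, 53, host, 51001, "in"),            # unsolicited packet from the same source
    ]
    return [fw.decide(p) for p in packets]
```

The fourth and seventh packets show the stateful half: a packet to a permitted port is still dropped when no connection was ever opened, and a reply is only a reply if the outbound request was seen first.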
The most important part of it all though, is the monitoring. Without effective system monitoring, the whole system is useless. You need status colours, and an easy one-screen display. Events which are expected, such as your developer logging into the server, don't need to trigger a 'critical' error - but can be flagged so the project manager can review them. Sure, it may be easier for a developer to have plaintext lines spelling out the status - and then expect the Project Manager to read them - but surely it's more fun to have a screen of buttons and colours in front of them. They can immediately see any problems.
But the main thing I've learnt from all this is that, at the end of the day, it's not down to the Sys Admin to secure a system. If the developers don't write their code right - if the company policy regarding logins doesn't prevent changes being made to the live server without PM approval (on pain of death) - then securing it to any level is near pointless.
Needless to say, I'm very happy with what I've been doing the past few weeks - and learned many lessons that I think will stand me in good stead for the future.
Bring on the next PCI audit!