Chapter 10 Conducting Security Audits. Objectives Define privilege audits Describe how usage audits...
Chapter 10: Conducting Security Audits
Objectives
- Define privilege audits
- Describe how usage audits can protect security
- List the methodologies used for monitoring to detect security-related anomalies
- Describe the different monitoring tools
Privilege Auditing
- A privilege can be considered a subject's access level over an object
- Principle of least privilege: users should be given only the minimal privileges necessary to perform their job function
- Privilege auditing: reviewing a subject's privileges over an object
  - Requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings
Privilege Management
- The process of assigning and revoking privileges to objects
- The roles of owners and custodians are generally well-established
- The responsibility for privilege management can be either centralized or decentralized
Centralized and Decentralized Structures
- In a centralized structure
  - One unit is responsible for all aspects of assigning or revoking privileges
  - All custodians are part of that unit
  - Promotes uniform security policies
  - Slows response, frustrates users
- A decentralized organizational structure for privilege management
  - Delegates the authority for assigning or revoking privileges more closely to the geographic location or end user
  - Requires IT staff at each location to manage privileges
Assigning Privileges
- The foundation for assigning privileges is the existing access control model for the hardware or software being used
- Recall that there are four major access control models:
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Role Based Access Control (RBAC)
  - Rule Based Access Control (RBAC)
Auditing System Security Settings
- Auditing system security settings for user privileges involves:
  - A regular review of user access and rights
  - Using group policies
  - Implementing storage and retention policies
- User access and rights review
  - It is important to periodically review user access privileges and rights
  - Most organizations have a written policy that mandates regular reviews
User Access and Rights Review (continued)
- Reviewing user access rights for logging into the network can be performed on the network server
- User permissions over objects can also be reviewed on the network server
Group Policies
- Instead of setting the same configuration baseline on each computer, a security template can be created
- Security template: a method to configure a suite of baseline security settings
- On a Microsoft Windows computer, one method to deploy security templates is to use Group Policies
  - A feature that provides centralized management and configuration of computers and remote users who are using Active Directory (AD)
Group Policy Objects (GPOs)
- The individual elements or settings within group policies are known as Group Policy Objects (GPOs)
- GPOs are a defined collection of available settings that can be applied to user objects or AD computers
- Settings are manipulated using administrative template files that are included within the GPO
Image from franciosi.org
Storage and Retention Policies
- Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act
  - Require organizations to store data for specified time periods
  - Require data to be stored securely
HIPAA Sanction for Unlocked Dumpsters
Link Ch 10a
Information Lifecycle Management (ILM)
- A set of strategies for administering, maintaining, and managing computer storage systems in order to retain data
- ILM strategies are typically recorded in storage and retention policies, which outline the requirements for data storage
- Data classification: assigns a level of business importance, availability, sensitivity, security and regulation requirements to data
Data Categories
- Grouping data into categories often requires the assistance of the users who save and retrieve the data on a regular basis
- The next step is to assign the data to different levels or "tiers" of storage and accessibility
Usage Auditing
- Audits what objects a user has actually accessed
- Involves an examination of which subjects are accessing specific objects and how frequently
- Sometimes access privileges can be very complex; usage auditing can help reveal incorrect permissions
- Inheritance
  - Permissions given to a higher level "parent" will also be inherited by a lower level "child"
  - Inheritance becomes more complicated with GPOs
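A privilege audit with inherited permissions, as an added example that is not part of the chapter: the role policy, users and folder ACLs below are constructed, a grant on a parent folder is inherited by every child, and the audit reports where a user's effective rights exceed what their role needs (least privilege).

```python
"""Privilege audit over a constructed folder tree with inherited permissions.

Added example, not from the chapter. ROLE_POLICY, USERS and ACLS are
constructed; a permission granted on a parent folder is inherited by its
children, and the audit compares each user's effective rights with what
their role needs.
"""

# Constructed role policy: the permissions each job function actually needs.
ROLE_POLICY = {
    "accountant": {"/finance": {"read", "write"}},
    "helpdesk": {"/it/tickets": {"read", "write"}, "/finance": {"read"}},
}

# Constructed users and the role each one holds.
USERS = {"alice": "accountant", "bob": "helpdesk"}

# Constructed ACLs: explicit grants per folder. Children inherit from their
# parent, so a grant on "/" reaches every folder in the tree.
ACLS = {
    "/": {"bob": {"read"}},                    # bob can read everything
    "/finance": {"alice": {"read", "write"}},
    "/finance/payroll": {"bob": {"write"}},    # excess grant the audit should catch
    "/it": {},
    "/it/tickets": {"bob": {"read", "write"}},
}


def ancestors(path):
    """Yield the folder and each parent up to the root: '/a/b' -> '/a/b', '/a', '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


def effective_permissions(user, path):
    """Union of permissions granted on the folder and inherited from its parents."""
    perms = set()
    for folder in ancestors(path):
        perms |= ACLS.get(folder, {}).get(user, set())
    return perms


def needed_permissions(user, path):
    """Permissions the user's role needs here, including those the role needs
    on a parent folder (the role's grant is meant to be inherited too)."""
    needed = set()
    for folder in ancestors(path):
        needed |= ROLE_POLICY[USERS[user]].get(folder, set())
    return needed


def audit():
    """Return (user, folder, excess_permissions) for every least-privilege violation."""
    findings = []
    for user in USERS:
        for folder in ACLS:
            excess = effective_permissions(user, folder) - needed_permissions(user, folder)
            if excess:
                findings.append((user, folder, sorted(excess)))
    return findings
```

The root-level read grant to bob shows up on every folder his role does not cover, which is the inheritance effect the slide warns about.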
Privilege Inheritance
GPO Inheritance
- GPO inheritance allows administrators to set a base security policy that applies to all users in the Microsoft AD
- Other administrators can apply more specific policies at a lower level that apply only to subsets of users or computers
- GPOs that are inherited from parent containers are processed first, followed by the order that policies were linked to a container object
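The processing order described above, worked through as an added example (not from the chapter): the containers, GPO links and settings are constructed, and the model is simplified to "parent links first, then the container's own links in listed order, last writer wins"; Block Inheritance and Enforced links are not modelled.

```python
"""GPO inheritance resolution for a constructed AD container hierarchy.

Added example, not from the chapter. GPOS and CONTAINERS are constructed.
Assumed simplification: GPOs linked to parent containers are processed
first, then the container's own links in the order listed, and a setting
processed later overrides one processed earlier.
"""

# Constructed GPOs: name -> the settings each one defines.
GPOS = {
    "Default Domain Policy": {"MinPasswordLength": 8, "LockoutThreshold": 10, "AuditLogon": True},
    "Finance Hardening": {"MinPasswordLength": 14, "LockoutThreshold": 5},
    "Finance Legacy App": {"LockoutThreshold": 0},  # relaxes a setting the parent tightened
    "Workstations Baseline": {"AuditLogon": True, "ScreenLockMinutes": 15},
}

# Constructed hierarchy: container -> (parent container, GPOs linked in processing order).
CONTAINERS = {
    "DC=corp": (None, ["Default Domain Policy"]),
    "OU=Finance,DC=corp": ("DC=corp", ["Finance Hardening", "Finance Legacy App"]),
    "OU=Workstations,OU=Finance,DC=corp": ("OU=Finance,DC=corp", ["Workstations Baseline"]),
}


def processing_order(container):
    """GPOs in the order they are applied: the root container's links first,
    the target container's own links last."""
    chain = []
    while container is not None:
        parent, links = CONTAINERS[container]
        chain.append(links)
        container = parent
    return [gpo for links in reversed(chain) for gpo in links]


def resulting_policy(container):
    """Effective settings for a container and which GPO set each one (last writer wins)."""
    effective = {}
    for gpo in processing_order(container):
        for setting, value in GPOS[gpo].items():
            effective[setting] = (value, gpo)
    return effective


def overridden_settings(container):
    """Settings that a lower-level GPO changed after a higher-level GPO had set
    them: the places an auditor has to look when inheritance gets complicated."""
    seen = {}
    overrides = []
    for gpo in processing_order(container):
        for setting, value in GPOS[gpo].items():
            if setting in seen and seen[setting][0] != value:
                overrides.append((setting, seen[setting], (value, gpo)))
            seen[setting] = (value, gpo)
    return overrides
```

Running `overridden_settings` on the Workstations OU shows the lockout threshold being tightened by one Finance GPO and then switched off by the next, the kind of conflict a privilege audit of GPOs is meant to surface.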
Log Management
- A log is a record of events that occur
- Logs are composed of log entries; each entry contains information related to a specific event that has occurred
- Logs have been used primarily for troubleshooting problems
- Log management: the process for generating, transmitting, storing, analyzing, and disposing of computer security log data
Application and Hardware Logs
- Security application logs
  - Antivirus software
  - Remote access software
  - Automated patch update service
- Security hardware logs
  - Network intrusion detection systems and host and network intrusion prevention systems
  - Domain Name System (DNS)
  - Authentication servers
  - Proxy servers
  - Firewalls
Antivirus Logs
DNS Logs
Firewall Logs
Firewall Logs
- Types of items that should be examined in a firewall log include:
  - IP addresses that are being rejected and dropped
  - Probes to ports that have no application services running on them
  - Source-routed packets
  - Packets from outside with false internal source addresses
  - Suspicious outbound connections
  - Unsuccessful logins
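The checklist above run over a constructed firewall log, as an added example that is not part of the chapter: the key=value log format, the sample lines and the site knowledge (internal address ranges, ports with a real service, expected outbound ports) are all constructed; source-routed packets and login failures are left out because this record format carries no field for them.

```python
"""Triage of a constructed firewall log against the firewall-log review checklist.

Added example, not from the chapter. SAMPLE_LOG, INTERNAL_NETS, SERVICE_PORTS
and EXPECTED_OUTBOUND are constructed for this illustration.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log: dir=in means the packet arrived on the outside interface.
SAMPLE_LOG = """\
2024-01-01T10:00:01 action=DROP dir=in src=203.0.113.9 dst=192.168.1.10 dport=23
2024-01-01T10:00:02 action=DROP dir=in src=203.0.113.9 dst=192.168.1.10 dport=445
2024-01-01T10:00:03 action=DROP dir=in src=203.0.113.9 dst=192.168.1.10 dport=3389
2024-01-01T10:00:04 action=DROP dir=in src=203.0.113.9 dst=192.168.1.10 dport=5900
2024-01-01T10:00:05 action=ALLOW dir=in src=198.51.100.4 dst=192.168.1.20 dport=443
2024-01-01T10:00:06 action=ALLOW dir=in src=192.168.1.77 dst=192.168.1.20 dport=22
2024-01-01T10:00:07 action=ALLOW dir=out src=192.168.1.33 dst=198.51.100.200 dport=6667
2024-01-01T10:00:08 action=ALLOW dir=out src=192.168.1.33 dst=198.51.100.200 dport=443
2024-01-01T10:00:09 action=REJECT dir=in src=198.51.100.77 dst=192.168.1.10 dport=22
"""

# Assumed site-specific knowledge the reviewer brings to the log.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
SERVICE_PORTS = {22, 443}          # ports that actually have a service behind them
EXPECTED_OUTBOUND = {53, 80, 443}  # outbound ports the organization expects to see
PROBE_THRESHOLD = 3                # distinct unserviced ports hit from one source


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the destination port becomes an int."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True when the address falls inside one of the protected internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return the checklist findings: sources being rejected or dropped, sources
    probing unserviced ports, inbound packets claiming an internal source, and
    outbound connections to ports the organization does not expect."""
    findings = {"rejected_sources": Counter(), "port_probers": [],
                "spoofed_internal": [], "suspicious_outbound": []}
    probed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] in ("DROP", "REJECT"):
            findings["rejected_sources"][rec["src"]] += 1
        if rec["dir"] == "in" and rec["dport"] not in SERVICE_PORTS:
            probed[rec["src"]].add(rec["dport"])
        if rec["dir"] == "in" and is_internal(rec["src"]):
            findings["spoofed_internal"].append(rec)  # arrived from outside, inside address
        if rec["dir"] == "out" and rec["dport"] not in EXPECTED_OUTBOUND:
            findings["suspicious_outbound"].append(rec)
    findings["port_probers"] = [s for s, p in probed.items() if len(p) >= PROBE_THRESHOLD]
    return findings
```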
Operating System Logs
- System events: significant actions performed by the operating system
  - Shutting down the system
  - Starting a service
System Events
- System events that are commonly recorded include:
  - Client requests and server responses
  - Usage information
- Logs based on audit records: the second common type of security-related operating system logs
- Audit records that are commonly recorded include:
  - Account activity, such as escalating privileges
  - Operational information, such as application startup and shutdown
Windows 7 Event Logs
Log Management Benefits
- A routine review and analysis of logs helps identify
  - Security incidents
  - Policy violations
  - Fraudulent activity
  - Operational problems
- Logs can also help resolve problems
Log Management Benefits (continued)
- Logs help
  - Perform auditing analysis
  - The organization's internal investigations
  - Identify operational trends and long-term problems
  - Demonstrate compliance with laws and regulatory requirements
Log Management Solutions
- Enact periodic audits
- Establish policies and procedures for log management
- Maintain a secure log management infrastructure
- Prioritize log management throughout the organization
- Use log aggregators
- Provide adequate support
Change Management
- A methodology for making changes and keeping track of those changes
- Two major types of changes
  - Any change in system architecture (new servers, routers, etc.)
  - Data classification (documents moving from Confidential to Standard, or Top Secret to Secret)
Change Management Team (CMT)
- Created to oversee changes
- Any proposed change must first be approved by the CMT
- The team typically has:
  - Representatives from all areas of IT (servers, network, enterprise server, etc.)
  - Network security
  - Upper-level management
Change Management Team (CMT) Duties
- Review proposed changes
- Ensure that the risk and impact of the planned change is clearly understood
- Recommend approval, disapproval, deferral, or withdrawal of a requested change
- Communicate proposed and approved changes to co-workers
Anomaly-based Monitoring
- Detecting abnormal traffic
- Baseline: a reference set of data against which operational data is compared
- Whenever there is a significant deviation from this baseline, an alarm is raised
- Advantage: detects anomalies quickly
Anomaly-based Monitoring (continued)
- Disadvantages
  - False positives: alarms that are raised when there is no actual abnormal behavior
  - Normal behavior can change easily and even quickly, so anomaly-based monitoring is subject to false positives
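The baseline, the deviation alarm and the false-positive problem from the two slides above, worked through as an added example that is not part of the chapter: the metric (hourly outbound connection counts for one host), the baseline numbers and the three-standard-deviation threshold are constructed.

```python
"""Anomaly-based monitoring on a constructed metric: hourly outbound
connection counts for one host.

Added example, not from the chapter. BASELINE_SAMPLE, the 3-sigma threshold
and the "new normal" data are constructed for this illustration.
"""
import statistics

# Constructed: two weeks of "normal" hourly connection counts for one host.
BASELINE_SAMPLE = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54, 50, 49, 52, 48]
THRESHOLD_SIGMAS = 3.0  # assumed: how far from the baseline counts as "significant"


def build_baseline(samples):
    """Reference set: mean and standard deviation of the observed normal data."""
    return {"mean": statistics.mean(samples), "stdev": statistics.stdev(samples)}


def deviation(value, baseline):
    """How many standard deviations an observation lies from the baseline mean."""
    return (value - baseline["mean"]) / baseline["stdev"]


def check(value, baseline, sigmas=THRESHOLD_SIGMAS):
    """Raise an alarm (return True) on a significant deviation from the baseline."""
    return abs(deviation(value, baseline)) > sigmas


def false_positive_demo():
    """Show how a legitimate change in normal behaviour trips the alarm until
    the baseline is rebuilt from the new normal."""
    base = build_baseline(BASELINE_SAMPLE)
    # A genuine anomaly: the host suddenly opens ten times its usual connections.
    true_alarm = check(500, base)
    # Normal behaviour changes (say, a new hourly sync job): ~90/hour is now routine.
    new_normal = [88, 92, 90, 87, 93, 89, 91, 90, 86, 94, 90, 89, 92, 88]
    false_alarms = sum(check(v, base) for v in new_normal)
    # Rebuilding the baseline on the new normal stops the false positives. The
    # cost: anything the new baseline absorbs is now invisible to the monitor.
    rebased = build_baseline(new_normal)
    after_rebase = sum(check(v, rebased) for v in new_normal)
    return {"true_alarm": true_alarm,
            "false_alarms_before": false_alarms,
            "false_alarms_after": after_rebase}
```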
Signature-based Monitoring
- Compares activities against signatures
- Requires access to an updated database of signatures
- Weaknesses
  - The signature databases must be constantly updated
  - As the number of signatures grows, the behaviors must be compared against an increasingly large number of signatures
  - New attacks will be missed, because there is no signature for them
Behavior-based Monitoring
- Adaptive and proactive instead of reactive
- Uses the "normal" processes and actions as the standard
- Continuously analyzes the behavior of processes and programs on a system
- Alerts the user if it detects any abnormal actions
- Advantage: not necessary to update signature files or compile a baseline of statistical behavior
Behavior-based Monitoring
Monitoring Tools
- Performance baselines and monitors
  - Performance baseline: a reference set of data established to create the "norm" of performance for a system or systems
  - Data is accumulated through the normal operations of the systems and networks through performance monitors
  - Operational data is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made
System Monitor
- A low-level system program
- Monitors hidden activity on a device
- Some system monitors have a Web-based interface
- System monitors generally have a fully customizable notification system that lets the owner design the information that is collected and made available
Protocol Analyzer
- Also called a sniffer
- Captures each packet to decode and analyze its contents
- Can fully decode application-layer network protocols
- The different parts of the protocol can be analyzed for any suspicious behavior