
10-Conducting Security Audits



  1. 10-Conducting Security Audits. Dr. John P. Abraham, Professor, UTPA

  2. Privilege Auditing
  • A privilege is a subject's (person's) access level over an object.
  • A user should be given the minimal amount of privilege necessary to perform their function (least privilege).
  • Privilege management: the process of assigning and revoking privileges.
  • Privileges are assigned under mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC) or rule-based access control (also abbreviated RBAC); see Ch. 7.

  3. Auditing System Security Settings
  • A regular review of user access rights, use of group policies, and implementation of storage and retention policies.
  • See the sample policy on page 335, Figure 10-1 (next slide).

  4. Figure 10-1 [figure slide; image not included]. Source: Security+ Guide to Network Security Fundamentals, Third Edition

  5. Group policies
  • Create a configuration baseline and deploy it using group policies.
  • Review these policies regularly, since settings drift away from the baseline over time.

  6. Storage and retention policies
  • Laws and regulations govern what data must be retained and for how long, so these policies are not purely an internal matter.

  7. Auditing System Security Settings (continued)
  • Storage and retention policies
  • Information lifecycle management (ILM): a set of strategies for administering, maintaining, and managing computer storage systems in order to retain data.
  • ILM strategies are typically recorded in storage and retention policies, which outline the requirements for data storage.
  • Data classification: assigns a level of business importance, availability, sensitivity, security and regulatory requirements to data.

  8. Auditing System Security Settings (continued) [figure slide; image not included]

  9. Auditing System Security Settings (continued)
  • Grouping data into categories often requires the assistance of the users who save and retrieve the data on a regular basis.
  • The next step is to assign the data to different levels or "tiers" of storage and accessibility.

  10. Usage Auditing
  • Usage auditing audits what objects a user has actually accessed.
  • Involves an examination of which subjects are accessing specific objects and how frequently.
  • Access privileges can be very complex; usage auditing can help reveal incorrect permissions.
  • Inheritance: permissions given to a higher-level "parent" are also inherited by a lower-level "child".
  • Inheritance becomes more complicated with GPOs.
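The two slides above describe a privilege audit (does each user hold only the rights their job needs?) and a usage audit (which subjects can reach which objects?), and note that inheritance is where incorrect permissions hide. The following is an added example, not code from the slides or the Security+ textbook: it resolves inherited grants down a small folder tree and reports excess rights. The folder paths, groups, users and grants are constructed for illustration; real file systems also have deny entries and inheritance blocking, which this model omits.

```python
"""Added example (not from the slides or the Security+ textbook): resolve the
permissions a user inherits down a folder tree, then compare them with what the
user's job requires, the way a privilege audit and a usage audit would.
All paths, groups, users and grants below are constructed for illustration."""

# Explicit grants per object: object -> {group: rights}. Anything not granted
# on an object is inherited from its parent (the "parent/child" rule).
ACL = {
    "/": {"Admins": {"read", "write", "delete"}, "Staff": {"read"}},
    "/finance": {"Finance": {"read", "write"}},
    "/finance/payroll": {"Staff": {"write"}},   # mistaken grant to a broad group
    "/public": {},
}

GROUPS = {"alice": {"Staff"}, "bob": {"Staff", "Finance"}, "carol": {"Admins"}}

# Least-privilege expectation per user: what the job actually needs. A need
# stated on a folder also covers its descendants, like the grants themselves.
NEEDS = {
    "alice": {"/": {"read"}},
    "bob": {"/": {"read"}, "/finance": {"read", "write"}},
    "carol": {"/": {"read", "write", "delete"}},
}


def parent(path):
    """Parent folder of path, or None for the root."""
    if path == "/":
        return None
    return path.rsplit("/", 1)[0] or "/"


def effective_rights(obj, user):
    """Rights user has on obj through any group, explicit or inherited."""
    rights = set()
    node = obj
    while node is not None:
        for group in GROUPS[user]:
            rights |= ACL.get(node, {}).get(group, set())
        node = parent(node)
    return rights


def required_rights(obj, user):
    """Rights the user's job needs on obj, including needs stated on ancestors."""
    rights = set()
    node = obj
    while node is not None:
        rights |= NEEDS[user].get(node, set())
        node = parent(node)
    return rights


def audit_user(user):
    """Privilege audit: {object: rights the user holds but does not need}."""
    findings = {}
    for obj in ACL:
        excess = effective_rights(obj, user) - required_rights(obj, user)
        if excess:
            findings[obj] = excess
    return findings


def subjects_with(obj, right):
    """Usage-audit view: which users can exercise `right` on `obj`."""
    return sorted(u for u in GROUPS if right in effective_rights(obj, u))


if __name__ == "__main__":
    for user in GROUPS:
        print(user, audit_user(user) or "OK")
    print("can write /finance/payroll:", subjects_with("/finance/payroll", "write"))
```

Running it reports that alice, who only needs read access, can write to /finance/payroll: the explicit grant to Staff on that folder is invisible if you only look at the root ACL, which is the point the slide makes about inheritance. The same grant is harmless for bob, whose Finance membership already covers it.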

  11. Usage Auditing (continued) [figure slide; image not included]

  12. Usage Auditing (continued)
  • GPO inheritance allows administrators to set a base security policy that applies to all users in the Microsoft AD.
  • Other administrators can apply more specific policies at a lower level that apply only to subsets of users or computers.
  • GPOs inherited from parent containers are processed first, followed by the policies linked to the container object in their link order; where settings conflict, the policy processed last wins, which is why a lower-level GPO can quietly override the baseline.

  13. Usage Auditing (continued)
  • A log is a record of events that occur. Logs are composed of log entries; each entry contains information related to a specific event that has occurred.
  • Logs have been used primarily for troubleshooting problems.
  • Log management: the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.

  14. Usage Auditing (continued)
  • Security application logs: antivirus software, remote access software, automated patch update service.
  • Security hardware logs: network intrusion detection systems and host and network intrusion prevention systems, Domain Name System (DNS), authentication servers, proxy servers, firewalls.


  16. Usage Auditing (continued) [figure slide; image not included]

  17. Usage Auditing (continued) [figure slide; image not included]

  18. Usage Auditing (continued)
  Types of items that should be examined in a firewall log include:
  • IP addresses that are being rejected and dropped
  • Probes to ports that have no application services running on them
  • Source-routed packets
  • Suspicious outbound connections
  • Unsuccessful logins
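The list above is what an auditor looks for; it says nothing about how to find those items in thousands of lines. The following is an added example, not code from the slides or the textbook, that runs those checks over a handful of firewall log lines. The lines are constructed in the style of Linux netfilter LOG output (ACCEPT/DROP, IN, OUT, SRC, DST, PROTO, SPT, DPT); the SRCROUTE=1 token is an assumed marker for a source-routed packet, not a real netfilter field, and the exposed-service and outbound-port lists are an assumed site policy. Unsuccessful logins are not in this sample because they come from the firewall's administrative or VPN authentication log rather than its packet log.

```python
"""Added example (not from the slides or the textbook): a first-pass review of
firewall log lines for repeated drops, port probes, source-routed packets and
suspicious outbound connections. Sample lines and policy are constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, netfilter-style. SRCROUTE=1 is an assumed marker.
SAMPLE_LOG = """\
Mar 10 02:14:07 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=22
Mar 10 02:14:08 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=23
Mar 10 02:14:09 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51236 DPT=3389
Mar 10 02:14:10 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51237 DPT=445
Mar 10 02:15:01 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=443
Mar 10 02:16:30 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=192.0.2.99 PROTO=TCP SPT=49152 DPT=6667
Mar 10 02:17:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.31 DST=192.0.2.50 PROTO=TCP SPT=49160 DPT=443
Mar 10 02:18:45 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=1024 DPT=80 SRCROUTE=1
"""

# Assumed site policy: what the DMZ host exposes, what insiders may reach.
EXPOSED_SERVICES = {80, 443}
ALLOWED_OUTBOUND = {53, 80, 443}
INTERNAL = ip_network("10.0.0.0/8")
REPEAT_THRESHOLD = 3          # drops from one source before it is worth a look

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>ACCEPT|DROP|REJECT) (?P<fields>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a firewall record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "action": m["action"]}
    rec.update(re.findall(r"(\w+)=(\S*)", m["fields"]))   # "OUT=" yields ''
    for key in ("SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def review_firewall_log(text):
    """Apply the audit checks and return the findings grouped by check."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    drops = Counter(r.get("SRC", "?") for r in records
                    if r["action"] in ("DROP", "REJECT"))
    inbound = [r for r in records if r.get("OUT") == ""]     # arrived from outside
    outbound = [r for r in records if r.get("OUT")]          # forwarded to outside
    return {
        # sources being rejected or dropped again and again
        "repeat_dropped_sources": {s: n for s, n in drops.items()
                                   if n >= REPEAT_THRESHOLD},
        # probes to ports on which nothing is meant to be listening
        "port_probes": sorted({(r["SRC"], r["DPT"]) for r in inbound
                               if r.get("DPT") not in EXPOSED_SERVICES}),
        "source_routed": sorted({r["SRC"] for r in records
                                 if r.get("SRCROUTE") == "1"}),
        # insiders talking to the Internet on ports the policy does not allow
        "suspicious_outbound": sorted({(r["SRC"], r["DST"], r["DPT"]) for r in outbound
                                       if ip_address(r["SRC"]) in INTERNAL
                                       and r.get("DPT") not in ALLOWED_OUTBOUND}),
    }


if __name__ == "__main__":
    for check, hits in review_firewall_log(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

On the sample, 203.0.113.45 shows up both as a repeat-dropped source and as the origin of four probes to closed ports (a small port sweep), the one source-routed packet is flagged even though its destination port is legitimate, and the accepted outbound connection from 10.0.0.25 to port 6667 is reported because the policy never allowed it: accepted traffic deserves review as much as dropped traffic.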

  19. Usage Auditing (continued) [figure slide; image not included]

  20. Usage Auditing (continued)
  Operating system logs
  • Event: an occurrence within a software system that is communicated to users or other programs outside the operating system.
  • System events: operational actions that are performed by the operating system.

  21. Usage Auditing (continued)
  • System events that are commonly recorded include client requests and server responses, and usage information.
  • Logs based on audit records are the second common type of security-related operating system log.
  • Audit records that are commonly recorded include account information and operational information.


  23. Usage Auditing (continued)
  Log management benefits:
  • A routine review and analysis of logs helps to identify security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred.
  • Logs can also be used in providing information for resolving such problems.
  • Logs may be useful for performing auditing analysis, supporting the organization's internal investigations, and identifying operational trends and long-term problems.


  25. Usage Auditing (continued)
  It is recommended that organizations enact the following log management solutions:
  • Enact periodic audits
  • Establish policies and procedures for log management
  • Maintain a secure log management infrastructure
  • Prioritize log management throughout the organization
  • Use log aggregators
  • Provide adequate support

  26. Usage Auditing (continued)
  • Change management refers to a methodology for making changes and keeping track of those changes, often manually.
  • Seeks to approach changes systematically and provide the necessary documentation of the changes.
  • Two major types of security-relevant changes are routinely documented: any change in system architecture, and changes in data classification.

  27. Usage Auditing (continued)
  • Change management team (CMT): created to oversee changes. Any proposed change must first be approved by the CMT.
  • The team is typically composed of representatives from all areas of IT (servers, network, enterprise server, etc.), network security, and upper-level management.

  28. Usage Auditing (continued)
  The duties of the CMT include:
  • Review proposed changes
  • Ensure that the risk and impact of the planned change is clearly understood
  • Recommend approval, disapproval, deferral, or withdrawal of a requested change
  • Communicate proposed and approved changes to co-workers

  29. Monitoring Methodologies and Tools
  • There are several types of instruments that can be used on systems and networks to detect security-related anomalies.

  30. Methodologies for Monitoring
  • Anomaly-based monitoring: designed for detecting statistical anomalies.
  • Baseline: a reference set of data against which operational data is compared.
  • Whenever there is a significant deviation from this baseline, an alarm is raised.
  • Advantage: detects the anomalies quickly.

  31. Methodologies for Monitoring (continued)
  • False positives: alarms that are raised when there is no actual abnormal behavior.
  • Normal behavior can change easily and even quickly, so anomaly-based monitoring is subject to false positives.
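The two slides above describe the mechanism (a baseline, a "significant deviation" threshold) and its weakness (normal behavior shifts, so alarms fire without an attack) without showing either concretely. The following is an added example, not from the slides or the textbook: a simple statistical monitor over hourly counts of failed logins. The baseline numbers and the observed hours are constructed; the threshold of three standard deviations and the idea of re-baselining after an analyst confirms a change are assumptions of this example. It goes one step beyond the slides by also showing why a baseline that learns from everything it sees can be trained by an attacker.

```python
"""Added example (not from the slides or the textbook): anomaly-based monitoring
of failed-login counts per hour against a statistical baseline, showing the
false positives that follow a legitimate change in normal behaviour and the
risk of letting the baseline learn unreviewed data. All numbers are constructed."""
from statistics import mean, pstdev

# Constructed: failed logins per hour during a quiet baseline period.
BASELINE_FAILED_LOGINS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4]

# Constructed: a later day. Hours 2-5 follow a forced password rotation
# (users mistype new passwords); hour 6 is a brute-force burst.
OBSERVED = [4, 3, 9, 8, 10, 9, 40, 3]


class AnomalyMonitor:
    """Alarms when an observation is more than k standard deviations from the baseline mean."""

    def __init__(self, baseline, k=3.0):
        if len(baseline) < 2:
            raise ValueError("need at least two baseline samples")
        self.baseline = list(baseline)
        self.k = k
        self._refit()

    def _refit(self):
        self.mu = mean(self.baseline)
        self.sigma = pstdev(self.baseline) or 1e-9   # flat baseline: avoid division by zero

    def score(self, value):
        """Deviation from the baseline in standard deviations (a z-score)."""
        return (value - self.mu) / self.sigma

    def is_anomalous(self, value):
        # Two-sided on purpose: a source that suddenly logs nothing is also news.
        return abs(self.score(value)) > self.k

    def learn(self, value):
        """Fold an observation into the baseline, unconditionally (see demo step 3)."""
        self.baseline.append(value)
        self._refit()
        return self


def alarms(monitor, observations):
    """Indices of the observations that would raise an alarm."""
    return [i for i, v in enumerate(observations) if monitor.is_anomalous(v)]


def demo():
    # 1. Static baseline: catches the burst at index 6, but the four hours after
    #    the password rotation (9, 8, 10, 9) alarm too. Those are false positives.
    static = AnomalyMonitor(BASELINE_FAILED_LOGINS)
    static_alarms = alarms(static, OBSERVED)

    # 2. Re-baselined after an analyst confirms the rotation is legitimate:
    #    the new normal no longer alarms, the burst still does.
    refit = AnomalyMonitor(BASELINE_FAILED_LOGINS + [9, 8, 10, 9])
    refit_alarms = alarms(refit, OBSERVED)

    # 3. Caveat: a monitor that learns from everything it sees can be trained.
    #    Feed it the attack rate long enough and the attack becomes "normal".
    poisoned = AnomalyMonitor(BASELINE_FAILED_LOGINS)
    for _ in range(20):
        poisoned.learn(40)

    return {
        "static": static_alarms,
        "refit": refit_alarms,
        "poisoned_sees_40_as_normal": not poisoned.is_anomalous(40),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The static monitor raises five alarms of which four are false positives; re-baselining on the confirmed new normal leaves only the burst. The third step is the caveat a practitioner wants: only fold observations into the baseline after someone has reviewed them, otherwise the monitor is adaptive in the attacker's favour.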

  32. Methodologies for Monitoring (continued)
  • Signature-based monitoring compares activities against a predefined signature.
  • Requires access to an updated database of signatures, along with a means to actively compare and match current behavior against the collection of signatures.
  • Weaknesses: the signature database must be constantly updated, and as the number of signatures grows, behavior must be compared against an increasingly large number of signatures.

  33. Methodologies for Monitoring (continued)
  • Behavior-based monitoring is designed to be more adaptive and proactive instead of reactive.
  • Uses the "normal" processes and actions as the standard, continuously analyzes the behavior of processes and programs on a system, and alerts the user if it detects any abnormal actions.
  • Advantage: not necessary to update signature files or compile a baseline of statistical behavior.
  • Caveat: the tool still carries some model of what "normal" actions are, so unusual but legitimate activity can still trigger alerts; it trades signature maintenance for alert triage rather than eliminating it.


  35. Monitoring Tools
  • Performance baseline: a reference set of data established to create the "norm" of performance for a system or systems.
  • Data is accumulated through the normal operations of the systems and networks through performance monitors.
  • Operational data is compared with the baseline data to determine how closely the norm is being met and whether any adjustments need to be made.

  36. Monitoring Tools (continued)
  • System monitor: a low-level system program that uses a notification engine designed to monitor and track down hidden activity on a desktop system, server, or even a personal digital assistant (PDA) or cell phone.
  • Some system monitors have a Web-based interface.
  • System monitors generally have a fully customizable notification system that lets the owner design the information that is collected and made available.

  37. Monitoring Tools (continued)
  • Protocol analyzer (also called a sniffer): captures each packet to decode and analyze its contents.
  • Can fully decode application-layer network protocols; the different parts of the protocol can then be analyzed for any suspicious behavior.

  38. Summary
  • A "privilege" can be considered a subject's access level over an object.
  • Auditing system security settings for user privileges involves a regular review of user access and rights.
  • Information lifecycle management (ILM) is a set of strategies for administering, maintaining, and managing computer storage systems in order to retain data.
  • Usage auditing involves an examination of which subjects are accessing specific objects and how frequently.

  39. Summary (continued)
  • Logs related to computer security have become particularly important.
  • Change management refers to a methodology for making changes and keeping track of those changes, often manually.
  • Monitoring involves examining network traffic, activity, transactions, or behavior in order to detect security-related anomalies.
