
Lecture Information systems security - Chapter 8: Conducting security audits


Pages: 46
Size: 711.44 KB

Contents

After studying this chapter you should be able to: Define privilege audits, describe how usage audits can protect security, list the methodologies used for monitoring to detect security-related anomalies, describe the different monitoring tools.

Slide 1

Conducting Security Audits

Slide 2

- Define privilege audits
- Describe how usage audits can protect security
- List the methodologies used for monitoring to detect security-related anomalies
- Describe the different monitoring tools

Slide 3

Privilege Auditing

- A privilege can be considered a subject's access level over an object
- Principle of least privilege
  - Users should be given only the minimal set of privileges necessary to perform their job function
- Privilege auditing
  - Reviewing a subject's privileges over an object
  - Requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings

Slide 5

Centralized and Decentralized Structures

- In a centralized structure
  - One unit is responsible for all aspects of assigning or revoking privileges
  - All custodians are part of that unit
  - Promotes uniform security policies
  - Slows response, frustrates users
- A decentralized organizational structure for privilege management
  - Delegates the authority for assigning or revoking privileges more closely to the geographic location or end user
  - Requires IT staff at each location to manage privileges

Slide 6

Assigning Privileges

- The foundation for assigning privileges
  - The existing access control model for the hardware or software being used
- Recall that there are four major access control models:
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Role-Based Access Control (RBAC)
  - Rule-Based Access Control (RBAC)

Slide 7

Auditing System Security Settings

- Auditing system security settings for user privileges involves:
  - A regular review of user access and rights
  - Using group policies
  - Implementing storage and retention policies
- User access and rights review
  - It is important to periodically review user access privileges and rights
  - Most organizations have a written policy that mandates regular reviews

Slide 8

Auditing System Security Settings

Slide 9

User Access and Rights Review (continued)

- Reviewing user access rights for logging into the network can be performed on the network server
- Reviewing user permissions over objects can be viewed on the network server

Slide 10

User Access and Rights Review (continued)

Slide 11

Group Policies

- Instead of setting the same configuration baseline on each computer, a security template can be created
- Security template
  - A method to configure a suite of baseline security settings
- On a Microsoft Windows computer, one method to deploy security templates is to use Group Policies
  - A feature that provides centralized management and configuration of computers and remote users who are using Active Directory (AD)

Slide 12

Group Policy Objects (GPOs)

- The individual elements or settings within group policies are known as Group Policy Objects (GPOs)
- GPOs are a defined collection of available settings that can be applied to user objects or AD computers
- Settings are manipulated using administrative template files that are included within the GPO

Slide 14

Storage and Retention Policies

- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act
- Require organizations to store data for specified time periods
- Require data to be stored securely

Slide 15

HIPAA Sanction for Unlocked Dumpsters

Slide 16

Information Lifecycle Management (ILM)

- A set of strategies for administering, maintaining, and managing computer storage systems in order to retain data
- ILM strategies are typically recorded in storage and retention policies
  - Which outline the requirements for data storage
- Data classification
  - Assigns a level of business importance, availability, sensitivity, security and regulation requirements to data

Slide 17

Data Categories

Slide 18

- Grouping data into categories often requires the assistance of the users who save and retrieve the data on a regular basis
- The next step is to assign the data to different levels or "tiers" of storage and accessibility


Slide 20

Usage Auditing

- Audits what objects a user has actually accessed
- Involves an examination of which subjects are accessing specific objects and how frequently
- Sometimes access privileges can be very complex
- Usage auditing can help reveal incorrect permissions
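To make the two audits concrete, here is an added example (not from the lecture) that runs a privilege audit and a usage audit over constructed data: a hypothetical role model, a list of current grants, and a few access-log lines. The privilege audit flags grants beyond what a role needs (least privilege, Slide 3); the usage audit flags grants that were never exercised and accesses that no grant explains, the "incorrect permissions" this slide refers to.

```python
# Added example: privilege audit plus usage audit over constructed data.
# Role model, grants and log lines are all hypothetical.

# What each job function legitimately needs: (object, right) pairs.
ROLE_RIGHTS = {
    "payroll": {("hr_db", "read"), ("hr_db", "write")},
    "helpdesk": {("tickets", "read"), ("tickets", "write"), ("hr_db", "read")},
}

# Current grants as (user, role, object, right).
GRANTS = [
    ("alice", "payroll", "hr_db", "read"),
    ("alice", "payroll", "hr_db", "write"),
    ("alice", "payroll", "finance_share", "write"),  # beyond the payroll role
    ("bob", "helpdesk", "tickets", "read"),
    ("bob", "helpdesk", "tickets", "write"),
    ("bob", "helpdesk", "hr_db", "read"),            # granted, never used below
]

# Constructed access log: "user object right outcome" per line.
ACCESS_LOG = """\
alice hr_db read allowed
alice hr_db write allowed
alice finance_share write allowed
bob tickets write allowed
bob tickets read allowed
carol hr_db read allowed
"""


def privilege_audit(grants, role_rights):
    """Grants that exceed what the user's role requires (least privilege)."""
    return sorted((user, obj, right) for user, role, obj, right in grants
                  if (obj, right) not in role_rights.get(role, set()))


def usage_audit(grants, access_log):
    """Return (grants never exercised, allowed accesses no grant explains)."""
    granted = {(user, obj, right) for user, _, obj, right in grants}
    used = set()
    for line in access_log.splitlines():
        user, obj, right, outcome = line.split()
        if outcome == "allowed":
            used.add((user, obj, right))
    return sorted(granted - used), sorted(used - granted)


if __name__ == "__main__":
    print("excess grants:", privilege_audit(GRANTS, ROLE_RIGHTS))
    print("unused grants, unexplained accesses:", usage_audit(GRANTS, ACCESS_LOG))
```

An access that no grant explains (carol reading hr_db here) points at a permission path the review missed, such as inherited or group-derived rights, and is the case to chase first.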

Slide 21

Privilege Inheritance

Slide 22

- That apply only to subsets of users or computers
- GPOs that are inherited from parent containers are processed first
  - Followed by the order that policies were linked to a container object

Slide 23

Log Management

- A log is a record of events that occur
- Logs are composed of log entries
  - Each entry contains information related to a specific event that has occurred
- Logs have been used primarily for troubleshooting problems
- Log management
  - The process for generating, transmitting, storing, analyzing, and disposing of computer security log data

Slide 24

Application and Hardware Logs

- Security application logs
  - Antivirus software
  - Remote access software
  - Automated patch update service
- Security hardware logs
  - Network intrusion detection systems and host and network intrusion prevention systems
  - Domain Name System (DNS)
  - Authentication servers
  - Proxy servers
  - Firewalls

Slide 25

Antivirus Logs

Slide 26

DNS Logs

Slide 27

Firewall Logs

Slide 28

- Types of items that should be examined in a firewall log include:
  - IP addresses that are being rejected and dropped
  - Probes to ports that have no application services running on them
  - Source-routed packets
  - Packets from outside with false internal source addresses
  - Suspicious outbound connections
  - Unsuccessful logins
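As an added example (not part of the slides), the review below runs the first five item types in this list over constructed firewall log lines in an invented key=value format: dropped sources, probes to ports with no service behind them, source-routed packets, outside packets carrying an internal source address, and unusual outbound connections. The 10.0.0.0/8 internal range, the service and egress port sets, and the probe threshold are all assumptions; unsuccessful logins live in authentication logs and are not modelled here.

```python
# Added example: review constructed firewall log lines for the item types on
# the slide.  Log format, address ranges, port sets and threshold are assumed.
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
SERVICE_PORTS = {80, 443}       # ports with a service behind the firewall
ALLOWED_EGRESS = {53, 80, 443}  # outbound ports expected from inside
PROBE_THRESHOLD = 3             # distinct unserved ports hit from one source

# Constructed key=value log lines (not any real firewall's format).
FIREWALL_LOG = """\
t=1 act=DROP dir=in src=203.0.113.5 dst=198.51.100.10 dport=22
t=2 act=DROP dir=in src=203.0.113.5 dst=198.51.100.10 dport=23
t=3 act=DROP dir=in src=203.0.113.5 dst=198.51.100.10 dport=3389
t=4 act=ACCEPT dir=in src=198.51.100.77 dst=198.51.100.10 dport=443
t=5 act=DROP dir=in src=10.1.2.3 dst=198.51.100.10 dport=80
t=6 act=ACCEPT dir=out src=10.0.0.15 dst=203.0.113.9 dport=6667
t=7 act=ACCEPT dir=out src=10.0.0.15 dst=203.0.113.9 dport=443
t=8 act=DROP dir=in src=192.0.2.8 dst=198.51.100.10 dport=80 opt=srcroute
"""


def parse(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def review_firewall_log(text):
    """Map each finding category to a sorted list of evidence strings."""
    findings = defaultdict(set)
    probes = defaultdict(set)  # source -> unserved ports it was dropped on
    for rec in map(parse, text.splitlines()):
        src = ipaddress.ip_address(rec["src"])
        port = int(rec["dport"])
        if rec["act"] == "DROP":
            findings["dropped_sources"].add(str(src))
            if rec["dir"] == "in" and port not in SERVICE_PORTS:
                probes[str(src)].add(port)
        if rec["dir"] == "in" and src in INTERNAL_NET:
            findings["spoofed_internal_source"].add(str(src))
        if rec["dir"] == "out" and port not in ALLOWED_EGRESS:
            findings["suspicious_outbound"].add(f"{src}->{rec['dst']}:{port}")
        if rec.get("opt") == "srcroute":
            findings["source_routed"].add(str(src))
    for src, ports in probes.items():
        if len(ports) >= PROBE_THRESHOLD:
            findings["port_probes"].add(src)
    return {k: sorted(v) for k, v in findings.items()}
```

Call review_firewall_log(FIREWALL_LOG) to see the findings; an inbound packet whose source is in INTERNAL_NET is flagged even when the firewall accepted it, since the slide's point is that such addresses cannot legitimately arrive from outside.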

Slide 29

Operating System Logs

- System events
  - Significant actions performed by the operating system
    - Shutting down the system
    - Starting a service

Slide 30

System Events

- System events that are commonly recorded include:
  - Client requests and server responses
  - Usage information
- Logs based on audit records
  - The second common type of security-related operating system logs
- Audit records that are commonly recorded include:
  - Account activity, such as escalating privileges
  - Operational information, such as application startup and shutdown

Slide 31

Windows 7 Event Logs

Slide 32

Log Management Benefits

- A routine review and analysis of logs helps identify

Slide 33

Log Management Benefits

- Logs help
  - Perform auditing analysis
  - The organization's internal investigations
  - Identify operational trends and long-term problems
  - Demonstrate compliance with laws and regulatory requirements

Slide 35

Change Management

- A methodology for making changes and keeping track of those changes
- Two major types of changes
  - Any change in system architecture
    - New servers, routers, etc.
  - Data classification
    - Documents moving from Confidential to Standard, or Top Secret to Secret

Slide 36

Change Management Team (CMT)

- Created to oversee changes
- Any proposed change must first be approved by the CMT
- The team typically has:
  - Representatives from all areas of IT (servers, network, enterprise server, etc.)
  - Network security
  - Upper-level management

Slide 37

Change Management Team (CMT) Duties

- Review proposed changes
- Ensure that the risk and impact of the planned change is clearly understood
- Recommend approval, disapproval, deferral, or withdrawal of a requested change
- Communicate proposed and approved changes to workers


Slide 40

- Normal behavior can change easily and even quickly
- Anomaly-based monitoring is subject to false positives

Slide 41

Signature-based Monitoring

- Compares activities against signatures
- Requires access to an updated database of signatures
- Weaknesses
  - The signature databases must be constantly updated
  - As the number of signatures grows, the behaviors must be compared against an increasingly large number of signatures
  - New attacks will be missed, because there is no signature for them

Slide 42

Behavior-based Monitoring

- Adaptive and proactive instead of reactive
- Uses the "normal" processes and actions as the standard
- Continuously analyzes the behavior of processes and programs on a system
- Alerts the user if it detects any abnormal actions
- Advantage
  - Not necessary to update signature files or compile a baseline of statistical behavior

Slide 43

Behavior-based Monitoring

Slide 45

System Monitor

- A low-level system program
- Monitors hidden activity on a device
- Some system monitors have a Web-based interface
- System monitors generally have a fully customizable notification system
  - That lets the owner design the information that is collected and made available

Slide 46

Protocol Analyzer

- Also called a sniffer
- Captures each packet to decode and analyze its contents
- Can fully decode application-layer network protocols
- The different parts of the protocol can be analyzed for any suspicious behavior

Posted: 30/01/2020, 11:33