Guide to Network Security, 1st Edition
Chapter Ten: Auditing, Monitoring, and Logging
© 2013 Course Technology/Cengage Learning. All Rights Reserved
Objectives
• List the various events that should be monitored in network environments
• Describe the various network logs available for monitoring
• Discuss the various log management, SIEM, and monitoring technologies
• Explain the role that configuration and change management play in auditing the network environment
Objectives (cont’d.)
• Discuss formal audit programs and how they relate to network environments
• Describe Certification and Accreditation (C&A) programs implemented by the U.S. federal government and other international agencies
Introduction
• Auditing definitions
  – Review of organizational processes for compliance to policies, standards, or regulations
  – Procedure for recording and reviewing network or system events
  – Periodic self-review of a network environment
• Systems monitoring
  – Ongoing review of a system or network
  – Objective: determine if results and events are within expected bounds
Monitoring Network Systems
• Tracking events that occur on the system
• Log
  – Detailed chronological record of the operation of a computer system
  – Includes system use and modifications
What to Audit?
• Event
  – Any action on the system or device that may be of interest
• Security event
  – Event that may affect the system’s security
• Process events
  – Relate to tasks performed by a computing system
  – Many processes may be underway simultaneously
What to Audit? (cont’d.)
• Operating system process attributes
  – Memory
  – Operating system resources
  – Security attributes
  – Processor state
• Services
  – Processes designed to operate without user interaction
  – Known as a daemon in Linux environments
Figure 10-2 Windows 7 audit policy (© Microsoft Windows)
Figure 10-4 Windows processes (© Microsoft Windows)
Figure 10-6 Windows services (© Microsoft Windows)
What to Audit? (cont’d.)
• Logon events
  – Audit systems typically log an event when:
    • User logs on or off
    • Attempt to log on fails
    • User starts or stops a network session
• Group or permission change events
  – Attacker methodology: elevate privileges to those of administrator
  – Useful to track changes in group membership or when rights are elevated
What to Audit? (cont’d.)
• Resource access events
  – Track when users or processes access files, directories, printers, and other system resources
• Recording every possible detail for auditing
  – Number of events can be astronomical
  – Captures legitimate events as well as exceptions
Table 10-1 Partial list of object access events that can be captured by Windows auditing (© Cengage Learning 2013)
What to Audit? (cont’d.)
• Network connection events
  – Track communication sessions
  – Can be tracked at system level or at firewalls
• Network data transfer events
  – Data leakage
    • Unauthorized release of data
  – Track Web sessions and amount of information transferred
  – Data leakage prevention
    • Implemented as software or an appliance
    • Looks for sensitive data leaving the network
What to Audit? (cont’d.)
• System restart and shutdown events
  – Track when systems are booted, restarted, and shut down
• Audit system or log events
  – Record various log occurrences
    • Logs reach capacity; logs are truncated
  – Attackers often delete or modify log records to conceal activity
Log Management Policy
• Comprehensive picture of IT environment health
  – Must collect, review, and retain aggregate logs
• Some logging enabled by default
  – Other logging must be specifically activated
• Central logging service
  – May be a central server
• Log management practices
  – Storage
    • System must be able to handle the amount of data generated
Log Management Policy (cont’d.)
• Log management practices (cont’d.)
  – Retention
    • Period of time a log file must be maintained
    • Understand regulatory requirements
  – Baseline
    • Measures activities during routine conditions
  – Encryption
    • Logs should be encrypted for storage
  – Disposal
    • Log files should be disposed of after the retention period
Standard OS Logs
• Windows-based logging
  – Logging managed by Event Viewer
    • Accessible from the system Control Panel
  – Windows 7 logs divided into two categories
    • Windows logs
    • Applications and services logs
• Windows standard logs
  – Application log
Figure 10-9 Windows Event Viewer (© Microsoft Windows)
Standard OS Logs (cont’d.)
• Windows standard logs (cont’d.)
  – Security log
  – Setup log
  – System log
  – Forwarded events log
  – Application and services logs
    • Admin
    • Operational
    • Analytic
    • Debug
Standard OS Logs (cont’d.)
• Linux-based logging
  – Files vary by machine
  – Logs typically located in the /var/log/ directory
• Syslog
  – System logger
  – Multiple system utilities log using the same mechanism
  – Uses a configuration file
Figure 10-18 Contents of a simple syslog.conf file (© Linux)
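The syslog.conf figure is not reproduced above, so here is an added example (mine, not the textbook's) that models how the selector rules in a classic sysklogd/BSD-style syslog.conf route a message: a constructed configuration is parsed, and a message's facility and priority decide which log files receive it. The facility names and file paths in SAMPLE_CONF are made up for the example; priority aliases such as warn/error and remote @host actions are not modelled.

```python
"""Added example (not the textbook's figure): a minimal model of how classic
syslog.conf selectors route a message to log files.  The configuration text
below is constructed for this example."""
# Priorities in ascending severity; a selector names a level *and everything more severe*.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

SAMPLE_CONF = """
# constructed sample; comments and blank lines are ignored by the parser
auth,authpriv.*                  /var/log/auth.log
*.info;mail.none;authpriv.none   /var/log/messages
kern.crit                        /var/log/kern-crit.log
mail.*                           -/var/log/mail.log
"""

def parse_conf(text):
    """Return [(selectors, action)] where selectors is the ';'-separated list of a rule."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)
        rules.append((selector.split(";"), action.strip().lstrip("-")))  # '-' = async write
    return rules

def rule_matches(selectors, facility, priority):
    """Selectors apply left to right; a later selector naming the same facility overrides
    an earlier one, which is how '*.info;mail.none' keeps mail out of /var/log/messages."""
    matched = False
    for sel in selectors:
        facs, prio = sel.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        else:
            matched = prio == "*" or PRIORITIES.index(priority) >= PRIORITIES.index(prio)
    return matched

def route(rules, facility, priority):
    """Every log file that a message tagged facility.priority is written to."""
    return [action for selectors, action in rules if rule_matches(selectors, facility, priority)]

RULES = parse_conf(SAMPLE_CONF)
```

Calling route(RULES, "mail", "err") returns only /var/log/mail.log, because the mail.none selector removes mail messages from the catch-all rule.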
Log Management Technology
• Log management tool
  – Collects events from log files
  – Processes data
  – Stores results
  – Performs notification or alerting as required
• Capabilities of log management technologies
  – Collect and centralize events to comply with industry regulations
  – Retain log information in accordance with company policy
Log Management Technology (cont’d.)
• Capabilities of log management technologies (cont’d.)
  – Normalize log information
  – Correlate events from various sources
  – Provide searching mechanisms
  – Provide reporting mechanisms
• Security information and event management (SIEM)
  – Provides an added level of intelligence
  – Groups events from various technologies, environments, and locations
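As an added illustration of the normalize-and-correlate capabilities listed above, and of the logon, group-change and log-tampering events from the "What to Audit?" slides, the following Python is my own example, not the textbook's: it maps two constructed log formats onto one schema and raises alerts for a burst of failed logons followed by a success, a group membership change, and an audit log being cleared. The Windows CSV columns and event names are assumed for the example and do not represent a real export format.

```python
"""Added example (not from the textbook): normalize logon events from two constructed
log formats into one schema, then correlate them as a log management/SIEM tool would."""
import re
from datetime import datetime, timedelta
# Constructed Linux auth-log lines in syslog format (the year is omitted, as in the real format).
LINUX_AUTH = """\
Mar  4 09:14:01 web1 sshd[2101]: Failed password for admin from 10.0.0.5 port 4102 ssh2
Mar  4 09:14:03 web1 sshd[2101]: Failed password for admin from 10.0.0.5 port 4103 ssh2
Mar  4 09:14:06 web1 sshd[2101]: Failed password for admin from 10.0.0.5 port 4104 ssh2
Mar  4 09:14:09 web1 sshd[2101]: Accepted password for admin from 10.0.0.5 port 4105 ssh2
Mar  4 11:02:44 web1 sshd[3307]: Failed password for bob from 10.0.0.9 port 5001 ssh2
"""
# Constructed Windows-style export (hypothetical CSV columns: time,host,event,user,source).
WINDOWS_CSV = """\
2013-03-04 09:20:10,dc1,LogonFailure,svc_backup,10.0.0.5
2013-03-04 09:20:12,dc1,LogonFailure,svc_backup,10.0.0.5
2013-03-04 09:20:15,dc1,LogonFailure,svc_backup,10.0.0.5
2013-03-04 09:20:20,dc1,LogonSuccess,svc_backup,10.0.0.5
2013-03-04 09:21:00,dc1,GroupMemberAdded,svc_backup,Administrators
2013-03-04 09:25:00,dc1,AuditLogCleared,svc_backup,-
"""
LINUX_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(linux_text, windows_text, year=2013):
    """Map both formats onto one schema (ts, host, kind, user, source), sorted by time."""
    events = []
    for m in filter(None, map(LINUX_RE.match, linux_text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # caller supplies year
        kind = "fail" if m.group(3) == "Failed" else "success"
        events.append(dict(ts=ts, host=m.group(2), kind=kind, user=m.group(4), source=m.group(5)))
    for line in windows_text.splitlines():
        ts, host, kind, user, source = line.split(",")
        kind = {"LogonFailure": "fail", "LogonSuccess": "success"}.get(kind, kind)
        events.append(dict(ts=datetime.fromisoformat(ts), host=host, kind=kind, user=user, source=source))
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Alert on failures-then-success (same user and source inside the window), group changes, and log clearing."""
    alerts = []
    for i, e in enumerate(events):
        if e["kind"] == "success":
            fails = [p for p in events[:i] if p["kind"] == "fail" and p["user"] == e["user"]
                     and p["source"] == e["source"] and e["ts"] - p["ts"] <= window]
            if len(fails) >= threshold:
                alerts.append(f"{e['host']}: {len(fails)} failures then success for {e['user']} from {e['source']}")
        elif e["kind"] == "GroupMemberAdded":
            alerts.append(f"{e['host']}: {e['user']} added to group {e['source']}")
        elif e["kind"] == "AuditLogCleared":
            alerts.append(f"{e['host']}: audit log cleared by {e['user']}")
    return alerts
```

The single failure for bob produces no alert, which is the point of the threshold and window: a correlation rule must separate a stray typo from a pattern worth a ticket.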
Log Management Technology (cont’d.)
• Security operations center
  – Provides operational infrastructure to detect attacks
  – Staffed with information security professionals
Figure 10-20 ArcSight ESM dashboard (© HP Enterprise Security, ArcSight)
Configuration and Change Management (CCM)
• Purpose: manage the effects of changes on an information system or network
• Configuration management
  – Identification, inventory, and documentation of current system status
• Change management
  – Addresses modifications to the base configuration
Configuration Management
• Configuration item
  – Hardware or software item to be modified and revised throughout its life cycle
• Version
  – Recorded state of a revision of a software or hardware configuration item
  – Format often used: M.N.b
    • M: major release
    • N: minor release
    • b: build within that release
Configuration Management (cont’d.)
• Major release
  – Significant revision from previous state
• Minor release
  – Update or patch
  – Minor revision from previous state
• Build
  – Snapshot of software linked from various component modules
• Build list
  – List of component versions that make up the build
Configuration Management (cont’d.)
• Configuration
  – Collection of components that make up a configuration item
• Revision date
  – Date of a particular version or build
• Software library
  – Collection of configuration items
  – Usually controlled
  – Developers use it to construct revisions
Figure 10-21 Configuration management process (© Cengage Learning 2013)
Change Management
• Seeks to prevent changes that adversely affect system security
• Reduces risk by providing a repeatable mechanism for modifications in a controlled environment
• Change management process identifies the steps required
• Objectives of the step-by-step procedure
  – Identifying, processing, tracking, and documenting changes
Change Management (cont’d.)
• Step 1: identify change
  – Define need for change
  – Submit change request to appropriate decision-making body
• Step 2: evaluate change request
  – Factors: viability, correctness, cost, feasibility, and impact on security
• Step 3: implementation decision
  – Approve, deny, or defer
Change Management (cont’d.)
• Step 4: implement approved change request
  – Move change from the test environment into production
• Step 5: continuous monitoring
  – Purpose: ensure system is operating as intended
Auditing (Formal Review)
• Auditing must be performed by well-qualified individuals
• Generally Accepted Auditing Standards (GAAS)
  – General standards
  – Standards of field work
  – Reporting standards
IT Auditing
• Information Systems Audit and Control Association (ISACA)
  – Has published comprehensive standards and guidelines
• Certified Information Systems Auditor (CISA) requirements
  – Five years of work experience
  – Pass exam covering five job-practice domain areas
• Audit approach
  – Phase 1: initiation and planning
    • Engagement letter specifies the service agreement between the auditing team and the requesting entity
IT Auditing (cont’d.)
• Audit approach (cont’d.)
  – Phase 2: fieldwork
    • On-site visit
    • Target organization must support auditors
  – Phase 3: analysis and review
    • Detailed analysis of site visit findings
    • Includes statistical analysis
  – Phase 4: final reporting
    • Formal report to the requesting entity
  – Phase 5: follow-up
    • Focuses on areas identified as deficient
Systems Certification, Accreditation, and Authorization
• Accreditation
  – Authorizes an IT system to process, store, or transmit information
• Certification
  – Includes comprehensive evaluation of the security controls of an IT system
  – Supports the accreditation process
  – Determines to what extent the implementation meets specified security requirements
• Reaccreditation and recertification required every few years
Auditing for Government and Classified Information Systems
• Categories of information processed by the federal government
  – National security information (NSI)
  – Non-NSI
  – Intelligence community
• The categories are managed and operated by different government entities
• NSI must be processed on national security systems (NSSs)
  – More stringent requirements than non-NSS systems
Figure 10-22 Three-tiered approach to risk management (© Cengage Learning 2013)
Figure 10-23 Risk management framework (© Cengage Learning 2013)
Auditing and the ISO 27000 Series
• ISO/IEC 17799
  – Most widely recognized audit standard
  – Revised in 2005
  – Renamed ISO 27002 in 2007
  – Details are available to those who purchase the standard
Auditing and the ISO 27000 Series (cont’d.)
• ISO/IEC 27002 coverage areas
  – Risk assessment and treatment
  – Security policy
  – Organization of information security
  – Asset management
  – Human resource security
  – Physical and environmental security
  – Communications and operations
  – Access control
Auditing and the ISO 27000 Series (cont’d.)
• ISO/IEC 27002 coverage areas (cont’d.)
  – Information systems acquisition, development, and maintenance
  – Information security incident management
  – Business continuity management
  – Compliance
• ISO/IEC 27001
  – Provides broad overview of approach to implementing change
  – “Plan-Do-Check-Act” cycle
Figure 10-24 Setting up an information security management system (© Cengage Learning 2013)
Auditing and COBIT
• Control Objectives for Information and Related Technology (COBIT)
  – Provides advice about implementation of sound information security controls
  – Planning tool for information security
  – Auditing framework controls model
• COBIT presents 34 high-level objectives
  – Objectives cover more than 200 control objectives
  – Categorized into four domains
Auditing and COBIT (cont’d.)
• COBIT domains
  – Plan and organize
  – Acquire and implement
  – Deliver and support
  – Monitor and evaluate
Summary
• Auditing definitions
  – Ongoing review of a system’s functional data to evaluate proper operation
  – Periodic self-review of the network environment to evaluate it against policy requirements
• Computer or device log
  – Provides detailed chronological records of the use and modification of the system
• Log management includes storage, retention, baselining, encryption, and disposal
Summary (cont’d.)
• Log management solutions aid working with system logs
  – Capabilities: collect and process events, store and analyze results, and notify as required
• Configuration and change management (CCM) controls the effects of revisions on networks and information systems
• ISO/IEC 27000 series of standards
  – The most widely recognized model for security assessment and practice