http://www.cs.vassar.edu/~jones/GuideToNetworkSecurity/GTNS_PPT_ch10.pptx

Guide to Network Security
1st Edition
Chapter Ten
Auditing, Monitoring, and Logging
Objectives
• List the various events that should be monitored in
network environments
• Describe the various network logs available for
monitoring
• Discuss the various log management, SIEM, and
monitoring technologies
• Explain the role that configuration and change
management play in auditing the network
environment
© 2013 Course Technology/Cengage Learning. All Rights Reserved
2
Objectives (cont’d.)
• Discuss formal audit programs and how they relate
to network environments
• Describe Certification and Accreditation (C&A)
programs implemented by the U.S. federal
government and other international agencies
Introduction
• Auditing definitions
– Review of organizational processes for compliance
to policies, standards, or regulations
– Procedure for recording and reviewing network or
system events
– Periodic self-review of a network environment
• Systems monitoring
– Ongoing review of a system or network
– Objective: determine if results and events are within
expected bounds
Monitoring Network Systems
• Tracking events that occur on the system
• Log
– Detailed chronological record of the operation of a
computer system
– Includes system use and modifications
What to Audit?
• Event
– Any action on the system or device that may be of
interest
• Security event
– Event that may affect the system’s security
• Process events
– Relates to tasks performed by a computing system
– Many processes may be underway simultaneously
What to Audit? (cont’d.)
• Operating system process attributes
– Memory
– Operating system resources
– Security attributes
– Processor state
• Services
– Processes designed to operate without user
interaction
– Known as a daemon in UNIX and Linux environments
Figure 10-2 Windows 7 audit policy
© Microsoft Windows
Figure 10-4 Windows processes
© Microsoft Windows
Figure 10-6 Windows services
© Microsoft Windows
What to Audit? (cont’d.)
• Logon events
– Audit systems typically log an event when:
• User logs on or off
• Attempt to log on fails
• User starts or stops a network session
• Group or permission change events
– Attacker methodology: elevate privileges to those of
administrator
– Useful to track changes in group membership or
when rights are elevated
What to Audit? (cont’d.)
• Resource access events
– Track when users or processes access files,
directories, printers, and other system resources
• Recording every possible detail for auditing
– Number of events can be astronomical
– Capture legitimate events as well as exceptions
Table 10-1 Partial list of object access events
that can be captured by Windows auditing
© Cengage Learning 2013
What to Audit? (cont’d.)
• Network connection events
– Track communication sessions
– Can be tracked at system level or at firewalls
• Network data transfer events
– Data leakage
• Unauthorized release of data
– Track Web sessions and amount of information
transferred
– Data leakage prevention
• Implemented as software or an appliance
• Looks for sensitive data leaving the network
What to Audit? (cont’d.)
• System restart and shutdown events
– Track when systems are booted, restarted, and shut
down
• Audit system or log events
– Record events about the logging system itself
• Log reaches capacity; log is cleared or truncated
– Attackers often delete or modify log records to
conceal activity, so log-clearing events deserve
alerts of their own, and records should be forwarded
to a central log server as they are written rather
than kept only on the host
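The logon, group-change, and audit-log events listed above are the ones a detection engineer writes the first rules for. The following is an added example, not from the textbook: it runs three checks (a failed-logon burst, an addition to an administrative group, and a cleared audit log) over constructed records shaped like what a log-management tool produces from the Windows Security log. The event IDs are the standard Windows ones (4624/4625 logon success/failure, 4728/4732 member added to a global/local group, 1102 audit log cleared); the record layout and the sample data are assumptions made for this example.

```python
"""Detection checks over constructed Windows Security log records.

Added example, not from the textbook. Assumptions: a log-management tool has
already turned Security log entries into dicts with the fields used below, and
the event IDs are the standard Windows ones:
  4624 successful logon, 4625 failed logon,
  4728 / 4732 member added to a security-enabled global / local group,
  1102 the audit log was cleared.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamps are ISO-8601, local time).
SAMPLE_EVENTS = [
    {"time": "2013-04-01T09:00:01", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2013-04-01T09:00:12", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2013-04-01T09:00:25", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2013-04-01T09:00:40", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2013-04-01T09:00:55", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2013-04-01T09:01:10", "id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2013-04-01T09:01:30", "id": 4624, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2013-04-01T09:02:00", "id": 4732, "user": "jsmith",
     "group": "Administrators", "member": "jsmith"},
    {"time": "2013-04-01T09:03:00", "id": 1102, "user": "jsmith"},
    {"time": "2013-04-01T09:05:00", "id": 4625, "user": "bob", "src": "10.0.0.9"},
    {"time": "2013-04-01T09:06:00", "id": 4728, "user": "hr-admin",
     "group": "Sales", "member": "alice"},
]

# Groups whose membership confers administrative rights (assumed list).
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map (source, user) -> largest number of 4625 events seen inside `window`,
    for pairs that reached `threshold`. Sliding window over sorted timestamps."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_key[(e["src"], e["user"])].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                hits[key] = max(hits.get(key, 0), n)
    return hits


def sensitive_group_changes(events):
    """Membership additions to groups that confer administrative rights."""
    return [e for e in events
            if e["id"] in (4728, 4732) and e.get("group") in SENSITIVE_GROUPS]


def log_cleared(events):
    """Event 1102 is itself evidence worth alerting on: it survives the wipe."""
    return [e for e in events if e["id"] == 1102]


def triage(events):
    """Run the three checks and return human-readable findings."""
    findings = []
    for (src, user), n in failed_logon_bursts(events).items():
        findings.append(f"failed-logon burst: {n} failures for {user} from {src}")
    for e in sensitive_group_changes(events):
        findings.append(f"{e['member']} added to {e['group']} by {e['user']} at {e['time']}")
    for e in log_cleared(events):
        findings.append(f"audit log cleared by {e['user']} at {e['time']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The three findings the sample produces read as one story (a password-guessing burst, a successful logon, self-promotion to Administrators, then a cleared log), which is why the checks are only useful if the records have already left the host: the 1102 event is the last thing written before the local evidence disappears.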
Log Management Policy
• Comprehensive picture of IT environment health
– Must collect, review, and retain aggregate logs
• Some logging enabled by default
– Others must be specifically activated
• Central logging service
– May be a central server
• Log management practices
– Storage
• System must be able to handle amount of data
generated
Log Management Policy (cont’d.)
• Log management practices (cont’d.)
– Retention
• Period of time a log file must be maintained
• Understand regulatory requirements
– Baseline
• Measures activities during routine conditions
– Encryption
• Logs should be encrypted for storage
– Disposal
• Log files should be disposed after retention period
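Of the practices above, baselining is the one that turns a log archive into something that can raise an alarm: "routine conditions" have to be measured before a deviation can be recognised. The following is an added example, not from the textbook. It builds a per-hour baseline from several routine days of hourly counts of one event type (failed logons are assumed here), then scores a day under review against it; the data are constructed for the example.

```python
"""Baselining: measure activity under routine conditions, then flag a new day
against it. Added example, not from the textbook. Assumption: hourly counts of
one event type (here, failed logons) are available as 24-element lists per day.
"""
import statistics

# Constructed data: five "routine" days derived from one typical daily profile
# by shifting every hour's count by a small offset.
TYPICAL_DAY = [2, 1, 0, 1, 1, 3, 8, 20, 35, 40, 38, 36,
               30, 37, 39, 35, 28, 15, 9, 6, 4, 3, 2, 1]
ROUTINE_DAYS = [[max(0, c + d) for c in TYPICAL_DAY] for d in (-2, -1, 0, 1, 2)]

# Constructed day under review: a burst of 60 failures at 03:00 and a slightly
# busier 10:00 that is still within normal variation.
REVIEW_DAY = list(TYPICAL_DAY)
REVIEW_DAY[3] = 60
REVIEW_DAY[10] = 41


def build_baseline(days):
    """Per-hour (mean, sample standard deviation) across the routine days."""
    return [(statistics.mean(h), statistics.stdev(h)) for h in zip(*days)]


def deviations(baseline, day, k=3.0, floor=5):
    """Hours whose count exceeds mean + max(k * stdev, floor).

    The absolute floor stops quiet hours with near-zero variance from
    alerting on a difference of one or two events."""
    out = []
    for hour, ((mean, sd), count) in enumerate(zip(baseline, day)):
        threshold = mean + max(k * sd, floor)
        if count > threshold:
            out.append((hour, count, round(threshold, 1)))
    return out


if __name__ == "__main__":
    for hour, count, threshold in deviations(build_baseline(ROUTINE_DAYS), REVIEW_DAY):
        print(f"{hour:02d}:00  count={count}  baseline threshold={threshold}")
```

Only the 03:00 hour is reported; the busier 10:00 falls inside the measured variation. A baseline of this kind has to be rebuilt on a schedule (and excluded from days known to contain incidents), otherwise an attacker's steady background activity becomes the new normal.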
Standard OS Logs
• Windows-based logging
– Logs are viewed and managed with Event Viewer
• Reachable from Control Panel (Administrative Tools)
or by running eventvwr.msc
– Windows 7 logs divided into two categories
• Windows logs
• Applications and services logs
• Windows standard logs
– Application log
Figure 10-9 Windows Event Viewer
© Microsoft Windows
Standard OS Logs (cont’d.)
• Windows standard logs (cont’d.)
– Security log
– Setup log
– System log
– Forwarded events log
– Application and services logs, subdivided into:
• Admin
• Operational
• Analytic
• Debug
Standard OS Logs (cont’d.)
• Linux-based logging
– Files vary by machine
– Logs typically located in /var/log/ directory
• Syslog
– System logger
– Multiple system utilities log using the same
mechanism
– Uses a configuration file
Figure 10-18 Contents of a simple syslog.conf file
© Linux
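The syslog configuration file decides which of the messages that every utility hands to the system logger are kept, where they are written, and which are forwarded to a central logging service. The following is an added example, not from the textbook: a parser for the traditional selector/action format (the format Figure 10-18 shows) and a router that answers "where does a message with this facility and priority end up?". The configuration text is constructed for the example; the semantics assumed are those of sysklogd (later parts of a semicolon-separated selector override earlier ones for the facilities they name) and rsyslog's `@@host` syntax for TCP forwarding.

```python
"""A parser for the traditional syslog.conf selector format and a router that
shows where a given (facility, priority) message ends up. Added example, not
from the textbook. Assumptions: sysklogd-style semantics, where later parts of
a semicolon-separated selector override earlier ones for the facilities they
name, and rsyslog's @@host syntax for TCP forwarding to a central log server.
"""
import re

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL = {name: i for i, name in enumerate(PRIORITIES)}
LEVEL.update({"panic": 0, "error": 3, "warn": 4})        # legacy aliases
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Constructed configuration in the style of Figure 10-18.
SAMPLE_CONF = """\
# everything informational or worse, except mail and authpriv, to messages
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              -/var/log/maillog
*.emerg                             *
kern.=crit                          /var/log/kern-crit
auth,authpriv.*                     @@loghost.example.net:6514
"""


def levels_for(prio):
    """Set of numeric levels selected by one priority spec."""
    if prio == "*":
        return set(range(8))
    if prio == "none":
        return set()
    if prio.startswith("!="):                     # all but exactly this level
        return set(range(8)) - {LEVEL[prio[2:]]}
    if prio.startswith("="):                      # exactly this level
        return {LEVEL[prio[1:]]}
    if prio.startswith("!"):                      # exclude this level and more severe
        return {lvl for lvl in range(8) if lvl > LEVEL[prio[1:]]}
    return {lvl for lvl in range(8) if lvl <= LEVEL[prio]}   # this level and more severe


def parse_conf(text):
    """Return [(mask, action)], mask being facility -> set of accepted levels."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        mask = {f: set() for f in FACILITIES}
        for part in selector.split(";"):
            facs, prio = part.rsplit(".", 1)
            for f in (FACILITIES if facs == "*" else facs.split(",")):
                mask[f] = levels_for(prio)
        rules.append((mask, action))
    return rules


def route(rules, facility, priority):
    """Actions that receive a message with this facility and priority."""
    return [action for mask, action in rules if LEVEL[priority] in mask[facility]]


def describe(action):
    """Explain an action field the way syslogd interprets it."""
    if action.startswith("@@"):
        return f"forward over TCP to {action[2:]}"
    if action.startswith("@"):
        return f"forward over UDP to {action[1:]}"
    if action == "*":
        return "write to every logged-in user"
    if action.startswith("-"):
        return f"append to {action[1:]} without syncing after each write"
    return f"append to {action}"


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, pri in [("auth", "info"), ("mail", "err"), ("kern", "crit"), ("kern", "debug")]:
        print(f"{fac}.{pri:<8} -> {[describe(a) for a in route(rules, fac, pri)]}")
```

Two things the router makes visible that a glance at the file does not: `kern.debug` is dropped entirely by this configuration (nothing selects below `info`), and only the `auth`/`authpriv` facilities leave the machine, so an attacker who wipes `/var/log/messages` has removed the only copy of everything else.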
Log Management Technology
• Log management tool
– Collects events from log files
– Processes data
– Stores results
– Performs notification or alerting as required
• Capabilities of log management technologies
– Collect and centralize events to comply with industry
regulations
– Retain log information in accordance with company
policy
Log Management Technology (cont’d.)
• Capabilities of log management technologies
(cont’d.)
– Normalize log information
– Correlate events from various sources
– Provide searching mechanisms
– Provide reporting mechanisms
• Security information and event management
(SIEM)
– Provides added level of intelligence
– Groups events from various technologies,
environments, and locations
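Normalization and correlation are the two capabilities that separate a SIEM from a search box over raw log files: events from sources with nothing in common (here, sshd lines in syslog format and a CSV export from a firewall) are mapped onto one schema, and only then can a rule reason about a source address across both. The following is an added example, not from the textbook. The log lines and the CSV are constructed; syslog timestamps carry no year, so the year is an assumption of the parser.

```python
"""Normalising two log sources into one schema and correlating across them,
which is what a log-management tool or SIEM does before it can alert. Added
example, not from the textbook. Assumptions: constructed sshd syslog lines and
a constructed CSV firewall export; syslog lines carry no year, so 2013 is
assumed when parsing them.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

SSHD_LINES = [  # constructed
    "Apr  1 09:10:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Apr  1 09:10:05 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Apr  1 09:10:09 bastion sshd[2205]: Accepted password for deploy from 203.0.113.7 port 51044 ssh2",
    "Apr  1 09:12:00 bastion sshd[2210]: Accepted publickey for alice from 10.0.0.23 port 40110 ssh2",
]
FIREWALL_CSV = """\
timestamp,action,src,dst,dport
2013-04-01T09:09:30,deny,203.0.113.7,10.0.0.10,23
2013-04-01T09:09:31,deny,203.0.113.7,10.0.0.10,445
2013-04-01T09:09:32,deny,203.0.113.7,10.0.0.10,3389
2013-04-01T09:09:40,allow,203.0.113.7,10.0.0.10,22
2013-04-01T09:11:00,deny,198.51.100.4,10.0.0.10,80
"""
SYSLOG_YEAR = 2013  # assumption: BSD syslog timestamps omit the year
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")


def normalize_sshd(line):
    """One syslog line -> common schema, or None if it is not an auth result."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "src_ip": m["ip"],
            "outcome": "success" if m["result"] == "Accepted" else "failure",
            "detail": m["user"]}


def normalize_firewall(text):
    """CSV export -> list of common-schema events (detail = destination port)."""
    return [{"ts": datetime.fromisoformat(row["timestamp"]), "source": "firewall",
             "src_ip": row["src"], "outcome": row["action"], "detail": int(row["dport"])}
            for row in csv.DictReader(io.StringIO(text))]


def normalize_all():
    """Both sources, in one schema, ready for correlation."""
    events = [e for e in map(normalize_sshd, SSHD_LINES) if e]
    return events + normalize_firewall(FIREWALL_CSV)


def correlate(events, min_denied_ports=3, min_failures=2):
    """Per source IP, in time order: a successful login preceded by a port
    scan (denied connections to several ports) or repeated auth failures."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        denied_ports, failures = set(), 0
        for e in evs:
            if e["outcome"] == "deny":
                denied_ports.add(e["detail"])
            elif e["outcome"] == "failure":
                failures += 1
            elif e["outcome"] == "success" and (
                    len(denied_ports) >= min_denied_ports or failures >= min_failures):
                findings.append({"src_ip": ip, "user": e["detail"], "at": e["ts"].isoformat(),
                                 "denied_ports": sorted(denied_ports), "failures": failures})
    return findings


if __name__ == "__main__":
    for f in correlate(normalize_all()):
        print(f)
```

Neither source alone tells the whole story: the firewall saw a scan and then an allowed connection to port 22, and sshd saw two failures and a success. Only after both are in the same schema, keyed on `src_ip`, does the rule see a scan followed by a successful login for `deploy` from the same address.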
Log Management Technology (cont’d.)
• Security operations center
– Provides operational infrastructure to detect attacks
– Staffed with information security professionals
Figure 10-20 ArcSight ESM
dashboard
© HP Enterprise Security, Arc Sight
Configuration and Change
Management (CCM)
• Purpose: manage the effects of changes on an
information system or network
• Configuration management
– Identification, inventory, and documentation of
current system status
• Change management
– Addresses modifications to the base configuration
Configuration Management
• Configuration item
– Hardware or software item to be modified and
revised throughout its life cycle
• Version
– Recorded state of a revision of software or hardware
configuration item
– Format often used: M.N.b
• M: major release
• N: minor release
• b: build within that release
Configuration Management (cont’d.)
• Major release
– Significant revision from previous state
• Minor release
– Update or patch
– Minor revision from previous state
• Build
– Snapshot of software linked from various component
modules
• Build list
– List of component versions that make up the build
Configuration Management (cont’d.)
• Configuration
– Collection of components that make up configuration
item
• Revision date
– Date of a particular version or build
• Software library
– Collection of configuration items
– Usually controlled
– Developers use to construct revisions
Figure 10-21 Configuration management process
© Cengage Learning 2013
Change Management
• Seeks to prevent changes that adversely affect
system security
• Reduces risk by providing repeatable mechanism
for modifications:
– In a controlled environment
• Change management process identifies steps
required
• Objectives of step-by-step procedure
– Identifying, processing, tracking, and documenting
changes
Change Management (cont’d.)
• Step 1: identify change
– Define need for change
– Submit change request to appropriate decision-making body
• Step 2: evaluate change request
– Factors: viability, correctness, cost, feasibility, and
impact on security
• Step 3: implementation decision
– Approve, deny, or defer
Change Management (cont’d.)
• Step 4: implement approved change request
– Move change from the test environment into
production
• Step 5: continuous monitoring
– Purpose: ensure system is operating as intended
Auditing (Formal Review)
• Auditing must be performed by well-qualified
individuals
• Generally Accepted Auditing Standards (GAAS)
– General standards
– Standards of field work
– Reporting standards
IT Auditing
• Information Systems Audit and Control Association
(ISACA)
– Published comprehensive standards and guidelines
• Certified Information Systems Auditor (CISA)
requirements
– Five years of work experience
– Pass exam covering five job-practice domain areas
• Audit approach
– Phase 1: initiation and planning
• Engagement letter specifies service agreement
between auditing team and requested entity
IT Auditing (cont’d.)
• Audit approach (cont’d.)
– Phase 2: fieldwork
• On-site visit
• Target organization must support auditors
– Phase 3: analysis and review
• Detailed analysis of site visit findings
• Includes statistical analysis
– Phase 4: final reporting
• Formal report to the requesting entity
– Phase 5: follow-up
• Focuses on areas identified as deficient
Systems Certification, Accreditation,
and Authorization
• Accreditation
– Formal management authorization for an IT system to
process, store, or transmit information, granted on
the basis of the certification results
• Certification
– Includes comprehensive evaluation of the security
controls of an IT system
– Supports the accreditation process
– Determines to what extent the implementation meets
specified security requirements
• Reaccreditation and recertification required
periodically (every few years) and after any
significant change to the system
Auditing for Government and
Classified Information Systems
• Categories of information processed by the federal
government
– National security information (NSI)
– Non-NSI
– Intelligence community
• The categories are managed and operated by
different government entities
• NSI must be processed on national security
systems (NSSs)
– More stringent requirements than non-NSS systems
Figure 10-22 Three-tiered approach to risk management
© Cengage Learning 2013
Figure 10-23 Risk management framework
© Cengage Learning 2013
Auditing and the ISO 27000 Series
• ISO/IEC 17799
– Most widely recognized audit standard
– Revised in 2005
– Renamed ISO/IEC 27002 in 2007
– Details are available to those who purchase the
standard
Auditing and the ISO 27000 Series
(cont’d.)
• ISO/IEC 27002 coverage areas
– Risk assessment and treatment
– Security policy
– Organization of information security
– Asset management
– Human resource security
– Physical and environmental security
– Communications and operations
– Access control
Auditing and the ISO 27000 Series
(cont’d.)
• ISO/IEC 27002 coverage areas (cont’d.)
– Information systems acquisition, development, and
maintenance
– Information security incident management
– Business continuity management
– Compliance
• ISO/IEC 27001
– Specifies the requirements for establishing,
operating, and improving an information security
management system (ISMS); ISO/IEC 27002 supplies
the control guidance
– Built on the “Plan-Do-Check-Act” cycle
Figure 10-24 Setting up an information
security management system
© Cengage Learning 2013
Auditing and COBIT
• Control Objectives for Information and Related
Technology (COBIT)
– Provides advice about implementation of sound
information security controls
– Planning tool for information security
– Auditing framework controls model
• COBIT (version 4.1) presents 34 high-level IT process
objectives
– Broken down into more than 200 detailed control
objectives
• Categorized into four domains
Auditing and COBIT (cont’d.)
• COBIT domains
– Plan and organize
– Acquire and implement
– Deliver and support
– Monitor and evaluate
Summary
• Auditing and monitoring definitions
– Monitoring: ongoing review of a system’s functional
data to evaluate proper operation
– Auditing: periodic self-review of the network
environment to evaluate it against policy
requirements
• Computer or device log
– Provides detailed chronological records of the use
and modification of the system
• Log management includes storage, retention,
baselining, encryption, and disposal
Summary (cont’d.)
• Log management solutions aid working with
system logs
– Capabilities: collect and process events, store and
analyze results, and notify as required
• Configuration and change management (CCM)
controls the effects of revisions on networks and
information systems
• ISO/IEC 27000 series of standards
– The most widely recognized model for security
assessment and practice