Audit/Logging Repudiation. Security Testing: Testing for What It's NOT supposed to do


Audit/Logging Repudiation. Laurie Williams, williams@csc.ncsu.edu

Security Testing: Testing for What It's NOT supposed to do. Thompson, Herbert, IEEE Security and Privacy, July/Aug 2003, pp. 83-86.

Audit

Many industries are required by legal and regulatory requirements to be:

- Auditable: all activities that affect user state or balances are formally tracked.
- Traceable: it's possible to determine where an activity occurs in all tiers of the application.
- High integrity: logs cannot be overwritten or tampered with by local or remote users.

http://www.owasp.org/index.php/error_handling,_auditing_and_logging

CWE 778: Insufficient logging

When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks.

http://cwe.mitre.org/data/definitions/778.html

What to log

- Reading of data: file access and what kind of data is read. This shows not only that data was read but also by whom and when.
- Writing of data: log also where and with what mode (append, replace) data was written. This can be used to see if data was overwritten or whether a program is writing at all.
- Modification of any data characteristics, including access control permissions or labels, location in database or file system, or data ownership. Administrators can detect if their configurations were changed.
- Administrative functions and changes in configuration regardless of overlap (account management actions, viewing any user's data, enabling or disabling logging, etc.).

http://www.owasp.org/index.php/error_handling,_auditing_and_logging#logging

What to log (continued)

- All authorization attempts (include time): success/failure, the resource or function being authorized, and the user requesting authorization. Password guessing can be detected with these logs, and they can be fed into an intrusion detection system that detects anomalies.
- Deletion of any data (object). Sometimes applications are required to have some sort of versioning in which the deletion process can be cancelled.
- Network communications (bind, connect, accept, etc.). With this information an intrusion detection system can detect port scanning and brute force attacks.
- All authentication events (logging in, logging out, failed logins, etc.), which likewise allow brute force and guessing attacks to be detected.

http://www.owasp.org/index.php/error_handling,_auditing_and_logging#logging
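The slide says password guessing can be detected from authentication logs that carry time, outcome, user and source. The following added example (not part of the slides) runs that detection over a constructed sample log: a sliding-window count of failed logins per source, plus an alert when a login from that source succeeds right after such a burst. The line format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the slides): time, category, event, outcome, key=value fields.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth login FAIL user=alice src=203.0.113.5
2024-03-01T10:00:03Z auth login FAIL user=alice src=203.0.113.5
2024-03-01T10:00:04Z auth login FAIL user=bob src=203.0.113.5
2024-03-01T10:00:06Z auth login FAIL user=carol src=203.0.113.5
2024-03-01T10:00:07Z auth login FAIL user=dave src=203.0.113.5
2024-03-01T10:00:09Z auth login SUCCESS user=dave src=203.0.113.5
2024-03-01T10:05:00Z auth login FAIL user=erin src=198.51.100.7
2024-03-01T10:05:30Z auth login SUCCESS user=erin src=198.51.100.7
2024-03-01T10:20:00Z authz read DENY user=erin src=198.51.100.7 resource=/patients/42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<category>\w+) (?P<event>\w+) (?P<outcome>\w+) (?P<kv>.*)$")

def parse_line(line):
    """Parse one record into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    for pair in rec.pop("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec

def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source reaches `threshold` failed logins inside a sliding window,
    and again when a login from that source succeeds after such a burst."""
    recent_fails = defaultdict(list)
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["category"] != "auth" or rec["event"] != "login":
            continue  # only authentication events matter here
        src = rec["src"]
        if rec["outcome"] == "FAIL":
            recent_fails[src] = [t for t in recent_fails[src] if rec["ts"] - t <= window]
            recent_fails[src].append(rec["ts"])
            if len(recent_fails[src]) == threshold:  # alert once per burst
                alerts.append({"src": src, "kind": "password guessing", "ts": rec["ts"]})
        elif len(recent_fails[src]) >= threshold:
            alerts.append({"src": src, "kind": "success after guessing burst", "ts": rec["ts"], "user": rec["user"]})
    return alerts
```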

CWE 779: Logging Excessive Data

While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a system administrator's ability to detect anomalous conditions. This can provide cover for an attacker while attempting to penetrate a system, clutter the audit trail for forensic analysis, or make it more difficult to debug problems in a production environment. Log files can become so large that they consume excessive resources, such as disk and CPU, which can hinder the performance of the system or cause a denial of service.

http://cwe.mitre.org/data/definitions/778.html

Log Files

- Logs should be written so that the log file attributes allow only new information to be written (older records cannot be rewritten or deleted).
- Logs should also be written to a write once / read many device such as a CD-R.
- Copies of log files should be made at regular intervals.
- Log files should be copied and moved to permanent storage and incorporated into the organization's overall backup.

http://cwe.mitre.org/data/definitions/285.html

CWE 532: Information Leak through Log Files

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

From: http://cwe.mitre.org/data/definitions/532.html

Repudiation Attack

Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

A repudiation attack changes the authoring information of actions executed by a malicious user, so that wrong data is written to the log files.

Definitions from http://searchsecurity.techtarget.com/sdefinition/0,,sid14_gci761640,00.htmls
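The "Log Files" slide asks for high-integrity logs where older records cannot be rewritten, the CWE 532 slide asks that secrets never be written, and this slide describes an attacker rewriting the author of a logged action. The added example below (mine, not the slides' or any project's code) ties the three together: each record's MAC covers the previous record's MAC, secret fields are redacted before writing, and a verifier pinpoints the first record whose author was rewritten. The key, field names and events are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example; in practice it is held by the log collector,
# not by the application writing events, so a compromised app cannot re-sign the chain.
LOG_KEY = b"example-log-collector-key"
SECRET_FIELDS = {"password", "token", "session_id"}

def redact(event):
    """CWE-532: never write secrets to the log; record only that the field was present."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in event.items()}

def append_record(chain, event):
    """Append one record whose MAC also covers the previous record's MAC, so no
    record can be rewritten or removed without breaking every record after it."""
    prev = chain[-1]["mac"] if chain else "0" * 64
    body = json.dumps(redact(event), sort_keys=True, separators=(",", ":"))
    mac = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev": prev, "body": body, "mac": mac})
    return chain[-1]

def verify_chain(chain):
    """Recompute every MAC from the chain itself; return (ok, first_bad_seq)."""
    prev = "0" * 64
    for rec in chain:
        expected = hmac.new(LOG_KEY, (prev + rec["body"]).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
            return False, rec["seq"]
        prev = rec["mac"]
    return True, None

def demo():
    """Write three events, then simulate a repudiation attempt on the delete record."""
    chain = []
    append_record(chain, {"ts": "2024-03-01T10:00:01Z", "event": "login", "user": "alice", "password": "hunter2"})
    append_record(chain, {"ts": "2024-03-01T10:00:05Z", "event": "read", "user": "alice", "resource": "/patients/42"})
    append_record(chain, {"ts": "2024-03-01T10:00:09Z", "event": "delete", "user": "alice", "resource": "/patients/42"})
    assert verify_chain(chain) == (True, None)
    chain[2]["body"] = chain[2]["body"].replace('"alice"', '"bob"')  # rewrite the author
    return verify_chain(chain)  # returns (False, 2): the rewritten record is pinpointed
```

The chain detects rewriting and deletion but not truncation of the newest records, which is why the slide still pairs it with write-once media and regular copies to separate storage.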

View Access Log by Patient