Computer Security. What is Auditing? Policies CIS 5370. Prevention Deterrence. Detection. Response Recovery 2. Auditing Chapter 24.



Similar documents
What is Auditing? IT 4823 Information Security Administration. Problems. Uses. Logger. Audit System Structure. Logging. Auditing. Auditing November 7

What is Auditing? Auditing. Problems. Uses. Audit System Structure. Logger. Reading: Chapter 24. Logging. Slides by M. Bishop are used.

Design. Syntactic Issues

CS 392/CS Computer Security. Module 17 Auditing

Goal-Oriented Auditing and Logging

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Audit Logging. Overall Goals

Computer Security DD2395

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Thick Client Application Security

Ingres Backup and Recovery. Bruno Bompar Senior Manager Customer Support

Frequently Asked Questions. Secure Log Manager. Last Update: 6/25/ Barfield Road Atlanta, GA Tel: Fax:

Audit Trail Administration

Securing Data in Oracle Database 12c

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

Windows NT Server Operating System Security Features Carol A. Siegel Payoff

Chapter 23. Database Security. Security Issues. Database Security

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

Using Symantec NetBackup with Symantec Security Information Manager 4.5

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

White Paper. PCI Guidance: Microsoft Windows Logging

New Security Options in DB2 for z/os Release 9 and 10

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

How To Protect Your Network From Attack From Outside From Inside And Outside

Oracle Database Security. Paul Needham Senior Director, Product Management Database Security

High Level Design Distributed Network Traffic Controller

... Lecture 3 Access Control. Information & Communication Security (WS 14/15) Prof. Dr. Kai Rannenberg

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

BYOD Guidance: BlackBerry Secure Work Space

CA ARCserve and CA XOsoft r12.5 Best Practices for protecting Microsoft Exchange

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

B.Sc (Computer Science) Database Management Systems UNIT-V

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

AxCrypt File Encryption Software for Windows. Quick Installation and Users Guide. Version 1.7 or later. July 2012

AxCrypt File Encryption Software for Windows. Quick Installation Guide. Version January 2008

For Internet Facing and Private Data Systems

Network- vs. Host-based Intrusion Detection

Drawbacks to Traditional Approaches When Securing Cloud Environments

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

PC Security and Maintenance

1 File Processing Systems

Nixu SNS Security White Paper May 2007 Version 1.2

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

Audit/Logging Repudiation. Security Testing: Testing for What It s NOT supposed to do

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

Guideline on Auditing and Log Management

NetNumen U31 R06. Backup and Recovery Guide. Unified Element Management System. Version: V

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

LISTSERV LDAP Documentation

SonicWALL PCI 1.1 Implementation Guide

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Ohio Supercomputer Center

ASDI Full Audit Guideline Federal Aviation Administration

DATABASE SECURITY, INTEGRITY AND RECOVERY

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

+27O.557+! RM Auditor Additions - Web Monitor. Contents

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Chapter 15 Operating System Security

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar

Cisco Secure PIX Firewall with Two Routers Configuration Example

Access Control Models Part I. Murat Kantarcioglu UT Dallas

Netwrix Auditor. Administrator's Guide. Version: /30/2015

A Roadmap for Securing IIS 5.0

Application Compatibility Best Practices for Remote Desktop Services

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

SECURITY COMPARISON BETWEEN IBM WEBSPHERE MQ 7.5 AND APACHE ACTIVEMQ 5.9

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Empower TM 2 Software

VMware Data Recovery. Administrator's Guide EN

SysPatrol - Server Security Monitor

CYCLOPE let s talk productivity

Workflow Templates Library

Local Caching Servers (LCS): User Manual

USM IT Security Council Guide for Security Event Logging. Version 1.1

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Procedure Title: TennDent HIPAA Security Awareness and Training

Log Analyzer for Dummies. GIAC GCIH Gold Certification Author: Emilio Valente April 2008

PMOD Installation on Windows Systems

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report.

-.% . /(.0/ ) 53%/( (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

Assignment One. ITN534 Network Management. Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition)


Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Operating System Security Hardening for SAP HANA

CatDV Pro Workgroup Serve r

Columbia University Web Security Standards and Practices. Objective and Scope

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Novell Sentinel Log Manager 1.2 Release Notes. 1 What s New. 1.1 Enhancements to Licenses. Novell. February 2011

Acronis Backup & Recovery 11.5 Quick Start Guide

Transcription:

Computer Security CIS 5370 Auditing Chapter 24 1 A Comprehensive Security Program Prevention Deterrence Policies Detection monitoring Architectures auditing Tools Response Recovery 2 What is Auditing? Process Checking After-the-Fact Did the system work correctly? Logging Verification Real Time Is the system working correctly? 3 1

What is Auditing? Logging Recording events or statistics to provide information about system use and performance Verification Analysis of log records to present information about the system in a clear, understandable manner 4 Value of Auditing Describe security state Determine if system enters unauthorized state Evaluate effectiveness of protection mechanisms Determine which mechanisms are appropriate and working Deter attacks via presence of record 5 Problems Volume Cannot log EVERY action Cannot audit as much as you can log Goal Record actions that show violations Audit actions related to security policy 6 2

Audit System Structure Data Collector Data Classifier Information Analyzer Result Reporter 7 The Audit Cycle Collect data Classify Data Report Results Analyze Data 8 Logger Type, quantity of information recorded controlled by system or program configuration parameters May be human readable or not If not, usually viewing tools supplied Space available, portability influence storage format 9 3

A System Monitor A Intruder The Network C B Monitor Knowledge base D S 10 Example: Windows NT Different logs for different types of events System event logs record system crashes, component failures, and other system events Application event logs record events that applications request be recorded Security event log records security-critical events such as logging in and out, system file accesses, and other events Logs are often binary; use event viewer If log full, can have system shut down, logging disabled, or logs overwritten 11 Analyzer Analyzes one or more logs Logs may come from multiple systems, or a single system May lead to changes in logging May lead to a report of an event 12 4

Log Analysis Syslog Analyzer TCP Dump Analyzer IDS Log Analyzer Other log Analyzer Firewall log Analyzer Another log Analyzer 13 Notifier Informs analyst/security administrator of analysis results May reconfigure logging and/or analysis on basis of results 14 Designing an Audit System Essential component of security mechanisms Goals determine what is logged Idea: auditors want to detect t violations of policy, which provides a set of constraints that the set of possible actions must satisfy So, audit functions that may violate the constraints Constraint p i : action condition 15 5

Example: Bell-LaPadula Simple security condition and *-property S reads O L(S) L(O) S writes O L(S) L(O) To check for violations, on each read and write, must log L(S), L(O), action (read, write), and result (success, failure) Note: need not record S, O! In practice, done to identify the object of the (attempted) violation and the user attempting the violation 16 Remove Tranquility New commands to manipulate security level must also record information S reclassify O to L(O ) L(O) L(S) and L(O ) ) L(S) Log L(O), L(O ), L(S), action (reclassify), and result (success, failure) Again, need not record O or S to detect violation But needed to follow up 17 Example: Chinese Wall Subject S has COI(S) and CD(S) CD H (S) is set of company datasets that S has accessed Object O has COI(O) and CD(O) san(o) iff O contains only sanitized information Constraints S reads O COI(O) COI(S) O (CD(O ) CD H (S)) S writes O (S canread O) O (COI(O) = COI(O ) S canread O san(o )) 18 6

Recording S reads O COI(O) COI(S) O (CD(O ) CD H (S)) Record COI(O), COI(S), CD H (S), CD(O ) if such an O exists, action (read), and result (success, failure) S writes O (S canread O) O (COI(O) = COI(O ) S canread O san(o )) Record COI(O), COI(S), CD H (S), plus COI(O ) and CD(O ) if such an O exists, action (write), and result (success, failure) 19 Implementation Issues Show non-security or find violations? Former requires logging initial state as well as changes Defining violations Does write include append and create directory? Multiple names for one object Logging goes by object and not name Representations can affect this (if you read raw disks, you re reading files; can your auditing system determine which file?) 20 Syntactic Issues Data that is logged may be ambiguous BSM: two optional text fields followed by two mandatory text fields If three fields, which of the optional fields is omitted? Solution: use grammar to ensure welldefined syntax of log files 21 7

Log Sanitization U set of users, P policy defining set of information C(U) that U cannot see; log sanitized when all information in C(U) deleted from log Two types of P C(U) can t leave site People inside site are trusted and information not sensitive to them C(U) can t leave system People inside site not trusted or (more commonly) information sensitive to them Don t log this sensitive information 22 Logging Organization Logging system Log Sanitizer Users Logging g system Sanitizer Log Users Top prevents information from leaving site Users privacy not protected from system administrators, other administrative personnel Bottom prevents information from leaving system Data simply not recorded, or data scrambled before recording 23 Reconstruction Anonymizing sanitizer cannot be undone No way to recover data from this Pseudonymizing sanitizer can be undone Original log can be reconstructed Importance Suppose security analysis requires access to information that was sanitized? 24 8

Generation of Pseudonyms 1. Devise set of pseudonyms to replace sensitive information Replace data with pseudonyms Maintain table mapping pseudonyms to data 2. Use random key to encipher sensitive datum and use secret sharing scheme to share key Used when insiders cannot see unsanitized data, but outsiders (law enforcement) need to Requires t out of n people to read data 25 Application Logging Applications logs made by applications Applications control what is logged Typically use high-level abstractions such as: su: bishop to root on /dev/ttyp0 Does not include detailed, system call level information such as results, parameters, etc. 26 System Logging Log system events such as kernel actions Typically use low-level events 3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8) 3876 ktrace NAMI "/usr/bin/su" 3876 ktrace NAMI "/usr/libexec/ld-elf.so.1" 3876 su RET xecve 0 3876 su CALL sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0) 3876 su RET sysctl 0 3876 su CALLmmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0) 3876 su RET mmap 671473664/0x2805e000 3876 su CALL geteuid 3876 su RET geteuid 0 Does not include high-level abstractions such as loading libraries (as above) 27 9

Contrast Differ in focus Application logging focuses on application events, like failure to supply proper password, and the broad operation (what was the reason for the access attempt?) System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?) System logs usually much bigger than application logs Can do both, try to correlate them 28 Design A posteriori design Need to design auditing mechanism for system not built with security in mind Goal of auditing Detect t any violation of a stated t policy Focus is on policy and actions designed to violate policy Detect actions known to be part of an attempt to breach security Focus on specific actions that have been determined to indicate attacks 29 Detect Violations of Known Policy Goal: does system enter a disallowed state? Two forms State-based auditing Look at current state of system Transition-based auditing Look at actions that transition system from one state to another 30 10

State-Based Auditing Log information about state and determine if state allowed Assumption: you can get a snapshot of system state Snapshot needs to be consistent Non-distributed system needs to be quiescent (static or slow to change) 31 Transition-Based Auditing Log information about action, examine state and proposed transition to determine if the new state is disallowed Note: just analyzing the transition may not be enough; you may need the initial state Tend to use this when specific transitions always require analysis (for example, change of privilege) 32 Example TCP access control mechanism intercepts TCP connections and checks against a list of connections to be blocked Obtains IP address of source of connection Logs IP address, port, and result (allowed/blocked) in log file Purely transition-based (current state not analyzed at all) 33 11

Detect Known Policy Violations Goal: does a specific action and/or state that is known to violate security policy occur? Assume that action automatically violates policy Policy may be implicit, not explicit Used to look for known attacks 34 Auditing Mechanisms Systems use different mechanisms Most common is to log all events by default, allow system administrator to disable logging that is unnecessary Two examples One audit system designed for a secure system One audit system designed for nonsecure system 35 Secure Systems Auditing mechanisms integrated into system design and implementation Security officer can configure reporting and logging: To report specific events To monitor accesses by a subject To monitor accesses to an object Controlled at audit subsystem Irrelevant accesses, actions not logged 36 12

File System Auditing What file was accessed? When? For what? By whom? 37 Audit Browsing Goal of browser: present log information in a form easy to understand and use Several reasons to do this: Audit mechanisms may miss problems that auditors will spot Mechanisms may be unsophisticated or make invalid assumptions about log format or meaning Logs usually not integrated; often different formats, syntax, etc. 38 Browsing Techniques Text display Does not indicate relationships between events Hypertext display Indicates local relationships between events Does not indicate global relationships clearly Relational database browsing DBMS performs correlations, so auditor need not know in advance what associations are of interest Preprocessing required, and may limit the associations DBMS can make 39 13

More Browsing Techniques Replay Shows events occurring in order; if multiple logs, intermingles entries Graphing Nodes are entities, edges relationships Often too cluttered to show everything, so graphing selects subsets of events Slicing Show minimum set of log events affecting object Focuses on local relationships, not global ones 40 Example: Visual Audit Browser Frame Visualizer Generates graphical representation of logs Movie Maker Generates sequence of graphs, each event creating a new graph suitably modified Hypertext Generator Produces page per user, page per modified file, summary and index pages Focused Audit Browser Enter node name, displays node, incident edges, and nodes at end of edges 41 Key Points Logging is collection and recording; audit is analysis Need to have clear goals when designing an audit system Auditing should be designed into system, not patched into system after it is implemented Browsing through logs helps auditors determine completeness of audit (and effectiveness of audit mechanisms!) 42 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information