Security Audit Principles and Practices. Configuring Logging. Overview



Similar documents
Using Debug Commands

Using Debug Commands

Using Debug Commands

Configuring Syslog Server on Cisco Routers with Cisco SDM

Understand Troubleshooting Methodology

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

Hands-On Microsoft Windows Server 2008

Windows Operating Systems. Basic Security


The MariaDB Audit Plugin

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

Firewalls & Intrusion Detection

Intrusion Detection Systems (IDS)

FISMA / NIST REVISION 3 COMPLIANCE

Find the Who, What, Where and When of Your Active Directory

How To Set Up Foglight Nms For A Proof Of Concept

EMC VNX Version 8.1 Configuring and Using the Audit Tool on VNX for File P/N Rev 01 August, 2013

Server Monitoring: Centralize and Win

FreeFlow Core, Version 4.0 August P Xerox FreeFlow Core Security Guide

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

Guidelines for Auditing and Logging

Network Management and Monitoring Software

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

Tk20 Network Infrastructure

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Configuring System Message Logging

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Complete Patch Management

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Computer Security DD2395

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

McAfee.com Personal Firewall

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Kaseya 2. Quick Start Guide. for VSA 6.1

Log Management and Intrusion Detection

Frequently Asked Questions. Secure Log Manager. Last Update: 6/25/ Barfield Road Atlanta, GA Tel: Fax:

Security Toolsets for ISP Defense

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

ESET Mobile Security Business Edition for Windows Mobile

Network Monitoring. SAN Discovery and Topology Mapping. Device Discovery. Topology Mapping. Send documentation comments to

WORKING WITH WINDOWS FIREWALL IN WINDOWS 7

Nessus and Antivirus. January 31, 2014 (Revision 4)

How To Protect A Network From Attack From A Hacker (Hbss)

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Monitoring Windows Event Logs

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Cisco IOS Embedded Syslog Manager Command Reference

Audit/Logging Repudiation. Security Testing: Testing for What It s NOT supposed to do

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Network Defense Tools

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

NetCrunch 6. AdRem. Network Monitoring Server. Document. Monitor. Manage

NETWRIX EVENT LOG MANAGER

Cyber Self Assessment

White Paper. PCI Guidance: Microsoft Windows Logging

PC Security and Maintenance

The Institute of Internal Auditors Detroit Chapter Presents

AN OVERVIEW OF VULNERABILITY SCANNERS

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Kaseya 2. Quick Start Guide. for Network Monitor 4.1

White Paper Instant Messaging (IM) HIPAA Compliance

PCI Wireless Compliance with AirTight WIPS

Fifty Critical Alerts for Monitoring Windows Servers Best Practices

Minimum Requirements for Cencon 4 with Microsoft R SQL 2008 R2 Express

IBM. Vulnerability scanning and best practices

Dell Active Administrator 8.0

INFORMATION SECURITY TRAINING CATALOG (2015)

SANS Top 20 Critical Controls for Effective Cyber Defense

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

McAfee Network Security Platform Administration Course

INSTANT MESSAGING SECURITY

WhatsUp Gold vs. Orion

CS 392/CS Computer Security. Module 17 Auditing

Defining, building, and making use cases work

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

CMS Operational Policy for Separation of Duties for System Security Administration and Auditing

Monitoring Replication

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Installing GFI LANguard Network Security Scanner

Transcription:

Security Audit Principles and Practices Chapter 11 Lecturer: Pei-yih Ting Logging and auditing are two of the most unpleasant chores facing information security professionals. tedious, time-consuming, boring 1 Overview Configuring Logging Configuring Logging What should be logged How long logs must be maintained Configuring Alerts Windows Logging / UNIX Logging Analyzing Log Data Profiling Normal Behavior Detecting Anomalies Data Reduction Maintaining Secure Logs Conducting a Security Audit 3 To configure logging, you should be prepared to answer the questions What activities/events should be logged? How long should logs be maintained? What events should trigger immediate notifications to security administrators? Logging must be configured to the needs of the organization 4

What Should Be Logged? What Should Be Logged? You can t log everything Unless you have a lot of time and resources Someone must review logs Logging has a negative effect on system performance Critical events may be overwritten A prudent approach is to strike a balance between logging important events but not everything What is an important event is defined by the environment to some degree and should be given careful consideration A government intelligence agency protects highly sensitive classified information. He would want to log every access to files that contain the identify of undercover agents. A popular news Web site should protect the integrity of data and try its best maintaining the availability of the Web site. 5 6 Determining How Long Logs Must Be Maintained Configuring Alerts Most operating systems allow you to overwrite log files based on time or file size This choice may be determined by policy, e.g., log files must be kept for a certain amount of time Log files can be archived You may need to maintain a (semi-) permanent record of system activity Back up log files before they are overwritten A common method is to alternate two log files, backing up one file while the other is active 7 With modern operating systems, you can set up alerts that notify administrators when specific events occur For example, immediate notification if a hard drive is full Alert options include E-mail, pagers, Short Message Service (SMS), instant messaging, pop-up windows, and cell phones Typically alerts can be configured differently depending on the severity of the event and the time Only very severe events should trigger a cell phone call in the middle of the night, for example 8

Windows Logging Windows Logging (cont d) Windows uses the Event Viewer as its primary logging mechanism Found in Administrative Tools Event Viewer log files Security log Records security-related events Controlled by a system administrator: types of events, overwrite policy, user Typical information includes failed logon attempts and attempts to exceed privileges Event Viewer log files (cont d) Application log Records events triggered by application software System administrators have control over what events to store System log Contains events recorded by the operating system The system administrator generally has no control over this log Typical events include hardware/software problems: driver failures, harddisk full Other specialized log files include the directory service log, the file replication service log, and the DNS server log 9 10 Windows Logging (cont d) Four types of events are stored in Event Viewer logs Error events are created when a serious problem occurs (corruption of a file system) Warning events are created to alert administrators to potential problems (a disk nearing full) Information events are details of some activities that are not indications of a problem (starting or stopping a service) Success/failure auditing events are administrator-defined events that can be logged when they succeed, when they fail, or both (unsuccessful logon attempts) Windows Logging (cont d) Windows 2000 Professional System log 11 12

UNIX Logging Analyzing Log Data The primary log facility in UNIX is syslog Very flexible, many options for notification and priority Can write to a remote log file allowing the use of dedicated syslog servers to track all activity on a network Syslog implements eight priority levels LOG_EMERG (emergency), LOG_ALERT (require immediate intervention), LOG_CRIT (critical system events), LOG_ERR (error), LOG_WARNING (warn of potential errors), LOG_NOTICE (information, no error), LOG_INFO (future use), LOG_DEBUG (developers use for debugging) Log data is used to monitor your environment Two main activities Profiling normal behavior to understand typical system behavior at different times and in different parts of your business cycle Detecting anomalies when system activity significantly deviates from the normal behavior you have documented 13 14 Profiling Normal Behavior Detecting Anomalies A snapshot of typical system behavior is called a baseline Baselines can be obtained at the network, system, user, and process level Baselines detail consumption of system resources Baselines will vary significantly based on time of day or business cycle It is the administrator s responsibility to determine the baseline studies appropriate for an organization These will change over time 15 Define anomalies based on thresholds The following questions must be answered How much of a deviation from the norm represents an anomaly? How long must the deviation occur before registering an anomaly? What anomalies should trigger immediate alerts? Anomalies can occur at any level For example, if a user s behavior deviates from normal, it may indicate a serious security event 16

Data Reduction Maintaining Secure Logs When possible, limit the scope of logging activities to that which can reasonably be analyzed However, regulations or policies may stipulate that aggressive logging is necessary Data reduction tools are useful when more data is collected than can be reviewed Often built into security tools that create log files For example, CheckPoint s Firewall-1 allows you to view log files filtered by inbound TCP traffic to a specific port on a specific date Logs themselves must be protected from tampering and corruption Common techniques to secure logs include Remote logging uses a centralized, highly protected, storage location Printer logging creates a paper trail by immediately printing logged activity Cryptographic technology digitally signs log files to ensure that changes can be detected, though the files are vulnerable until they are finalized 17 18 Conducting a Security Audit Checklists Security professionals examine the policies and implementation of the organization s security posture Identify deficiencies and recommend changes The audit team should be well trained and knowledgeable The team may be multidisciplinary including accountants, managers, administrators, and technical professionals Choose a team based on your organization s needs 19 Checklists provide a systematic and consistent approach to completing various tasks in an audit Audit checklists provide a high-level overview of the overall audit process stepwise processes for auditing different classes of systems Configuration checklists contain specific configuration settings Vulnerability checklists contain lists of critical vulnerabilities for each operating system in use MS http://www.microsoft.com/technet/security/chklist/def ault.mspx 20

IP/Port Scanners Vulnerability Scanners IP/Port scanners are used by both crackers and system administrators Use brute-force probing of IP addresses to identify open ports running services that may be vulnerable Administrators can use this information to find rogue systems and services Often set up by legitimate users who want to bypass the red tape of going through administration Rogue systems and services are usually either removed or brought under administrative control Vulnerability scanners are software applications that analyze systems for known vulnerabilities and create reports and suggestions First vulnerability scanner was SATAN in the early 1990s Newer scanners include SARA a descendant of SATAN (UNIX) SAINT a commercially supported scanner (UNIX) Nessus provides a scripting language for writing and sharing security tests (UNIX) Microsoft Baseline Security Analyzer (MBSA) free from Microsoft, downloads the most recent vulnerability database (Windows) 21 22 Integrity Checking Penetration Testing Integrity checking Maintains cryptographic signatures of all protected files to catch tampering Tripwire is the most common tool for file integrity assurance http://sourceforge.net/projects/tripwire/ free for UNIX http://www.tripwire.com/ 30 days trial for Windows Typically used to protect static Web sites and other systems that store critical data that is infrequently changed Penetration testing is a proactive approach used by security auditors The auditor tries to break into the system to find vulnerabilities Many security teams bring in professionals to conduct penetration testing Called white hat hackers Malicious hackers are called black hat hackers Be sure you have proper permission before conducting any type of penetration testing 23 24

Audit Results Summary The job does not end with the audit Common post-audit tasks include Reporting results Prioritizing deficiencies that were found Developing action plans for deficiencies Implementing action plans based on priority and complexity Conducting ongoing monitoring Repeating the audit on a periodic basis 25 Logging is the recording and analysis of system events to determine both normal system activity and anomalies in system activity You should strive for balance in determining what events should be logged Most logging software provides for considerable functionality and flexibility in configuring alerts Be circumspect in how alerts are used The primary Windows logging tool is Event Viewer The primary UNIX logging facility is syslog 26 Summary (cont d) Assignments A profile of normal system activity is called a baseline An anomaly is a significant deviation from a baseline, as determined by thresholds set by the administrator Logs files must be secured to avoid tampering Security auditing is used to identify problems in an organization s security policies and controls A number of tools are available to auditors to assist in finding problems and making recommendations 27 Reading: Chapter 11 Practice 11.7 Challenge Questions Turn in Challenge Exercise 11.2 and 11.4 next week 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information