9780840024220 ppt ch10

Guide to Network Security
1st Edition
Chapter Ten
Auditing, Monitoring, and Logging

© 2013 Course Technology/Cengage Learning. All Rights Reserved
Objectives
• List the various events that should be monitored in
network environments
• Describe the various network logs available for
monitoring
• Discuss the various log management, SIEM, and
monitoring technologies
• Explain the role that configuration and change
management play in auditing the network
environment
2

Objectives (cont’d.)
• Discuss formal audit programs and how they relate
to network environments
• Describe Certification and Accreditation (C&A)
programs implemented by the U.S. federal
government and other international agencies
3

Introduction
• Auditing definitions
– Review of organizational processes for compliance
to policies, standards, or regulations
– Procedure for recording and reviewing network or
system events
– Periodic self-review of a network environment
• Systems monitoring
– Ongoing review of a system or network
– Objective: determine if results and events are within
expected bounds
4

Monitoring Network Systems
• Tracking events that occur on the system
• Log
– Detailed chronological record of the operation of a
computer system
– Includes system use and modifications
5

What to Audit?
• Event
– Any action on the system or device that may be of
interest
• Security event
– Event that may affect the system’s security
• Process events
– Relates to tasks performed by a computing system
– Many processes may be underway simultaneously
6

What to Audit? (cont’d.)
• Operating system process attributes
– Memory
– Operating system resources
– Security attributes
– Processor state
• Services
– Processes designed to operate without user
interaction
– Known as a daemon in Linux environment
7

© 2013 Course Technology/Cengage Learning. All Rights Reserved 8
Figure 10-2 Windows 7 audit policy
© Microsoft Windows

Figure 10-4 Windows processes

Figure 10-6 Windows services

• Logon events
– Audit systems typically log an event when:
• User logs on or off
• Attempt to log on fails
• User starts or stops a network session
• Group or permission change events
– Attacker methodology: elevate privileges to those of
administrator
– Useful to track changes in group membership or
when rights are elevated
11

• Resource access events
– Track when users or processes access files,
directories, printers, and other system resources
• Recording every possible detail for auditing
– Number of events can be astronomical
– Capture legitimate events as well as exceptions
12

Table 10-1 Partial list of object access events
that can be captured by Windows auditing
© Cengage Learning 2013

• Network connection events
– Track communication sessions
– Can be tracked at system level or at firewalls
• Network data transfer events
– Data leakage
• Unauthorized release of data
– Track Web sessions and amount of information
transferred
– Data leakage prevention
• Implemented as software or an appliance
• Looks for sensitive data leaving the network
14

• System restart and shutdown events
– Track when systems are booted, restarted, and shut
down
• Audit system or log events
– Record various log occurrences
• Logs reach capacity; logs are truncated
– Attackers often delete or modify log records to
conceal activity
15

Log Management Policy
• Comprehensive picture of IT environment health
– Must collect, review, and retain aggregate logs
• Some logging enabled by default
– Others must be specifically activated
• Central logging service
– May be a central server
• Log management practices
– Storage
• System must be able to handle amount of data
generated
16

Log Management Policy (cont’d.)
• Log management practices (cont’d.)
– Retention
• Period of time a log file must be maintained
• Understand regulatory requirements
– Baseline
• Measures activities during routine conditions
– Encryption
• Logs should be encrypted for storage
– Disposal
• Log files should be disposed after retention period
17

Standard OS Logs
• Windows-based logging
– Logging managed by event viewer
• Accessible from system control panel
– Windows 7 logs divided into two categories
• Windows logs
• Applications and services logs
• Windows standard logs
– Application log
18

Figure 10-9 Windows Event Viewer

Standard OS Logs (cont’d.)
• Windows standard logs (cont’d.)
– Security log
– Setup log
– System log
– Forwarded events log
– Application and services logs
• Admin
• Operational
• Analytic
• Debug
20

Standard OS Logs (cont’d.)
• Linux-based logging
– Files vary by machine
– Logs typically located in /var/log/ directory
• Syslog
– System logger
– Multiple system utilities log using the same
mechanism
– Uses a configuration file
21

Figure 10-18 Contents of a simple syslog.conf file
© Linux

Log Management Technology
• Log management tool
– Collects events from log files
– Processes data
– Stores results
– Performs notification or alerting as required
• Capabilities of log management technologies
– Collect and centralize events to comply with industry
regulations
– Retain log information in accordance with company
policy
23

Log Management Technology (cont’d.)
• Capabilities of log management technologies
(cont’d.)
– Normalize log information
– Correlate events from various sources
– Provide searching mechanisms
– Provide reporting mechanisms
• Security information and event management
(SIEM)
– Provides added level of intelligence
– Groups events from various technologies,
environments, and locations
24

Log Management Technology (cont’d.)
• Security operations center
– Provides operational infrastructure to detect attacks
– Staffed with information security professionals
25
Figure 10-20 ArcSight ESM
dashboard
© HP Enterprise Security, Arc Sight

Configuration and Change
Management (CCM)
• Purpose: manage the effects of changes on an
information system or network
• Configuration management
– Identification, inventory, and documentation of
current system status
• Change management
– Addresses modifications to the base configuration
26

Configuration Management
• Configuration item
– Hardware or software item to be modified and
revised throughout its life cycle
• Version
– Recorded state of a revision of software or hardware
configuration item
– Format often used: M.N.b
• M: major release
• N: minor release
• b: build within that release
27

Configuration Management (cont’d.)
• Major release
– Significant revision from previous state
• Minor release
– Update or patch
– Minor revision from previous state
• Build
– Snapshot of software linked from various component
modules
• Build list
– List of component versions that make up the build
28

Configuration Management (cont’d.)
• Configuration
– Collection of components that make up configuration
item
• Revision date
– Date of a particular version or build
• Software library
– Collection of configuration items
– Usually controlled
– Developers use to construct revisions
29

Figure 10-21 Configuration management process

Change Management
• Seeks to prevent changes that adversely effect
system security
• Reduces risk by providing repeatable mechanism
for modifications:
– In a controlled environment
• Change management process identifies steps
required
• Objectives of step-by-step procedure
– Identifying, processing, tracking, and documenting
changes
31

Change Management (cont’d.)
• Step 1: identify change
– Define need for change
– Submit change request to appropriate decision-
making body
• Step 2: evaluate change request
– Factors: viability, correctness, cost, feasibility, and
impact on security
• Step 3: implementation decision
– Approve, deny, or defer
32

Change Management (cont’d.)
• Step 4: implement approved change request
– Move change from the test environment into
production
• Step 5: continuous monitoring
– Purpose: ensure system is operating as intended
33

Auditing (Formal Review)
• Auditing must be performed by well-qualified
individuals
• Generally Accepted Auditing Standards (GASS)
– General standards
– Standards of field work
– Reporting standards
34

IT Auditing
• Information Systems Audit and Control Association
– Published comprehensive standards and guidelines
• Certified Information Systems Auditor
Requirements
– Five years of work experience
– Pass exam covering five job-practice domain areas
• Audit approach
– Phase 1: initiation and planning
• Engagement letter specifies service agreement
between auditing team and requested entity
35

IT Auditing (cont’d.)
• Audit approach (cont’d.)
– Phase 2: fieldwork
• On-site visit
• Target organization must support auditors
– Phase 3: analysis and review
• Detailed analysis of site visit findings
• Includes statistical analysis
– Phase 4: final reporting
• Formal report to the requesting entity
– Phase 5: follow-up
• Focuses on areas identified as deficient
36

Systems Certification, Accreditation,
and Authorization
• Accreditation
– What authorizes an IT system to process, store, or
transmit information
• Certification
– Includes comprehensive evaluation of the security
controls of an IT system
– Supports the accreditation process
– Determines to what extent the implementation meets
specified security requirements
• Reaccreditation and recertification required every
few years
37

Auditing for Government and
Classified Information Systems
• Categories of information processed by the federal
government
– National security information (NSI)
– Non-NSI
– Intelligence community
• The categories are managed and operated by
different government entities
• NSI must be processed on national security
systems (NSSs)
– More stringent requirements than non-NSS systems
38

Figure 10-22 Three-tiered approach to risk management

Figure 10-23 Risk management framework

Auditing and the ISO 27000 Series
• ISO/IEC 17799
– Most widely recognized audit standard
– Revised in 2005
– Renamed ISO 27002 in 2007
– Details are available to those who purchase the
standard
41

(cont’d.)
• ISO/IEC 27002 coverage areas
– Risk assessment and treatment
– Security policy
– Organization of information security
– Asset management
– Human resource security
– Physical and environmental security
– Communications and operations
– Access control
42

(cont’d.)
• ISO/IEC 27002 coverage areas (cont’d.)
– Information systems acquisition, development, and
maintenance
– Information security incident management
– Business continuity management
– Compliance
• ISO/IEC 27001
– Provides broad overview of approach to
implementing change
– “Plan-Do-Check-Act” cycle
43

Figure 10-24 Setting up an information
security management system

Auditing and COBIT
• Control Objectives for Information and Related
Technology (COBIT)
– Provides advice about implementation of sound
information security controls
– Planning tool for information security
– Auditing framework controls model
• COBIT presents 34 high level objectives
– Objectives cover more than 200 control objectives
• Categorized into four domains
45

Auditing and COBIT (cont’d.)
• COBIT domains
– Plan and organize
– Acquire and implement
– Deliver and support
– Monitor and evaluate
46

Summary
• Auditing definitions
– Ongoing review of system’s functional data to
evaluate proper operation
– Periodic self-review of the network environment to
evaluate it against policy requirements
• Computer or device log
– Provides detailed chronological records of the use
and modification of the system
• Log management includes storage, retention,
baselining, encryption, and disposal
47

Summary (cont’d.)
• Log management solutions aid working with
system logs
– Capabilities: collect and process events, store and
analyze results, and notify as required
• Change and configuration management (CMM)
controls effects of revisions on networks and
information systems
• ISO/IEC 27000 series of standards
– The most widely recognized model for security
assessment and practice
48

9780840024220 ppt ch10

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à 9780840024220 ppt ch10

Similaire à 9780840024220 ppt ch10 (20)

Plus de Kristin Harrison

Plus de Kristin Harrison (19)

Dernier

Dernier (20)

9780840024220 ppt ch10