
Guide to Network Security, 1st Edition: Chapter Ten, Auditing, Monitoring, and Logging

Upload: lora-norman

Post on 08-Jan-2018



TRANSCRIPT

Page 1: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging

Guide to Network Security, 1st Edition

Chapter Ten: Auditing, Monitoring, and Logging

Page 2: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging

© 2013 Course Technology/Cengage Learning. All Rights Reserved

Objectives

• List the various events that should be monitored in network environments

• Describe the various network logs available for monitoring

• Discuss the various log management, SIEM, and monitoring technologies

• Explain the role that configuration and change management play in auditing the network environment


Page 3: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Objectives (cont’d.)

• Discuss formal audit programs and how they relate to network environments

• Describe Certification and Accreditation (C&A) programs implemented by the U.S. federal government and other international agencies


Page 4: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Introduction

• Auditing definitions
  – Review of organizational processes for compliance with policies, standards, or regulations
  – Procedure for recording and reviewing network or system events
  – Periodic self-review of a network environment

• Systems monitoring
  – Ongoing review of a system or network
  – Objective: determine whether results and events are within expected bounds


Page 5: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Monitoring Network Systems

• Tracking events that occur on the system

• Log
  – Detailed chronological record of the operation of a computer system
  – Includes system use and modifications


Page 6: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


What to Audit?

• Event
  – Any action on the system or device that may be of interest

• Security event
  – Event that may affect the system’s security

• Process events
  – Relate to tasks performed by a computing system
  – Many processes may be underway simultaneously


Page 7: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


What to Audit? (cont’d.)

• Operating system process attributes
  – Memory
  – Operating system resources
  – Security attributes
  – Processor state

• Services
  – Processes designed to operate without user interaction
  – Known as daemons in Linux environments


Page 8: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-2 Windows 7 audit policy (© Microsoft Windows)

Page 9: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-4 Windows processes (© Microsoft Windows)

Page 10: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-6 Windows services (© Microsoft Windows)

Page 11: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


What to Audit? (cont’d.)

• Logon events
  – Audit systems typically log an event when:
    • A user logs on or off
    • A logon attempt fails
    • A user starts or stops a network session

• Group or permission change events
  – Attacker methodology: elevate privileges to those of an administrator
  – Useful to track changes in group membership or when rights are elevated


Page 12: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


What to Audit? (cont’d.)

• Resource access events
  – Track when users or processes access files, directories, printers, and other system resources

• Recording every possible detail for auditing
  – Number of events can be astronomical
  – Captures legitimate events as well as exceptions


Page 13: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Table 10-1 Partial list of object access events that can be captured by Windows auditing (© Cengage Learning 2013)

Page 14: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


What to Audit? (cont’d.)

• Network connection events
  – Track communication sessions
  – Can be tracked at the system level or at firewalls

• Network data transfer events
  – Data leakage: unauthorized release of data
  – Track Web sessions and the amount of information transferred
  – Data leakage prevention (DLP)
    • Implemented as software or an appliance
    • Looks for sensitive data leaving the network


Page 15: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


What to Audit? (cont’d.)

• System restart and shutdown events
  – Track when systems are booted, restarted, and shut down

• Audit system or log events
  – Record occurrences in the logging system itself
    • Logs reach capacity and are truncated or overwritten
    • The log is cleared or the audit service is stopped; these are themselves events worth alerting on
  – Attackers often delete or modify log records to conceal activity
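The logon, group-change, and log-clearing events from slides 11 and 15 are the raw material for the simplest useful detections. The following is an added example written for this page (it is not code from the textbook): it runs three rules over a constructed set of Windows Security-log style records. The event IDs are Microsoft's (4624 logon success, 4625 logon failure, 4728/4732/4756 member added to a security-enabled group, 1102 audit log cleared); the dict layout, hosts, users, timestamps and thresholds are assumptions made for the example.

```python
"""Detection logic over constructed Windows Security-log style records.

Added example for this page; it is not code from the textbook. The
event IDs follow Microsoft's Security log numbering (4624 logon
success, 4625 logon failure, 4728/4732/4756 member added to a
security-enabled global/local/universal group, 1102 audit log
cleared). The record layout is a simplified dict, not the real EVTX
schema, and every timestamp, host and user below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_ADD_IDS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample records: a burst of failures then a success for
# jsmith, who is then added to Administrators and clears the log.
EVENTS = [
    {"ts": "2013-03-01T08:00:01", "id": 4625, "user": "jsmith", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2013-03-01T08:00:05", "id": 4625, "user": "jsmith", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2013-03-01T08:00:09", "id": 4625, "user": "jsmith", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2013-03-01T08:00:12", "id": 4625, "user": "jsmith", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2013-03-01T08:00:15", "id": 4625, "user": "jsmith", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2013-03-01T08:00:20", "id": 4624, "user": "jsmith", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2013-03-01T08:02:00", "id": 4732, "user": "jsmith", "member": "jsmith",
     "group": "Administrators", "host": "FS01"},
    {"ts": "2013-03-01T08:03:00", "id": 1102, "user": "jsmith", "host": "FS01"},
    # A single typo followed by a success: normal behaviour, no alert.
    {"ts": "2013-03-01T09:00:00", "id": 4625, "user": "amy", "src": "10.0.0.9", "host": "FS01"},
    {"ts": "2013-03-01T09:00:30", "id": 4624, "user": "amy", "src": "10.0.0.9", "host": "FS01"},
]


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alert dicts, in event order.

    Rules:
      guessed-logon     : >= threshold failures for the same (host, user,
                          source) inside `window`, then a success for it
      priv-group-change : a member added to a privileged group
      log-cleared       : the Security log was cleared (1102)
    """
    alerts = []
    failures = defaultdict(list)  # (host, user, src) -> failure timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            key = (e["host"], e["user"], e["src"])
            # keep only failures still inside the window, then add this one
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
        elif e["id"] == 4624:
            key = (e["host"], e["user"], e["src"])
            recent = [t for t in failures.pop(key, []) if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "guessed-logon", "user": e["user"], "src": e["src"],
                               "host": e["host"], "failures": len(recent)})
        elif e["id"] in GROUP_ADD_IDS and e["group"] in PRIVILEGED_GROUPS:
            alerts.append({"rule": "priv-group-change", "user": e["member"],
                           "group": e["group"], "host": e["host"]})
        elif e["id"] == 1102:
            alerts.append({"rule": "log-cleared", "user": e["user"], "host": e["host"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The window and threshold are tuning knobs: a threshold that is too low turns every mistyped password into a ticket, which is the "astronomical" event volume slide 12 warns about.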


Page 16: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Log Management Policy

• Comprehensive picture of IT environment health
  – Must collect, review, and retain aggregate logs

• Some logging is enabled by default
  – Other logging must be specifically activated

• Central logging service
  – May be a central server

• Log management practices
  – Storage
    • System must be able to handle the amount of data generated


Page 17: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Log Management Policy (cont’d.)

• Log management practices (cont’d.)
  – Retention
    • Period of time a log file must be maintained
    • Understand regulatory requirements
  – Baseline
    • Measures activities during routine conditions
  – Encryption
    • Logs should be encrypted for storage
  – Disposal
    • Log files should be disposed of after the retention period
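Slide 15 notes that attackers delete or modify log records, and the list above asks for logs to be encrypted for storage. Encryption hides the contents but does not reveal that a record was altered or removed; an integrity check does. As an added example (not code from the textbook), the following keeps each stored entry under an HMAC that also covers the previous entry's tag, so any edit or deletion breaks the chain, and shows the one case a chain alone misses: cutting entries off the tail, which needs a checkpoint stored outside the log. The key and the log messages are constructed.

```python
"""Tamper-evident log storage with an HMAC hash chain.

Added example for this page, not code from the textbook. Each stored
entry carries an HMAC over its own record and the previous entry's
tag, so modifying or deleting an entry breaks every tag after it. The
key is a constructed placeholder; in practice it is held by the
central log server, not by the hosts that produce the records.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag assumed to precede the first entry
KEY = b"constructed-demo-key-not-for-production"


def _tag(key, prev_tag, record):
    payload = prev_tag.encode() + b"\n" + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(chain, key, record):
    """Append `record` (any JSON-serialisable object) and return the new entry."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "tag": _tag(key, prev, record)}
    chain.append(entry)
    return entry


def head(chain):
    """Checkpoint (length, last tag) to be stored outside the log itself."""
    return (len(chain), chain[-1]["tag"] if chain else GENESIS)


def verify(chain, key, expected_head=None):
    """Return (ok, reason). `expected_head` is what catches tail truncation."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, "sequence gap at %d" % i
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return False, "bad tag at %d" % i
        prev = entry["tag"]
    if expected_head is not None and head(chain) != expected_head:
        return False, "head mismatch (tail truncated or replaced)"
    return True, "ok"


def demo():
    """Build a three-entry log and run four tampering scenarios against it."""
    chain = []
    for msg in ("logon jsmith", "jsmith added to Administrators", "audit log cleared"):
        append(chain, KEY, {"msg": msg})
    checkpoint = head(chain)

    modified = copy.deepcopy(chain)
    modified[1]["record"]["msg"] = "nothing to see"
    deleted = copy.deepcopy(chain)
    del deleted[1]
    truncated = chain[:-1]

    return {
        "intact": verify(chain, KEY, checkpoint)[0],
        "modified": verify(modified, KEY, checkpoint)[0],
        "deleted": verify(deleted, KEY, checkpoint)[0],
        # without an external checkpoint, cutting the tail is invisible
        "truncated_no_head": verify(truncated, KEY)[0],
        "truncated_with_head": verify(truncated, KEY, checkpoint)[0],
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print("%-20s %s" % (scenario, "verifies" if ok else "TAMPERED"))
```

The checkpoint is the part people forget: store it somewhere the host cannot reach (the central server, a WORM volume, or a signed line in the next day's log), or a truncated log will still "verify".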


Page 18: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Standard OS Logs

• Windows-based logging
  – Logging managed with Event Viewer
    • Accessible from Control Panel (Administrative Tools) or by running eventvwr.msc
  – Windows 7 logs divided into two categories
    • Windows logs
    • Applications and services logs

• Windows standard logs
  – Application log


Page 19: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-9 Windows Event Viewer (© Microsoft Windows)

Page 20: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Standard OS Logs (cont’d.)

• Windows standard logs (cont’d.)
  – Security log
  – Setup log
  – System log
  – Forwarded Events log

• Applications and services logs (channel types)
  – Admin
  – Operational
  – Analytic
  – Debug


Page 21: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Standard OS Logs (cont’d.)

• Linux-based logging
  – Files vary by machine
  – Logs typically located in the /var/log/ directory

• Syslog
  – System logger
  – Multiple system utilities log through the same mechanism
  – Uses a configuration file (syslog.conf)
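A syslog.conf file, such as the one in Figure 10-18, is a list of selectors (facility.priority) mapped to destinations, and each message carries its facility and severity in the <PRI> prefix. The following is an added example for this page, not code from the textbook or from any syslog implementation: it parses RFC 3164 (BSD-style) messages, reads a small sysklogd-style configuration, and reports where a given message would be written. The configuration is constructed; the first test message is the sample from RFC 3164; facility and severity numbers are the ones the protocol defines. Priority semantics follow sysklogd: a plain level matches that level and everything more severe, =level matches exactly, and none excludes a facility.

```python
"""RFC 3164 (BSD) syslog message parser plus a syslog.conf selector
evaluator, so a configuration line can be checked against a message.

Added example for this page, not code from the textbook. The
configuration and the messages below are constructed; the su message
is the sample from RFC 3164 itself. Facility and severity codes are
those defined by the syslog protocol.
"""
import re

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_CODES = {name: code for code, name in enumerate(SEVERITY_NAMES)}
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}

# <PRI>Mmm dd hh:mm:ss HOSTNAME CONTENT   (the day may be space-padded)
_MSG = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_message(line):
    """Split a BSD syslog line; PRI = facility * 8 + severity."""
    m = _MSG.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    fac, sev = divmod(pri, 8)
    return {"facility": fac, "severity": sev,
            "facility_name": FACILITY_NAMES.get(fac, "facility%d" % fac),
            "severity_name": SEVERITY_NAMES[sev],
            "timestamp": m.group(2), "host": m.group(3), "content": m.group(4)}


def parse_conf(text):
    """Parse `selector  action` lines into a list of (allowed, action).

    `allowed` maps facility code -> set of severity codes that match.
    A plain level means that level and more severe (lower numbers);
    `=level` means exactly that level; `none` drops the facility; later
    selectors on the same line override earlier ones for a facility.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        allowed = {}
        for sel in selector.split(";"):
            facs, _, prio = sel.rpartition(".")
            codes = range(24) if facs == "*" else [FACILITY_CODES[f] for f in facs.split(",")]
            if prio == "none":
                sevs = set()
            elif prio == "*":
                sevs = set(range(8))
            elif prio.startswith("="):
                sevs = {SEVERITY_CODES[prio[1:]]}
            else:
                sevs = set(range(SEVERITY_CODES[prio] + 1))
            for code in codes:
                allowed[code] = sevs
        rules.append((allowed, action.lstrip("-")))  # leading '-' = no fsync per write
    return rules


def route(msg, rules):
    """Actions (files, '*' for all logged-in users, @host) that receive `msg`."""
    return [action for allowed, action in rules
            if msg["severity"] in allowed.get(msg["facility"], ())]


# Constructed syslog.conf in the classic sysklogd style.
SAMPLE_CONF = """
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none     -/var/log/syslog
kern.*                     -/var/log/kern.log
mail.err                   /var/log/mail.err
*.emerg                    *
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for line in ("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
                 "<0>Oct 11 22:15:00 mymachine kernel: panic - not syncing",
                 "<22>Oct 11 22:16:00 mailhost postfix/smtpd[311]: connect from unknown"):
        msg = parse_message(line)
        print(msg["facility_name"], msg["severity_name"], "->", route(msg, rules))
```

Two things the parser makes visible: the timestamp has no year and no time zone, so a collector has to supply both, and nothing in the message authenticates the hostname or the PRI, so a host on the network can claim to be any facility or any sender. Those are reasons to ship syslog over an authenticated transport to a central server rather than trust the fields.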


Page 22: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-18 Contents of a simple syslog.conf file (© Linux)

Page 23: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Log Management Technology

• Log management tool
  – Collects events from log files
  – Processes the data
  – Stores the results
  – Performs notification or alerting as required

• Capabilities of log management technologies
  – Collect and centralize events to comply with industry regulations
  – Retain log information in accordance with company policy


Page 24: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Log Management Technology (cont’d.)

• Capabilities of log management technologies (cont’d.)
  – Normalize log information
  – Correlate events from various sources
  – Provide searching mechanisms
  – Provide reporting mechanisms

• Security information and event management (SIEM)
  – Provides an added level of intelligence
  – Groups events from various technologies, environments, and locations
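Normalization and correlation are the two capabilities in the list above that need code rather than storage. The example below is added for this page and is not code from the textbook or from any SIEM product: it maps a Windows logon record and an OpenSSH "Failed password" syslog line into one schema, then correlates failures by source address across hosts, something neither log can show on its own. Host names, users, addresses and the record layout are constructed; the year supplied to the syslog normalizer is an assumption the caller has to make, because BSD syslog timestamps carry none.

```python
"""Normalizing two log sources into one schema and correlating across
them: the two SIEM capabilities the slide lists.

Added example for this page, not code from the textbook or any SIEM
product. The Windows record layout is a simplified dict, the sshd lines
follow the OpenSSH 'Failed password' / 'Accepted ...' format, and every
host, user and address is constructed. BSD syslog timestamps carry no
year (or zone), so normalize_sshd() takes the year as a parameter; a
collector would supply it from the receive time.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_SSHD = re.compile(r"^(?:<\d+>)?(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                   r"(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")


def normalize_windows(ev):
    """Windows logon events (4624 success / 4625 failure) -> common schema."""
    if ev.get("id") not in (4624, 4625):
        return None
    return {"time": datetime.fromisoformat(ev["ts"]), "source": "windows",
            "host": ev["host"], "user": ev["user"].lower(), "src_ip": ev["src"],
            "outcome": "success" if ev["id"] == 4624 else "failure"}


def normalize_sshd(line, year):
    """OpenSSH auth lines (optionally with a <PRI> prefix) -> common schema."""
    m = _SSHD.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return {"time": when, "source": "sshd", "host": m.group(2),
            "user": m.group(4).lower(), "src_ip": m.group(5),
            "outcome": "failure" if m.group(3) == "Failed" else "success"}


def correlate(events, window=timedelta(minutes=10), min_hosts=2):
    """Alert when one source address fails logons on >= min_hosts distinct
    hosts within `window`, whichever log type reported each failure."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):  # slide the window over this IP's failures
            in_window = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            hosts = {x["host"] for x in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "multi-host-logon-failures", "src_ip": ip,
                               "hosts": sorted(hosts),
                               "sources": sorted({x["source"] for x in in_window})})
                break
    return alerts


# Constructed inputs: 10.0.0.7 fails against a Windows file server and a
# Linux web server; 10.0.0.9 fails once on the file server only.
WINDOWS_EVENTS = [
    {"ts": "2013-03-01T08:00:01", "id": 4625, "user": "Admin", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2013-03-01T08:00:40", "id": 4625, "user": "amy", "src": "10.0.0.9", "host": "FS01"},
    {"ts": "2013-03-01T08:01:00", "id": 4624, "user": "amy", "src": "10.0.0.9", "host": "FS01"},
]
SSHD_LINES = [
    "<86>Mar  1 08:00:03 web01 sshd[2211]: Failed password for admin from 10.0.0.7 port 4321 ssh2",
    "<86>Mar  1 08:00:09 web01 sshd[2214]: Failed password for invalid user test from 10.0.0.7 port 4322 ssh2",
    "<86>Mar  1 08:30:00 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.20 port 5000 ssh2",
]


def normalized_sample():
    """All constructed inputs, normalized into the common schema."""
    evs = [normalize_windows(e) for e in WINDOWS_EVENTS]
    evs += [normalize_sshd(line, year=2013) for line in SSHD_LINES]
    return [e for e in evs if e is not None]


if __name__ == "__main__":
    for alert in correlate(normalized_sample()):
        print(alert)
```

The lower-casing of user names is deliberate: Windows treats "Admin" and "admin" as the same account while sshd does not, and a correlation key that mixes both conventions silently splits one attacker into two.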

Page 25: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Log Management Technology (cont’d.)

• Security operations center (SOC)
  – Provides the operational infrastructure to detect attacks
  – Staffed with information security professionals

Figure 10-20 ArcSight ESM dashboard (© HP Enterprise Security, ArcSight)

Page 26: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Configuration and Change Management (CCM)

• Purpose: manage the effects of changes on an information system or network

• Configuration management
  – Identification, inventory, and documentation of current system status

• Change management
  – Addresses modifications to the base configuration


Page 27: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Configuration Management

• Configuration item
  – Hardware or software item to be modified and revised throughout its life cycle

• Version
  – Recorded state of a revision of a software or hardware configuration item
  – Format often used: M.N.b
    • M: major release
    • N: minor release
    • b: build within that release


Page 28: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Configuration Management (cont’d.)

• Major release
  – Significant revision from the previous state

• Minor release
  – Update or patch
  – Minor revision from the previous state

• Build
  – Snapshot of software linked from various component modules

• Build list
  – List of component versions that make up the build


Page 29: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Configuration Management (cont’d.)

• Configuration
  – Collection of components that make up a configuration item

• Revision date
  – Date of a particular version or build

• Software library
  – Collection of configuration items
  – Usually controlled
  – Used by developers to construct revisions


Page 30: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-21 Configuration management process (© Cengage Learning 2013)

Page 31: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Change Management

• Seeks to prevent changes that adversely affect system security

• Reduces risk by providing a repeatable mechanism for making modifications in a controlled environment

• The change management process identifies the steps required

• Objectives of the step-by-step procedure
  – Identifying, processing, tracking, and documenting changes


Page 32: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Change Management (cont’d.)

• Step 1: identify change
  – Define the need for the change
  – Submit a change request to the appropriate decision-making body

• Step 2: evaluate change request
  – Factors: viability, correctness, cost, feasibility, and impact on security

• Step 3: implementation decision
  – Approve, deny, or defer


Page 33: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Change Management (cont’d.)

• Step 4: implement approved change request
  – Move the change from the test environment into production

• Step 5: continuous monitoring
  – Purpose: ensure the system is operating as intended
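Configuration management (slide 26) records what each configuration item currently looks like; change management (steps 1 to 5 above) decides which changes to that record were allowed. Putting the two together gives the audit check a practitioner wants from step 5: which observed changes are not backed by an approved change request. The following is an added example for this page, not code from the textbook. Configuration items are held in memory as a {path: bytes} mapping so it runs anywhere; the paths, contents and the change request CR-42 are constructed.

```python
"""Configuration inventory, drift detection and reconciliation against
approved change requests.

Added example for this page, not code from the textbook. The
configuration items are held as an in-memory {path: bytes} mapping so
the example runs offline; on a real host build_inventory() would read
the files. Paths, contents and the change-request identifier CR-42 are
all constructed.
"""
import hashlib


def build_inventory(files):
    """Record the current state of each configuration item as a SHA-256 digest."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_inventory(baseline, current):
    """Compare two inventories; returns sorted lists of added/removed/modified paths."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p])}


def reconcile(diff, approved_requests):
    """Split the drift into changes covered by an approved request and
    changes nobody approved (the ones change management exists to catch)."""
    covered = {p: r["id"] for r in approved_requests for p in r["paths"]}
    authorized = {kind: [(p, covered[p]) for p in paths if p in covered]
                  for kind, paths in diff.items()}
    unauthorized = {kind: [p for p in paths if p not in covered]
                    for kind, paths in diff.items()}
    return authorized, unauthorized


# Constructed baseline (documented state at the last audit) ...
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication yes\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
# ... and the state observed now: sshd hardened, an agent installed, a
# NOPASSWD sudo rule added, the backup job gone.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\njsmith ALL=(ALL) NOPASSWD: ALL\n",
    "/usr/local/bin/agent": b"#!/bin/sh\nexec /opt/agent/run\n",
}
# Only one change request reached step 4 (approved and implemented).
APPROVED = [{"id": "CR-42", "paths": ["/etc/ssh/sshd_config", "/usr/local/bin/agent"]}]


def audit():
    """Drift between baseline and current state, split by approval status."""
    diff = diff_inventory(build_inventory(BASELINE_FILES), build_inventory(CURRENT_FILES))
    return reconcile(diff, APPROVED)


if __name__ == "__main__":
    authorized, unauthorized = audit()
    print("authorized:", authorized)
    print("UNAUTHORIZED:", unauthorized)
```

The interesting output is the unauthorized set: the sudoers edit and the missing cron job are exactly the kind of change an attacker or a well-meaning administrator makes outside the process, and without a stored baseline neither shows up in any log.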


Page 34: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Auditing (Formal Review)

• Auditing must be performed by well-qualified individuals

• Generally Accepted Auditing Standards (GAAS)
  – General standards
  – Standards of field work
  – Reporting standards


Page 35: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


IT Auditing

• Information Systems Audit and Control Association (ISACA)
  – Has published comprehensive standards and guidelines

• Certified Information Systems Auditor (CISA) requirements
  – Five years of work experience
  – Pass an exam covering five job-practice domain areas

• Audit approach
  – Phase 1: initiation and planning
    • Engagement letter specifies the service agreement between the auditing team and the requesting entity


Page 36: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


IT Auditing (cont’d.)

• Audit approach (cont’d.)
  – Phase 2: fieldwork
    • On-site visit
    • Target organization must support the auditors
  – Phase 3: analysis and review
    • Detailed analysis of site visit findings
    • Includes statistical analysis
  – Phase 4: final reporting
    • Formal report to the requesting entity
  – Phase 5: follow-up
    • Focuses on areas identified as deficient


Page 37: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Systems Certification, Accreditation, and Authorization

• Accreditation
  – Formal authorization for an IT system to process, store, or transmit information

• Certification
  – Comprehensive evaluation of the security controls of an IT system
  – Supports the accreditation process
  – Determines to what extent the implementation meets specified security requirements

• Reaccreditation and recertification are required every few years

Page 38: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Auditing for Government and Classified Information Systems

• Categories of information processed by the federal government
  – National security information (NSI)
  – Non-NSI
  – Intelligence community

• The categories are managed and operated by different government entities

• NSI must be processed on national security systems (NSSs)
  – More stringent requirements than non-NSS systems


Page 39: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-22 Three-tiered approach to risk management (© Cengage Learning 2013)

Page 40: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-23 Risk management framework (© Cengage Learning 2013)

Page 41: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Auditing and the ISO 27000 Series

• ISO/IEC 17799
  – Most widely recognized audit standard
  – Revised in 2005
  – Renamed ISO/IEC 27002 in 2007
  – Details are available to those who purchase the standard


Page 42: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Auditing and the ISO 27000 Series (cont’d.)

• ISO/IEC 27002 coverage areas
  – Risk assessment and treatment
  – Security policy
  – Organization of information security
  – Asset management
  – Human resource security
  – Physical and environmental security
  – Communications and operations
  – Access control


Page 43: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Auditing and the ISO 27000 Series (cont’d.)

• ISO/IEC 27002 coverage areas (cont’d.)
  – Information systems acquisition, development, and maintenance
  – Information security incident management
  – Business continuity management
  – Compliance

• ISO/IEC 27001
  – Specifies the requirements for establishing, implementing, and maintaining an information security management system (ISMS), the standard against which an organization is certified
  – Based on the “Plan-Do-Check-Act” cycle


Page 44: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Figure 10-24 Setting up an information security management system (© Cengage Learning 2013)

Page 45: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Auditing and COBIT

• Control Objectives for Information and Related Technology (COBIT)
  – Provides advice about the implementation of sound information security controls
  – Planning tool for information security
  – Auditing framework and controls model

• COBIT presents 34 high-level control objectives, one per IT process
  – Together they cover more than 200 detailed control objectives
  – Categorized into four domains


Page 46: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Auditing and COBIT (cont’d.)

• COBIT domains
  – Plan and organize
  – Acquire and implement
  – Deliver and support
  – Monitor and evaluate


Page 47: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Summary

• Auditing definitions
  – Ongoing review of a system’s functional data to evaluate proper operation
  – Periodic self-review of the network environment to evaluate it against policy requirements

• Computer or device log
  – Provides detailed chronological records of the use and modification of the system

• Log management includes storage, retention, baselining, encryption, and disposal


Page 48: Guide to Network Security 1 st Edition Chapter Ten Auditing, Monitoring, and Logging


Summary (cont’d.)

• Log management solutions aid working with system logs
  – Capabilities: collect and process events, store and analyze results, and notify as required

• Configuration and change management (CCM) controls the effects of revisions on networks and information systems

• ISO/IEC 27000 series of standards
  – The most widely recognized model for security assessment and practice
