Download Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
Document related concepts
no text concepts found
Transcript 
Security+ Guide to Network
Security Fundamentals, Third
Edition
Chapter 10
Conducting Security Audits
Objectives
• Define privilege audits
• Describe how usage audits can protect security
• List the methodologies used for monitoring to detect
security-related anomalies
• Describe the different monitoring tools
Security+ Guide to Network Security Fundamentals, Third Edition
2
Privilege Auditing
• A privilege can be considered a subject’s access
level over an object
• Principle of least privilege
– Users should be given only the minimal amount of
privileges necessary to perform his or her job function
• Privilege auditing
– Reviewing a subject’s privileges over an object
– Requires knowledge of privilege management, how
privileges are assigned, and how to audit these
security settings
Security+ Guide to Network Security Fundamentals, Third Edition
3
Privilege Management
• Privilege management
– The process of assigning and revoking privileges to
objects
• Whereas the roles of owners and custodians are
generally well-established
– Where those roles fit into the organization often
depends upon how the organization is structured
• The responsibility for privilege management can be
either centralized or decentralized
Security+ Guide to Network Security Fundamentals, Third Edition
4
Privilege Management (continued)
• In a centralized structure
– One unit is responsible for all aspects of assigning or
revoking privileges
– All custodians are part of that unit
• A decentralized organizational structure for privilege
management
– Delegates the authority for assigning or revoking
privileges more closely to the geographic location or
end user
Security+ Guide to Network Security Fundamentals, Third Edition
5
Assigning Privileges
• The foundation for assigning privileges
– The existing access control model for the hardware or
software being used
• Recall that there are four major access control
models:
–
–
–
–
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule Based Access Control (RBAC)
Security+ Guide to Network Security Fundamentals, Third Edition
6
Auditing System Security Settings
• Auditing system security settings for user privileges
involves:
– A regular review of user access and rights
– Using group policies
– Implementing storage and retention policies
• User access and rights review
– It is important to periodically review user access
privileges and rights
– Most organizations have a written policy that
mandates regular reviews
Security+ Guide to Network Security Fundamentals, Third Edition
7
Security+ Guide to Network Security Fundamentals, Third Edition
8
Auditing System Security Settings
(continued)
• User access and rights review (continued)
– Reviewing user access rights for logging into the
network can be performed on the network server
– Reviewing user permissions over objects can be
viewed on the network server
Security+ Guide to Network Security Fundamentals, Third Edition
9
Security+ Guide to Network Security Fundamentals, Third Edition
10
Auditing System Security Settings
(continued)
• Group Policies
– Instead of setting the same configuration baseline on
each computer, a security template can be created
• Security template
– A method to configure a suite of baseline security
settings
• On a Microsoft Windows computer, one method to
deploy security templates is to use Group Policies
– A feature that provides centralized management and
configuration of computers and remote users who are
using Active Directory (AD)
Security+ Guide to Network Security Fundamentals, Third Edition
11
Auditing System Security Settings
(continued)
• The individual elements or settings within group
policies are known as Group Policy Objects (GPOs).
– GPOs are a defined collection of available settings
that can be applied to user objects or AD computers
• Settings are manipulated using administrative
template files that are included within the GPO
Security+ Guide to Network Security Fundamentals, Third Edition
12
Auditing System Security Settings
(continued)
• Storage and retention policies
– Information lifecycle management (ILM)
• A set of strategies for administering, maintaining, and
managing computer storage systems in order to retain
data
– ILM strategies are typically recorded in storage and
retention policies
• Which outline the requirements for data storage
• Data classification
– Assigns a level of business importance, availability,
sensitivity, security and regulation requirements to
data
Security+ Guide to Network Security Fundamentals, Third Edition
13
Auditing System Security Settings
(continued)
Security+ Guide to Network Security Fundamentals, Third Edition
14
Auditing System Security Settings
(continued)
• Grouping data into categories often requires the
assistance of the users who save and retrieve the
data on a regular basis
• The next step is to assign the data to different levels
or “tiers” of storage and accessibility
Security+ Guide to Network Security Fundamentals, Third Edition
15
Usage Auditing
• Usage auditing
– Audits what objects a user has actually accessed
– Involves an examination of which subjects are
accessing specific objects and how frequently
• Sometimes access privileges can be very complex
• Usage auditing can help reveal incorrect permissions
• Inheritance
– Permissions given to a higher level “parent” will also
be inherited by a lower level “child”
• Inheritance becomes more complicated with GPOs
Security+ Guide to Network Security Fundamentals, Third Edition
16
Usage Auditing (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
17
Usage Auditing (continued)
• GPO inheritance
– Allows administrators to set a base security policy
that applies to all users in the Microsoft AD
• Other administrators can apply more specific
policies at a lower level
– That apply only to subsets of users or computers
• GPOs that are inherited from parent containers are
processed first
– Followed by the order that policies were linked to a
container object
Security+ Guide to Network Security Fundamentals, Third Edition
18
Usage Auditing (continued)
• A log is a record of events that occur
• Logs are composed of log entries
– Each entry contains information related to a specific
event that has occurred
• Logs have been used primarily for troubleshooting
problems
• Log management
– The process for generating, transmitting, storing,
analyzing, and disposing of computer security log
data
Security+ Guide to Network Security Fundamentals, Third Edition
19
Usage Auditing (continued)
• Security application logs
– Antivirus software
– Remote Access Software
– Automated patch update service
• Security hardware logs
– Network intrusion detection systems and host and
network intrusion prevention systems
– Domain Name System (DNS)
– Authentication servers
– Proxy servers
– Firewalls
Security+ Guide to Network Security Fundamentals
20
Security+ Guide to Network Security Fundamentals, Third Edition
21
Usage Auditing (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
22
Usage Auditing (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
23
Usage Auditing (continued)
• Types of items that should be examined in a firewall
log include:
– IP addresses that are being rejected and dropped
– Probes to ports that have no application services
running on them
– Source-routed packets
– Suspicious outbound connections
– Unsuccessful logins
Security+ Guide to Network Security Fundamentals, Third Edition
24
Usage Auditing (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
25
Usage Auditing (continued)
• Operating system logs
– Event
• An occurrence within a software system that is
communicated to users or other programs outside the
operating system
– System events
• Operational actions that are performed by the operating
system
Security+ Guide to Network Security Fundamentals, Third Edition
26
Usage Auditing (continued)
• System events that are commonly recorded include:
– Client requests and server responses
– Usage information
• Logs based on audit records
– The second common type of security-related
operating system logs
• Audit records that are commonly recorded include:
– Account information
– Operational information
Security+ Guide to Network Security Fundamentals, Third Edition
27
Security+ Guide to Network Security Fundamentals, Third Edition
28
Usage Auditing (continued)
• Log management benefits:
– A routine review and analysis of logs helps to identify
security incidents, policy violations, fraudulent activity,
and operational problems shortly after they have
occurred
– Logs can also be used in providing information for
resolving such problems
– Logs may be useful for performing auditing analysis,
supporting the organization’s internal investigations,
and identifying operational trends and long-term
problems
Security+ Guide to Network Security Fundamentals, Third Edition
29
Security+ Guide to Network Security Fundamentals, Third Edition
30
Usage Auditing (continued)
• It is recommended that organizations enact the
following log management solutions:
– Enact periodic audits
– Establish policies and procedures for log
management
– Maintain a secure log management infrastructure
– Prioritize log management throughout the
organization
– Use log aggregators
– Provide adequate support
Security+ Guide to Network Security Fundamentals, Third Edition
31
Usage Auditing (continued)
• Change management
– Refers to a methodology for making changes and
keeping track of those changes, often manually
– Seeks to approach changes systematically and
provide the necessary documentation of the changes
• Two major types of changes regarding security that
are routinely documented
– Any change in system architecture
– Data classification
Security+ Guide to Network Security Fundamentals, Third Edition
32
Usage Auditing (continued)
• Change management team (CMT)
– Created to oversee changes
– Any proposed change must first be approved by the
CMT
• The team might be typically composed of:
– Representatives from all areas of IT (servers,
network, enterprise server, etc.)
– Network security
– Upper-level management
Security+ Guide to Network Security Fundamentals, Third Edition
33
Usage Auditing (continued)
• The duties of the CMT include:
– Review proposed changes
– Ensure that the risk and impact of the planned
change is clearly understood
– Recommend approval, disapproval, deferral, or
withdrawal of a requested change
– Communicate proposed and approved changes to coworkers
Security+ Guide to Network Security Fundamentals, Third Edition
34
Monitoring Methodologies and Tools
• There are several types of instruments that can be
used on systems and networks to detect securityrelated anomalies
Security+ Guide to Network Security Fundamentals, Third Edition
35
Methodologies for Monitoring
• Anomaly-based monitoring
– Designed for detecting statistical anomalies
– Baseline
• A reference set of data against which operational data
is compared
– Whenever there is a significant deviation from this
baseline, an alarm is raised
• Advantage
– Detect the anomalies quickly
Security+ Guide to Network Security Fundamentals, Third Edition
36
Methodologies for Monitoring
(continued)
• False positives
– Alarms that are raised when there is no actual
abnormal behavior
• Normal behavior can change easily and even
quickly
– Anomaly-based monitoring is subject to false
positives
Security+ Guide to Network Security Fundamentals, Third Edition
37
Methodologies for Monitoring
(continued)
• Signature-based monitoring
– Compares activities against a predefined signature
– Requires access to an updated database of
signatures
• Along with a means to actively compare and match
current behavior against a collection of signatures
• Weaknesses
– The signature databases must be constantly updated
– As the number of signatures grows the behaviors
must be compared against an increasingly large
number of signatures
Security+ Guide to Network Security Fundamentals, Third Edition
38
Methodologies for Monitoring
(continued)
• Behavior-based monitoring
– Designed to be more adaptive and proactive instead
of reactive
– Uses the “normal” processes and actions as the
standard
– Continuously analyzes the behavior of processes and
programs on a system
• Alerts the user if it detects any abnormal actions
• Advantage
– Not necessary to update signature files or compile a
baseline of statistical behavior
Security+ Guide to Network Security Fundamentals, Third Edition
39
Methodologies for Monitoring
(continued)
Security+ Guide to Network Security Fundamentals, Third Edition
40
Monitoring Tools
• Performance baselines and monitors
– Performance baseline
• A reference set of data established to create the “norm”
of performance for a system or systems
– Data is accumulated through the normal operations of
the systems and networks through performance
monitors
– Operational data is compared with the baseline data
to determine how closely the norm is being met and if
any adjustments need to be made
Security+ Guide to Network Security Fundamentals, Third Edition
41
Monitoring Tools (continued)
• System monitor
– A low-level system program that uses a notification
engine designed to monitor and track down hidden
activity on a desktop system, server, or even personal
digital assistant (PDA) or cell phone
• Some system monitors have a Web-based interface
• System monitors generally have a fully customizable
notification system
– That lets the owner design the information that is
collected and made available
Security+ Guide to Network Security Fundamentals, Third Edition
42
Monitoring Tools (continued)
• Protocol analyzer
– Also called a sniffer
– Captures each packet to decode and analyze its
contents
– Can fully decode application-layer network protocols
– The different parts of the protocol can be analyzed for
any suspicious behavior
Security+ Guide to Network Security Fundamentals, Third Edition
43
Summary
• A “privilege” can be considered a subject’s access
level over an object
• Auditing system security settings for user privileges
involves a regular review of user access and rights
• Information lifecycle management (ILM) is a set of
strategies for administering, maintaining, and
managing computer storage systems in order to
retain data
• Usage auditing involves an examination of which
subjects are accessing specific objects and how
frequently
Security+ Guide to Network Security Fundamentals, Third Edition
44
Summary (continued)
• Logs related to computer security have become
particularly important
• Change management refers to a methodology for
making changes and keeping track of those changes,
often manually
• Monitoring involves examining network traffic,
activity, transactions, or behavior in order to detect
security-related anomalies
Security+ Guide to Network Security Fundamentals, Third Edition
45
Related documents
Internet Marketing Fundamentals
Internet Marketing Fundamentals
sch1sec3fundamentalsofmarketing2
sch1sec3fundamentalsofmarketing2
Database Design for the Web
Database Design for the Web
Computer science
Computer science
Assignment 1
Assignment 1
Cpas - Madison Central High / Overview
Cpas - Madison Central High / Overview
Organizing Data and Information
Organizing Data and Information
Chapter 3: Organizing Data and Information
Chapter 3: Organizing Data and Information
marketing - RCS Technology Integration Pages
marketing - RCS Technology Integration Pages
Hardware and Software
Hardware and Software
Computer Forensics
Computer Forensics
Database Security and Auditing
Database Security and Auditing
Advantages of Web Publishing
Advantages of Web Publishing
Certificate: Program and Project Management
Certificate: Program and Project Management
2.03_Basic_Human_Needs
2.03_Basic_Human_Needs
CIS3360: Security in Computing (online session, Spring 2012)
CIS3360: Security in Computing (online session, Spring 2012)
Computer Forensics
Computer Forensics
Chapter1
Chapter1
Virtual Private Databases
Virtual Private Databases
LAB 1: Circuit Simulation Fundamentals
LAB 1: Circuit Simulation Fundamentals
Cemeent
Cemeent
FY 2004-2005 - FSM National Public Auditor
FY 2004-2005 - FSM National Public Auditor