After studying this chapter you should be able to:
- Define privilege audits
- Describe how usage audits can protect security
- List the methodologies used for monitoring to detect security-related anomalies
- Describe the different monitoring tools
Conducting Security Audits

Contents
- Define privilege audits
- Describe how usage audits can protect security
- List the methodologies used for monitoring to detect security-related anomalies
- Describe the different monitoring tools

Privilege Auditing
- A privilege can be considered a subject's access level over an object
- Principle of least privilege
  - Users should be given only the minimal privileges necessary to perform their job function
- Privilege auditing
  - Reviewing a subject's privileges over an object
  - Requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings

Privilege Management
- The process of assigning and revoking privileges to objects
- The roles of owners and custodians are generally well established
- The responsibility for privilege management can be either centralized or decentralized

Centralized and Decentralized Structures
- In a centralized structure
  - One unit is responsible for all aspects of assigning or revoking privileges
  - All custodians are part of that unit
  - Promotes uniform security policies
  - Slows response, frustrates users
- A decentralized organizational structure for privilege management
  - Delegates the authority for assigning or revoking privileges more closely to the geographic location or end user
  - Requires IT staff at each location to manage privileges

Assigning Privileges
- The foundation for assigning privileges
  - The existing access control model for the hardware or software being used
- Recall that there are four major access control models:
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Role Based Access Control (RBAC)
  - Rule Based Access Control (RBAC)

Auditing System Security Settings
- Auditing system security settings for user privileges involves:
  - A regular review of user access and rights
  - Using group policies
  - Implementing storage and retention policies
- User access and rights review
  - It is important to periodically review user access privileges and rights
  - Most organizations have a written policy that mandates regular reviews

User Access and Rights Review (continued)
- Reviewing user access rights for logging into the network can be performed on the network server
- Reviewing user permissions over objects can be viewed on the network server

Log Management Benefits
- A routine review and analysis of logs helps identify
  - Security incidents
  - Policy violations
  - Fraudulent activity
  - Operational problems
- Logs can also help resolve problems
- Logs help
  - Perform auditing analysis
  - The organization's internal investigations
  - Identify operational trends and long-term problems
  - Demonstrate compliance with laws and regulatory requirements

Change Management
- A methodology for making changes and keeping track of those changes
- Two major types of changes
  - Any change in system architecture
    - New servers, routers, etc.
  - Data classification
    - Documents moving from Confidential to Standard, or Top Secret to Secret

Change Management Team (CMT)
- Created to oversee changes
- Any proposed change must first be approved by the CMT
- The team typically has:
  - Representatives from all areas of IT (servers, network, enterprise server, etc.)
  - Network security
  - Upper-level management

Change Management Team (CMT) Duties
- Review proposed changes
- Ensure that the risk and impact of the planned change is clearly understood
- Recommend approval, disapproval, deferral, or withdrawal of a requested change
- Communicate proposed and approved changes to coworkers

Anomaly-based Monitoring
- Detecting abnormal traffic
- Baseline
  - A reference set of data against which operational data is compared
  - Whenever there is a significant deviation from this baseline, an alarm is raised
- Advantage
  - Detects anomalies quickly
- Disadvantages
  - False positives
    - Alarms that are raised when there is no actual abnormal behavior
  - Normal behavior can change easily and even quickly
  - Anomaly-based monitoring is subject to false positives

Signature-based Monitoring
- Compares activities against signatures
- Requires access to an updated database of signatures
- Weaknesses
  - The signature databases must be constantly updated
  - As the number of signatures grows, the behaviors must be compared against an increasingly large number of signatures
  - New attacks will be missed, because there is no signature for them

Behavior-based Monitoring
- Adaptive and proactive instead of reactive
- Uses the "normal" processes and actions as the standard
- Continuously analyzes the behavior of processes and programs on a system
- Alerts the user if it detects any abnormal actions
- Advantage
  - Not necessary to update signature files or compile a baseline of statistical behavior

Monitoring Tools
- Performance baselines and monitors
- Performance baseline
  - A reference set of data established to create the "norm" of performance for a system or systems
  - Data is accumulated through the normal operations of the systems and networks through performance monitors
  - Operational data is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made

System Monitor
- A low-level system program
- Monitors hidden activity on a device
- Some system monitors have a Web-based interface
- System monitors generally have a fully customizable notification system
  - That lets the owner design the information that is collected and made available

Protocol Analyzer
- Also called a sniffer
- Captures each packet to decode and analyze its contents
- Can fully decode application-layer network protocols
- The different parts of the protocol can be analyzed for any suspicious behavior

Security Templates
- ... computer, a security template can be created
- Security template
  - A method to configure a suite of baseline security settings
- On a Microsoft Windows computer, one method to deploy security templates ...
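The anomaly-based and signature-based slides above describe two detection methodologies in the abstract; the following added example (not from the slides) runs both over constructed data: a baseline of per-minute request counts with a deviation threshold, and a small constructed signature database matched against constructed log lines. The request counts, log lines, signature names and the 3-standard-deviation threshold are all assumptions made for the example.

```python
"""Added example: baseline-deviation (anomaly) and signature matching, side by side."""
import re
import statistics

# Constructed sample: requests per minute from one host during a quiet learning window.
BASELINE_WINDOW = [42, 39, 45, 41, 44, 40, 43, 38, 46, 42]
# Constructed later window after legitimate traffic growth (normal behavior changed).
NEW_WINDOW = [58, 61, 59, 63, 60, 57, 62, 60, 61, 59]
# Constructed operational data: index 2 is a burst, index 4 is a legitimate busy minute.
OBSERVED = [41, 44, 120, 43, 60, 40]


def build_baseline(samples):
    """Summarise the reference window as (mean, population standard deviation)."""
    return statistics.mean(samples), statistics.pstdev(samples)


def anomaly_alarms(baseline, observations, k=3.0):
    """Indices of observations more than k standard deviations from the baseline mean."""
    mean, sd = baseline
    return [i for i, x in enumerate(observations) if abs(x - mean) > k * sd]


# Constructed signature database (name -> pattern). Only listed behaviors can be detected.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# Constructed access-log lines; the last one stands for a novel technique with no signature yet.
LOG_LINES = [
    "GET /index.html 200",
    "GET /search?q=1' UNION SELECT user,pass FROM accounts 200",
    "GET /files?name=../../etc/passwd 404",
    "GET /admin/config?debug=1 200",
]


def signature_alarms(lines):
    """(line index, signature name) for every line matching a signature in the database."""
    return [(i, name) for i, line in enumerate(lines)
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


if __name__ == "__main__":
    print("anomaly alarms (old baseline):", anomaly_alarms(build_baseline(BASELINE_WINDOW), OBSERVED))
    print("anomaly alarms (re-baselined):", anomaly_alarms(build_baseline(NEW_WINDOW), [60, 62, 120]))
    print("signature alarms:", signature_alarms(LOG_LINES))
```

Against the old baseline the legitimate busy minute (index 4) is flagged alongside the real burst, which is the false positive the slides warn about; once the baseline is rebuilt from the new window, 60 requests per minute is no longer anomalous while 120 still is. The signature pass catches only the two patterns in its database and stays silent on the fourth line, which is the "new attacks will be missed" weakness.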
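Returning to the privilege-auditing and user access and rights review slides earlier in the chapter, this added example (not from the slides) shows what a periodic review looks like in code: each user's granted privileges are compared with the least-privilege set defined for their role, and dormant accounts are reported. The role baseline, the directory export and the 90-day dormancy threshold are constructed assumptions.

```python
"""Added example: a user access and rights review against a least-privilege role baseline."""
from datetime import date, timedelta

# Constructed role baseline: the minimal privileges each job function needs.
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"read_tickets", "db_admin"},
    "auditor": {"read_logs"},
}

# Constructed directory export: (user, role, granted privileges, last login date).
TODAY = date(2024, 3, 1)
USERS = [
    ("alice", "helpdesk", {"reset_password", "read_tickets"}, TODAY - timedelta(days=2)),
    ("bob", "helpdesk", {"reset_password", "read_tickets", "db_admin"}, TODAY - timedelta(days=5)),
    ("carol", "dba", {"db_admin", "read_tickets"}, TODAY - timedelta(days=140)),
    ("dave", "contractor", {"read_logs"}, TODAY - timedelta(days=1)),
]


def review_access(users, baseline, today, stale_days=90):
    """Return findings keyed by user: excess privileges, dormant accounts, roles with no baseline."""
    findings = {}
    for user, role, granted, last_login in users:
        issues = []
        if role not in baseline:
            # A role nobody has defined a minimal privilege set for cannot be audited.
            issues.append(f"no baseline for role '{role}'")
        else:
            excess = granted - baseline[role]
            if excess:
                issues.append("excess privileges: " + ", ".join(sorted(excess)))
        idle_days = (today - last_login).days
        if idle_days > stale_days:
            issues.append(f"dormant for {idle_days} days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_access(USERS, ROLE_BASELINE, TODAY).items():
        print(user, "->", "; ".join(issues))
```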