Security Audit

Click to edit Master title style,Click to edit Master text styles,Second level,Third level,Fourth level,Fifth level,*,Security Audit,1,Security Auditing,Definition,Audit log,Audit procedure,Auditor,Audit types,Audit report,Database audit,2,Definition of Security Audit,IS security auditing involves providing independent evaluations of an organizations policies, procedures, standards, measures, and practices for safeguarding electronic information from loss, damage, unintended disclosure, or denial of availability,(U.S. Govt. Accounting Office),Method of examining past activities regarding compliance with reference to organizational policies and industry standards,Goal is to provide external evidence that organizational policies are followed,3,Definition of Security Audit,Helps identify potential vulnerabilities in the system based on audit report,Auditors compare the effectiveness of security with respect to industry standards,4,Audit Log,Types of activities/events to log,Logins (successful, failure, all, none),Physical entry (scan card),Changes to system (e.g., permissions),Changes to sensitive data (e.g., salary),Automation of logging,Length of retention for logged data,One month for login data,One week for physical entry data,One month for system change data,One year for sensitive data,5,Audit Log,Data retention period must fit organizational goals,Data collected must fit organizational culture,Identify critical events to trigger immediate notifications to security administrators,Numerous accesses to a single file,Attempt unauthorized data entries,6,Audit Log,Log only required data (e.g., if age is required then do not get address as well),Someone must review logs,Logging has a negative effect on system performance,Critical events may be overwritten by excessive logging,7,Audit Log,Most,OSs,allow overwriting log files based on time or file size,This choice may be determined by policy, e.g., log files must be kept for a certain amount of time,Log files can be archived,You may need to maintain a (semi-) permanent record of system activity,Back up log files before they are overwritten,A common method is to alternate two log files, backing up one file while the other is active,8,Windows Logging,Windows uses the Event Viewer as its primary logging mechanism,Found in Administrative Tools,Event Viewer log files,Security log,Records security-related events,Controlled by a system administrator,Typical information includes failed logon attempts and attempts to exceed privileges,9,Windows Logging,Application log,Records events triggered by application software,System administrators have control over what events to store,System log,Contains events recorded by the operating system,System administrator generally has no control over this log,Typical events include hardware/software problems,Other specialized log files:,directory service log, file replication service log, and DNS server log,10,Windows Logging,Four types of events are stored in Event Viewer logs,Error events,are created when a serious problem occurs (corruption of a file system),Warning events,are created to alert administrators to potential problems (a disk nearing capacity),Information events,are details of some activity that arent indications of a problem (starting or stopping a service),Success/failure auditing events,are administrator-defined events that can be logged when they succeed, when they fail, or both (unsuccessful logon attempts),11,UNIX Logging,Primary log facility in UNIX is,syslog,Very flexible, many options for notification and priority,Can write to a remote log file allowing the use of dedicated syslog servers to track all activity on a network,Syslog priority levels:,LOG_EMERG (emergency),LOG_ALERT (require immediate intervention),LOG_CRIT (critical system events),LOG_ERR (error),LOG_WARNING (warn of potential errors),LOG_NOTICE (information, no error),12,Configuring Alerts,Set up alerts that notify administrators when specific events occur,For example, immediate notification if a hard drive is full,Alert options include,E-mail, pagers, Short Message Service (SMS), instant messaging, pop-up windows, and cell phones,Alerts can be configured differently depending on the severity of the event and the time,Only very severe events should trigger a cell phone call in the middle of the night, for example,13,Analyzing Log Data,Log data is used to monitor your environment,Two main activities:,Profiling,normal behavior,to understand typical system behavior at different times and in different parts of your business cycle,Detecting,anomalies,when system activity significantly deviates from the normal behavior you have documented,14,Profiling Normal Behavior,A “snapshot” of typical system behavior is called a,baseline,Baselines can be obtained at the network, system, user, and process level,Baselines detail consumption of system resources,Baselines will vary significantly based on time of day or business cycle,It is administrators responsibility to determine the baseline studies appropriate for an organization,These will change over time,15,Detecting Anomalies,Define anomalies based on thresholds,The following questions must be answered,How much of a deviation from the norm represents an anomaly?,How long must the deviation occur before registering an anomaly?,What anomalies should trigger immediate alerts?,Anomalies can occur at any level,For example, if a users behavior deviates from normal, it may indicate a serious security event,16,Data Reduction,When possible, limit the scope of logging activities to that which can reasonably be analyzed,However, regulations or policies may stipulate that aggressive logging is necessary,Data reduction tools are useful when more data is collected than can be reviewed,Often built into security tools that create log files,For example, CheckPoints Firewall-1 allows you to view log files filtered by inbound TCP traffic to a specific port on a specific date,17,Maintaining Secure Logs,Logs themselves must be protected from tampering and corruption,Common techniques to secure logs include,Remote logging,uses a centralized, highly protected, storage location,Printer logging,creates a paper trail by immediately printing logged activity,Cryptographic technology,digitally signs log files to ensure that changes can be detected, though the files are vulnerable until they are finalized,18,Audit Procedure,Security professionals examine the policies and implementation of the organizations security posture,Identify deficiencies and recommend changes,The audit team should be well trained and knowledgeable,The team may be multidisciplinary including accountants, managers, administrators, and technical professionals,Choose a team based on your organizations needs,19,Audit Procedure,Gather all data to be audited,Familiarize with the organizational policies and procedures with regard to data collection,Interview key personnel to learn about organizational practices,Perform penetration testing to see effectiveness of security controls,Analyze logged data to identify policy compliance. This is the most time consuming process.,20,Checklists,Checklists provide a systematic and consistent approach to completing various tasks in an audit,Audit checklists,provide,a high-level overview of the overall audit process,stepwise processes for auditing different classes of systems,Configuration checklists,contain specific configuration settings,Vulnerability checklists,contain lists of critical vulnerabilities for each operating system in use,21,Sample Security Audit Questionnaire,Are you preventing people from misusing your information processing facilities?,Are you protecting your information processing facilities by reducing the risk of human error?,Are you protecting information processing facilities by reducing the risk of theft?,Are you protecting information processing facilities by reducing the risk of fraud?,Are you addressing information security issues during the personnel recruitment process?,Are all new users of information processing facilities subjected to a security screening?,Are all new users of information processing facilities asked to sign confidentiality agreements?,Are users aware of information security threats and concerns?,Are users capable of applying your information security policy?,Do you teach users how to apply your security procedures?,22,IP/Port Scanners,IP/Port scanners are used by both crackers and system administrators,Use brute-force probing of IP addresses to identify open ports running services that may be vulnerable,Administrators can use this information to find rogue systems and services,Often set up by legitimate users who want to bypass the red tape of going through administration,Rogue systems and services are usually either removed or brought under administrative control,23,Vulnerability Scanners,Vulnerability scanners are software applications that analyze systems for known vulnerabilities and create reports and suggestions,First vulnerability scanner was SATAN in the early 1990s,Newer scanners include,SARA, a descendant of SATAN (UNIX),SAINT, a commercially supported scanner (UNIX),Nessus, provides a scripting language for writing and sharing security tests (UNIX, Linux),Microsoft Baseline Security Analyzer, free from Microsoft, downloads the most recent vulnerability database (Windows),24,Penetration Testing,Penetration testing is a proactive approach used by security auditors,The auditor tries to break in to the system to find vulnerabilities,Many security teams bring in professionals to conduct penetration testing,Called “white hat” hackers,Malicious hackers are called “black hat” hackers,Be sure you have proper permission before conducting any type of penetration testing,25,Integrity Checking,Integrity checking,Maintains cryptographic signatures of all protected files to catch tampering,Tripwire,is the most common tool for file integrity assurance,Typically used to protect static web sites and other systems that store critical data that is infrequently changed,26,Auditor,Auditors are a team of people who specialize in specific aspects of audit such as penetration testing,Auditors are always external in order for critical evaluation of policies and procedures,External auditing provides the necessary independence for auditors,Internal auditors do periodic checks to verify compliance with policies,Internal auditors work enables collection of relevant data for external auditors,27,Audit Types,Financial audit,Ensures that all financial transactions are accounted for and comply with the law,SAS 70,(Statement of Auditing Standards) is a specific financial audit,Security Audit,Evaluates system security,Compliance Audit,Verifies compliance with industry standards,Required for financial and health care companies,28,Audit Report,Outcome of an audit is the audit report,Audit report contains:,Summary of policies observance and deviations,Prioritizing deficiencies found,Recommending action plans for addressing deficiencies,Benefits from the report:,Management realizes the need for appropriate investments for security system,Identifies security gaps and vulnerabilities,Enables developing suitable internal controls,29,Database Audit,Database audit differs slightly from standard information system audit,Database audit keeps track of:,Built-in audit tools available with commercial systems,All user logins and logouts,All data changes,All schema changes (HIPAA requirement),30,Database Audit,Functionality,SQL Server,Oracle,GUI functions for audit,Yes,Yes,Data change audit,Yes,Yes,Email alerts,Yes,Yes,Disable triggers,Yes,Yes,Schedule Audit trail data purge,Yes,Yes,Audit trail data export,Yes,Yes,31,