Security Audit - Introduction to Information Security - Lecture Slides, Slides of Network security

The major points I found very informative on security are: Security Audit, Definition, Audit Log, Audit Procedure, Auditor, Audit Types, Audit Report, Database Audit, Accounting Office, Reference

Typology: Slides

2012/2013

Uploaded on 04/22/2013

sathiamoorthy

Security Audit

Security Auditing

  • Definition
  • Audit log
  • Audit procedure
  • Auditor
  • Audit types
  • Audit report
  • Database audit

Definition of Security Audit

  • A systematic review of an organization's security policies, controls, and logged activity
  • Helps identify potential vulnerabilities in the system; the findings are documented in the audit report
  • Auditors compare the effectiveness of the security controls against industry standards

Audit Log

  • Types of activities/events to log
    • Logins (successful, failed, all, or none)
    • Physical entry (e.g., card-scan door access)
    • Changes to the system (e.g., permissions)
    • Changes to sensitive data (e.g., salary)
  • Automate logging rather than relying on manual records
  • Length of retention for logged data: example periods, which policy or regulation may extend
    • One month for login data
    • One week for physical entry data
    • One month for system change data
    • One year for sensitive data changes

Audit Log

  • Log only the data that is required (e.g., if age is required, do not also collect the address)
  • Someone must review the logs; an unread log detects nothing
  • Logging costs system performance (I/O and storage), so scope it deliberately
  • Critical events may be overwritten by excessive logging when log files wrap or are rotated

Audit Log

  • Most OSs allow log files to be overwritten based on age or file size
    • This choice may be determined by policy, e.g., log files must be kept for a certain amount of time
  • Log files can be archived
    • You may need to maintain a (semi-)permanent record of system activity
    • Back up log files before they are overwritten
    • A common method is to alternate two log files, backing up one file while the other is active
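As an added example (not from the original slides), the two-file alternation described above in Python: the writer switches files when the active one reaches a size limit and copies the inactive file into an archive directory before it is truncated, so nothing is overwritten without a backup. The file names, size limit, and sample event text are assumptions for illustration.

```python
import shutil
import tempfile
import time
from pathlib import Path


class RotatingAuditLog:
    """Alternate two log files; archive the inactive one before it is reused.

    Writes go to the active file until it reaches max_bytes, then the writer
    switches to the other file. That file may still hold the previous
    generation's records, so it is copied into the archive directory before it
    is truncated: no record is ever overwritten without a backup.
    """

    def __init__(self, directory, max_bytes=4096):
        self.dir = Path(directory)
        self.archive_dir = self.dir / "archive"
        self.archive_dir.mkdir(parents=True, exist_ok=True)
        # Assumed file names; any two names work as long as they alternate.
        self.files = [self.dir / "audit.0.log", self.dir / "audit.1.log"]
        self.max_bytes = max_bytes
        self.active = 0
        self.generation = 0

    def _rotate(self):
        self.active = 1 - self.active
        target = self.files[self.active]
        if target.exists() and target.stat().st_size > 0:
            # Back up the file that is about to be reused; zero-padded
            # generation numbers keep the archives in chronological order.
            self.generation += 1
            archive = self.archive_dir / f"audit.{self.generation:06d}.log"
            shutil.copy2(target, archive)
        target.write_text("", encoding="utf-8")  # now safe to reuse

    def write(self, event):
        line = f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {event}\n"
        path = self.files[self.active]
        size = path.stat().st_size if path.exists() else 0
        if size + len(line.encode("utf-8")) > self.max_bytes:
            self._rotate()
            path = self.files[self.active]
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(line)

    def all_records(self):
        """Complete history: archives (oldest first), then the inactive file
        (which has not been archived yet), then the active file."""
        paths = sorted(self.archive_dir.iterdir())
        paths += [self.files[1 - self.active], self.files[self.active]]
        records = []
        for p in paths:
            if p.exists():
                records.extend(p.read_text(encoding="utf-8").splitlines())
        return records


def demo(n_events=300, max_bytes=512):
    """Push n_events constructed records through a small rotating log and
    return (records recovered, archive files created, records still in order)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = RotatingAuditLog(tmp, max_bytes=max_bytes)
        for i in range(n_events):
            log.write(f"user=alice action=login result=success seq={i}")
        records = log.all_records()
        seqs = [int(r.rsplit("seq=", 1)[1]) for r in records]
        return len(records), len(list(log.archive_dir.iterdir())), seqs == sorted(seqs)


if __name__ == "__main__":
    print(demo())
```

`demo()` reports that all 300 constructed records are recoverable, in order, from the archives plus the two live files. A real deployment would drive the rotation from the retention policy's time limit as well as size, and would keep the archive directory writable only by a separate account so the process that writes the log cannot also erase its history.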

Windows Logging

  • Application log
    • Records events triggered by application software
    • Administrators choose which application events are stored
  • System log
    • Contains events recorded by the operating system and its components
    • Administrators generally have no control over which events are written to this log
    • Typical events include hardware and software problems
  • Other specialized logs (directory service, file replication service, and DNS server) appear on servers running those roles

Windows Logging

  • Four types of events are stored in Event Viewer logs
    • Error events are created when a serious problem occurs (e.g., corruption of a file system)
    • Warning events are created to alert administrators to potential problems (e.g., a disk nearing capacity)
    • Information events are details of some activity that are not indications of a problem (e.g., starting or stopping a service)
    • Success/failure auditing events, recorded in the Security log, are administrator-defined events that can be logged when they succeed, when they fail, or both (e.g., unsuccessful logon attempts)

Configuring Alerts

  • Set up alerts that notify administrators when specific events occur
    • For example, immediate notification if a hard drive is full
  • Alert options include e-mail, pagers, Short Message Service (SMS), instant messaging, pop-up windows, and cell phones
  • Alerts can be configured differently depending on the severity of the event and the time of day
    • Only very severe events should trigger a cell phone call in the middle of the night, for example

Analyzing Log Data

  • Log data is used to monitor your environment
  • Two main activities:
    • Profiling normal behavior to understand typical system behavior at different times and in different parts of your business cycle
    • Detecting anomalies when system activity significantly deviates from the normal behavior you have documented

Detecting Anomalies

  • Define anomalies based on thresholds
  • The following questions must be answered
    • How much of a deviation from the norm represents an anomaly?
    • How long must the deviation occur before registering an anomaly?
    • What anomalies should trigger immediate alerts?
  • Anomalies can occur at any level
    • For example, if a user’s behavior deviates from normal, it may indicate a serious security event
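To make the profiling and thresholding concrete, here is an added Python example that is not part of the original slides. It ties the Analyzing Log Data, Detecting Anomalies, and Configuring Alerts slides together: it profiles a baseline of constructed failed-login lines per user and hour, registers an anomaly only when a user's hourly count exceeds mean + 3 standard deviations for at least two consecutive hours, grades the anomaly by how far the peak sits above the threshold, and routes the alert by severity and time of day. The log line layout, the user names, the 3-sigma and two-hour parameters, the severity grades, and the quiet-hours routing are all assumptions; real data needs a baseline long enough to cover the business cycle.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

K_SIGMA = 3          # "how much deviation": above mean + 3 standard deviations
MIN_CONSECUTIVE = 2  # "how long": at least two consecutive hourly buckets
LINE_FMT = "{ts:%Y-%m-%dT%H:%M:%S} LOGIN user={user} result={result}"


def constructed_login_log(start, hours, extra=None):
    """Constructed sample data, not real logs: per hour, one successful login
    per user plus a fixed failure pattern; extra[(user, hour)] injects more."""
    extra, lines = extra or {}, []
    for h in range(hours):
        ts = start + timedelta(hours=h)
        pattern = {"alice": [1, 0, 2, 1, 0, 1][h % 6], "bob": [0, 0, 1, 0][h % 4]}
        for user, n in pattern.items():
            for i in range(n + extra.get((user, h), 0)):
                lines.append(LINE_FMT.format(ts=ts + timedelta(minutes=i % 60), user=user, result="failure"))
            lines.append(LINE_FMT.format(ts=ts, user=user, result="success"))
    return lines


def hourly_failures(lines):
    """Parse into {user: {hour: failures}} plus every hourly bucket in the
    span, so hours with no failures count as zero when profiling."""
    counts, stamps = defaultdict(lambda: defaultdict(int)), []
    for line in lines:
        ts_str, _, rest = line.split(" ", 2)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        stamps.append(ts)
        if fields.get("result") == "failure":
            counts[fields["user"]][ts.replace(minute=0, second=0)] += 1
    first = min(stamps).replace(minute=0, second=0)
    span = int((max(stamps).replace(minute=0, second=0) - first).total_seconds() // 3600) + 1
    return counts, [first + timedelta(hours=i) for i in range(span)]


def profile(baseline_lines, k=K_SIGMA):
    """Normal behaviour per user: threshold = mean + k*stdev of hourly failures
    over the baseline. Users absent from the baseline use the all-user value (key None)."""
    counts, buckets = hourly_failures(baseline_lines)
    thresholds, everything = {}, []
    for user, per_hour in counts.items():
        series = [per_hour.get(b, 0) for b in buckets]
        everything.extend(series)
        thresholds[user] = statistics.mean(series) + k * statistics.pstdev(series)
    thresholds[None] = statistics.mean(everything) + k * statistics.pstdev(everything) if everything else 0.0
    return thresholds


def detect_anomalies(observed_lines, thresholds, min_consecutive=MIN_CONSECUTIVE):
    """Register an anomaly only when a user stays above threshold for at least
    min_consecutive hours. Returns (user, first_hour, run_length, peak, severity)."""
    counts, buckets = hourly_failures(observed_lines)
    anomalies = []
    for user, per_hour in counts.items():
        limit, run = thresholds.get(user, thresholds[None]), []
        for b in buckets + [None]:  # None flushes a run that reaches the end
            if b is not None and per_hour.get(b, 0) > limit:
                run.append(b)
                continue
            if len(run) >= min_consecutive:
                peak = max(per_hour[h] for h in run)
                ratio = peak / limit if limit > 0 else float("inf")
                severity = "critical" if ratio >= 10 else "high" if ratio >= 3 else "medium"
                anomalies.append((user, run[0], len(run), peak, severity))
            run = []
    return anomalies


def route_alert(severity, hour):
    """Channels by severity and time of day (assumed policy): in quiet hours
    (22:00-06:00) only a critical anomaly reaches a phone; the rest wait in e-mail."""
    quiet = hour >= 22 or hour < 6
    if severity == "critical":
        return ["email", "sms", "phone"]
    if quiet or severity == "medium":
        return ["email"]
    return ["email", "sms"]


def demo():
    start = datetime(2013, 4, 15)
    baseline = constructed_login_log(start, hours=72)
    # Observation day a week later: bob's account is hammered 03:00-05:59.
    observed = constructed_login_log(start + timedelta(days=7), hours=24,
                                     extra={("bob", 3): 30, ("bob", 4): 25, ("bob", 5): 28})
    return [(user, begin.hour, n, peak, sev, route_alert(sev, begin.hour))
            for user, begin, n, peak, sev in detect_anomalies(observed, profile(baseline))]
```

Running `demo()` yields a single critical anomaly for `bob` starting at 03:00 and lasting three hours, routed to e-mail, SMS, and phone; `alice`, whose busiest hour sits inside her own profile, produces nothing. Note the two choices the slide asks about are explicit parameters: `K_SIGMA` answers "how much deviation", `MIN_CONSECUTIVE` answers "how long", and the severity grade answers "which anomalies alert immediately".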

Data Reduction

  • When possible, limit the scope of logging to what can reasonably be analyzed
    • However, regulations or policies may stipulate that aggressive logging is necessary
  • Data reduction tools are useful when more data is collected than can be reviewed
    • Often built into the security tools that create the log files
    • For example, Check Point's FireWall-1 allows you to view log files filtered by inbound TCP traffic to a specific port on a specific date
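The filter described for Check Point's FireWall-1 is easy to reproduce over any line-oriented log. The added Python example below (not Check Point's format or code; the key=value layout, addresses, and timestamps are constructed) reduces a firewall log to inbound TCP traffic to one port on one date, counts the lines it could not parse rather than silently dropping them, and collapses the survivors to per-source counts, which is what a reviewer actually reads.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log in a simple key=value layout (not Check Point's own
# format); one deliberately malformed line shows how unparseable input is handled.
SAMPLE_LOG = """\
2013-04-21T23:58:11 action=accept dir=inbound proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=22
2013-04-22T00:03:41 action=drop dir=inbound proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=22
2013-04-22T00:03:42 action=drop dir=inbound proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=22
2013-04-22T00:04:10 action=accept dir=inbound proto=udp src=198.51.100.9 dst=192.0.2.10 dport=53
2013-04-22T09:15:00 action=accept dir=outbound proto=tcp src=192.0.2.10 dst=203.0.113.5 dport=22
this line is garbage and does not parse
2013-04-22T09:16:03 action=accept dir=inbound proto=tcp src=203.0.113.77 dst=192.0.2.10 dport=443
2013-04-22T13:30:22 action=drop dir=inbound proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=22
2013-04-23T00:00:01 action=drop dir=inbound proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=22
""".splitlines()

REQUIRED = {"action", "dir", "proto", "src", "dst", "dport"}


def parse(line):
    """One line -> dict of fields, or None if it cannot be parsed or lacks a field."""
    try:
        ts_str, rest = line.split(" ", 1)
        rec = dict(kv.split("=", 1) for kv in rest.split())
        if REQUIRED - rec.keys():
            return None
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        rec["dport"] = int(rec["dport"])
        return rec
    except ValueError:
        return None


def reduce_log(lines, day, direction="inbound", proto="tcp", dport=None):
    """Keep records for one calendar day (YYYY-MM-DD), direction and protocol,
    optionally one destination port. Unparseable lines are counted, not lost:
    a reviewer should know how much of the log the filter could not see."""
    kept, unparsed = [], 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        if (rec["ts"].strftime("%Y-%m-%d") == day and rec["dir"] == direction
                and rec["proto"] == proto and (dport is None or rec["dport"] == dport)):
            kept.append(rec)
    return kept, unparsed


def summarize(records):
    """Collapse the reduced set to (source, action) counts: who hit the port,
    and was the traffic accepted or dropped."""
    return Counter((r["src"], r["action"]) for r in records)


if __name__ == "__main__":
    kept, unparsed = reduce_log(SAMPLE_LOG, "2013-04-22", dport=22)
    print(f"{len(kept)} matching records, {unparsed} unparseable line(s)")
    for (src, action), n in summarize(kept).most_common():
        print(f"{src:16} {action:7} {n}")
```

Filtering the constructed log to 2013-04-22, inbound TCP, port 22 leaves three records, all drops from `198.51.100.9`, and reports the one garbage line. The boundary lines just before midnight on the 21st and just after midnight on the 23rd are excluded by design; when the date filter is the reviewer's only window, those edges are where a probe that straddles midnight disappears, so widen the day range when the counts look suspiciously clean.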

Audit Procedure

  • Security professionals examine the policies and implementation of the organization's security posture
    • Identify deficiencies and recommend changes
  • The audit team should be well trained and knowledgeable
    • The team may be multidisciplinary, including accountants, managers, administrators, and technical professionals
    • Choose a team based on your organization's needs

Audit Procedure

  • Gather all data to be audited
  • Become familiar with the organization's policies and procedures for data collection
  • Interview key personnel to learn about organizational practices
  • Perform penetration testing to check the effectiveness of security controls
  • Analyze the logged data to identify policy compliance; this is the most time-consuming step