Security Audit - Introduction to Information Security - Lecture Slides, Slides of Network security

Download Security Audit - Introduction to Information Security - Lecture Slides and more Slides Network security in PDF only on Docsity!

1

Security Audit

2

Security Auditing

• Definition
• Audit log
• Audit procedure
• Auditor
• Audit types
• Audit report
• Database audit

4

Definition of Security Audit

• Helps identify potential vulnerabilities in the system based on audit report
• Auditors compare the effectiveness of security with respect to industry standards

5

Audit Log

• Types of activities/events to log
  • Logins (successful, failure, all, none)
  • Physical entry (scan card)
  • Changes to system (e.g., permissions)
  • Changes to sensitive data (e.g., salary)
• Automation of logging
• Length of retention for logged data
  • One month for login data
  • One week for physical entry data
  • One month for system change data
  • One year for sensitive data

7

Audit Log

• Log only required data (e.g., if age is required then do not get address as well)
• Someone must review logs
• Logging has a negative effect on system performance
• Critical events may be overwritten by excessive logging

8

Audit Log

• Most OSs allow overwriting log files based on time or file size - This choice may be determined by policy, e.g., log files must be kept for a certain amount of time
• Log files can be archived
  • You may need to maintain a (semi-) permanent record of system activity
  • Back up log files before they are overwritten
  • A common method is to alternate two log files, backing up one file while the other is active

10

Windows Logging

• Application log
  • Records events triggered by application software
  • System administrators have control over what events to store
• System log
  • Contains events recorded by the operating system
  • System administrator generally has no control over this log
  • Typical events include hardware/software problems
• Other specialized log files: directory service log, file replication service log, and DNS server log

11

Windows Logging

• Four types of events are stored in Event Viewer logs
  • Error events are created when a serious problem occurs (corruption of a file system)
  • Warning events are created to alert administrators to potential problems (a disk nearing capacity)
  • Information events are details of some activity that aren’t indications of a problem (starting or stopping a service)
  • Success/failure auditing events are administrator-defined events that can be logged when they succeed, when they fail, or both (unsuccessful logon attempts)

13

Configuring Alerts

• Set up alerts that notify administrators when specific events occur - For example, immediate notification if a hard drive is full
• Alert options include
  • E-mail, pagers, Short Message Service (SMS), instant messaging, pop-up windows, and cell phones
• Alerts can be configured differently depending on the severity of the event and the time - Only very severe events should trigger a cell phone call in the middle of the night, for example

14

Analyzing Log Data

• Log data is used to monitor your environment
• Two main activities:
  • Profiling normal behavior to understand typical system behavior at different times and in different parts of your business cycle
  • Detecting anomalies when system activity significantly deviates from the normal behavior you have documented

16

Detecting Anomalies

• Define anomalies based on thresholds
• The following questions must be answered
  • How much of a deviation from the norm represents an anomaly?
  • How long must the deviation occur before registering an anomaly?
  • What anomalies should trigger immediate alerts?
• Anomalies can occur at any level
  • For example, if a user’s behavior deviates from normal, it may indicate a serious security event

17

Data Reduction

• When possible, limit the scope of logging activities to that which can reasonably be analyzed - However, regulations or policies may stipulate that aggressive logging is necessary
• Data reduction tools are useful when more data is collected than can be reviewed - Often built into security tools that create log files - For example, CheckPoint’s Firewall-1 allows you to view log files filtered by inbound TCP traffic to a specific port on a specific date

19

Audit Procedure

• Security professionals examine the policies and implementation of the organization’s security posture - Identify deficiencies and recommend changes
• The audit team should be well trained and knowledgeable - The team may be multidisciplinary including accountants, managers, administrators, and technical professionals - Choose a team based on your organization’s needs

20

Audit Procedure

• Gather all data to be audited
• Familiarize with the organizational policies and procedures with regard to data collection
• Interview key personnel to learn about organizational practices
• Perform penetration testing to see effectiveness of security controls
• Analyze logged data to identify policy compliance. This is the most time consuming process.