Lecture: Conducting Security Audits
46 pages | Shared by: vutrong32 | Views: 1050 | Downloads: 0
Conducting Security Audits

Contents
- Define privilege audits
- Describe how usage audits can protect security
- List the methodologies used for monitoring to detect security-related anomalies
- Describe the different monitoring tools

Privilege Auditing
- A privilege can be considered a subject's access level over an object
- Principle of least privilege
  - Users should be given only the minimal amount of privileges necessary to perform their job function
- Privilege auditing
  - Reviewing a subject's privileges over an object
  - Requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings

Privilege Management
- The process of assigning and revoking privileges to objects
- The roles of owners and custodians are generally well established
- The responsibility for privilege management can be either centralized or decentralized

Centralized and Decentralized Structures
- In a centralized structure
  - One unit is responsible for all aspects of assigning or revoking privileges
  - All custodians are part of that unit
  - Promotes uniform security policies
  - Slows response, frustrates users
- A decentralized organizational structure for privilege management
  - Delegates the authority for assigning or revoking privileges more closely to the geographic location or end user
  - Requires IT staff at each location to manage privileges

Assigning Privileges
- The foundation for assigning privileges is the existing access control model for the hardware or software being used
- Recall that there are four major access control models:
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Role Based Access Control (RBAC)
  - Rule Based Access Control (RBAC)

Auditing System Security Settings
- Auditing system security settings for user privileges involves:
  - A regular review of user access and rights
  - Using group policies
  - Implementing storage and retention policies
- User access and rights review
  - It is important to periodically review user access privileges and rights
  - Most organizations have a written policy that mandates regular reviews

User Access and Rights Review (continued)
- Reviewing user access rights for logging into the network can be performed on the network server
- User permissions over objects can also be reviewed on the network server

User Access and Rights Review (continued) (figure)

Group Policies
- Instead of setting the same configuration baseline on each computer, a security template can be created
- Security template
  - A method to configure a suite of baseline security settings
- On a Microsoft Windows computer, one method to deploy security templates is to use Group Policies
  - A feature that provides centralized management and configuration of computers and remote users who are using Active Directory (AD)

Group Policy Objects (GPOs)
- The individual elements or settings within group policies are known as Group Policy Objects (GPOs)
- GPOs are a defined collection of available settings that can be applied to user objects or AD computers
- Settings are manipulated using administrative template files that are included within the GPO

Storage and Retention Policies
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act
  - Require organizations to store data for specified time periods
  - Require data to be stored securely

HIPAA Sanction for Unlocked Dumpsters (figure)

Information Lifecycle Management (ILM)
- A set of strategies for administering, maintaining, and managing computer storage systems in order to retain data
- ILM strategies are typically recorded in storage and retention policies, which outline the requirements for data storage
- Data classification
  - Assigns a level of business importance, availability, sensitivity, security and regulation requirements to data

Data Categories (figure)

Data Categories
- Grouping data into categories often requires the assistance of the users who save and retrieve the data on a regular basis
- The next step is to assign the data to different levels or "tiers" of storage and accessibility

Usage Auditing
- Audits what objects a user has actually accessed
- Involves an examination of which subjects are accessing specific objects and how frequently
- Sometimes access privileges can be very complex
- Usage auditing can help reveal incorrect permissions

Inheritance
- Permissions given to a higher level "parent" will also be inherited by a lower level "child"
- Inheritance becomes more complicated with GPOs

Privilege Inheritance (figure)

GPO Inheritance
- GPO inheritance allows administrators to set a base security policy that applies to all users in the Microsoft AD
- Other administrators can apply more specific policies at a lower level that apply only to subsets of users or computers
- GPOs that are inherited from parent containers are processed first, followed by the order in which policies were linked to a container object

Log Management
- A log is a record of events that occur
- Logs are composed of log entries
  - Each entry contains information related to a specific event that has occurred
- Logs have been used primarily for troubleshooting problems
- Log management
  - The process for generating, transmitting, storing, analyzing, and disposing of computer security log data

Application and Hardware Logs
- Security application logs
  - Antivirus software
  - Remote access software
  - Automated patch update service
- Security hardware logs
  - Network intrusion detection systems and host and network intrusion prevention systems
  - Domain Name System (DNS)
  - Authentication servers
  - Proxy servers
  - Firewalls

Antivirus Logs (figure)

DNS Logs (figure)

Firewall Logs (figure)

Firewall Logs
- Types of items that should be examined in a firewall log include:
  - IP addresses that are being rejected and dropped
  - Probes to ports that have no application services running on them
  - Source-routed packets
  - Packets from outside with false internal source addresses
  - Suspicious outbound connections
  - Unsuccessful logins

Operating System Logs
- System events
  - Significant actions performed by the operating system
  - Shutting down the system
  - Starting a service

System Events
- System events that are commonly recorded include:
  - Client requests and server responses
  - Usage information
- Logs based on audit records
  - The second common type of security-related operating system logs
  - Audit records that are commonly recorded include:
    - Account activity, such as escalating privileges
    - Operational information, such as application startup and shutdown

Windows 7 Event Logs (figure)

Log Management Benefits
- A routine review and analysis of logs helps identify
  - Security incidents
  - Policy violations
  - Fraudulent activity
  - Operational problems
- Logs can also help resolve problems

Log Management Benefits (continued)
- Logs help
  - Perform auditing analysis
  - The organization's internal investigations
  - Identify operational trends and long-term problems
  - Demonstrate compliance with laws and regulatory requirements

Change Management
- A methodology for making changes and keeping track of those changes
- Two major types of changes
  - Any change in system architecture
    - New servers, routers, etc.
  - Data classification
    - Documents moving from Confidential to Standard, or Top Secret to Secret

Change Management Team (CMT)
- Created to oversee changes
- Any proposed change must first be approved by the CMT
- The team typically has:
  - Representatives from all areas of IT (servers, network, enterprise server, etc.)
  - Network security
  - Upper-level management

Change Management Team (CMT) Duties
- Review proposed changes
- Ensure that the risk and impact of the planned change is clearly understood
- Recommend approval, disapproval, deferral, or withdrawal of a requested change
- Communicate proposed and approved changes to co-workers

Anomaly-based Monitoring
- Detecting abnormal traffic
- Baseline
  - A reference set of data against which operational data is compared
  - Whenever there is a significant deviation from this baseline, an alarm is raised
- Advantage
  - Detects anomalies quickly

Anomaly-based Monitoring (continued)
- Disadvantages
  - False positives
    - Alarms that are raised when there is no actual abnormal behavior
  - Normal behavior can change easily and even quickly
  - Anomaly-based monitoring is subject to false positives

Signature-based Monitoring
- Compares activities against signatures
- Requires access to an updated database of signatures
- Weaknesses
  - The signature databases must be constantly updated
  - As the number of signatures grows, the behaviors must be compared against an increasingly large number of signatures
  - New attacks will be missed, because there is no signature for them

Behavior-based Monitoring
- Adaptive and proactive instead of reactive
- Uses the "normal" processes and actions as the standard
- Continuously analyzes the behavior of processes and programs on a system
- Alerts the user if it detects any abnormal actions
- Advantage
  - Not necessary to update signature files or compile a baseline of statistical behavior

Behavior-based Monitoring (figure)

Monitoring Tools
- Performance baselines and monitors
- Performance baseline
  - A reference set of data established to create the "norm" of performance for a system or systems
  - Data is accumulated through the normal operations of the systems and networks through performance monitors
  - Operational data is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made

System Monitor
- A low-level system program
- Monitors hidden activity on a device
- Some system monitors have a Web-based interface
- System monitors generally have a fully customizable notification system that lets the owner design the information that is collected and made available

Protocol Analyzer
- Also called a sniffer
- Captures each packet to decode and analyze its contents
- Can fully decode application-layer network protocols
- The different parts of the protocol can be analyzed for any suspicious behavior
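Worked example for the Privilege Auditing, Inheritance and Usage Auditing slides above. This is added example code, not part of the lecture: a small folder tree whose child objects inherit explicit grants from their parent container, a function that computes each subject's effective privileges (the privilege audit), and a usage audit that compares those privileges with an access log to list rights that were granted but never exercised. The tree, grants, group membership and log entries are all constructed for the example, and the inheritance model is deliberately simple (additive, no deny entries, no "block inheritance"), which real ACL systems and GPOs complicate.

```python
"""Added example (not from the lecture): a privilege audit plus usage audit.

A small folder tree carries explicit permissions that child objects inherit
from their parent container (the "Inheritance" slide). The effective
privileges of each subject are computed, then compared with a constructed
access log (the "Usage Auditing" slide) to list privileges that were granted
but never exercised: candidates for revocation under least privilege.
All names, paths and log entries below are constructed for the example.
"""
from collections import defaultdict

# Constructed object tree: object -> parent container (None for the root).
PARENT = {
    "/": None,
    "/finance": "/",
    "/finance/payroll": "/finance",
    "/hr": "/",
}

# Constructed explicit grants: object -> {principal: privileges}.
# Grants not listed on an object are inherited from its ancestors.
EXPLICIT = {
    "/": {"admins": {"read", "write"}},
    "/finance": {"finance-team": {"read"}, "alice": {"read", "write"}},
    "/finance/payroll": {"bob": {"read"}},
    "/hr": {"hr-team": {"read", "write"}},
}

# Constructed group membership: subject -> groups it belongs to.
GROUPS = {
    "alice": {"finance-team"},
    "bob": {"finance-team"},
    "carol": {"hr-team"},
    "root": {"admins"},
}

# Constructed usage log: (subject, object, privilege actually exercised).
ACCESS_LOG = [
    ("alice", "/finance", "read"),
    ("alice", "/finance/payroll", "read"),
    ("bob", "/finance/payroll", "read"),
    ("carol", "/hr", "write"),
    ("carol", "/hr", "read"),
]


def effective_privileges(obj, subject):
    """Privilege audit: union the grants for the subject and its groups on the
    object and on every ancestor container (simple additive inheritance, no
    deny entries and no 'block inheritance', which real ACL systems add)."""
    principals = {subject} | GROUPS.get(subject, set())
    privs = set()
    node = obj
    while node is not None:
        for principal in principals:
            privs |= EXPLICIT.get(node, {}).get(principal, set())
        node = PARENT[node]
    return privs


def unused_privileges(subjects, objects, log):
    """Usage audit: {subject: {object: privileges granted but never used}}.
    A privilege that is held but never exercised in the review period is the
    first thing a least-privilege review should question."""
    used = defaultdict(set)
    for subject, obj, priv in log:
        used[(subject, obj)].add(priv)
    report = defaultdict(dict)
    for subject in subjects:
        for obj in objects:
            unused = effective_privileges(obj, subject) - used[(subject, obj)]
            if unused:
                report[subject][obj] = unused
    return dict(report)


if __name__ == "__main__":
    for subject, objs in unused_privileges(list(GROUPS), list(PARENT), ACCESS_LOG).items():
        for obj, privs in objs.items():
            print(f"{subject:6} {obj:18} granted but unused: {sorted(privs)}")
```

Running the script lists, for example, that alice holds write on /finance and (by inheritance) on /finance/payroll but only ever read them; the reviewer then decides whether the write grant is still justified rather than removing it automatically.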
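Worked example for the Firewall Logs and Log Management Benefits slides above. This is added example code, not from the lecture or any vendor: a routine review of firewall log lines that checks four of the items the slide lists (addresses being dropped, probes to ports with no listening service, source-routed packets, packets arriving on the outside interface with an internal source address, and accepted outbound connections to unexpected ports). The log format is a simplified constructed key=value format, not a real product's format, and the sample lines, interface name, listening-port set and thresholds are constructed for the example.

```python
"""Added example (not from the lecture): a scripted review of firewall log lines
covering several of the items the "Firewall Logs" slide says to examine.
The key=value log format and every line below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2024-03-01T08:00:01 DROP in=eth0 src=203.0.113.5 dst=192.0.2.10 proto=tcp dpt=22
2024-03-01T08:00:02 DROP in=eth0 src=203.0.113.5 dst=192.0.2.10 proto=tcp dpt=23
2024-03-01T08:00:03 DROP in=eth0 src=203.0.113.5 dst=192.0.2.10 proto=tcp dpt=135
2024-03-01T08:00:04 DROP in=eth0 src=203.0.113.5 dst=192.0.2.10 proto=tcp dpt=3389
2024-03-01T08:00:05 ACCEPT in=eth0 src=198.51.100.7 dst=192.0.2.10 proto=tcp dpt=443
2024-03-01T08:00:06 DROP in=eth0 src=10.0.0.12 dst=192.0.2.10 proto=tcp dpt=445
2024-03-01T08:00:07 DROP in=eth0 src=198.51.100.9 dst=192.0.2.10 proto=tcp dpt=80 opt=lsrr
2024-03-01T08:00:08 ACCEPT out=eth0 src=10.0.0.25 dst=198.51.100.200 proto=tcp dpt=6667
2024-03-01T08:00:09 ACCEPT out=eth0 src=10.0.0.25 dst=198.51.100.201 proto=tcp dpt=443
"""

# Constructed site facts the reviewer needs: internal ranges, the outside
# interface, which ports actually have a service, and expected outbound ports.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_IF = "eth0"
LISTENING_PORTS = {80, 443}
ALLOWED_OUTBOUND = {53, 80, 443}
PROBE_THRESHOLD = 3  # distinct closed ports from one source before we call it a probe

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "action": m["action"]}
    for kv in m["rest"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_firewall_log(text):
    """Return drop counts per source plus a list of findings to look at."""
    dropped = Counter()
    probed_ports = defaultdict(set)
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dport = rec.get("src"), int(rec.get("dpt", 0))
        if rec["action"] in ("DROP", "REJECT"):
            dropped[src] += 1                       # addresses being rejected/dropped
            if dport not in LISTENING_PORTS:
                probed_ports[src].add(dport)        # probes to ports with no service
        if rec.get("in") == EXTERNAL_IF and is_internal(src):
            findings.append(("spoofed-internal-source", src, rec["ts"]))
        if rec.get("opt") == "lsrr":                # source-routed packet
            findings.append(("source-routed", src, rec["ts"]))
        if rec.get("out") == EXTERNAL_IF and rec["action"] == "ACCEPT" and dport not in ALLOWED_OUTBOUND:
            findings.append(("suspicious-outbound", f"{src}->{rec['dst']}:{dport}", rec["ts"]))
    for src, ports in probed_ports.items():
        if len(ports) >= PROBE_THRESHOLD:
            findings.append(("port-probe", src, sorted(ports)))
    return {"dropped_by_source": dict(dropped), "findings": findings}


if __name__ == "__main__":
    result = review_firewall_log(SAMPLE_LOG)
    print("drops per source:", result["dropped_by_source"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Unsuccessful logins, the last item on the slide, live in authentication-server logs rather than the firewall's own log, so this reviewer leaves them to a separate check.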
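Worked example for the Anomaly-based Monitoring and Signature-based Monitoring slides above. This is added example code, not from the lecture: the same constructed stream of observations is checked both ways, against a statistical baseline (deviation beyond a z-score threshold raises an alarm) and against a small signature list. The input is chosen so that each method shows the weakness the slides name: the anomaly monitor raises a false positive on a legitimate traffic spike, and the signature monitor misses an attack it has no signature for. The baseline samples, signatures, threshold and request paths are all constructed.

```python
"""Added example (not from the lecture): anomaly-based versus signature-based
monitoring run over the same constructed observations.
Baseline values, signatures and request paths are all constructed.
"""
import statistics

# Constructed baseline: requests per minute sampled during normal operation.
BASELINE_RPM = [100, 104, 98, 110, 95, 102, 107, 99, 101, 103]

# Constructed signature list: substring -> signature name.
SIGNATURES = {
    "cmd.exe": "known-webshell-probe",
    "../../etc/passwd": "known-path-traversal",
}

# Constructed observations: (requests per minute, one representative request path).
OBSERVATIONS = [
    (101, "/index.html"),                   # normal
    (99, "/search?q=../../etc/passwd"),     # known attack at normal volume
    (1500, "/index.html"),                  # legitimate flash crowd: anomaly false positive
    (104, "/api?x=NOVEL-TECHNIQUE"),        # new attack with no signature yet
]


def build_baseline(samples):
    """Summarise the reference data set as (mean, population std dev)."""
    return statistics.mean(samples), statistics.pstdev(samples)


def anomaly_alarm(value, baseline, threshold=3.0):
    """Raise when the value deviates from the baseline by more than
    `threshold` standard deviations (a z-score rule)."""
    mean, sd = baseline
    if sd == 0:
        return value != mean
    return abs(value - mean) / sd > threshold


def signature_alarm(request_path):
    """Return the name of the first matching signature, or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in request_path:
            return name
    return None


def monitor(observations, baseline):
    """Apply both methods to each observation and collect the verdicts."""
    return [
        {"rpm": rpm, "path": path,
         "anomaly": anomaly_alarm(rpm, baseline),
         "signature": signature_alarm(path)}
        for rpm, path in observations
    ]


if __name__ == "__main__":
    for verdict in monitor(OBSERVATIONS, build_baseline(BASELINE_RPM)):
        print(verdict)
```

The third observation is the "normal behavior can change quickly" case: until the baseline is re-learned to include the new traffic level, every minute at that rate keeps alarming, which is why anomaly monitors need a re-baselining schedule and signature monitors need a feed of new signatures.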
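Worked example for the Protocol Analyzer slide above. This is added example code, not from the lecture or any sniffer product: it builds one constructed Ethernet II / IPv4 / TCP frame carrying an HTTP request, decodes each layer down to the application protocol (addresses, ports, TCP flags, the IPv4 header checksum, the HTTP request line and headers), and then reviews the decoded parts for things a reviewer would flag. The header layouts are the standard ones; the MAC and IP addresses, ports, and the request (including its placeholder Basic-auth value) are constructed.

```python
"""Added example (not from the lecture): a minimal protocol analyzer that
decodes a constructed frame layer by layer and reviews the decoded fields.
Addresses, ports and the HTTP request are constructed for the example.
"""
import ipaddress
import struct

# Constructed application-layer payload: an HTTP request carrying Basic auth
# (the base64 value is the placeholder "user:pass").
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\n"
                b"Host: intranet.example\r\n"
                b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")

TCP_FLAG_BITS = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Constructed test input: Ethernet II + IPv4 (no options) + TCP (no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP -> (HTTP when the destination port is 80)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    record = {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "protocol": proto,
        "app": None,
    }
    if proto != 6:
        return record
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    payload = tcp[(off >> 4) * 4:]
    record.update({"src_port": sport, "dst_port": dport,
                   "tcp_flags": [name for bit, name in TCP_FLAG_BITS if flags & bit]})
    if dport == 80 and payload[:4] in (b"GET ", b"POST"):
        lines = payload.decode("ascii", "replace").split("\r\n")
        headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
        record["app"] = {"request": lines[0], "headers": headers}
    return record


def review(record: dict) -> list:
    """Flag decoded parts that a reviewer would look at more closely."""
    notes = []
    if not record["ip_checksum_ok"]:
        notes.append("bad IPv4 header checksum")
    if record.get("tcp_flags") == []:
        notes.append("TCP segment with no flags set")
    app = record["app"]
    if app and app["headers"].get("Authorization", "").startswith("Basic "):
        notes.append("credentials sent as cleartext HTTP Basic authentication")
    return notes


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "192.0.2.10", 51515, 80, 0x18, HTTP_REQUEST)
    rec = decode_frame(frame)
    print(rec["src"], rec["src_port"], "->", rec["dst"], rec["dst_port"], rec["tcp_flags"])
    print(rec["app"]["request"], review(rec))
```

A real analyzer adds IP options, TCP options, reassembly and many more protocol decoders, but the shape is the same: each layer's header says where the next layer starts, and the review happens on the decoded fields rather than on raw bytes.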
Files attached to this document:
- 08_conducting_security_audits_6248.pptx