.  Define privilege audits  Describe how usage audits can protect security  List the methodologies used for monitoring to detect security-related.

Slides:



Advertisements
Similar presentations
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Advertisements

IP ADDRESS MANAGEMENT [IPAM]
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Security+ Guide to Network Security Fundamentals, Fourth Edition
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Security Controls – What Works
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Chapter 12 Network Security.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Payment Card Industry (PCI) Data Security Standard
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 14: Troubleshooting Windows Server 2003 Networks.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Department Of Computer Engineering
Network security policy: best practices
© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.
Security Guidelines and Management
Module 8: Implementing Administrative Templates and Audit Policy.
10-Conducting Security Audits. Privilege Auditing Person’s access level over an object – User should be given minimal amount of privilege necessary to.
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
COEN 252 Computer Forensics
11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.
Hands-On Microsoft Windows Server 2008
COEN 252 Computer Forensics Collecting Network-based Evidence.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.
1 Objectives Audit Policies Update and maintain your clients using Windows Server Update Service Microsoft Baseline Security Analyzer Windows Firewalls.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits.
Implementing Group Policy. Overview What is Group Policy Introduction to Group Policy Group Policy Structure How Group Policy Settings Are Applied in.
Overview Managing a DHCP Database Monitoring DHCP
1 Implementing Monitoring and Reporting. 2 Why Should Implement Monitoring? One of the biggest complaints we hear about firewall products from almost.
Chapter 10 Conducting Security Audits. Objectives Define privilege audits Describe how usage audits can protect security List the methodologies used for.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
Cryptography and Network Security Sixth Edition by William Stallings.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Module 10: Implementing Administrative Templates and Audit Policy.
Understand Audit Policies LESSON Security Fundamentals.
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Network management Network management refers to the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance,
Role Of Network IDS in Network Perimeter Defense.
IS3220 Information Technology Infrastructure Security
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Planning File and Print Services Lesson 5. File Services Role The File Services role and the other storage- related features included with Windows Server.
Intrusion Detection and Prevention Systems By Colton Delman COSC 454 Information Assurance Management.
CompTIA Security+ Study Guide (SY0-401)
Working at a Small-to-Medium Business or ISP – Chapter 8
Critical Security Controls
Security Methods and Practice CET4884
CompTIA Security+ Study Guide (SY0-401)
IS4680 Security Auditing for Compliance
Intrusion Detection system
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
Presentation transcript:

 Define privilege audits  Describe how usage audits can protect security  List the methodologies used for monitoring to detect security-related anomalies  Describe the different monitoring tools

 A privilege can be considered a subject’s access level over an object  Principle of least privilege  Users should be given only the minimal amount of privileges necessary to perform his or her job function  Privilege auditing  Reviewing a subject’s privileges over an object  Requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings

 The process of assigning and revoking privileges to objects  The roles of owners and custodians are generally well- established  The responsibility for privilege management can be either centralized or decentralized

 In a centralized structure  One unit is responsible for all aspects of assigning or revoking privileges  All custodians are part of that unit  Promotes uniform security policies  Slows response, frustrates users  A decentralized organizational structure for privilege management  Delegates the authority for assigning or revoking privileges more closely to the geographic location or end user  Requires IT staff at each location to manage privileges

 The foundation for assigning privileges  The existing access control model for the hardware or software being used  Recall that there are four major access control models:  Mandatory Access Control (MAC)  Discretionary Access Control (DAC)  Role Based Access Control (RBAC)  Rule Based Access Control (RBAC)

 Auditing system security settings for user privileges involves:  A regular review of user access and rights  Using group policies  Implementing storage and retention policies  User access and rights review  It is important to periodically review user access privileges and rights  Most organizations have a written policy that mandates regular reviews

 Reviewing user access rights for logging into the network can be performed on the network server  Reviewing user permissions over objects can be viewed on the network server

 Instead of setting the same configuration baseline on each computer, a security template can be created  Security template  A method to configure a suite of baseline security settings  On a Microsoft Windows computer, one method to deploy security templates is to use Group Policies  A feature that provides centralized management and configuration of computers and remote users who are using Active Directory (AD)

 The individual elements or settings within group policies are known as Group Policy Objects (GPOs).  GPOs are a defined collection of available settings that can be applied to user objects or AD computers  Settings are manipulated using administrative template files that are included within the GPO

 Health Insurance Portability and Accountability Act (HIPPA)  Sarbanes-Oxley Act  Require organizations to store data for specified time periods  Require data to be stored securely

 A set of strategies for administering, maintaining, and managing computer storage systems in order to retain data  ILM strategies are typically recorded in storage and retention policies  Which outline the requirements for data storage  Data classification  Assigns a level of business importance, availability, sensitivity, security and regulation requirements to data

 Grouping data into categories often requires the assistance of the users who save and retrieve the data on a regular basis  The next step is to assign the data to different levels or “tiers” of storage and accessibility

 Define privilege audits  Describe how usage audits can protect security  List the methodologies used for monitoring to detect security-related anomalies  Describe the different monitoring tools

 Audits what objects a user has actually accessed  Involves an examination of which subjects are accessing specific objects and how frequently  Sometimes access privileges can be very complex  Usage auditing can help reveal incorrect permissions  Inheritance  Permissions given to a higher level “parent” will also be inherited by a lower level “child”  Inheritance becomes more complicated with GPOs

 GPO inheritance  Allows administrators to set a base security policy that applies to all users in the Microsoft AD  Other administrators can apply more specific policies at a lower level  That apply only to subsets of users or computers  GPOs that are inherited from parent containers are processed first  Followed by the order that policies were linked to a container object

 A log is a record of events that occur  Logs are composed of log entries  Each entry contains information related to a specific event that has occurred  Logs have been used primarily for troubleshooting problems  Log management  The process for generating, transmitting, storing, analyzing, and disposing of computer security log data

 Security application logs  Antivirus software  Remote Access Software  Automated patch update service  Security hardware logs  Network intrusion detection systems and host and network intrusion prevention systems  Domain Name System (DNS)  Authentication servers  Proxy servers  Firewalls

 Types of items that should be examined in a firewall log include:  IP addresses that are being rejected and dropped  Probes to ports that have no application services running on them  Source-routed packets  Packets from outside with false internal source addresses  Suspicious outbound connections  Unsuccessful logins

 System events  Significant actions performed by the operating system  Shutting down the system  Starting a service

 System events that are commonly recorded include:  Client requests and server responses  Usage information  Logs based on audit records  The second common type of security-related operating system logs  Audit records that are commonly recorded include:  Account activity, such as escalating privileges  Operational information, such as application startup and shutdown

 A routine review and analysis of logs helps identify  Security incidents  Policy violations  Fraudulent activity  Operational problems  Logs can also help resolve problems

 Logs help  Perform auditing analysis  The organization’s internal investigations  Identify operational trends and long-term problems  Demonstrate compliance with laws and regulatory requirements

 A methodology for making changes and keeping track of those changes  Two major types of changes  Any change in system architecture  New servers, routers, etc.  Data classification  Documents moving from Confidential to Standard, or Top Secret to Secret

 Created to oversee changes  Any proposed change must first be approved by the CMT  The team typically has:  Representatives from all areas of IT (servers, network, enterprise server, etc.)  Network security  Upper-level management

 Review proposed changes  Ensure that the risk and impact of the planned change is clearly understood  Recommend approval, disapproval, deferral, or withdrawal of a requested change  Communicate proposed and approved changes to co- workers

 Define privilege audits  Describe how usage audits can protect security  List the methodologies used for monitoring to detect security-related anomalies  Describe the different monitoring tools

 Detecting abnormal traffic  Baseline  A reference set of data against which operational data is compared  Whenever there is a significant deviation from this baseline, an alarm is raised  Advantage  Detect the anomalies quickly

 Disadvantages  False positives  Alarms that are raised when there is no actual abnormal behavior  Normal behavior can change easily and even quickly  Anomaly-based monitoring is subject to false positives

 Compares activities against signatures  Requires access to an updated database of signatures  Weaknesses  The signature databases must be constantly updated  As the number of signatures grows the behaviors must be compared against an increasingly large number of signatures  New attacks will be missed, because there is no signature for them

 Adaptive and proactive instead of reactive  Uses the “normal” processes and actions as the standard  Continuously analyzes the behavior of processes and programs on a system  Alerts the user if it detects any abnormal actions  Advantage  Not necessary to update signature files or compile a baseline of statistical behavior

 Performance baselines and monitors  Performance baseline  A reference set of data established to create the “norm” of performance for a system or systems  Data is accumulated through the normal operations of the systems and networks through performance monitors  Operational data is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made

 A low-level system program  Monitors hidden activity on a device  Some system monitors have a Web-based interface  System monitors generally have a fully customizable notification system  That lets the owner design the information that is collected and made available

 Also called a sniffer  Captures each packet to decode and analyze its contents  Can fully decode application-layer network protocols  The different parts of the protocol can be analyzed for any suspicious behavior