OARtech Logging, evidence, and network management Brian Moeller, CISSP 10APR2002.


Why are logs important?
- Performance management
- Capacity planning
- Cost justification
- Management reporting
- Security, both for integrity and for incident response. Remember, security is there to *ensure* things go as planned, not to prevent access.

Network responsibility
It’s your job to know what’s going on with the network! Logs are a wonderful troubleshooting tool when things don’t go as planned.

The basics: the 3 layers
- Network
- Operating system
- Application

The basics
- Authentication
- Authorization
- Accountability

Authentication
- Authentication: the process of matching a user to an account
- Most common authentication: passwords

Authorization
- After a user is authenticated: the permissions, connections, access, and quotas assigned to that user

Accountability
- The process of keeping records of activity
- The ability to answer the questions:
  - Who did it?
  - What happened?
  - Where were they located?
  - When did it happen?
  - How was it done and/or how much was used?

What should you log?
Log enough to answer the questions: who, what, when, where, how.
- Authentication logs show who logged on when
- They don’t show who accessed what

What should you log? What happened?
- Application logs
- File access/change logs
- Keystroke logging/activity logging

What should you log? Where were they located?
- An updated network map is important
- Naming conventions/addressing policies

What should you log? When did it happen?
- Time synchronization between logs is an issue

What should you log? How was it done/how much was used?
- Network traffic logs
- Transaction logs
- Access logs

Building a case: use several logs to prove the same point
- Authentication log shows the user logged in
- Access log shows access to the files in question
- Network logs show traffic from the workstation to the servers where the files are located
- Application logs show activity to process the files
- OS logs show operating system state during the activity

Building a case: use several logs to prove the same point
- Other application logs show access to other applications during the same time period (helps during an interview: “Yes, I did check my e-mail at that time, and I did run that application, but no, I certainly didn’t change that file….”)

Building a case: an example
- Workstation cache shows suspected activity
- Network traffic logs indicate suspected activity
- Files not found on workstation, but found in a recent backup
- User maintains innocence
- But…..

Building a case: an example
- But…..telephone records show phone calls….
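The “use several logs to prove the same point” slides and the time-synchronization caveat, as an added worked example (my code, not the presenter’s): a small Python correlator reads three constructed logs (authentication, file access, network traffic), subtracts each source’s known clock offset, and marks a file change as corroborated only when a successful login for that user and a network flow from that login’s workstation to the file server both line up with it. The log formats, hostnames (ws-17, fileserv01), user names, paths and the five-minute sensor clock skew are all assumptions made for this example. Calling demo(sync_clocks=False) shows the same evidence failing to line up once the skew is ignored, which is the point of the “time synchronization between logs is an issue” slide.

```python
"""Cross-log corroboration with clock-skew correction (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines. Hostnames, paths, users and line formats are
# assumptions made for this example, not data from the presentation.
AUTH_LOG = [
    "2002-04-10 09:02:11 event=login user=jdoe host=ws-17 result=success",
    "2002-04-10 09:03:40 event=login user=jdoe host=ws-17 result=failure",
    "2002-04-10 09:45:50 event=login user=asmith host=ws-03 result=success",
]
FILE_LOG = [
    "2002-04-10 09:14:03 user=jdoe action=modify path=/srv/finance/q1.xls",
    "2002-04-10 10:30:00 user=asmith action=read path=/srv/finance/q1.xls",
]
NET_LOG = [
    "2002-04-10 09:19:07 src=ws-17 dst=fileserv01 proto=smb bytes=48210",
    "2002-04-10 09:20:30 src=ws-03 dst=fileserv01 proto=smb bytes=1200",
]

# Known offset of each source's clock from the reference clock (constructed):
# the network sensor runs five minutes fast. Subtracting the offset puts every
# event on one timeline before anything is compared.
CLOCK_SKEW = {"auth": timedelta(0), "file": timedelta(0), "net": timedelta(minutes=5)}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(source, line, skew=CLOCK_SKEW):
    """Parse 'timestamp key=value ...' into a dict with a skew-corrected time."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable {source} line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["_source"] = source
    fields["_ts"] = ts - skew.get(source, timedelta(0))
    return fields


def load(source, lines, skew=CLOCK_SKEW):
    return [parse_line(source, line, skew) for line in lines]


def build_case(path, file_events, auth_events, net_events, server,
               login_window=timedelta(minutes=30), traffic_window=timedelta(minutes=1)):
    """For every modification of `path`, gather the other logs that corroborate it.

    A case is corroborated only when the authentication log shows a successful
    login for that user shortly before the change AND the network log shows a
    flow from that login's workstation to the file server at the same time.
    Either log alone proves less, which is the slide's point.
    """
    cases = []
    for fe in file_events:
        if fe.get("path") != path or fe.get("action") != "modify":
            continue
        t = fe["_ts"]
        logins = [a for a in auth_events
                  if a.get("user") == fe.get("user") and a.get("result") == "success"
                  and t - login_window <= a["_ts"] <= t]
        workstations = {a["host"] for a in logins}
        traffic = [n for n in net_events
                   if n.get("src") in workstations and n.get("dst") == server
                   and abs(n["_ts"] - t) <= traffic_window]
        cases.append({"file_event": fe, "logins": logins, "traffic": traffic,
                      "corroborated": bool(logins) and bool(traffic)})
    return cases


def demo(sync_clocks=True):
    """Run the correlation over the constructed logs, with or without skew correction."""
    skew = CLOCK_SKEW if sync_clocks else {k: timedelta(0) for k in CLOCK_SKEW}
    auth = load("auth", AUTH_LOG, skew)
    files = load("file", FILE_LOG, skew)
    net = load("net", NET_LOG, skew)
    return build_case("/srv/finance/q1.xls", files, auth, net, server="fileserv01")


if __name__ == "__main__":
    for synced in (True, False):
        for case in demo(synced):
            fe = case["file_event"]
            print(f"clocks synced={synced}: {fe['_ts']:%H:%M:%S} {fe['user']} "
                  f"{fe['action']} {fe['path']}: {len(case['logins'])} login(s), "
                  f"{len(case['traffic'])} flow(s), corroborated={case['corroborated']}")
```

The one-minute traffic window is deliberately tight: with the sensor clock corrected, the flow sits four seconds after the file change; uncorrected, it appears five minutes later and the case falls apart. In practice the offsets come from NTP monitoring or from comparing a known event across sources, and they belong in the evidence notes alongside the logs themselves.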

Questions…but few answers
What should I log?
- Log as much as is practical for your needs.
How long should logs be kept?
- Be practical…a general rule of thumb is 3 months of ‘quick’ access, then another 3 months ‘offline’
- Research, government, health care, accounting, tax, DoD, and others may have additional requirements

Questions…but few answers
How should the logs be kept?
- As safely as practical: backups, and check to make sure what you want to log is really being logged…
- On a system that isn’t likely to be compromised…
- Sometimes difficult for some OS and application logs

Questions…but few answers
Who should have access to the logs?
- Only a limited number of people; they’re not public logs…(see your legal department, your mileage may vary)
How much should I log?
- Be practical. Log more than you think you might need, but not so much that it causes problems with network or system performance. Generally plan on 10% of system
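An added example (not from the presentation) for the three practical questions above: it checks that every expected source is really producing log lines, places entries in the 3-months-quick / 3-months-offline tiers the slide suggests, and sizes the quick tier against a disk budget. The source names, the allowed silence per source, the constructed “newest line” times, and the reading of the slide’s “10% of system” as a fraction of disk capacity are all assumptions. It is written to run on the central log host, the “system that isn’t likely to be compromised”, rather than on the systems being logged.

```python
"""Log pipeline health and retention checks (added example)."""
from datetime import datetime, timedelta, timezone

# Sources that must be producing log lines, and the longest gap between lines
# that is still normal for each. Names and gaps are assumptions.
EXPECTED_SOURCES = {
    "auth": timedelta(hours=1),
    "file-access": timedelta(hours=6),
    "netflow": timedelta(minutes=15),
    "app-erp": timedelta(hours=24),
}

# Constructed reference time and "newest line seen" times; app-erp is
# deliberately missing to show a source that never arrived at all.
NOW = datetime(2002, 4, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LAST_SEEN = {
    "auth": NOW - timedelta(minutes=10),
    "file-access": NOW - timedelta(hours=7),
    "netflow": NOW - timedelta(minutes=5),
}


def days_ago(days, now=NOW):
    return now - timedelta(days=days)


def stale_sources(last_seen, now):
    """Report sources that have gone quiet or were never seen at all.

    `last_seen` maps source name -> time of the newest line on the log host.
    A source that silently stops (disk full, agent crashed, forwarding broken,
    logging switched off) is what "check to make sure what you want to log is
    really being logged" is about; silence is a finding, not an absence of news.
    """
    problems = {}
    for source, max_gap in EXPECTED_SOURCES.items():
        seen = last_seen.get(source)
        if seen is None:
            problems[source] = "never seen"
        elif now - seen > max_gap:
            problems[source] = f"silent for {now - seen}"
    return problems


def retention_tier(entry_time, now, quick_days=90, offline_days=90):
    """Classify an entry by the slide's rule of thumb: 3 months quick access,
    then 3 months offline, then it may be discarded unless a sector-specific
    requirement (health care, tax, DoD, ...) says otherwise."""
    age = now - entry_time
    if age <= timedelta(days=quick_days):
        return "quick"
    if age <= timedelta(days=quick_days + offline_days):
        return "offline"
    return "expired"


def quick_retention_days(disk_bytes, daily_log_bytes, budget_fraction=0.10):
    """Days of quick-access logs that fit when `budget_fraction` of the disk is
    set aside for them. Treating the slide's 10% as a fraction of disk capacity
    is an assumption made for this example."""
    if daily_log_bytes <= 0:
        raise ValueError("daily log volume must be positive")
    return int(disk_bytes * budget_fraction // daily_log_bytes)


def health_report(last_seen, now, disk_bytes, daily_log_bytes, quick_days=90):
    """Combine both checks: which sources are silent, and whether the disk
    budget actually covers the intended quick-access window."""
    fits = quick_retention_days(disk_bytes, daily_log_bytes) >= quick_days
    return {"stale": stale_sources(last_seen, now),
            "quick_window_fits_budget": fits}


if __name__ == "__main__":
    # 40 GB disk, 400 MB of logs a day (constructed): 10% covers only 10 days.
    print(health_report(SAMPLE_LAST_SEEN, NOW,
                        disk_bytes=40 * 10**9, daily_log_bytes=400 * 10**6))
```

Run it from cron on the log host and alert on any non-empty “stale” map; a budget that does not cover the quick window means either more disk for logs or a deliberate, documented decision to log less, not a silent overflow discovered during the next incident.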

An ounce of prevention…
Effort used to prevent incidents is well worth it! Use the logs to verify that the correct things are happening, and to know what happened when things don’t go well.