Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits.

Published bySusanna Kelly Modified over 9 years ago

Similar presentations

Presentation on theme: "Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits."— Presentation transcript:

1 Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits

2 Security+ Guide to Network Security Fundamentals, Third Edition Objectives Define privilege audits Describe how usage audits can protect security List the methodologies used for monitoring to detect security-related anomalies Describe the different monitoring tools 2

3 Security+ Guide to Network Security Fundamentals, Third Edition Privilege Auditing A privilege can be considered a subject’s access level over an object Principle of least privilege –Users should be given only the minimal amount of privileges necessary to perform his or her job function Privilege auditing –Reviewing a subject’s privileges over an object –Requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings 3

4 Security+ Guide to Network Security Fundamentals, Third Edition Privilege Management Privilege management –The process of assigning and revoking privileges to objects Whereas the roles of owners and custodians are generally well-established –Where those roles fit into the organization often depends upon how the organization is structured The responsibility for privilege management can be either centralized or decentralized 4

5 Security+ Guide to Network Security Fundamentals, Third Edition Privilege Management (continued) In a centralized structure –One unit is responsible for all aspects of assigning or revoking privileges –All custodians are part of that unit A decentralized organizational structure for privilege management –Delegates the authority for assigning or revoking privileges more closely to the geographic location or end user 5

6 Security+ Guide to Network Security Fundamentals, Third Edition Assigning Privileges The foundation for assigning privileges –The existing access control model for the hardware or software being used Recall that there are four major access control models: –Mandatory Access Control (MAC) –Discretionary Access Control (DAC) –Role Based Access Control (RBAC) –Rule Based Access Control (RBAC) 6

7 Security+ Guide to Network Security Fundamentals, Third Edition Auditing System Security Settings Auditing system security settings for user privileges involves: –A regular review of user access and rights –Using group policies –Implementing storage and retention policies User access and rights review –It is important to periodically review user access privileges and rights –Most organizations have a written policy that mandates regular reviews 7

8 Security+ Guide to Network Security Fundamentals, Third Edition8

9 Auditing System Security Settings (continued) User access and rights review (continued) –Reviewing user access rights for logging into the network can be performed on the network server –Reviewing user permissions over objects can be viewed on the network server 9

10 Security+ Guide to Network Security Fundamentals, Third Edition10

11 Security+ Guide to Network Security Fundamentals, Third Edition Auditing System Security Settings (continued) Group Policies –Instead of setting the same configuration baseline on each computer, a security template can be created Security template –A method to configure a suite of baseline security settings On a Microsoft Windows computer, one method to deploy security templates is to use Group Policies –A feature that provides centralized management and configuration of computers and remote users who are using Active Directory (AD) 11

12 Security+ Guide to Network Security Fundamentals, Third Edition Auditing System Security Settings (continued) The individual elements or settings within group policies are known as Group Policy Objects (GPOs). –GPOs are a defined collection of available settings that can be applied to user objects or AD computers Settings are manipulated using administrative template files that are included within the GPO 12

13 Security+ Guide to Network Security Fundamentals, Third Edition Auditing System Security Settings (continued) Storage and retention policies –Information lifecycle management (ILM) A set of strategies for administering, maintaining, and managing computer storage systems in order to retain data –ILM strategies are typically recorded in storage and retention policies Which outline the requirements for data storage Data classification –Assigns a level of business importance, availability, sensitivity, security and regulation requirements to data 13

14 Security+ Guide to Network Security Fundamentals, Third Edition Auditing System Security Settings (continued) 14

15 Security+ Guide to Network Security Fundamentals, Third Edition Auditing System Security Settings (continued) Grouping data into categories often requires the assistance of the users who save and retrieve the data on a regular basis The next step is to assign the data to different levels or “tiers” of storage and accessibility 15

16 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing Usage auditing –Audits what objects a user has actually accessed –Involves an examination of which subjects are accessing specific objects and how frequently Sometimes access privileges can be very complex Usage auditing can help reveal incorrect permissions Inheritance –Permissions given to a higher level “parent” will also be inherited by a lower level “child” Inheritance becomes more complicated with GPOs 16

17 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) 17

18 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) GPO inheritance –Allows administrators to set a base security policy that applies to all users in the Microsoft AD Other administrators can apply more specific policies at a lower level –That apply only to subsets of users or computers GPOs that are inherited from parent containers are processed first –Followed by the order that policies were linked to a container object 18

19 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) A log is a record of events that occur Logs are composed of log entries –Each entry contains information related to a specific event that has occurred Logs have been used primarily for troubleshooting problems Log management –The process for generating, transmitting, storing, analyzing, and disposing of computer security log data 19

20 Usage Auditing (continued) Security application logs –Antivirus software –Remote Access Software –Automated patch update service Security hardware logs –Network intrusion detection systems and host and network intrusion prevention systems –Domain Name System (DNS) –Authentication servers –Proxy servers –Firewalls Security+ Guide to Network Security Fundamentals20

21 Security+ Guide to Network Security Fundamentals, Third Edition21

22 Security+ Guide to Network Security Fundamentals, Third Edition22 Usage Auditing (continued)

23 Security+ Guide to Network Security Fundamentals, Third Edition23 Usage Auditing (continued)

24 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) Types of items that should be examined in a firewall log include: –IP addresses that are being rejected and dropped –Probes to ports that have no application services running on them –Source-routed packets –Suspicious outbound connections –Unsuccessful logins 24

25 Security+ Guide to Network Security Fundamentals, Third Edition25 Usage Auditing (continued)

26 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) Operating system logs –Event An occurrence within a software system that is communicated to users or other programs outside the operating system –System events Operational actions that are performed by the operating system 26

27 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) System events that are commonly recorded include: –Client requests and server responses –Usage information Logs based on audit records –The second common type of security-related operating system logs Audit records that are commonly recorded include: –Account information –Operational information 27

28 Security+ Guide to Network Security Fundamentals, Third Edition28

29 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) Log management benefits: –A routine review and analysis of logs helps to identify security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred –Logs can also be used in providing information for resolving such problems –Logs may be useful for performing auditing analysis, supporting the organization’s internal investigations, and identifying operational trends and long-term problems 29

30 Security+ Guide to Network Security Fundamentals, Third Edition30

31 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) It is recommended that organizations enact the following log management solutions: –Enact periodic audits –Establish policies and procedures for log management –Maintain a secure log management infrastructure –Prioritize log management throughout the organization –Use log aggregators –Provide adequate support 31

32 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) Change management –Refers to a methodology for making changes and keeping track of those changes, often manually –Seeks to approach changes systematically and provide the necessary documentation of the changes Two major types of changes regarding security that are routinely documented –Any change in system architecture –Data classification 32

33 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) Change management team (CMT) –Created to oversee changes –Any proposed change must first be approved by the CMT The team might be typically composed of: –Representatives from all areas of IT (servers, network, enterprise server, etc.) –Network security –Upper-level management 33

34 Security+ Guide to Network Security Fundamentals, Third Edition Usage Auditing (continued) The duties of the CMT include: –Review proposed changes –Ensure that the risk and impact of the planned change is clearly understood –Recommend approval, disapproval, deferral, or withdrawal of a requested change –Communicate proposed and approved changes to co- workers 34

35 Security+ Guide to Network Security Fundamentals, Third Edition Monitoring Methodologies and Tools There are several types of instruments that can be used on systems and networks to detect security- related anomalies 35

36 Security+ Guide to Network Security Fundamentals, Third Edition Methodologies for Monitoring Anomaly-based monitoring –Designed for detecting statistical anomalies –Baseline A reference set of data against which operational data is compared –Whenever there is a significant deviation from this baseline, an alarm is raised Advantage –Detect the anomalies quickly 36

37 Security+ Guide to Network Security Fundamentals, Third Edition Methodologies for Monitoring (continued) False positives –Alarms that are raised when there is no actual abnormal behavior Normal behavior can change easily and even quickly –Anomaly-based monitoring is subject to false positives 37

38 Security+ Guide to Network Security Fundamentals, Third Edition Methodologies for Monitoring (continued) Signature-based monitoring –Compares activities against a predefined signature –Requires access to an updated database of signatures Along with a means to actively compare and match current behavior against a collection of signatures Weaknesses –The signature databases must be constantly updated –As the number of signatures grows the behaviors must be compared against an increasingly large number of signatures 38

39 Security+ Guide to Network Security Fundamentals, Third Edition Methodologies for Monitoring (continued) Behavior-based monitoring –Designed to be more adaptive and proactive instead of reactive –Uses the “normal” processes and actions as the standard –Continuously analyzes the behavior of processes and programs on a system Alerts the user if it detects any abnormal actions Advantage –Not necessary to update signature files or compile a baseline of statistical behavior 39

40 Security+ Guide to Network Security Fundamentals, Third Edition Methodologies for Monitoring (continued) 40

41 Security+ Guide to Network Security Fundamentals, Third Edition Monitoring Tools Performance baselines and monitors –Performance baseline A reference set of data established to create the “norm” of performance for a system or systems –Data is accumulated through the normal operations of the systems and networks through performance monitors –Operational data is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made 41

42 Security+ Guide to Network Security Fundamentals, Third Edition Monitoring Tools (continued) System monitor –A low-level system program that uses a notification engine designed to monitor and track down hidden activity on a desktop system, server, or even personal digital assistant (PDA) or cell phone Some system monitors have a Web-based interface System monitors generally have a fully customizable notification system –That lets the owner design the information that is collected and made available 42

43 Security+ Guide to Network Security Fundamentals, Third Edition Monitoring Tools (continued) Protocol analyzer –Also called a sniffer –Captures each packet to decode and analyze its contents –Can fully decode application-layer network protocols –The different parts of the protocol can be analyzed for any suspicious behavior 43

44 Security+ Guide to Network Security Fundamentals, Third Edition Summary A “privilege” can be considered a subject’s access level over an object Auditing system security settings for user privileges involves a regular review of user access and rights Information lifecycle management (ILM) is a set of strategies for administering, maintaining, and managing computer storage systems in order to retain data Usage auditing involves an examination of which subjects are accessing specific objects and how frequently 44

45 Security+ Guide to Network Security Fundamentals, Third Edition Summary (continued) Logs related to computer security have become particularly important Change management refers to a methodology for making changes and keeping track of those changes, often manually Monitoring involves examining network traffic, activity, transactions, or behavior in order to detect security-related anomalies 45

Download ppt "Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits."

Similar presentations

IP ADDRESS MANAGEMENT [IPAM]

IP ADDRESS MANAGEMENT [IPAM]
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.
Module 1: Microsoft Windows 2000 Networking Services Infrastructure Overview.

Module 1: Microsoft Windows 2000 Networking Services Infrastructure Overview.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
seminar on Intrusion detection system

seminar on Intrusion detection system

Similar presentations

Ads by Google