auditing
play

Auditing Chapter 25 Computer Security: Art and Science , 2 nd - PowerPoint PPT Presentation

Oct 11, 2023 •497 likes •1.4k views

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1 Outline Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms

  1. Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

  2. Outline • Overview • What is auditing? • What does an audit system look like? • How do you design an auditing system? • Auditing mechanisms • Examples: NFSv2, LAFS Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-2

  3. What is Auditing? • Logging : recording events or statistics to provide information about system use and performance • Auditing : analysis of log records to present information about the system in a clear, understandable manner Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-3

  4. Uses • Describe security state • Determine if system enters unauthorized state • Evaluate effectiveness of protection mechanisms • Determine which mechanisms are appropriate and working • Deter attacks because of presence of record Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-4

  5. Problems • What do you log? • Hint: looking for violations of a policy, so record at least what will show such violations • What do you audit? • Need not audit everything • Key: what is the policy involved? Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-5

  6. Audit System Structure • Logger : records information, usually controlled by parameters • Analyzer : analyzes logged information looking for something • Notifier : reports results of analysis Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-6

  7. Logger • Type, quantity of information recorded controlled by system or program configuration parameters • May be human readable or not • If not, usually viewing tools supplied • Space available, portability influence storage format Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-7

  8. Example: RACF • Security enhancement package for IBM’s z/OS, OS/390 • Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions • View events with LISTUSERS commands Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-8

  9. RACF: Sample Entry USER=EW125004 NAME=S.J.TURNER OWNER=SECADM CREATED=88.004 DEFAULT-GROUP=HUMRES PASSDATE=88.004 PASS-INTERVAL=30 ATTRIBUTES=ADSP REVOKE DATE=NONE RESUME-DATE=NONE LAST-ACCESS=88.020/14:15:10 CLASS AUTHORIZATIONS=NONE NO-INSTALLATION-DATA NO-MODEL-NAME LOGON ALLOWED (DAYS) (TIME) -------------------------------- ANYDAY ANYTIME GROUP=HUMRES AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004 CONNECTS= 15 UACC=READ LAST-CONNECT=88.018/16:45:06 CONNECT ATTRIBUTES=NONE REVOKE DATE=NONE RESUME DATE=NONE GROUP=PERSNL AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE:88.004 CONNECTS= 25 UACC=READ LAST-CONNECT=88.020/14:15:10 CONNECT ATTRIBUTES=NONE REVOKE DATE=NONE RESUME DATE=NONE SECURITY-LEVEL=NONE SPECIFIED CATEGORY AUTHORIZATION NONE SPECIFIED Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-9

  10. Example: Windows 10 • Different logs for different types of events • System event logs record system crashes, component failures, and other system events • Application event logs record events that applications request be recorded • Security event log records security-critical events such as logging in and out, system file accesses, and other events • Setup event log records events occurring during application installation • Forwarded event log records entries forwarded from other systems • Logs are binary; use event viewer to see them • If log full, can have system shut down, logging disabled, or logs overwritten Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-10

  11. Windows 10 Sample Entry Log Name: Security Source: Microsoft Logged: 03/20/2017 Windows security 12:02:59 PM Event ID: 4634 Task Category: Logoff Level: Information Keywords: Audit Success User: N/A Computer: McLaren OpCode: Info General: An account was logged off. Subject: Security ID: MCLAREN\matt Account Name: matt Account Domain: MCLAREN Logon ID: 0xACBA30 Details: + System - EventData TargetUserSID S-1-5-22-2039872233-608055118-4446661516-2001 TargetUserName matt TargetDomainName MCLAREN TargetLogonId Oxacba30 [would be in graphical format] Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-11

  12. Analyzer • Analyzes one or more logs • Logs may come from multiple systems, or a single system • May lead to changes in logging • May lead to a report of an event Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-12

  13. Examples • Using swatch to find instances of telnet from tcpd logs: /telnet/&!/localhost/&!/*.site.com/ • Query set overlap control in databases • If too much overlap between current query and past queries, do not answer • Intrusion detection analysis engine (director) • Takes data from sensors and determines if an intrusion is occurring Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-13

  14. Notifier • Informs analyst, other entities of results of analysis • May reconfigure logging and/or analysis on basis of results Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-14

  15. Examples • Using swatch to notify of telnet s /telnet/&!/localhost/&!/*.site.com/ mail staff • Query set overlap control in databases • Prevents response from being given if too much overlap occurs • Three failed logins in a row disable user account • Notifier disables account, notifies sysadmin Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-15

  16. Designing an Audit System • Essential component of security mechanisms • Goals determine what is logged • Idea: auditors want to detect violations of policy, which provides a set of constraints that the set of possible actions must satisfy • So, audit functions that may violate the constraints • Constraint p i : action Þ condition Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-16

  17. Example: Bell-LaPadula Simple security condition and *-property • S reads O Þ L ( S ) ≥ L ( O ) • S writes O Þ L ( S ) ≤ L ( O ) • To check for violations, on each read and write, must log L ( S ), L ( O ), action (read, write), and result (success, failure) • Note: need not record S , O ! • In practice, done to identify the object of the (attempted) violation and the user attempting the violation Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-17

  18. Remove Tranquility • New commands to manipulate security level must also record information • S reclassify O to L ( O ´) Þ L ( O ) ≤ L ( S ) and L ( O ´) ≤ L ( S ) • Log L ( O ), L ( O ´), L ( S ), action (reclassify), and result (success, failure) • Again, need not record O or S to detect violation • But needed to follow up … Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-18

  19. Example: Chinese Wall • Subject S has COI ( S ) and CD ( S ) • CD H ( S ) is set of company datasets that S has accessed • Object O has COI ( O ) and CD ( O ) • san ( O ) iff O contains only sanitized information • Constraints • S reads O Þ COI ( O ) ≠ COI ( S ) Ú $ O ¢ ( CD ( O ¢ ) Î CD H ( S )) • S writes O Þ ( S canread O ) Ù ¬ $ O ¢ ( COI ( O ) = COI ( O ¢ ) Ù S canread O ¢ Ù ¬ san ( O ´)) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-19

  20. Recording • S reads O Þ COI ( O ) ≠ COI ( S ) Ú $ O ¢ ( CD ( O ¢ ) Î CD H ( S )) • Record COI ( O ), COI ( S ), CD H ( S ), CD( O ¢ ) if such an O ¢ exists, action (read), and result (success, failure) • S writes O Þ ( S canread O ) Ù ¬ $ O ¢ ( COI ( O ) = COI ( O ¢ ) Ù S canread O ¢ Ù ¬ san ( O ¢ )) • Record COI ( O ), COI ( S ), CD H ( S ), plus COI ( O ¢ ) and CD ( O ¢ ) if such an O ¢ exists, action (write), and result (success, failure) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-20

  21. Implementation Issues • Show non-security or find violations? • Former requires logging initial state as well as changes • Defining violations • Does “write” include “append” and “create directory”? • Multiple names for one object • Logging goes by object and not name • Representations can affect this (if you read raw disks, you’re reading files; can your auditing system determine which file?) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-21

  22. Syntactic Issues • Data that is logged may be ambiguous • BSM: two optional text fields followed by two mandatory text fields • If three fields, which of the optional fields is omitted? • Solution: use grammar to ensure well-defined syntax of log files Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-22

  23. Example entry : date host prog [ bad ] user [ “from” host ] “to” user “on” tty date : daytime host : string prog : string “:” bad : “FAILED” user : string tty : “/dev/” string • Log file entry format defined unambiguously • Audit mechanism could scan, interpret entries without confusion Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-23

Recommend

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst Frankenberger University of Applied Sciences Lbeck SG 4: Auditing - Lbeck 16.09.2002 1 Remarks on Auditing, Regulatory Auditing and Regulatory

305 views • 16 slides
THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

16/11/2012 THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with certification) OF SOCIAL ACCOUNTS A DEBATE (CONSIDERING IN THIS CASE ONLY ITALY): A) ONLY VOLUNTARY B) COMPULSORY BY LAW 1

322 views • 7 slides
Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Victorian Auditor-Generals Office Auditing in the Public Interest Auditing in the Public Interest Victorian Government Solicitors Office Seminar 30 May 2007 Des Pearson - Auditor-General 1 Auditing in the Public Interest Personal

352 views • 20 slides
INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations & Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations & Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations & Projects Auditing Auditing and assurance plays a crucial part of ensuring the safety and integrity of any diving system as well as ensuring safe and efficient diving

185 views • 14 slides
Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives Define data auditing Explain the importance of data auditing Data Auditing What does data mean to you? What is data auditing? When

648 views • 33 slides
Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of gratitude to DeWitt Beeler, who in an article published in the 1999 May Issue of Quality Progress provided me with a fresh look at auditing and

557 views • 41 slides
How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4 54818800 CHAN Shu Wah 54791726 IP Sunny 54814013 WAN Chun Fai 54808805 YIU Ho Fung How would the emerging technology affect the future of

672 views • 54 slides
Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept. of Medical Informatics Academic Medical Center University of Amsterdam Outline Background Types of Auditing Logic-based Auditing

245 views • 21 slides
School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana 5522791896 Objective To make auditing system more efficient we develop the new auditing system version. Motivation Old style of search or tracking

852 views • 8 slides
1 State Single Audit Requirements In accordance with federal requirements, beginning in

1 State Single Audit Requirements In accordance with federal requirements, beginning in

Compliance Auditing Update Compliance Auditing Update NC Local Government Auditing, Reporting and Review NC Local Government Auditing, Reporting and Review June 14, 2016 June 14, 2016 Uniform Guidance Overview Course Objectives- Uniform

435 views • 25 slides
Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of

Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of

SAIs making a difference by AUDITING Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of Agenda 2030 ? Urge national governments into action if there isnt any. Independent oversight on the

203 views • 17 slides
Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby, Keith Winstein, Philip Levis, Dan Boneh Stanford University Auditing Standard Devices MITM Used for: security audit automated exfiltration

971 views • 64 slides
Auditing the European room Auditing the European room air- conditioning systems and potential

Auditing the European room Auditing the European room air- conditioning systems and potential

Auditing the European room Auditing the European room air- conditioning systems and potential air- conditioning systems and potential energy savings energy savings Daniela Bory Centre for energy and process Mines de Paris - France ECEEE

351 views • 19 slides
Standards on Auditing (SAs) Presented By C.A. Abhijit Sanzgiri 22/12/2018 CA Abhijit Sanzgiri

Standards on Auditing (SAs) Presented By C.A. Abhijit Sanzgiri 22/12/2018 CA Abhijit Sanzgiri

Documentation requirements under Standards on Auditing (SAs) Presented By C.A. Abhijit Sanzgiri 22/12/2018 CA Abhijit Sanzgiri Standards on Auditing Ensures information in FS is of high quality & acceptable worldwide Formulated by AASB

1.15k views • 89 slides
Endunamoo BCTA Auditing Koena Gerald Moabelo CA (SA) | 03/03/2018 The Audit Process The

Endunamoo BCTA Auditing Koena Gerald Moabelo CA (SA) | 03/03/2018 The Audit Process The

Endunamoo BCTA Auditing Koena Gerald Moabelo CA (SA) | 03/03/2018 The Audit Process The Companies Act Preliminary engagement activities (2008) Planning The Auditing Profession Act (IRBA) Establish overall audit Develop an audit plan

763 views • 45 slides
DANFOSS AUDITING SYSTEM May15-02 Responsibilities Jamie Countryman (SE) - Team Lead Zach

DANFOSS AUDITING SYSTEM May15-02 Responsibilities Jamie Countryman (SE) - Team Lead Zach

DANFOSS AUDITING SYSTEM May15-02 Responsibilities Jamie Countryman (SE) - Team Lead Zach Carlson (SE) - Web Master, Key Concept Holder Mitch Valenta (CPRE) - Communications May 15-02 Problem Auditing done on paper

578 views • 26 slides
Auditing Research in 2016 Some Statistics, Four Fundamental Truths, and a Sarcastic Side Point

Auditing Research in 2016 Some Statistics, Four Fundamental Truths, and a Sarcastic Side Point

Illinois Audit Doctoral Consortium October 13, 2016 Auditing Research in 2016 Some Statistics, Four Fundamental Truths, and a Sarcastic Side Point Steven Kachelmeier University of Texas at Austin Some Statistics Auditing articles in TAR and

482 views • 25 slides
SOCIAL ACCOUNTING AND AUDITING Session 2: Measuring social outcomes and impacts Preparatory

SOCIAL ACCOUNTING AND AUDITING Session 2: Measuring social outcomes and impacts Preparatory

SOCIAL ACCOUNTING AND AUDITING Session 2: Measuring social outcomes and impacts Preparatory Activities Understand key principles of social accounting and auditing. Agree the Terms of Reference (scope, manner and responsibility) for

185 views • 7 slides
January 28, 2019 Audit Overview Audit in Accordance with: US Generally Accepted Auditing

January 28, 2019 Audit Overview Audit in Accordance with: US Generally Accepted Auditing

Solanco School District 2017-18 Audit January 28, 2019 Audit Overview Audit in Accordance with: US Generally Accepted Auditing Standards Government (Yellow Book) Auditing Standards Uniform Guidance Audit of period 7/1/17 -

254 views • 24 slides
Nominee for the AEB Auditing Commission Pischel, Rene, Germany, European Space Agency Nominee for

Nominee for the AEB Auditing Commission Pischel, Rene, Germany, European Space Agency Nominee for

Nominee for the AEB Auditing Commission Pischel, Rene, Germany, European Space Agency Nominee for the Auditing Commission Personal data Born: 1959 Education Ren Pischel studied mathematics in Kharkov, Ukraine in the former USSR, specializing

288 views • 3 slides
21 March 2017 Strengthening SAI capacities for auditing SDGs Kimi Makwetu, Auditor-General of

21 March 2017 Strengthening SAI capacities for auditing SDGs Kimi Makwetu, Auditor-General of

21 March 2017 Strengthening SAI capacities for auditing SDGs Kimi Makwetu, Auditor-General of South Africa Chair: INTOSAI Capacity Building Committee Strengthening SAI capacities for auditing SDGs Agenda 2030 calls for business unusual a

577 views • 12 slides
Pilot Project - ED 01/18 Proposed Auditing Standard ASA 315 Identifying and Assessing the Risks of

Pilot Project - ED 01/18 Proposed Auditing Standard ASA 315 Identifying and Assessing the Risks of

Pilot Project - ED 01/18 Proposed Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement Rod Whitehead Auditor-General Outline Proposed auditing standard ASA 315 future changes ASA 315 pilot project

451 views • 18 slides
AUDITING THE RESEARCH AND DEVELOPMENT CLUSTER HHS Single Audit Training Workshop Overland Park,

AUDITING THE RESEARCH AND DEVELOPMENT CLUSTER HHS Single Audit Training Workshop Overland Park,

AUDITING THE RESEARCH AND DEVELOPMENT CLUSTER HHS Single Audit Training Workshop Overland Park, KS August 6, 2015 Session Objectives 2 Understand the auditing process for the research and development cluster Identify current areas

525 views • 10 slides
Forensic Auditing Presented by William J. DiVello Assistant Inspector General for Audit

Forensic Auditing Presented by William J. DiVello Assistant Inspector General for Audit

Association of Inspectors General Certified Inspector General Auditor course Forensic Auditing Presented by William J. DiVello Assistant Inspector General for Audit District of Columbia Office of the Inspector General Governmental Auditing

497 views • 27 slides

More recommend