Slide 1: Security Audit Principles and Practices
Chapter 11
Lecturer: Pei-yih Ting

Slide 2
- Logging and auditing are two of the most unpleasant chores facing information security professionals
  - tedious, time-consuming, boring

Slide 3: Overview
- Configuring Logging
  - What should be logged
  - How long logs must be maintained
  - Configuring Alerts
  - Windows Logging / UNIX Logging
- Analyzing Log Data
  - Profiling Normal Behavior
  - Detecting Anomalies
  - Data Reduction
- Maintaining Secure Logs
- Conducting a Security Audit

Slide 4: Configuring Logging
- To configure logging, you should be prepared to answer the questions
  - What activities/events should be logged?
  - How long should logs be maintained?
  - What events should trigger immediate notifications to security administrators?
- Logging must be configured to the needs of the organization
Slide 5: What Should Be Logged?
- A government intelligence agency protects highly sensitive classified information. It would want to log every access to files that contain the identity of undercover agents.
- A popular news Web site should protect the integrity of its data and try its best to maintain the availability of the Web site.

Slide 6: What Should Be Logged?
- You can't log everything
  - Unless you have a lot of time and resources
  - Someone must review logs
  - Logging has a negative effect on system performance
  - Critical events may be overwritten
- A prudent approach is to strike a balance: log important events, but not everything
- What is an important event is defined by the environment to some degree and should be given careful consideration

Slide 7: Determining How Long Logs Must Be Maintained
- Most operating systems allow you to overwrite log files based on time or file size
- This choice may be determined by policy, e.g., log files must be kept for a certain amount of time
- Log files can be archived
  - You may need to maintain a (semi-)permanent record of system activity
  - Back up log files before they are overwritten
  - A common method is to alternate two log files, backing up one file while the other is active

Slide 8: Configuring Alerts
- With modern operating systems, you can set up alerts that notify administrators when specific events occur
  - For example, immediate notification if a hard drive is full
- Alert options include
  - E-mail, pagers, Short Message Service (SMS), instant messaging, pop-up windows, and cell phones
- Typically alerts can be configured differently depending on the severity of the event and the time
  - Only very severe events should trigger a cell phone call in the middle of the night, for example
Slide 9: Windows Logging
- Windows uses the Event Viewer as its primary logging mechanism
  - Found in Administrative Tools
- Event Viewer log files
  - Security log
    - Records security-related events
    - Controlled by a system administrator: types of events, overwrite policy, user …
    - Typical information includes failed logon attempts and attempts to exceed privileges

Slide 10: Windows Logging (cont'd)
- Event Viewer log files (cont'd)
  - Application log
    - Records events triggered by application software
    - System administrators have control over what events to store
  - System log
    - Contains events recorded by the operating system
    - The system administrator generally has no control over this log
    - Typical events include hardware/software problems: driver failures, hard disk full …
  - Other specialized log files include the directory service log, the file replication service log, and the DNS server log

Slide 11: Windows Logging (cont'd)
[Figure: Windows 2000 Professional System log]

Slide 12: Windows Logging (cont'd)
- Four types of events are stored in Event Viewer logs
  - Error events are created when a serious problem occurs (corruption of a file system)
  - Warning events are created to alert administrators to potential problems (a disk nearing full)
  - Information events are details of some activities that are not indications of a problem (starting or stopping a service)
  - Success/failure auditing events are administrator-defined events that can be logged when they succeed, when they fail, or both (unsuccessful logon attempts)
Slide 13: UNIX Logging
- The primary log facility in UNIX is syslog
  - Very flexible, many options for notification and priority
  - Can write to a remote log file, allowing the use of dedicated syslog servers to track all activity on a network
- Syslog implements eight priority levels
  - LOG_EMERG (emergency), LOG_ALERT (require immediate intervention), LOG_CRIT (critical system events), LOG_ERR (error), LOG_WARNING (warn of potential errors), LOG_NOTICE (information, no error), LOG_INFO (future use), LOG_DEBUG (developers use for debugging)

Slide 14: Analyzing Log Data
- Log data is used to monitor your environment
- Two main activities
  - Profiling normal behavior to understand typical system behavior at different times and in different parts of your business cycle
  - Detecting anomalies when system activity significantly deviates from the normal behavior you have documented

Slide 15: Profiling Normal Behavior
- A "snapshot" of typical system behavior is called a baseline
- Baselines can be obtained at the network, system, user, and process level
- Baselines detail consumption of system resources
- Baselines will vary significantly based on time of day or business cycle
- It is the administrator's responsibility to determine the baseline studies appropriate for an organization
  - These will change over time

Slide 16: Detecting Anomalies
- Define anomalies based on thresholds
- The following questions must be answered
  - How much of a deviation from the norm represents an anomaly?
  - How long must the deviation occur before registering an anomaly?
  - What anomalies should trigger immediate alerts?
- Anomalies can occur at any level
  - For example, if a user's behavior deviates from normal, it may indicate a serious security event
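An added Python example, not from the slides, that ties slide 13 to slide 16: it decodes the syslog PRI field into the eight severity levels (PRI = facility * 8 + severity, as the syslog RFCs define it), counts LOG_ERR-or-worse records per hour over constructed sample lines, and flags hours that exceed a baseline by a chosen factor for a chosen number of consecutive hours, which are the "how much" and "how long" thresholds the slide asks about. The helper names, the sample lines and the baseline are all assumptions made here.

```python
import re
from collections import Counter
# Severity names in syslog numeric order 0..7, as listed on the slide
SEVERITIES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
# BSD-syslog style record: "<PRI>Mon DD HH:MM:SS host tag: message"
LINE_RE = re.compile(r"^<(\d{1,3})>\w{3}\s+\d+ (\d{2}):\d{2}:\d{2} (\S+) (.*)$")

def decode_pri(pri):
    """PRI = facility * 8 + severity; return (facility, severity, name)."""
    facility, severity = divmod(int(pri), 8)
    return facility, severity, SEVERITIES[severity]

def parse(line):
    """Return a dict for one syslog record, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, sev, name = decode_pri(m.group(1))
    return {"hour": int(m.group(2)), "host": m.group(3), "facility": facility,
            "severity": sev, "name": name, "msg": m.group(4)}

def errors_per_hour(lines, worst=3):
    """Count records of severity LOG_ERR (3) or more urgent, by hour of day."""
    counts = Counter()
    for ev in map(parse, lines):
        if ev and ev["severity"] <= worst:
            counts[ev["hour"]] += 1
    return counts

def find_anomalies(counts, baseline, factor=3.0, min_hours=2):
    """Runs of >= min_hours consecutive hours with count > factor * baseline:
    factor answers "how much deviation", min_hours answers "how long"."""
    anomalies, run = [], []
    for hour in range(25):  # 25 so that a run ending at hour 23 is flushed
        if hour < 24 and counts.get(hour, 0) > factor * baseline.get(hour, 0):
            run.append(hour)
            continue
        if len(run) >= min_hours:
            anomalies.append((run[0], run[-1]))
        run = []
    return anomalies

def make_lines(pri, hour, n, msg="sshd[99]: Failed password for invalid user"):
    return [f"<{pri}>Oct 11 {hour:02d}:{i:02d}:00 host1 {msg}" for i in range(n)]

# Constructed sample: auth facility (4) at LOG_ERR (PRI 35) and LOG_INFO (PRI 38)
SAMPLE = (make_lines(35, 2, 4) + make_lines(35, 3, 5) + make_lines(35, 5, 4)
          + make_lines(35, 10, 4) + make_lines(38, 10, 20))
BASELINE = {h: (10 if 8 <= h < 18 else 1) for h in range(24)}  # errors/hour
```

Against this data the only reported anomaly is the run covering hours 2 and 3: the lone burst at hour 5 is too short, and the four errors at hour 10 are within the daytime baseline.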
Slide 17: Data Reduction
- When possible, limit the scope of logging activities to that which can reasonably be analyzed
  - However, regulations or policies may stipulate that aggressive logging is necessary
- Data reduction tools are useful when more data is collected than can be reviewed
  - Often built into security tools that create log files
  - For example, CheckPoint's Firewall-1 allows you to view log files filtered by inbound TCP traffic to a specific port on a specific date

Slide 18: Maintaining Secure Logs
- Logs themselves must be protected from tampering and corruption
- Common techniques to secure logs include
  - Remote logging uses a centralized, highly protected storage location
  - Printer logging creates a paper trail by immediately printing logged activity
  - Cryptographic technology digitally signs log files to ensure that changes can be detected, though the files are vulnerable until they are finalized

Slide 19: Conducting a Security Audit
- Security professionals examine the policies and implementation of the organization's security posture
  - Identify deficiencies and recommend changes
- The audit team should be well trained and knowledgeable
  - The team may be multidisciplinary, including accountants, managers, administrators, and technical professionals
  - Choose a team based on your organization's needs

Slide 20: Checklists
- Checklists provide a systematic and consistent approach to completing various tasks in an audit
- Audit checklists provide
  - a high-level overview of the overall audit process
  - stepwise processes for auditing different classes of systems
- Configuration checklists contain specific configuration settings
- Vulnerability checklists contain lists of critical vulnerabilities for each operating system in use
- MS: http://www.microsoft.com/technet/security/chklist/default.mspx
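One way to do the cryptographic protection described on slide 18, as an added example that is not part of the slides: a keyed hash chain (HMAC, a swapped-in technique rather than the digital signature the slide names) over the records, plus a final tag that closes the file. Until that final tag is recorded somewhere the log host cannot alter, appended or trailing records are still unprotected, which is the "vulnerable until finalized" caveat. seal_log, verify_log, tamper_demo, the key and the log lines are all constructed here.

```python
import hashlib
import hmac

def seal_log(lines, key):
    """Return [(line, tag)] where tag_i = HMAC(key, tag_{i-1} || line_i).
    Each tag depends on every earlier record, so editing, deleting or
    reordering a record breaks every tag after it."""
    sealed, prev = [], b""
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        sealed.append((line, tag))
        prev = tag.encode()
    return sealed

def finalize(sealed):
    """The last tag 'closes' the file; store it where the log host cannot
    modify it (e.g. the remote collector) so truncation is detectable too."""
    return sealed[-1][1] if sealed else ""

def verify_log(sealed, key, final_tag):
    """Return (True, None) if intact, else (False, index) of the first bad
    record; index == len(sealed) means the chain is fine but was cut short."""
    prev = b""
    for i, (line, tag) in enumerate(sealed):
        want = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, tag):
            return False, i
        prev = tag.encode()
    if not hmac.compare_digest(finalize(sealed), final_tag):
        return False, len(sealed)
    return True, None

# Constructed sample records and a demo key (a real key would live off-host)
KEY = b"constructed-demo-key-not-for-production"
LINES = ["Oct 11 02:00:01 host1 sshd[99]: Failed password for root",
         "Oct 11 02:00:02 host1 sshd[99]: Accepted password for alice",
         "Oct 11 02:00:03 host1 sudo: alice : COMMAND=/usr/bin/less /var/log/auth.log"]

def tamper_demo():
    """Show what each kind of tampering looks like to the verifier."""
    sealed = seal_log(LINES, KEY)
    final = finalize(sealed)
    edited = list(sealed)
    edited[0] = (edited[0][0].replace("Failed", "Accepted"), edited[0][1])
    return {
        "intact": verify_log(sealed, KEY, final),
        "edited": verify_log(edited, KEY, final),
        "deleted": verify_log(sealed[:1] + sealed[2:], KEY, final),
        "truncated": verify_log(sealed[:-1], KEY, final),
    }
```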
Slide 21: IP/Port Scanners
- IP/Port scanners are used by both crackers and system administrators
- Use brute-force probing of IP addresses to identify open ports running services that may be vulnerable
- Administrators can use this information to find rogue systems and services
  - Often set up by legitimate users who want to bypass the red tape of going through administration
  - Rogue systems and services are usually either removed or brought under administrative control

Slide 22: Vulnerability Scanners
- Vulnerability scanners are software applications that analyze systems for known vulnerabilities and create reports and suggestions
- The first vulnerability scanner was SATAN in the early 1990s
- Newer scanners include
  - SARA – a descendant of SATAN (UNIX)
  - SAINT – a commercially supported scanner (UNIX)
  - Nessus – provides a scripting language for writing and sharing security tests (UNIX)
  - Microsoft Baseline Security Analyzer (MBSA) – free from Microsoft, downloads the most recent vulnerability database (Windows)

Slide 23: Integrity Checking
- Integrity checking
  - Maintains cryptographic signatures of all protected files to catch tampering
- Tripwire is the most common tool for file integrity assurance
  - http://sourceforge.net/projects/tripwire/ free for UNIX
  - http://www.tripwire.com/ 30-day trial for Windows
- Typically used to protect static Web sites and other systems that store critical data that is infrequently changed

Slide 24: Penetration Testing
- Penetration testing is a proactive approach used by security auditors
  - The auditor tries to break into the system to find vulnerabilities
- Many security teams bring in professionals to conduct penetration testing
  - Called "white hat" hackers
  - Malicious hackers are called "black hat" hackers
- Be sure you have proper permission before conducting any type of penetration testing
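A Tripwire-style check of the kind slide 23 describes, as an added Python example that is neither Tripwire's code nor part of the slides: take a hash baseline of a directory, compare a later snapshot against it, and seal the baseline database with a key (a keyed hash standing in for Tripwire's signed database) so it cannot be rewritten along with the files it protects. All helper names and the sample files created in demo are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Baseline database: {relative posix path: digest} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def seal_baseline(baseline, key):
    """Keyed digest over the baseline itself: whoever can rewrite the protected
    files must not also be able to rewrite the database without notice."""
    body = "\n".join(f"{p} {d}" for p, d in sorted(baseline.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def demo():
    """Constructed scenario in a temp dir: baseline a small static site, then
    edit one file, delete one and add one, and report what the check sees."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "index.html").write_text("<h1>Welcome</h1>")
    (root / "etc" / "app.conf").write_text("debug=false")
    (root / "robots.txt").write_text("User-agent: *")
    baseline = snapshot(root)
    (root / "index.html").write_text("<h1>Welcome (edited)</h1>")
    (root / "robots.txt").unlink()
    (root / "extra.txt").write_text("unexpected file")
    return compare(baseline, snapshot(root))
```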