InfoSec Lecture 4: Auditing and Accountability

Study Notes

Introduction to Auditing and Accountability

After identification, authentication, and authorization, tracking activities and ensuring adherence to rules and policies is essential for security.

Accountability

Accountability depends on identification, authentication, and access control being in place to know who performed a transaction and what permissions were used.
Accountability is achieved through monitoring and logging to determine details of a situation.

Security Benefits of Accountability

Nonrepudiation: sufficient evidence to prevent individuals from denying actions or statements, achieved through system or network logs, digital forensic examination, and encryption technologies.

Deterrence: accountability can deter individuals from misbehavior if they know they will be held accountable for their actions.

Intrusion detection and prevention: logging and monitoring detect and prevent intrusions, divided into IDS (intrusion detection systems) and IPS (intrusion prevention systems).

Admissibility of records: regulated and consistent tracking systems ensure records are accepted in legal settings.

How We Accomplish Accountability

Ensuring accountability by laying out rules and ensuring they are followed, and taking further steps to ensure adherence.

Auditing

Auditing ensures accountability through technical means, providing accurate records of who did what and when.
Examples of what we audit: passwords, software licensing, and other items.

Reason for Auditing

Auditing provides data to implement accountability, assess activities over time, and facilitate accountability on a large scale.
Auditing is necessary for larger organizations and may be compelled by contractual or regulatory requirements.

Logging

Logging gives a history of activities in the environment, necessary for audits and investigations.
Logging is a reactive tool, allowing us to view what happened after it has taken place.

Where is Logging Used

Logging mechanisms are configurable and can be set up to log various events, from critical events to every action carried out by the system or software.

Accessibility of Logging

Logs are generally only available to system administrators for review and are not modifiable by users.
Collecting logs without reviewing them is futile, and administrators should schedule regular reviews to catch unusual events.

Introduction to Cryptography

Cryptography is the chief security measure that allows us to make use of technologies.
It is an integral part of computing, networking, and transactions that take place over devices.
Cryptography is used in daily activities such as conversations on cell phones, checking email, online shopping, and filing taxes.

Encryption and Decryption

Encryption is the transformation of unencrypted data (plaintext) into encrypted form (ciphertext).
Decryption is the process of recovering the plaintext message from the ciphertext.
Cryptanalysis is the science of breaking through the encryption used to create the ciphertext.
Cryptology is the overarching field of study that covers cryptography and cryptanalysis.

Goals of Cryptography

Confidentiality: information is only read/known/learnt by authorized people.
Authenticity: process of confirming the correctness of the claimed identity.
Integrity: information should only be modified by authorized people.
Non-Repudiation: a user should not be able to deny sending a message.

Symmetric Cryptography

Symmetric cryptography uses a single key for both encryption and decryption.
The key has to be private and shared between the sender and the receiver.
Symmetric key algorithms include:
- DES (Data Encryption Standard)
- 3DES (Triple DES)
- AES (Advanced Encryption Standard)

Asymmetric Cryptography

Asymmetric cryptography uses two keys: a public key and a private key.
The public key is used to encrypt messages and verify signatures.
The private key is used to decrypt messages and sign (create) signatures.
Asymmetric key algorithms include:
- RSA (Rivest-Shamir-Adleman)

Hash Functions

Hash functions create a fixed-length hash value from a message.
Any slight change to the message will change the hash.
Hash functions are used to verify the integrity of a message.
Examples of hash functions include: MD5, SHA-3, and RACE.

Digital Signatures

Digital signatures are used to:
- Enable detection of changes to the message contents.
- Ensure that the message was legitimately sent by the expected party.
- Prevent the sender from denying that he or she sent the message (nonrepudiation).
Digital signatures are generated by hashing the message and encrypting the hash with the sender's private key.

Certificates

Certificates link a public key to a particular individual and are often used as a form of electronic identification.
Certificates are created by taking the public key and identifying information, such as a name and address, and having them signed by a Certificate Authority (CA).

Description

This quiz covers the concepts of auditing and accountability in information security, based on the textbook 'The Basics of Information Security' by Jason Andress and referenced book 'Cryptography and Network Security' by William Stallings.