Auditing, Testing, and Monitoring PDF

Summary

This chapter focuses on auditing, testing, and monitoring in an information technology infrastructure. It covers key concepts, security audits, different aspects of monitoring, and essential security checks to evaluate security and controls.

Full Transcript

CHAPTER 10

Auditing, Testing,
and Monitoring

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts

Learning Objective(s) Key Concepts

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Explain the role of security  Practices and principles of security
operations, security policies, audits and analysis
security audits, testing, and
 Ways to monitor systems
monitoring in an IT infrastructure.
 Types of log information to capture
 Verifying an organization’s security
controls
 Monitoring and testing security
systems
Auditing, Testing, and Monitoring

 A security audit is a crucial type of evaluation to avoid a data breach.

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Auditing a computer system involves checking to see how its operation has met
security goals.
 Audit tests may be manual or automated.
 Before you can determine whether something has worked, you must first define
how it’s supposed to work.
 Known as assessing a system
Security Auditing and Analysis

 Are security policies sound and appropriate for the business or activity?

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Are there controls supporting your policies?
 Is there effective implementation and upkeep of controls?
Security Controls Address Risk

 Monitor
 Review and measure all controls to capture actions and changes to any

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
environment component.

 Audit
 Review the logs and overall environment to provide independent analysis of how
well the security policy and controls work.

 Improve
 Include proposals to improve the security program and controls in the audit results.
This step applies to the recommended changes as accepted by management.

 Secure
 Ensure that new and existing controls work together to protect the intended level of
security.
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
The Security Review Cycle
Determining What Is Acceptable

 Security policy should define acceptable and unacceptable actions

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Organizations might create standards based on those developed or endorsed
by standards bodies
 Communications and other actions permitted by a policy document are
acceptable
 Communications and other actions specifically banned in security policy are
unacceptable
Permission Levels

 Promiscuous
 Everything is allowed

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Permissive
 Anything not specifically prohibited is OK

 Prudent
 A reasonable list of things is permitted, and all others are prohibited

 Paranoid
 Very few things are permitted; all others are prohibited and carefully monitored
Areas of Security Audits

 Large in scope and cover entire departments or business functions

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Narrow and address only one specific system or control
Purpose of Audits

 Appropriate security level
 Is the level of security control suitable for the risk it addresses?

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Correct installation of controls
 Is the security control in the right place and working well?

 Effectiveness of purpose of controls
 Is the security control effective in addressing the risk it was designed to address?
Customer Confidence

 Customers generally conduct business only with organizations they trust

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 If customers know that an organization’s systems are consistently audited for
security, they may be more willing to share their sensitive information
 Service Organization Control (SOC) framework defines scope and contents of
three levels of audit report:
 SOC 1
 SOC 2
 SOC 3
SOC Reports

Report
Contents Audience
Type

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Users and auditors
Internal controls over financial Organizations that must comply
SOC 1
reporting with Sarbanes-Oxley (SOX) or
Gramm-Leach-Bliley Act (GLBA)
Management, regulators,
Security (confidentiality, stakeholders
SOC 2 integrity, availability) and Implemented for service providers,
privacy controls hosted data centers, managed
cloud computing providers
Security (confidentiality, Public
SOC 3 integrity, availability) and Required for customers of SOC 2
privacy controls service providers
Defining the Audit Plan

 Define objectives; determine which systems or business processes to review

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Define which areas of assurance to check
 Identify personnel who will participate in the audit
Defining the Scope of the Plan

 Survey the site(s)

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Review documentation
 Review risk analysis output
 Review server, device, and application logs
 Review incident logs
 Review results of penetration tests
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Audit Scope and the Seven Domains of the IT
Infrastructure
Auditing Benchmarks

 Benchmark: The standard to which a system is compared to determine whether
it is securely configured

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 ISO 27002
 National Institute of Standards and Technology (NIST) Cybersecurity Framework
(CSF)
 Information Technology Infrastructure Library (ITIL)
 Control Objectives for Information and Related Technologies (COBIT)
 Committee of Sponsoring Organizations (COSO)
Audit Data Collection Methods

 Questionnaires

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Interviews
 Observation
 Checklists
 Reviewing documentation
 Reviewing configurations
 Reviewing policy
 Performing security testing
Areas of Security Audits (1 of 2)

Area Audit Goal

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Endpoint protection (antivirus/anti- Up-to-date, universal application
malware, endpoint detection and
response [EDR], host-based firewall)
System access policies Current with technology
Intrusion detection and event-monitoring
Log reviews
systems
System-hardening policies Ports, services
Key management, usage (network
Cryptographic controls
encryption of sensitive data)
Areas of Security Audits (2 of 2)

Area Audit Goal

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Business continuity plan (BCP),
Contingency planning disaster recovery plan (DRP), and
continuity of operations plan (COOP)
Maintenance agreements, servicing,
Hardware and software maintenance
forecasting of future needs
Doors locked, power supplies
Physical security
monitored
Access control Need to know, least privilege
Change control processes for Documented, no unauthorized
configuration management changes
Age of media, labeling, storage,
Media protection
transportation
Control Checks and Identity Management

 Approval process
 Who grants approval for access requests?

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Authentication mechanisms
 What mechanisms are used for specific security requirements?

 Password policy and enforcement
 Does the organization have an effective password policy and is it uniformly
enforced?

 Monitoring
 Does the organization have sufficient monitoring systems to detect unauthorized
access?

 Remote access systems
 Are all systems properly secured with strong authentication?
Post-Audit Activities

 Exit interview

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Data analysis
 Generation of audit report
 Findings
 Recommendations
 Timeline for implementation
 Level of risk
 Management response
 Follow-up

 Presentation of findings
Security Monitoring

 Baselines

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Alarms, alerts, and trends
 Closed-circuit TV
 Systems that spot irregular behavior
Security Monitoring for Computer Systems

 Real-time monitoring
 Host intrusion detection system (HIDS)

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 System integrity monitoring
 Data loss prevention (DLP)

 Non–real-time monitoring
 Application logging
 System logging

 Log activities
 Host-based activity
 Network and network devices
Monitoring Issues

 Many organizations turn off logs  Other monitoring issues:
because they produce too much  Spatial distribution

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
information  Switched networks
 Encryption
 Without a way to automatically
 Network Layer encryption
analyze log data, logging uses up
 Application Layer encryption
disk space without providing much
value  Logging anomalies
 False positives
 False negatives

 Log management
Types of Log Information to Capture (1 of 2)

 Event logs
 General operating system and application software events

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Access logs
 Access requests to resources

 Security logs
 Security-related events

 Audit logs
 Defined events that provide additional input to audit activities
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Types of Log Information
Types of Log Information to Capture (2 of 2)

 Security information and event management (SIEM) system
 Helps organizations manage log files by providing a common platform to capture

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
and analyze entries from firewall, intrusion detection system/intrusion prevention
system (IDS/IPS), web server, and database server logs
 Standardizes data into a common format
 Produces visual charts and graphical representations of collected data into easy-to-
read dashboards
 Dashboards monitor user activity and ensure that users act only in accordance with
policy

 Security orchestration, automation, and response (SOAR) system
 Extends SIEM functionality to identify incidents and respond to them in a structured
manner
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
How to Verify Security Controls

 Controls that monitor activity

 Firewalls
 IDSs
 IPSs
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
IDS as a Firewall Complement
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Basic Network IDS (NIDS) as a Firewall Complement
Analysis Methods

 Pattern- or signature-based IDSs
 Rule-based detection

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Rely on pattern matching and
stateful matching

 Anomaly-based IDSs
 Profile-based systems

 Common methods of detecting
anomalies
 Statistical-based methods
 Traffic-based methods
 Protocol patterns
HIDS

 Software processes or services designed to run on server computers

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Intercept and examine system calls or specific processes for patterns or
behaviors that should not normally be allowed
 HIDS/host-based IPS (HIPS) daemons can perform a predefined action, such
as stopping or reporting the infraction
 Detect inappropriate traffic that originates inside the network
 Recognize an anomaly that is specific to a particular machine or user
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Layered Defense: Network Access Control
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Using NIDS Devices to Monitor Outside Attacks
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Host Isolation and the Demilitarized Zone (DMZ)
System Hardening (1 of 2)

 Turn off or disable unnecessary services; protect ones that are still running

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Secure management interfaces and applications
 Protect passwords through aggressive password policies
 Disable unnecessary user accounts
 Apply the latest software patches available
 Secure all computers/devices from unauthorized changes
System Hardening (2 of 2)

 Disable unused network interfaces

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Disable unused application service ports
 Use Media Access Control (MAC) filtering to limit device access
 Implement 802.1x, port-based Network Access Control (PNAC)
 Set a baseline configuration
 Review endpoint protection programs
Monitoring and Testing Security Systems

 Common risks:
 Attackers who come in from outside, with unauthorized access, malicious code,

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Trojans, and malware
 Sensitive information leaking from inside the organization to unauthorized people
who can damage your organization
Monitoring

 Monitor traffic with an IDS, which identifies abnormal traffic for further
investigation

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Use an IPS to actively block malicious traffic
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Testing
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Security Testing Road Map
Establishing Testing Goals and Reconnaissance
Methods

 Establish testing goals
 Identify vulnerabilities and rank them according to how critical they are to your

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
systems
 Document a point-in-time (snapshot) test for comparison to other time periods
 Prepare for auditor review
 Find the gaps in your security

 Reconnaissance methods
 Social engineering
 Whois service
 Zone transfer
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Network Mapping
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Network Mapping with Internet Control Message
Protocol (ICMP) (Ping)
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Network Mapping with Transmission Control Protocol
(TCP)/Synthesize (SYN) Scans
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Operating System Fingerprinting
 Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Covert Versus Overt Testers
Testing Methods

 Black-box testing
 Uses test methods that aren’t based directly on knowledge of a program’s

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
architecture or design

 White-box testing
 Is based on knowledge of the application’s design and source code

 Gray-box testing
 Lies somewhere between black-box testing and white-box testing
Security Testing Tips and Techniques

 Choose the right tool

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Tools make mistakes
 Protect the systems
 Tests should be as real as possible
Summary

 Practices and principles of security audits and analysis

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Ways to monitor systems
 Types of log information to capture
 Verifying an organization’s security controls
 Monitoring and testing security systems