Information Technology Security Lecture 7 - Auditing, Testing, & Monitoring (PDF)
David Kim, Michael G. Solomon
Summary
This document is a lecture on information technology security, focusing on auditing, testing, and monitoring. It includes recommended readings and discussion points relevant to security audit practices and principles.
Information Technology Security
Lecture 7
Auditing, Testing, and Monitoring

Recommended Reading: Fundamentals of Information Systems Security. 4th ed. Author: David Kim, Michael G. Solomon. 2023. Chapter 10: Auditing, Testing, and Monitoring
OR
Recommended Reading: Fundamentals of Information Systems Security. 3rd ed. Author: David Kim, Michael G. Solomon. 2018. Chapter 7: Auditing, Testing, and Monitoring

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company. Fundamentals of Information Systems Security. www.jblearning.com. All rights reserved.

Learning Objective(s)
- Explain the importance of security audits, testing, and monitoring in an IT infrastructure.

Key Concepts
- Practices and principles of security audits
- Ways to monitor systems
- Capturing and analyzing log data
- Assessing an organization’s security compliance
- Monitoring and testing security systems

Auditing, Testing, and Monitoring
- A security audit is a crucial type of evaluation to avoid a data breach.
- Auditing a computer system involves checking to see how its operation has met security goals (Confidentiality, Integrity, Availability and Accountability).
- Audit tests may be manual (performed step by step by a person) or automated (performed by executing a program or a script).
- Before you can determine whether something has worked, you must first define how it’s supposed to work: “The state of What Good Looks Like (WGLL)?”

Security Auditing and Analysis
- Are security policies sound and appropriate for the business or activity?
- Are there controls supporting your policies?
- Is there effective implementation and upkeep of controls?

The purpose of information security is to support the mission of the business and to protect it from the risks it faces. With respect to security, one of the most visible risks is that of data breach.
- If you cannot justify a control by a policy, you should probably remove it.
- Whenever a control is explained as “for security” but with no other explanation, you should remove it.
- Security is not a profit centre, and it should never exist for its own sake. It is a support department. Its purpose is to protect the organisation’s assets and revenue stream.
- As your organisation evolves and as threats mature, it is important to make sure your controls still meet the risks you face today.

Security Auditing and Analysis
- Auditors are people/contractors who ask the question, “Are the company policies understood and followed?”
- The audit itself does not set new policies. Auditors might, however, make recommendations based on experience or knowledge of new regulations or other requirements.
- Auditors are good at spotting edge cases where the policy struggles to protect the business; hence, their recommendations are important.

Security Controls Address Risk
- Ensure that new and existing controls work together to protect the intended level of security.
- Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management.
- Review and measure all controls to capture actions and changes on the system that is in production used by staff or clients.
- Review the logs and overall environment to provide an independent analysis of how well the security policy and controls work.

Auditing

Determining What Is Acceptable
- Define acceptable and unacceptable actions in security policies.
- Create standards based on those developed or endorsed by standards bodies (Best Practices).
- Acceptable: Communications and other actions permitted by a policy document.
- Unacceptable: Communications and other actions specifically banned in your security policy.

Auditing Home Router Security

My Home Router Access Policy
- Devices of all personnel residing at a given address are the only devices allowed to connect to a WiFi router placed in the same address.
- The router is configurable only by the homeowner.

Q1: Does that policy serve a good cause or purpose to protect residents?
Q2: How will you check if the current security controls enforce the above policy?

Wi-Fi Router Standards and Procedure
- Must conform to the IEEE 802.11ax.
- Must conform to WPA 2.0 or higher.
- Setting Functionalities Procedure. Built Communications Security Etc.

Auditor in action
- Check the router type complies with Standards IEEE 802.11ax and WPA 2.0.
- Check the wireless key specs, length, formatting, etc.
- Check the router admin username and password against specs.
- Check device logging history.
- Check configurations log.
- Check router log.
- Check whitelists and blacklists.
- Etc.

Audit Report (findings)
- The router was set to use WPA, not WPA 2.0.
- The router admin user password was set to generic “admin1234.”
- There are three users with admin-level
- There are 5 devices at the household. Based on the MAC addresses log, 25 different devices connected to the router!
- No access control lists set up.
- No blacklisting or whitelisting set-up!
- Others…

Auditors
- Auditors can be internal employees or external contractors to ensure impartiality.
- Auditors can be working with Compliance Teams or Business Assurance Teams in organisations.
- They are part of every organisation’s POLICE but are there for support.
- They are crucial to every organisation.
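
The home router audit above, run as an automated test (an added example, not part of the lecture): the checks mirror the "Auditor in action" list and reproduce the findings on the report slide. The configuration layout, log format, MAC addresses, account names and the 12-character minimum for the admin password are assumptions constructed for illustration.

```python
import re

# Requirements taken from the slides (IEEE 802.11ax, WPA 2.0 or higher).
REQUIRED_WIFI_STANDARD = "802.11ax"
PROTOCOL_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}
MIN_PROTOCOL = "WPA2"
# Assumed password spec: the lecture does not state one.
MIN_ADMIN_PASSWORD_LEN = 12
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "admin1234"}

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Constructed sample data that reproduces the findings on the report slide.
SAMPLE_CONFIG = {
    "wifi_standard": "802.11ax",
    "security_protocol": "WPA",
    "mac_filtering_enabled": False,
    "accounts": [
        {"name": "admin", "role": "admin", "password": "admin1234"},
        {"name": "guest1", "role": "admin", "password": "Xq7!long-unique-pass"},
        {"name": "guest2", "role": "admin", "password": "Another-long-pass-42"},
    ],
}
# 5 household devices; 25 distinct devices in the association log.
HOUSEHOLD_MACS = {"02:00:00:00:00:%02x" % i for i in range(1, 6)}
SAMPLE_LOG = ["2024-01-05T20:15:00 assoc sta=02:00:00:00:00:%02X" % i
              for i in range(1, 26)]


def macs_in_log(log_lines):
    """Return the set of distinct, normalized MAC addresses seen in the log."""
    seen = set()
    for line in log_lines:
        for mac in MAC_RE.findall(line):
            seen.add(mac.lower().replace("-", ":"))
    return seen


def audit_router(config, log_lines, household_macs):
    """Compare router state with the policy; return (check, detail) findings."""
    findings = []
    if config.get("wifi_standard") != REQUIRED_WIFI_STANDARD:
        findings.append(("wifi-standard", "not IEEE %s" % REQUIRED_WIFI_STANDARD))
    proto = str(config.get("security_protocol", "OPEN")).upper()
    if PROTOCOL_RANK.get(proto, 0) < PROTOCOL_RANK[MIN_PROTOCOL]:
        findings.append(("encryption", "%s is below %s" % (proto, MIN_PROTOCOL)))
    admins = [a for a in config.get("accounts", []) if a["role"] == "admin"]
    weak = [a["name"] for a in admins
            if a["password"].lower() in KNOWN_DEFAULT_PASSWORDS
            or len(a["password"]) < MIN_ADMIN_PASSWORD_LEN]
    if weak:
        findings.append(("admin-password", "weak or default: " + ", ".join(weak)))
    # Policy: the router is configurable only by the homeowner.
    if len(admins) != 1:
        findings.append(("admin-accounts",
                         "%d admin accounts, policy allows 1" % len(admins)))
    if not config.get("mac_filtering_enabled"):
        findings.append(("mac-filtering", "no allowlist of household devices"))
    unknown = macs_in_log(log_lines) - {m.lower() for m in household_macs}
    if unknown:
        findings.append(("unknown-devices",
                         "%d devices outside the household" % len(unknown)))
    return findings


if __name__ == "__main__":
    for check, detail in audit_router(SAMPLE_CONFIG, SAMPLE_LOG, HOUSEHOLD_MACS):
        print("FINDING %-16s %s" % (check, detail))
```

Each check is tied to a policy or standard statement, so a finding can always be justified by the document it was tested against.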

Areas of Security Audits
- Large in scope and cover entire departments or business functions
- Narrow and address only one specific system or control

Purpose of Audits
- Appropriateness of controls: Is the level of security control suitable for the risk it addresses?
- Correct installation of controls: Is the security control in the right place and working well?
- Address purpose of controls: Is the security control effective in addressing the risk it was designed to address?

Defining Your Audit Plan
- Define objectives; determine which systems or business processes to review
- Define which areas of assurance to check
- Identify personnel who will participate in the audit

During The Audit
- Survey the site(s): Understand the environment and the interconnections between systems before starting the audit activities.
- Review documentation: An auditor will want to review system documentation and configurations, both during planning and as part of the actual audit.
- Review risk analysis output: An auditor will want to understand system criticality ratings that are a product of risk analysis studies.
- Review server and application logs: An auditor might ask to review security incident logs to get a feel for problem trends.
- Review incident logs: An auditor might ask to review security incident logs to get a feel for problem trends.
- Review results of penetration tests: When an organization conducts penetration tests, the tester prepares a report listing weaknesses that were found.

Audit Scope and the Seven Domains of the IT Infrastructure

Auditing Benchmarks
Benchmark: The standard to which your system is compared to determine whether it is securely configured.
- ISO 27002
- NIST Cybersecurity Framework (CSF)
- ITIL (Information Technology Infrastructure Library)
- Control Objectives for Information and related Technology (COBIT)
- Committee of Sponsoring Organizations (COSO)

Audit Data Collection Methods
- Questionnaires
- Interviews
- Observation
- Checklists
- Reviewing documentation
- Reviewing configurations
- Reviewing policy
- Performing security testing

Areas Included in Audit Plan (Area: Audit Goal)
- Antivirus software: Up-to-date, universal application
- System access policies: Current with technology
- Intrusion detection and event monitoring systems: Log reviews
- System-hardening policies: Ports, services
- Cryptographic controls: Key management, usage (network encryption of sensitive data)
- Contingency planning: Business continuity plan (BCP), disaster recovery plan (DRP), and continuity of operations plan (COOP)

Areas Included in Audit Plan (cont.) (Area: Audit Goal)
- Hardware and software maintenance: Maintenance agreements, servicing, forecasting of future needs
- Physical security: Doors locked; power supplies monitored
- Access control: Need to know, least privilege
- Change control processes for configuration management: Documented, no unauthorized changes
- Media protection: Age of media, labeling, storage, transportation

Control Checks and Identity Management
- Approval process: Who grants approval for access requests?
- Authentication mechanisms: What mechanisms are used for specific security requirements?
- Password policy and enforcement: Does the organization have an effective password policy and is it uniformly enforced?
- Monitoring: Does the organization have sufficient monitoring systems to detect unauthorised access?
- Remote access systems: Are all systems properly secured with strong authentication?

Post-Audit Activities
- Exit interview
- Data analysis
- Generation of audit report
  - Findings
  - Recommendations
  - Timeline for implementation
  - Level of risk
  - Management response
  - Follow-up
- Presentation of findings

Monitoring

Security Operations: Monitoring
- Baselines: In order to recognize something as abnormal, you first must know what normal looks like.
- Alarms and alerts: Alarms and alerts are responses to security events that notify personnel of a possible security incident.
- Closed-circuit TV: Your staff must also be trained in local law; many jurisdictions prohibit profiling based on race or ethnicity.
- Systems that spot irregular behaviour: Examples include IDSs and honeypots, that is, traps set to capture information about improper activity on a network.

Security Monitoring for Computer Systems
Real-time monitoring
- Host IDS: watch computer systems for unauthorized changes and report them to administrator
- System integrity monitoring: watch computer systems for unauthorized changes and report them to administrator
- Data loss prevention (DLP): DLP systems use business rules to classify sensitive information to prevent unauthorized end users from sharing it
Non-real-time monitoring
- Application logging: All applications that access or modify sensitive data should have logs that record who used or changed the data and when (CRM and Billing systems).
- System logging: provides records of who accessed the system and what actions they performed on the system
Logged activities
- Host-based activity: access requests, performance, and start-ups and shutdowns.
- Network and network devices: traffic type and patterns, malware, and performance

Types of Log Information to Capture
- Event logs: General operating system and application software events
- Access logs: Access requests to resources
- Security logs: Security-related events
- Audit logs: Defined events that provide additional input to audit activities

Example: Event Logs

Example: Access Logs

Example: Security Logs

Example: Audit Logs

Types of Networks Log Information
- A web host, or web hosting service provider, is a business that provides the technologies and services needed for the website or webpage to be viewed on the Internet. Websites are hosted, or stored, on special computers called servers.
- NIDS: A network-based intrusion detection system (NIDS) detects malicious traffic on a network.

Security Controls Monitors
Controls that monitor activity:
- IDSs
- IPSs
- Firewalls

IDS as a Firewall Complement
- A network intrusion detection system (NIDS) monitors traffic that gets through the firewall to detect malicious activity.
- A host-based intrusion detection system (HIDS) does the same for traffic aimed at a particular computer or device. Because the HIDS sees a narrower view, you can tune it to detect very specific activities. Unlike the NIDS, the HIDS will also see traffic that originates inside the perimeter.
- Host-based intrusion detection systems (HIDS) help organisations to identify threats inside the network perimeter by monitoring host devices.

Basic NIDS as a Firewall Complement
- You connect the IDS to a management console that lets the administrator monitor and manage it.
- Ideally, the IDS will not be detectable from the network. That means attackers will not be able to determine where the IDS is positioned on the network.
- The administration port on the IDS is not accessible from the network, which prevents an attacker from altering the configuration of the IDS.
- We should not manage the IDS device from inside the network it monitors.

Network Traffic Analysis Methods
Pattern- or signature-based IDSs
- Rule-based detection
- Rely on pattern matching and stateful matching
Anomaly-based IDSs
- Profile-based systems
Common methods of detecting anomalies
- Statistical-based methods
- Traffic-based methods
- Protocol patterns

Capturing Network Traffic (Wireshark)

HIDS
- Software processes or services designed to run on server computers
- Intercept and examine system calls or specific processes for patterns or behaviors that should not normally be allowed
- HIDS daemons (the long-running background process that answers requests for services) can take a predefined action such as stopping or reporting the infraction (violations)
- Detect inappropriate traffic that originates inside the network. (Attacks from the inside!)
- Recognize an anomaly that is specific to a particular machine or user
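
The detection approaches listed under Network Traffic Analysis Methods above, side by side on the same traffic (an added example, not part of the lecture): pattern matching judges one event at a time, stateful matching remembers earlier events, and the statistical method compares traffic volume with a baseline of what normal looks like. The events, addresses, request counts, the single signature and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed events: (seconds since start, source address, message).
EVENTS = [
    (0, "192.0.2.10", "GET /index.html 200"),
    (5, "198.51.100.7", "GET /../../etc/passwd 404"),
    (10, "203.0.113.5", "LOGIN FAILED user=admin"),
    (12, "203.0.113.5", "LOGIN FAILED user=admin"),
    (14, "203.0.113.5", "LOGIN FAILED user=admin"),
    (16, "203.0.113.5", "LOGIN FAILED user=admin"),
    (18, "203.0.113.5", "LOGIN FAILED user=admin"),
    (200, "192.0.2.10", "LOGIN FAILED user=bob"),
    (400, "192.0.2.10", "LOGIN FAILED user=bob"),
]
# Constructed requests-per-minute counts: a quiet baseline week and today's data.
BASELINE_REQ_PER_MIN = [48, 52, 50, 47, 53, 51, 49, 50]
OBSERVED_REQ_PER_MIN = {0: 51, 1: 49, 2: 140, 3: 54}

# One illustrative signature; a real rule set is far larger.
SIGNATURES = {"directory-traversal": re.compile(r"\.\./")}


def pattern_alerts(events):
    """Pattern matching: each event is judged on its own content."""
    return [(t, src, name)
            for t, src, msg in events
            for name, rx in SIGNATURES.items() if rx.search(msg)]


def stateful_alerts(events, threshold=5, window=60):
    """Stateful matching: alert on `threshold` failed logins from one
    source within `window` seconds, which no single event can show."""
    recent = defaultdict(deque)
    alerts = []
    for t, src, msg in sorted(events):
        if "LOGIN FAILED" not in msg:
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # forget failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((t, src, "repeated-login-failure"))
            q.clear()                    # one alert per burst
    return alerts


def anomaly_alerts(baseline, observed, k=3.0):
    """Statistical method: flag minutes whose request count deviates from
    the baseline mean by more than k standard deviations."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [minute for minute, n in sorted(observed.items())
            if abs(n - mu) > k * sigma]


if __name__ == "__main__":
    print(pattern_alerts(EVENTS))
    print(stateful_alerts(EVENTS))
    print(anomaly_alerts(BASELINE_REQ_PER_MIN, OBSERVED_REQ_PER_MIN))
```

The burst in minute 2 matches no signature and is caught only by the baseline comparison, while the single traversal request is invisible to the volume statistics and is caught only by the signature.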

Layered Defense: Network Access Control
This is how network devices work in multiple layers to try to prevent an attack on the internal protected network. The router detects and filters out some traffic, and the firewall detects and stops unwanted traffic.

Using NIDS Devices to Monitor Outside Attacks

Host Isolation and the DMZ
A DMZ with two isolated hosts.
- A DMZ is a physical or logical subnetwork that contains and exposes an organisation’s external services to a larger untrusted network, usually the Internet.
- Outside traffic from the untrusted Internet is allowed only into the DMZ, where it can get to certain company services. The web applications in the DMZ then access the trusted internal network but prevent the outside user from getting directly to the internal network.

Actions of System Hardening
- Turn off or disable unnecessary services; protect the ones that are still running
- Secure management interfaces and applications
- Protect passwords through aggressive password policies
- Disable unnecessary user accounts
- Apply the latest software patches available
- Secure all computers/devices from unauthorised changes
- Disable unused network interfaces
- Disable unused application service ports
- Use MAC filtering to limit device access
Note: It is called hardening, to change hardware and software configurations to make computers and devices as secure as possible.

MAC Address on iPhone

MAC Address on Android

MAC Address on Windows

Monitoring and Testing Security Systems
Common risks are:
- Attackers who come in from outside, with unauthorized access, malicious code, Trojans, and malware
- Sensitive information leaking from inside the organization to unauthorized people who can damage your organization

Monitoring
- Monitor traffic with an IDS, which identifies abnormal traffic for further investigation
- Use an IPS to actively block malicious traffic

Security Testing
The primary purpose of any security test is to identify uncorrected vulnerabilities in a system. A system might have been secure at one time, but adding a new service or application might have made the system vulnerable. The point of testing is to discover new vulnerabilities so you can address them.
When do we trigger testing?
- During the security certification phase
- After major system changes (new technology upgrades, application changes)
- New threats
- During system audits
- Periodically, depending on the nature of the system.
- Once a year, on critical systems
Rate of Volatility: The rate of changes in the system and the sensitivity or criticality of the system define how frequent testing should happen.

Security Testing Road Map

Establishing Testing Goals and Reconnaissance Methods
Establish testing goals
- Identify vulnerabilities and rank them according to how critical they are to your systems
- Document a point-in-time (snapshot) test for comparison to other time periods
- Prepare for auditor review
- Find the gaps in your security
Reconnaissance methods
- Social engineering is a fancy phrase for lying
- Whois service: This service provides information, such as names and phone numbers of administrators, that can help attackers.

Network Mapping

Network Mapping with ICMP (Ping)
Blocking ping packets, as seen with the Tony router, can prevent the attacker from learning about the network. Of course, this also prevents the administrator from being able to use this valuable tool for network troubleshooting.

Network Mapping with TCP/SYN Scans
A TCP Reset (RST) packet is used by a TCP sender to indicate that it will neither accept nor receive more data.

Operating System Fingerprinting

Testing Methods
- Black-box testing: Uses test methods that aren’t based directly on knowledge of a program’s architecture or design
- White-box testing: Is based on knowledge of the application’s design and source code
- Gray-box testing: Lies somewhere between black-box testing and white-box testing

Security Testing Tips and Techniques
- Choose the right tool
- Tools make mistakes
- Protect your systems
- Tests should be as “real” as possible

Summary
- Practices and principles of security audits
- Ways to monitor systems
- Capturing and analyzing log data
- Assessing an organization’s security compliance
- Monitoring and testing security systems