Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits

Dec 21, 2015

Page 1: Security+ Guide to Network Security Fundamentals, Third Edition Chapter 10 Conducting Security Audits.

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 10: Conducting Security Audits

Page 2

Objectives
- Define privilege audits
- Describe how usage audits can protect security
- List the methodologies used for monitoring to detect security-related anomalies
- Describe the different monitoring tools

Page 3

Privilege Auditing
- _________ methodical ________ and ________ of something that ___________________ of findings
- A _________ can be considered a _____________
- __________________________ ____________________________ (PoLP)
  - Users should be given only the _____________________ necessary to perform their job function
- ____________________________
- Reviewing a _____________________________________
  - Requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings
- More to come on each of these…

Page 4

Privilege Management
- ___________________________
  - The process of ___________________________ to objects
- Roles of owners and custodians are generally well-established
- Where those roles fit into the organization often depends upon how the organization is structured
- The ______________ for privilege management can be either ______________ ______________________________

Page 5

Privilege Management (continued)
- In a _______________ structure, ____________ is _____________________ of assigning or revoking privileges
  - All custodians are part of that unit
- A _____________ organizational structure for privilege management delegates the authority for assigning or revoking privileges _____________________________ __________________________

Page 6

Assigning Privileges
- The foundation for assigning privileges is dictated by the existing access control model
- Recall that there are four major access control models:
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Role Based Access Control (RBAC)
  - Rule Based Access Control (RBAC)

Page 7

Auditing System Security Settings
- Auditing system security settings for user privileges involves:
  - A regular _______________________
  - Using ______________________
  - Implementing ______________________
- More to come on each of these

Page 8

Auditing System Security Settings (continued) - User access and rights review
- It is important to periodically review user access ______________________
- Most organizations have a _____________ that mandates regular reviews
- Reviewing user access rights for logging into the network can be performed on the _____________________
- Reviewing user permissions over objects can be viewed on the _______________

Page 10

Auditing System Security Settings (continued) - Group Policies
- Instead of setting the same configuration baseline on each computer, a ______________ can be created
- Security template
  - A method to ___________________________________
- On a Microsoft Windows computer, one method to deploy security templates is to use ___________
  - A feature that provides __________________________ ____________________ of computers and remote users who are using Active Directory (AD)

Page 11

Auditing System Security Settings (continued) - Group Policies
- The ____________________________ within group policies are known as Group Policy Objects (______)
- GPOs are a ______________________________ that can be applied to user objects or AD computers
- Settings are manipulated using administrative template files that are included within the GPO

Page 12

Auditing System Security Settings (continued) - Storage and retention policies
- Information lifecycle management (______)
  - A set of strategies for ____________________________ ________ computer storage systems in order to _________
- ILM strategies are typically recorded in storage and retention ___________________
  - Outline the requirements for data storage
- _____________________
  - 1st step in developing storage and retention policies
  - Assigns a ____________________________________ ___________ and regulation requirements to __________
- Example on next slide…

Page 13

Auditing System Security Settings (continued) - Storage and retention policies (example slide)

Page 14

Auditing System Security Settings (continued) - Storage and retention policies
- Grouping data into _________ often requires the assistance of the users who save and retrieve the data on a regular basis
- The 2nd step is to ______________________ __________________________________
- Occasional _____________ of storage and retention policies is important

Page 15

Usage Auditing
- ____________________
  - Audits what objects a user has ____________________
  - Involves an examination of _____________________ ______________________ and how frequently
- Sometimes access privileges can be very ________
  - Usage auditing can help _____________________ ____________________
- Permissions given to a higher level “parent” will also be ___________________________
  - Adds to the complexity of access privileges
- See example on next slide

Page 16

Usage Auditing (continued) (example slide)
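As an added example (not part of the slides), the inheritance effect described on the previous slide worked through in Python: a small usage audit over a constructed folder tree in which rights granted on a parent are also held on its children, reporting where a user's effective access exceeds what the job function requires (the least-privilege expectation from the privilege-auditing slides). The tree, ACLs, group memberships and job requirements are all constructed sample data.

```python
# Constructed directory tree, ACLs, group memberships and job requirements
# used to illustrate the audit (sample data, not from the slides).
TREE = {                       # object -> parent (None for a top-level object)
    "/finance": None,
    "/finance/payroll": "/finance",
    "/finance/reports": "/finance",
    "/hr": None,
    "/hr/reviews": "/hr",
}
ACL = {                        # explicit grants: object -> {group: rights}
    "/finance": {"finance-staff": {"read"}, "finance-admins": {"read", "write"}},
    "/finance/payroll": {"payroll-clerks": {"read", "write"}},
    "/hr": {"hr-staff": {"read", "write"}},
}
GROUPS = {                     # user -> groups the user belongs to
    "alice": {"finance-staff"},
    "bob": {"finance-admins", "hr-staff"},
    "carol": {"payroll-clerks"},
}
JOB_NEEDS = {                  # least-privilege expectation per job function
    "alice": {"/finance/reports": {"read"}},
    "bob": {"/finance": {"read", "write"}},
    "carol": {"/finance/payroll": {"read", "write"}},
}

def _inherited(obj, grants_on):
    """Collect grants on obj plus everything handed down from its parents:
    a right given to the parent is also held on every child."""
    rights = set()
    node = obj
    while node is not None:
        rights |= grants_on(node)
        node = TREE[node]
    return rights

def effective_rights(user, obj):
    """Rights the user actually holds on obj through any group, explicit or inherited."""
    groups = GROUPS.get(user, set())
    def grants_on(node):
        held = set()
        for group, rights in ACL.get(node, {}).items():
            if group in groups:
                held |= rights
        return held
    return _inherited(obj, grants_on)

def needed_rights(user, obj):
    """Rights the job function requires on obj; a need stated for a parent
    covers its children, mirroring how the permissions themselves inherit."""
    needs = JOB_NEEDS.get(user, {})
    return _inherited(obj, lambda node: set(needs.get(node, set())))

def excess_access(user):
    """Usage-audit finding: objects where held rights exceed the job's needs."""
    findings = {}
    for obj in TREE:
        extra = effective_rights(user, obj) - needed_rights(user, obj)
        if extra:
            findings[obj] = extra
    return findings

if __name__ == "__main__":
    for user in GROUPS:
        print(user, excess_access(user))
```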

Page 17

Usage Auditing (continued)
- Inheritance becomes more complicated with ______
- GPO inheritance
  - Allows administrators to set a ____________________ ______________________ in the Microsoft AD
  - Other administrators can apply more specific policies at a lower level that apply only to subsets of users or computers
- GPOs that are _________________________ are processed _______________, followed by the order that policies were linked to a container object

Page 18

Usage Auditing involves Log Management
- A ______ is a record of events that occur
- Logs are composed of ____________________
  - Each entry contains _____________________________ that has occurred
- Logs, from both hardware and software systems, have been used primarily for _______________ problems
- __________________________
  - The process for ________________________________ ___________________ of computer security log data

Page 19

Usage Auditing involves Log Management (continued)
- Security _____________________
  - Antivirus software
  - Remote access software
  - Automated patch update service
- Security __________________________
  - Network intrusion detection systems (NIDS) and host and network intrusion prevention systems (HIPS/NIPS)
  - Domain Name System (DNS)
  - Authentication servers
  - Proxy servers
  - Firewalls (more info a few slides down…)

Page 21

Usage Auditing involves Log Management (continued)

Page 22

Usage Auditing involves Log Management (continued)

Page 23

Usage Auditing involves Log Management (continued)
- Types of items that should be examined in a _________________ include:
  - IP addresses that are being rejected and dropped
  - Probes to ports that have no application services running on them
  - Source-routed packets
  - Suspicious outbound connections
  - Unsuccessful logins
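As an added example (not part of the slides), a short Python review pass over constructed firewall log lines that surfaces the five item types listed above. The key=value line format, the srcroute flag, the set of ports with a listening service and the set of expected outbound ports are all assumptions standing in for an organization's own log format and configuration.

```python
from collections import Counter, defaultdict

# Constructed sample firewall log lines in an assumed key=value format
# (sample data, not from the slides).
SAMPLE_LOG = """\
ts=2015-12-21T08:00:01 action=DROP dir=in src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp
ts=2015-12-21T08:00:02 action=DROP dir=in src=203.0.113.9 dst=192.0.2.10 dport=23 proto=tcp
ts=2015-12-21T08:00:03 action=DROP dir=in src=203.0.113.9 dst=192.0.2.10 dport=3389 proto=tcp
ts=2015-12-21T08:00:04 action=ACCEPT dir=in src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
ts=2015-12-21T08:00:05 action=DROP dir=in src=198.51.100.20 dst=192.0.2.10 dport=80 proto=tcp srcroute=1
ts=2015-12-21T08:00:06 action=ACCEPT dir=out src=192.0.2.10 dst=203.0.113.50 dport=6667 proto=tcp
ts=2015-12-21T08:00:07 action=REJECT dir=in src=203.0.113.9 dst=192.0.2.10 dport=8080 proto=tcp
ts=2015-12-21T08:00:08 action=ACCEPT dir=out src=192.0.2.10 dst=198.51.100.1 dport=443 proto=tcp
ts=2015-12-21T08:00:09 action=LOGIN result=FAIL user=admin src=203.0.113.9
"""

# Assumed: ports with a service listening on the protected host, and the
# outbound destination ports the organization expects to see.
SERVICE_PORTS = {80, 443}
ALLOWED_OUT_PORTS = {53, 80, 443}

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def review(log_text, probe_threshold=3):
    """Return the items a review of a firewall log should surface."""
    findings = defaultdict(list)
    dropped = Counter()              # source address -> rejected/dropped packets
    probes = defaultdict(set)        # source address -> unserved ports touched
    for line in log_text.splitlines():
        e = parse(line)
        # unsuccessful logins to the firewall's own management interface
        if e["action"] == "LOGIN":
            if e["result"] == "FAIL":
                findings["failed_logins"].append((e["user"], e["src"]))
            continue
        port = int(e["dport"])
        # addresses being rejected and dropped
        if e["action"] in ("DROP", "REJECT"):
            dropped[e["src"]] += 1
        # probes to ports with no application service running on them
        if e["dir"] == "in" and port not in SERVICE_PORTS:
            probes[e["src"]].add(port)
        # source-routed packets (an assumed srcroute=1 flag in the log)
        if e.get("srcroute") == "1":
            findings["source_routed"].append(e["src"])
        # suspicious outbound connections
        if e["dir"] == "out" and port not in ALLOWED_OUT_PORTS:
            findings["suspicious_outbound"].append((e["dst"], port))
    # one address touching several unserved ports reads as a port probe
    for src, ports in probes.items():
        if len(ports) >= probe_threshold:
            findings["port_probes"].append((src, sorted(ports)))
    findings["rejected_or_dropped"] = dict(dropped)
    return dict(findings)

if __name__ == "__main__":
    for item, hits in review(SAMPLE_LOG).items():
        print(item, hits)
```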

Page 24

Usage Auditing involves Log Management (continued)

Page 25

Usage Auditing involves Log Management (continued)
- Operating System (OS) logs
  - Two common types of security-related OS logs:
    1. _____________________________
    2. ____________________________
- ___________________
  - An occurrence within a software system that is communicated to users or other programs ___________ _______________________
- 1. System events
  - _____________________ that are performed by the ________________________

Page 26

Usage Auditing involves Log Management (continued)
- System events that are commonly recorded include:
  - _________________________________
  - ____________________ information
- 2. Logs based on audit records
  - The second common type of security-related operating system logs
  - Audit records that are commonly recorded include:
    - _____________________________
    - ______________________________

Page 28

Usage Auditing involves Log Management (continued)
- Log management _______________:
  - A routine review and analysis of logs helps to __________________, policy violations, fraudulent activity, and _________________ shortly after they have occurred
  - Logs can also be used in providing information for ___________________________
  - Logs may be useful for ___________________ __________, supporting the organization’s internal investigations, and identifying operational trends and long-term problems

Page 30

Usage Auditing involves Log Management (continued)
- It is recommended that organizations enact the following log management solutions:
  - Enact ______________________
  - Establish __________________ and procedures for log management
  - Maintain a ____________________ infrastructure
  - Prioritize log management throughout the organization
  - Use __________________________
  - Provide adequate support

Page 31

Usage Auditing involves Change Management
- ___________________________
  - Refers to a methodology for ____________ and ___________________________, often manually
  - Seeks to approach changes _____________ and provide the necessary __________________ of the changes
- Two major types of changes regarding security that are routinely documented:
  - Any change in _______________________
  - _______________ classification

Page 32

Usage Auditing involves Change Management (continued)
- Change management team (CMT)
  - Created to ________________________
  - Any proposed change must first be approved by the CMT
- The team might typically be composed of:
  - Representatives from all areas of IT (servers, network, enterprise server, etc.)
  - Network security
  - Upper-level management

Page 33

Usage Auditing involves Change Management (continued)
- The duties of the CMT include:
  - Review proposed changes
  - Ensure that the risk and impact of the planned change is clearly understood
  - Recommend approval, disapproval, deferral, or withdrawal of a requested change
  - Communicate proposed and approved changes to co-workers

Page 34

Monitoring Methodologies and Tools
- There are several types of instruments that can be used on systems and networks to _______________________________
- Monitoring involves ___________________, ________________________________
- Monitoring methodologies include _________ ____________________ and ______________________ monitoring
- More to come on each of these…

Page 35

Methodologies for Monitoring
- Anomaly-based monitoring
  - Designed for detecting ________________ _______________________
  - A ___________________ (considered “normal” for that network) against which ______________________ __________________
  - Whenever there is a ____________________ from this baseline, an alarm is raised
  - Advantage: ___________ the anomalies ______________

Page 36

Methodologies for Monitoring (continued)
- Anomaly-based monitoring (continued)
  - ________________________
    - Alarms that are raised when there is _________ _______________________
    - Normal behavior can change easily and even quickly
  - Anomaly-based monitoring is _____________ __________________________
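As an added example (not part of the slides), the baseline-and-deviation idea from these two anomaly-based monitoring slides in Python on constructed per-minute connection counts: a one-off burst raises a correct alarm, while a lasting change in what is normal keeps alarming against a static baseline until the baseline is allowed to follow the new behavior. The mean/standard-deviation baseline, the k-sigma threshold and the sliding window are assumptions of the example.

```python
import statistics
from collections import deque

# Constructed per-minute counts of outbound connections from one host during
# a window the analyst treats as "normal" (sample data, not from the slides).
TRAINING = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 41, 38]

def build_baseline(samples):
    """The baseline is the mean and standard deviation of normal activity."""
    return statistics.mean(samples), statistics.pstdev(samples)

def deviates(value, baseline, k=3.0):
    """True when value lies more than k standard deviations from the baseline
    mean; k is a tuning threshold assumed by this example."""
    mean, sd = baseline
    return abs(value - mean) > k * sd

def monitor(stream, training, k=3.0, adapt=False):
    """Feed observations one at a time and return the indexes that raised an
    alarm. With adapt=True every observation, alarmed or not, enters the
    sliding window, so the baseline follows a lasting change in behavior."""
    window = deque(training, maxlen=len(training))
    alarms = []
    for i, value in enumerate(stream):
        if deviates(value, build_baseline(window), k):
            alarms.append(i)
            if not adapt:
                continue          # keep the original notion of "normal"
        window.append(value)
    return alarms

# A single burst is a genuine anomaly: the alarm is correct.
BURST = [41, 43, 180, 40]
# A new nightly backup job permanently doubles the host's connections: a
# static baseline keeps alarming on now-normal activity (false positives).
NEW_NORMAL = [95, 96, 94, 97, 95, 96, 94, 95]

if __name__ == "__main__":
    print("burst alarms:", monitor(BURST, TRAINING))
    print("static baseline alarms:", monitor(NEW_NORMAL, TRAINING))
    print("adaptive baseline alarms:", monitor(NEW_NORMAL, TRAINING, adapt=True))
```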

Page 37

Methodologies for Monitoring (continued)
- Signature-based monitoring
  - Compares activities against a _________________
  - Requires access to an ____________________________
  - Current behavior must then be compared against a collection of signatures
- Weaknesses
  - The signature databases must be __________________
  - As the number of signatures grows, the behaviors must be ___________________________________________ of signatures

Page 38

Methodologies for Monitoring (continued)
- Behavior-based monitoring
  - Designed to be ______________________ instead of reactive
  - Uses the “normal” ____________________ as the standard
  - Continuously analyzes the behavior of processes and programs on a system
  - Alerts the user if it detects any _________________
  - Advantage: _________________ to update signature files or compile a baseline of statistical behavior

Page 39

Methodologies for Monitoring (continued)

Page 40

Three Monitoring Tools
1. Performance baselines and monitors
- __________________________
  - A reference set of data established to _____________ _____________________ for a system or systems
- Data is accumulated through the ___________ _________________ and networks through _____________________________
- _____________ is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made

Page 41

Three Monitoring Tools (continued)
2. ______________________
- A low-level system program that uses a __________________ designed to monitor and ______________________ on a desktop system, server, or even a PDA or cell phone
- Some system monitors have a Web-based interface
- System monitors generally have a fully customizable notification system

Page 42

Three Monitoring Tools (continued)
3. ___________________________
- Also called a ____________________
- ____________________________________ its contents
- Can fully decode application-layer network protocols
- The different parts of the protocol can be analyzed for any suspicious behavior

Page 43

Summary
- A “privilege” can be considered a subject’s access level over an object
- Auditing system security settings for user privileges involves a regular review of user access and rights
- Information lifecycle management (ILM) is a set of strategies for administering, maintaining, and managing computer storage systems in order to retain data
- Usage auditing involves an examination of which subjects are accessing specific objects and how frequently

Page 44

Summary (continued)
- Logs related to computer security have become particularly important
- Change management refers to a methodology for making changes and keeping track of those changes, often manually
- Monitoring involves examining network traffic, activity, transactions, or behavior in order to detect security-related anomalies