Auditing for Security Management
By Cyril Onwubiko
Network Security Analyst at COLT Telecom
Invited Guest Lecture delivered at London Metropolitan University, for the MSc in IT Security students.
A copy of this presentation is available at http://www.research-series.com/cyril
London Metropolitan University
Networking and Communications Group

Overview
- Background
- Practice
- Audit Trail Analysis

Background
Problem Statement
To assess the effectiveness of an organisation's ability to protect its valued/critical assets, by evaluating/examining:
- Policy
- Processes and Procedures
- Operations
Context
Why
Security Audit is performed to ensure:
- Compliance with Standards & Laws
- Valued assets are protected
To Recommend:
- Improvement and Enforce Controls
Practice

General Concept
Auditing:
- Security Policy
- Backup Controls
- Logging & Monitoring
- Data Protection
- System and Network Protection
- Disaster Recovery
- Compliance
- Web Usage & Filtering
- Security Threats
- Security Vulnerability
- Business Continuity
- Physical Access
Things to Consider before an Audit
Who to Use:
- Internal Auditor
- External Auditor
Type of Audit:
- IS Technical: Minimise Loss/Failure
- IS Efficiency: Minimise Costs and Increase RoI
- IS Assessment: Certification & Compliance
- Software Assessment: Inventory/People/Performance
- Information Security: Verify Compliance/Best Practices
Guarantee:
- Due Care
Guidelines
Authority:
- ISACA: Information Security Audit & Control Association. Recommends computer systems audit and controls. Example: COBIT - Control Objectives for Information & related Technology (IT Governance Institute)
Laws:
- HIPAA: Health Insurance Portability & Accountability Act. Responsible for ensuring health information is protected and secured. Protected Health Information (PHI)
Guidelines-2
Laws:
- GLBA: Gramm-Leach-Bliley Act. Financial sector guideline for IS controls; provides risk management controls
- CISAA: Corporate Information Security Accountability Act. Information security accountability controls
- GAISP: Generally Accepted Information Security Principles
- CSBIA: California Security Breach Information Act. Disclosure of security breaches
Responsible to: Shareholders, Customers & 3rd parties.
Audit Trail Analysis

Security Audit
Audit: Which? Where? When? What? Who? How?
Audit Trail Analysis
Audit Trail:
A collection of logged computer network events, comprising operating system, application and user activities.
Example: Syslog, Sulog, Lastlog and Event Viewer
Audit Policy
Fig. 1: Event Viewer
Fig. 2: Audit Policy
Controls
- Data Analysers – Intrusion Detection Systems
- Integrity Checks – Example Tripwire
- Security Information Management Systems – Example ArcSight & SEC
- Accountability Tools – Example RADIUS & LogLogic
- Investigation – Security Forensics
- Recovery – Business Continuity, Backup
Sample Event Log (Anonymised)
more ./messages | grep backupuser
Mar 20 05:21:00 10.0.0.2 Mar 20 2008 04:40:04: %PIX-5-611103: User logged in: Uname: backupuser
Mar 20 05:21:22 10.0.0.1 Mar 20 2008 04:45:56: %PIX-6-315011: SSH session from 10.0.0.3 on interface testbackup-mgmt for user "backupuser"
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-109005: Authentication succeeded for user 'backupuser' from 10.0.0.3/24936 to 10.0.0.2/22 on interface testbackup-mgmt
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-605005: Login permitted from 10.0.0.3/24936 to testbackup-mgmt:10.0.0.2/ssh for user "backupuser"
Correlation
Fig. 3: Events correlated to an incident (Event 1, Event 2 and Event 3 combine into one Incident)
Fig. 4: Example of a Port scan incident (labels h1 to h5)
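The sample event log and the two correlation figures describe the same workflow: parse raw firewall syslog, then fold related events into one incident. The following is an added example written for this transcript, not code from the lecture or from SEC/ArcSight. It parses the Cisco PIX syslog layout shown in the sample, applies the Fig. 3 rule (several authentication messages for one user become a single login incident) and a Fig. 4 rule (one source denied on many distinct destination ports in a short run becomes a port-scan incident). The four backupuser lines are the lecture's own anonymised log; the %PIX-4-106023 deny lines are constructed here following that message's documented layout, and the window sizes, message-ID set and port threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# PIX syslog layout as in the lecture's sample: collector timestamp, reporting
# device, the device's own timestamp, then %PIX-<severity>-<message id>: <text>.
PIX_LINE = re.compile(
    r"^(?P<recv_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<device>\S+) "
    r"(?P<dev_ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): "
    r"%PIX-(?P<severity>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)
# User name as written by 315011/109005/605005 (user "x" / user 'x') and 611103 (Uname: x).
USER_RE = re.compile(r"""user ['"]?(?P<user>[\w.-]+)|Uname: (?P<uname>[\w.-]+)""")
# Access-list deny (106023): Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ...
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<port>\d+)"
)
# Message IDs treated as parts of one login (assumed set, taken from the sample).
LOGIN_MSGIDS = {"611103", "315011", "109005", "605005"}

# First four lines: the lecture's anonymised sample. Remaining lines: constructed.
SAMPLE_LOG = """\
Mar 20 05:21:00 10.0.0.2 Mar 20 2008 04:40:04: %PIX-5-611103: User logged in: Uname: backupuser
Mar 20 05:21:22 10.0.0.1 Mar 20 2008 04:45:56: %PIX-6-315011: SSH session from 10.0.0.3 on interface testbackup-mgmt for user "backupuser"
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-109005: Authentication succeeded for user 'backupuser' from 10.0.0.3/24936 to 10.0.0.2/22 on interface testbackup-mgmt
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-605005: Login permitted from 10.0.0.3/24936 to testbackup-mgmt:10.0.0.2/ssh for user "backupuser"
Mar 20 05:30:01 10.0.0.2 Mar 20 2008 05:30:01: %PIX-4-106023: Deny tcp src outside:198.51.100.7/51001 dst inside:10.0.0.5/21 by access-group "outside_in"
Mar 20 05:30:02 10.0.0.2 Mar 20 2008 05:30:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/51002 dst inside:10.0.0.5/22 by access-group "outside_in"
Mar 20 05:30:02 10.0.0.2 Mar 20 2008 05:30:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/51003 dst inside:10.0.0.5/23 by access-group "outside_in"
Mar 20 05:30:03 10.0.0.2 Mar 20 2008 05:30:03: %PIX-4-106023: Deny tcp src outside:198.51.100.7/51004 dst inside:10.0.0.5/25 by access-group "outside_in"
Mar 20 05:30:04 10.0.0.2 Mar 20 2008 05:30:04: %PIX-4-106023: Deny tcp src outside:198.51.100.7/51005 dst inside:10.0.0.5/80 by access-group "outside_in"
Mar 20 05:30:04 10.0.0.2 Mar 20 2008 05:30:04: %PIX-4-106023: Deny tcp src outside:198.51.100.7/51006 dst inside:10.0.0.5/443 by access-group "outside_in"
Mar 20 05:31:10 10.0.0.2 Mar 20 2008 05:31:10: %PIX-4-106023: Deny tcp src outside:192.0.2.9/40000 dst inside:10.0.0.5/445 by access-group "outside_in"
this line is not a PIX message and is skipped
"""


def parse_line(line):
    """Return one event dict for a PIX syslog line, or None if it is not one."""
    m = PIX_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    # Order on the device's own clock; the collector stamp only says when it arrived.
    ev["dev_ts"] = datetime.strptime(ev["dev_ts"], "%b %d %Y %H:%M:%S")
    u = USER_RE.search(ev["text"])
    ev["user"] = (u.group("user") or u.group("uname")) if u else None
    d = DENY_RE.search(ev["text"])
    ev["deny"] = {"src": d["src"], "dst": d["dst"], "port": int(d["port"])} if d else None
    return ev


def split_by_gap(events, window_seconds):
    """Split events into time-ordered runs where each consecutive gap is within the window."""
    runs = []
    for ev in sorted(events, key=lambda e: e["dev_ts"]):
        if runs and (ev["dev_ts"] - runs[-1][-1]["dev_ts"]).total_seconds() <= window_seconds:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    return runs


def correlate_logins(events, window_seconds=1800):
    """Fig. 3 rule: login-related messages for one user, close in time, become one incident."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["msgid"] in LOGIN_MSGIDS and ev["user"]:
            by_user[ev["user"]].append(ev)
    incidents = []
    for user, evs in by_user.items():
        for run in split_by_gap(evs, window_seconds):
            incidents.append({"type": "login", "user": user, "events": len(run),
                              "msgids": sorted({e["msgid"] for e in run}),
                              "start": run[0]["dev_ts"], "end": run[-1]["dev_ts"]})
    return incidents


def detect_port_scans(events, min_ports=5, window_seconds=60):
    """Fig. 4 rule: one source denied on many distinct ports in a short run is a port scan."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["deny"]:
            by_src[ev["deny"]["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        for run in split_by_gap(evs, window_seconds):
            ports = sorted({e["deny"]["port"] for e in run})
            if len(ports) >= min_ports:
                incidents.append({"type": "port_scan", "src": src, "ports": ports,
                                  "start": run[0]["dev_ts"], "end": run[-1]["dev_ts"]})
    return incidents


def analyse(log_text):
    """Parse every line, drop non-PIX lines, and return (login incidents, scan incidents)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return correlate_logins(events), detect_port_scans(events)


if __name__ == "__main__":
    logins, scans = analyse(SAMPLE_LOG)
    for inc in logins + scans:
        print(inc)
```

Run on the sample, analyse() yields one login incident for backupuser built from all four messages and one port-scan incident for 198.51.100.7 on ports 21, 22, 23, 25, 80 and 443; the single deny from 192.0.2.9 stays below the threshold. One detail worth noticing in the lecture's own four lines: the collector received them within 24 seconds, yet the devices' own timestamps span almost 20 minutes, so the choice of which clock to correlate on changes what falls inside a window. Time-synchronising log sources is a prerequisite for any of these rules to be trustworthy.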
Proactive Monitoring Technique:
Open Source Initiatives:
- SEC (Simple Event Correlator)
- OS-SIM (Open Source Security Information Management)
- PADS (Passive Asset Detection System)
- SNORT – Open Source IDS
- BASE (Basic Analysis and Security Engine), e.g. Alert Management
Software:
- PreventSys – McAfee PreventSys Risk and Compliance Audit
- QualysGuard Consultant
Conclusion
Audit for management aims to evaluate policies, practices and operations, for compliance, detection, protection and forensics.
It requires tools and techniques.
Recommendations:
- Periodic security audits, to assess whether security needs are satisfied
- Make contingency, business continuity and disaster recovery plans in case controls fail.
Resources/References
1. CEE: Common Event Expression - http://cee.mitre.org/
2. PreventSys - http://www.mcafee.com/us/enterprise/products/risk_management/index.html
3. QualysGuard Consultant - http://www.qualys.com/partners/qgcon/
4. CAPEC: Common Attack Pattern Enumeration and Classification - http://capec.mitre.org/data/index.html
5. ATFG: Audit Trails Format Group - http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-format.html
6. SEC: Simple Event Correlator - http://kodu.neti.ee/~risto/sec/
7. BASE: Basic Analysis and Security Engine - http://base.secureideas.net/screens.php
8. ISACA - www.isaca.org
9. COBIT - www.isaca.org/cobit
10. HIPAA - http://www.hipaa.org/
Question & Answer
Thank-You
Author's Contact: [email protected]
A copy of this presentation is available at: http://www.research-series.com/cyril