Data security auditing and accountability

AUDITING AND ACCOUNTABILITY

Transcript of Data security auditing and accountability

Page 1: Data security   auditing and accountability

AUDITING AND ACCOUNTABILITY

Page 2: Data security   auditing and accountability

THE NEED FOR ACCOUNTABILITY

Even though we have allowed a party to access a resource, we still need to ensure that they behave in accordance with the rules set.

Page 3: Data security   auditing and accountability

DATA SECURITY

• Identification
• Authentication
• Authorization
• Control
• Accountability

Page 4: Data security   auditing and accountability

ACCOUNTABILITY

• Provides the means to trace activities in our environment back to their source.
• Depends on identification, authentication, and access control being present so that one can know who a given transaction is associated with and what permissions were used to allow them to carry it out.
• Puts sufficient controls in place to deter or prevent those who would break the rules and abuse the resources they have access to.

Page 5: Data security   auditing and accountability

SECURITY BENEFITS OF ACCOUNTABILITY

• NONREPUDIATION
  • Refers to a situation in which sufficient evidence exists to prevent an individual from successfully denying that he or she has made a statement or taken an action.
  • Example: system or network logs

Page 6: Data security   auditing and accountability

SECURITY BENEFITS OF ACCOUNTABILITY

• DETERRENCE
  • If those monitored are aware that they are monitored, and it has been communicated to them that there will be penalties for acting against the rules, these individuals may think twice before straying outside the lines.

Page 7: Data security   auditing and accountability

SECURITY BENEFITS OF ACCOUNTABILITY

• INTRUSION DETECTION AND PREVENTION
  • Example: implementing alerts based on unusual activities in our environment and checking the information we have logged on a regular basis.

Page 8: Data security   auditing and accountability

SECURITY BENEFITS OF ACCOUNTABILITY

• ADMISSIBILITY OF RECORDS
  • It is often much easier to prove admissibility when records are produced from a regulated and consistent tracking system. This means the organization can provide a solid and documented chain of custody for said evidence, such as showing where evidence was at all times, how exactly it passed from one person to another, how it was protected while it was stored, and so on.

Page 9: Data security   auditing and accountability

AUDITING

• A methodological examination and review of resources
• Provides us with data which can be used to implement accountability

Page 10: Data security   auditing and accountability

WHAT DO WE AUDIT

• Passwords
  • Policies must be implemented to dictate how passwords are constructed and used
• Software Licensing
  • On systems owned by the organization, all software used must be appropriately licensed
• Internet Usage
  • Use of instant messaging, e-mail, file transfers, or other transactions

Page 11: Data security   auditing and accountability

LOGGING

• Gives a history of the activities that have taken place in the environment being logged.
• Logging mechanisms can be set up to log anything from solely critical events to every action carried out by the system or software, such as:
  • Software error logs
  • Hardware failures
  • Users logging in and out
  • Resource access
  • Tasks requiring increased privileges in most logs

Page 12: Data security   auditing and accountability

LOGGING

• Logs are available to administrators for review and are usually not modifiable by the users of the system.
• Logs must be regularly reviewed in order to catch anything unusual in their contents.
• We may be asked to analyze logs in relation to a particular incident or situation.

Page 13: Data security   auditing and accountability

MONITORING

• A subset of auditing that tends to focus on observing information about the environment being monitored in order to discover undesirable conditions such as failures, resource shortages, security issues, and trends that might signal the arrival of such conditions.

Page 14: Data security   auditing and accountability

MONITORING

• Typically watching specific items of data collected, such as:
  • Resource usage on computers
  • Network latency
  • Attacks occurring repeatedly against servers with network interfaces exposed to the Internet
  • Traffic passing through physical access controls at unusual times of day

• CLIPPING LEVEL – activities are occurring at levels above what is normally expected
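
A clipping level applied to login logs, as an added example that is not part of the original slides: failed logins are counted per source address in fixed time windows, and only counts above the clipping level are reported. The log format, the sample lines, the addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = """\
2024-05-01T09:01:10 sshd FAILED login user=alice src=198.51.100.20
2024-05-01T09:01:25 sshd FAILED login user=alice src=198.51.100.20
2024-05-01T09:01:40 sshd OK login user=alice src=198.51.100.20
2024-05-01T02:10:01 sshd FAILED login user=root src=203.0.113.7
2024-05-01T02:10:03 sshd FAILED login user=admin src=203.0.113.7
2024-05-01T02:10:05 sshd FAILED login user=root src=203.0.113.7
2024-05-01T02:10:09 sshd FAILED login user=test src=203.0.113.7
2024-05-01T02:11:30 sshd FAILED login user=oracle src=203.0.113.7
2024-05-01T02:16:00 sshd FAILED login user=root src=203.0.113.7
this line is malformed and must not break the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<result>FAILED|OK) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def failures_per_window(log_text, window_minutes=5):
    """Count failed logins per (source address, window start)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAILED":
            continue  # skip malformed lines and successful logins
        ts = datetime.fromisoformat(m["ts"])
        # Round the timestamp down to the start of its window.
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0)
        counts[(m["src"], start)] += 1
    return counts

def exceed_clipping_level(log_text, clipping_level=3, window_minutes=5):
    """Return sorted (src, window_start, count) for counts above the level."""
    counts = failures_per_window(log_text, window_minutes)
    return sorted((src, start.isoformat(), n)
                  for (src, start), n in counts.items()
                  if n > clipping_level)

if __name__ == "__main__":
    for src, start, n in exceed_clipping_level(SAMPLE_LOG):
        print(f"ALERT src={src} window={start} failed_logins={n}")
```

The two mistyped passwords from 198.51.100.20 stay below the clipping level and raise no alert, while the burst from 203.0.113.7 does; setting the level too low would flag ordinary user mistakes.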

Page 15: Data security   auditing and accountability

ASSESSMENTS

• A more active route of determining whether everything is as it should be and compliant with relevant laws, regulations, and policies, by examining the environment for vulnerabilities.

• APPROACHES
  • Vulnerability Assessment
  • Penetration Testing

Page 16: Data security   auditing and accountability

VULNERABILITY ASSESSMENT

• Involves the use of vulnerability scanning tools in order to locate a vulnerability.

• NESSUS
  • A vulnerability scanning tool that checks target systems to discover which ports are open and then interrogates each open port to find out exactly which service is listening on the port in question.
  • With the information collected, it checks its database of vulnerability information to determine whether any vulnerability may be present.

Page 17: Data security   auditing and accountability

PENETRATION TESTING

• Mimicking the techniques an actual attacker may use to penetrate a system.