Chapter 7: Auditing, Testing, and Monitoring
Personal Information Protection and Electronic Documents Act (PIPEDA)
A Canadian law that protects how organizations collect, use, or disclose personal information in e-commerce transactions
Security Information and Event Management (SIEM) system
A system that centralizes the collection and monitoring of security and event logs from many different systems. Because events from different sources land in one place, a SIEM can correlate them and detect attacks early that would be invisible in any single log.
operating system fingerprinting
A reconnaissance technique in which an attacker sends probes to a target (typically as part of port scanning) and analyzes how its TCP/IP stack responds (initial TTL, TCP window size, option ordering, and similar details) to learn which operating system and version it is running.
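The features a fingerprinter looks at are easier to see in code than in prose. The following is an added example, not code from the page's source text: it parses two constructed IPv4/TCP SYN packets and guesses the OS family from the inferred initial TTL and the order of TCP options. The two fingerprints in the table are the widely documented defaults for Linux (initial TTL 64, options mss/sok/ts/nop/ws) and Windows (initial TTL 128, options mss/nop/ws/nop/nop/sok); real tools such as Nmap or p0f use far larger signature databases, so treat the table as a simplified heuristic and the packet bytes as constructed test data.

```python
"""OS fingerprinting from SYN packet characteristics (added example).

Parses IPv4 + TCP headers, extracts TTL, DF flag, window size and TCP option
order, and matches them against a small, simplified fingerprint table.
"""
import struct

# TCP option kinds (RFC 793, 1323, 2018); anything else is reported as optN.
OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}

# Simplified fingerprint table (assumption: these two well-known defaults only).
FINGERPRINTS = {
    (64, ("mss", "sok", "ts", "nop", "ws")): "Linux",
    (128, ("mss", "nop", "ws", "nop", "nop", "sok")): "Windows",
}


def parse_tcp_options(raw):
    """Return the option kinds in the order they appear in the TCP header."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end-of-option-list: stop
            break
        if kind == 1:            # NOP is a single byte with no length field
            names.append("nop")
            i += 1
            continue
        length = raw[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        names.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += length
    return tuple(names)


def parse_syn(packet):
    """Extract the fields a fingerprinter compares from raw IPv4+TCP bytes."""
    ver_ihl, _tos, _tlen, _ident, frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if proto != 6:
        raise ValueError("not a TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:]
    _sp, _dp, _seq, _ack, off_res, _flags, window, _tcsum, _urg = \
        struct.unpack("!HHLLBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    return {
        "ttl": ttl,
        "df": bool(frag & 0x4000),
        "window": window,
        "options": parse_tcp_options(tcp[20:doff]),
    }


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (64, 128, 255) if observed_ttl <= t)


def guess_os(packet):
    """Return (OS family guess, parsed fields); 'unknown' if nothing matches."""
    fields = parse_syn(packet)
    key = (initial_ttl(fields["ttl"]), fields["options"])
    return FINGERPRINTS.get(key, "unknown"), fields


def build_syn(ttl, window, options):
    """Construct a minimal IPv4+TCP SYN for testing (checksums left as zero)."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHLLBBHHH", 40001, 80, 1000, 0, doff << 4, 0x02,
                      window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp


# Constructed packets as they would look after 11 router hops (TTL decremented).
LINUX_SYN = build_syn(53, 29200,
    b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!LL", 12345, 0)
    + b"\x01" + b"\x03\x03\x07")
WINDOWS_SYN = build_syn(117, 64240,
    b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02")

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN)):
        print(name, guess_os(pkt))
```

The same fields are what an active fingerprinter compares after sending its own probes; the difference is only whether the packets were solicited. Defenders can blunt the technique by normalizing TTLs and TCP options at the network edge, but should assume a determined attacker will still get a usable guess.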
Penetration Testing
An authorized test in which the tester takes the role of an attacker and actually attempts to exploit identified weaknesses in vulnerable systems, rather than only reporting that the weaknesses exist.
Anomaly-based IDS
An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.
signature-based IDS
An intrusion detection system that maintains a database of signatures that might signal a particular type of attack and compares incoming traffic to those signatures
pattern-based IDS
An intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders.
Mitigation activities
Any activities designed to reduce the severity of a vulnerability or remove it altogether.
Examples of Non-real-time monitoring
- Application logging: all applications that access or modify sensitive data should have logs that record who used or changed the data and when
- System logging: provides records of who accessed the system and what actions they performed on it
- Activities you need to log: host-based activity, and network and network-device activity
Audit checks whether controls are
- Appropriate: is the level of security control suitable for the risk it addresses?
- Installed correctly: is the security control in the right place and working well?
- Addressing their purpose: is the security control effective in addressing the risk it was designed to address?
Security Monitoring tools and techniques
- Baselines: understanding what normal looks like so you can compare it with what is happening (for example, 40 percent disk usage that suddenly doubles overnight)
- Alarms, alerts, and trends: responses to security events that notify personnel of a possible security incident (alert = door chime when you open the door; alarm = siren when the alarm is set and the door is opened)
- Closed-circuit TV: monitoring and recording what the cameras see
- Systems that spot irregular behavior: IDSs and honeypots (traps set to capture information about improper activity on a network)
reconnaissance
Collecting as much information as possible about the target system before attacking it. The gathered data is the attacker's main path into the target. It involves footprinting, enumeration, and scanning.
Audits generally contain at least 3 broad sections
- Findings
- Recommendations: timelines for implementation, level of risk, management response
- Follow-up
zone transfer
In DNS, the act of copying a primary name server's zone file to a secondary name server to ensure that both contain the same information. Because a zone transfer hands over every record in the zone, attackers request them as a reconnaissance step to enumerate hosts; name servers should allow transfers only to authorized secondaries.
SOC 1
Scope: internal controls over financial reporting (ICFR). Audience: user entities and their auditors. Commonly implemented for organizations that must comply with the Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLBA).
Real-Time monitoring examples
- Intrusion detection system: a host IDS (HIDS) notices activity on a computer as the activity is happening
- System integrity monitoring: enables you to watch computer systems for unauthorized changes and report them to administrators in near real time
- Data loss prevention (DLP): uses business rules to classify information and prevent unauthorized end users from sharing it
Security Review elements
- Monitor: review and measure all controls to capture actions and changes on the system
- Audit: review the logs and overall environment to provide an independent analysis of how well the security policy and controls work
- Improve: include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management
- Secure: ensure that new and existing controls work together to provide the intended level of security
Most common permission levels
- Promiscuous: everything is allowed. Used by many home users, but makes it easier for attackers to succeed
- Permissive: anything not specifically prohibited is OK. Suitable for most public internet sites, some schools and libraries, and many training centers
- Prudent: a reasonable list of things is permitted; all others are prohibited and carefully monitored. Suitable for most businesses
- Paranoid: very few things are permitted; all others are prohibited and carefully monitored. Suitable for secure facilities
Real-time monitoring
Provides information on what is happening as it happens
Audit Data collection methods
- Questionnaires: both managers and users
- Interviews: gathering insight into operations from all parties; often prove to be valuable sources of information and recommendations
- Observation: input used to differentiate between paper procedures and the way the job is really done
- Checklists: help ensure that the information-gathering process covers all areas
- Reviewing documentation: assess currency, adherence, and completeness
- Reviewing configurations: assessing change control procedures and the appropriateness of controls, rules, and layout
- Reviewing policy: assessing policy relevance, currency, and completeness
- Performing security testing: along with vulnerability testing and penetration testing, involves gathering technical information to determine whether vulnerabilities exist in the security components, networks, or applications
Federal laws or vendor standards that require internal and external audits
Sarbanes-Oxley Act (SOX); Health Insurance Portability and Accountability Act (HIPAA); Payment Card Industry Data Security Standard (PCI DSS). Note that PCI DSS is a contractual standard set by the card brands, not a federal law.
Stateful matching
Scans for attack signatures in the context of a traffic stream rather than individual packets
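The difference between per-packet signature matching and stateful matching (the signature-based and pattern-based IDS definitions above, and the stateful matching definition just given) is easiest to see with a request that an attacker has deliberately split across TCP segments. The following is an added example, not code from the page's source: the two regex signatures, the flow identifiers and the segment payloads are all constructed, and the reassembly ignores gaps, overlaps and retransmissions that a real IDS must handle.

```python
"""Per-packet vs. stateful signature matching (added example).

Constructed TCP segments carry a path-traversal request split so that no
single segment contains a whole signature; only the reassembled stream does.
"""
import re
from collections import defaultdict

# Constructed signature set: name -> compiled pattern applied to payload bytes.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "etc-passwd": re.compile(rb"/etc/passwd"),
}

# Constructed segments: (flow id, TCP sequence number, payload).
# Flow 2 is the attack; its segments are deliberately cut mid-signature.
SEGMENTS = [
    ("10.0.0.5:40001->10.0.0.9:80", 1, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.7:51002->10.0.0.9:80", 1, b"GET /images/../."),
    ("10.0.0.7:51002->10.0.0.9:80", 17, b"./../etc/pa"),
    ("10.0.0.7:51002->10.0.0.9:80", 28, b"sswd HTTP/1.1\r\n"),
]


def match_per_packet(segments):
    """Stateless matching: every payload is inspected on its own."""
    hits = []
    for flow, _seq, payload in segments:
        for name, rx in SIGNATURES.items():
            if rx.search(payload):
                hits.append((flow, name))
    return hits


def reassemble(segments):
    """Order each flow's segments by sequence number and concatenate them.

    Simplification: assumes contiguous, non-overlapping segments. A real IDS
    must also handle gaps, overlaps and retransmissions, since attackers use
    those to make the IDS and the target see different streams.
    """
    flows = defaultdict(list)
    for flow, seq, payload in segments:
        flows[flow].append((seq, payload))
    return {flow: b"".join(p for _s, p in sorted(parts))
            for flow, parts in flows.items()}


def match_stateful(segments):
    """Stateful matching: signatures run against the reassembled stream per flow."""
    hits = []
    for flow, stream in reassemble(segments).items():
        for name, rx in SIGNATURES.items():
            if rx.search(stream):
                hits.append((flow, name))
    return hits


if __name__ == "__main__":
    print("per-packet:", match_per_packet(SEGMENTS))   # nothing found
    print("stateful:  ", match_stateful(SEGMENTS))     # both signatures fire
```

The per-packet pass returns nothing because each segment holds only a fragment of `../../` and `/etc/passwd`; the stateful pass catches both once the flow is reassembled. This is the same reason stream reassembly is a baseline requirement for any network IDS and why evasion research focuses on making reassembly ambiguous.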
SOC 2
Scope: security (confidentiality, integrity, availability) and privacy controls. Audience: management, regulators, and stakeholders. Commonly implemented for service providers, hosted data centers, and managed cloud computing providers.
SOC 3
Scope: security (confidentiality, integrity, availability) and privacy controls. Audience: the general public. Commonly required by the customers of SOC 2 service providers to verify that the provider is meeting its customers' data privacy and compliance requirements (such as HIPAA and GLBA).
Gray Box Testing
Security testing that is based on limited knowledge of an application's design.
Auditor planning and execution phases
- Survey the site(s): understanding the environment and the connections between systems
- Review documentation: system documentation and configuration, during planning and as part of the audit
- Review the risk analysis output: understand system criticality ratings
- Review server and application logs: examine logs to look for changes in programs, permissions, or configurations
- Review incident logs: review security incident logs to get a feel for problem trends
- Review results of penetration tests: helps prepare a list of weaknesses that were found. The auditor reviews this report to address all items
White Box Testing
Testing based on an analysis of the internal structure of the component or system.
Black Box Testing
Testing, either functional or non-functional, without reference to the internal structure of the component or system.
network mapping
The process of discovering and identifying the devices on a network.
Hardened configuration
The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.
false positive
A detection or decision that is wrong in the "positive" direction. For an IDS this means benign activity is flagged as an attack (a false alarm); for an authentication system it means a subject is incorrectly accepted instead of rejected. Which of these applies depends on what the system treats as a positive result. Too many false positives waste analyst time and cause real alerts to be ignored.
false negative
The opposite error: an IDS misses a real attack and raises no alert, or an authentication system incorrectly rejects a legitimate action instead of accepting it. False negatives are the more dangerous error in detection because nothing tells you they happened.
clipping level
a predefined threshold (for example, a set number of failed logins within a given period) that triggers a predetermined response when surpassed. Typically, the response is to notify an administrator. Clipping levels keep a monitoring system from alerting on every isolated mistake while still catching repeated or sustained activity.
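Clipping levels and baselines (defined here and under "Security Monitoring tools and techniques" above) are the two building blocks of an anomaly-based IDS, and both are simple to run over log data. The following is an added example, not code from the page's source: it parses a constructed set of sshd-style log lines, raises a clipping-level alert when one source exceeds five failed logins within ten minutes, and raises a baseline alert when a user logs in outside the hours recorded in a constructed per-user profile. The log format, threshold, window and baseline hours are all assumptions chosen for the example.

```python
"""Clipping-level and baseline checks over constructed auth-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> sshd[pid]: Failed|Accepted password for <user> from <src>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

# Constructed sample data; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:02:11 sshd[811]: Accepted password for alice from 10.1.1.20
2024-03-01T09:40:03 sshd[812]: Failed password for alice from 10.1.1.20
2024-03-01T09:40:15 sshd[812]: Accepted password for alice from 10.1.1.20
2024-03-01T23:10:01 sshd[901]: Failed password for root from 203.0.113.9
2024-03-01T23:10:02 sshd[901]: Failed password for root from 203.0.113.9
2024-03-01T23:10:03 sshd[901]: Failed password for admin from 203.0.113.9
2024-03-01T23:10:04 sshd[901]: Failed password for alice from 203.0.113.9
2024-03-01T23:10:05 sshd[901]: Failed password for bob from 203.0.113.9
2024-03-01T23:10:06 sshd[901]: Failed password for bob from 203.0.113.9
2024-03-02T03:15:40 sshd[955]: Accepted password for alice from 198.51.100.7
"""

CLIPPING_LEVEL = 5              # more than this many failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within this period triggers the response

# Constructed baseline: hours of the day during which each user normally logs in.
BASELINE_HOURS = {"alice": range(8, 19), "bob": range(8, 19)}


def parse(log_text):
    """Return (timestamp, result, user, source) for every line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["src"]))
    return events


def clipping_level_alerts(events, level=CLIPPING_LEVEL, window=WINDOW):
    """Alert once per source when failed logins within `window` exceed `level`.

    A sliding window per source is kept so a single slow trickle of typos
    over the day never crosses the threshold, but a burst does.
    """
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, result, _user, src in events:
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) > level and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(q), ts))
    return alerts


def baseline_alerts(events, baseline=BASELINE_HOURS):
    """Anomaly check: a successful login outside the user's normal hours."""
    return [(user, src, ts) for ts, result, user, src in events
            if result == "Accepted" and user in baseline
            and ts.hour not in baseline[user]]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("clipping-level alerts:", clipping_level_alerts(evs))
    print("baseline alerts:      ", baseline_alerts(evs))
```

The clipping-level check fires on the burst from 203.0.113.9 (six failures across several accounts in six seconds, a password-spraying pattern) and ignores alice's single mistyped password. The baseline check flags alice's 03:15 login from a new address; that may be legitimate travel, which is exactly the false-positive trade-off an anomaly-based IDS makes and why such alerts are usually routed to a human rather than an automated block.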
NIST Cybersecurity Framework (CSF)
a response to a 2013 US presidential executive order calling for increased cybersecurity; version 1.0 was published in 2014. Focuses on critical infrastructure components but applies to many general systems. A road map for securing systems that can help auditors align business drivers and security requirements
COBIT (Control Objectives for Information and related Technology)
a set of best practices for IT management. Gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices.
Benchmark
baseline values the system seeks to attain
ISO 27002
a best-practices document that gives guidelines for information security management controls. Organizations cannot certify against ISO 27002 itself; certification is against ISO/IEC 27001, and an audit must verify that the applicable provisions are satisfied before compliance can be claimed
Service Organization Control (SOC)
defines the scope and contents of three levels of audit reports (SOC 1, SOC 2, SOC 3)
Vulnerability testing
examining the system to determine the adequacy of security measures and to identify security deficiencies
Statement on Standard for Attestation Engagements Number 16 (SSAE 16)
expanded the scope of SAS 70 and became the predominant auditing and reporting standard for service organizations. It has since been superseded in turn by SSAE 18 (effective 2017), which SOC reports are now issued under
Particular industries that require internal and external audits
financial services organizations and any organization that handles personal medical records
Covert acts
hidden and secret
Network and network devices
include access, traffic type and patterns, malware, and performance
Host-based activity
includes changes to systems, access requests, performance, and startups and shutdowns
Non-real-time monitoring
keeps historical records of activity. Suitable when it is not critical to detect and respond to incidents immediately
Overt acts
obvious and intentional
Audit
provides management with an independent assessment of whether the best controls are in place and how well they work. Helps management understand and address the risks
ITIL (information technology infrastructure library)
a set of concepts and policies for managing IT infrastructure, development, and operations. Gives a detailed description of a number of important IT practices
Auditing Standards Number 70 (SAS 70)
the first standard of its kind; provided audit guidance for many service organizations. Two report types:
- Type 1: the service auditor's assessment of the service organization's description and implementation of controls to achieve the stated control objectives
- Type 2: Type 1 plus the service auditor's assessment of whether the identified controls were implemented and operating effectively
Retired in June 2011, when SSAE 16 replaced it
hardening
the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services
benchmark
the standard to which your system is compared to determine whether it is securely configured
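Hardening and benchmarking (the definitions of "hardening", "Hardened configuration" and "benchmark" above) come down to comparing a system's actual settings with a list of required ones. The following is an added example, not code from the page's source: it checks a constructed sshd_config against a four-directive benchmark. The four directives and required values are common hardening recommendations chosen for the example, not a transcription of any published benchmark; the defaults applied for absent directives are OpenSSH's current compiled-in defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes, PermitEmptyPasswords no, X11Forwarding no). Match blocks, which can override these per user or host, are deliberately not handled.

```python
"""Audit a constructed sshd_config against a small hardening benchmark (added example)."""

# Benchmark: directive -> required value (example set; real benchmarks are larger).
BENCHMARK = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}

# Values sshd uses when the directive is absent (OpenSSH defaults).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}

# Constructed weak configuration: root login allowed, password auth left at
# its default, and a later contradictory line that sshd ignores.
WEAK_CONFIG = """\
# constructed example, not a real host
Port 22
PermitRootLogin yes
X11Forwarding no
# sshd keeps the FIRST value it sees for a directive, so this line has no effect
PermitRootLogin no
"""

# Constructed hardened configuration that satisfies the benchmark.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive (lowercased): value} honouring sshd's first-value-wins rule.

    Lines that are empty or start with '#' are comments. Match blocks are
    not modelled (assumption noted in the lead-in).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        settings.setdefault(key, parts[1].strip())   # first occurrence wins
    return settings


def audit(text, benchmark=BENCHMARK, defaults=DEFAULTS):
    """Return (directive, actual value, required value) for every failed check.

    An absent directive is compared using its default, so a missing
    PasswordAuthentication line is correctly reported as 'yes'.
    """
    settings = parse_sshd_config(text)
    findings = []
    for directive, required in benchmark.items():
        actual = settings.get(directive.lower(), defaults[directive])
        if actual.lower() != required.lower():
            findings.append((directive, actual, required))
    return findings


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Two details matter for a real check: comparing against the daemon's defaults rather than treating an absent line as "not set", and reproducing the first-value-wins rule, since a config that appears hardened at the bottom of the file may be overridden by an earlier line. After changing the file, `sshd -T` prints the effective configuration and is the authoritative source to audit against.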
COSO (Committee of Sponsoring Organizations)
a volunteer-run organization that gives guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. Established a common internal control model