Chapter 12 - Monitoring and Auditing


Event Viewer's Security log

After auditing is turned on and specific resources are configured for auditing, you need to check the Security log for the entries. These could be successful logons or failed attempts at deleting files. You are setting up auditing on a Windows computer. If it is set up properly, which log should have entries?

Anomaly-Based Monitoring

An anomaly-based monitoring system (also known as statistical anomaly-based) establishes a performance baseline based on a set of normal network traffic evaluations. These evaluations should be taken when the network and servers are under an average load during regular working hours.

Audit trails

Audit trails are records or logs that show the tracked actions of users, whether the user was successful in the attempt or not.

Computer security audits

Technical assessments conducted on applications, systems, or networks. They are an example of a detective security control. Audits can be done manually or with computer programs. Manual assessments usually include the following:
1) Review of security logs
2) Review of access control lists
3) Review of user rights and permissions
4) Review of group policies
5) Performance of vulnerability scans
6) Review of written organization policies
7) Interviewing organization personnel
Programs used to audit a computer or network range from simple tools such as Belarc Advisor, to more complex programs such as Nsauditor, to open source projects such as OpenXDAS.

security template

Groups of policies that can be loaded in one procedure.

Baseline reporting

Identification of the security posture of an application, system, or network.

Signature-Based Monitoring

In a signature-based monitoring scenario, frames and packets of network traffic are analyzed for predetermined attack patterns. These attack patterns are known as signatures.

Baselining

Is the process of measuring changes in networking, hardware, software, applications, and so on. The term baselining is most often used to refer to monitoring network performance, but it actually can be used to describe just about any type of performance monitoring.

Network Monitor

Network Monitor is a built-in network sniffer used in Windows Server products. Called netmon for short, it behaves in basically the same fashion as Wireshark. You can run Network Monitor from the Run prompt by typing netmon.exe.

Analytical Tools: openfiles

One thing you can't see in the Computer Management Shared Folders view is the files that were opened locally. For this you can use the openfiles command, which also shows files opened by remote computers. The openfiles command must be run in elevated mode within the Command Prompt, and by default the Maintain Objects List global flag must be enabled.

Performance Monitor

The Linux counterpart of the Windows Performance Monitor is called System Monitor.

Auditing System Security Settings

Remember that there might be different policies for each department in an organization. This would match up with the various organizational units on a Windows Server. I haven't counted them, but there are probably thousands of settings. Due to this, an organization might opt to use a security template; if this is the case, verify that the proper one is being used, and that the settings included in that template take into account what the organization has defined as part of its security plan. Templates are accessed by right-clicking Security Settings and selecting Import Policy.

SNMPv3

SNMPv3 should be used because it provides a higher level of security (encryption of packets, message integrity, and authentication), allowing you to gather information without fear of the data being compromised. SNMPv1 and v2 do not have the elaborate security of SNMPv3.

SPA

A security posture assessment (SPA) uses baseline reporting and other analyses to discover vulnerabilities and weaknesses in systems and networks.

Windows log monitoring

Several other types of Windows log files should be monitored periodically, including the following:
* System: Logs events such as system shutdown or driver failure
* Application: Logs events for operating system applications and third-party programs
The System and Application logs exist on client and server versions of Windows. A few log files that exist only on servers include the following:
* File Replication Service
* DNS Server
* Directory Service

Computer Security Audits Process

Step 1. Define exactly what is to be audited.
Step 2. Create backups.
Step 3. Scan for, analyze, and create a list of vulnerabilities, threats, and issues that have already occurred.
Step 4. Calculate risk.
Step 5. Develop a plan to mitigate risk and present it to the appropriate personnel.

Syslog

Syslog is the standard for computer message logging. Most devices such as switches, routers, and firewalls use it. The Syslog server is really just a central repository for the logs that already exist on your routers and other devices. Syslog uses port 514. Port 6514 is used for secure connections, known as Syslog over TLS.

To find out when a computer was shut down, which log file would an administrator use?

The System log

Security posture

The risk level to which a system, or other technology element, is exposed.

Log File Maintenance and Security

The size and overwriting configuration of the log file should play into your considerations. The log files should be backed up. The files could be backed up to a separate physical offsite location, or WORM (write-once read-many) media could be used. WORM options such as CD-R and DVD-R are good ways to back up log files, but not rewritable optical discs (CD-RW/DVD-RW), mind you.

standard load

The term standard load is often used when referring to servers. A configuration baseline defines what the standard load of the server is for any measured objects.

Security events in the Event Viewer

To audit events on a computer, an administrator would need to:
1) Enable auditing within the computer's policy.
2) Turn on auditing for an individual object (folder, file, and so on), and then view the events within the Security log of the Event Viewer.
3) A Security log size of 512 KB is big enough for many events to be written to it.

Analytical Tools

Monitor open sessions and files: In Windows, any files and shares that are being accessed by remote computers can be monitored within Computer Management (Run > compmgmt.msc). Inside Computer Management, navigate to System Tools > Shared Folders. From there you can see which shares and open files are being accessed, and which network sessions are open to that computer.

Auditing Files

A security administrator wants to know who did what to a particular resource and when that person did it. Auditing files can usually be broken down into a three-step process:
Step 1. Turn on an auditing policy.
Step 2. Enable auditing for particular objects such as files, folders, and printers.
Step 3. Review the security logs to determine who did what to a resource and when.

Logging

When it comes to auditing an organized set of information, logging is the method of choice. Frequent monitoring of logs is an important part of being a security person. Possibly the most important log file in Windows is the Security log.

Analytical Tools: integrity of a file

When you are not sure whether the integrity of a file (or files) has been affected, you can use the FC command to compare the file that is suspected of compromise with an older known-good version of the file. Open files can also be viewed and closed with the net file command (must be run in elevated mode). You'll probably also want to make use of the net config, net session, and net view commands. Better yet, just know the whole net command like the back of your hand.

log what happens on a database server

You need to consider:
1) The amount of disk space you will require.
2) The information that will be needed to reconstruct events later.

SNMP three components

* Managed devices: Computers or other network-attached devices monitored through the use of agents by a network management system.
* Agent: Software deployed by the network management system that is loaded on managed devices. The software relays the information that the NMS needs in order to monitor the remote managed devices.
* Network management system (NMS): The software run on one or more servers that controls the monitoring of network-attached devices and computers.
SNMP uses ports 161 and 162. SNMP agents receive requests on port 161; these requests come from the network management system, or simply "manager." The manager receives notifications (traps) on port 162.

which two security measures should be implemented when logging a server

1) The application of retention policies on log files
2) Hashing of log files
The log files should be retained in some manner, either on this computer or on another computer. By hashing the log files, the integrity of the files can be checked even after they are moved.

Standard load of a server

A configuration baseline deals with the standard load of a server. By measuring the traffic that passes through the server's network adapter, you can create a configuration baseline over time.

Jason is a security administrator for a company of 4000 users. He wants to store 6 months of logs to a logging server for analysis. The reports are required by upper management due to legal obligations but are not time-critical. When planning for the requirements of the logging server, which of the following should not be implemented?

A performance baseline and audit trails are not necessarily needed. Because the reports are not time-critical, a performance baseline should not be implemented. Auditing this much information could be unfeasible for one person.

Behavior-Based Monitoring

A behavior-based monitoring system looks at the previous behavior of applications, executables, and/or the operating system and compares that to current activity on the system. If an application later behaves improperly, the monitoring system will attempt to stop the behavior. This has an advantage over signature-based and anomaly-based monitoring in that it can, to a certain extent, help with future events without having to be updated. However, because there are so many types of applications, and so many types of relationships between applications, this type of monitoring could set off a high number of false positives.
