Chapter 7: Auditing, Testing, and Monitoring

Ace your homework & exams now with Quizwiz!

Personal Information Protection and Electronic Documents Act (PIPEDA)

A Canadian law that protects how organizations collect, use, or disclose personal information in e-commerce transactions

Security Information and Event Management (SIEM) system

A method for analyzing risk in software systems. It is a centralized collection of monitoring of security and event logs from different systems. SIEM allows for the correlation of different events and early detection of attacks.

operating system fingerprinting

A reconnaissance technique that enables an attacker to use port mapping to learn which operating system and version is running on a computer

Penetration Testing

A test by an outsider to actually exploit any weaknesses in systems that are vulnerable.

Anomaly-based IDS

An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.

signature-based IDS

An intrusion detection system that maintains a database of signatures that might signal a particular type of attack and compares incoming traffic to those signatures

pattern-based IDS

An intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders.

Mitigation activities

Any activities designed to reduce the severity of a vulnerability or remove it altogether.

Examples of Non-real-time monitoring

Application logging- all applications that access or modify sensitive data should have logs that record who used or changes the data and when system logging- provides records of who accessed the system and what actions they performed on the system Activities you need to log: host-based activity. network and network devices

Audit checks whether controls are

Appropriate- is the level of security control suitable for the risk it addresses? Installed correctly- Is the security control in the right place and working well? Addressing their purpose- Is the security control effective in addressing the risk it was designed to address?

Security Monitoring tools and techniques

Baselines: understanding what normal looks like so you can compare it to what is happening (40 percent disk usage that suddenly doubles overnight) Alarms, alerts, and trends: responses to security eve3nts that notify personnel of a possible security incident (alert = door chime when you open the door / alarm = sound when alarm is set and door is opened) Closed-circuit TV: monitoring and recording what the TV cameras see Systems that spot irregular behavior: IDSs and honeypots- traps set to capture information about improper activity on a network

reconaissance

Collecting information and knowing deeply about the target system. Data is the main street for the programmer to hack the target system. It involves Footprinting, Enumeration, and Scanning.

Audits generally contain at least 3 broad sections

Findings Recommendation: timelines for implementation, level of risk, management response Follow up

zone transfer

In DNS, the act of copying a primary name server's zone file to the secondary name server to ensure that both contain the same information.

SOC 1

Internal controls over financial reporting (ICFR). Users and auditors. This is commonly implemented for organization that must comply with Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA)

Real-Time monitoring examples

Intrusion detection system Host IDS- host intrusion detection system (HIDS) notices activity in a computer as the activity is happening System integrity monitoring- enables you to watch computer systems for unauthorizes changes and report them to administrators in near real time Data loss prevention (DLP)- use business rules to classify information to prevent unauthorized end user sfrom sharing it

Security Review elements

Monitor- review and measure all controls to capture actions and changes on the system Audit- Review the logs and overall environment to provide independent analysis of how well the security policy and controls work Improve- Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management Secure- Ensure that new, and existing, controls work together to protect the intended level of security

Most common permission levels

Promiscuous- Everything is allowed. used by many home users but makes it easier for attackers to succeed Permissive- Anything not specifically prohibited is OK. suitable for most public internet sites, some schools and libraries, and many training centers. Prudent- A reasonable list of things is permitted; all others are prohibited and carefully monitored. Suitable for most businesses Paranoid- Very few things are permitted; all others are prohibited and carefully monitored. Suitable for secure facilities

Real-time monitoring

Provides information on what is happening as it happens

Audit Data collection methods

Questionnaires- both managers and users Interviews- gathering insight into operations from all parties. often prove to be valuable sources of information and recommendations Observation- input used to differentiate between paper procedures and the way the job is really done Checklists- help ensure that the information gathering process covers all areas Reviewing documentation- assess currency, adherence, and completeness reviewing configurations- assessing change control procedures and the appropriateness of control, rules, and layout reviewing policy- assessing policy relevance, currency, and completeness performing security testing- along with vulnerability testing and penetration testing involves gathering technical information to determine whether vulnerabilities exist in the security components, networks, or applications

Federal laws or vendor standards that require internal and external audits

Sarbanes-Oxley Act (SOX) Health Insurance Portability and Accountability Act (HIPPA) Payment Card Industry Data Security Standard (PCI DSS)

Stateful matching

Scans for attack signatures in the context of a traffic stream rather than individual packets

SOC 2

Security (confidentiality, integrity, availability) and privacy controls). Management, regulators, stakeholders. This is commonly implemented for service providers, hosted data centers, and managed cloud computing providers.

SOC 3

Security (confidentiality, integrity, availability) and privacy controls). Public. This is commonly required for the customers of SOC 2 service providers to verify and validate that the organization is satisfying customers private data and compliance law requirements (such as HIPPA and GLBA)

Gray Box Testing

Security testing that is based on limited knowledge of an application's design.

Auditor planning and execution phases

Survey the site(S): understanding environment and connections between systems Review documentation- system documentation and configuration during planning and as part of the audit Review the risk analysis output- understand system criticality ratings Review server and application logs: examine logs to look for changes in programs, permissions, or configurations Review incident logs- review security incident logs to get a feel for problem trends Review results of penetration tests- helps prepare a list of weaknesses that were found. Auditor reviews this report to address all items

White Box Testing

Testing based on an analysis of the internal structure of the component or system.

Black Box Testing

Testing, either functional or non-functional, without reference to the internal structure of the component or system.

network mapping

The process of discovering and identifying the devices on a network.

Hardened configuration

The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.

false positive

When a system incorrectly accepts an action instead of rejecting it.

false negative

When a system incorrectly rejects an action instead of accepting it.

clipping level

a predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to notify an administrator.

NIST Cybersecurity Framework (CSF)

a response to a US presidential executive order calling for increased cybersecurity (2014). Focuses on critical infrastructure components but applicable to many general systems. Road map for securing systems that can help auditors align business drivers and security requirements

COBIT (Control Objectives for Information and related Technology)

a set of best practices for IT management. Gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices.

Benchmark

baseline values the system seeks to attain

ISO 27002

best-practices document that gives good guidelines for information security management. Organizations must perform an audit to verify that all provisions are satisfied in order to claim compliance

Service Organization Control (SOC)

defines the scope and contents of three levels of audit reports (SOC 1, SOC 2, SOC 3)

Vulnerability testing

examining the system to determine the adequacy of security measures and to identify security deficiencies

Statement on Standard for Attestation Engagements Number 16 (SSAE 16)

expanded the scope of SAS 70 and is the predominant auditing and reporting standard for service organizations

Particular industries that require internal and external audits

financial services organizations and any organization that handles personal medical records

Covert acts

hidden and secret

Network and network devices

include access, traffic type and patterns, malware, and performance

Host-based activity

includes changes to systems, access requests, performance, and startups and shutdowns

Non-real-time monitoring

keeps historical records of acitivity. can use when its not as critical to detect and respond to incidents immediately

Overt acts

obvious and intentional

Audit

provides management with an independent assessment of whether the best controls are in place and how well they work. Helps management understand and address the risks

ITIL (information technology infrastructure library)

set of concepts and policies for managing IT infrastructure, development, and operations. Give a detailed description of a number of important IT practices

Auditing Standards Number 70 (SAS 70)

the first standard of its kind and provided audit guidance for many service organizations (type 1 and type 2) type 1: encompasses the service auditor's assessment of the service organizations description and implementation of controls to achieve the environmental control objectives type 2: Type 1 as well as the service auditors assessment of whether or not the identified controls were implemented and operating effectively retired in June 2011

hardening

the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services

benchmark

the standard to which your system is compared to determine whether it is securely configured

COSO (Committee of Sponsoring Organizations)

volunteer run organization gives guidance to executive managements and governance entities on critical aspects of organization governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. established a common internal control model


Related study sets

Microbiology Lab (Exercises 1-20)

View Set

Western Civ Final Exam: Chapters 5-8 and 13-15

View Set