Cyber Ch 7
Types of logs
-Event logs
-Access logs
-Security logs
-Audit logs
Testing activities
-Reconnaissance: involves reviewing the system to learn as much as possible about the organization, its systems and networks
-Network mapping: uses tools to determine the layout and services running on the organization's systems and networks
-Vulnerability testing: finding all the weaknesses in a system and determining which places may be attack points
-Penetration testing: try to exploit a weakness in the system and prove that an attacker could successfully penetrate it
-Mitigation activities: any actions intended to reduce or address vulnerabilities found in either penetration tests or vulnerability tests.
Methods of detecting anomalies
-Statistical-based methods: develop baselines of normal traffic and network activity
-Traffic-based methods: signal an alert when they identify any unacceptable deviation from expected behavior based on traffic
-Protocol patterns: look for deviations from protocols
Two most common risks to security systems
-attackers who come in from outside, with unauthorized access, malicious code, Trojans, and malware
-sensitive information leaking from inside the organization to unauthorized people who can damage your organization
Security Monitoring Tools
-baselines
-alarms, alerts, and trends
-closed-circuit TV
-systems that spot irregular behavior
Potential impact of testing activities
-be aware of the potential for harm
-be aware of the time of day and day of the week
Audit Report Parts
-findings
-recommendations
-timeline for implementation
-level of risk
-management response
-follow up
Audit Data Collection Methods
-questionnaires
-interviews
-observation
-checklists
-reviewing documentation
-reviewing configurations
-reviewing policy
-performing security testing
Monitoring issues
-spatial distribution: attacks are difficult to catch with logs if they come from a variety of attackers across a wide area
-switched networks: it can be harder to capture traffic on networks that are very segmented through the use of switches and virtual LANs
-encryption: encrypting data makes logging more difficult
Auditor planning and execution phases
-survey the site(s)
-review documentation
-review risk analysis output
-review server and application logs
-review incident logs
-review results of penetration tests
Black-box testing
A method of security testing that isn't based directly on knowledge of a program's architecture.
Hardening
A process of changing hardware and software configurations to make computers and devices as secure as possible
Prudent
A reasonable list of things is permitted; all others are prohibited. This permission level is suitable for most businesses.
Operating system fingerprinting
A reconnaissance technique that enables an attacker to use port mapping to learn which operating system and version is running on a computer
COBIT (Control Objectives for Information and related Technology)
A set of best practices for IT management. Gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices.
ITIL (Information Technology Infrastructure Library)
A set of concepts and policies for managing IT infrastructure, development, and operations.
Stateful matching
A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets.
Zone transfer
A unique query of a DNS server that asks it for the contents of its zone.
Clipping level
A value used in security monitoring that tells the security operations personnel to ignore activity that falls below a stated value
Application logging
All applications that access or modify sensitive data should have logs that record who used or changed the data and when
Covert act
An act carried out in secrecy.
Overt act
An act carried out in the open or easily viewed by others
Anomaly-based IDS
An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.
Pattern (or signature) based IDS
An intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders
ISO 27002
An update to the ISO 17799 standard.
ISO 17799
An international security standard that documents a comprehensive set of controls that represent information systems best practices.
Real-time monitoring
Analysis of activity as it is happening.
Permissive
Anything not specifically prohibited is ok. This permission level is suitable for most public Internet sites, some schools and libraries, and many training centers
Audit checks whether controls are:
-Appropriate: Is the level of security control suitable for the risk it addresses?
-Installed correctly: Is the security control in the right place and working well?
-Addressing their purpose: Is the security control effective in addressing the risk it was designed to address?
Secure
Ensure that new, and existing, controls work together to protect the intended level of security
Promiscuous
Everything is allowed. This permission level is used by many home users but makes it easier for attackers to succeed
Host IDS
Excellent for noticing activity in a computer as the activity is happening
NIST Cybersecurity Framework (CSF)
Focuses on critical infrastructure components but is applicable to many general systems. The road map provides a structured method for securing systems that can help auditors align business drivers and security requirements.
Improve
Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management
False negative
Incorrectly identifying abnormal activity as normal.
False positive
Incorrectly identifying normal activity as abnormal.
SOC 1
Internal controls over financial reporting. Intended audience: users and auditors.
Security Controls
Monitor, Audit, Improve, Secure
Intrusion detection system (IDS)
Network security appliances typically installed within the LAN-to-WAN domain at the Internet ingress/egress point to monitor and block unwanted IP traffic.
Permission Levels
Promiscuous, Permissive, Prudent, Paranoid
Monitor
Review and measure all controls to capture actions and changes on the system
Audit
Review the logs and overall environment to provide independent analysis of how well the security policy and controls work
SOC 2
Security (confidentiality, integrity, availability) and privacy controls. Intended audience: management, regulators, stakeholders.
SOC 3
Security (confidentiality, integrity, availability) and privacy controls. Intended audience: the public.
White-box testing
Security testing that is based on knowledge of the application's design and source code.
Gray-box testing
Security testing that is based on limited knowledge of an application's design.
Security Information and Event Management (SIEM) system
Software and devices that assist in collecting, storing, and analyzing the contents of log files
System integrity monitoring
Systems such as Tripwire enable you to watch computer systems for unauthorized changes and report them to administrators in near real time
Hardened configuration
The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.
System logging
This type of logging provides records of who accessed the system and what actions they performed on the system
Data loss prevention (DLP)
Use business rules to classify sensitive information to prevent unauthorized end users from sharing it.
Network mapping
Using tools to determine the layout and services running on an organization's systems and networks.
Paranoid
Very few things are permitted; all others are prohibited and carefully monitored. This permission level is suitable for secure facilities
COSO (Committee of Sponsoring Organizations)
Volunteer-run organization that gives guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, risk management, fraud, and financial reporting.