Mod 4 Fundamentals of Info Sec~ Auditing & Accountability WGU


Answer these questions.

1 What is the benefit of logging?
2 Discuss the difference between authentication and accountability.
3 Describe nonrepudiation.
4 Name five items we might want to audit.
5 Why is accountability important when dealing with sensitive data?
6 Why might auditing our installed software be a good idea?
7 When dealing with legal or regulatory issues, why do we need accountability?
8 What is the difference between vulnerability assessment and penetration testing?
9 What impact can accountability have on the admissibility of evidence in court cases?
10 Given an environment containing servers that handle sensitive customer data, some of which are exposed to the Internet, would we want to conduct a vulnerability assessment, a penetration test, or both? Why?

Laws in place that dictate notification to those whose personally identifiable information (PII) has been involved in a breach

46 US states, D.C., Puerto Rico, and the US Virgin Islands have these laws in place. AL, KY, NM, and SD have yet to enact these laws.

Deterrence

Accountability can also prove to be a great deterrent against misbehavior in our environments. If those we monitor are aware of this fact, and it has been communicated to them that there will be penalties for acting against the rules, these individuals may think twice before straying outside the lines. The key to deterrence lies in letting those we want to deter know they will be held accountable for their actions. This is typically carried out through the vehicle of auditing and monitoring, both of which we will discuss in the "Auditing" section of this lesson. If we do not make this clear, our deterrent will lose most of its strength.

Deterrence example

As part of monitoring activities, we can keep track of the badge access times when our employees pass in and out of our facility and validate this activity against the times they have submitted on their time cards for each week, in order to prevent employees from falsifying their time cards and defrauding the company for additional and undeserved pay. On the network, the same can be done by watching for users who are surfing the Internet instead of working. While this might seem to smack of Big Brother to some, such methods are often used for efficiency in areas with large numbers of employees working specific shifts, where it would be too costly to have multiple managers watching the users, such as those that run technical support help desks.

We audit for one of several reasons

Auditing provides us with the data with which we can implement accountability. If we do not have the ability to assess our activities over a period of time, then we do not have the ability to facilitate accountability on a large scale. Particularly in larger organizations, our capacity to audit directly equates to our ability to hold anyone accountable for anything.

The BSA is a company that, on behalf of software companies (Adobe or Microsoft, for instance), regularly audits other companies to ensure their compliance with software licensing.

Fines from the BSA can reach $250,000 per occurrence of unlicensed software, and the BSA sweetens the pot for whistle-blowers by offering rewards of up to $1 million for reporting violations.

Accountability is comprised of and depends on

Identification, authentication, authorization, and access

Accountability methods for evidence collection

If properly followed, these will hopefully let us demonstrate an unbroken chain of custody. If we cannot demonstrate this, our evidence will likely only be taken as hearsay, at best, considerably weakening our case and perhaps placing us on the losing side in court. The evidence must also have a hash proving it is original and has not been modified. A hash function is an algorithm that analyzes the data on the device and produces a code, or hash. The hash changes if any of the data is changed.

Due to lack of accountability to its shareholders, board of directors, auditors, and the US government, Enron was able to defraud its investors out of billions of dollars. This was one of the events that prompted the enactment of SOX, directed specifically at halting such practices.

In cases like this, accountability equates to a certain extent to transparency. In some situations, our activities must be transparent to certain parties, such as shareholders, in order to hold us accountable for our actions. Such transparency is dictated by law in companies that are publicly traded.

Assessments

In some cases, our audits may take a more active route toward determining whether everything is as it should be and compliant with the relevant laws, regulations, or policies. In such cases, we may find it useful to carefully examine our environments for vulnerabilities. We can take two main approaches to such activities: vulnerability assessments and penetration testing. While these terms are often used interchangeably, they are actually two distinct sets of activities.

Logging

Logging gives us a history of the activities that have taken place in the environment being logged. Without this evidence, audits and investigations are not practical. It is key to any organization to determine the correct level of logging to support their needs. We typically generate logs in an automated fashion in operating systems and keep track of the activities that take place on most computing, networking, and telecommunications equipment, as well as most devices that can be remotely considered to incorporate or be connected to a computer.

Intrusion detection and prevention

One of the motivations behind logging and monitoring in our environments is to detect and prevent intrusions in both the logical and physical sense. If we implement alerts based on unusual activities in our environments and check the information we have logged on a regular basis, we stand a much better chance of detecting attacks that are in progress and preventing those for which we can see the precursors. Particularly in the logical realm where attacks can take place in fractions of a second and it is not practical to have a human in the loop, we would be wise to implement automated tools to carry out such tasks. We can divide such tools into two major categories: intrusion detection systems (IDSes) and intrusion prevention systems (IPSes). An IDS performs strictly as a monitoring and alert tool, only notifying us that an attack or undesirable activity is taking place. An IPS, often working from information sent by the IDS, can actually take action based on what is happening in the environment. In response to an attack over the network, an IPS might refuse traffic from the source of the attack.

Auditing

One of the primary ways we can ensure accountability through technical means is by ensuring that we have accurate records of who did what and when they did it. In nearly any environment, from the lowest level of technology to the highest, accountability is largely accomplished through the use of auditing. Merriam-Webster's Dictionary of Law defines an audit as "a methodical examination and review."

Software licensing is another common audit topic

Particularly on systems owned by the organization for which we work, ensuring that all of our software is appropriately licensed is an important task. If we were to be audited by an outside agency—the Business Software Alliance (BSA), for instance—and we were found to be running large quantities of unlicensed software, the financial penalties could be severe indeed. It is often best if we can find and correct such matters ourselves before receiving a notification from an external company such as the BSA.

As a more active method of finding security holes, we may also wish to conduct penetration testing.

Penetration testing, although it may use vulnerability assessment as a starting place, takes the process several steps further. When we conduct a penetration test, we mimic, as closely as possible, the techniques an actual attacker would use. We may attempt to gather additional information on the target environment from users or other systems in the vicinity, exploit security flaws in Web-based applications or Web-connected databases, conduct attacks through unpatched vulnerabilities in applications or operating systems, or similar methods.

Nonrepudiation

Refers to a situation in which sufficient evidence exists so as to prevent an individual from successfully denying that he or she has made a statement or taken an action. In information security settings, this can be accomplished in a variety of ways. We may be able to produce proof of the activity directly from system or network logs, or recover such proof through digital forensic examination of the systems or devices involved. We may also be able to establish nonrepudiation through the use of encryption technologies, more specifically through the use of hash functions that can be used to digitally sign a communication or a file. Example: A system that digitally signs every e-mail that is sent from it, thus rendering useless any denial that might take place regarding the sending of the message in question.

Accountability provides us

The means to trace activities in our environment back to their source. In addition, it provides us with a number of capabilities, when properly implemented, which can be of great use in conducting the daily business of security and information technology in our organizations. In particular, organizations need to carefully maintain accountability in order to ensure that they are in compliance with any laws or regulations associated with the types of data they handle or the industry in which they operate.

PCI Data Security Standards

These standards lay out requirements for vendors to protect customers' data. They form a self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Except for small companies, compliance with the standard requires hiring a third party to conduct security assessments and detect violations. Failure to comply can lead to exclusion from Visa, MasterCard, or other major payment card systems, as well as penalties.

Two common forms of assessments performed on networks

Vulnerability assessments and penetration tests

Although the breach may not be immediately visible to those outside the organization, or ever visible, for that matter

We are still accountable to be compliant with the laws that govern breaches in our location and with any laws that govern the handling of the data with which we conduct business. In the case where we do not conduct ourselves properly as it relates to these laws, we may be able to continue with business as usual for a period of time, but we will eventually be discovered, and the repercussions in the personal, business, and legal senses will be much greater for not having handled the situation properly in the first place.

Auditing by legal or contractual requirements

We may also be bound by contractual or regulatory requirements that compel us to be subject to audit on some sort of recurring basis. In many cases, such audits are carried out by unrelated and independent third parties certified and authorized to perform such a task. Good examples of such audits are those mandated by SOX, which exist in order to ensure that companies are honestly reporting their financial results.

To ensure that we have accountability

We need certain other tools to be in place and working properly. Accountability depends on identification, authentication, and access control being present so that we can know who a given transaction is associated with, and what permissions were used to allow them to carry it out. Given proper monitoring and logging, we can often do exactly this and determine, in very short order, the details of the situation in question.

Many of the measures we put in place to ensure accountability facilitate auditing

We perform audits to ensure that compliance with applicable laws, policies, and other bodies of administrative control is being accomplished as well as detecting misuse. We may audit a variety of activities, including compliance with policy, proper security architecture, configuration management, personal behavior of users, or other activities.

Passwords are a commonly audited item

We should be setting out policy to dictate how they are constructed and used. If we do not take care to construct passwords in a secure manner, they can be easily cracked by an attacker. We should also be concerned with the frequency at which passwords are changed. If we do happen to have a password fall into the hands of someone who should not have it, we want to change the password at a relatively frequent interval in order to ensure that this person does not have permanent access. In many cases, checking password strength and managing password changes are accomplished in an automated fashion by functions within an operating system or by utilities designed to do so, and these need to be audited as well to ensure that they are in place and configured properly.

Security Benefits of Accountability

When we implement monitoring and logging on our systems and networks, we can use this information to maintain a higher security posture than we would be able to otherwise. Specifically, the tools that allow us accountability also enable nonrepudiation, deter those that would misuse our resources, help us in detecting and preventing intrusions, and assist us in preparing materials for legal proceedings.

What do we audit?

When we perform an audit, there are a number of items we can examine, primarily focused on compliance with relevant laws and policies. In the information security world, we tend to look at access to or from systems as a primary focus, but often extend this into other fields as well, such as physical security.

Admissibility of records

When we seek to introduce records in legal settings, it is often much easier to do so and have them accepted when they are produced from a regulated and consistent tracking system. For instance, if we seek to submit digital forensic evidence that we have gathered for use in a court case, the evidence will likely not be admissible to the court unless we can provide a solid and documented chain of custody for said evidence. We need to be able to show where the evidence was at all times, how exactly it passed from one person to another, how it was protected while it was stored, and so forth.

Monitoring is

a subset of auditing and tends to focus on observing information about the environment being monitored in order to discover undesirable conditions such as failures, resource shortages, security issues, and trends that might signal the arrival of such conditions. Monitoring is largely a reactive activity, with actions taken based on gathered data, typically from logs generated by various devices. Although we might consider the trend analysis portion of logging to be a proactive activity, we are still reacting to the present circumstances in order to forestall worse conditions than those we see at present. Think of this like the guard watching a camera view of the entry to the building. They will have to react to someone unauthorized coming in rather than just stopping them.

For nearly any action we might care to take

an associated audit record is created or updated in a computer system somewhere. Our medical histories, grades in school, purchases, credit history, and an enormous number of other factors are regularly queried and updated by the individuals and organizations with which we have contact. Such data is used to make decisions that can impact our lives for better or worse.

It's easy to look at accountability and the associated auditing tools that are commonly attached to it

and dismiss them as being bad because they are akin to Big Brother watching over our shoulder. In some senses, this is true, and excessive monitoring of people, places, and things can indicate an unhealthy environment. We can also go too far in the other direction. If we do not have sufficient controls in place to deter or prevent those that would break the rules and abuse the resources they have access to, we can end up in a bad place as well. The key is to develop a system that allows you to be compliant with all applicable laws and provides a reasonable level of security based on the organization's risk tolerance.

Accountability and Auditing in the Real World

are commonly seen to some extent in the regular activities most of us carry out. When we examine our encounters with accountability, we can see that they take place with great regularity. We are held accountable for our compliance with local and national laws for the geographic areas in which we are located; likewise, for the policies and regulations laid out by our employers, schools, banks, and any of hundreds of other entities with which we do business of some variety. We also hold others accountable for their actions on the other side of the transaction. We want those that handle our information to protect it, our leadership to be honest and live up to their stated goals and policies, and so forth.

Storing logs can

build up a large set of data quickly and thus become expensive. There should be a policy that dictates how long logs should be stored for and at what level of fidelity. For net flow data, the headers may be enough. For password attempts, we may want to keep all aspects of the logs for a longer period. We must also review compliance issues to determine if there are requirements to maintain logs for a certain period.

We may also see cases where accountability is prompted by outside agencies,

but the impetus to comply with these requirements must come from within our organizations. We can see an example of this in the requirements for notifying those that have had personal or financial information exposed in an unauthorized manner in a security breach. Such breaches seem to happen with disturbing regularity, and we can generally find a current example of one through a brief search of the news media. When a company experiences a breach in the United States, it will often be required, by state law, to notify those whose information has been exposed. In many cases, however, the breaches are not known of outside the company by more than a very few people, until they are actually announced to those that are directly involved. We can certainly see where such an organization might be tempted, in such a case, to not say anything about the incident to protect their image. To see a list of known breaches, check out the Privacy Rights Clearinghouse's Chronology of Data Breaches.

Although the databases of tools like Nessus do tend to be rather thorough,

newer attacks or those that are used very sparingly by attackers will often escape their notice.

How We Accomplish Accountability

We can attempt to ensure accountability by laying out the rules and ensuring that they are being followed. While it is all well and good to give someone a rule and ask him or her to follow it, we will often need to take further steps to ensure that this is actually taking place. We can see such a system at work in the law enforcement world. The geographical area in which we live has laid out certain laws for its populace to follow. Often, we can find laws governing theft, harm to others, safe operation of vehicles, and many more. We then have police that ensure compliance with these laws, in both a reactive and a proactive way. The police both patrol looking for violations and respond to calls to investigate violations. Police could be considered to be like system administrators, detectives would be like security incident response analysts, and Crime Scene Investigation (CSI) would be like computer forensic investigators. Each group has its own set of tools.

The ultimate goal in performing assessments of either type is to

find and fix vulnerabilities before any attackers do. If we can do so successfully and on a recurring basis, we will considerably increase our security posture and stand a much better chance of resisting attacks. As with any security measure that we can put in place, security assessments are only a single component in our overall defensive strategy.

Many organizations

handle data of a sensitive nature. Particularly in the case of data that is required by law to be protected, medical data being a good example, we must take steps to ensure that we are complying with any security measures we are required to have in place. In particular, we are often bound to ensure that accesses to such data are carried out in an authorized fashion, that any requirements for data retention over a period of time are met, and that the data is safely destroyed when it is no longer needed. Such data is often housed in some variety of databases, most of which have built-in facilities for controlling and monitoring access on a very granular level.

Logging is a reactive tool

in that it allows us to view the record of what happened after it has taken place. In order to immediately react to something taking place, we would need to use a tool more along the lines of an IDS/IPS. Logging mechanisms are often configurable and can be set up to log anything from solely critical events, which is typical, to every action carried out by the system or software, which is typically only done for troubleshooting purposes when we see a problem. We will often find events such as software errors, hardware failures, users logging in or out, resource access, and tasks requiring increased privileges in most logs, depending on the logging settings and the system in question.

Internet usage is a very commonly audited item in organizations

often largely focused on our activities on the Web, although it may include instant messaging, e-mail, file transfers, or other transactions. In many cases, organizations have configured proxy servers so that all such traffic is funneled through just a few gateways in order to enable logging, scanning, and potentially filtering such traffic. Such tools can give us the ability to examine how exactly such resources are being utilized and to take action if they are being misused.

Logs are generally only available to

the administrators of the system for review and are usually not modifiable by the users of the system, perhaps with the exception of writing to them. It is very important to note that collecting logs without reviewing them is a fairly futile task. If we never review the content of the logs, we might as well have not collected them in the first place. It is important that we schedule a regular review of our logs in order to catch anything unusual in their contents.

In Logging we may also be asked to analyze

the contents of logs in relation to a particular incident or situation. These types of activities often fall to security personnel in the case of investigations, incidents, and compliance checks. In these cases, this can be a difficult task if the period of time in question is greater than a few days. Even searching the contents of a relatively simple log, such as that generated by a Web proxy server, can mean sifting through enormous amounts of data from one or more servers. In such cases, custom scripts or even a tool such as grep can be invaluable to accomplish such tasks in a reasonable amount of time.

Auditing is the process we go through

to ensure that our environment is compliant with the laws, regulations, and policies that bind it. Auditing is also the mechanism through which we can implement accountability. We may carry out a variety of tasks in the name of auditing, including logging, monitoring, and assessments.

Vulnerability assessments generally involve

using vulnerability scanning tools, such as Nessus, in order to locate such vulnerabilities. Such tools generally work by scanning the target systems to discover which ports are open on them, and then interrogating each open port to find out exactly which service is listening on the port in question. Given this information, the vulnerability assessment tool can then consult its database of vulnerability information to determine whether any vulnerabilities may be present.

When conducting monitoring

we are typically watching specific items of data we have collected, such as resource usage on computers, network latency, particular types of attacks occurring repeatedly against servers with network interfaces that are exposed to the Internet, and traffic passing through our physical access controls at unusual times of day. In reaction to such activity occurring at levels above what we normally expect, called the clipping level, our monitoring system might be configured to send an alert to a system administrator or physical security personnel, or it might trigger more direct action to mitigate the issue such as dropping traffic from a particular IP address, switching to a backup system for a critical server, summoning law enforcement officials, or other similar tasks.

Based on the data we collect from systems

we can also conduct monitoring in our environments. Monitoring allows us to take action on activities in the period after they have happened, potentially ranging from identifying trends in the operation of our systems to taking action to block attacks very quickly after they have first been identified.

If we do not set, and follow, stringent rules for access to sensitive data stored

we can suffer business losses, intellectual property theft, identity theft, fraud, and numerous other crimes. Some types of data—medical and financial, for example—often are under protection by laws in each country the data resides in. In the United States, two such well-known bodies of law are found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Sarbanes-Oxley Act of 2002 (SOX), protecting medical and financial data, respectively.

In order to support auditing, accountability, and monitoring activities

we often conduct logging on many of the devices in our environment. Such logs are often generated by software, computing devices, and other hardware connected to computers. Logs generated by devices can be very general in nature and contain only a limited amount of information, or they can be very specific and contain large amounts of highly detailed information.

Audit data is also used

whether it focuses on our activities as an individual or on the activities of organizations, to mitigate attacks that might be taking place. We can see an example of this in the monitoring that credit card companies conduct on the purchases made through our account. For instance, if we decide to buy half a dozen laptops in one day, chances are good that this will deviate from the normal purchase habits of most of us. In such cases, this will often trigger an alert in the monitoring systems run by the credit card company and will temporarily freeze any purchases made with our card. The credit card company will more than likely attempt to contact us to ensure that the transaction is legitimate before allowing it to proceed. Such efforts quietly take place in the background around us all the time.
