Audit COM380 University of Sunderland Harry R. Erwin, PhD.

Purpose
The purpose of audit is to maintain a protected record of security-relevant events that allows:
–Reconstruction of incidents,
–Prosecution in court (which requires that the record's integrity can be demonstrated), and
–In some cases, detection of real, potential, or imminent violations of system security.

Audit in a Distributed Environment
Audit in a distributed system differs significantly from audit on a stand-alone host. A single sequential audit 'trail' is not really feasible: hosts keep different clocks, and different hosts and servers may conflict in how they name users, objects and events and in the formats of their records. More thought must be given to collection and management, given the volume of data collected and the vagaries of the collection process (lost, delayed or duplicated records). A central audit repository with a common record format and synchronised time is usually required. Long-term local storage of audit data is unwise, because whoever compromises a host also controls the logs stored on it; forward records off the host promptly.

Cracker Interest in Audit Logs
The audit log shows the cracker what the defenders can see of his attack.
–Reading it helps him limit his visibility and his exposure to identification and prosecution.
–He will remove or modify it if he can, so audit data must be write-protected on the host, forwarded elsewhere, and checked for integrity.
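One way to make the modification the slide describes detectable is to chain the records: each entry carries a keyed hash over the previous entry's hash and its own content, so an edit or deletion breaks every link that follows. The block below is an added example, not code from the original slides; the key, the genesis value and the three events are constructed, and the design assumes the key is held by the audit repository rather than the audited host.

```python
"""Tamper-evident audit trail: every entry stores an HMAC that covers the previous
entry's HMAC, so editing or deleting an entry breaks every link after it.
Added example, not from the original slides. The key, the genesis value and the
events are constructed for illustration."""
import hashlib
import hmac
import json
from typing import Optional

# Assumed: the key lives on the audit repository, which computes the chain on
# receipt. A key kept on the audited host can be read and reused by anyone who
# gains root there, which defeats the purpose.
REPOSITORY_KEY = b"example-key-do-not-use-in-production"
GENESIS = "0" * 64


def link(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over the previous link and the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    msg = (prev_hash + canonical).encode()
    return hmac.new(REPOSITORY_KEY, msg, hashlib.sha256).hexdigest()


def append(trail: list, record: dict) -> str:
    """Append a record with its chain link; return the new link (the anchor)."""
    prev = trail[-1]["link"] if trail else GENESIS
    entry = {"record": record, "link": link(prev, record)}
    trail.append(entry)
    return entry["link"]


def verify(trail: list, anchor: Optional[str] = None) -> Optional[int]:
    """Return the index of the first broken entry, or None if the chain is intact.
    A deleted entry surfaces as a break at the entry that followed it. Deleting the
    tail leaves a valid shorter chain, so the caller must also compare the last
    link against an anchor recorded out of band (e.g. by the repository)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if not hmac.compare_digest(entry["link"], link(prev, entry["record"])):
            return i
        prev = entry["link"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(trail)  # chain intact but shorter than what the repository saw
    return None


def demo() -> dict:
    """Build a trail from constructed events, then check intact, edited, deleted
    and truncated copies. Returns the verify() result for each."""
    events = [
        {"seq": 1, "user": "alice", "event": "LOGIN", "result": "success"},
        {"seq": 2, "user": "alice", "event": "CHMOD", "object": "/etc/shadow"},
        {"seq": 3, "user": "alice", "event": "LOGOUT", "result": "success"},
    ]
    trail: list = []
    anchor = GENESIS
    for e in events:
        anchor = append(trail, e)

    edited = json.loads(json.dumps(trail))      # deep copy, then alter one record
    edited[1]["record"]["object"] = "/tmp/harmless"
    deleted = trail[:1] + trail[2:]             # drop the CHMOD entry
    truncated = trail[:2]                       # drop the tail

    return {
        "intact": verify(trail, anchor),                    # None
        "edited": verify(edited, anchor),                   # 1
        "deleted": verify(deleted, anchor),                 # 1
        "truncated_no_anchor": verify(truncated),           # None: chain alone misses it
        "truncated_with_anchor": verify(truncated, anchor), # 2
    }
```

The truncation case is the one practitioners forget: a chain proves that nothing in the middle was changed, but not that the end is the real end. Without the anchor (the latest link, stored where the attacker cannot reach it) a cracker who simply trims the last entries leaves a trail that verifies cleanly.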

Common Criteria Security Audit Functionality (Class FAU)
Common Criteria Part 2 divides the security audit class into six families:
–Security audit automatic response (FAU_ARP)
–Security audit data generation (FAU_GEN)
–Security audit analysis (FAU_SAA)
–Security audit review (FAU_SAR)
–Security audit event selection (FAU_SEL)
–Security audit event storage (FAU_STG)

Security Audit Automatic Response (FAU_ARP)
How are detected audit events handled?
–Alarms to the security administrator
–Possible automatic responses: terminate the offending process or session, disable the attacked service, disconnect the connection, or invalidate (lock) the user account.
Automatic responses are themselves a denial-of-service lever: an attacker who can trigger them against other users' accounts or a shared service gets the system to do his work for him, so responses should be rate-limited and reversible.

Security Audit Data Generation (FAU_GEN)
The security target should define the auditable events. At each level of audit the following should be included:
–Minimal: successful use of security administration functions.
–Basic: attempted (successful or failed) use of security administration functions, and identification of the attributes modified.
–Detailed: in addition, the new values of the modified attributes (but never passwords, cryptographic keys, or similar sensitive data).
Every record should carry the date and time of the event, the type of event, the subject identity and the outcome (success or failure).

Typical Auditable Events
–Access to security-controlled objects
–Deletion of objects
–Change of access rights
–Changes to security attributes
–Policy checks performed for a user
–Use of privileges to bypass policy checks
–Identification and authentication (successes and failures)
–Operator and administrator security actions
–Import/export of data from/to removable media
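The three levels on the FAU_GEN slide, applied to one of the typical events listed above (an administrator changing another user's security attributes), look like this in practice. This is an added example rather than code from the slides: the level semantics follow the slide text, while the record field names, the list of sensitive attribute names and the sample events are assumptions made for illustration.

```python
"""Audit record generation (FAU_GEN) at the minimal, basic and detailed levels
described on the slides, with sensitive values redacted at the detailed level.
Added example, not part of the original slides; the level semantics follow the
slide text and the field names and sample events are assumed."""
from datetime import datetime, timezone
from typing import Optional

LEVELS = {"minimal": 0, "basic": 1, "detailed": 2}

# Assumed list of attribute names whose new values must never reach the log.
SENSITIVE = {"password", "passwd", "secret", "private_key", "token", "api_key"}


def redact(attrs: dict) -> dict:
    """Keep the attribute name (the reviewer must see that it changed) but
    replace the value of anything sensitive."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE else v) for k, v in attrs.items()}


def audit_record(level: str, subject: str, event: str, outcome: str,
                 obj: Optional[str] = None, changed: Optional[dict] = None,
                 when: Optional[datetime] = None) -> Optional[dict]:
    """Return the record to store, or None if this level does not record the event.

    minimal : successful use of a security-administration function only
    basic   : attempted use as well, plus the names of the attributes modified
    detailed: basic, plus the new attribute values (sensitive ones redacted)
    """
    lvl = LEVELS[level]
    if outcome != "success" and lvl < 1:
        return None
    rec = {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "subject": subject,
        "event": event,
        "outcome": outcome,
        "object": obj,
    }
    if changed and lvl >= 1:
        rec["modified_attributes"] = sorted(changed)
    if changed and lvl >= 2:
        rec["new_values"] = redact(changed)
    return rec


def demo() -> dict:
    """Constructed events: one failed and one successful password reset by an
    administrator, generated at each level."""
    when = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    change = {"password": "hunter2", "must_change_at_next_login": True}
    out = {}
    for level in LEVELS:
        out[level] = {
            "failed_attempt": audit_record(level, "admin", "SET_PASSWORD", "failure",
                                           obj="user:bob", changed=change, when=when),
            "success": audit_record(level, "admin", "SET_PASSWORD", "success",
                                    obj="user:bob", changed=change, when=when),
        }
    return out
```

Redaction by attribute name is a deliberately simple choice; in a real system the schema should mark sensitive attributes explicitly, because a value such as a password that arrives under an unexpected key name will otherwise be written to the trail in clear.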

Security Audit Analysis (FAU_SAA)
Automated analysis of system activity and audit data:
–For potential violations, using fixed rules.
–Profile-based anomaly detection, which compares current activity with a baseline profile and generates suspicion ratings.
Note that profile-based detection cannot detect one-time events: a single unusual action barely moves a statistical profile, and a first-ever action has no history to be compared against. Security administrators need to be briefed on the meaning of the suspicion rating. Otherwise everyone becomes a suspect, and users are motivated to evade or hack the security controls.

Detection of Attacks
Audit analysis usually cannot determine that a security violation is imminent; however, some system events are significant on their own:
–Deletion of security data files (audit logs, password or shadow files, policy files)
–A remote user attempting to gain root access.
Such events can be detected with simple or complex heuristic rules, which fire on a single record and therefore catch the one-time events that profiles miss.
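The following added example (not from the slides) runs both kinds of FAU_SAA analysis from the two slides above over a handful of constructed log lines: heuristic rules for the two significant events just named, and a profile-based suspicion rating per user. The log format, the list of security data files, the internal network ranges, the baseline profiles and the scoring weights are all assumptions.

```python
"""Audit analysis (FAU_SAA) over constructed log lines: simple heuristic rules
for the two significant events the slides name, plus a profile-based suspicion
rating per user. Added example, not from the original slides; the log format,
the baseline profiles and the scoring weights are assumed."""
import ipaddress
from collections import defaultdict

# Constructed sample: one timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z host=web1 user=alice src=10.0.0.5 event=LOGIN result=ok
2024-05-01T09:14:30Z host=web1 user=alice src=10.0.0.5 event=READ object=/srv/app/config result=ok
2024-05-01T02:13:07Z host=db1 user=bob src=203.0.113.9 event=SU target=root result=fail
2024-05-01T02:13:20Z host=db1 user=bob src=203.0.113.9 event=SU target=root result=ok
2024-05-01T02:15:02Z host=db1 user=bob src=203.0.113.9 event=DELETE object=/var/log/audit/audit.log result=ok
"""

# Assumed: paths whose deletion counts as deletion of a security data file.
SECURITY_DATA = ("/etc/shadow", "/etc/sudoers", "/etc/audit/", "/var/log/audit/")

# Assumed: address ranges considered local; anything else is "remote".
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed baseline profiles built from earlier, reviewed activity.
PROFILES = {
    "alice": {"hosts": {"web1"}, "hours": range(8, 19)},
    "bob":   {"hosts": {"db1"},  "hours": range(8, 19)},
}


def parse(text: str) -> list:
    """Turn each line into a dict of fields plus the hour of day."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = ts
        rec["hour"] = int(ts[11:13])
        records.append(rec)
    return records


def is_remote(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL)


# Heuristic rules: each fires on a single record, so one-time events are caught.
RULES = {
    "security data file deleted":
        lambda r: r.get("event") == "DELETE" and r.get("object", "").startswith(SECURITY_DATA),
    "remote user sought root":
        lambda r: r.get("event") == "SU" and r.get("target") == "root"
        and is_remote(r.get("src", "127.0.0.1")),
}


def match_rules(records: list) -> list:
    """Return (time, user, rule name) for every record that trips a rule."""
    return [(r["time"], r["user"], name)
            for r in records for name, pred in RULES.items() if pred(r)]


def suspicion(records: list) -> dict:
    """Profile-based rating: +1 per deviation from the user's baseline.
    An unknown user scores a flat 3. A single novel event adds only a point or
    two, which is why profiles cannot replace the rules above."""
    scores = defaultdict(int)
    for r in records:
        user = r["user"]
        scores[user] += 0                      # report every user, even at zero
        profile = PROFILES.get(user)
        if profile is None:
            scores[user] += 3
            continue
        if r["host"] not in profile["hosts"]:
            scores[user] += 1
        if r["hour"] not in profile["hours"]:
            scores[user] += 1
        if r.get("result") == "fail":
            scores[user] += 1
    return dict(scores)


def analyse(text: str = SAMPLE_LOG) -> dict:
    records = parse(text)
    return {"hits": match_rules(records), "suspicion": suspicion(records)}
```

On the sample, bob's off-hours activity and one failed su accumulate a rating of 4 while alice stays at 0, but it is the rules, not the rating, that single out the two events that matter: root obtained from a remote address and the audit log deleted two minutes later. A rating threshold alone would have to be set low enough to flag bob, at which point every night-shift operator becomes a suspect, which is exactly the briefing problem the FAU_SAA slide warns about.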

Security Audit Review (FAU_SAR)
Review of stored audit data, with selection (searching, sorting, filtering) based on:
–Individual users or groups of users
–Actions performed on specific objects or resources
–Audited exceptions and alerts
–Actions associated with a specific security attribute.
Access to this capability should be restricted to authorised reviewers; it is a read-only view of data that must otherwise be inaccessible to users. (Selection before storage is the business of the FAU_SEL family, next.)

Security Audit Event Selection (FAU_SEL)
Not all events need, or should, be audited. The security administrator should be able to include or exclude events based on:
–Object identity
–User identity
–Subject identity
–Host identity
–Event type
Selection rules are themselves security attributes: changes to them should be audited, and exclusions should be as narrow as possible, since anything excluded is invisible afterwards.
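To show how the FAU_SEL attributes above combine with the restricted FAU_SAR review of the previous slide, here is an added example (not from the slides) of a small selection engine and trail. The rule syntax, the reviewer roles and the sample events are assumptions; the precedence rule (exclusions beat inclusions, unmatched events fall to a default) is one common convention, not something Common Criteria prescribes.

```python
"""Audit event selection (FAU_SEL) and restricted review (FAU_SAR): a rule table
decides at generation time which events are recorded, and a review function
filters the stored trail for an authorised reviewer. Added example, not from
the original slides; rule syntax, roles and sample events are assumed."""

# A rule is a dict of attribute -> wanted value (or a set of values), over the
# attributes the slide lists: object, user, subject, host, event.
# An empty rule matches everything.


def _matches(rule: dict, event: dict) -> bool:
    for attr, wanted in rule.items():
        value = event.get(attr)
        if isinstance(wanted, (set, frozenset, list, tuple)):
            if value not in wanted:
                return False
        elif value != wanted:
            return False
    return True


class Selector:
    """Exclusions win over inclusions; events matching no rule get the default."""

    def __init__(self, include: list, exclude: list, default: bool = False):
        self.include, self.exclude, self.default = include, exclude, default

    def selected(self, event: dict) -> bool:
        if any(_matches(r, event) for r in self.exclude):
            return False
        if any(_matches(r, event) for r in self.include):
            return True
        return self.default


class AuditTrail:
    REVIEW_ROLES = {"auditor", "security_admin"}   # assumed role names

    def __init__(self, selector: Selector):
        self.selector, self.entries, self.suppressed = selector, [], 0

    def record(self, event: dict) -> bool:
        """Store the event if selected; count it otherwise so the gap is visible."""
        if self.selector.selected(event):
            self.entries.append(event)
            return True
        self.suppressed += 1
        return False

    def review(self, role: str, **criteria) -> list:
        """FAU_SAR: read-only filtered view, only for authorised reviewers."""
        if role not in self.REVIEW_ROLES:
            raise PermissionError(f"role {role!r} may not review audit data")
        return [e for e in self.entries if _matches(criteria, e)]


def demo() -> dict:
    selector = Selector(
        include=[{"event": {"LOGIN", "SU", "CHMOD", "DELETE"}},   # by event type
                 {"user": "contractor"},                          # by user identity
                 {"object": "/etc/shadow"}],                      # by object identity
        # Caveat shown on purpose: this exclusion also hides the build host's
        # read of /etc/shadow below, because exclusions beat inclusions.
        exclude=[{"host": "buildbox", "event": "READ"}],          # by host + event type
    )
    trail = AuditTrail(selector)
    events = [  # constructed
        {"host": "web1", "user": "alice", "subject": "sshd", "event": "LOGIN"},
        {"host": "web1", "user": "alice", "subject": "vim", "event": "READ", "object": "/srv/app/config"},
        {"host": "buildbox", "user": "ci", "subject": "make", "event": "READ", "object": "/etc/shadow"},
        {"host": "db1", "user": "contractor", "subject": "bash", "event": "READ", "object": "/srv/db/dump"},
        {"host": "db1", "user": "bob", "subject": "cat", "event": "READ", "object": "/etc/shadow"},
    ]
    stored = sum(trail.record(e) for e in events)
    try:
        trail.review("developer")
        denied = False
    except PermissionError:
        denied = True
    return {
        "stored": stored,
        "suppressed": trail.suppressed,
        "denied": denied,
        "shadow_readers": [e["user"] for e in trail.review("auditor", object="/etc/shadow")],
    }
```

The counter of suppressed events is there for the reviewer's benefit: a trail that silently drops what it was told to ignore gives no hint of how much is missing. The constructed exclusion illustrates the narrowness point from the slide, since a broad "ignore reads on the build host" rule swallows a read of /etc/shadow that the object rule would otherwise have kept.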

Security Audit Event Storage (FAU_STG)
Requirements for storing audit data for later use. Stored audit data must be protected from unauthorised deletion and modification, and must not be generally accessible to users. There are also requirements for controlling the loss of audit data due to:
–System failure
–Attack
–Exhaustion of storage space
When storage is exhausted the system must follow a defined policy (FAU_STG.4): ignore new events, prevent further auditable events except those of an authorised user, or overwrite the oldest records; and it should alert the administrator when a threshold is reached, before the limit (FAU_STG.3).
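The exhaustion case is the one that gets decided by default rather than by design, so here is an added example (not from the slides) of a bounded audit store that makes the policy explicit and raises the threshold alarm. The capacity, the alarm fraction, the policy names and the events are assumptions; the three policies are the options Common Criteria Part 2 lists for FAU_STG.4.

```python
"""Audit storage (FAU_STG) with a fixed capacity and an explicit policy for the
exhaustion case: ignore new events, prevent auditable events until an
authorised user frees space, or overwrite the oldest records. Added example,
not from the original slides; capacity, alarm threshold and events are assumed."""
from collections import deque


class AuditStorageFull(Exception):
    """Raised under the 'prevent' policy: the auditable action must not proceed."""


class AuditStore:
    def __init__(self, capacity: int, policy: str = "prevent", alarm_fraction: float = 0.8):
        assert policy in ("ignore", "prevent", "overwrite_oldest")
        self.capacity, self.policy = capacity, policy
        self.alarm_at = int(capacity * alarm_fraction)   # FAU_STG.3 threshold
        self.entries = deque()
        self.lost = 0            # records dropped or overwritten
        self.alarms = []         # messages raised for the security administrator

    def record(self, event: dict) -> bool:
        """Store the event; return True if it was kept."""
        if len(self.entries) >= self.capacity:
            if self.policy == "prevent":
                raise AuditStorageFull("audit store full; archive before continuing")
            self.lost += 1
            if self.policy == "ignore":
                return False
            self.entries.popleft()            # overwrite_oldest
        self.entries.append(event)
        if len(self.entries) == self.alarm_at:
            self.alarms.append(f"audit store at {len(self.entries)}/{self.capacity}")
        return True

    def archive(self) -> list:
        """An authorised user moves records to the repository and frees space.
        This is not general user access: the caller must already hold that role."""
        out = list(self.entries)
        self.entries.clear()
        return out


def demo() -> dict:
    """Six constructed events into a store of capacity four, once per policy."""
    events = [{"seq": i} for i in range(6)]
    result = {}
    for policy in ("ignore", "overwrite_oldest", "prevent"):
        store = AuditStore(capacity=4, policy=policy)
        blocked = archived = 0
        for e in events:
            try:
                store.record(e)
            except AuditStorageFull:
                blocked += 1
                archived += len(store.archive())   # admin empties the store ...
                store.record(e)                    # ... then the action is retried, and audited
        result[policy] = {
            "kept": [e["seq"] for e in store.entries],
            "lost": store.lost,
            "blocked": blocked,
            "archived": archived,
            "alarms": len(store.alarms),
        }
    return result
```

Only the prevent policy loses nothing, at the price of refusing service until someone acts on the alarm; ignore and overwrite each lose two of the six records, and they differ only in which two. That trade-off, availability against completeness of the record, is what the policy decision actually is, and the alarm is what makes the prevent policy tolerable in practice.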

Conclusions
If you don't maintain an audit trail, you don't know when you are attacked and can't work out what you may have lost. Be selective about what you record. Protect what you record from the people it records. Monitor your audit trails: an unread log helps the prosecution after the fact, not the defence during it.