Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

Slides:



Advertisements
Similar presentations
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Advertisements

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Intrusion Detection Systems and Practices
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Format Scandisk Defragmentation Antivirus Compression Software
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Enforcing Concurrent Logon Policies with UserLock.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Lecture 13 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 16 Page 1 CS 136, Fall 2012 Evaluating System Security CS 136 Computer Security Peter Reiher November 27, 2012.
Lecture 17 Page 1 CS 236 Online Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Intrusion Detection (ID) Intrusion detection is the ART of detecting inappropriate, incorrect, or anomalous activity There are two methods of doing ID.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
Security CS Introduction to Operating Systems.
CHAPTER 9 HARDENING SERVERS. C REATING A BASELINE POLICY Security parameters used to create a baseline installation can be configured using a Group Policy.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Computer security By Isabelle Cooper.
Lecture 13 Page 1 CS 236 Online Principles for Secure Software Following these doesn’t guarantee security But they touch on the most commonly seen security.
Lecture 19 Page 1 CS 236 Online Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Chapter 4- Part3. 2 Implementing User Profiles A local user profile is automatically created at the local computer when you log on with an account for.
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Lecture 5 Page 1 CS 236 Online Key Management Choosing long, random keys doesn’t do you any good if your clerk is selling them for $10 a pop at the back.
Intrusion Detection System
Understand Audit Policies LESSON Security Fundamentals.
CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.
ICT and the Law Mr Conti. Did you see anything wrong with that? Most people wouldn’t want that sort of information posted in a public place. Why? Because.
Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks.
Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.
Lecture 1 Page 1 CS 236 Online Introduction CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Role Of Network IDS in Network Perimeter Defense.
PREPARED BY : Harsh patel dhruv patel sreejit sundaram.
CSCE 201 Identification and Authentication Fall 2015.
Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.
Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 13 Page 1 CS 236 Online Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Information Systems CS-507 Lecture 32. Physical Intrusion The intruder could physically enter an organization to steal information system assets or carry.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
How Do Users Share Computer Files?
Outline What if your task isn’t writing secure code?
Outline What does the OS protect? Authentication for operating systems
Basics of Intrusion Detection
Outline Introduction Characteristics of intrusion detection systems
Outline What does the OS protect? Authentication for operating systems
Evaluating Program Security
Evaluating System Security Computer Security Peter Reiher May 31, 2016
Lesson 16-Windows NT Security Issues
Fault Tolerance Distributed Web-based Systems
Outline Interprocess communications protection
Bethesda Cybersecurity Club
Evaluating Program Security
16. Account Monitoring and Control
Outline Interprocess communications protection
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
6. Application Software Security
Presentation transcript:

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full evaluation We’ll concentrate on two important elements: –Logging and auditing

Lecture 15 Page 2 CS 236 Online Logging No system’s security is perfect Are my system’s imperfections being exploited? You need to understand what’s going on to tell Logging is the tool for that: –Keeping track of important system information for later examination

Lecture 15 Page 3 CS 236 Online The Basics of Logging OS and applications record messages about their activities –In pre-defined places in the file system These messages record important events And unexpected events Many attacks leave traces in the logs

Lecture 15 Page 4 CS 236 Online Access Logs One example of what might be logged for security purposes Listing of which users accessed which objects –And when and for how long Especially important to log failures

Lecture 15 Page 5 CS 236 Online Other Typical Logging Actions Logging failed login attempts –Can help detect intrusions or password crackers Logging changes in program permissions –A common action by intruders Logging scans of ports known to be dangerous

Lecture 15 Page 6 CS 236 Online Problems With Logging Dealing with large volumes of data Separating the wheat from the chaff –Unless the log is very short, auditing it can be laborious System overheads and costs

Lecture 15 Page 7 CS 236 Online Log Security If you use logs to detect intruders, smart intruders will try to attack logs –Concealing their traces by erasing or modifying the log entries Append-only access control helps a lot here Or logging to hard copy Or logging to a remote machine

Lecture 15 Page 8 CS 236 Online Local Logging vs. Remote Logging Should you log just on the machine where the event occurs? Or log it just at a central site? Or both?

Lecture 15 Page 9 CS 236 Online Local Logging Only gives you the local picture More likely to be compromised by attacker Must share resources with everything else machine does Inherently distributed –Which has its good points and bad points

Lecture 15 Page 10 CS 236 Online Remote Logging On centralized machine or through some hierarchical arrangement Can give combined view of what’s happening in entire installation Machine storing logs can be specialized for that purpose But what if it’s down or unreachable? A goldmine for an attacker, if he can break in

Lecture 15 Page 11 CS 236 Online Desirable Characteristics of a Logging Machine Devoted to that purpose –Don’t run anything else on it Highly secure –Control logins –Limit all other forms of access Reasonably well provisioned –Especially with disk

Lecture 15 Page 12 CS 236 Online Network Logging Log information as it crosses your network Analyze log for various purposes –Security and otherwise Can be used to detect various problems Or diagnose them later

Lecture 15 Page 13 CS 236 Online Logging and Privacy Anything that gets logged must be considered for privacy Am I logging private information? If so, is the log an alternate way to access it? If so, is the log copy as well protected as the real copy?

Lecture 15 Page 14 CS 236 Online An Example Network logs usually don’t keep payload –Only some header information You can tell who talked to whom And what protocol they used And how long and much they talked But not what they said

Lecture 15 Page 15 CS 236 Online Auditing Security mechanisms are great –If you have proper policies to use them Security policies are great –If you follow them For practical systems, proper policies and consistent use are a major security problem `

Lecture 15 Page 16 CS 236 Online Auditing A formal (or semi-formal) process of verifying system security “You may not do what I expect, but you will do what I inspect.” A requirement if you really want your systems to run securely

Lecture 15 Page 17 CS 236 Online Auditing Requirements Knowledge –Of the installation and general security issues Independence Trustworthiness Ideally, big organizations should have their own auditors

Lecture 15 Page 18 CS 236 Online When Should You Audit? Periodically Shortly after making major system changes –Especially those with security implications When problems arise –Internally or externally

Lecture 15 Page 19 CS 236 Online Auditing and Logs Logs are a major audit tool Some examination can be done automatically But part of the purpose is to detect things that automatic methods miss –So some logs should be audited by hand

Lecture 15 Page 20 CS 236 Online What Does an Audit Cover? Conformance to policy Review of control structures Examination of audit trail (logs) User awareness of security Physical controls Software licensing and intellectual property issues

Lecture 15 Page 21 CS 236 Online Does Auditing Really Occur? To some extent, yes 2008 CSI/FBI report says more than 64% of responding organizations did audits Doesn’t say much about the quality of the audits It’s easy to do a bad audit

Lecture 15 Page 22 CS 236 Online Conclusion Don’t assume your security is perfect Either at design time or run time Using security evaluation tools can help improve your security Necessary at all points in the life cycle: –From earliest design until the system stops operating