Presentation on theme: "Access Control Chapter 3 Part 5 Pages 248 to 252."— Presentation transcript:
Access Control Chapter 3 Part 5 Pages 248 to 252
Accountability Auditing capabilities ensure users are accountable for their actions, verify that security policies are enforced, and can be used as investigation tools. Audit users, systems, and applications in log files.
Audit Logs Investigate suspicious activities Determine how far an attack has gone and how much damage is done.
Audit Logs Store logs securely Keep size under control Make sure the ability to delete logs is only available to administrators Log activities of high privileged accounts In a high security account, more activities should be audited and logged
What activities should be logged? Can waste disk space and CPU time is too much is audited. See page 249 – System-level events – Application-level events – User-level events
Threshold Audit all login attempts or Audit all failed logins
Intrusion Detection Systems IDS can scan audit logs for suspicious activities and alert administrators If an attacker is accessing confidential information on a database, this computer could be temporarily disconnected from the Internet.
Review of Audit Logs After a security breach, to piece together what happened Manually – Can be overwhelming – Audit-reduction tools
SIEM Security Information Event Management Gathers logs from various devices – Servers, firewalls, routers – Different vendor products with different formats Data mining to identify patterns
Protecting Audit Logs Attackers like to scrub audit logs Protect the integrity of the log files Digital signatures Write-only log files
Keystroke Monitoring www.keyghost.com If a security professional is suspicious of an individual’s activities An attacker installing a Trojan Horse keylogger Must be stated in security policy and get legal approval