Audit COM380 University of Sunderland Harry R. Erwin, PhD.


2 Purpose
The purpose of audit is to maintain a safe record of security-relevant events to allow:
– Reconstruction of incidents,
– Prosecution in court, and
– In some cases, detection of real, potential, or imminent violations of system security.

3 Audit in a Distributed Environment
Differs significantly from audit in a stand-alone system:
– A single audit 'trail' is not really feasible, because events are recorded on many hosts with different clocks, naming conventions and record formats.
– More thought must be given to collection and management, given the volume of data collected and the vagaries of the collection process.
– Different hosts and servers may conflict in their naming and formats, so records have to be normalised before they can be correlated.
– An audit repository is probably required.
– Local long-term storage of audit data is probably unwise: a host that is compromised takes its own audit record down with it.

4 Cracker Interest in Audit Logs
An audit log shows the cracker what can be seen of his attack:
– It is useful to him for limiting his visibility, and so his exposure to identification and prosecution.
– It will be removed or modified by the cracker if possible, so the log must be protected from the very hosts and accounts it records.
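The practical answer to a cracker who edits or deletes log records is to make the trail tamper-evident. The following is an added example, not code from the lecture: each record carries an HMAC over the previous record's HMAC and its own content, so modifying or removing a record breaks the chain, and the last HMAC is anchored in the repository so that chopping records off the end is caught as well. The key, the sample events and the function names are all assumed for illustration; the key must be held by the repository (or a key store the host cannot read), because a cracker who can read it on the host can simply re-chain the log.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical key for this example. In a real deployment it lives in the audit
# repository or an HSM, never on the audited host.
KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # chain value before the first record


def _mac(prev: str, entry: dict) -> str:
    """MAC over (previous record's MAC, canonical JSON of this entry)."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(log: list, entry: dict) -> list:
    """Append an entry; its MAC binds it to everything written before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"seq": len(log), "entry": entry, "mac": _mac(prev, entry)})
    return log


def verify(log: list, expected_tail=None) -> tuple:
    """Walk the chain. Returns (True, n) for an intact log of n records, or
    (False, i) where i is the first record that does not fit the chain.
    Truncation at the end is invisible to the chain itself, so the caller passes
    the last MAC it stored separately (expected_tail) to catch that case."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or not hmac.compare_digest(rec["mac"], _mac(prev, rec["entry"])):
            return False, i
        prev = rec["mac"]
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return False, len(log)
    return True, len(log)


def demo() -> dict:
    """Build a three-record log from constructed sample events, then tamper with copies."""
    log = []
    for entry in ({"user": "alice", "event": "login", "result": "success"},
                  {"user": "alice", "event": "chmod", "object": "/etc/shadow"},
                  {"user": "alice", "event": "logout"}):
        append(log, entry)
    tail = log[-1]["mac"]  # what the repository would hold as the current chain head

    modified = copy.deepcopy(log)
    modified[1]["entry"]["object"] = "/tmp/harmless"  # cracker rewrites what he touched
    deleted = copy.deepcopy(log)
    del deleted[1]                                     # cracker removes the record
    truncated = copy.deepcopy(log)[:-1]                # cracker chops off the tail

    return {"intact": verify(log, tail), "modified": verify(modified, tail),
            "deleted": verify(deleted, tail), "truncated": verify(truncated, tail)}


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:10} ok={ok} index={idx}")
```

The chain says nothing about records that were never written; it only guarantees that what the repository has is what the host emitted, in order, and nothing was quietly removed from the middle or the end.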

5 Common Criteria Security Audit Functionality (FAU)
– Security audit automatic response (FAU_ARP)
– Security audit data generation (FAU_GEN)
– Security audit analysis (FAU_SAA)
– Security audit review (FAU_SAR)
– Security audit event selection (FAU_SEL)
– Security audit event storage (FAU_STG)

6 Security Audit Automatic Response (FAU_ARP)
How are audit events handled?
– Alarms
– Possible automatic responses:
  Terminate the offending process or user session
  Disable the attacked service
  Disconnection
  Invalidation of the user account

7 Security Audit Data Generation (FAU_GEN)
Should define the auditable events. The following should be included at each audit level:
– Minimal: successful use of security administration functions.
– Basic: attempted use of security administration functions, and identification of the modified attributes.
– Detailed: capture of the new attribute values (but do not capture passwords, cryptographic keys, and similar sensitive data).

8 Typical Auditable Events
– Access to security-controlled objects
– Deletion of objects
– Change of access rights
– Changes to security attributes
– Policy checks performed for a user
– Use of access rights to bypass policy checks
– Identification and authentication
– Operator security actions
– Import/export of data from/to removable media
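Slides 7 and 8 together describe what a record generator has to decide: whether the configured audit level requires the event at all, how much of the change to record, and which attribute values must never reach the trail. The following is an added example, not code from the lecture. It takes the level semantics from slide 7 (minimal records successes only; basic also records attempts and the names of modified attributes; detailed adds the new values) and the event list from slide 8; the event-type names, the list of sensitive attribute names and the sample change are assumptions for illustration.

```python
import datetime

LEVELS = {"minimal": 0, "basic": 1, "detailed": 2}

# Auditable event types from slide 8 (names assumed); anything else is a policy error.
EVENT_TYPES = {
    "object_access", "object_delete", "access_rights_change", "security_attr_change",
    "policy_check", "policy_bypass", "identification", "authentication",
    "operator_action", "media_import", "media_export",
}

# Attribute names whose values must never be written to the trail at any level (assumed list).
SENSITIVE = {"password", "old_password", "new_password", "secret", "private_key",
             "api_key", "token", "session_key"}


def redact(values: dict) -> dict:
    """Keep the attribute names, drop the values that would turn the trail into a credential store."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE else v) for k, v in values.items()}


def audit_record(level: str, *, subject: str, event: str, obj: str, outcome: str,
                 changed: dict = None):
    """Return the record to store for this event at the configured level, or None if
    the level does not require it. `changed` maps attribute name -> new value."""
    if event not in EVENT_TYPES:
        raise ValueError(f"undefined auditable event: {event}")
    lvl = LEVELS[level]
    # Minimal: only successful use is recorded; attempts that failed are dropped.
    if lvl == 0 and outcome != "success":
        return None
    rec = {"ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
           "subject": subject, "event": event, "object": obj, "outcome": outcome}
    if changed:
        if lvl >= 1:
            rec["modified_attributes"] = sorted(changed)  # basic: names only
        if lvl >= 2:
            rec["new_values"] = redact(changed)           # detailed: values, minus secrets
    return rec


def demo() -> dict:
    """A password-and-shell change on account alice, generated at every level for a
    successful change by root and a failed attempt by an ordinary user (constructed sample)."""
    change = {"password": "hunter2", "shell": "/bin/zsh"}
    out = {}
    for level in LEVELS:
        out[level] = {
            "success": audit_record(level, subject="uid=0", event="security_attr_change",
                                    obj="user:alice", outcome="success", changed=change),
            "failure": audit_record(level, subject="uid=1001", event="security_attr_change",
                                    obj="user:alice", outcome="failure", changed=change),
        }
    return out


if __name__ == "__main__":
    for level, recs in demo().items():
        print(level, recs)
```

Note that redaction is applied by attribute name, so an unusual name for a secret (say "pw") would slip through; in practice the list is derived from the schema of the objects being administered, not written by hand.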

9 Security Audit Analysis (FAU_SAA)
Automated analysis of system activity and audit data:
– For potential violations.
– Profile-based anomaly detection (to generate suspicion ratings). Note that this cannot detect one-time events: a profile needs a history of the user's behaviour to compare against.
Security administrators need to be briefed on the meaning of the suspicion rating. Otherwise everyone becomes a suspect, and users are motivated to evade or hack security.

10 Detection of Attacks
Usually audit analysis cannot determine that a security violation is imminent; however, some system events are significant in themselves:
– Deletion of security data files.
– A remote user attempting to gain root access.
These events can be detected using simple or complex heuristic rules.
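Slides 9 and 10 describe two kinds of analysis: heuristic rules for events that are significant on their own, and profile-based ratings that compare a user's current activity with a baseline. The following is an added example, not code from the lecture, that runs both over constructed sample log lines in an assumed space-separated format (timestamp, host, user, source address, action, object, result). The two rules are the ones named on slide 10; the definition of "remote", the list of security data files and the rating formula (share of a user's events whose action never appeared in that user's baseline) are assumptions. A user with no baseline gets no rating rather than a high one, which is the one-time-event limitation from slide 9 made explicit.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records: timestamp host user source-ip action object result
BASELINE = """
2024-03-04T08:00:01Z srv1 alice 10.0.0.5 login - success
2024-03-04T08:00:05Z srv1 alice 10.0.0.5 read /srv/data/report.txt success
2024-03-04T08:01:10Z srv1 alice 10.0.0.5 write /srv/data/report.txt success
2024-03-04T08:30:00Z srv1 alice 10.0.0.5 logout - success
2024-03-04T08:02:00Z srv1 bob 10.0.0.9 login - success
2024-03-04T08:02:30Z srv1 bob 10.0.0.9 read /srv/data/notes.txt success
2024-03-04T08:40:00Z srv1 bob 10.0.0.9 logout - success
"""

WINDOW = """
2024-03-04T09:00:01Z srv1 alice 10.0.0.5 login - success
2024-03-04T09:00:07Z srv1 alice 10.0.0.5 read /srv/data/report.txt success
2024-03-04T09:05:00Z srv1 bob 203.0.113.7 login - success
2024-03-04T09:05:10Z srv1 bob 203.0.113.7 su root failure
2024-03-04T09:05:12Z srv1 bob 203.0.113.7 su root failure
2024-03-04T09:05:14Z srv1 bob 203.0.113.7 su root success
2024-03-04T09:06:00Z srv1 root 203.0.113.7 delete /var/log/audit/audit.log success
"""

# Assumed site policy: these networks are local, everything else is remote.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumed list of security data files whose deletion is always significant.
SECURITY_DATA = ("/var/log/audit/", "/etc/shadow", "/etc/sudoers")

FIELDS = ("ts", "host", "user", "src", "action", "object", "result")


def parse(text: str) -> list:
    return [dict(zip(FIELDS, line.split())) for line in text.strip().splitlines()]


def is_remote(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL)


def rule_alerts(ev: dict) -> list:
    """Heuristic rules for events that are significant on their own (slide 10)."""
    alerts = []
    if ev["action"] == "delete" and ev["object"].startswith(SECURITY_DATA):
        alerts.append("security_data_deleted")
    if ev["action"] == "su" and ev["object"] == "root" and is_remote(ev["src"]):
        alerts.append("remote_root_attempt")  # fires on the attempt, not only on success
    return alerts


def build_profiles(events: list) -> dict:
    """Per-user profile: how often each action appeared during the baseline period."""
    profiles = defaultdict(Counter)
    for ev in events:
        profiles[ev["user"]][ev["action"]] += 1
    return profiles


def suspicion(profiles: dict, events: list) -> dict:
    """Suspicion rating per user: share of the user's events in the window whose action
    never appeared in that user's profile. No profile means no rating (None)."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    ratings = {}
    for user, evs in per_user.items():
        if user not in profiles:
            ratings[user] = None
            continue
        novel = sum(1 for ev in evs if ev["action"] not in profiles[user])
        ratings[user] = round(novel / len(evs), 2)
    return ratings


def analyze(baseline: str = BASELINE, window: str = WINDOW) -> dict:
    profiles = build_profiles(parse(baseline))
    events = parse(window)
    alerts = [(ev["ts"], ev["user"], a) for ev in events for a in rule_alerts(ev)]
    return {"alerts": alerts, "suspicion": suspicion(profiles, events)}


if __name__ == "__main__":
    result = analyze()
    for ts, user, alert in result["alerts"]:
        print(ts, user, alert)
    print(result["suspicion"])
```

On the sample window the rules fire three times for bob's remote su attempts and once for root deleting the audit log; bob's rating is 0.75 because three of his four events are actions his baseline never contained, alice's is 0.0, and root has no baseline and so no rating. The last point is the briefing slide 9 asks for: an unrated user is not a suspect, just someone the profile cannot speak about.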

11 Security Audit Review (FAU_SAR)
Pre- or post-storage selection of audit records based on:
– Individual users or groups of users.
– Actions performed on specific objects or resources.
– Audited exceptions and alerts.
– Actions associated with a specific security attribute.
Access to this capability should be restricted.

12 Security Audit Event Selection (FAU_SEL)
Not all events need or should be audited. The security supervisor should be allowed to select events based on:
– Object identity
– User identity
– Subject identity
– Host identity
– Event type
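Slides 11 and 12 list the same kind of criteria applied at two points: before storage, to decide what is collected at all (FAU_SEL), and at review time, to decide what a reviewer is shown (FAU_SAR). The following is an added example, not code from the lecture, that expresses both with one selection predicate, and gates the review path on the caller's role as slide 11 requires. The record layout, the group and role tables and the sample records are constructed for illustration; "exception" is taken to mean any record whose outcome is not success.

```python
from dataclasses import dataclass

# Constructed sample records as they might arrive from two hosts.
GENERATED = [
    {"host": "srv1", "user": "alice", "subject": "pid:4021", "type": "auth",
     "object": "-", "outcome": "success", "attrs": {}},
    {"host": "srv1", "user": "bob", "subject": "pid:4100", "type": "access",
     "object": "/etc/shadow", "outcome": "failure", "attrs": {"label": "secret"}},
    {"host": "srv2", "user": "bob", "subject": "pid:77", "type": "admin",
     "object": "/etc/sudoers", "outcome": "success", "attrs": {"label": "secret"}},
    {"host": "srv2", "user": "carol", "subject": "pid:78", "type": "access",
     "object": "/srv/data/report.txt", "outcome": "success", "attrs": {"label": "internal"}},
    {"host": "srv1", "user": "alice", "subject": "pid:4021", "type": "auth",
     "object": "-", "outcome": "failure", "attrs": {}},
    {"host": "srv2", "user": "svc", "subject": "pid:12", "type": "heartbeat",
     "object": "-", "outcome": "success", "attrs": {}},
]
GROUPS = {"admins": {"bob"}, "staff": {"alice", "carol"}}          # assumed group membership
ROLES = {"audra": "security_auditor", "ops1": "operator"}           # assumed role assignments


@dataclass
class Selection:
    """Criteria for selecting audit records; a None field matches anything.
    All given criteria must hold (AND)."""
    users: set = None
    groups: set = None
    subjects: set = None
    hosts: set = None
    event_types: set = None
    objects: set = None
    exceptions_only: bool = False
    attribute: tuple = None  # (name, value) of a security attribute on the object

    def matches(self, rec: dict) -> bool:
        if self.users is not None and rec["user"] not in self.users:
            return False
        if self.groups is not None and not any(rec["user"] in GROUPS.get(g, ()) for g in self.groups):
            return False
        if self.subjects is not None and rec["subject"] not in self.subjects:
            return False
        if self.hosts is not None and rec["host"] not in self.hosts:
            return False
        if self.event_types is not None and rec["type"] not in self.event_types:
            return False
        if self.objects is not None and rec["object"] not in self.objects:
            return False
        if self.exceptions_only and rec["outcome"] == "success":
            return False
        if self.attribute is not None and rec["attrs"].get(self.attribute[0]) != self.attribute[1]:
            return False
        return True


def collect(policy: Selection, generated: list) -> list:
    """FAU_SEL: apply the supervisor's selection before anything is stored."""
    return [r for r in generated if policy.matches(r)]


def review(reviewer: str, records: list, sel: Selection) -> list:
    """FAU_SAR: only a security auditor may read the trail; everyone else is refused."""
    if ROLES.get(reviewer) != "security_auditor":
        raise PermissionError(f"{reviewer} may not review audit data")
    return [r for r in records if sel.matches(r)]


def demo() -> dict:
    out = {
        "stored": len(collect(Selection(event_types={"auth", "admin", "access"}), GENERATED)),
        "bob": len(review("audra", GENERATED, Selection(users={"bob"}))),
        "shadow": len(review("audra", GENERATED, Selection(objects={"/etc/shadow"}))),
        "exceptions": len(review("audra", GENERATED, Selection(exceptions_only=True))),
        "secret_label": len(review("audra", GENERATED, Selection(attribute=("label", "secret")))),
        "staff_on_srv2": len(review("audra", GENERATED, Selection(groups={"staff"}, hosts={"srv2"}))),
    }
    try:
        review("ops1", GENERATED, Selection())
        out["operator_review"] = "allowed"
    except PermissionError:
        out["operator_review"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

Pre-storage selection is where "be selective" from the conclusions is enforced; the trade-off is that a record dropped by the collection policy cannot be recovered at review time, so the policy should err towards collecting the security-relevant event types in full and filtering at review.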

13 Security Audit Event Storage (FAU_STG)
Requirements on storing audit data for later use. Note that audit data should not be generally accessible to users.
Requirements for controlling the loss of audit data due to:
– System failure
– Attack
– Exhaustion of storage space
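Two of the three loss causes on this slide are design decisions in the storage code itself: a record is only safe against system failure once it has reached stable storage, and storage exhaustion forces a choice between refusing further auditable actions, dropping the new records, or overwriting the oldest ones. The following is an added example, not code from the lecture, of an append-only store that fsyncs every record and applies a configured full-trail policy; the three policy names, the alarm threshold and the sample records are assumptions for illustration. Protection against attack is the separate integrity question (the hash chain above) and is not repeated here.

```python
import json
import os
import tempfile


class AuditTrailFull(Exception):
    """Raised in 'prevent' mode: the caller must not carry out the auditable action."""


class AuditStore:
    """Append-only audit file with a capacity limit and a configured action when full."""

    def __init__(self, path: str, max_bytes: int, on_full: str = "prevent", alarm_fraction: float = 0.8):
        # on_full: 'prevent'   refuse new auditable events (fail closed)
        #          'overwrite' discard the oldest records to make room
        #          'ignore'    discard the new record and carry on
        assert on_full in ("prevent", "overwrite", "ignore")
        self.path, self.max_bytes, self.on_full = path, max_bytes, on_full
        self.alarm_fraction = alarm_fraction
        self.size = os.path.getsize(path) if os.path.exists(path) else 0
        self.dropped = 0       # new records discarded ('ignore')
        self.overwritten = 0   # old records discarded ('overwrite')
        self.alarmed = False   # set once usage crosses alarm_fraction: raise an FAU_ARP alarm here

    def _fsync_write(self, mode: str, lines: list) -> None:
        with open(self.path, mode) as f:
            f.writelines(lines)
            f.flush()
            os.fsync(f.fileno())  # the record survives a crash immediately after the event

    def _drop_oldest(self, needed: int) -> None:
        with open(self.path) as f:
            lines = f.readlines()
        while lines and self.size + needed > self.max_bytes:
            self.size -= len(lines.pop(0))
            self.overwritten += 1
        self._fsync_write("w", lines)

    def append(self, record: dict) -> bool:
        """Store one record. Returns False if the record was discarded under 'ignore'."""
        line = json.dumps(record, sort_keys=True) + "\n"   # ASCII, so len() is the byte count
        if len(line) > self.max_bytes:
            raise ValueError("record larger than the whole trail")
        if self.size + len(line) > self.max_bytes:
            if self.on_full == "prevent":
                raise AuditTrailFull(f"{self.path} is full; auditable action refused")
            if self.on_full == "ignore":
                self.dropped += 1
                return False
            self._drop_oldest(len(line))
        self._fsync_write("a", [line])
        self.size += len(line)
        if self.size >= self.alarm_fraction * self.max_bytes:
            self.alarmed = True
        return True

    def records(self) -> list:
        with open(self.path) as f:
            return [json.loads(line) for line in f]


def demo(max_bytes: int = 70) -> dict:
    """Write five constructed 23-byte records into a 70-byte trail under each policy."""
    out = {}
    for mode in ("prevent", "overwrite", "ignore"):
        with tempfile.TemporaryDirectory() as d:
            store = AuditStore(os.path.join(d, "audit.log"), max_bytes, on_full=mode)
            stored = refused = 0
            for n in range(1, 6):
                try:
                    if store.append({"n": n, "event": "x"}):
                        stored += 1
                except AuditTrailFull:
                    refused += 1
            out[mode] = {"stored": stored, "refused": refused, "dropped": store.dropped,
                         "overwritten": store.overwritten,
                         "first_n": store.records()[0]["n"], "alarmed": store.alarmed}
    return out


if __name__ == "__main__":
    for mode, stats in demo().items():
        print(mode, stats)
```

Only 'prevent' guarantees that no audited action goes unrecorded, at the cost of availability; the alarm threshold exists so that an administrator hears about a filling trail before that choice is forced.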

14 Conclusions
– If you don't maintain an audit trail, you don't know when you're attacked and can't figure out what you may have lost.
– Be selective.
– Monitor your audit trails.
