Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

Published byWendy Fisher Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full."— Presentation transcript:

1 Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full evaluation We’ll concentrate on two important elements: –Logging and auditing

2 Lecture 15 Page 2 CS 236 Online Logging No system’s security is perfect Are my system’s imperfections being exploited? You need to understand what’s going on to tell Logging is the tool for that: –Keeping track of important system information for later examination

3 Lecture 15 Page 3 CS 236 Online The Basics of Logging OS and applications record messages about their activities –In pre-defined places in the file system These messages record important events And unexpected events Many attacks leave traces in the logs

4 Lecture 15 Page 4 CS 236 Online Access Logs One example of what might be logged for security purposes Listing of which users accessed which objects –And when and for how long Especially important to log failures

5 Lecture 15 Page 5 CS 236 Online Other Typical Logging Actions Logging failed login attempts –Can help detect intrusions or password crackers Logging changes in program permissions –A common action by intruders Logging scans of ports known to be dangerous

6 Lecture 15 Page 6 CS 236 Online Problems With Logging Dealing with large volumes of data Separating the wheat from the chaff –Unless the log is very short, auditing it can be laborious System overheads and costs

7 Lecture 15 Page 7 CS 236 Online Log Security If you use logs to detect intruders, smart intruders will try to attack logs –Concealing their traces by erasing or modifying the log entries Append-only access control helps a lot here Or logging to hard copy Or logging to a remote machine

8 Lecture 15 Page 8 CS 236 Online Local Logging vs. Remote Logging Should you log just on the machine where the event occurs? Or log it just at a central site? Or both?

9 Lecture 15 Page 9 CS 236 Online Local Logging Only gives you the local picture More likely to be compromised by attacker Must share resources with everything else machine does Inherently distributed –Which has its good points and bad points

10 Lecture 15 Page 10 CS 236 Online Remote Logging On centralized machine or through some hierarchical arrangement Can give combined view of what’s happening in entire installation Machine storing logs can be specialized for that purpose But what if it’s down or unreachable? A goldmine for an attacker, if he can break in

11 Lecture 15 Page 11 CS 236 Online Desirable Characteristics of a Logging Machine Devoted to that purpose –Don’t run anything else on it Highly secure –Control logins –Limit all other forms of access Reasonably well provisioned –Especially with disk

12 Lecture 15 Page 12 CS 236 Online Network Logging Log information as it crosses your network Analyze log for various purposes –Security and otherwise Can be used to detect various problems Or diagnose them later

13 Lecture 15 Page 13 CS 236 Online Logging and Privacy Anything that gets logged must be considered for privacy Am I logging private information? If so, is the log an alternate way to access it? If so, is the log copy as well protected as the real copy?

14 Lecture 15 Page 14 CS 236 Online An Example Network logs usually don’t keep payload –Only some header information You can tell who talked to whom And what protocol they used And how long and much they talked But not what they said

15 Lecture 15 Page 15 CS 236 Online Auditing Security mechanisms are great –If you have proper policies to use them Security policies are great –If you follow them For practical systems, proper policies and consistent use are a major security problem `

16 Lecture 15 Page 16 CS 236 Online Auditing A formal (or semi-formal) process of verifying system security “You may not do what I expect, but you will do what I inspect.” A requirement if you really want your systems to run securely

17 Lecture 15 Page 17 CS 236 Online Auditing Requirements Knowledge –Of the installation and general security issues Independence Trustworthiness Ideally, big organizations should have their own auditors

18 Lecture 15 Page 18 CS 236 Online When Should You Audit? Periodically Shortly after making major system changes –Especially those with security implications When problems arise –Internally or externally

19 Lecture 15 Page 19 CS 236 Online Auditing and Logs Logs are a major audit tool Some examination can be done automatically But part of the purpose is to detect things that automatic methods miss –So some logs should be audited by hand

20 Lecture 15 Page 20 CS 236 Online What Does an Audit Cover? Conformance to policy Review of control structures Examination of audit trail (logs) User awareness of security Physical controls Software licensing and intellectual property issues

21 Lecture 15 Page 21 CS 236 Online Does Auditing Really Occur? To some extent, yes 2008 CSI/FBI report says more than 64% of responding organizations did audits Doesn’t say much about the quality of the audits It’s easy to do a bad audit

22 Lecture 15 Page 22 CS 236 Online Conclusion Don’t assume your security is perfect Either at design time or run time Using security evaluation tools can help improve your security Necessary at all points in the life cycle: –From earliest design until the system stops operating

Download ppt "Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full."

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Format Scandisk Defragmentation Antivirus Compression Software

Format Scandisk Defragmentation Antivirus Compression Software
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.

Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.

CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Enforcing Concurrent Logon Policies with UserLock.

Enforcing Concurrent Logon Policies with UserLock.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.

CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.

Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Lecture 13 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 13 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 16 Page 1 CS 136, Fall 2012 Evaluating System Security CS 136 Computer Security Peter Reiher November 27, 2012.

Lecture 16 Page 1 CS 136, Fall 2012 Evaluating System Security CS 136 Computer Security Peter Reiher November 27, 2012.

Similar presentations

Ads by Google