Auditing for Security Management

By Cyril Onwubiko
Network Security Analyst at COLT Telecom

Invited Guest Lecture delivered at London Metropolitan University, for the MSc in IT Security students.

A copy of this presentation is available at http://www.research-series.com/cyril

London Metropolitan University

Overview

Background
Practice
Audit Trail Analysis

Background

Networking and Communications Group

Problem Statement

To assess the effectiveness of an organisation's ability to protect its valued/critical assets, evaluate/examine:
Policy
Processes and Procedures
Operations

Context: Why

A security audit is performed to ensure:
Compliance with standards and laws
Valued assets are protected

And to recommend:
Improvement and enforcement of controls

Practice

General Concept

Auditing covers:
Security Policy
Backup Controls
Logging & Monitoring
Data Protection
System and Network Protection
Disaster Recovery
Compliance
Web Usage & Filtering
Security Threats
Security Vulnerability
Business Continuity
Physical Access

Things to Consider before an Audit

Who to use:
Internal Auditor
External Auditor

Type of audit:
IS Technical: minimise loss/failure
IS Efficiency: minimise costs and increase RoI
IS Assessment: certification and compliance
Software Assessment: inventory/people/performance
Information Security: verify compliance/best practices

Guarantee:
Due Care

Guidelines

Authority:
ISACA: Information Security Audit & Control Association
Recommends computer systems audit and controls.
Example: COBIT - Control Objectives for Information & related Technology (IT Governance Institute)

Laws:
HIPAA: Health Insurance Portability & Accountability Act
Responsible for ensuring health information is protected and secured.
Protected Health Information (PHI)

Guidelines (2)

Laws:
GLBA: Gramm-Leach-Bliley Act - financial sector guideline for IS controls
Provides risk management controls

CISAA: Corporate Information Security Accountability Act
Information security accountability controls

GAISP: Generally Accepted Information Security Principles

CSBIA: California Security Breach Information Act
Disclosure of security breaches
Responsible to: shareholders, customers & 3rd parties.

Audit Trail Analysis

Security Audit

Audit:
Which?
Where?
When?
What?
Who?
How?

Audit Trail Analysis

Audit Trail:
A collection of logged computer network events,
comprising operating system, application and user activities.
Examples: Syslog, Sulog, Lastlog and Event Viewer

Audit Policy

Fig. 1: Event Viewer
Fig. 2: Audit Policy

Controls

Data Analysers - Intrusion Detection Systems
Integrity Checks - Example: Tripwire
Security Information Management Systems - Examples: ArcSight & SEC
Accountability Tools - Examples: RADIUS & LogLogic
Investigation - Security Forensics
Recovery - Business Continuity, Backup

Sample Event Log (anonymised)

more ./messages | grep backupuser
Mar 20 05:21:00 10.0.0.2 Mar 20 2008 04:40:04: %PIX-5-611103: User logged in: Uname: backupuser
Mar 20 05:21:22 10.0.0.1 Mar 20 2008 04:45:56: %PIX-6-315011: SSH session from 10.0.0.3 on interface testbackup-mgmt for user "backupuser"
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-109005: Authentication succeeded for user 'backupuser' from 10.0.0.3/24936 to 10.0.0.2/22 on interface testbackup-mgmt
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-605005: Login permitted from 10.0.0.3/24936 to testbackup-mgmt:10.0.0.2/ssh for user "backupuser"

Correlation

Fig. 3: Events correlated to an incident (Event 1, Event 2, Event 3 -> Incident)

Fig. 4: Example of a port scan incident (hosts h1 to h5)
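As an added example (not part of the lecture), a small Python parser and correlator for the PIX syslog lines on the sample log slide, grouping one user's events into a single incident record as in Fig. 3. The SSH_LOGIN_CHAIN message-ID sequence, the allowed_sources allow list and the field names are assumptions made here, not something the slides define.

```python
import re
from collections import defaultdict

# Constructed sample: the four anonymised PIX syslog lines from the slide above.
SAMPLE_LOG = """\
Mar 20 05:21:00 10.0.0.2 Mar 20 2008 04:40:04: %PIX-5-611103: User logged in: Uname: backupuser
Mar 20 05:21:22 10.0.0.1 Mar 20 2008 04:45:56: %PIX-6-315011: SSH session from 10.0.0.3 on interface testbackup-mgmt for user "backupuser"
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-109005: Authentication succeeded for user 'backupuser' from 10.0.0.3/24936 to 10.0.0.2/22 on interface testbackup-mgmt
Mar 20 05:21:24 10.0.0.2 Mar 20 2008 04:59:59: %PIX-6-605005: Login permitted from 10.0.0.3/24936 to testbackup-mgmt:10.0.0.2/ssh for user "backupuser"
"""

# Fields: collector receive time, relaying device, the device's own timestamp, %PIX-<sev>-<msgid>, text.
LINE_RE = re.compile(
    r"^(?P<recv>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) "
    r"(?P<devtime>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
USER_RE = re.compile(r"""(?:Uname: |user ['"])(?P<user>[^'"\s]+)""")
SRC_RE = re.compile(r"from (?P<src>\d+\.\d+\.\d+\.\d+)")

# Hypothetical chain: the message IDs that, together, make up one complete SSH login in the sample.
SSH_LOGIN_CHAIN = ("315011", "109005", "605005")

def parse_line(line):
    """Return a dict of fields for one PIX syslog line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["user"] = u.group("user") if (u := USER_RE.search(ev["text"])) else None
    ev["src"] = s.group("src") if (s := SRC_RE.search(ev["text"])) else None
    return ev

def correlate(log_text, allowed_sources=()):
    """Group events per user (Fig. 3: events -> incident) and summarise each group."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["user"]:
            by_user[ev["user"]].append(ev)
    incidents = {}
    for user, evs in by_user.items():
        ids = [e["msgid"] for e in evs]
        srcs = sorted({e["src"] for e in evs if e["src"]})
        incidents[user] = {
            "events": len(evs),
            "sources": srcs,
            "complete_ssh_login": all(i in ids for i in SSH_LOGIN_CHAIN),
            "unexpected_sources": [s for s in srcs if s not in allowed_sources],
            "window": (evs[0]["devtime"], evs[-1]["devtime"]),  # device clock, not receive time
        }
    return incidents
```

In the sample the collector's receive time and the device's own timestamp disagree by 20 to 40 minutes, so the summary uses the device clock throughout; unsynchronised clocks are themselves an audit finding, since they undermine any cross-device timeline.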

Proactive Monitoring Technique:

Open Source Initiatives:
SEC (Simple Event Correlator)
OS-SIM (Open Source Security Information Management)
PADS (Passive Asset Detection System)
SNORT - Open Source IDS
BASE (Basic Analysis and Security Engine), e.g. alert management

Software:
PreventSys - McAfee PreventSys Risk and Compliance Audit
QualysGuard Consultant

Conclusion

Audit for management aims to evaluate policies, practices and operations
for compliance, detection, protection and forensics.
It requires tools and techniques.

Recommendations:
Periodic security audits to assess whether security needs are satisfied.
Make contingency, business continuity and disaster recovery plans in case controls fail.

Resources/References

1. CEE: Common Event Expression - http://cee.mitre.org/
2. PreventSys - http://www.mcafee.com/us/enterprise/products/risk_management/index.html
3. QualysGuard Consultant - http://www.qualys.com/partners/qgcon/
4. CAPEC: Common Attack Pattern Enumeration and Classification - http://capec.mitre.org/data/index.html
5. ATFG: Audit Trails Format Group - http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-format.html
6. SEC: Simple Event Correlator - http://kodu.neti.ee/~risto/sec/
7. BASE: Basic Analysis and Security Engine - http://base.secureideas.net/screens.php
8. ISACA - www.isaca.org
9. COBIT - www.isaca.org/cobit
10. HIPAA - http://www.hipaa.org/

Question & Answer

Thank You

Author's Contact: [email protected]

A copy of this presentation is available at: http://www.research-series.com/cyril