Information Assurance.
Fundamentals of Information Systems Security
Lesson 7
Auditing, Testing, and Monitoring
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objective(s)
Explain the importance of security audits, testing, and monitoring in an IT infrastructure.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Key Concepts
Practices and principles of security audits
Ways to monitor systems
Capturing and analyzing log data
Assessing an organization’s security compliance
Monitoring and testing security systems
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
3
Auditing, Testing, and Monitoring
A security audit is a crucial type of evaluation to avoid a data breach
Auditing a computer system involves checking to see how its operation has met security goals
Audit tests may be manual or automated
Before you can determine whether something has worked, you must first define how it’s supposed to work
Known as assessing a system
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
4
Security Auditing and Analysis
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Are security policies sound and appropriate for the business or activity? The purpose of information security is to support the mission of the business and to protect it from the risks it faces. With respect to security, one of the most visible risks is that of data breach. Your organization’s policies and supporting documents define the risks that affect it. Supporting documents include your organization’s procedures, standards, and baselines. When you conduct an audit, you are asking the question, “Are our policies understood and followed?” The audit itself does not set new policies. Auditors might, however, make recommendations based on experience or knowledge of new regulations or other requirements.
• Are there controls supporting your policies? Are the security controls aligned correctly with your organization’s strategies and mission? Do the controls support your policies and culture? If you cannot justify a control by a policy, you should probably remove it. Whenever a control is explained as “for security” but with no other explanation, you should remove it. Security is not a profit center, and it should never exist for its own sake. It is a support department. Its purpose is to protect the organization’s assets and revenue stream.
• Is there effective implementation and upkeep of controls? As your organization evolves and as threats mature, it is important to make sure your controls still meet the risks you face today
8/30/2016
(c) ITT Educational Services, Inc.
5
Are security policies sound and appropriate for the business or activity?
Are there controls supporting your policies?
Is there effective implementation and upkeep of controls?
Security Controls Address Risk
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Monitor: Review and measure all controls to capture actions and changes on the system.
• Audit: Review the logs and overall environment to provide independent analysis of how well the security policy and controls work.
• Improve: Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management.
• Secure: Ensure that new, and existing, controls work together to protect the intended level of security.
8/30/2016
(c) ITT Educational Services, Inc.
6
Determining What Is Acceptable
Define acceptable and unacceptable actions
Create standards based on those developed or endorsed by standards bodies
Communications and other actions permitted by a policy document are acceptable
Communications and other actions specifically banned in your security policy are unacceptable
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
7
Areas of Security Audits
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
8
Large in scope and cover entire departments or business functions
Narrow and address only one specific system or control
Purpose of Audits
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
9
Appropriateness of controls
Is the level of security control suitable for the risk it addresses?
Correct installation of controls
Is the security control in the right place and working well?
Address purpose of controls
Is the security control effective in addressing the risk it was designed to address?
Service Organization Control (SOC) Reports
| Report Type | Contents | Audience |
| SOC 1 | Internal controls over financial reporting | Users and auditors Organizations that must comply with SOX or the GLBA |
| SOC 2 | Security (confidentiality, integrity, availability) and privacy controls | Management, regulators, stakeholders Service providers, hosted data centers, managed cloud computing providers |
| SOC 3 | Security (confidentiality, integrity, availability) and privacy controls | Public Customers of SOC 2 service providers |
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
10
Defining Your Audit Plan
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
11
Define objectives; determine which systems or business processes to review
Define which areas of assurance to check
Identify personnel who will participate in the audit
Defining the Scope of the Plan
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Survey the site(s): An auditor will want to understand the environment and the interconnections between systems before starting the audit activities.
• Review documentation: An auditor will want to review system documentation and configurations, both during planning and as part of the actual audit. Reviewing interoperability agreement requirements is necessary when audits include external partners. These documents specify agreed-upon compliance requirements for outsourcing partners.
• Review risk analysis output: An auditor will want to understand system criticality ratings that are a product of risk analysis studies. This helps rank systems into the appropriate order for mitigation in the reporting phase.
• Review server and application logs: An auditor might ask to examine logs to look for changes to programs, permissions, or configurations.
• Review incident logs: An auditor might ask to review security incident logs to get a feel for problem trends.
• Review results of penetration tests: When an organization conducts penetration tests, the tester prepares a report listing weaknesses that were found. The auditor needs to review this report and make sure that the audit addresses all items.
8/30/2016
(c) ITT Educational Services, Inc.
12
Survey the site(s)
Review documentation
Review risk analysis output
Review server and application logs
Review incident logs
Review results of penetration tests
Audit Scope and the Seven Domains of the IT Infrastructure
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
13
Auditing Benchmarks
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• ISO 27002: ISO 27002 is a best-practices document that gives good guidelines for information security management. For an organization to claim compliance, it must perform an audit to verify that all provisions are satisfied. ISO 27002 is part of a growing suite of standards, the ISO 27000 series, that defines information security standards.
• NIST Cybersecurity Framework (CSF): NIST CSF, first released in 2014, is a response to a U.S. Presidential Executive Order calling for increased cybersecurity. It focuses on critical infrastructure components but is applicable to many general systems. The road map provides a structured method to securing systems that can help auditors align business drivers and security requirements. NIST also publishes a series of Special Publications that cover many aspects of information systems. For example, NIST SP 800-37 is a standard that describes best practices, including auditing, for U.S. government information systems.
• ITIL (Information Technology Infrastructure Library): This is a set of concepts and policies for managing IT infrastructure, development, and operations. ITIL is published in a series of books, each covering a separate IT management topic. ITIL gives a detailed description of a number of important IT practices, with comprehensive checklists, tasks, and procedures that any IT organization can tailor to its needs. Other organizations, such as ISACA and the Institute of Internal Auditors, have developed commonly used audit frameworks. Your organization might develop a set of guidelines in house or adopt and customize an audit framework developed elsewhere. Here are two examples of these types of frameworks:
COBIT: The Control Objectives for Information and related Technology (COBIT) is a set of best practices for IT management. It was created by the Information Systems Audit (ISA), the Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. COBIT gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices. You can use COBIT to help obtain the most benefit from the use of information technology and to develop appropriate IT governance and control in a company.
COSO: The Institute of Internal Auditors (IIA) produces the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. This volunteer-run organization gives guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model. Many companies and other organizations use it to assess their control systems.
8/30/2016
(c) ITT Educational Services, Inc.
14
Benchmark—The standard to which your system is compared to determine whether it is securely configured
ISO 27002—ISO 27002
NIST Cybersecurity Framework (CSF)
ITIL (Information Technology Infrastructure Library)
Committee of Sponsoring Organizations (COSO)
Control Objectives for Information and related Technology (COBIT)
Audit Data Collection Methods
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Questionnaires: You can administer prepared questionnaires to both managers and users.
• Interviews: These are useful for gathering insight into operations from all parties. Interviews often prove to be valuable sources of information and recommendations.
• Observation: This refers to input used to differentiate between paper procedures and the way the job is really done.
• Checklists: These prepared documents help ensure that the information-gathering process covers all areas.
• Reviewing documentation: This documentation assesses currency, adherence, and completeness.
• Reviewing configurations: This review involves assessing change control procedures and the appropriateness of controls, rules, and layout.
• Reviewing policy: This review involves assessing policy relevance, currency, and completeness.
• Performing security testing: Vulnerability testing and penetration testing involve gathering technical information to determine whether vulnerabilities exist in the security components, networks, or applications.
8/30/2016
(c) ITT Educational Services, Inc.
15
Questionnaires
Interviews
Observation
Checklists
Reviewing documentation
Reviewing configurations
Reviewing policy
Performing security testing
Areas Included in Audit Plan
| Area | Audit Goal |
| Antivirus software | Up-to-date, universal application |
| System access policies | Current with technology |
| Intrusion detection and event monitoring systems | Log reviews |
| System-hardening policies | Ports, services |
| Cryptographic controls | Key management, usage (network encryption of sensitive data) |
| Contingency planning | Business continuity plan (BCP), disaster recovery plan (DRP), and continuity of operations plan (COOP) |
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
16
Areas Included in Audit Plan (cont.)
| Area | Audit Goal |
| Hardware and software maintenance | Maintenance agreements, servicing, forecasting of future needs |
| Physical security | Doors locked, power supplies monitored |
| Access control | Need to know, least privilege |
| Change control processes for configuration management | Documented, no unauthorized changes |
| Media protection | Age of media, labeling, storage, transportation |
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
17
Control Checks and Identity Management
Approval process: Who grants approval for access requests?
Authentication mechanisms: What mechanisms are used for specific security requirements?
Password policy and enforcement: Does the organization have an effective password policy and is it uniformly enforced?
Monitoring: Does the organization have sufficient monitoring systems to detect unauthorized access?
Remote access systems: Are all systems properly secured with strong authentication?
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
18
Post-Audit Activities
Exit interview
Data analysis
Generation of audit report
Findings
Recommendations
Timeline for implementation
Level of risk
Management response
Follow-up
Presentation of findings
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
19
Security Monitoring
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Baselines: In order to recognize something as abnormal, you first must know what normal looks like.
• Alarms, alerts, and trends: Alarms and alerts are responses to security events that notify personnel of a possible security incident, much like a door-open alert or a fire alarm. Be aware that employees will quickly ignore repeated false alarms. For this reason, storing alerts and alarms makes it possible to show how events occur over time. This type of analysis helps identify trends. Trend analysis helps auditors focus on more than just individual events.
• Closed-circuit TV: Properly using a closed-circuit TV involves monitoring and recording what the TV cameras see. You must ensure that the security officers monitoring the cameras are trained to watch for certain actions or behaviors. Your staff must also be trained in local law; many jurisdictions prohibit profiling based on race or ethnicity.
• Systems that spot irregular behavior: Examples include IDSs and honeypots—that is, traps set to capture information about improper activity on a network.
8/30/2016
(c) ITT Educational Services, Inc.
20
Baselines
Alarms, alerts, and trends
Closed-circuit TV
Systems that spot irregular behavior
Security Monitoring for Computer Systems
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Real-time monitoring
• Host IDS: A host intrusion detection system (HIDS) is excellent for “noticing” activity in a computer as the activity is happening. IDS rules help identify suspicious activity in near real time.
• System integrity monitoring: Systems such as Tripwire enable you to watch computer systems for unauthorized changes and report them to administrators in near real time.
• Data loss prevention (DLP): DLP systems use business rules to classify sensitive information to prevent unauthorized end users from sharing it. Data that DLP protects are generally data that could put an organization at risk if they were disclosed. For example, DLP systems prevent users from using external storage services, such as Dropbox, for sensitive data.
Non-real-time monitoring
• Application logging: All applications that access or modify sensitive data should have logs that record who used or changed the data and when. These logs support proof of compliance with privacy regulations, investigation of errors or problems with records, and tracking of transactions.
• System logging: This type of logging provides records of who accessed the system and what actions they performed on the system.
Log these activities:
• Host-based activity: This includes changes to systems, access requests, performance, and startups and shutdowns.
• Network and network devices: These include access, traffic type and patterns, malware, and performance.
8/30/2016
(c) ITT Educational Services, Inc.
21
Real-time monitoring
Host IDS
System integrity monitoring
Data loss prevention (DLP)
Non-real-time monitoring
Application logging
System logging
Log activities
Host-based activity
Network and network devices
Types of Log Information to Capture
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
22
Event logs
General operating system and application software events
Access logs
Access requests to resources
Security logs
Security-related events
Audit logs
Defined events that provide additional input to audit activities
Types of Log Information
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
23
How to Verify Security Controls
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
24
Controls that monitor activity
IDSs
IPSs
Firewalls
IDS as a Firewall Complement
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
25
Basic NIDS as a Firewall Complement
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
26
Analysis Methods
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Statistical-based methods: These develop baselines of normal traffic and network activity. The device creates an alert when it identifies a deviation. These can catch unknown attacks, but false positives often happen because identifying normal activity is hard.
• Traffic-based methods: These signal an alert when they identify any unacceptable deviation from expected behavior based on traffic. They can also detect unknown attacks and floods.
• Protocol patterns: Another way to identify attacks without a signature is to look for deviations from protocols. Protocol standards are provided by request for comment (RFC) memorandums published by the Internet Engineering Task Force (IETF). You can get more information on RFCs at www.ietf.org/rfc.html. This type of detection works for well-defined protocols but may cause false positives for protocols that are not well defined.
8/30/2016
(c) ITT Educational Services, Inc.
27
Pattern- or signature-based IDSs
Anomaly-based IDSs
Common methods of detecting anomalies
Statistical-based methods
Traffic-based methods
Protocol patterns
Rule-based detection
Rely on pattern matching and stateful matching
Profile-based systems
HIDS
Software processes or services designed to run on server computers
Intercept and examine system calls or specific processes for patterns or behaviors that should not normally be allowed
HIDS daemons can take a predefined action such as stopping or reporting the infraction
Detect inappropriate traffic that originates inside the network
Recognize an anomaly that is specific to a particular machine or user
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
28
Layered Defense: Network Access Control
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
29
Using NIDS Devices to Monitor Outside Attacks
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
30
Host Isolation and the DMZ
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
31
System Hardening
Turn off or disable unnecessary services; protect ones that are still running
Secure management interfaces and applications
Protect passwords through aggressive password policies
Disable unnecessary user accounts
Apply the latest software patches available
Secure all computers/devices from unauthorized changes
Disable unused network interfaces
Disable unused application service ports
Use MAC filtering to limit device access
Implement 802.1x, PNAC
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
32
Monitoring and Testing Security Systems
Common risks are:
Attackers who come in from outside, with unauthorized access, malicious code, Trojans, and malware
Sensitive information leaking from inside the organization to unauthorized people who can damage your organization
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
33
Monitoring
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
34
Monitor traffic with an IDS, which identifies abnormal traffic for further investigation
Use an IPS to actively block malicious traffic
Testing
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
35
Security Testing Road Map
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Reconnaissance: This activity involves reviewing the system to learn as much as possible about the organization, its systems, and its networks. Public resources for the job, such as WHOIS and Dig, are invisible to network administrators—and this is a problem when they are used by attackers instead of
penetration testers.
• Network mapping: This phase uses tools to determine the layout and services running on the organization’s systems and networks.
•Vulnerability testing: Vulnerability testing involves finding all the weaknesses in a system and determining which places may be attack points.
• Penetration testing: In this phase, you try to exploit a weakness in the system and prove that an attacker could successfully penetrate it.
• Mitigation activities: Reduce or address vulnerabilities found in either penetration tests or vulnerability tests.
8/30/2016
(c) ITT Educational Services, Inc.
36
Establishing Testing Goals and Reconnaissance Methods
Establish testing goals
Identify vulnerabilities and rank them according to how critical they are to your systems
Document a point-in-time (snapshot) test for comparison to other time periods
Prepare for auditor review
Find the gaps in your security
Reconnaissance methods
Social engineering
Whois service
Zone transfer
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
37
Network Mapping
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
38
Network Mapping with ICMP (Ping)
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
39
Network Mapping with TCP/SYN Scans
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
40
Operating System Fingerprinting
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
41
Testing Methods
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Black-box testing uses test methods that aren’t based directly on knowledge of a program’s architecture or design. The term implies that either the tester does not have the source code or the details of the source code are not relevant to what is being tested. Put another way, black-box testing focuses on the externally visible behavior of the software. For example, it may be based on requirements, protocol specifications, APIs, or even attempted attacks.
White-box testing is based on knowledge of the application’s design and source code. In fact, white-box tests are generally derived from source code. For example, these tests might target specific constructs found in the source code or try to achieve a certain level of code coverage.
Gray-box testing lies somewhere between black-box testing and white-box testing. It uses limited knowledge of the program’s internals. In principle, this might mean the tester knows about some parts of the source code and not others. In practice, it usually just means that the tester has access to design documents that are more detailed than specifications or requirements. For example, the tests might be based on an architecture diagram or a state-based model of the program’s behavior.
8/30/2016
(c) ITT Educational Services, Inc.
42
Black-box testing
Uses test methods that aren’t based directly on knowledge of a program’s architecture or design
White-box testing
Is based on knowledge of the application’s design and source code
Gray-box testing
Lies somewhere between black-box testing and white-box testing
Covert versus Overt Testers
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
8/30/2016
(c) ITT Educational Services, Inc.
43
Security Testing Tips and Techniques
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
• Choose the right tool: Choosing tools that are best for testing your software depends on what is to be tested and how the test plan indicates the tests should be carried out. Keep in mind that tool functions often overlap.
• Tools make mistakes: You should view preliminary results with skepticism. Watch for false positives or false negatives. Tool results can vary because detection methods often are not consistent.
• Protect your systems: Carrying out tests at the wrong time or in the wrong way can damage systems. Take care to protect your systems.
• Tests should be as “real” as possible: Tests should run against production networks and systems to the degree that is possible without impairing system operations.
8/30/2016
(c) ITT Educational Services, Inc.
44
Choose the right tool
Tools make mistakes
Protect your systems
Tests should be as “real” as possible
Summary
Practices and principles of security audits
Ways to monitor systems
Capturing and analyzing log data
Assessing an organization’s security compliance
Monitoring and testing security systems
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Fundamentals of Information Systems Security
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.