Information Assurance.

profilembk@248
AuditingTestingandMonitoring.pptx

Fundamentals of Information Systems Security

Lesson 7

Auditing, Testing, and Monitoring

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

1

Learning Objective(s)

Explain the importance of security audits, testing, and monitoring in an IT infrastructure.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Key Concepts

Practices and principles of security audits

Ways to monitor systems

Capturing and analyzing log data

Assessing an organization’s security compliance

Monitoring and testing security systems

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

3

Auditing, Testing, and Monitoring

A security audit is a crucial type of evaluation to avoid a data breach

Auditing a computer system involves checking to see how its operation has met security goals

Audit tests may be manual or automated

Before you can determine whether something has worked, you must first define how it’s supposed to work

Known as assessing a system

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

4

Security Auditing and Analysis

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Are security policies sound and appropriate for the business or activity? The purpose of information security is to support the mission of the business and to protect it from the risks it faces. With respect to security, one of the most visible risks is that of data breach. Your organization’s policies and supporting documents define the risks that affect it. Supporting documents include your organization’s procedures, standards, and baselines. When you conduct an audit, you are asking the question, “Are our policies understood and followed?” The audit itself does not set new policies. Auditors might, however, make recommendations based on experience or knowledge of new regulations or other requirements.

• Are there controls supporting your policies? Are the security controls aligned correctly with your organization’s strategies and mission? Do the controls support your policies and culture? If you cannot justify a control by a policy, you should probably remove it. Whenever a control is explained as “for security” but with no other explanation, you should remove it. Security is not a profit center, and it should never exist for its own sake. It is a support department. Its purpose is to protect the organization’s assets and revenue stream.

• Is there effective implementation and upkeep of controls? As your organization evolves and as threats mature, it is important to make sure your controls still meet the risks you face today

8/30/2016

(c) ITT Educational Services, Inc.

5

Are security policies sound and appropriate for the business or activity?

Are there controls supporting your policies?

Is there effective implementation and upkeep of controls?

Security Controls Address Risk

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Monitor: Review and measure all controls to capture actions and changes on the system.

• Audit: Review the logs and overall environment to provide independent analysis of how well the security policy and controls work.

• Improve: Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management.

• Secure: Ensure that new, and existing, controls work together to protect the intended level of security.

8/30/2016

(c) ITT Educational Services, Inc.

6

Determining What Is Acceptable

Define acceptable and unacceptable actions

Create standards based on those developed or endorsed by standards bodies

Communications and other actions permitted by a policy document are acceptable

Communications and other actions specifically banned in your security policy are unacceptable

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

7

Areas of Security Audits

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

8

Large in scope and cover entire departments or business functions

Narrow and address only one specific system or control

Purpose of Audits

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

9

Appropriateness of controls

Is the level of security control suitable for the risk it addresses?

Correct installation of controls

Is the security control in the right place and working well?

Address purpose of controls

Is the security control effective in addressing the risk it was designed to address?

Service Organization Control (SOC) Reports

Report Type Contents Audience
SOC 1 Internal controls over financial reporting Users and auditors Organizations that must comply with SOX or the GLBA
SOC 2 Security (confidentiality, integrity, availability) and privacy controls Management, regulators, stakeholders Service providers, hosted data centers, managed cloud computing providers
SOC 3 Security (confidentiality, integrity, availability) and privacy controls Public Customers of SOC 2 service providers

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

10

Defining Your Audit Plan

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

11

Define objectives; determine which systems or business processes to review

Define which areas of assurance to check

Identify personnel who will participate in the audit

Defining the Scope of the Plan

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Survey the site(s): An auditor will want to understand the environment and the interconnections between systems before starting the audit activities.

• Review documentation: An auditor will want to review system documentation and configurations, both during planning and as part of the actual audit. Reviewing interoperability agreement requirements is necessary when audits include external partners. These documents specify agreed-upon compliance requirements for outsourcing partners.

• Review risk analysis output: An auditor will want to understand system criticality ratings that are a product of risk analysis studies. This helps rank systems into the appropriate order for mitigation in the reporting phase.

• Review server and application logs: An auditor might ask to examine logs to look for changes to programs, permissions, or configurations.

• Review incident logs: An auditor might ask to review security incident logs to get a feel for problem trends.

• Review results of penetration tests: When an organization conducts penetration tests, the tester prepares a report listing weaknesses that were found. The auditor needs to review this report and make sure that the audit addresses all items.

8/30/2016

(c) ITT Educational Services, Inc.

12

Survey the site(s)

Review documentation

Review risk analysis output

Review server and application logs

Review incident logs

Review results of penetration tests

Audit Scope and the Seven Domains of the IT Infrastructure

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

13

Auditing Benchmarks

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• ISO 27002: ISO 27002 is a best-practices document that gives good guidelines for information security management. For an organization to claim compliance, it must perform an audit to verify that all provisions are satisfied. ISO 27002 is part of a growing suite of standards, the ISO 27000 series, that defines information security standards.

• NIST Cybersecurity Framework (CSF): NIST CSF, first released in 2014, is a response to a U.S. Presidential Executive Order calling for increased cybersecurity. It focuses on critical infrastructure components but is applicable to many general systems. The road map provides a structured method to securing systems that can help auditors align business drivers and security requirements. NIST also publishes a series of Special Publications that cover many aspects of information systems. For example, NIST SP 800-37 is a standard that describes best practices, including auditing, for U.S. government information systems.

• ITIL (Information Technology Infrastructure Library): This is a set of concepts and policies for managing IT infrastructure, development, and operations. ITIL is published in a series of books, each covering a separate IT management topic. ITIL gives a detailed description of a number of important IT practices, with comprehensive checklists, tasks, and procedures that any IT organization can tailor to its needs. Other organizations, such as ISACA and the Institute of Internal Auditors, have developed commonly used audit frameworks. Your organization might develop a set of guidelines in house or adopt and customize an audit framework developed elsewhere. Here are two examples of these types of frameworks:

COBIT: The Control Objectives for Information and related Technology (COBIT) is a set of best practices for IT management. It was created by the Information Systems Audit (ISA), the Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. COBIT gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices. You can use COBIT to help obtain the most benefit from the use of information technology and to develop appropriate IT governance and control in a company.

COSO: The Institute of Internal Auditors (IIA) produces the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. This volunteer-run organization gives guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model. Many companies and other organizations use it to assess their control systems.

8/30/2016

(c) ITT Educational Services, Inc.

14

Benchmark—The standard to which your system is compared to determine whether it is securely configured

ISO 27002—ISO 27002

NIST Cybersecurity Framework (CSF)

ITIL (Information Technology Infrastructure Library)

Committee of Sponsoring Organizations (COSO)

Control Objectives for Information and related Technology (COBIT)

Audit Data Collection Methods

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Questionnaires: You can administer prepared questionnaires to both managers and users.

• Interviews: These are useful for gathering insight into operations from all parties. Interviews often prove to be valuable sources of information and recommendations.

• Observation: This refers to input used to differentiate between paper procedures and the way the job is really done.

• Checklists: These prepared documents help ensure that the information-gathering process covers all areas.

• Reviewing documentation: This documentation assesses currency, adherence, and completeness.

• Reviewing configurations: This review involves assessing change control procedures and the appropriateness of controls, rules, and layout.

• Reviewing policy: This review involves assessing policy relevance, currency, and completeness.

• Performing security testing: Vulnerability testing and penetration testing involve gathering technical information to determine whether vulnerabilities exist in the security components, networks, or applications.

8/30/2016

(c) ITT Educational Services, Inc.

15

Questionnaires

Interviews

Observation

Checklists

Reviewing documentation

Reviewing configurations

Reviewing policy

Performing security testing

Areas Included in Audit Plan

Area Audit Goal
Antivirus software Up-to-date, universal application
System access policies Current with technology
Intrusion detection and event monitoring systems Log reviews
System-hardening policies Ports, services
Cryptographic controls Key management, usage (network encryption of sensitive data)
Contingency planning Business continuity plan (BCP), disaster recovery plan (DRP), and continuity of operations plan (COOP)

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

16

Areas Included in Audit Plan (cont.)

Area Audit Goal
Hardware and software maintenance Maintenance agreements, servicing, forecasting of future needs
Physical security Doors locked, power supplies monitored
Access control Need to know, least privilege
Change control processes for configuration management Documented, no unauthorized changes
Media protection Age of media, labeling, storage, transportation

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

17

Control Checks and Identity Management

Approval process: Who grants approval for access requests?

Authentication mechanisms: What mechanisms are used for specific security requirements?

Password policy and enforcement: Does the organization have an effective password policy and is it uniformly enforced?

Monitoring: Does the organization have sufficient monitoring systems to detect unauthorized access?

Remote access systems: Are all systems properly secured with strong authentication?

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

18

Post-Audit Activities

Exit interview

Data analysis

Generation of audit report

Findings

Recommendations

Timeline for implementation

Level of risk

Management response

Follow-up

Presentation of findings

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

19

Security Monitoring

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Baselines: In order to recognize something as abnormal, you first must know what normal looks like.

• Alarms, alerts, and trends: Alarms and alerts are responses to security events that notify personnel of a possible security incident, much like a door-open alert or a fire alarm. Be aware that employees will quickly ignore repeated false alarms. For this reason, storing alerts and alarms makes it possible to show how events occur over time. This type of analysis helps identify trends. Trend analysis helps auditors focus on more than just individual events.

• Closed-circuit TV: Properly using a closed-circuit TV involves monitoring and recording what the TV cameras see. You must ensure that the security officers monitoring the cameras are trained to watch for certain actions or behaviors. Your staff must also be trained in local law; many jurisdictions prohibit profiling based on race or ethnicity.

• Systems that spot irregular behavior: Examples include IDSs and honeypots—that is, traps set to capture information about improper activity on a network.

8/30/2016

(c) ITT Educational Services, Inc.

20

Baselines

Alarms, alerts, and trends

Closed-circuit TV

Systems that spot irregular behavior

Security Monitoring for Computer Systems

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Real-time monitoring

• Host IDS: A host intrusion detection system (HIDS) is excellent for “noticing” activity in a computer as the activity is happening. IDS rules help identify suspicious activity in near real time.

• System integrity monitoring: Systems such as Tripwire enable you to watch computer systems for unauthorized changes and report them to administrators in near real time.

• Data loss prevention (DLP): DLP systems use business rules to classify sensitive information to prevent unauthorized end users from sharing it. Data that DLP protects are generally data that could put an organization at risk if they were disclosed. For example, DLP systems prevent users from using external storage services, such as Dropbox, for sensitive data.

Non-real-time monitoring

• Application logging: All applications that access or modify sensitive data should have logs that record who used or changed the data and when. These logs support proof of compliance with privacy regulations, investigation of errors or problems with records, and tracking of transactions.

• System logging: This type of logging provides records of who accessed the system and what actions they performed on the system.

Log these activities:

• Host-based activity: This includes changes to systems, access requests, performance, and startups and shutdowns.

• Network and network devices: These include access, traffic type and patterns, malware, and performance.

8/30/2016

(c) ITT Educational Services, Inc.

21

Real-time monitoring

Host IDS

System integrity monitoring

Data loss prevention (DLP)

Non-real-time monitoring

Application logging

System logging

Log activities

Host-based activity

Network and network devices

Types of Log Information to Capture

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

22

Event logs

General operating system and application software events

Access logs

Access requests to resources

Security logs

Security-related events

Audit logs

Defined events that provide additional input to audit activities

Types of Log Information

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

23

How to Verify Security Controls

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

24

Controls that monitor activity

IDSs

IPSs

Firewalls

IDS as a Firewall Complement

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

25

Basic NIDS as a Firewall Complement

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

26

Analysis Methods

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Statistical-based methods: These develop baselines of normal traffic and network activity. The device creates an alert when it identifies a deviation. These can catch unknown attacks, but false positives often happen because identifying normal activity is hard.

• Traffic-based methods: These signal an alert when they identify any unacceptable deviation from expected behavior based on traffic. They can also detect unknown attacks and floods.

• Protocol patterns: Another way to identify attacks without a signature is to look for deviations from protocols. Protocol standards are provided by request for comment (RFC) memorandums published by the Internet Engineering Task Force (IETF). You can get more information on RFCs at www.ietf.org/rfc.html. This type of detection works for well-defined protocols but may cause false positives for protocols that are not well defined.

8/30/2016

(c) ITT Educational Services, Inc.

27

Pattern- or signature-based IDSs

Anomaly-based IDSs

Common methods of detecting anomalies

Statistical-based methods

Traffic-based methods

Protocol patterns

Rule-based detection

Rely on pattern matching and stateful matching

Profile-based systems

HIDS

Software processes or services designed to run on server computers

Intercept and examine system calls or specific processes for patterns or behaviors that should not normally be allowed

HIDS daemons can take a predefined action such as stopping or reporting the infraction

Detect inappropriate traffic that originates inside the network

Recognize an anomaly that is specific to a particular machine or user

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

28

Layered Defense: Network Access Control

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

29

Using NIDS Devices to Monitor Outside Attacks

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

30

Host Isolation and the DMZ

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

31

System Hardening

Turn off or disable unnecessary services; protect ones that are still running

Secure management interfaces and applications

Protect passwords through aggressive password policies

Disable unnecessary user accounts

Apply the latest software patches available

Secure all computers/devices from unauthorized changes

Disable unused network interfaces

Disable unused application service ports

Use MAC filtering to limit device access

Implement 802.1x, PNAC

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

32

Monitoring and Testing Security Systems

Common risks are:

Attackers who come in from outside, with unauthorized access, malicious code, Trojans, and malware

Sensitive information leaking from inside the organization to unauthorized people who can damage your organization

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

33

Monitoring

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

34

Monitor traffic with an IDS, which identifies abnormal traffic for further investigation

Use an IPS to actively block malicious traffic

Testing

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

35

Security Testing Road Map

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Reconnaissance: This activity involves reviewing the system to learn as much as possible about the organization, its systems, and its networks. Public resources for the job, such as WHOIS and Dig, are invisible to network administrators—and this is a problem when they are used by attackers instead of

penetration testers.

• Network mapping: This phase uses tools to determine the layout and services running on the organization’s systems and networks.

•Vulnerability testing: Vulnerability testing involves finding all the weaknesses in a system and determining which places may be attack points.

• Penetration testing: In this phase, you try to exploit a weakness in the system and prove that an attacker could successfully penetrate it.

• Mitigation activities: Reduce or address vulnerabilities found in either penetration tests or vulnerability tests.

8/30/2016

(c) ITT Educational Services, Inc.

36

Establishing Testing Goals and Reconnaissance Methods

Establish testing goals

Identify vulnerabilities and rank them according to how critical they are to your systems

Document a point-in-time (snapshot) test for comparison to other time periods

Prepare for auditor review

Find the gaps in your security

Reconnaissance methods

Social engineering

Whois service

Zone transfer

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

37

Network Mapping

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

38

Network Mapping with ICMP (Ping)

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

39

Network Mapping with TCP/SYN Scans

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

40

Operating System Fingerprinting

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

41

Testing Methods

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Black-box testing uses test methods that aren’t based directly on knowledge of a program’s architecture or design. The term implies that either the tester does not have the source code or the details of the source code are not relevant to what is being tested. Put another way, black-box testing focuses on the externally visible behavior of the software. For example, it may be based on requirements, protocol specifications, APIs, or even attempted attacks.

White-box testing is based on knowledge of the application’s design and source code. In fact, white-box tests are generally derived from source code. For example, these tests might target specific constructs found in the source code or try to achieve a certain level of code coverage.

Gray-box testing lies somewhere between black-box testing and white-box testing. It uses limited knowledge of the program’s internals. In principle, this might mean the tester knows about some parts of the source code and not others. In practice, it usually just means that the tester has access to design documents that are more detailed than specifications or requirements. For example, the tests might be based on an architecture diagram or a state-based model of the program’s behavior.

8/30/2016

(c) ITT Educational Services, Inc.

42

Black-box testing

Uses test methods that aren’t based directly on knowledge of a program’s architecture or design

White-box testing

Is based on knowledge of the application’s design and source code

Gray-box testing

Lies somewhere between black-box testing and white-box testing

Covert versus Overt Testers

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

8/30/2016

(c) ITT Educational Services, Inc.

43

Security Testing Tips and Techniques

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

• Choose the right tool: Choosing tools that are best for testing your software depends on what is to be tested and how the test plan indicates the tests should be carried out. Keep in mind that tool functions often overlap.

• Tools make mistakes: You should view preliminary results with skepticism. Watch for false positives or false negatives. Tool results can vary because detection methods often are not consistent.

• Protect your systems: Carrying out tests at the wrong time or in the wrong way can damage systems. Take care to protect your systems.

• Tests should be as “real” as possible: Tests should run against production networks and systems to the degree that is possible without impairing system operations.

8/30/2016

(c) ITT Educational Services, Inc.

44

Choose the right tool

Tools make mistakes

Protect your systems

Tests should be as “real” as possible

Summary

Practices and principles of security audits

Ways to monitor systems

Capturing and analyzing log data

Assessing an organization’s security compliance

Monitoring and testing security systems

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Fundamentals of Information Systems Security

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.