UND CSCI 389 - Security Audit Principles and Practices


Security Audit Principles and Practices
Configuring Logging
Determining What Should Be Logged
Determining How Long Logs Must Be Maintained
Configuring Alerts
Windows Logging
Windows Logging (continued)
UNIX Logging
Analyzing Log Data
Profiling Normal Behavior
Detecting Anomalies
Data Reduction
Maintaining Secure Logs
Conducting a Security Audit
Checklists
IP/Port Scanners
Vulnerability Scanners
Integrity Checking
Penetration Testing
Audit Results
Summary

Security Audit Principles and Practices
Chapter 11

Configuring Logging
• To configure logging, you should be prepared to answer the questions
  – What activities/events should be logged?
  – How long should logs be maintained?
  – What events should trigger immediate notifications to security administrators?
• Logging must be configured to the needs of the organization

Determining What Should Be Logged
• You can’t log everything
  – Unless you have a lot of time and resources
  – Someone must review logs
  – Logging has a negative effect on system performance
  – Critical events may be overwritten
• A prudent approach is to strike a balance between logging important events but not everything
• What is an important event is defined by the environment to some degree and should be given careful consideration

Determining How Long Logs Must Be Maintained
• Most operating systems allow you to overwrite log files based on time or file size
  – This choice may be determined by policy, e.g., log files must be kept for a certain amount of time
• Log files can be archived
  – You may need to maintain a (semi-) permanent record of system activity
  – Back up log files before they are overwritten
  – A common method is to alternate two log files, backing up one file while the other is active

Configuring Alerts
• With modern operating systems, you can set up alerts that notify administrators when specific events occur
  – For example, immediate notification if a hard drive is full
• Alert options include
  – E-mail, pagers, Short Message Service (SMS), instant messaging, pop-up windows, and cell phones
• Typically alerts can be configured differently depending on the severity of the event and the time
  – Only very severe events should trigger a cell phone call in the middle of the night, for example

Windows Logging
• Windows uses the Event Viewer as its primary logging mechanism
  – Found in Administrative Tools
• Event Viewer log files
  – Security log
    • Records security-related events
    • Controlled by a system administrator
    • Typical information includes failed logon attempts and attempts to exceed privileges

Windows Logging (continued)
• Event Viewer log files (continued)
  – Application log
    • Records events triggered by application software
    • System administrators have control over what events to store
  – System log
    • Contains events recorded by the operating system
    • The system administrator generally has no control over this log
    • Typical events include hardware/software problems
  – Other specialized log files include the directory service log, the file replication service log, and the DNS server log

Windows Logging (continued)
• Four types of events are stored in Event Viewer logs
  – Error events are created when a serious problem occurs (corruption of a file system)
  – Warning events are created to alert administrators to potential problems (a disk nearing capacity)
  – Information events are details of some activity that aren’t indications of a problem (starting or stopping a service)
  – Success/failure auditing events are administrator-defined events that can be logged when they succeed, when they fail, or both (unsuccessful logon attempts)

UNIX Logging
• The primary log facility in UNIX is syslog
  – Very flexible, many options for notification and priority
  – Can write to a remote log file allowing the use of dedicated syslog servers to track all activity on a network
• Syslog implements eight priority levels
  – LOG_EMERG (emergency), LOG_ALERT (require immediate intervention), LOG_CRIT (critical system events), LOG_ERR (error), LOG_WARNING (warn of potential errors), LOG_NOTICE (information, no error), LOG_INFO (future use), LOG_DEBUG (developers use for debugging)

Analyzing Log Data
• Log data is used to monitor your environment
• Two main activities
  – Profiling normal behavior to understand typical system behavior at different times and in different parts of your business cycle
  – Detecting anomalies when system activity significantly deviates from the normal behavior you have documented

Profiling Normal Behavior
• A “snapshot” of typical system behavior is called a baseline
• Baselines can be obtained at the network, system, user, and process level
• Baselines detail consumption of system resources
• Baselines will vary significantly based on time of day or business cycle
• It is the administrator’s responsibility to determine the baseline studies appropriate for an organization
  – These will change over time

Detecting Anomalies
• Define anomalies based on thresholds
• The following questions must be answered
  – How much of a deviation from the norm represents an anomaly?
  – How long must the deviation occur before registering an anomaly?
  – What anomalies should trigger immediate alerts?
• Anomalies can occur at any level
  – For example, if a user’s behavior deviates from normal, it may indicate a serious security event

Data Reduction
• When possible, limit the scope of logging activities to that which can reasonably be analyzed
  – However, regulations or policies may stipulate that aggressive logging is necessary
• Data reduction tools are useful when more data is collected than can be reviewed
  – Often built into security tools that create log files
  – For example, CheckPoint’s Firewall-1 allows you to view log files filtered by inbound TCP traffic to a specific port on a specific date

Maintaining Secure Logs
• Logs themselves must be protected from tampering and corruption
• Common techniques to secure logs include
  – Remote logging uses a centralized, highly protected, storage location
  – Printer logging creates a paper trail by immediately printing logged activity
  – Cryptographic technology digitally signs log files to ensure that changes can be detected, though the files are vulnerable until they are finalized

Conducting a Security Audit
• Security professionals examine the policies and implementation of the organization’s security posture
  – Identify deficiencies and recommend changes
• The audit team should be well trained and knowledgeable
  – The team
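
The three threshold questions under "Detecting Anomalies", applied to a time-of-day baseline as described under "Profiling Normal Behavior". This is an added example, not part of the original slides; the sample counts, the slot layout and the parameter names `k`, `min_slots` and `critical_k` are assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Constructed sample: failed-logon counts in six 4-hour slots (00-04 ... 20-24), five days.
HISTORY = [
    [2, 1, 14, 18, 9, 3],
    [1, 2, 16, 17, 10, 2],
    [3, 1, 15, 20, 8, 4],
    [2, 0, 13, 19, 11, 3],
    [2, 1, 17, 16, 12, 3],
]

def build_baseline(history):
    """Per-slot (mean, stdev), so the norm follows the time of day."""
    return [(mean(slot), stdev(slot)) for slot in zip(*history)]

def detect(baseline, observed, k=3.0, min_slots=2, critical_k=10.0):
    """Return [(first_slot, last_slot, severity)] for one observed day.

    k          -- how large a deviation counts (in standard deviations)
    min_slots  -- how long it must persist before it registers ("review")
    critical_k -- deviation reported as "immediate", whatever its duration
    """
    findings, run = [], []  # run: consecutive deviating (slot, z) pairs

    def close_run():
        if not run:
            return
        peak = max(z for _, z in run)
        if peak >= critical_k:
            findings.append((run[0][0], run[-1][0], "immediate"))
        elif len(run) >= min_slots:
            findings.append((run[0][0], run[-1][0], "review"))
        run.clear()

    for slot, count in enumerate(observed):
        mu, sigma = baseline[slot]
        # Floor sigma at 1 so very quiet slots do not fire on one or two extra events.
        z = abs(count - mu) / max(sigma, 1.0)
        if z >= k:
            run.append((slot, z))
        else:
            close_run()
    close_run()
    return findings

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(detect(base, [2, 6, 15, 25, 17, 3]))   # one-slot blip ignored, sustained rise flagged
    print(detect(base, [15, 1, 15, 18, 10, 3]))  # a midday-normal count arriving at night
```

The second call shows why the baseline is kept per time slot: 15 failed logons is ordinary in the midday slots of this sample and far outside the norm in the first slot of the day.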
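
The "Maintaining Secure Logs" slide notes that a signed log file is vulnerable until it is finalized. One way to shrink that window is to protect each record as it is written by chaining keyed hashes, shown here as an added example that is not part of the original slides. It goes beyond the slide's whole-file signing; the function names, the sample lines and the idea that the key and the latest tag are held on the remote log server are assumptions.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain

# Constructed sample records in a syslog-like shape.
SAMPLE = [
    "Jan 10 02:11:04 host1 sshd[411]: Failed password for root",
    "Jan 10 02:11:09 host1 sshd[411]: Failed password for root",
    "Jan 10 02:11:15 host1 sshd[411]: Accepted password for root",
    "Jan 10 02:12:40 host1 sudo: root : COMMAND=/usr/bin/passwd",
]

def seal(key, prev_tag, message):
    """Tag for one record; it also covers the previous tag, linking the chain."""
    return hmac.new(key, prev_tag + message.encode(), hashlib.sha256).digest()

def append(log, key, message):
    prev = log[-1][1] if log else GENESIS
    log.append((message, seal(key, prev, message)))

def build_log(key, messages):
    log = []
    for message in messages:
        append(log, key, message)
    return log

def verify(log, key, expected_last_tag=None):
    """Return the index of the first record that fails, or -1 if intact.

    expected_last_tag is the newest tag as recorded off-host (assumed to be
    kept by the log server); without it, removed trailing records go unnoticed.
    """
    prev = GENESIS
    for i, (message, tag) in enumerate(log):
        if not hmac.compare_digest(tag, seal(key, prev, message)):
            return i
        prev = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return len(log)  # chain is consistent but ends too early
    return -1

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key is not stored on the logging host
    log = build_log(key, SAMPLE)
    print(verify(log, key, log[-1][1]))  # intact log
```

The check only holds if the key is unavailable to anyone who can alter the log file, which is why it pairs with the remote logging technique listed on the same slide.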

