Fundamentals of Information Systems Security
Lesson 7: Auditing, Testing, and Monitoring

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective(s)
 Explain the importance of security audits,
testing, and monitoring in an IT
infrastructure.

Key Concepts
 Practices and principles of security audits
 Ways to monitor systems
 Capturing and analyzing log data
 Assessing an organization’s security compliance
 Monitoring and testing security systems

Auditing, Testing, and Monitoring
 A security audit is a key evaluation for reducing the likelihood of a data breach
 Auditing a computer system means checking how well its operation has met its security goals
 Audit tests may be manual or automated
 Before you can determine whether something has worked, you must first define how it is supposed to work
• Known as assessing a system

Security Auditing and Analysis

 Are security policies sound and appropriate for the business or activity?
 Are there controls supporting your policies?
 Is there effective implementation and upkeep of controls?

Security Controls Address Risk

Determining What Is Acceptable
 Define acceptable and unacceptable actions
 Create standards based on those developed
or endorsed by standards bodies
 Communications and other actions permitted
by a policy document are acceptable
 Communications and other actions specifically
banned in your security policy are
unacceptable

Areas of Security Audits

 Broad audits: large in scope, covering entire departments or business functions
 Narrow audits: address only one specific system or control

Purpose of Audits

Appropriateness of controls
• Is the level of security control suitable for the risk it
addresses?
Correct installation of controls
• Is the security control in the right place and working
well?
Address purpose of controls
• Is the security control effective in addressing the risk it
was designed to address?

Service Organization Control (SOC) Reports
Report | Contents | Audience
SOC 1 | Internal controls over financial reporting | Users and auditors; organizations that must comply with SOX or the GLBA
SOC 2 | Security (confidentiality, integrity, availability) and privacy controls | Management, regulators, stakeholders; service providers, hosted data centers, managed cloud computing providers
SOC 3 | Security (confidentiality, integrity, availability) and privacy controls | Public; customers of SOC 2 service providers
• A SOC 2 report is a restricted-distribution document with the auditor's detailed findings; a SOC 3 report is a general-use summary of the same criteria with the detail removed

Defining Your Audit Plan

 Define objectives; determine which systems or business processes to review
 Define which areas of assurance to check
 Identify personnel who will participate in the audit

Defining the Scope of the Plan

Survey the site(s)

Review documentation

Review risk analysis output

Review server and application logs

Review incident logs

Review results of penetration tests

Audit Scope and the Seven Domains
of the IT Infrastructure

Auditing Benchmarks

 Benchmark: the standard to which your system is compared to determine whether it is securely configured
• ISO/IEC 27002
• NIST Cybersecurity Framework (CSF)
• ITIL (Information Technology Infrastructure Library)
• Control Objectives for Information and related Technology (COBIT)
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Audit Data Collection Methods

 Questionnaires
 Interviews
 Observation
 Checklists
 Reviewing documentation
 Reviewing configurations
 Reviewing policy
 Performing security testing

Areas Included in Audit Plan
Area | Audit goal
Antivirus software | Up to date, applied universally
System access policies | Current with technology
Intrusion detection and event monitoring systems | Log reviews
System-hardening policies | Ports, services
Cryptographic controls | Key management, usage (network encryption of sensitive data)
Contingency planning | Business continuity plan (BCP), disaster recovery plan (DRP), and continuity of operations plan (COOP)

Areas Included in Audit Plan (cont.)

Area | Audit goal
Hardware and software maintenance | Maintenance agreements, servicing, forecasting of future needs
Physical security | Doors locked, power supplies monitored
Access control | Need to know, least privilege
Change control processes for configuration management | Documented, no unauthorized changes
Media protection | Age of media, labeling, storage, transportation

Control Checks and Identity
Management
 Approval process: Who grants approval for access
requests?
 Authentication mechanisms: What mechanisms are
used for specific security requirements?
 Password policy and enforcement: Does the
organization have an effective password policy and is it
uniformly enforced?
 Monitoring: Does the organization have sufficient
monitoring systems to detect unauthorized access?
 Remote access systems: Are all systems properly
secured with strong authentication?

Post-Audit Activities
 Exit interview
 Data analysis
 Generation of audit report
• Findings
• Recommendations
• Timeline for implementation
• Level of risk
• Management response
• Follow-up
 Presentation of findings

Security Monitoring

Baselines

Alarms, alerts, and trends

Closed-circuit TV

Systems that spot irregular behavior

Security Monitoring for Computer Systems
 Real-time monitoring
• Host IDS
• System integrity monitoring
• Data loss prevention (DLP)
 Non-real-time monitoring
• Application logging
• System logging
 Log activities
• Host-based activity
• Network and network devices

Types of Log Information to Capture

 Event logs: general operating system and application software events
 Access logs: access requests to resources
 Security logs: security-related events
 Audit logs: defined events that provide additional input to audit activities

Types of Log Information

How to Verify Security Controls

 Controls that monitor activity
• IDSs
• IPSs
• Firewalls

IDS as a Firewall Complement

Basic NIDS as a Firewall
Complement

Analysis Methods
 Pattern- or signature-based IDSs
• Rule-based detection
• Rely on pattern matching and stateful matching
 Anomaly-based IDSs
• Profile-based systems
 Common methods of detecting anomalies
• Statistical-based methods
• Traffic-based methods
• Protocol patterns
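The following Python script is an added example, not part of the original slides, that runs both analysis methods from this slide (and the log types from the "Types of Log Information to Capture" slide) over a handful of constructed sshd log lines. The log lines, the baseline failure counts, the rule names, the choice of 10.0.0.0/8 as the internal range and the thresholds are all assumptions made for the example. A signature rule fires on a fixed pattern in a single event; the statistical method compares each source's failure count against a baseline profile; the traffic-based method looks for a burst of failures inside a time window.

```python
"""Signature-based and anomaly-based analysis of constructed sshd log lines.

Added example for the slides on log capture and IDS analysis methods; the log
lines, baseline counts, rule names and thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed syslog-style sshd lines (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:12 web01 sshd[2101]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
Mar 10 08:02:40 web01 sshd[2130]: Failed password for bob from 10.0.5.18 port 50210 ssh2
Mar 10 08:03:05 web01 sshd[2144]: Accepted password for bob from 10.0.5.18 port 50211 ssh2
Mar 10 08:10:01 web01 sshd[2200]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 10 08:10:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 10 08:10:03 web01 sshd[2202]: Failed password for admin from 203.0.113.7 port 40003 ssh2
Mar 10 08:10:04 web01 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
Mar 10 08:10:05 web01 sshd[2204]: Failed password for invalid user oracle from 203.0.113.7 port 40005 ssh2
Mar 10 08:10:06 web01 sshd[2205]: Failed password for invalid user postgres from 203.0.113.7 port 40006 ssh2
Mar 10 08:11:30 web01 sshd[2210]: Failed password for carol from 10.0.5.20 port 50300 ssh2
Mar 10 08:12:00 web01 sshd[2215]: Accepted publickey for carol from 10.0.5.20 port 50301 ssh2
"""

# Failure counts per source address from an assumed earlier, quiet period;
# this is the baseline profile the statistical method compares against.
BASELINE_FAILURES = [0, 1, 0, 2, 1, 0, 1, 0]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(log_text):
    """Parse sshd auth lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        # Syslog timestamps carry no year; good enough for intra-day deltas.
        event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
        events.append(event)
    return events


# Signature-based: fixed rules matched against each event (assumed rules;
# 10.0.0.0/8 is taken to be the internal address range).
SIGNATURES = {
    "root-password-attempt": lambda e: e["user"] == "root" and e["method"] == "password",
    "external-source": lambda e: not e["src"].startswith("10."),
}


def signature_hits(events):
    """Return (rule name, source, user) for every event matching a rule."""
    return [(name, e["src"], e["user"])
            for e in events for name, rule in SIGNATURES.items() if rule(e)]


def failures_per_source(events):
    """Count failed logins by source address."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["src"]] += 1
    return dict(counts)


# Anomaly-based, statistical: deviation from the baseline profile.
def statistical_anomalies(counts, baseline_counts, k=3.0):
    """Flag sources whose failure count exceeds mean + k * stdev of the baseline."""
    threshold = mean(baseline_counts) + k * pstdev(baseline_counts)
    return {src: n for src, n in counts.items() if n > threshold}


# Anomaly-based, traffic pattern: too many failures from one source in a window.
def burst_sources(events, max_failures=5, window_seconds=60):
    """Flag sources with more than max_failures failed logins inside any window."""
    per_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            per_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward
            if end - start + 1 > max_failures:
                flagged[src] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("signature hits:", signature_hits(evts))
    print("statistical anomalies:",
          statistical_anomalies(failures_per_source(evts), BASELINE_FAILURES))
    print("burst sources:", burst_sources(evts))
```

On the sample data the signature rules catch the two root password attempts and every event from 203.0.113.7, while both anomaly methods flag 203.0.113.7 alone: six failures against a baseline whose mean-plus-three-sigma threshold is about 2.7, and six failures inside a 60-second window. The single failures from 10.0.5.18 and 10.0.5.20 stay below both thresholds, which is the point of profiling against a baseline rather than alerting on every failed login.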

HIDS
 Software processes or services designed to run on server
computers
 Intercept and examine system calls or specific processes
for patterns or behaviors that should not normally be
allowed
 HIDS daemons can take a predefined action such as
stopping or reporting the infraction
 Detect inappropriate traffic that originates inside the
network
 Recognize an anomaly that is specific to a particular
machine or user

Layered Defense: Network Access
Control

Using NIDS Devices to Monitor
Outside Attacks

Host Isolation and the DMZ

System Hardening
 Turn off or disable unnecessary services; protect ones that
are still running
 Secure management interfaces and applications
 Protect passwords through aggressive password policies
 Disable unnecessary user accounts
 Apply the latest software patches available
 Secure all computers/devices from unauthorized changes
 Disable unused network interfaces
 Disable unused application service ports
 Use MAC filtering to limit device access (a weak control on its own, because MAC addresses are easily spoofed)
 Implement IEEE 802.1X port-based network access control (PNAC)
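The checklist above is what a hardening audit verifies, and the "Auditing Benchmarks" slide describes comparing a system against a standard. The Python script below is an added example, not from the slides or from any published benchmark, that audits an sshd_config against an assumed hardening baseline covering several of the items above (disable root login, strong authentication on the remote-access interface, limit login attempts, verbose logging). The baseline values, the OpenSSH default values used when a keyword is absent, and the two constructed configurations are assumptions. It reproduces two parsing details that matter when auditing this file: sshd keeps the first occurrence of a keyword, so a later "PermitRootLogin no" does not override an earlier "yes", and everything after a Match line is conditional.

```python
"""Benchmark-style check of an sshd_config against an assumed hardening baseline.

Added example, not from the slides. The baseline values are the author's
assumptions in the spirit of common SSH hardening guidance, not a quotation of
any published benchmark; use the benchmark your audit plan names.
"""

# Values OpenSSH applies when a keyword is absent (assumed, per sshd_config(5)).
OPENSSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# Assumed baseline: keyword -> (expected value for the report, check on the
# lower-cased effective value).
BASELINE = {
    "permitrootlogin": ("no", lambda v: v == "no"),
    "passwordauthentication": ("no", lambda v: v == "no"),
    "permitemptypasswords": ("no", lambda v: v == "no"),
    "x11forwarding": ("no", lambda v: v == "no"),
    "maxauthtries": ("4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
    "loglevel": ("VERBOSE", lambda v: v == "verbose"),
}


def effective_settings(config_text):
    """Return keyword -> value as sshd would apply it.

    Keywords are case-insensitive, '#' starts a comment, a keyword may be
    written "Key value" or "Key=value", and the FIRST occurrence wins.
    Parsing stops at the first Match line: settings after it are conditional
    and need a separate check.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(config_text):
    """Compare effective settings to the baseline.

    Returns a list of (keyword, observed value, expected value); an empty list
    means every baseline item is satisfied.
    """
    effective = dict(OPENSSH_DEFAULTS)
    effective.update(effective_settings(config_text))
    findings = []
    for key, (expected, ok) in BASELINE.items():
        observed = effective.get(key, "")
        if not ok(observed.lower()):
            findings.append((key, observed, expected))
    return findings


# Constructed "before" configuration with several weak settings.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin no     # ignored by sshd: the first value seen is kept
"""

# Constructed "after" configuration that satisfies the baseline.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
Match User backup          # conditional settings are outside this check
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "compliant")
```

Against the weak configuration the audit reports five findings (root login, password authentication, X11 forwarding, MaxAuthTries, and LogLevel, the last because the OpenSSH default INFO is below the assumed baseline); the hardened configuration returns none. The Match block in the hardened file is deliberately skipped: conditional overrides are a common way a "compliant" global setting is silently undone for some users, and an audit should list and review them separately rather than let a first-occurrence parser hide them.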
Monitoring and Testing Security
Systems
 Common risks are:
• Attackers who come in from outside, with
unauthorized access, malicious code,
Trojans, and malware
• Sensitive information leaking from inside
the organization to unauthorized people
who can damage your organization

Monitoring

 Monitor traffic with an IDS, which identifies abnormal traffic for further investigation
 Use an IPS to actively block malicious traffic
• Because an IPS sits inline, a false positive blocks legitimate traffic; tune signatures in detect-only mode before enabling blocking

Testing

Security Testing Road Map

Establishing Testing Goals and
Reconnaissance Methods
 Establish testing goals
• Identify vulnerabilities and rank them according to how
critical they are to your systems
• Document a point-in-time (snapshot) test for
comparison to other time periods
• Prepare for auditor review
• Find the gaps in your security
 Reconnaissance methods
• Social engineering
• Whois lookups (domain registration and address-block ownership data)
• DNS zone transfer (AXFR) requests, which reveal every host record if the server permits them
Network Mapping

Network Mapping with ICMP (Ping)

Network Mapping with TCP/SYN
Scans

Operating System Fingerprinting

Testing Methods

Black-box testing
• Uses test methods that are not based on knowledge of the program's architecture, design, or source code; the tester starts from the same position as an outside attacker
White-box testing
• Is based on full knowledge of the application's design and source code
Gray-box testing
• Lies between the two: the tester has partial knowledge, such as design documents or credentials but not source code

Covert versus Overt Testers

Security Testing Tips and
Techniques

 Choose the right tool for the target and the test goal
 Tools make mistakes: expect false positives and false negatives, and verify findings manually
 Protect your systems: scans and exploit attempts can crash services, so test with written authorization, current backups, and a rollback plan
 Tests should be as "real" as possible

Summary
 Practices and principles of security audits
 Ways to monitor systems
 Capturing and analyzing log data
 Assessing an organization’s security
compliance
 Monitoring and testing security systems

