Post on 21-Dec-2015
Security+ Guide to Network Security Fundamentals, Third Edition
Objectives
- Define privilege audits
- Describe how usage audits can protect security
- List the methodologies used for monitoring to detect security-related anomalies
- Describe the different monitoring tools
Privilege Auditing
- _________: a methodical ________ and ________ of something that ___________________ of findings
- A _________ can be considered a _____________
- __________________________ ____________________________ (PoLP): users should be given only the _____________________ necessary to perform his or her job function
- ____________________________: reviewing a _____________________________________; requires knowledge of privilege management, how privileges are assigned, and how to audit these security settings
- More to come on each of these…
Privilege Management
- ___________________________: the process of ___________________________ to objects
- Roles of owners and custodians are generally well-established; where those roles fit into the organization often depends upon how the organization is structured
- The ______________ for privilege management can be either ______________ ______________________________
Privilege Management (continued)
- In a _______________ structure, ____________ is _____________________ of assigning or revoking privileges; all custodians are part of that unit
- A _____________ organizational structure for privilege management delegates the authority for assigning or revoking privileges _____________________________ __________________________
Assigning Privileges
- The foundation for assigning privileges is dictated by the existing access control model
- Recall that there are four major access control models:
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Role Based Access Control (RBAC)
  - Rule Based Access Control (RBAC)
Auditing System Security Settings
- Auditing system security settings for user privileges involves:
  - A regular _______________________
  - Using ______________________
  - Implementing ______________________
- More to come on each of these
Auditing System Security Settings (continued): User access and rights review
- It is important to periodically review user access ______________________
- Most organizations have a _____________ that mandates regular reviews
- Reviewing user access rights for logging into the network can be performed on the _____________________
- Reviewing user permissions over objects can be viewed on the _______________
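The privilege audit and user access and rights review described on the preceding slides can be automated in part by comparing what each account actually holds against what its job function needs (PoLP). This is an added example, not from the textbook; the role matrix, user records and right names are constructed for illustration.

```python
"""Added example (not from the slides): a privilege audit that checks granted
rights against what each role needs (principle of least privilege). The role
matrix and the directory export below are constructed sample data."""

# Constructed: the minimum rights each job function needs (assumed)
ROLE_NEEDS = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"db_read", "db_write", "db_backup"},
    "auditor": {"read_logs", "read_tickets"},
}

# Constructed: what accounts actually hold, as if exported from the directory
GRANTED = {
    "alice": {"role": "helpdesk", "rights": {"reset_password", "read_tickets", "db_write"}},
    "bob":   {"role": "dba",      "rights": {"db_read", "db_write"}},
    "carol": {"role": "auditor",  "rights": {"read_logs", "read_tickets"}},
    "dave":  {"role": "intern",   "rights": {"read_tickets"}},
}

def audit_privileges(granted, role_needs):
    """Return per-user findings: excess rights (PoLP violations), missing
    rights, and accounts whose role is not covered by the role matrix."""
    report = {}
    for user, rec in granted.items():
        needed = role_needs.get(rec["role"])
        if needed is None:
            # A role the matrix does not know cannot be reviewed; flag it
            report[user] = {"unknown_role": rec["role"]}
            continue
        report[user] = {
            "excess": sorted(rec["rights"] - needed),
            "missing": sorted(needed - rec["rights"]),
        }
    return report

def violations(report):
    """Users holding more than their role requires, or whose role cannot be checked."""
    return sorted(u for u, r in report.items() if r.get("excess") or "unknown_role" in r)

if __name__ == "__main__":
    rep = audit_privileges(GRANTED, ROLE_NEEDS)
    for user in violations(rep):
        print(user, rep[user])
```

Missing rights are reported too, because an account that cannot do its job tends to accumulate ad-hoc grants that later show up as excess.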
Auditing System Security Settings (continued): Group Policies
- Instead of setting the same configuration baseline on each computer, a ______________ can be created
- Security template: a method to ___________________________________
- On a Microsoft Windows computer, one method to deploy security templates is to use ___________
  - A feature that provides __________________________ ____________________ of computers and remote users who are using Active Directory (AD)
Auditing System Security Settings (continued): Group Policies
- The ____________________________ within group policies are known as Group Policy Objects (______)
- GPOs are a ______________________________ that can be applied to user objects or AD computers
- Settings are manipulated using administrative template files that are included within the GPO
Auditing System Security Settings (continued): Storage and retention policies
- Information lifecycle management (______): a set of strategies for ____________________________ ________ computer storage systems in order to _________
- ILM strategies are typically recorded in storage and retention ___________________, which outline the requirements for data storage
- _____________________: the 1st step in developing storage and retention policies; assigns a ____________________________________ ___________ and regulation requirements to __________
- Example on next slide…
Auditing System Security Settings (continued): Storage and retention policies (example table not reproduced)
Auditing System Security Settings (continued): Storage and retention policies
- Grouping data into _________ often requires the assistance of the users who save and retrieve the data on a regular basis
- The 2nd step is to ______________________ __________________________________
- Occasional _____________ of storage and retention policies is important
Usage Auditing
- ____________________: audits what objects a user has ____________________
- Involves an examination of _____________________ ______________________ and how frequently
- Sometimes access privileges can be very ________; usage auditing can help _____________________ ____________________
- Permissions given to a higher level “parent” will also be ___________________________, which adds to the complexity of access privileges
- See example on next slide
Usage Auditing (continued)
- Inheritance becomes more complicated with ______
- GPO inheritance allows administrators to set a ____________________ ______________________ in the Microsoft AD
- Other administrators can apply more specific policies at a lower level that apply only to subsets of users or computers
- GPOs that are _________________________ are processed _______________, followed by the order that policies were linked to a container object
Usage Auditing involves Log Management
- A ______ is a record of events that occur
- Logs are composed of ____________________; each entry contains _____________________________ that has occurred
- Logs, from both hardware and software systems, have been used primarily for _______________ problems
- __________________________: the process for ________________________________ ___________________ of computer security log data
Usage Auditing involves Log Management (continued)
- Security _____________________:
  - Antivirus software
  - Remote access software
  - Automated patch update service
- Security __________________________:
  - Network intrusion detection systems (NIDS) and host and network intrusion prevention systems (HIPS/NIPS)
  - Domain Name System (DNS)
  - Authentication servers
  - Proxy servers
  - Firewalls (more info a few slides down…)
Usage Auditing involves Log Management (continued)
- Types of items that should be examined in a _________________ include:
  - IP addresses that are being rejected and dropped
  - Probes to ports that have no application services running on them
  - Source-routed packets
  - Suspicious outbound connections
  - Unsuccessful logins
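A routine log review can check for exactly the five item types listed above. This added example (not from the textbook) triages a small constructed firewall log; the log line format, the internal address range, the set of ports that actually have services listening, and the expected outbound ports are all assumptions made for the example.

```python
"""Added example (not from the slides): sort a constructed firewall log into the
item types the slide says a firewall log review should look for. Line format:
action direction src dst dport flags (assumed for this example)."""
from collections import Counter
import ipaddress

# Constructed sample log lines
SAMPLE_LOG = """\
DROP in 203.0.113.9 192.0.2.10 22 -
DROP in 203.0.113.9 192.0.2.10 23 -
DROP in 203.0.113.9 192.0.2.10 3389 -
ACCEPT in 198.51.100.7 192.0.2.10 443 -
DROP in 198.51.100.22 192.0.2.10 80 srcroute
ACCEPT out 192.0.2.15 198.51.100.50 6667 -
ACCEPT out 192.0.2.15 203.0.113.77 443 -
LOGIN_FAIL in 203.0.113.9 192.0.2.10 22 -
LOGIN_FAIL in 203.0.113.9 192.0.2.10 22 -
"""

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumed internal range
SERVED_PORTS = {80, 443}                           # assumed: only web services listen
EXPECTED_OUTBOUND = {80, 443, 53}                  # assumed normal egress ports

def review_firewall_log(text):
    """Return findings keyed by the slide's five categories."""
    findings = {"rejected_ips": Counter(), "port_probes": [], "source_routed": [],
                "suspicious_outbound": [], "failed_logins": Counter()}
    for line in text.splitlines():
        action, direction, src, dst, dport, flags = line.split()
        dport = int(dport)
        if action == "DROP":
            findings["rejected_ips"][src] += 1          # who is being rejected/dropped
            if direction == "in" and dport not in SERVED_PORTS:
                findings["port_probes"].append((src, dport))   # probe of a closed port
        if "srcroute" in flags:
            findings["source_routed"].append((src, dst))
        if (direction == "out" and ipaddress.ip_address(src) in INTERNAL
                and dport not in EXPECTED_OUTBOUND):
            findings["suspicious_outbound"].append((src, dst, dport))
        if action == "LOGIN_FAIL":
            findings["failed_logins"][src] += 1
    return findings

if __name__ == "__main__":
    for category, items in review_firewall_log(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```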
Usage Auditing involves Log Management (continued): Operating System (OS) logs
- Two common types of security-related OS logs:
  1. _____________________________
  2. ____________________________
- ___________________: an occurrence within a software system that is communicated to users or other programs ___________ _______________________
- 1. System events: _____________________ that are performed by the ________________________
Usage Auditing involves Log Management (continued)
- System events that are commonly recorded include:
  - _________________________________
  - ____________________ information
- 2. Logs based on audit records: the second common type of security-related operating system logs
- Audit records that are commonly recorded include:
  - _____________________________
  - ______________________________
Usage Auditing involves Log Management (continued)
- Log management _______________:
  - A routine review and analysis of logs helps to __________________, policy violations, fraudulent activity, and _________________ shortly after they have occurred
  - Logs can also be used in providing information for ___________________________
  - Logs may be useful for ___________________ __________, supporting the organization’s internal investigations, and identifying operational trends and long-term problems
Usage Auditing involves Log Management (continued)
- It is recommended that organizations enact the following log management solutions:
  - Enact ______________________
  - Establish __________________ and procedures for log management
  - Maintain a ____________________ infrastructure
  - Prioritize log management throughout the organization
  - Use __________________________
  - Provide adequate support
Usage Auditing involves Change Management
- ___________________________: refers to a methodology for ____________ and ___________________________, often manually
- Seeks to approach changes _____________ and provide the necessary __________________ of the changes
- Two major types of changes regarding security that are routinely documented:
  - Any change in _______________________
  - _______________ classification
Usage Auditing involves Change Management (continued)
- Change management team (CMT): created to ________________________
- Any proposed change must first be approved by the CMT
- The team might typically be composed of:
  - Representatives from all areas of IT (servers, network, enterprise server, etc.)
  - Network security
  - Upper-level management
Usage Auditing involves Change Management (continued)
- The duties of the CMT include:
  - Review proposed changes
  - Ensure that the risk and impact of the planned change is clearly understood
  - Recommend approval, disapproval, deferral, or withdrawal of a requested change
  - Communicate proposed and approved changes to co-workers
Monitoring Methodologies and Tools
- There are several types of instruments that can be used on systems and networks to _______________________________
- Monitoring involves ___________________, ________________________________
- Monitoring methodologies include _________ ____________________ and ______________________ monitoring
- More to come on each of these…
Methodologies for Monitoring: Anomaly-based monitoring
- Designed for detecting ________________ _______________________
- A ___________________ (considered “normal” for that network) against which ______________________ __________________
- Whenever there is a ____________________ from this baseline, an alarm is raised
- Advantage: ___________ the anomalies ______________
Methodologies for Monitoring (continued): Anomaly-based monitoring (continued)
- ________________________: alarms that are raised when there is _________ _______________________
- Normal behavior can change easily and even quickly
- Anomaly-based monitoring is _____________ __________________________
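The two anomaly-based monitoring slides above can be shown in a few lines: a baseline is built from observations considered normal, any deviation beyond a threshold raises an alarm, and when normal behavior legitimately changes the old baseline keeps alarming until it is rebuilt. This is an added example, not from the textbook; the metric (connections per minute), the sample values and the three-standard-deviation threshold are assumptions.

```python
"""Added example (not from the slides): a minimal anomaly-based monitor.
The metric (connections per minute), the constructed samples and the
3-sigma threshold are assumptions made for this example."""
import statistics

def build_baseline(samples):
    """Summarize 'normal' observations as (mean, standard deviation)."""
    return statistics.mean(samples), statistics.pstdev(samples)

def is_anomalous(value, baseline, k=3.0):
    """Alarm when the value deviates more than k std devs from the baseline mean."""
    mean, std = baseline
    return abs(value - mean) > k * std

def monitor(values, baseline, k=3.0):
    """Return the indices of observations that would raise an alarm."""
    return [i for i, v in enumerate(values) if is_anomalous(v, baseline, k)]

# Constructed training window: connections per minute on a quiet network
NORMAL = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]

# Constructed observations: one genuine spike (index 2), then legitimately
# higher traffic from index 4 onward after a new service goes live
OBSERVED = [50, 49, 400, 51, 120, 118, 122, 119]

if __name__ == "__main__":
    base = build_baseline(NORMAL)
    # The spike is caught, but the new normal also alarms: false positives
    print("alarms against old baseline:", monitor(OBSERVED, base))
    # Rebuilding the baseline from the new normal silences them
    rebased = build_baseline(OBSERVED[4:])
    print("alarms after re-baselining:", monitor(OBSERVED[4:], rebased))
```

The second print line illustrates the slide's weakness: until the baseline is rebuilt, every minute of the new, legitimate traffic level is reported as an anomaly.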
Methodologies for Monitoring (continued): Signature-based monitoring
- Compares activities against a _________________
- Requires access to an ____________________________
- Current behavior must then be compared against a collection of signatures
- Weaknesses:
  - The signature databases must be __________________
  - As the number of signatures grows, the behaviors must be ___________________________________________ of signatures
Methodologies for Monitoring (continued): Behavior-based monitoring
- Designed to be ______________________ instead of reactive
- Uses the “normal” ____________________ as the standard
- Continuously analyzes the behavior of processes and programs on a system; alerts the user if it detects any _________________
- Advantage: _________________ to update signature files or compile a baseline of statistical behavior
Three Monitoring Tools
- 1. Performance baselines and monitors
  - __________________________: a reference set of data established to _____________ _____________________ for a system or systems
  - Data is accumulated through the ___________ _________________ and networks through _____________________________
  - _____________ is compared with the baseline data to determine how closely the norm is being met and if any adjustments need to be made
Three Monitoring Tools (continued)
- 2. ______________________
  - A low-level system program that uses a __________________ designed to monitor and ______________________ on a desktop system, server, or even a PDA or cell phone
  - Some system monitors have a Web-based interface
  - System monitors generally have a fully customizable notification system
Three Monitoring Tools (continued)
- 3. ___________________________
  - Also called a ____________________
  - ____________________________________ its contents
  - Can fully decode application-layer network protocols
  - The different parts of the protocol can be analyzed for any suspicious behavior
Summary
- A “privilege” can be considered a subject’s access level over an object
- Auditing system security settings for user privileges involves a regular review of user access and rights
- Information lifecycle management (ILM) is a set of strategies for administering, maintaining, and managing computer storage systems in order to retain data
- Usage auditing involves an examination of which subjects are accessing specific objects and how frequently
Summary (continued)
- Logs related to computer security have become particularly important
- Change management refers to a methodology for making changes and keeping track of those changes, often manually
- Monitoring involves examining network traffic, activity, transactions, or behavior in order to detect security-related anomalies