O UNIT 5. Testing, Auditing & Monitoring

Transcription

1 5 esting, uditing & onitoring

2 opics for his nit ole of an audit in effective security baselining and gap analysis mportance of monitoring systems throughout the infrastructure Penetration testing and ethical hacking to help mitigate gaps ecurity logs for normal and abnormal traffic patterns and digital signatures ecurity countermeasures through auditing, testing, and monitoring test results

3 ecurity udit erminology Verification - nsuring that established security controls meet policies or regulatory/mandatory laws Validation - nsuring that security controls function against types of attack and attempted manipulation esting - he manual or automated means of verifying security controls and examining their effectiveness valuation - xamining how well security controls and personnel respond to alarming events

4 ecurity aintenance onitor review and measure all attempts t to capture user actions and system changes udit check to see if measures are actually working mprove make changes to keep up with new threats ecure make sure things work they way you want them to work

5 udit Plan

6 Permission Levels Promiscuous everything allowed Permissive anything not specifically prohibited is allowed Prudent things must be explicitly allowed, everything else prohibited Paranoid very little allowed, rest prohibited and constantly monitored

7 ecurity ssessment heck effectiveness of security measures Verify access controls Validate established mechanisms

8 nfrastructure udit Verify that established controls perform as planned nternal audits examine local security risks and countermeasures. t xternal audits explore attacks from outside.

9 ecurity ssessment vs. udit ecurity ssessment: xamines systems for established security policies and regulatory compliance ecurity udit: dentifies what weaknesses exist despite established security controls

10 thical Hacking eeks to identify and demonstrate exploits for discovered vulnerabilities Good guys employ technical methods used by the bad guys lso called penetration testing Black, white, or gray box testing

11 ole of thical Hacking thical hackers are white hats experienced in penetration testing and security assessments thical hacking tests t security controls against actual attacks

12 Penetration esting mploys testing methodologies depending on the scope of access and information provided by client: Black box White box Gray box

13 ecurity ssessment & udit oles nformation ystems ecurity () officers/managers etwork and systems administrators anagers/data owners uditors Penetration testers or ethical hackers

14 eal-ime onitoring Host ntrusion Prevention ystem (HP): onitors individual hosts for suspicious activity etwork ntrusion Prevention ystem (P): onitors entire network for suspicious traffic Wireless ntrusion Prevention ystem (WP): pecifically monitors the wireless network for suspicious traffic

15 eal-ime onitoring unctions espond to incidents as they p y occur HP denies and disrupts a live attack on a system P intercepts and interrupts a live attack on the wire

16 eal-ime onitoring argets uthentication failures pplication crashes ervice disruptions ystem intrusions etwork abuses Policy violations nauthorized activities nventory changes

17 Log iles Different logs on different systems: pplication, service, and system logs (workstations, servers) ccess, failure, and status logs (routers, firewalls) udit and security logs (proxies, D) Drawbacks: asily overwhelming, clocks not synchronized, and needs organization and prioritization Prioritize goals according to importance (regulations vs policies) reate and maintain a secure log management infrastructure Logging systems can be circumvented and log files modified. ttackers with administrative privilege can tamper with logs Log entries may be faked, modified, or removed altogether

18 Ways to Detect Bad Behavior ttack signatures - use signatures based on attack patterns tatistical anomalies - observe anomalies and variances to baseline behavior tatefull protocol analysis - identify deviant protocol states by comparing events

19 ngress and gress irewalls ntrusion detection system (D) ntrusion prevention system (P) Host Based ntrusion prevention system (HP)

20 Protection Devices irewalls - restrict traffic but cannot distinguish between benign and malicious forms of permissible traffic or make identification of attack patterns in traffic D and P can observe traffic in real-time and trap what slips past firewalls D reports and logs attacks D/P are aware of acceptable and unacceptable forms of legit traffic. n P instantly responds to block the attack and the attacker and may create firewall rules to prevent a future attack

21 ypical irewall etup y

22 ypical D and HD etup y

23 ypical DZ etup y

24 esting Process econnaissance investigating the network to see what exists (who is and other search engines) etwork mapping determine the physical layout, operating systems and the services running on the network (icmp and P scanning) Vulnerability testing finding where the weaknesses are Penetration testing actually exploit the weaknesses you discovered itigation fix the problems and reduce the risk

25 vert vs overt testing g

26 mploying ountermeasures onitor security at several layers of the environment: ystem logs - user interactions, service statuses, and historic failures and events ervice logs - user interactions, service failures, and run-time conditions pplication logs - user interactions, application failures, and run-time conditions etwork logs - Device statuses, traffic conditions, and routing failures

27 ummary security assessments and audits verify, validate, test, and evaluate the infrastructure Penetration testing helps find security gaps ecurity log monitoring reveals normal and abnormal traffic patterns and digital signatures ystem and network monitoring helps prevent attacks and unauthorized access ppropriate security countermeasures are determined through auditing, testing, and monitoring test results

28 Lab 5 ask 1: xamine what packets are sent and received using the ping utility using the windows target server ask 2: xamine what packets are sent and received using the tracert utility using the windows target server ask 3: xamine what packets are sent and received using P using the windows target server ask 4: epeat tasks 1, 2 and 3 using the bunto server