Auditing, Chapter 25, Computer Security: Art and Science, 2nd Edition - PowerPoint PPT Presentation


  1. Auditing (Chapter 25). Computer Security: Art and Science, 2nd Edition, Version 1.0, Slide 25-1

  2. Outline
    • Overview
    • What is auditing?
    • What does an audit system look like?
    • How do you design an auditing system?
    • Auditing mechanisms
    • Examples: NFSv2, LAFS

  3. What is Auditing?
    • Logging: recording events or statistics to provide information about system use and performance
    • Auditing: analysis of log records to present information about the system in a clear, understandable manner

  4. Uses
    • Describe security state
    • Determine if system enters unauthorized state
    • Evaluate effectiveness of protection mechanisms
    • Determine which mechanisms are appropriate and working
    • Deter attacks because of presence of record

  5. Problems
    • What do you log?
      • Hint: looking for violations of a policy, so record at least what will show such violations
    • What do you audit?
      • Need not audit everything
      • Key: what is the policy involved?

  6. Audit System Structure
    • Logger: records information, usually controlled by parameters
    • Analyzer: analyzes logged information looking for something
    • Notifier: reports results of analysis

  7. Logger
    • Type, quantity of information recorded controlled by system or program configuration parameters
    • May be human readable or not
      • If not, usually viewing tools supplied
    • Space available, portability influence storage format

  8. Example: RACF
    • Security enhancement package for IBM’s z/OS, OS/390
    • Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions
    • View events with LISTUSERS commands

  9. RACF: Sample Entry
    USER=EW125004  NAME=S.J.TURNER  OWNER=SECADM  CREATED=88.004
    DEFAULT-GROUP=HUMRES  PASSDATE=88.004  PASS-INTERVAL=30
    ATTRIBUTES=ADSP
    REVOKE DATE=NONE  RESUME-DATE=NONE
    LAST-ACCESS=88.020/14:15:10
    CLASS AUTHORIZATIONS=NONE
    NO-INSTALLATION-DATA
    NO-MODEL-NAME
    LOGON ALLOWED  (DAYS)  (TIME)
    --------------------------------
    ANYDAY  ANYTIME
    GROUP=HUMRES  AUTH=JOIN  CONNECT-OWNER=SECADM  CONNECT-DATE=88.004
      CONNECTS= 15  UACC=READ  LAST-CONNECT=88.018/16:45:06
      CONNECT ATTRIBUTES=NONE
      REVOKE DATE=NONE  RESUME DATE=NONE
    GROUP=PERSNL  AUTH=JOIN  CONNECT-OWNER=SECADM  CONNECT-DATE:88.004
      CONNECTS= 25  UACC=READ  LAST-CONNECT=88.020/14:15:10
      CONNECT ATTRIBUTES=NONE
      REVOKE DATE=NONE  RESUME DATE=NONE
    SECURITY-LEVEL=NONE SPECIFIED
    CATEGORY AUTHORIZATION
      NONE SPECIFIED

  10. Example: Windows 10
    • Different logs for different types of events
      • System event logs record system crashes, component failures, and other system events
      • Application event logs record events that applications request be recorded
      • Security event log records security-critical events such as logging in and out, system file accesses, and other events
      • Setup event log records events occurring during application installation
      • Forwarded event log records entries forwarded from other systems
    • Logs are binary; use event viewer to see them
    • If log full, can have system shut down, logging disabled, or logs overwritten

  11. Windows 10 Sample Entry
    Log Name:      Security
    Source:        Microsoft Windows security
    Logged:        03/20/2017 12:02:59 PM
    Event ID:      4634
    Task Category: Logoff
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      McLaren
    OpCode:        Info
    General:
      An account was logged off.
      Subject:
        Security ID:    MCLAREN\matt
        Account Name:   matt
        Account Domain: MCLAREN
        Logon ID:       0xACBA30
    Details:
      + System
      - EventData
        TargetUserSID     S-1-5-22-2039872233-608055118-4446661516-2001
        TargetUserName    matt
        TargetDomainName  MCLAREN
        TargetLogonId     0xacba30
    [would be in graphical format]

  12. Analyzer
    • Analyzes one or more logs
      • Logs may come from multiple systems, or a single system
    • May lead to changes in logging
    • May lead to a report of an event

  13. Examples
    • Using swatch to find instances of telnet from tcpd logs:
      /telnet/&!/localhost/&!/*.site.com/
    • Query set overlap control in databases
      • If too much overlap between current query and past queries, do not answer
    • Intrusion detection analysis engine (director)
      • Takes data from sensors and determines if an intrusion is occurring

  14. Notifier
    • Informs analyst, other entities of results of analysis
    • May reconfigure logging and/or analysis on basis of results

  15. Examples
    • Using swatch to notify of telnets:
      /telnet/&!/localhost/&!/*.site.com/ mail staff
    • Query set overlap control in databases
      • Prevents response from being given if too much overlap occurs
    • Three failed logins in a row disable user account
      • Notifier disables account, notifies sysadmin
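The analyzer and notifier rules from slides 13 and 15, as an added example that is not code from the slides or the book: a rule equivalent to the swatch pattern `/telnet/&!/localhost/&!/*.site.com/` and a "three failed logins in a row" rule run over constructed syslog-style lines; the notifier actions are returned as tuples instead of mailing staff or disabling accounts.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the slides): tcpd telnet
# connections followed by login results, in a syslog-like layout.
SAMPLE_LOG = """\
Mar 20 12:01:01 host tcpd: telnetd: connect from localhost
Mar 20 12:01:05 host tcpd: telnetd: connect from ws1.site.com
Mar 20 12:01:09 host tcpd: telnetd: connect from evil.example.net
Mar 20 12:02:00 host login: FAILED LOGIN for alice on tty1
Mar 20 12:02:10 host login: FAILED LOGIN for alice on tty1
Mar 20 12:02:20 host login: FAILED LOGIN for alice on tty1
Mar 20 12:02:30 host login: FAILED LOGIN for bob on tty2
Mar 20 12:02:40 host login: LOGIN for bob on tty2
"""

# Analyzer rule equivalent to the slide's swatch pattern
# /telnet/&!/localhost/&!/*.site.com/: a telnet line is reportable unless
# it mentions localhost or a host under site.com.
def telnet_rule(line):
    return ("telnet" in line
            and "localhost" not in line
            and not re.search(r"\S+\.site\.com\b", line))

FAILED_RE = re.compile(r"FAILED LOGIN for (\S+)")
OK_RE = re.compile(r"\bLOGIN for (\S+)")

def analyze(log_text, threshold=3):
    """Analyzer plus notifier: returns notifier actions as
    (action, detail) tuples in the order they would be triggered."""
    actions = []
    failures = defaultdict(int)      # consecutive failed logins per user
    disabled = set()
    for line in log_text.splitlines():
        if telnet_rule(line):
            actions.append(("mail staff", line))
        m = FAILED_RE.search(line)
        if m:
            user = m.group(1)
            failures[user] += 1
            if failures[user] >= threshold and user not in disabled:
                disabled.add(user)            # three in a row: lock out
                actions.append(("disable account", user))
                actions.append(("notify sysadmin", user))
            continue                          # FAILED lines never count as success
        m = OK_RE.search(line)
        if m:
            failures[m.group(1)] = 0          # a success resets the streak
    return actions
```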

  16. Designing an Audit System
    • Essential component of security mechanisms
    • Goals determine what is logged
    • Idea: auditors want to detect violations of policy, which provides a set of constraints that the set of possible actions must satisfy
    • So, audit functions that may violate the constraints
    • Constraint p_i: action ⇒ condition

  17. Example: Bell-LaPadula
    Simple security condition and *-property
    • S reads O ⇒ L(S) ≥ L(O)
    • S writes O ⇒ L(S) ≤ L(O)
    • To check for violations, on each read and write, must log L(S), L(O), action (read, write), and result (success, failure)
    • Note: need not record S, O!
      • In practice, done to identify the object of the (attempted) violation and the user attempting the violation

  18. Remove Tranquility
    • New commands to manipulate security level must also record information
    • S reclassify O to L(O′) ⇒ L(O) ≤ L(S) and L(O′) ≤ L(S)
    • Log L(O), L(O′), L(S), action (reclassify), and result (success, failure)
    • Again, need not record O or S to detect violation
      • But needed to follow up …
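The Bell-LaPadula audit records of slides 17 and 18 and the analyzer that checks them, as an added example that is not code from the slides or the book. It assumes integer security levels (the slides leave the lattice abstract); each record carries only what the slides say must be logged, with subject and object names optional for follow-up.

```python
from dataclasses import dataclass
from typing import Optional

# One audit record per access: levels, action and result, as slides 17-18
# require. Subject/object names are optional and only for follow-up.
# Integer levels are an assumption; higher means more sensitive.
@dataclass
class AuditRecord:
    action: str                    # "read", "write" or "reclassify"
    l_s: int                       # L(S)
    l_o: int                       # L(O)
    result: str                    # "success" or "failure"
    l_o_new: Optional[int] = None  # L(O') for reclassify
    subject: str = ""
    obj: str = ""

def condition_holds(rec):
    """The 'condition' side of the constraint 'action => condition'."""
    if rec.action == "read":
        return rec.l_s >= rec.l_o                  # simple security condition
    if rec.action == "write":
        return rec.l_s <= rec.l_o                  # *-property
    if rec.action == "reclassify":
        return rec.l_o <= rec.l_s and rec.l_o_new <= rec.l_s
    raise ValueError(f"unknown action {rec.action!r}")

def violations(records):
    """A policy violation is a successful action whose condition is false.
    Failed attempts with a false condition show the mechanism working."""
    return [r for r in records if r.result == "success" and not condition_holds(r)]

def attempts(records):
    """Blocked attempts, kept so the user and object can be followed up."""
    return [r for r in records if r.result == "failure" and not condition_holds(r)]

# Constructed sample audit trail (not from the slides).
SAMPLE_TRAIL = [
    AuditRecord("read", 2, 1, "success", subject="alice", obj="memo"),   # allowed
    AuditRecord("read", 1, 2, "failure", subject="bob", obj="plan"),     # blocked read-up
    AuditRecord("write", 2, 1, "success", subject="alice", obj="memo"),  # write-down got through
    AuditRecord("reclassify", 1, 1, "success", l_o_new=3,                # L(O') > L(S)
                subject="bob", obj="plan"),
]
```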

  19. Example: Chinese Wall
    • Subject S has COI(S) and CD(S)
      • CD_H(S) is set of company datasets that S has accessed
    • Object O has COI(O) and CD(O)
      • san(O) iff O contains only sanitized information
    • Constraints
      • S reads O ⇒ COI(O) ≠ COI(S) ∨ ∃O′ (CD(O′) ∈ CD_H(S))
      • S writes O ⇒ (S canread O) ∧ ¬∃O′ (COI(O) = COI(O′) ∧ S canread O′ ∧ ¬san(O′))

  20. Recording
    • S reads O ⇒ COI(O) ≠ COI(S) ∨ ∃O′ (CD(O′) ∈ CD_H(S))
      • Record COI(O), COI(S), CD_H(S), CD(O′) if such an O′ exists, action (read), and result (success, failure)
    • S writes O ⇒ (S canread O) ∧ ¬∃O′ (COI(O) = COI(O′) ∧ S canread O′ ∧ ¬san(O′))
      • Record COI(O), COI(S), CD_H(S), plus COI(O′) and CD(O′) if such an O′ exists, action (write), and result (success, failure)

  21. Implementation Issues
    • Show non-security or find violations?
      • Former requires logging initial state as well as changes
    • Defining violations
      • Does “write” include “append” and “create directory”?
    • Multiple names for one object
      • Logging goes by object and not name
      • Representations can affect this (if you read raw disks, you’re reading files; can your auditing system determine which file?)

  22. Syntactic Issues
    • Data that is logged may be ambiguous
      • BSM: two optional text fields followed by two mandatory text fields
      • If three fields, which of the optional fields is omitted?
    • Solution: use grammar to ensure well-defined syntax of log files

  23. Example
    entry : date host prog [ bad ] user [ “from” host ] “to” user “on” tty
    date  : daytime
    host  : string
    prog  : string “:”
    bad   : “FAILED”
    user  : string
    tty   : “/dev/” string
    • Log file entry format defined unambiguously
    • Audit mechanism could scan, interpret entries without confusion
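A parser for the entry grammar above, as an added example that is not code from the slides or the book: the literal "FAILED", "from", "to" and "on" let it decide which optional field is present without the guesswork the BSM slide describes. It assumes that daytime is three tokens like "Mar 20 12:02:59" and that no string field equals a keyword; both are assumptions, not part of the grammar.

```python
import re

class ParseError(ValueError):
    pass

def parse_entry(line):
    """Parse one entry with the slide's grammar:
    entry : date host prog [bad] user ["from" host] "to" user "on" tty
    Assumption: daytime is three tokens like "Mar 20 12:02:59", and no
    string field ever equals one of the keywords FAILED, from, to, on."""
    toks = line.split()
    pos = 0

    def take(expected=None, optional=False):
        # Consume the next token; with expected, only if it matches it.
        nonlocal pos
        if pos < len(toks) and (expected is None or toks[pos] == expected):
            pos += 1
            return toks[pos - 1]
        if optional:
            return None
        raise ParseError(f"expected {expected or 'a string'} at token {pos}: {line!r}")

    date = " ".join(take() for _ in range(3))                 # date : daytime
    if not re.fullmatch(r"[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d", date):
        raise ParseError(f"bad date {date!r}")
    host = take()                                             # host : string
    prog = take()                                             # prog : string ":"
    if not prog.endswith(":"):
        raise ParseError(f"prog must end with ':', got {prog!r}")
    failed = take("FAILED", optional=True) is not None         # [bad]
    user = take()                                             # user : string
    from_host = take() if take("from", optional=True) else None   # ["from" host]
    take("to")
    to_user = take()
    take("on")
    tty = take()                                              # tty : "/dev/" string
    if not tty.startswith("/dev/") or tty == "/dev/":
        raise ParseError(f"bad tty {tty!r}")
    if pos != len(toks):
        raise ParseError(f"trailing tokens {toks[pos:]}")
    return {"date": date, "host": host, "prog": prog[:-1], "failed": failed,
            "user": user, "from_host": from_host, "to_user": to_user, "tty": tty}

def is_well_formed(line):
    try:
        return bool(parse_entry(line))
    except ParseError:
        return False
```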
