Lec 13-Security Auditing

(1)

(2)

•

A computer

security audit

is a manual or

systematic measurable technical assessment

of a system or application. Manual

assessments include interviewing staff,

performing

security

vulnerability scans,

(3)

So a security audit is the process of testing and

ensuring that your company assets are fully

(4)

Why do I need Security Audit?

• _{Put very simply, you need a security audit in order to}

ensure that your security systems are working.

• _{Unauthorized access of privileged logon accounts}

caused by far the greatest financial losses to individual companies of all crimes analyzed

• _{The increasing incidence and complexity of}

legislation designed to counter cyber terrorism and protect personal privacy throughout the world. Think of HIPAA, SOX and the European Data Protection

(5)

Where do I get Security Audit?

•

There's a simple choice: do it yourself, or buy

(6)

How can I evaluate Security Audit?

•

you can never prove that you are secure; you

can only prove (by bitter experience) that you

are not secure

•

Your security audit will tell you how effective

your security is

•

Relate audit reports to every aspect of your

security policy

(7)

Problems

•

What do you log?

– _{Hint: looking for violations of a policy, so record}_at

least what will show such violations

•

What do you audit?

– _{Need not audit everything}

(8)

November 1, 2004 Introduction to Computer Security

Audit System Structure(Anatomy)

•

Logger

– _{Records information, usually controlled by}

parameters

•

Analyzer

– _{Analyzes logged information looking for}

something

•

Notifier

(9)

Logger

•

Type, quantity of information recorded

controlled by system or program configuration

parameters

•

May be human readable or not

– _{If not, usually viewing tools supplied}

•

E.g Logs failed access attempts, use of

(10)

Example: Windows NT

• Different logs for different types of events

– System event logs record system crashes, component failures, and other system events

– Application event logs record events that applications request be recorded

– Security event log records security-critical events such as logging in and out, system file accesses, and other events

• _{Logs are binary; use}_{event viewer}_{to see them}

• _{If log full, can have system shut down, logging disabled, or}

(11)

Analyzer

• _{Analyzes one or more logs}

– _{Logs may come from multiple systems, or a single}

system

– _{May lead to changes in logging} – _{May lead to a report of an event}

(12)

Notifier

•

Informs analyst, other entities of results of

analysis

•

May reconfigure logging and/or analysis on

(13)

Designing an Auditing System

• _{Keep Everyone in the Loop} • _{Ensure mobility}

(14)

Designing an Audit System

• _{Essential component of security mechanisms} • _{Goals determine what is logged}

– _{Idea: auditors want to detect violations of policy,}

which provides a set of constraints that the set of possible actions must satisfy

– _{So, audit functions that may violate the}

constraints

(15)

Example: Bell-LaPadula

• _{Simple security condition and *-property} – _S_reads_O  L(S) ≥ L(O)

– _S_writes_O  L(S) ≤ L(O)

– _{To check for violations, on each read and write,}

must log L(S), L(O), action (read, write), and result (success, failure)

(16)

Design

• A posteriori design

– Need to design auditing mechanism for system not built with security in mind

• _{Goal of auditing}

– Detect any violation of a stated policy

• Focus is on policy and actions designed to violate policy; specific actions may not be known

– Detect actions known to be part of an attempt to breach security

(17)

Detect Violations of Known Policy

•

Goal: does system enter a disallowed state?

•

Two forms

– _{State-based auditing}

• _{Look at current state of system} – _{Transition-based auditing}

• _{Look at actions that transition system from one state to}

(18)

Detect Known Violations of Policy

•

Goal: does a specific action and/or state that is

known to violate security policy occur?

– _{Assume that action}_{automatically}_{violates policy} – _{Policy may be implicit, not explicit}

(19)

Example

• _{Land attack}

– _{Consider 3-way handshake to initiate TCP connection (next}

slide)

– _{What happens if source, destination ports and addresses}

(20)

3-Way Handshake and Land Attack

Source

Destination SYN(s) ACK(s+1)

SYN(t) ACK(t+1)

• _{Must spot initial Land packet with}

source, destination addresses the same

• _{Logging requirement:}

– _{source port number, IP address}

– _{destination port number, IP address}

• _{Auditing requirement:}

– _{If source port number = destination}

(21)

Auditing Mechanisms

•

Systems use different mechanisms

– _{Most common is to log}_all_{events by default, allow}

system administrator to disable logging that is unnecessary

•

Two examples

(22)

Secure Systems

• _{Auditing mechanisms integrated into system design}

and implementation

• _{Security officer can configure reporting and logging:} – _{To report specific events}

– _{To monitor accesses by a subject} – _{To monitor accesses to an object} • _{Controlled at audit subsystem}

(23)

Non-Secure Systems

•

Have some limited logging capabilities

– _{Log accounting data, or data for non-security}

purposes

– _{Possibly limited security data like failed logins}

•

Auditing subsystems focusing on security

usually added after system completed

– _{May not be able to log all events, especially if}

(24)

Audit Browsing

• _{Goal of browser: present log information in a form}

easy to understand and use

• _{Several reasons to do this:}

– _{Audit mechanisms may miss problems that auditors will}

spot

– _{Mechanisms may be unsophisticated or make invalid}

assumptions about log format or meaning

– _{Logs usually not integrated; often different formats, syntax,}

(25)

Browsing Techniques

• _{Text display}

– _{Does not indicate relationships between events} • _{Hypertext display}

– _{Indicates local relationships between events} – _{Does not indicate global relationships clearly} • _{Relational database browsing}

– _{DBMS performs correlations, so auditor need not know in}

advance what associations are of interest

(26)

Example Use

• _{Auditor notices unexpected gap in time information}

area

– _{No log entries during that time!?!?}

• _{Auditor focuses on log entries before, after gap}

– _{Wants to know why logging turned off, then turned back}

on

• _{Color of words in entries helps auditor find similar}