Chapter 14

Auditing and Monitoring

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

  • Access Control
    • Control access by applying the following concepts/methodology/techniques
      • Policies; types of controls (preventative, detective, corrective, etc.); techniques (e.g., nondiscretionary, discretionary and mandatory); identification and authentication; decentralized/distributed access control techniques; authorization mechanisms; logging and monitoring
    • Assess effectiveness of access controls

The Operations Security domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with the activities and efforts directed at maintaining operational security and includes the primary concerns of auditing and monitoring. Auditing and monitoring prompt IT departments to make efforts at detecting intrusions and unauthorized activities, with an emphasis on examining and recording such events. Vigilant administrators must sort through a selection of countermeasures, pore over system-generated log files, and perform penetration testing that helps to identify, detect, limit, restrict, and prevent inappropriate activities, crimes or criminal events, and various other forms of threat.

We discussed the Operations Security domain in some detail in Chapter 13, “Administrative Management,” and we will be finishing up coverage on this domain in this chapter. Be sure to read and study the materials from both chapters to ensure complete coverage of the essential operations security material for the CISSP certification exam. Some of the material introduced in this chapter also relates to the Access Control domain of the CBK, more about which you can also learn in Chapter 1 of this book, particularly in regard to security policy and access control techniques.

Auditing

Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing is the primary type of detective control used in a secure environment.

Auditing Basics

Auditing encompasses a wide variety of different activities, including the recording of event/occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, and log file analysis. These activities are better known as logging, monitoring, examining alerts, event analysis, and even intrusion detection.

Logging is the activity of recording information about events or occurrences to a log file or database. Monitoring is the activity of manually or programmatically reviewing information logs looking for something specific. Alarm triggers are notifications sent to administrators when specific events occur. Log analysis is a more detailed and systematic form of monitoring in which the logged information is analyzed in detail for trends and patterns as well as abnormal, unauthorized, illegal, and policy-violating activities. Intrusion detection is a specific form of monitoring both recorded information and real-time events to detect unwanted system access.

Accountability

Auditing and monitoring are required to sustain and enforce accountability. Monitoring is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. Without an electronic account of a subject’s actions, it is not possible to correlate IT activities, events, and occurrences with subjects. Monitoring is also the process by which unauthorized or abnormal activities may be detected on a system. Monitoring is needed to detect malicious actions by subjects, attempted or successful intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and create problem reports and analyses.

Auditing and logging are usually native features in an operating system and for most applications and services. Thus, configuring a system to record information about specific types of events is fairly straightforward.

Auditing is also used to monitor the health and performance of a system through recording the activities of subjects and objects as well as core system functions that maintain the operating environment and its security mechanisms. The audit trails created when writing system events to logs can be used to evaluate the health and performance of a system. System crashes can indicate faulty programs, corrupt drivers, or intrusion attempts and many readily identifiable patterns, events, or actions that originate from malicious parties. The event logs leading up to a crash can often be used to discover the reason a system failed. Log files provide an audit trail to re-create the history of an event, intrusion, or system failure step-by-step, moment by moment.

In most cases, when sufficient logging and auditing is enabled to monitor a system, so much data is collected that important details get lost in the noise. The art of data reduction is crucial when working with large volumes of monitoring data. There are numerous tools to search through log files for specific events or ID codes. However, for true automation and even real-time analysis of events, an intrusion detection system (IDS) is required. IDS solutions are discussed in Chapter 2, “Attacks and Monitoring.”

Compliance

Auditing is also commonly used for compliance testing, also called compliance checking. Verification that a system complies with laws, regulations, baselines, guidelines, standards, and policies is an important part of maintaining security in any environment. Compliance testing ensures that all necessary and required elements of a security solution are properly deployed and functioning as expected. Compliance checks can take many forms, such as vulnerability scans and penetration testing. They can also use log analysis tools to determine whether any vulnerabilities for which countermeasures have been deployed have been attempted or exploited on the system.

Proper auditing seeks to measure the effectiveness of deployed security solutions. Audits can be performed from one of two perspectives: internal or external. Organizational employees from inside the IT environment, who are (and should be) aware of the implemented security solutions, perform internal audits. Independent auditors from outside the IT environment, who are not familiar with the implemented security solutions, perform external audits. Insurance agencies, accounting firms, or even the organization itself can—and often do—hire external auditors to test the validity of security claims.

Audit Time Frames

The frequency of an IT infrastructure security audit or security review derives from an assessment of risk, a process formally called risk analysis. When performing risk analysis, one determines whether sufficient risk exists to warrant the expense of any possible interruption to business functionality that may be caused by a security audit on a regular or irregular basis. In any case, the frequency of audit reviews should be clearly defined in the security guidelines or standards for an organization. Once defined in the formal security infrastructure, it should be strongly applied and strictly followed. Without regular assessments of the state of security of an IT infrastructure, there is no way to know how secure the environment is until an attack either succeeds or fails. Waiting until the battle to determine whether you will win or lose is a poor business strategy.

As with many other aspects of deploying and maintaining security, security audits and effectiveness reviews are often viewed as key elements in displaying due care. If senior management fails to enforce compliance with regular periodic security reviews, then they will be held accountable and liable for any asset losses that occur because of security breaches or policy violations.

Audit Trails

Audit trails are records created when writing information about events and occurrences into a database or log file. They are used to reconstruct an event, to extract information about an incident, to prove or disprove culpability, and much more. Audit trails allow events to be examined or traced in forward or reverse order. This flexibility helps when tracking down problems, coding errors, performance issues, attacks, intrusions, security breaches, and other policy violations.

Using audit trails is a passive form of detective security control. They serve as a deterrent in the same manner closed-circuit television (CCTV) or security guards do: If attackers know they are being watched and their activities recorded, they are less likely to commit illegal, unauthorized, or malicious activity—at least in theory (in reality, some criminals are too careless or clueless for this to apply in all cases). Audit trails are also essential as evidence in the prosecution of criminals. They can often be used to produce a before-and-after picture of the state of resources, systems, and assets. This in turn helps to determine whether a change or alteration is the result of an action by a user or an action by the OS or software or caused by some other sources (such as hardware failure).

Accountability is maintained for individual subjects through the use of audit trails. When activities and events are recorded while users are online, they can be held accountable for their individual or cooperative actions. This directly promotes good user behavior and compliance within the organization’s security policy. Users who are aware that their IT activities are being recorded are less likely to try to circumvent security controls or to perform unauthorized or restricted activities.

Audit trails give system administrators the ability to reconstruct events long after they have occurred. When a security violation is detected, the conditions and system state leading up to the event, during the event, and after the event can be reconstructed through a close examination of the audit trail. This process is largely facilitated and validated through the use of accurate time stamps, which must remain consistent throughout the network environment to correctly and positively identify the correct sequence of events after an intrusion. As such, they must also be kept safe and secure from modification at the hands of a malicious end user or intrusive attacker, who may otherwise modify (and therefore nullify) the contents of these files to remove any traces of intrusion and error.

Configuration and audit control can be validated and managed through passive triggering tools such as Tripwire, a file integrity tool designed to observe and report unusual or unauthorized changes to critical system files. Tripwire calculates and stores signatures for file permissions, ownership, and contents.
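The following is an added illustration of the idea behind a file integrity tool like Tripwire; it is example code written for this chapter, not Tripwire's own code. It records permission bits, ownership, size, and a SHA-256 digest of each watched file as a baseline, then reports anything that changed, went missing, or appeared. The file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import os
import stat
import tempfile


def file_signature(path):
    """Record the attributes the text says Tripwire stores for a file:
    permissions, ownership, and contents (the contents as a SHA-256 digest)."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only, not file type
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": digest.hexdigest(),
    }


def build_baseline(paths):
    """The trusted snapshot; in practice it would be stored read-only or off-host."""
    return {p: file_signature(p) for p in sorted(paths)}


def compare(baseline, paths):
    """Return (path, kind, attribute) findings: 'changed', 'missing', or 'added'."""
    findings = []
    current = {p: file_signature(p) for p in paths if os.path.exists(p)}
    for path, old in baseline.items():
        if path not in current:
            findings.append((path, "missing", None))
            continue
        new = current[path]
        for attr in old:
            if old[attr] != new[attr]:
                findings.append((path, "changed", attr))
    for path in current:
        if path not in baseline:
            findings.append((path, "added", None))
    return findings


def demo():
    """Constructed scenario: baseline two files, then simulate tampering.
    Returns a set of (file name, kind, attribute) findings."""
    workdir = tempfile.mkdtemp()
    passwd = os.path.join(workdir, "passwd")
    hosts = os.path.join(workdir, "hosts")
    extra = os.path.join(workdir, "unexpected.bin")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    os.chmod(passwd, 0o644)
    os.chmod(hosts, 0o644)
    baseline = build_baseline([passwd, hosts])

    # Simulated unauthorized changes: an account appended to passwd, its
    # permissions loosened, hosts deleted, and a new file dropped in.
    with open(passwd, "a") as f:
        f.write("eve:x:0:0:eve:/home/eve:/bin/sh\n")
    os.chmod(passwd, 0o666)
    os.remove(hosts)
    with open(extra, "wb") as f:
        f.write(b"\x00\x01\x02")

    findings = compare(baseline, [passwd, hosts, extra])
    return {(os.path.basename(p), kind, attr) for p, kind, attr in findings}


if __name__ == "__main__":
    for name, kind, attr in sorted(demo(), key=str):
        print(f"{kind:8} {name} {attr or ''}")
```

A real deployment would also protect the baseline itself, since an attacker who can rewrite the stored signatures can hide the changes the tool is meant to reveal.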

Audit trails offer details about recorded events. A wide range of information can be recorded in log files, including time, date, system, user, process, and type of error/event. Log files can even capture the memory state or the contents of memory for the applications and services designed to report failure conditions to these global log file repositories. This information can help pinpoint the cause of the event, whether good or bad and intentional or otherwise. Using log files for this purpose is often labeled as problem identification. Once a problem is identified, performing problem resolution involves little more than following up on the disclosed information. Audit trails record system failures, OS bugs, and software errors as well as abuses of access, violations of privileges, attempted intrusions, and many forms of attack. Intrusion detection is a specialized form of problem identification through the use of audit trails.


If auditing records or logs are transmitted across a network from a sentry agent to a collector warehouse, that transmission should be encrypted. Log and audit information should never be allowed on the network in clear text.

Once a security policy violation or a breach occurs, the source of that violation should be determined. If it is possible to track the individuals who perpetrated the activity, they should be reprimanded or terminated (if employees) or prosecuted (if external intruders). In any case where a critical security policy violation or personal information breach has occurred (especially if any loss can be pinpointed), you should seriously consider reporting the incident to your local authorities (in the United States, this may mean notifying the FBI; in Europe, Interpol). If a violation occurs online, particularly where sensitive customer information is involved, report the incident to one or more Internet incident-tracking organizations.

Most countries (and many smaller jurisdictions, including states and cities) have enacted significant regulatory compliance laws to govern security breaches, particularly as they apply to sensitive data retained within information systems. Laws differ from locale to locale, but all seek to protect the privacy of individual records and information, to protect consumer identities, and to establish standards for financial practice and corporate governance. Be sure to consult local authorities for more information on compliance standards and requirements in your area.


Time-synchronize all systems against a centralized or trusted public time server. This keeps all audit logs in sync so you can perform dependable and secure logging activities.

Reporting Concepts

The actual formats used by an organization to produce reports from audit trails will vary greatly. However, those reports should all address a few basic or central concepts: the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. In addition to these basic concepts, audit reports often include many details specific to the environment, such as time, date, specific systems, and so on. Audit reports can include a wide range of content that focuses on problems, events, and conditions; standards, criteria, and baselines; causes, reasons, impact, and effect; or solutions, recommendations, and safeguards.

Reporting Format

Audit reports should have a structure or design that is clear, concise, and objective. It is common for an auditor to include opinions or recommendations for response to the content of a report, but its actual findings should be based on fact and evidence from audit trails. Audit reports include sensitive information and should be assigned a classification label and handled appropriately.

Within the hierarchy of the organization, only those people with sufficient privilege, such as the privileged entities you learned about in Chapter 13, should have access to audit reports. An audit report may also be prepared in various forms according to the hierarchy of the organization. They should provide only the details relevant to the position of the staff members who have access to them.

For example, senior management does not need to know all the minute details of an audit report. Therefore, the audit report for senior management is much more concise and offers more of an overview or summary of findings. An audit report for an IT manager or a security administrator should be very detailed and include all available information on the events it covers.

Reporting Time Frames

The frequency of producing audit reports is based on the value of the assets covered and the level of risk involved. The more valuable the assets and the higher the risks, the more often you’ll want to produce an audit report. Once an audit report is completed, it should be submitted to its assigned recipients (as defined in security policy documentation) and a signed confirmation of receipt should be filed. When an audit report contains information about serious security violations or performance issues, that report should be escalated to higher levels of management for review, notification, and assignment of a response.

Keep in mind that, in a formal security infrastructure, only higher levels of management have any decision-making power. All entities at the lower end of the structure must follow prescribed procedures and follow instructions to the letter.

Sampling

Sampling, or data extraction, is the process of extracting elements from a large collection of data to construct a meaningful representation or summary of the whole. In other words, sampling is a form of data reduction that allows an auditor to quickly elicit important issues or events from an audit trail. There are two forms of sampling: statistical and nonstatistical. An auditing tool using precise mathematical functions to extract meaningful information from a large volume of data performs statistical sampling. There is always a risk that sampled data is not an accurate representation of the whole body of data or that it may mislead auditors and managers, and statistical sampling can be used to measure that risk.

Clipping is a form of nonstatistical sampling: It selects only error events that exceed a clipping-level threshold, a specified cutoff point for the accumulation of such events. Clipping levels are widely used in the process of auditing events to establish a baseline of system or user activity that is considered routine activity. If this baseline is exceeded, an alarm is triggered to signal abnormal events. This works especially well when individuals exceed their authority, when there are too many people with unrestricted access, and for serious intrusion patterns.

Clipping levels are often associated with a form of mainframe auditing known as violation analysis. In violation analysis, an older form of auditing, the environment is monitored for error occurrences. The baseline for errors is expected and known, and this level of common errors defines the clipping level. Any errors that exceed the clipping level threshold trigger a violation and details about such events are recorded into a violation record for later analysis.
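As an added example (not from the book), the clipping-level approach described above applied to failed logon events: a handful of failures per user is treated as the expected baseline, and only a burst that exceeds the clipping level within a time window produces a violation record. The log lines, host names, user names, and addresses are constructed sample data, and the three-failures-per-ten-minutes level is an assumed value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not real log data).
SAMPLE_LOG = """\
2024-03-01T08:00:05 host1 sshd[410]: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 host1 sshd[410]: Accepted password for alice from 10.0.0.5
2024-03-01T08:02:11 host1 sshd[412]: Failed password for bob from 10.0.0.9
2024-03-01T08:02:14 host1 sshd[412]: Failed password for bob from 10.0.0.9
2024-03-01T08:02:18 host1 sshd[412]: Failed password for bob from 10.0.0.9
2024-03-01T08:02:21 host1 sshd[412]: Failed password for bob from 10.0.0.9
2024-03-01T08:02:25 host1 sshd[412]: Failed password for bob from 10.0.0.9
2024-03-01T09:15:00 host1 sshd[430]: Failed password for carol from 10.0.0.7
2024-03-01T09:40:00 host1 sshd[431]: Failed password for carol from 10.0.0.7
2024-03-01T09:59:00 host1 sshd[432]: Failed password for carol from 10.0.0.7
2024-03-01T10:05:00 host1 sshd[433]: Failed password for carol from 10.0.0.7
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(text):
    """Keep only the error events; successful logons are not counted."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def violations(events, clipping_level, window):
    """For each user, find the busiest sliding window of failures. If that
    count exceeds the clipping level, emit one violation record."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(events):
        by_user[user].append((ts, src))
    records = []
    for user, items in by_user.items():
        best = (0, 0, 0)  # (count, start index, end index)
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count > clipping_level:
            records.append({
                "user": user,
                "count": count,
                "first": items[s][0].isoformat(),
                "last": items[e][0].isoformat(),
                "sources": sorted({src for _, src in items[s:e + 1]}),
            })
    return records


def analyze(clipping_level=3, window_minutes=10):
    """Assumed baseline: up to 3 failures per user in 10 minutes is routine."""
    return violations(parse_failures(SAMPLE_LOG), clipping_level,
                      timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for rec in analyze():
        print(rec)
```

With the assumed level, bob's five failures in fourteen seconds are recorded as a violation, while carol's four failures spread over fifty minutes never exceed the baseline inside any ten-minute window.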

In general, nonstatistical sampling can be described as random sampling or sampling at the auditor’s discretion. It offers neither assurance of an accurate representation of the whole body of data nor a gauge of the sampling risk. Nonstatistical sampling is less expensive, requires less training, and does not require computer facilities. By focusing only on error events above a threshold, for example, clipping enables direct focus on signs of potential anomaly or trouble.

Both statistical and nonstatistical sampling are accepted as valid mechanisms to create summaries or overviews of large bodies of audit data. However, statistical sampling is more reliable (and mathematically defensible).

Record Retention

As the term implies, record retention involves retaining and maintaining important information. An organization should have a policy that defines what information is maintained and for how long. As it applies to the security infrastructure, in most cases, the records in question are audit trails of user activity, which may include file and resource access, logon patterns, email, and the use of privileges.

Retention Time Frames

Depending upon your industry and your relationship with the government, you may need to retain records for three or seven years, or perhaps indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability information. This permits the main data backup system to periodically reuse its media without violating any requirement to retain audit trails and the like.

If data about individuals is being retained by your organization, employees and customers must be informed about that data (such as in a conditional employment agreement or a use agreement). In many cases, the notification requirement is a legal issue, whereas in others it is simply a courtesy. In either case, it is a good idea to discuss this issue with a lawyer.

Media, Destruction, and Security

The media used to store or retain audit trails must be properly maintained. This includes taking secure measures for marking, handling, storing, and destroying media. For details on handling sensitive media, please see the section “Sensitive Information and Media” in Chapter 13, “Administrative Management.”

Retained records should be protected against unauthorized and untimely destruction, against alteration, and against hindrances to availability. Many of the same security controls used to protect online resources and assets can be imposed to protect audit logs, audit trails, audit reports, and backup media containing audit information.

Access to audit information should be strictly controlled. Audit information can be used in inference attacks to discover information about higher classifications of data; thus, the audit logs containing records about highly confidential assets should be handled in the same secure manner as the actual assets. In other words, when an audit log is created, you are creating another asset entity with the same security needs as the original audited asset.

As the value of assets and the audit data goes up and risk increases, so does the need for an increase in security and the frequency of backups for the audit information. Audit data should be treated with the same security precautions as all other high-classification data within an IT environment. It should be protected by physical and logical security controls, it should itself be audited, it should be regularly backed up, and the backup media should be stored off site in a controlled facility. The backup media hosting such audit data should be able to protect against loss, destruction, alteration, and unauthorized physical and logical access. The integrity of audit data must be maintained and protected at all times because without it, any and all audit data may be legally impugned and will become useless from a legal and logical standpoint.

External Auditors

It is often necessary to test or verify the security mechanisms deployed in an environment. The test process is designed to ensure that the requirements dictated by the security policy are followed and that no significant holes or weaknesses exist in deployed security solutions. Many organizations conduct independent audits by hiring outside or external security auditors to check the security of their environments. External audits provide a level of objectivity that an internal audit cannot provide and bring a fresh, outside perspective to your internal policies, practices, and procedures.

An external auditor is given access to the company’s security policy and the authorization to inspect every aspect of the IT and physical environment. Thus, the auditor must be a trusted entity. The goal of the audit activity is to obtain a final report that details any findings and suggests countermeasures when appropriate. However, an audit of this type can take a considerable amount of time to complete—weeks or months, in fact. During the course of the audit, the auditor may issue interim reports. An interim report is a written or verbal report given to the organization about any observed security weaknesses or policy/procedure mismatches that demand immediate attention. Interim reports are issued whenever a problem or issue is too important to wait until a final audit report is issued.

Once the auditors complete their investigations, an exit conference is held. During that conference, the auditors present and discuss their findings and discuss resolution issues with the affected parties. However, only after the exit conference is over and the auditors have left the premises do they write and submit their final audit report to the organization. This allows the final audit report to remain unaffected by office politics and coercion. After the final audit report is received, internal auditors should determine whether the recommendations in the report should be acted upon. However, it is the responsibility of senior management to select which recommendations to follow and to delegate their implementation to the security team.

Monitoring

Monitoring is a form of auditing that focuses on the active review of audited information or an audited asset. For example, you would audit the activity of failed logons, but you would monitor CPU performance. Monitoring is most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment.

A common implementation of monitoring is known as illegal software monitoring. This type of monitoring is used to watch for attempted or successful installation of unapproved software, use of unauthorized software, or unauthorized use of approved software (in other words, attempts to bypass the restrictions of the security classification hierarchy). Monitoring in this fashion reduces the likelihood of a virus or Trojan horse being installed or of software circumventing whatever security controls may be in place.

Monitoring Tools and Techniques

The actual tools and techniques used to perform monitoring vary greatly between environments and system platforms. However, several common elements appear in most environments. These include warning banners, keystroke monitoring, traffic analysis, and trend analysis as well as other monitoring tools.

Warning Banners

Warning banners serve to inform would-be intruders or those who attempt to violate security policy that their intended activities are restricted and that any further activities will be audited and monitored. A warning banner is basically an electronic equivalent of a “no trespassing” sign. In most situations, wording in banners is important from a legal standpoint because these banners can legally bind users to some permissible set of actions, behaviors, and processes. Be sure to consult with your attorneys about proper wording for your banners.

Only through valid, legally enforceable warnings (in other words, clear explanations that unauthorized access is prohibited and that any such activity will be monitored and recorded) can most intrusions and attacks be prosecuted. Both authorized and unauthorized users should be informed when their activities are being logged. Most authorized users should assume as much, and often their employment agreements include specific statements indicating that all activity on the IT infrastructure may be recorded.

Keystroke Monitoring

Keystroke monitoring is the act of recording the key presses a user performs on a physical keyboard. The act of recording can be visual (such as with a video recorder) or logical/technical (such as with a capturing hardware device or a software program). In most cases, keystroke monitoring is used for malicious purposes. Only in extreme circumstances and highly restricted environments is keystroke monitoring actually employed as a means to audit and analyze the activity of users at the keyboard. Keystroke monitoring can be extremely useful to track the keystroke-by-keystroke activities of physical intruders in order to learn about the kinds of attacks and methods used to infiltrate a system.


Companies can and do utilize keystroke monitoring for a few good reasons, but they generally (and legally) must inform employees through acceptable use policies (AUP) and logon banners.

Keystroke monitoring is often compared to wiretapping. There is some debate about whether keystroke monitoring should be restricted and controlled in the same manner as telephone wiretaps. Because there is no legal precedent as yet, many organizations that employ keystroke monitoring notify authorized and unauthorized users of such monitoring through employment agreements, security policies, and warning banners at sign-on or login areas. The software or hardware devices used to perform keystroke monitoring can be described as “keystroke loggers,” and the popular name for such programs or devices is keylogger.

Traffic Analysis and Trend Analysis

Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than actual packet contents. Traffic and trend analysis can be used to infer a lot of information, such as primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.

These techniques can also sometimes reveal questionable traffic patterns such as when an employee mass-emails a resume to dozens of employers on any given day or when an unscrupulous insider forwards internal information to unauthorized parties via an email attachment. Such events also leave behind distinct signatures that can often be detected through traffic or trend analysis.

Other Monitoring Tools

Many tools are available to perform monitoring. Some are automated and perform their monitoring activities in real time. Some monitoring tools may be developed in-house as ad hoc tools that focus on a single type of observation. Most monitoring tools are passive in nature, which means they cause no effect on the monitored activity, event, or traffic and make no original transmissions of their own.

A common example of a tool for monitoring physical access is the use of CCTV. CCTV can be configured to automatically record the viewed events onto tape for later review, and personnel who watch for unwanted, unauthorized, or illegal activities in real time can watch it live. This system can work alone or in conjunction with security guards, who themselves can be monitored by the CCTV and held accountable for any negative actions taken under observation.

Failure recognition and response is an important part of monitoring and auditing. Otherwise, what is the point of performing monitoring and auditing activities? On systems that use manual review, failure recognition is the responsibility of the observer or auditor. To recognize a failure, you must understand what is normal and expected. When monitored or audited events stray from a standard baseline, then a failure, breach, intrusion, error, or problem has occurred, and a response must be initiated.

Automated monitoring and auditing systems are usually programmed to recognize failures. Failure recognition can be signature based or knowledge based, driven by a recognizable pattern or sequence or by learning new, presumably abnormal behaviors in light of some baseline of known-good activities. For a discussion of these mechanisms, see the intrusion detection discussion in Chapter 2.

Whether recognition is manual or automated, the first step in a response is to notify the authority responsible for sustaining security and handling the problem or breach. Often this is a local administrator, a local manager, or a local security professional. The notification usually takes the form of an alarm or warning message. Once notification is made, the responsible personnel (in other words, the administrator, manager, or security professional) or the automated tool can initiate a response. Responsible persons can adapt a standard or predetermined response to specific conditions and the situation on the ground. For this reason, personnel-controlled responses are often the most effective.

Automated tool responses are typically predefined response scripts that are usually much broader in scope than is strictly necessary. Automated tools are excellent for quick and efficient lockdown, but often the countermeasure or response imposed by a tool will significantly affect the ability of the system to support and perform productive work. Whenever an automated tool response is initiated, personnel should be notified so the response can be fine-tuned and the network can be returned to normal as soon as possible.

Penetration-Testing Techniques

In security terms, a penetration occurs when an attack is successful and an intruder is able to breach the perimeter of your environment. A breach can be as small as reading a few bits of data from your network or as big as logging in as a user with unrestricted privileges. One primary goal for security is to prevent penetrations.

A common method to ascertain the strength of your security measures is to perform penetration testing. Penetration testing is a vigorous attempt to break into a protected network using any means necessary or available. It is common for organizations to hire external consultants to perform penetration testing so the testers are not privy to confidential elements of the security solution’s configuration, network design, and other internal secrets. Because the security apparatus is a black box to unauthorized outsiders who seek to penetrate its defenses, or so the thinking goes, it should be likewise for authorized outsiders who seek to probe and test those defenses and to find and document weaknesses.

In this context, it’s important to understand two sets of terms for penetration (and other forms of) testing. A black box is literally a device of unknown composition: its internal circuits, makeup, and processing functions are unknown, but its outputs in response to various kinds of inputs can be observed and analyzed. A white box, on the other hand, is a device whose internal structure or processing is known and understood. This distinction carries over to penetration testing: black-box testing proceeds without making use of any knowledge of how an organization is structured, what kinds of hardware and software it uses, or its security policies, processes, and procedures, whereas white-box testing seeks to exploit everything known about those things to focus and guide testing efforts.

Planning Penetration Testing

Penetration testing is the art and science of evaluating and validating implemented safeguards. It is just another name for launching intrusion attempts and re-creating attacks against a network or entities on that network. The activity in either a real intrusion or a simulated intrusion is the same, but formal penetration testing is performed with prior approval and advance knowledge of senior management by security professionals in a controlled and monitored environment. Malicious users intent on violating the security of your IT environment perform legally punishable intrusion attacks. If an internal user performs an informal test against a security measure without authorization, then it can be viewed as an illegal attack rather than as a penetration test.


Penetration testing typically includes social engineering attacks, network and system configuration review, and environment vulnerability assessment. Vulnerability analysis or vulnerability assessment is an element or phase within penetration testing where networks or hosts are evaluated or tested to determine whether they are vulnerable to known attacks.

Penetration testing can be performed using automated attack tools (mechanically) or manually (by hand). Automated attack tools range from professional vulnerability scanners to wild, underground attack tools discovered on the Internet. Manual attacks often employ tools and penetration suites such as ISS, Nessus, and Core Impact, but much more onus is placed on the attacker to know the details involved in perpetrating an attack.


It is generally considered unethical and a poor business practice to hire ex-attackers, especially those with criminal records, for any security activity including security assessment, penetration testing, or ethical hacking. Although it’s reasonable to argue that few better understand the intrusion process, it also stands to reason that criminal intent establishes a lack of credibility and that breaking into a system does not necessarily imply knowledge of how to secure it.

Penetration testing should be performed only with the consent and knowledge of the management staff. Performing unapproved security testing could result in productivity loss, trigger emergency response teams into action, or even cost you your job. However, even with full consent of senior management, your security assessment activities must stop short of actual damage to target systems. Subversion or target destruction is never a valid or ethical activity during a penetration test. Furthermore, demonstrating the effect of flaws, weaknesses, and vulnerabilities should not be included as part of any penetration test. If such evidence is required, it should be performed only on a dedicated and isolated lab system created for the sole purpose of exploit demonstration.

Regularly staged penetration attempts are a good way to gauge the security configurations, mechanisms, and processes deployed by an organization, with reasonably accurate results. Penetration testing may also reveal areas where patches or security settings are insufficient and where new vulnerabilities have developed or become exposed.

Penetration Testing Teams

Penetration testing teams may have varying levels of knowledge about the environment to be evaluated. Three commonly recognized knowledge levels are zero, partial, and full. Here are brief descriptions:

Zero-knowledge team This group knows nothing about the site except for basic information, such as domain name and company address. An attack by a zero-knowledge team closely resembles a real external attack because all information about the environment must be obtained from scratch. To return to terminology introduced earlier in this chapter, a zero-knowledge team conducts black-box penetration testing.

Partial-knowledge team This team is given an inventory of hardware and software used at the site and possibly network design and configuration details. The team is then able to focus its efforts on attacks and vulnerabilities specific to actual hardware and software in use at the site.

Full-knowledge team These people are completely aware of every aspect of the environment, down to the patches and upgrades installed and the exact security configurations. To return to terminology introduced earlier in this chapter, a full-knowledge team conducts white-box penetration testing, which explains why partial-knowledge teams are sometimes said to conduct gray-box testing: they operate between the extremes of black (zero knowledge) and white (full knowledge).

The regular security administration staff can be considered a full-knowledge team. Unfortunately, a full-knowledge team is the least preferred type of penetration testing cadre because its members are often biased and likely have blind spots or gaps in their understanding, estimation, or capabilities with certain security subjects. A full-knowledge team knows what has been secured, so it may fail to properly test every possibility by relying on false assumptions, a frequent and inexcusable occurrence in the security realm.

The Bane of False Assumptions

False assumptions are a hobgoblin to any inexperienced technology professional. Such things can be a source of ceaseless torment for those who are unfortunate enough to make them, particularly in the context of information security.

Francesca implements security patches, bug fixes, and product updates whenever Garrick releases them. She’s very efficient and timely about this task because her entire job is at stake along with the integrity of the company. Garrick is usually pretty responsive to security-related problems and issues his probable fixes and likely workarounds as quickly as his fingers can carry him.

What kinds of errors might a focus on speed cause for this dynamic duo? To begin with, it’s essential to be as sure as possible that patches, fixes, and updates introduce no new vulnerabilities, or the cure may be worse than the disease. Garrick would be well advised to test his work and to keep in touch with power users and key adopters for potential signs of trouble. Francesca might also want to think about deploying changes in a simulated test environment to look for trouble before inflicting it across an entire operation or enterprise.

Hannah noticed that one of Francesca’s latest installments, a security patch from Garrick, exposes sensitive data on the company servers. When Hannah confronted Francesca, she wasn’t aware of any such issue but was clearly aware of the latest fix. Since Garrick assumed he found the right solution to a security problem, he implemented it right away and so did Francesca, thinking that code guru Garrick never misses a target. See how two people can easily make a false assumption go terribly awry? Without testing and verification, fixes are as suspect as any other new software that appears on your doorstep.

Conventional wisdom proffers several suggestions on how to conduct penetration testing using teams. A well-known resource, for example, recommends that appropriate personnel be well versed in the flaw hypothesis methodology of penetration testing. Following the flaw hypothesis, general-purpose OSs are assessed using an open-box testing technique. Team members are required to document and analyze potential flaws in the system—essentially to hypothesize any flaws that may exist. Using a system of probability, team members prioritize the list of potential flaws based on whether flaws exist, the vulnerability and exploitability of such flaws (if they do indeed exist), and the amount of control or compromise those flaws may inflict on the system. This list of priorities then becomes the basis for the team’s testing initiative.

Ethical Hacking

Ethical hacking is often used as another name for penetration testing. However, it is not the same as penetration testing. Ethical hacking is a security assessment process whereby hacking techniques and tools are employed. When an ethical hacker is engaged as part of your assessment team, it is important to ensure that the person does not have a conflict of interest. This could be a person who also is a provider, reseller, or consultant for security products or add-in or value-add services. An ethical hacker should not exploit discovered vulnerabilities.

Although many argue that ethical hacking is in fact penetration testing, there is a subtle difference in what an ethical hacker will utilize that penetration testers might not, namely, the underground tools that unethical attackers also use.

Writing to, altering, or damaging a target of evaluation is a violation of the concept of ethical hacking and bleeds into the realm of unethical (and often criminal) hacking, which is specifically called cracking. The true ethos of any ethical hacker’s mind-set is never to alter or observe sensitive processes in an unauthorized security context. Here we make the distinction only once for completeness, but the world at large typically perceives hacking and cracking under the same umbrella of criminal intent or mischief.

War Dialing

War dialing means using a modem to search for a system that accepts inbound connection attempts. A war dialer might be a typical computer with a modem attached and war dialer software running, or it can be a stand-alone device. In either case, war dialers systematically dial phone numbers and listen for computer carrier tones, which can be differentiated from human voices and automated voice message systems. When a computer carrier tone is detected, the war dialer adds this number to a report generated at the end of the search process. A war dialer can search any range of numbers, such as all 10,000 numbers within a specific prefix or all 10,000,000 within a specific area code.

War dialing may be used to locate unauthorized modems that are installed on client systems within an otherwise secured network and that have been inadvertently configured to answer inbound calls. An attacker can guess a relatively small range of phone numbers to scan by learning one or more of an organization’s phone numbers.

War dialing as a penetration test method is a useful way to ensure that no unauthorized answering modems are present within an organization. In most cases, you will have a definitive list of the phone numbers controlled by or assigned to your organization. Such a list provides a focused plan of testing for war dialing.

Countermeasures against malicious war dialing include imposing strong remote access security (primarily in the arena of authentication), ensuring that no unauthorized modems are present, and using callback security, protocol restriction, and call logging.

Sniffing and Eavesdropping

Sniffing is a form of network traffic monitoring. Sniffing often involves capture or duplication of network traffic for examination, re-creation, and extraction. It can be used as a penetration test mechanism or as a malicious attack method. Sniffing is often an effective tool for capturing or extracting data from unencrypted network traffic streams. Passwords, usernames, IP addresses, message contents, and much more can be captured using software- or hardware-based sniffers.

Sniffers can capture either only traffic directed to their host system’s IP address or all traffic passing over a local network segment. To capture all traffic on a local network segment, the sniffer’s NIC must be placed into promiscuous mode. Placing a NIC into promiscuous mode grants the operator the ability to obtain a complete statistical understanding of local network activity.

Many commercial, freeware, and attackware sniffers are available. These include Etherpeek, WinDump, Wireshark, sniffit, and Snmpsniff. Each has its own particular set of strengths, weaknesses, and features, but they all essentially perform the same function.

The primary countermeasure for sniffing attacks is to use encrypted traffic, often carried within encapsulating security protocols and payloads. Sniffing can also be thwarted by preventing unwanted software from being installed; by locking down all unused ports, outlawing hubs, and using switches instead (hubs copy all traffic to all other ports; switches only duplicate traffic from specific ports as a tightly controlled configuration option); and by using an IDS or a vulnerability scanner that is able to detect the telltale signs of a sniffer product in use.

Eavesdropping is just another term for sniffing. However, eavesdropping can include more than just capturing and recording network traffic. Eavesdropping also includes recording or listening to audio communications, faxes, radio signals, and so on. In other words, eavesdropping is listening in on, recording, capturing, or otherwise becoming aware of the contents of any form of communication.

Radiation Monitoring

Radiation monitoring is a specific form of sniffing or eavesdropping that involves the detection, capture, and recording of radio frequency signals and other radiated communication methods, including sound and light. Radiation monitoring can be as simple as using a hidden microphone in a room to record voices or as sophisticated as using a camera to record the light reflections in a room to reconstruct the contents of a visual computer display that is otherwise hidden from direct view.

Radiation monitoring also includes tapping of radio frequencies often used by cell phones, wireless network interfaces, two-way radios, radio and television broadcasts, short-wave radios, and CBs. In addition, it includes tapping of a wide range of electrical signal variations that may not directly offer information but can be used in inference attacks. These include changes in electrical usage in an entire computer system, a hard drive, a modem, a network interface, a switch, and a router. Depending on the device, the electromagnetic signals produced by hardware can be captured and used to re-create the data, or at least metadata about the data, and the communication session.

TEMPEST is a standard that defines the study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, and phones. Its primary goal is to prevent electromagnetic interference (EMI) and radio frequency interference (RFI) radiation from leaving a strictly defined area to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing. TEMPEST defines control zones, which generally consist of rooms or facilities that are enclosed with copper or some other kind of shielding (Faraday cages, TEMPEST tents, and so on) to prevent EMI/RFI from either leaving or entering a facility. Such facilities are surrounded by radiation capturing, stopping, hiding, and disrupting equipment. TEMPEST may use a form of white noise to broadcast an unintelligible worthless signal to mask the presence of a real signal. TEMPEST countermeasures are designed to protect against undetectable passive monitoring of EMI and RFI signals.

Dumpster Diving

Dumpster diving is the act of digging through the refuse, remains, or leftovers from an organization or operation in order to discover or infer confidential information. Dumpster diving is primarily associated with digging through actual garbage. Researching an organization for its useful details, or information gathering, includes searching, investigating, and reverse-engineering an organization’s website and commercial products and obtaining publicly accessible literature (such as financial statements, brochures, product information, shareholder reports, and so on). Much of what can be determined about an organization is revealed through its paper waste, which is known to turn up viable private or personally identifiable information.

Scavenging is a form of information gathering performed electronically. Online scavenging is searching for useful information in the remnants of data left over after processes or tasks are completed or remnants of deleted files. This could include audit trails, log files, memory dumps, variable settings, port mappings, and cached data.

Dumpster diving and scavenging (both are forms of information gathering) can be employed ahead of an informal penetration test to discover how much information about your organization is carelessly discarded or left around after closing a facility. The best countermeasure for dumpster diving and scavenging is to dispose of all garbage securely. This usually means shredding all documentation. Other safeguards include maintaining physical access control.

From Trash to Treasure

Garbage is an inadvertent source of information, often played up in movies as a way to obtain private information on a subject or potential target. An investigator may sort through garbage to obtain DNA evidence on a suspect, or a criminal may glean personal details on a targeted victim.

Ian is curious to know what sort of sensitive information is being carelessly discarded by his staff, so he asks Jocelyn to collect all paper waste from the IT department for one week. Ian and Jocelyn discover private letters, internal memos, photo IDs, handwritten passwords, a few doctors’ notes, and even some credit and personal identity information. The results are surprising for Ian and unsettling for Jocelyn.

What strategy might you suggest Ian and Jocelyn implement to prevent this information from reaching undesirable parties? Certainly there must be some policy changes and personnel training, but can you think of any physical countermeasures you might use? The most obvious approach requires educating employees to watch what they’re throwing out and to require them to dispose of anything sensitive in secure receptacles regularly picked up for shredding or incineration.

Social Engineering

A social engineering attack is an attempt by an attacker to convince an employee to perform an unauthorized activity to subvert the security of an organization. Often the goal of social engineering is to gain access to the IT infrastructure or the physical facility.

Social engineering is a skill by which an unknown person gains the trust of someone inside your organization. Adept individuals can convince employees that they are associated with upper management, technical support, the help desk, or anyone of influential status. Once this deception is successful, the victim is often encouraged to make a change to their user account on the system, such as resetting their password. Other attacks include instructing the victim to open specific email attachments, launch an application, or connect to a specific URL. Whatever the actual activity is, the result is usually directed toward opening a back door that the attacker can use to gain access to the network or toward obtaining sensitive information.

Social engineering attacks do not exclusively occur by phone; they can happen in person as well. Malicious individuals often impersonate repair technicians, upper management, or traveling company managers to intimidate or coerce employees into performing activities that violate security. Countermeasures to in-person social engineering attacks include verifying the identity of the intruder/visitor via a secured photograph, contacting their source company, or finding a local manager who recognizes the individual.

Three well-known forms of social engineering attack all share a piscatorial emphasis. Phishing is the process of attempting to obtain sensitive information such as usernames, passwords, credit card details, or other personally identifiable information by masquerading as a trustworthy entity (a bank, a service provider, a merchant, for example) in electronic communication (usually email). Spearphishing is a more targeted form of phishing in which the message requesting information appears to originate from a colleague or co-worker at one’s own company or organization, often someone in a position of authority. Whaling is a form of phishing that targets specific individuals (by title, industry, from media coverage, and so forth) and sends messages tailored to the needs and interests of those individuals. All take advantage of people’s willingness to extend trust to apparently legitimate third parties without applying rules of basic, common-sense information security (the most germane of these principles here are “never open unexpected email attachments” and “never share sensitive information via e-mail”).

Social engineering attacks can be used as or in conjunction with penetration tests. These sorts of tests help determine how vulnerable your frontline employees are to individuals adept at lying and how familiar they are with security policy provisions intended to head such things off. For a more detailed discussion of social engineering attacks, see Chapter 4, “Communications Security and Countermeasures.”

Problem Management

Once auditing, monitoring, and penetration testing have occurred, the next step is problem management. Problem management is exactly what it sounds like: a formal process or structure for resolving problems. For the most part, problem management is a solution developed in-house to address the various types of issues and problems encountered in your environment. Problem management is typically defined as having three goals or purposes:

  • To reduce failures to a manageable level
  • To prevent the occurrence or reoccurrence of a problem
  • To mitigate the negative impact of problems on computing services and resources

Inappropriate Activities

Inappropriate activities are actions that may take place on a computer or over the IT infrastructure and that may not be actual crimes but are often grounds for internal punishment or termination. Inappropriate activities include creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

Inappropriate content can be defined as anything that is not related to or supportive of the work tasks in an organization. It includes but is not limited to pornography, sexually explicit material, entertainment, political data, and violent content. Inappropriate content can be defined by example (by listing types of information deemed inappropriate) or by exclusion (by listing types of information deemed appropriate). It can also be defined to include personal email that is not work related.

Keeping inappropriate content to a minimum requires several steps. First, it must be included as an objective in the security policy. Second, staff must have awareness training in regard to inappropriate content. Third, content filtering tools can be deployed to filter data based on source or word content. It is not possible to programmatically block all inappropriate content, but sufficient penalties can be levied against violations along with regular auditing/monitoring to keep its level to a minimum. Also, by defining a clear policy for acceptable use of systems and networks (usually abbreviated AUP for acceptable use policy), you can train users to avoid inappropriate content in the workplace and to stay away from sources of questionable material.

Sexual and racial harassment is a form of inappropriate content or activity on company equipment. Sexual harassment can take many forms, including distribution of images, videos, audio clips, or text information (such as jokes). Sexual and racial harassment controls include awareness training and content filtering.

Waste of resources can have a direct effect on the profitability of an organization. If storage space, computing power, or networking bandwidth capacity is consumed by inappropriate or non-work-related data, the organization is losing money on non-profit-making activities. Some of the more common examples of resource waste include operating a personal business using company equipment, accessing and distributing inappropriate data (pornography, entertainment, music, videos, and so on), or aimlessly surfing the Internet. Just as with inappropriate material, resource waste can be reduced but not eliminated. Some of the primary means to reduce waste include user awareness training, activity monitoring, and content filtering.

Abuse of rights and privileges is the attempt to perform activities or gain access to resources that are restricted or assigned to a higher classification and access level. When access is gained inappropriately, the confidentiality of data is violated and sensitive information can be disclosed. Countermeasures to abuse include strong implementations of access controls and activity logging.

Indistinct Threats and Countermeasures

Not all problems that an IT infrastructure will face have definitive countermeasures or even correspond to recognizable threats. Numerous vulnerabilities exist for which there is no immediate or distinct threat, and for such threats there are few countermeasures. Many of these vulnerabilities lack direct-effect countermeasures, or the available countermeasures offer little risk reduction when deployed.

Errors and Omissions

One of the most common vulnerabilities, and one of the hardest to protect against, is the occurrence of errors and omissions. Errors and omissions occur because humans interact with, program, control, and provide data for IT. There are no direct countermeasures to prevent all errors and omissions. Some safeguards against errors and omissions are input validators and user training. However, these mechanisms offer only a minimal reduction in the overall errors and omissions encountered in an IT environment.

Fraud and Theft

Fraud and theft are criminal activities that can be perpetrated or enabled by using computers. Most of the access controls deployed in a secured environment will reduce fraud and theft, but not every form of such crimes can be predicted and protected against. Both internal authorized users and external unauthorized intruders can exploit your IT infrastructure to perform various types of fraud and theft. Maintaining an intensive auditing and monitoring program and prosecuting all criminal incidents will help reduce fraud and theft.

Theft is an increasing problem in the IT realm that carries the potential for exponential loss, receives lots of publicized attention, and yet remains largely unchecked in many organizations. The simple act of stealing a notebook PC containing private and personal information for hundreds or even thousands of customers, clients, or patients can geometrically expand into a complex problem of identity theft and possible fraud. It happens with alarming regularity and with costly consequences, both in terms of money and in terms of reputation.

Personally identifiable information is the uniquely recognizable data about any given person (maiden name, Social Security number, and so on) that is often used to conduct private matters of business. A strong, full-coverage security policy stands up to potential data theft with a proactive approach toward securing it in the first place, both for data in use and data at rest, or data that is stored and offline. Any responsible organization will protect private business information equally well against theft, tampering, and fraud.


Protection for personally identifiable information (PII) drives privacy and confidentiality requirements for rules, regulations, and legislation all over the world (especially in North America and the European Union). Be sure to acquaint yourself with the contents of NIST publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). It is available from the NIST Special Publications (800 Series) download page: http://csrc.nist.gov/publications/PubsSPs.html.

Collusion

Collusion is an agreement among multiple people to perform an unauthorized or illegal action. It is hindered by separation of duties, restricted job responsibilities, audit logging, and job rotation. All of these reduce the likelihood that a co-worker will agree to collaborate on an illegal or abusive scheme because of the higher risk of detection.

However, these safeguards are not primarily directed toward collusion prevention. Reducing collusion is simply a side benefit of these security controls.

Reducing Opportunities for Collusion

Collusion is a real and present danger anywhere highly desirable sensitive information is stored or wherever business transactions occur; collusion is even satirized in the comedy movie Office Space.

It depicts three disenfranchised parties—Peter, Michael, and Samir—plotting to commit a crime (embezzlement) against an imaginary company (Initech). Michael creates a virus that will steal fractional portions of electronic money transactions that Peter uploads to the company accounting system. Samir is their conspirator in this operation, which nets hundreds of thousands of dollars in one day.

Although this account is entirely fictional, there are real-world accounts of such crimes resulting in both success and failure. Peter, Michael, and Samir’s collusion is not entirely unique, and their story is probably based on some grain of truth from the real world.

How does the separation of duties help to prevent such behavior, and why is auditing so important as a means of ensuring that it doesn’t occur anyway? Separation of duties is designed to minimize opportunities for collusion and to maximize requirements and opportunities for reporting of shady or suspect behavior. Careful auditing should reveal that even small amounts of funds are disappearing from accounts and should also ultimately lead auditors to where they are going as well.
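The kind of audit that catches the Office Space scheme, as an added example that is not from the book: a totals-only reconciliation balances perfectly because the skimmed fractions were merely moved, while a per-transaction check against the documented rounding rule, plus a look at which accounts received postings that no source transaction mentions, shows both the shortfall and where it went. The transactions, account numbers and the half-up rounding policy are constructed for illustration.

```python
"""Reconciliation audit that surfaces fractional skimming.

Added example (not from the book). Transactions, accounts and the rounding
rule are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed source transactions: (txn_id, account, amount computed to 4 dp by
# an upstream rate engine). Policy says postings are rounded half-up to cents.
SOURCE_TXNS = [
    ("T1", "ACC-100", Decimal("125.3467")),
    ("T2", "ACC-200", Decimal("88.9091")),
    ("T3", "ACC-300", Decimal("1002.0050")),
    ("T4", "ACC-400", Decimal("15.1200")),
]

# Constructed ledger postings: amounts were truncated rather than rounded, and
# the cut-off fractions were posted to an account no source transaction names.
POSTED = [
    ("T1", "ACC-100", Decimal("125.34")),
    ("T2", "ACC-200", Decimal("88.90")),
    ("T3", "ACC-300", Decimal("1002.00")),
    ("T4", "ACC-400", Decimal("15.12")),
    ("T1", "ACC-999", Decimal("0.0067")),
    ("T2", "ACC-999", Decimal("0.0091")),
    ("T3", "ACC-999", Decimal("0.0050")),
]


@dataclass
class Discrepancy:
    txn_id: str
    account: str
    expected: Decimal
    posted: Decimal

    @property
    def difference(self):
        return self.expected - self.posted


def totals_balance(source, posted):
    """The naive control: do the two sides add up? They do here, which is the trap."""
    return sum(a for _, _, a in source) == sum(a for _, _, a in posted)


def reconcile(source, posted):
    """Per-transaction control: each posting must equal the source amount rounded per policy."""
    index = {(t, acct): amt for t, acct, amt in posted}
    findings = []
    for txn_id, account, amount in source:
        expected = amount.quantize(CENT, rounding=ROUND_HALF_UP)
        actual = index.get((txn_id, account), Decimal("0"))
        if actual != expected:
            findings.append(Discrepancy(txn_id, account, expected, actual))
    return findings


def unexpected_destinations(source, posted):
    """Where did the money go? Sum postings to accounts no source transaction references."""
    known = {acct for _, acct, _ in source}
    sink = defaultdict(Decimal)
    for _, acct, amt in posted:
        if acct not in known:
            sink[acct] += amt
    return dict(sink)


if __name__ == "__main__":
    print("totals balance:", totals_balance(SOURCE_TXNS, POSTED))
    for d in reconcile(SOURCE_TXNS, POSTED):
        print(f"{d.txn_id} {d.account}: expected {d.expected}, posted {d.posted}, "
              f"short {d.difference}")
    print("postings to accounts outside the source set:",
          unexpected_destinations(SOURCE_TXNS, POSTED))
```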

Sabotage

Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled. Employee sabotage occurs most often when an employee suspects they will be terminated without just cause.

This is one important reason terminations should be handled swiftly, including disabling all access to the infrastructure (IT and physical) and escorting the ex-employee off the premises. Safeguards against employee sabotage are intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and properly compensating and recognizing employees for excellence and extra work.

Loss of Physical and Infrastructure Support

Loss of physical and infrastructure support may occur owing to power outages, natural disasters, communications interruptions, severe weather, loss of a core utility or service, disruption of transportation, strikes, or national emergencies. It may result in IT downtime and invariably reduces productivity and profitability significantly for the duration of the event. It is nearly impossible to predict and protect against events that cause physical and infrastructure support loss.

Disaster recovery and business continuity planning provide restoration methods when loss events are severe. In most cases, you must wait until the emergency or condition expires and things return to normal.

Unix Details

For the most part, the CISSP exam is product and vendor independent. However, a handful of issues are specific to Unix. If you have worked with Unix or even Linux, most of these items will be simply review. If you have never touched a Unix system, please read this sidebar carefully.

On Unix systems, account information is stored in the password file, /etc/passwd. That file must be world-readable because ordinary programs use it to map user IDs to names, so modern systems keep the actual password hashes in a separate shadow file, /etc/shadow, that only root (and, on some distributions, a dedicated group) can read. The term shadow refers to this split, not to the file being hidden from directory listings: a file whose name begins with a dot is merely omitted from a default ls listing and is revealed by ls -a, which is no security mechanism at all. The protection comes from the shadow file’s permissions, so a world-readable /etc/shadow, or hashes left in the second field of /etc/passwd, exposes every hash to offline cracking.

The most privileged account on a Unix system is known as root, or the superuser; any account with user ID 0 has the same unrestricted access regardless of its name, so audit the password file for unexpected UID 0 entries. It is important to restrict this level of access to only those people who absolutely need it to perform their work tasks, and to have administrators elevate from their own accounts (for example, through sudo, which logs each command) rather than share the root password. The root account on Unix is similar to the Administrator account(s) on Windows systems. Whenever possible, restrict direct root logins to the local console so that the account won’t work over a network connection.

Two permission bits, setuid and setgid, should be closely monitored and their use logged. When set on an executable, they cause the program to run with the privileges of the file’s owner or group rather than those of the user who launched it; a setuid-root program is therefore a direct path to full privilege. If a nonadministrator creates such a file, or an administrator does so in an unapproved fashion, it can indicate a security policy violation or a backdoor left behind after an intrusion. Periodically compare the set of setuid and setgid files on a system (for example, the output of find / -perm -4000 and find / -perm -2000) against a known-good baseline.

Another important command to monitor is mount, which attaches a filesystem (a local disk partition, removable media, or a remote share such as an NFS export) at a directory in the file tree; Unix has no drive letters. Mounting remote or removable storage may seem like an efficient way to reach resources, but it also makes it easier to introduce malicious code and to bypass the controls on the host’s own filesystems. An unauthorized mount, or a mount of untrusted media that omits options such as nosuid, nodev, and noexec, could indicate an intrusion or an attempt to create a security loophole.

You should also consider monitoring, and disabling where they are not needed, the following network services (listed by their names in /etc/services): systat, bootp, tftp, sunrpc, snmp, snmp-trap, and nfs. Some of them, tftp for example, perform no authentication at all.

Finally, the Berkeley r-services (rlogin, rsh, and rcp) can be configured to trust other hosts so that authentication is not required: any user on a host listed in /etc/hosts.equiv (or in a per-user ~/.rhosts file) can log in as the corresponding local user without a password, and a line consisting of a single plus sign trusts every host. You can easily determine whether a system has been configured this way by checking for an /etc/hosts.equiv file and for .rhosts files in home directories. Remove these files (or, better, disable the r-services altogether in favor of SSH) to disable this feature. Separately, a system booted into single-user mode presents a root shell, on many older systems without asking for a password, which is one more reason to protect physical and console access.
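A host check that covers the sidebar’s points, as an added example (this is not code from the book): it reports a world-readable shadow file, setuid or setgid files that are not on an allowlist, and any hosts.equiv or .rhosts trust files. It audits whatever directory tree it is pointed at, so it can be run against "/" on a live host; the allowlist and the sample tree it builds for an offline run are constructed for this example.

```python
import os
import stat
import sys
import tempfile

# Assumed site allowlist of setuid/setgid programs, as paths relative to the
# audited root. A real list comes from a known-good baseline of the host.
EXPECTED_SETUID = {"/usr/bin/passwd", "/usr/bin/su"}


def _rel(root, path):
    """Path relative to the audited root, always written with forward slashes."""
    return "/" + os.path.relpath(path, root).replace(os.sep, "/")


def check_shadow(root):
    """/etc/shadow holds the password hashes; 'other' must have no read access."""
    shadow = os.path.join(root, "etc", "shadow")
    if not os.path.isfile(shadow):
        return []
    mode = os.stat(shadow).st_mode
    if mode & stat.S_IROTH:
        return [f"SHADOW_WORLD_READABLE /etc/shadow mode={oct(stat.S_IMODE(mode))}"]
    return []


def check_setuid(root):
    """Regular files with the setuid or setgid bit that are not on the allowlist."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rel = _rel(root, path)
                if rel not in EXPECTED_SETUID:
                    findings.append(f"UNEXPECTED_SETUID {rel}")
    return sorted(findings)


def check_trust_files(root):
    """hosts.equiv and per-user .rhosts files grant password-less r-service logins."""
    findings = []
    if os.path.isfile(os.path.join(root, "etc", "hosts.equiv")):
        findings.append("TRUST_FILE /etc/hosts.equiv")
    for base in ("home", "root"):               # os.walk of a missing dir yields nothing
        for dirpath, _dirs, files in os.walk(os.path.join(root, base)):
            if ".rhosts" in files:
                findings.append("TRUST_FILE " + _rel(root, os.path.join(dirpath, ".rhosts")))
    return sorted(findings)


def audit_tree(root):
    """All findings for the tree rooted at `root` ("/" on a live host)."""
    return check_shadow(root) + check_setuid(root) + check_trust_files(root)


def make_sample_tree():
    """Constructed tree with one of each problem plus one expected setuid file."""
    root = tempfile.mkdtemp(prefix="unix-audit-")
    for d in ("etc", "usr/bin", "home/alice", "tmp"):
        os.makedirs(os.path.join(root, d))
    shadow = os.path.join(root, "etc", "shadow")
    with open(shadow, "w") as fh:
        fh.write("root:$6$constructed$notarealhash:19000:0:99999:7:::\n")
    os.chmod(shadow, 0o644)                     # wrong: should be 0600 or 0640
    for rel, mode in (("usr/bin/passwd", 0o4755), ("tmp/.sh", 0o4755)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)                    # tmp/.sh plays the planted backdoor
    with open(os.path.join(root, "etc", "hosts.equiv"), "w") as fh:
        fh.write("+\n")                         # a lone '+' trusts every host
    open(os.path.join(root, "home", "alice", ".rhosts"), "w").close()
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for line in audit_tree(target):
        print(line)
```

Run it with no argument to audit the constructed tree, or with a path (such as /) to audit a real host. The setuid check is the one that should be diffed against a baseline over time: a setuid binary that was not there last week is the finding that matters, and the allowlist is only there to suppress the programs the distribution legitimately ships with the bit set.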

Malicious Attackers

Malicious attackers are individuals who actively seek to infiltrate your IT infrastructure whether for fame, access, or financial gain. These intrusions or attacks are important threats against which your security policy and your entire security infrastructure is designed to protect. Most safeguards and countermeasures protect against one specific threat or another, but it is not possible to protect against all possible threats that a cracker represents.

Remaining vigilant about security, tracking activity, and implementing intrusion detection systems can provide a reasonable level of protection. Remaining current on security-related subjects (through active forums, mailing lists, and so on) can provide a reasonable level of confidence in your security strategy.

Espionage

Espionage is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization for the express purpose of disclosing and often selling that data to a competitor or other interested organization (such as a foreign government). Espionage is sometimes committed by internal employees who have become dissatisfied with their jobs or have become compromised in some way. It can also be committed by a mole or plant placed in your organization to steal information for a primary secret employer. Or it can occur far removed from the workplace, perhaps at a convention or an event, perpetrated by someone who specifically targets your employees’ mobile assets.

Countermeasures against espionage are to strictly control access to all nonpublic data (both at home and abroad), thoroughly screen new employee candidates, and efficiently track all employee activities.

Malicious Code

Malicious code is any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system. Malicious code can take many forms, including viruses, worms, Trojan horses, documents with destructive macros, and logic bombs. Malicious code exists for every type of computer or computing device.

Monitoring and filtering the traffic that enters into and travels within a secured environment (both via network and portable storage devices), combined with scanning hosts with up-to-date anti-malware tools, is the most effective countermeasure against malicious code.

Education, Policy, and Tools

Malicious software is the stinging bull nettle on a business network and an incessant pest for IT staffers. Alas, users can and will track in malicious software in the most casual and often unwitting ways.

Kim forwards a seemingly harmless interoffice joke through email to Larry’s account. Larry opens the document, which actually contains active code segments that perform harmful or destructive actions on his system. Next, Larry reports a host of “performance issues” and “stability problems” with his workstation, which he never complained about before now.

In this scenario, Kim and Larry have little cause to be concerned about their apparently innocuous activities. After all, sharing anecdotes and jokes through company email is a common way to bond and socialize. What’s the harm in that, right? The real question is, how can you educate Kim, Larry, and all your other users to be more discreet and discerning in handling shared documents and executables? Can you reasonably prevent malware from coming in on flash drives?

The key is a combination of education, policy, and tools. Anti-malware tools of all types (antivirus, antispyware, antispam, and so forth) should be employed to prevent such materials from crossing the transom onto the network. Education should inform Kim that forwarding non-work materials on the company network is counter to policy and good behavior, and Larry should likewise learn that opening attachments not related to specific work tasks, especially unexpected ones, can lead to all kinds of problems (including those to which he falls prey here). And finally, policy should state terms of acceptable use clearly to prevent unauthorized materials from circulating and from being opened and read.

Traffic and Trend Analysis

The ongoing activities of a network and even a business environment may produce recognizable patterns, which can be deemed normal or abnormal on a circumstantial and situational basis. These patterns are known as trends or traffic patterns. A specific type of attack called traffic or trend analysis examines these patterns for what they reveal. What is interesting about these types of examinations or attacks is that they reveal only the patterns of traffic, not the actual content of the traffic. Patterns and trends can reveal operations that occur on a regular basis or that are somehow considered important.

For example, suppose an attacker watches your T1 line and notices that from 3 p.m. to approximately 4:30 p.m. every Friday your organization consumes nearly 80 percent of the capacity of the T1 line. The attacker can infer that the noticeable pattern is a file or data transfer activity that is important because it always occurs at the same time every week. Thus, the attacker can schedule an attack for 2:45 p.m. to take out the T1 or otherwise cause a denial of service to prevent legitimate activity from occurring. Traffic and trend analysis can be used against both encrypted and unencrypted traffic because patterns of traffic rather than contents are examined. Traffic and trend analysis can be used against physical environments and people as well. For example, an observer need only watch a security guard to discover that it takes 12 minutes for him to walk the perimeter of a building and for 8 of those minutes, he is unable to see a section of fence that an intruder could easily climb.

Countermeasures to traffic and trend analysis include performing traffic and trend analysis on your own environment to see what types of information you are inadvertently revealing if anyone happens to be watching. You can alter your common and mission-critical activities so you don’t produce easily recognizable patterns. Other countermeasures to traffic and trend analysis are traffic padding, noise, and use of covert channels. You can pad your communication channels through traffic generation tools or broadcasting noise whenever legitimate traffic is not occurring.
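The attack and the padding countermeasure described above, as an added example (this is not code from the book): the detector looks only at hourly link utilization, never at content, finds the slots that stand out in every observed week, and so infers the Friday-afternoon transfer; padding the idle hours up to the same level removes the pattern. The utilization samples are constructed for this example.

```python
from statistics import median

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
HOURS_PER_WEEK = 24 * 7


def slot(day, hour):
    """Index of an hour-of-week slot, 0 = Monday 00:00."""
    return DAYS.index(day) * 24 + hour


def build_sample_weeks(n_weeks=4):
    """Constructed hourly link-utilization samples (fraction of capacity).
    Background sits around 20 percent with deterministic jitter; every Friday
    at 15:00 and 16:00 a transfer pushes the link to 80 percent."""
    weeks = []
    for w in range(n_weeks):
        week = [0.20 + 0.02 * ((h * 7 + w) % 5) for h in range(HOURS_PER_WEEK)]
        for hour in (15, 16):
            week[slot("Fri", hour)] = 0.80
        weeks.append(week)
    return weeks


def recurring_peaks(weeks, factor=2.5):
    """Hour-of-week slots whose utilization exceeds `factor` times the week's
    median in every observed week. Only volume is used, never content, so the
    result is the same whether or not the traffic is encrypted."""
    common = None
    for week in weeks:
        cutoff = factor * median(week)
        hot = {h for h, u in enumerate(week) if u > cutoff}
        common = hot if common is None else common & hot
    return sorted((DAYS[h // 24], h % 24) for h in (common or set()))


def pad_traffic(weeks, level=0.80):
    """Countermeasure: keep the link at a constant level with generated filler
    whenever real traffic falls below it, so the schedule no longer stands out."""
    return [[max(u, level) for u in week] for week in weeks]


if __name__ == "__main__":
    observed = build_sample_weeks()
    print("Attacker's inferred schedule:", recurring_peaks(observed))
    print("After padding:", recurring_peaks(pad_traffic(observed)))
```

Requiring the peak in every week is what separates a scheduled job from a one-off burst, and it is also why the defender’s own trend analysis should run over weeks rather than days. Padding to a constant level is the strongest form of the countermeasure; it costs bandwidth, which is the trade-off the text alludes to.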

Initial Program Load Vulnerabilities

There is a period of time between the moments when a device is off and when it is fully booted and operational during which the system is not fully protected by its security mechanisms. This time period is known as the initial program load (IPL), and it has numerous vulnerabilities. Without physical security, there are no complete countermeasures for IPL vulnerabilities: anyone with physical access to a device can exploit its weaknesses during the boot-up process. Some IPL vulnerabilities are accessing alternate boot menus, booting a live operating system from a CD, floppy, or other removable media and reading the local disks from it, and accessing the BIOS/CMOS settings to alter the configuration, such as enabling or disabling devices or changing the boot order. Firmware passwords, a restricted boot order, and full-disk encryption raise the cost of these attacks, but they do not replace physical access control.

Linux Details

Just as you should be aware of a few Unix issues, you should be aware of a few Linux items as well.

Salts are added to Linux password hashes to ensure that the stored hash is unique even when two users choose the same password. Think of a salt as a random value generated for each account and combined with the password before hashing; the salt is stored alongside the hash in /etc/shadow. Because each hash must then be attacked separately, a salt defeats precomputed lookup tables and multiplies the attacker’s work by the number of accounts. (By contrast, the NT hashes that Windows stores in the SAM database are not salted, which is one reason leaked Windows hashes are so readily cracked or reused.)
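What the salt buys, as an added example (this is not code from the book): the same password hashed without a salt collides across accounts and falls to one precomputed table, while salted records differ per account and force the attacker to rehash the wordlist for each one. The scheme here is PBKDF2-HMAC-SHA256 with a 16-byte random salt and a record format of my own; the accounts and wordlist are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor; raise it on real systems

# Constructed accounts: two users happen to pick the same password.
SAMPLE_USERS = {"kim": "Winter2024!", "larry": "Winter2024!", "peter": "hunter2"}
# Constructed attacker wordlist.
WORDLIST = ["password", "Winter2024!", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain hash of the password: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Per-account random salt combined with the password via PBKDF2-HMAC-SHA256.
    The salt is stored in the record; it need not be secret, only unique."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_store(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def salted_store(users, iterations: int = ITERATIONS):
    return {user: salted_record(pw, iterations=iterations) for user, pw in users.items()}


def crack_unsalted(store, wordlist):
    """One precomputed table serves every account: the cost is len(wordlist)
    hashes no matter how many users there are."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store, wordlist):
    """Each record has its own salt, so the wordlist is rehashed per account:
    len(store) * len(wordlist) PBKDF2 computations, each deliberately slow."""
    cracked, work = {}, 0
    for user, record in store.items():
        for word in wordlist:
            work += 1
            if verify_password(word, record):
                cracked[user] = word
    return cracked, work


if __name__ == "__main__":
    plain = unsalted_store(SAMPLE_USERS)
    print("unsalted, kim == larry:", plain["kim"] == plain["larry"], crack_unsalted(plain, WORDLIST))
    salted = salted_store(SAMPLE_USERS)
    print("salted, kim == larry:", salted["kim"] == salted["larry"], crack_salted(salted, WORDLIST))
```

Both attacks still recover the weak passwords; the salt does not make a guessable password strong. What changes is the cost: the unsalted store is cracked with three cheap hashes for any number of users, the salted one needs a full slow pass per account, and the work factor scales that pass up further.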

Low Water-Mark Mandatory Access Control (LOMAC) is a loadable kernel module for Linux designed to protect the integrity of processes and data. It is an OS security architecture extension or enhancement that provides flexible support for security policies.

Flask is not an operating system but a security architecture for operating systems that provides flexible support for security policies by separating policy decisions (made by a security server) from their enforcement (performed by the kernel’s object managers). It was prototyped in the Fluke research OS, and parts of that work were carried into the OSKit (a programmer’s toolkit for writing OSs). The Flask architecture was later implemented in the Linux kernel as Security-Enhanced Linux (SELinux), so SELinux’s policy server and enforcement hooks are direct descendants of Flask.

Summary

Maintaining operations security requires directed efforts in auditing and monitoring. These efforts give rise to detecting attacks and intrusions. This in turn guides the selection of countermeasures, encourages penetration testing, and helps to limit, restrict, and prevent inappropriate activities, crimes, and other threats.

Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used by a secure environment.

Audit trails are the records created by recording information about events and occurrences into a database or log file, and they can be used to, for example, reconstruct an event, extract information about an incident, and prove or disprove culpability. Audit trails provide a passive form of detective security control and serve as a deterrent in the same manner as CCTV or security guards do. In addition, they can be essential as evidence in the prosecution of criminals.

Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity, including file and resource access, logon patterns, email, and the use of privileges.

Monitoring is a form of auditing that focuses more on the active review of the audited information or the audited asset. It is most often used in conjunction with performance, but it can be used in a security context as well. The actual tools and techniques used to perform monitoring vary greatly between environments and system platforms, but there are several common forms found in most environments: warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools.

Penetration testing is a vigorous attempt to break into a protected network using any means necessary. It is a common method for testing the strength of your security measures. Organizations often hire external consultants to perform penetration testing so that testers are not privy to confidential elements of the security’s configuration, network design, and other internal secrets. Penetration testing methods can include war dialing, sniffing, eavesdropping, radiation monitoring, dumpster diving, and social engineering.

Inappropriate activities may take place on a computer or over the IT infrastructure and may not be actual crimes, but they are often grounds for disciplinary action or termination. Inappropriate activities include creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

An IT infrastructure faces numerous threats against which there are few direct countermeasures. These threats include errors, omissions, fraud, theft, collusion, sabotage, loss of physical and infrastructure support, attackers, espionage, and malicious code. There are, however, steps you can take to lessen the impact of most of them.

Exam Essentials

Understand auditing. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used by a secure environment.

Know the types or forms of auditing. Auditing encompasses a wide variety of different activities, including the recording of event/occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, log analysis, and response (some other names for these activities are logging, monitoring, examining alerts, analysis, and even intrusion detection). Be able to explain what each type of auditing activity involves.

Understand compliance checking. Compliance checking (or compliance testing) ensures that all the necessary and required elements of a security solution are properly deployed and functioning as expected. Compliance checks can take many forms, such as vulnerability scans and penetration testing. They can also involve auditing and be performed using log analysis tools to determine whether any vulnerabilities for which countermeasures have been deployed have been realized on the system.

Understand the need for frequent security audits. The frequency of an IT infrastructure security audit or security review is based on risk. You must determine whether sufficient risk exists to warrant the expense and interruption of a security audit on a more or less frequent basis. You should clearly define and adhere to the frequency of audit reviews.

Understand that auditing is an aspect of due care. Security audits and effectiveness reviews are key elements in displaying due care. Senior management must enforce compliance with regular periodic security reviews or they will be held accountable and liable for any asset losses that occur as a result.

Understand audit trails. Audit trails are the records created by recording information about events and occurrences into a database or log file. They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability. Using audit trails is a passive form of detective security control, and audit trails are essential evidence in the prosecution of criminals.

Understand how accountability is maintained. Accountability is maintained for individual subjects through the use of audit trails. Activities of users and events caused by the actions of users while online can be recorded so users can be held accountable for their actions. This directly promotes good user behavior and compliance with the organization’s security policy.

Know the basic elements of an audit report. Audit reports should all address a few basic or central concepts: the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. They often include many other details specific to the environment, such as time, date, and specific systems. Audit reports can include a wide range of content that focuses on problems/events/conditions, standards/criteria/baselines, causes/reasons, impact/effect, or solutions/recommendations/safeguards.

Understand the need to control access to audit reports. Audit reports include sensitive information and should be assigned a classification label and handled appropriately. Only people with sufficient privilege should have access to them. An audit report should also be prepared in various versions according to the hierarchy of the organization, providing only the details relevant to the position of the staff members for which they are prepared.

Understand sampling. Sampling, or data extraction, is the process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole. There are two forms of sampling: statistical and nonstatistical. An auditing tool using precise mathematical functions to extract meaningful information from a large volume of data performs statistical sampling. Statistical sampling is used to measure the risk associated with the sampling process.

Understand record retention. Record retention is the act of retaining and maintaining important information. There should be an organizational policy that defines what information is maintained and for how long. The records in question are usually audit trails of user activity, including file and resource access, logon patterns, email, and the use of privileges. Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely.

Understand monitoring and uses of monitoring tools. Monitoring is a form of auditing that focuses more on the active review of the audited information or the audited asset. It’s most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment. Although the actual tools and techniques used to perform monitoring vary greatly between environments and system platforms, several common forms are found in most environments: warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools. Be able to list the various monitoring tools and know when and how to use each one.

Understand failure recognition and response. On systems with manual review, the observer or auditor is responsible for failure recognition. To recognize a failure, one must understand what is normal and expected. When monitored or audited events stray from a standard baseline, then a failure, breach, intrusion, error, or problem has occurred, and a response must be initiated.

Understand what penetration testing is and be able to explain the methods used. Organizations use penetration testing to evaluate the strength of their security infrastructure. Know that it involves launching intrusion attacks on your network and be able to explain the methods used: war dialing, sniffing and eavesdropping, radiation monitoring, dumpster diving, and social engineering.

Know what TEMPEST is. TEMPEST is a standard for the study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, phones, and so on. Its primary goal is to prevent EMI and RFI radiation from leaving a strictly defined area so as to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing.

Know what dumpster diving and scavenging are. Dumpster diving and scavenging involve digging through refuse, remains, or leftovers from an organization or operation to discover or infer confidential information. Countermeasures for dumpster diving and scavenging include secure disposal of all garbage. This usually means shredding all documentation and incinerating all shredded material and other waste. Other safeguards include maintaining physical access control and monitoring privilege activity use online.

Understand social engineering. A social engineering attack is an attempt by an attacker to convince an employee to perform an unauthorized activity to subvert the security of an organization. Often the goal of social engineering is to gain access to the IT infrastructure or the physical facility. The only way to protect against social engineering attacks is to thoroughly train users how to respond and interact with communications as well as with unknown personnel.

Know what inappropriate activities are. Inappropriate activities are actions that may take place on a computer or over the IT infrastructure and that may not be actual crimes but are often grounds for internal punishments or termination. Some types of inappropriate activities are creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

Know that errors and omissions can cause security problems. One of the most common vulnerabilities, and one of the hardest to protect against, is errors and omissions. Errors and omissions occur because humans interact with, program, control, and provide data for IT. There are no direct countermeasures to prevent all errors and omissions. Some safeguards against errors and omissions include input validators and user training. However, these mechanisms offer only a minimal reduction in the overall errors and omissions encountered in an IT environment.

Understand fraud and theft. Fraud and theft are criminal activities that can be perpetrated using or enabled by computers. Most access controls deployed in a secured environment will reduce fraud and theft, but not every form of these crimes can be predicted and protected against. Both internal authorized users and external unauthorized intruders can exploit your IT infrastructure to perform various forms of fraud and theft. Maintaining an intensive auditing and monitoring program and prosecuting all criminal incidents will help reduce fraud and theft.

Know what collusion is. Collusion is an agreement among multiple persons to perform some unauthorized or illegal action. It is hindered by separation of duties, restricted job responsibilities, audits, and job rotation. All of these reduce the likelihood that a co-worker will agree to collaborate on an illegal or abusive scheme because of the higher risk of detection.

Understand employee sabotage. Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled. Safeguards against employee sabotage are intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and properly compensating and recognizing employees for excellence and extra work.

Know how loss of physical and infrastructure support can cause security problems. Loss of physical and infrastructure support comes from power outages, natural disasters, communication interruptions, severe weather, loss of any core utility or service, disruption of transportation, strikes, and national emergencies. It is nearly impossible to predict and protect against events of this kind. Disaster recovery and business continuity planning can provide restoration methods if losses are severe. In most cases, you must wait until the emergency or condition subsides and things return to normal.

Understand espionage. Espionage is the malicious act, often by an internal employee, of gathering proprietary, secret, private, sensitive, or confidential information about an organization for the express purpose of disclosing and often selling that data to a competitor or other interested organization (such as a foreign government). Countermeasures against espionage are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Written Lab

1. What are audit trails, and why are they important?

2. How are accountability and auditing interrelated?

Answers to Written Lab

1. Auditing is a methodical examination or review of an environment that encompasses a wide variety of different activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially is what makes auditing and subsequent detection of malfeasance or misbehavior possible.

2. Accountability is the property that enables activities on a system to be traced to specific entities who then can be held responsible for their actions. Auditing and audit trails provide the means for accountability on information systems where users interact with other users and objects.

Review Questions

1. What is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes?

A. Penetration testing

B. Auditing

C. Risk analysis

D. Entrapment

2. Which of the following is not considered a type of auditing activity?

A. Recording of event data

B. Data reduction

C. Log analysis

D. Deployment of countermeasures

3. Monitoring can be used to perform all but which of the following?

A. Determine validity of software licenses in use.

B. Detect malicious actions by subjects.

C. Detect attempted intrusions.

D. Detect system failures.

4. What provides data for re-creating the history of an event, intrusion, or system failure step-by-step?

A. Security policies

B. Log files

C. Audit reports

D. Business continuity planning

5. What is the frequency of an IT infrastructure security audit or security review based on?

A. Asset value

B. Management discretion

C. Risk

D. Level of realized threats

6. Failure to perform which of the following can result in the perception that due care is not being maintained?

A. Periodic security audits

B. Deployment of all available safeguards

C. Performance reviews

D. Creating audit reports for shareholders

7. Audit trails are considered to be what type of security control?

A. Administrative

B. Passive detective

C. Corrective

D. Physical

8. Which essential element of an audit report is not considered to be a basic concept of the audit?

A. Purpose of the audit

B. Recommendations of the auditor

C. Scope of the audit

D. Results of the audit

9. Why should access to audit reports be controlled and restricted?

A. They contain copies of confidential data stored on the network.

B. They contain information about the vulnerabilities of the system.

C. They are useful only to upper management.

D. They include the details about the configuration of security controls.

10. What are used to inform would-be intruders or those who attempt to violate security policy that their intended activities are restricted and that any further activities will be audited and monitored?

A. Security policies

B. Interoffice memos

C. Warning banners

D. Honeypots

11. Which of the following focuses more on the patterns and trends of data rather than the actual content?

A. Keystroke monitoring

B. Traffic analysis

C. Event logging

D. Security auditing

12. Which of the following activities is not considered a valid form of penetration testing?

A. Denial-of-service attacks

B. Port scanning

C. Distribution of malicious code

D. Packet sniffing

13. The act of searching for unauthorized modems is known as ________________.

A. scavenging

B. espionage

C. system auditing

D. war dialing

14. Which of the following is not a useful countermeasure to war dialing?

A. Restricted and monitored Internet access

B. Imposing strong remote access security

C. Callback security

D. Call logging

15. The standard for study and control of electronic signals produced by various types of electronic hardware is known as ______________.

A. eavesdropping

B. TEMPEST

C. SESAME

D. wiretapping

16. Searching through the refuse, remains, or leftovers from an organization or operation to discover or infer confidential information is known as _____________________.

A. impersonation

B. dumpster diving

C. social engineering

D. inference

17. Which of the following is not an effective countermeasure against inappropriate content being hosted or distributed over a secured network?

A. Activity logging

B. Content filtering

C. Intrusion detection system

D. Penalties and termination for violations

18. One of the most common vulnerabilities of an IT infrastructure and hardest to protect against is the occurrence of ______________.

A. errors and omissions

B. inference

C. data destruction by malicious code

D. data scavenging

19. The willful destruction of assets or elements within the IT infrastructure as a form of revenge or justification for perceived wrongdoing is known as ___________________.

A. espionage

B. entrapment

C. sabotage

D. permutation

20. What is the most common reaction to the loss of physical and infrastructure support?

A. Deploying OS updates

B. Vulnerability scanning

C. Waiting for the event to expire

D. Tightening of access controls

Answers to Review Questions

1. B. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.

2. D. Deployment of countermeasures is not considered a type of auditing activity; rather, it’s an active attempt to prevent security problems.

3. A. Monitoring is not used to determine the validity of software licenses in use.

4. B. Log files provide an audit trail for re-creating step-by-step the history of an event, intrusion, or system failure. An audit trail is used to reconstruct an event, to extract information about an incident, to prove or disprove culpability, and to do much more.

5. C. The frequency of an IT infrastructure security audit or security review is based on risk. You must establish the existence of sufficient risk to warrant the expense of and interruption caused by a security audit on a more or less frequent basis.

6. A. Failing to perform periodic security audits can result in the perception that due care is not being maintained. Such audits alert personnel that senior management is practicing due diligence in maintaining system security.

7. B. Audit trails are a passive form of detective security control. Administrative, corrective, and physical security controls are active ways to maintain security.

8. B. Recommendations of the auditor are not considered basic and essential concepts to be included in an audit report. Key elements of an audit report include the purpose, scope, and results of the audit.

9. B. Audit reports should be secured because they contain information about the vulnerabilities of the system. Disclosure of such vulnerabilities to the wrong person could lead to security breaches.

10. C. Warning banners are used to inform would-be intruders or those who attempt to violate the security policy that their intended activities are restricted and that any further activities will be audited and monitored.

11. B. Traffic analysis focuses more on the patterns and trends of data rather than the actual content. Such an analysis offers insight into primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.
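As an added illustration of the point in answer 11 (this is example code written for this chapter, not part of the original text), the following script derives the kinds of conclusions listed above from flow metadata alone, never looking at packet content. The flow records are constructed sample data; the assumptions that 10.0.0.0/8 is the internal network and that ports 22, 443, 993 and 8443 carry encrypted traffic are mine for the example.

```python
"""Traffic analysis over flow metadata only: patterns and trends, not payloads."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample flow records (NetFlow-style metadata, no packet content).
# Fields: timestamp, src_ip, dst_ip, dst_port, bytes.
SAMPLE_FLOWS = """\
2024-03-01T09:00:05 10.0.0.11 10.0.0.5 445 4200
2024-03-01T09:00:09 10.0.0.12 10.0.0.5 445 3900
2024-03-01T09:01:15 10.0.0.13 10.0.0.5 445 5100
2024-03-01T09:02:00 10.0.0.11 203.0.113.8 443 1800
2024-03-01T09:02:30 10.0.0.11 203.0.113.8 443 2100
2024-03-01T09:03:10 10.0.0.12 203.0.113.8 443 900
2024-03-01T09:04:00 10.0.0.14 10.0.0.6 3389 76000
2024-03-01T09:05:00 10.0.0.14 198.51.100.7 22 640
2024-03-01T09:05:40 10.0.0.14 198.51.100.7 22 7100
2024-03-01T09:06:00 198.51.100.9 10.0.0.6 3389 500
"""

# Assumption for the example: these destination ports carry encrypted sessions.
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 993: "imaps", 8443: "https-alt"}


def is_internal(ip):
    """Assumption for the example: 10.0.0.0/8 is the organisation's network."""
    return ip.startswith("10.")


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def analyze(flows):
    """Infer servers, routes, direction, encrypted sources and rate from metadata."""
    peers = defaultdict(set)   # dst -> distinct sources talking to it (server popularity)
    pair_count = Counter()     # (src, dst) -> how often the pair communicates
    direction = Counter()      # bytes by internal / outbound / inbound
    enc_sources = Counter()    # hosts originating encrypted sessions
    for f in flows:
        peers[f["dst"]].add(f["src"])
        pair_count[(f["src"], f["dst"])] += 1
        if is_internal(f["src"]) and is_internal(f["dst"]):
            direction["internal"] += f["bytes"]
        elif is_internal(f["src"]):
            direction["outbound"] += f["bytes"]
        else:
            direction["inbound"] += f["bytes"]
        if f["port"] in ENCRYPTED_PORTS:
            enc_sources[f["src"]] += 1
    # Hosts contacted by the most distinct peers are the likely primary servers.
    primary = sorted(peers, key=lambda h: (-len(peers[h]), h))
    span = max(f["ts"] for f in flows) - min(f["ts"] for f in flows)
    rate = len(flows) / max(span.total_seconds() / 60, 1)  # flows per minute
    return {
        "primary_servers": [(h, len(peers[h])) for h in primary],
        "most_frequent_pairs": pair_count.most_common(3),
        "direction_bytes": dict(direction),
        "encrypted_sources": enc_sources.most_common(),
        "flows_per_minute": round(rate, 2),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{key}: {value}")
```

On the sample data the script identifies 10.0.0.5 as the busiest internal server (three distinct clients), shows that almost all bytes stay internal with a small outbound component, and flags 10.0.0.11 and 10.0.0.14 as the hosts originating encrypted sessions, all without reading a single payload byte. The same approach is what an attacker gains from a passive tap, which is why traffic analysis remains a concern even when content is encrypted.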

12. C. Distribution of malicious code will almost always result in damage or loss of assets. Thus, it is not an element of penetration testing under any circumstance, even if it’s done with the approval of upper management.

13. D. War dialing is the act of searching for unauthorized modems that will accept inbound calls on an otherwise secure network in an attempt to gain access.

14. A. Users often install unauthorized modems because of restricted and monitored Internet access. Because war dialing is often used to locate unauthorized modems, restricting and monitoring Internet access wouldn’t be an effective countermeasure.

15. B. TEMPEST is the standard that defines the study and control of electronic signals produced by various types of electronic hardware.

16. B. Dumpster diving is the act of searching through the refuse, remains, or leftovers from an organization or operation to discover or infer confidential information.

17. C. An IDS detects attacks and intrusion attempts, not inappropriate content. Content filtering blocks such material, activity logging records who distributed it, and penalties and termination deter violations; an IDS contributes nothing against this particular problem.

18. A. One of the most common vulnerabilities and hardest to protect against is the occurrence of errors and omissions.

19. C. The willful destruction of assets or elements within the IT infrastructure as a form of revenge or justification for perceived wrongdoing is known as sabotage.

20. C. In most cases, you must simply wait until the emergency or condition expires and things return to normal.
