CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)
Chapter 14
Auditing and Monitoring

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Auditing and Audit Trails
Monitoring
Penetration Testing
Inappropriate Activities
Indistinct Threats and Countermeasures
The Operations Security domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with the activities and efforts directed at maintaining operational security and includes the primary concerns of auditing and monitoring. Auditing and monitoring prompt IT departments to make efforts at detecting intrusions and unauthorized activities. Vigilant administrators must sort through a selection of countermeasures and perform penetration testing that helps to limit, restrict, and prevent inappropriate activities, crimes, and other threats.
We discussed the Operations Security domain in some detail in Chapter 13, “Administrative Management,” and we will be finishing up coverage on this domain in this chapter. Be sure to read and study the materials from both chapters to ensure complete coverage of the essential operations security material for the CISSP certification exam.
Auditing
Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used in a secure environment.
Auditing Basics
Auditing encompasses a wide variety of different activities, including the recording of event/occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, and log analysis. These activities are also known as, for example, logging, monitoring, examining alerts, analysis, and even intrusion detection. Logging is the activity of recording information about events or occurrences to a log file or database. Monitoring is the activity of manually or programmatically reviewing logged information looking for something specific. Alarm triggers are notifications sent to administrators when a specific event occurs. Log analysis is a more detailed and systematic form of monitoring in which the logged information is analyzed in detail for trends and patterns as well as abnormal, unauthorized, illegal, and policy-violating activities. Intrusion detection is a specific form of monitoring both recorded information and real-time events to detect unwanted system access.
Accountability
Auditing and monitoring are required factors for sustaining and enforcing accountability. Monitoring is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. Without an electronic account of a subject’s actions, it is not possible to correlate IT activities, events, and occurrences with subjects. Monitoring is also the process by which unauthorized or abnormal activities are detected on a system. It is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis. Auditing and logging are usually native features of an operating system and most applications and services. Thus, configuring the system to record information about specific types of events is fairly straightforward.
Auditing is also used to monitor the health and performance of a system through recording the activities of subjects and objects as well as core system functions that maintain the operating environment and the security mechanisms. The audit trails created by recording system events to logs can be used to evaluate the health and performance of a system. System crashes can indicate faulty programs, corrupt drivers, or intrusion attempts. The event logs leading up to a crash can often be used to discover the reason a system failed. Log files provide an audit trail for recreating step-by-step the history of an event, intrusion, or system failure.
In most cases, when sufficient logging and auditing is enabled to monitor a system, so much data is collected that the important details get lost in the bulk. The art of data reduction is crucial when working with large volumes of monitoring data. There are numerous tools to search through log files for specific events or ID codes. However, for true automation and even real-time analysis of events, an intrusion detection system (IDS) is required. IDS solutions are discussed in Chapter 2, "Attacks and Monitoring."
Compliance
Auditing is also commonly used for compliance testing, or compliance checking. Verification that a system complies with laws, regulations, baselines, guidelines, standards, and policies is an important part of maintaining security in any environment. Compliance testing ensures that all of the necessary and required elements of a security solution are properly deployed and functioning as expected. Compliance checks can take many forms, such as vulnerability scans and penetration testing. They can also be performed using log analysis tools to determine if any vulnerabilities for which countermeasures have been deployed have been realized on the system.
Audits can be performed from one of two perspectives: internal or external. Organizational employees from inside the IT environment who are aware of the implemented security solutions perform internal audits. Independent auditors from outside the IT environment who are not familiar with the implemented security solutions perform external audits. Insurance agencies, accounting firms, or even the organization itself hire external auditors to test the validity of security claims. The goal of both internal and external auditing is to measure the effectiveness of the deployed security solution.
Audit Time Frames
The frequency of an IT infrastructure security audit or security review is based on risk. When performing risk analysis, it must be determined whether sufficient risk exists to warrant the expense of and interruption caused by a security audit on a more or less frequent basis. In any case, the frequency of audit reviews should be clearly defined in the security guidelines or standards of an organization. Once defined in the formalized security infrastructure, it should be adhered to. Without regular assessments of the state of security of an IT infrastructure, there is no way to know how secure the environment is until an attack is either successful or thwarted. Waiting until the battle to determine whether or not you will succeed is a very poor business strategy.
As with many other aspects of deploying and maintaining security, security audits and effectiveness reviews are often viewed as key elements in displaying due care. If senior management fails to enforce compliance with regular periodic security reviews, then they will be held accountable and liable for any asset losses that occur due to security breaches or policy violations.
Audit Trails
Audit trails are the records created by recording information about events and occurrences into a database or log file. They are used to reconstruct an event, to extract information about an incident, to prove or disprove culpability, and much more. They allow events to be examined or traced in forward or reverse order. This flexibility is useful when tracking down problems, coding errors, performance issues, attacks, intrusions, security breaches, and other security policy violations. Using audit trails is a passive form of detective security control. They serve as a deterrent in the same manner closed-circuit television (CCTV) or security guards do: if the attacker knows they are being watched and their activities recorded, they are less likely to perform the illegal, unauthorized, or malicious activity. Audit trails are also essential as evidence in the prosecution of criminals. They can often be used to produce a before-and-after picture of the state of resources, systems, and assets. This in turn helps to identify whether the change or alteration is the result of the action of a user or an action of the OS or software or caused by some other sources (such as hardware failure).
Accountability is maintained for individual subjects through the use of audit trails. When activities of users and events caused by the actions of users while online are recorded, individuals can be held accountable for their actions. This directly promotes good user behavior and compliance with the organization’s security policy. Users who are aware that their IT activities are being recorded are less likely to attempt to circumvent security controls or to perform unauthorized or restricted activities.
Audit trails give system administrators the ability to reconstruct events long after they have passed. When a security violation is detected, the conditions and system state leading up to the event, during the event, and after the event can be reconstructed through a close examination of the audit trail.
Audit trails offer details about recorded events. A wide range of information can be recorded in log files, including time, date, system, user, process, and type of error/event. Log files can even capture the memory state or the contents of memory. This information can help pinpoint the cause of the event. Using log files for this purpose is often labeled as problem identification. Once a problem is identified, performing problem resolution is little more than following up on the disclosed information. Audit trails record system failures, OS bugs, and software errors as well as abuses of access, violations of privileges, attempted intrusions, and many forms of attacks. Intrusion detection is a specialized form of problem identification through the use of audit trails.
Once a security policy violation or a breach occurs, the source of that violation should be determined. If it is possible to track the individual who perpetrated the activity, they should be reprimanded or terminated (if an employee) or prosecuted (if an external intruder). In every case where a true security policy violation or breach has occurred (especially if a loss can be pinpointed), you should report the incident to your local authorities, possibly the FBI, and if the violation occurred online, to one or more Internet incident tracking organizations.
Reporting Concepts
The actual formats used by an organization to produce reports from audit trails will vary greatly. However, the reports should all address a few basic or central concepts: the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. In addition to these basic foundational concepts, audit reports often include many details specific to the environment, such as time, date, specific systems, and so on. Audit reports can include a wide range of content that focuses on problems/events/conditions, standards/criteria/baselines, causes/reasons, impact/effect, or solutions/recommendations/safeguards.
Reporting Format
Audit reports should have a structure or design that is clear, concise, and objective. It is common for the auditor to include opinions or recommendations for response to the content of a report, but the actual findings of the audit report should be based on fact and evidence from audit trails. Audit reports include sensitive information and should be assigned a classification label and handled appropriately. Within the hierarchy of the organization, only those people with sufficient privilege should have access to audit reports. An audit report may also be prepared in various forms according to the hierarchy of the organization. Each version should provide only the details relevant to the position of the staff members who have access to it. For example, senior management does not need to know all of the minute details of an audit report. Therefore, the audit report for senior management is much more concise and offers more of an overview or summary of the findings. An audit report for the IT manager or the security administrator should be very detailed and include all available information on the events contained in it.
Reporting Time Frames
The frequency of producing audit reports is based on the value of the assets and the level of risk. The more valuable the asset and the higher the risk, the more often an audit report should be produced. Once an audit report is completed, it should be submitted to the assigned recipient (as defined in the security policy documentation) and a signed confirmation of receipt should be filed. When an audit report contains information about serious security violations or performance issues, the report should be escalated to higher levels of management for review, notification, and assignment of a response. Keep in mind that, in a formalized security infrastructure, only the higher levels of management have any decision-making power. All entities at the lower end of the structure must follow prescribed procedures and follow instruction.
Sampling
Sampling, or data extraction, is the process of extracting elements from a large body of data in order to construct a meaningful representation or summary of the whole. In other words, sampling is a form of data reduction that allows an auditor to quickly determine the important issues or events from an audit trail. There are two forms of sampling: statistical and nonstatistical. Statistical sampling is performed by an auditing tool that uses precise mathematical functions to extract meaningful information from a large volume of data. There is always a risk that sampled data is not an accurate representation of the whole body of data and that it may mislead auditors and managers; statistical sampling can be used to measure that risk.
Clipping levels are widely used in the process of auditing events as a baseline of system or user activity that is considered routine activity. If this baseline is exceeded, an unusual event alarm is triggered. This works especially well when individuals exceed their authority, when there are too many people with unrestricted access, and for serious intrusion patterns.
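The following is an added example, not part of the study guide, showing how a clipping level is applied to an audit trail in practice: failed logons are counted per user inside a sliding time window, and an alarm is raised only when the count exceeds the baseline that is considered routine. The log lines, the syslog-like line format, and the host and user names are all constructed for this example and are not taken from any real system.

```python
"""Clipping-level alarm over constructed authentication log lines.

Added example (not from the study guide). A clipping level is the number
of events considered routine; counts above it within the window raise an
unusual-event alarm. The log format below is an assumption made for this
example, loosely modelled on an sshd syslog line.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2004-03-01T09:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2004-03-01T09:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2004-03-01T09:00:10 host1 sshd: Accepted password for alice from 10.0.0.5
2004-03-01T09:01:00 host1 sshd: Failed password for bob from 10.0.0.9
2004-03-01T09:01:02 host1 sshd: Failed password for bob from 10.0.0.9
2004-03-01T09:01:04 host1 sshd: Failed password for bob from 10.0.0.9
2004-03-01T09:01:06 host1 sshd: Failed password for bob from 10.0.0.9
2004-03-01T09:01:08 host1 sshd: Failed password for bob from 10.0.0.9
2004-03-01T09:01:10 host1 sshd: Failed password for bob from 10.0.0.9
2004-03-01T09:30:00 host1 sshd: Failed password for carol from 10.0.0.7
2004-03-01T09:45:00 host1 sshd: Failed password for carol from 10.0.0.7
2004-03-01T10:05:00 host1 sshd: Failed password for carol from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source) for each failed-logon line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def clipping_level_alarms(log_text, clipping_level=3, window_minutes=5):
    """Return alarms for users whose failed logons within the window exceed the clipping level.

    A sliding window is kept per user, so slow, spread-out failures (carol:
    3 failures over 65 minutes) stay under the threshold while a burst
    (bob: 6 failures in 10 seconds) trips it. Each user is reported once,
    at the first event that pushes the count above the level.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # user -> failure timestamps still inside the window
    alarms = {}
    for ts, user, src in parse_failures(log_text):
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) > clipping_level and user not in alarms:
            alarms[user] = {
                "count": len(recent[user]),
                "first_seen": recent[user][0].isoformat(),
                "source": src,
            }
    return alarms


if __name__ == "__main__":
    for user, info in clipping_level_alarms(SAMPLE_LOG).items():
        print(f"ALARM {user}: {info['count']} failed logons since "
              f"{info['first_seen']} from {info['source']}")
```

With the defaults (level 3, five-minute window) only bob trips the alarm; widening the window to two hours and lowering the level to 2 also catches carol's slow pattern, which is the trade-off a clipping level always encodes: a tight window suppresses noise from ordinary typos but lets a patient attacker stay under the baseline.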
Nonstatistical sampling can be described as random sampling or sampling at the auditor’s discretion. It offers neither assurance of an accurate representation of the whole body of data nor a gauge of the sampling risk. Nonstatistical sampling is less expensive, requires less training, and does not require computer facilities.
Both statistical and nonstatistical sampling are accepted as valid mechanisms to create summaries or overviews of large bodies of audit data. However, statistical sampling is more reliable.
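As an added example (not from the study guide), the block below contrasts the two sampling forms described above on a constructed audit trail. It draws a simple random sample, estimates the rate of policy-violating records, and reports the sampling risk as a 95% margin of error; a nonstatistical "first n records" sample has no such bound and, because the constructed violations cluster late in the trail, misses them entirely. The record counts, violation rate and seeds are assumptions for the illustration.

```python
"""Statistical versus nonstatistical sampling of an audit trail.

Added example (not from the study guide). The audit trail, the violation
rate and the random seeds are constructed for illustration only.
"""
import math
import random


def build_audit_trail(n_records=10000, violation_rate=0.02, seed=7):
    """Constructed audit trail: violations are concentrated in the last third of the
    records, modelling an after-hours abuse pattern; the earliest records are routine."""
    rng = random.Random(seed)
    records = []
    for i in range(n_records):
        late = i >= n_records * 2 // 3
        violation = late and rng.random() < violation_rate * 3
        records.append({"id": i, "violation": violation})
    return records


def statistical_sample(records, sample_size, seed=11):
    """Simple random sample; returns (estimated violation rate, 95% margin of error).

    The margin is the sampling risk: the normal-approximation standard error
    of a proportion scaled by 1.96, so the auditor knows how far the estimate
    may plausibly be from the true rate."""
    sample = random.Random(seed).sample(records, sample_size)
    p_hat = sum(r["violation"] for r in sample) / sample_size
    margin = 1.96 * math.sqrt(p_hat * (1 - p_hat) / sample_size)
    return p_hat, margin


def nonstatistical_sample(records, sample_size):
    """Auditor's-discretion sample (here: the first records in the trail).
    No sampling-risk measure exists for it."""
    sample = records[:sample_size]
    return sum(r["violation"] for r in sample) / sample_size


def evaluate(sample_size=500):
    """Compare both sampling methods against the true rate of the whole trail."""
    records = build_audit_trail()
    true_rate = sum(r["violation"] for r in records) / len(records)
    p_hat, margin = statistical_sample(records, sample_size)
    return {
        "true_rate": true_rate,
        "statistical_estimate": p_hat,
        "margin_of_error": margin,
        "within_margin": abs(p_hat - true_rate) <= margin,
        "nonstatistical_estimate": nonstatistical_sample(records, sample_size),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The nonstatistical estimate of 0.0 is exactly the kind of misleading summary the text warns about: the auditor has no way to know the sample was unrepresentative, whereas the statistical result carries its own error bound.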
Record Retention
As the term implies, record retention involves retaining and maintaining important information. An organization should have a policy that defines what information is maintained and for how long. As it applies to the security infrastructure, in most cases, the records in question are audit trails of user activity, which may include file and resource access, logon patterns, e-mail, and the use of privileges.
Retention Time Frames
Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability information. This allows for the main data backup system to periodically reuse its media without violating the requirement to retain audit trails and the like.
If data about individuals is being retained by your organization, the employees and customers need to be made aware of it (such as in a conditional employment agreement or a use agreement). In many cases, the notification requirement is a legal issue, whereas in others it is a simply a courtesy. In either case, it is a good idea to discuss the issue with a lawyer.
Media, Destruction, and Security
The media used to store or retain audit trails must be properly maintained. This includes taking secure measures for the marking, handling, storage, and destruction of media. For details on handling sensitive media, please see the section titled “Sensitive Information and Media” in Chapter 13, “Administrative Management.”
Retained records should be protected against unauthorized and untimely destruction, against alteration, and against hindrances to availability. Many of the same security controls used to protect online resources and assets can be imposed to protect audit logs, audit trails, audit reports, and backup media containing audit information.
Access to audit information should be strictly controlled. Audit information can be used in inference attacks to discover information about higher classifications of data, thus the audit logs containing records about highly confidential assets should be handled in the same secure manner as the actual assets. Another way of stating this is that when an audit log is created, you are creating another asset entity with the same security needs as the original audited asset.
As the value of assets and the audit data goes up and risk increases, so does the need for an increase in security and frequency of backups for the audit information. Audit data should be treated with the same security precautions as all other high-classification data within an IT environment. It should be protected by physical and logical security controls, it should be audited, it should be regularly backed up, and the backup media should be stored off site in a controlled facility. The backup media hosting audit data should be protected from loss, destruction, alteration, and unauthorized physical and logical access. The integrity of audit data must be maintained and protected at all times. If audit data is not accurate, it is useless.
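One logical control for the integrity requirement stated above is a keyed hash chain over the audit trail, shown here as an added example (not from the study guide): each record's HMAC covers the previous record's digest, so editing, deleting or reordering any record breaks every link after it. The key, the events and the path names are constructed for this illustration; the assumption is that the key is held by the audit host (or a hardware module) and is not available to the users whose actions are being logged.

```python
"""Tamper-evident audit trail using an HMAC hash chain.

Added example (not from the study guide). Records and key are constructed.
"""
import hashlib
import hmac
import json

# Assumption: held by the audit host only, never by ordinary log readers.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # digest assumed for the (nonexistent) record before the first


def _link(prev_digest, record, key):
    """HMAC-SHA256 over (previous digest || canonical JSON of this record)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_digest.encode() + canonical, hashlib.sha256).hexdigest()


def append(chain, record, key=SECRET_KEY):
    """Append a record; each stored entry carries the record and its chained digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"record": record, "digest": _link(prev, record, key)})
    return chain


def verify(chain, key=SECRET_KEY):
    """Return (ok, index of first bad entry); index is None when the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["digest"], _link(prev, entry["record"], key)):
            return False, i
        prev = entry["digest"]
    return True, None


def head_digest(chain):
    """Digest of the last entry; anchoring it elsewhere detects tail truncation."""
    return chain[-1]["digest"] if chain else GENESIS


def build_sample_chain():
    """Constructed audit events (not real data)."""
    events = [
        {"ts": "2004-03-01T09:00:10", "user": "alice", "event": "logon", "result": "success"},
        {"ts": "2004-03-01T09:05:42", "user": "alice", "event": "read", "object": "/payroll/q1.xls"},
        {"ts": "2004-03-01T09:06:03", "user": "alice", "event": "privilege_use", "priv": "backup"},
        {"ts": "2004-03-01T09:07:30", "user": "alice", "event": "logoff"},
    ]
    chain = []
    for e in events:
        append(chain, e)
    return chain


def tamper_by_editing(chain, index, **changes):
    """Simulate an attacker editing one stored record in place (digest left untouched)."""
    forged = [dict(e, record=dict(e["record"])) for e in chain]
    forged[index]["record"].update(changes)
    return forged


def tamper_by_deleting(chain, index):
    """Simulate an attacker removing one record to hide an action."""
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain))
    print("edited:", verify(tamper_by_editing(chain, 1, object="/public/readme.txt")))
    print("deleted:", verify(tamper_by_deleting(chain, 2)))
```

Two caveats a practitioner should keep in mind. First, the chain only proves that whoever wrote an entry knew the key, so the key must be protected like the audit data itself. Second, cutting records off the end of the chain is not detectable by verification alone; the current head digest has to be anchored somewhere the attacker cannot reach, such as a remote log host or a periodic signed checkpoint, which is the same separation the text calls for with off-site backup media.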
External Auditors
It is often necessary to test or verify the security mechanisms deployed in an environment. The test process is designed to ensure that the requirements dictated by the security policy are followed and that no significant holes or weaknesses exist in the deployed security solution. Many organizations hire outside or external security auditors to check the security of their environment.
An external auditor is given access to the company’s security policy and the authorization to inspect every aspect of the IT and physical environment. Thus the auditor must be a trusted entity. The goal of the audit activity is to obtain a final report that details any findings and suggests countermeasures when appropriate. However, an audit of this type can take a considerable amount of time to complete—weeks or months, in fact. During the course of the audit, the auditor may issue interim reports. An interim report is a written or verbal report given to the organization about a discovered security weakness that needs immediate attention. Interim reports are issued whenever a problem or issue is too severe to wait until the final audit report is issued.
Once the auditor completes their investigations, an exit conference is held. During the exit conference, the auditor presents and discusses their findings and discusses resolution issues with the affected parties. However, only after the exit conference is over and the auditor has left the premises does the auditor write and submit the final audit report to the organization. This allows the final audit report to be as unaffected as possible by office politics and coercion. After the final audit report is received, the internal auditors should verify whether or not the recommendations in the report are carried out. However, it is the responsibility of senior management to select which recommendations to follow and to delegate the implementation to the security team.
Monitoring
Monitoring is a form of auditing that focuses on the active review of the audited information or the audited asset. For example, you would audit the activity of failed logons, but you would monitor CPU performance. Monitoring is most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment.
A common implementation of monitoring is known as illegal software monitoring. This type of monitoring is used to watch for attempted or successful installation of unapproved software, use of unauthorized software, or unauthorized use of approved software (i.e., attempts to bypass the restrictions of the security classification hierarchy). Monitoring in this fashion reduces the likelihood of a virus or Trojan horse being installed or of software circumventing the security controls imposed.
Monitoring Tools and Techniques
The actual tools and techniques used to perform monitoring vary greatly between environments and system platforms. However, there are several common forms found in most environments. These include warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools.
Warning Banners
Warning banners are used to inform would-be intruders or those who attempt to violate security policy that their intended activities are restricted and that any further activities will be audited and monitored. A warning banner is basically an electronic equivalent of a no trespassing sign. In most situations, the wording of the banners is important from a legal standpoint. Be sure to consult with your attorneys about the proper wording for your banners. Only through valid warnings (i.e., clear explanations that unauthorized access is prohibited and that any such activity will be monitored and recorded) can most intrusions and attacks be prosecuted. Both authorized and unauthorized users should be informed when their activities are being logged. Most authorized users should assume such, and often their employment agreements will include specific statements indicating that any and all activity on the IT infrastructure may be recorded.
Keystroke Monitoring
Keystroke monitoring is the act of recording the key presses a user performs on a physical keyboard. The act of recording can be visual (such as with a video recorder) or logical/technical (such as with a capturing hardware device or a software program). In most cases, keystroke monitoring is used for malicious purposes. Only in extreme circumstances and highly secured environments is keystroke monitoring actually employed as a means to audit and analyze the activity of users at the keyboard. Keystroke monitoring can be extremely useful to track the keystroke-by-keystroke activities of physical intruders in order to learn the kinds of attacks and methods used to infiltrate a system.
Keystroke monitoring is often compared to wiretapping. There is some debate about whether keystroke monitoring should be restricted and controlled in the same manner as telephone wiretaps. Because there is no legal precedent set yet, many organizations that employ keystroke monitoring notify authorized and unauthorized users of such monitoring through employment agreements, security policies, and warning banners.
Traffic Analysis and Trend Analysis
Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual content of packets. Traffic and trend analysis can be used to infer a large amount of information, such as primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.
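The block below is an added example (not from the study guide) of the inferences the paragraph lists, made from flow metadata alone. Each constructed flow record carries only source, destination, destination port and byte counts, no content, and from that the code identifies the likely servers (hosts accepting connections from many distinct peers on one port), the busiest communication path, the dominant direction of a host's traffic, and a client's primary versus backup pathway. The addresses, ports and volumes are constructed for illustration.

```python
"""Traffic analysis over constructed flow records (no packet content).

Added example (not from the study guide). Flows, addresses and byte counts
are constructed; the format (src, dst, dst_port, bytes_out, bytes_in) is an
assumption made for this example.
"""
from collections import Counter, defaultdict

FLOWS = [
    ("10.1.1.10", "10.9.9.1", 443, 2_000, 50_000),
    ("10.1.1.11", "10.9.9.1", 443, 1_500, 42_000),
    ("10.1.1.12", "10.9.9.1", 443, 3_000, 61_000),
    ("10.1.1.13", "10.9.9.1", 443, 1_200, 38_000),
    ("10.1.1.10", "10.9.9.2", 25, 120_000, 4_000),
    ("10.1.1.11", "10.9.9.2", 25, 90_000, 3_500),
    ("10.1.1.12", "10.9.9.2", 25, 110_000, 3_900),
    ("10.1.1.10", "10.1.1.11", 22, 8_000, 9_000),
    ("10.9.9.1", "10.9.9.3", 3306, 20_000, 400_000),
    ("10.9.9.1", "10.9.9.3", 3306, 25_000, 380_000),
    ("10.9.9.1", "10.9.9.4", 3306, 1_000, 2_000),  # rarely used path: a backup database
]


def likely_servers(flows, min_peers=3):
    """(host, port) pairs contacted by at least min_peers distinct sources: the servers."""
    peers = defaultdict(set)
    for src, dst, port, _, _ in flows:
        peers[(dst, port)].add(src)
    return {k: len(v) for k, v in peers.items() if len(v) >= min_peers}


def busiest_path(flows):
    """Unordered host pair carrying the most bytes in both directions combined."""
    volume = Counter()
    for src, dst, _, out_b, in_b in flows:
        volume[tuple(sorted((src, dst)))] += out_b + in_b
    path, total = volume.most_common(1)[0]
    return path, total


def traffic_direction(flows, host):
    """Label a host by whether it mostly sends or mostly receives, with the byte totals."""
    sent = recv = 0
    for src, dst, _, out_b, in_b in flows:
        if src == host:
            sent += out_b
            recv += in_b
        elif dst == host:
            sent += in_b
            recv += out_b
    label = "mostly uploads" if sent > recv else "mostly downloads"
    return label, sent, recv


def primary_and_backup(flows, client, port):
    """Destinations a client talks to on a port, most frequently used first."""
    counts = Counter(dst for src, dst, p, _, _ in flows if src == client and p == port)
    return [dst for dst, _ in counts.most_common()]


if __name__ == "__main__":
    print("servers:", likely_servers(FLOWS))
    print("busiest path:", busiest_path(FLOWS))
    print("10.1.1.10:", traffic_direction(FLOWS, "10.1.1.10"))
    print("10.9.9.1 -> 3306:", primary_and_backup(FLOWS, "10.9.9.1", 3306))
```

Nothing here needed the payload: the web and mail servers, the database behind the web server, and the seldom-used backup database all fall out of the 5-tuples and byte counts, which is why encrypting content alone does not defeat traffic analysis.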
Other Monitoring Tools
There is a wide range of available tools to perform monitoring. Many are automated and perform the monitoring activities in real time. Some monitoring tools are developed in-house and are ad hoc implementations focusing on a single type of observation. Most monitoring tools are passive. This means they cause no effect on the monitored activity, event, or traffic and make no original transmissions of their own.
A common example of a tool for monitoring physical access is the use of closed-circuit television (CCTV). CCTV can be configured to automatically record the viewed events onto tape for later review, or it can be watched in real time by personnel looking for unwanted, unauthorized, and illegal activities.
Failure recognition and response is an important part of monitoring and auditing. Otherwise, what is the point of performing the monitoring and auditing activities? On systems that use manual review, failure recognition is the responsibility of the observer or auditor. In order to recognize a failure, one must understand what is normal and expected. When the monitored or audited events stray from this standard baseline, then a failure, breach, intrusion, error, or problem has occurred and a response must be initiated.
Automated monitoring and auditing systems are usually programmed to recognize failures. Failure recognition can be based on signatures or be knowledge based. For a discussion of these two mechanisms, please see the intrusion detection discussion in Chapter 2.
In either case of a manual or automated recognition, the first step in a response is to notify the authority responsible for sustaining security and handling the problem or breach. Often this is the local administrator, the local manager, or the local security professional. The notification usually takes the form of an alarm or warning message. Once notification is performed, the responsible personnel (i.e., the administrator, manager, or security professional) or the automated tool can perform a response. When a person is responsible for the response, they can adapt the response to the specific condition and situation. For this reason, personnel-controlled responses are often the most effective. Automated tool responses are typically predefined response scripts that are usually much broader in scope than necessary. Automated tools are excellent for quick and efficient lockdown, but often the countermeasure or response imposed by a tool will significantly affect the ability of the system to continue to support and perform productive work. Whenever an automated tool response is deployed, personnel should be notified so the response can be fine-tuned and the network can be returned to normal as soon as possible.
Penetration Testing Techniques
In security terms, a penetration occurs when an attack is successful and an intruder is able to breach the perimeter of your environment. The breach can be as small as reading a few bits of data from your network or as big as logging in as a user with unrestricted privileges. One of the primary goals of security is to prevent penetrations.
One common method to test the strength of your security measures is to perform penetration testing. Penetration testing is a vigorous attempt to break into a protected network using any means necessary. It is common for organizations to hire external consultants to perform the penetration testing so the testers are not privy to confidential elements of the security’s configuration, network design, and other internal secrets.
Penetration testing is the art and science of evaluating implemented safeguards. It is just another name for launching intrusion attempts and attacks against a network. The activity in either is exactly the same, but penetration testing is performed with the approval and knowledge of senior management by security professionals in a controlled and monitored environment. Malicious users intent on violating the security of your IT environment perform intrusion attacks. If an internal user performs a test against a security measure without authorization, then it will be viewed as an attack rather than as a penetration test.
Penetration testing can be performed using automated attack tools or manually. Automated attack tools range from professional vulnerability scanners to wild, underground cracker/hacker tools discovered on the Internet. Manual attacks often employ tools, but much more onus is placed on the attacker to know the details of perpetrating an attack.
Penetration testing should only be performed with the consent and knowledge of the management staff. Performing unapproved security testing could result in productivity loss, trigger emergency response teams, or even cost you your job.
Regularly staged penetration attempts are a good way to accurately judge the security mechanisms deployed by an organization. Penetration testing may also reveal areas where patches or security settings are insufficient and where new vulnerabilities have developed.
Penetration testing teams can have various levels of knowledge about the environment to be evaluated. The three commonly recognized knowledge levels are zero, partial, and full. Zero knowledge teams know nothing about the site except for basic information, such as domain name and company address. An attack by a zero knowledge team most closely resembles a real external hacker attack because all information about the environment must be obtained from scratch. A partial knowledge team is given an inventory of hardware and software used at the
