Chapter 10 - Auditing, Testing, and Monitoring Flashcards
Security auditing is…
crucial to avoid data breaches
Auditing a computer system involves…
checking to see how its operation has met security goals
Audits can be…
manual or automated
narrow in scope or encompass the entire organization
Assessing a system
defining how a system is supposed to work
The first step in the auditing process, before we can even begin, is…
assessing the system
Purpose of audits
- evaluate appropriate security levels
- ensure that controls are correctly installed and working well
- ensure that controls are effective in addressing the risk they were assigned to address
Steps in the security review cycle
- monitor
- audit
- improve
- secure
Monitor
review and measure all controls
Audit
Review the logs and overall environment; analyze how well policies and controls are working
Improve
include proposals to improve the security program and controls in the audit results
Secure
ensure that new and existing controls work together to protect the intended level of security
Security policy should…
define acceptable and unacceptable actions
Promiscuous
everything is allowed
Permissive
anything not specifically prohibited is allowed
Prudent
a reasonable list of things is permitted and all others are prohibited
Paranoid
very few things are permitted and all others are prohibited and carefully monitored
Service Organization Control (SOC)
a framework that defines the scope and contents of three levels of audit reports
SOC 1
an audit report focused on a service organization’s internal controls relevant to their clients’ financial reporting
SOC 2
an audit report that focuses on the security and privacy of an organization’s information systems
SOC 3
a general-use, public-facing version of a more detailed SOC 2 report, designed to reassure customers about an organization’s security
Benchmark
the standard to which a system is compared to determine whether it is securely configured
Example of a benchmark
the NIST Cybersecurity Framework
How can we collect data for our audit?
questionnaires, interviews, observation, etc.
Steps of an audit
Planning, fieldwork, reporting, and follow-up
Step 1. planning
Define the audit plan and the scope of the audit
Step 2. fieldwork
Analyze how well controls are working
Step 3. reporting
create audit logs and other reports
Step 4. follow-up
review actions taken and determine whether issues outlined in the audit report have been solved.
Event logs
document general operating system and application software events
Access logs
document access requests to resources
Security logs
document security-related events
Audit logs
defined events that provide additional input to audit activities
Security Information and Event Management system (SIEM)
helps organizations manage log files by providing a common platform to capture and analyze entries from firewall, intrusion detection, and database server logs
The SIEM…
- Standardizes data
- Produces visualizations of data
- Monitors user activity and ensures that users act in a way that is in line with company policies
IDS
a control that identifies abnormal traffic
IPS
a control that actively blocks malicious traffic
System hardening
Turn off or disable unnecessary services and protect the ones that are still running
Black-box testing
uses test methods that aren’t based directly on knowledge of a program’s architecture or design
White-box testing
based on knowledge of the application’s design and source code
Grey-box testing
lies somewhere between black-box and white-box testing