Chapter 4 - Auditing and Accountability Flashcards
What does accountability provide us with?
The means to trace activities in our environment back to their source.
When properly implemented, it also gives us a number of capabilities that are of great use in the daily business of security and information technology in our organizations.
What do we need to ensure we have accountability?
Certain other controls need to be in place and working properly first, namely identification, authentication, and access control.
What does accountability rely on?
Accountability depends on identification, authentication, and access control being present so that we can know who a given transaction is associated with, and what permissions were used to allow them to carry it out.
How can we ensure that identification, authentication and access control are helping accountability?
Given proper monitoring and logging, we can often determine, in very short order, who carried out a given transaction and what permissions allowed them to do so.
What are the security benefits of accountability?
Implementing accountability often brings with it a number of useful features from a security perspective. When we implement monitoring and logging on our systems and networks, we can use this information to maintain a higher security posture than we could otherwise.
What are the additional benefits of using tools that deliver accountability?
nonrepudiation
deter those that would misuse our resources
help us in detecting and preventing intrusions
assist us in preparing materials for legal proceedings
What is nonrepudiation?
Nonrepudiation refers to a situation in which sufficient evidence exists as to prevent an individual from successfully denying that he or she has made a statement, or taken an action.
How do we accomplish nonrepudiation?
In information security settings, this can be accomplished in a variety of ways.
We may be able to produce proof of the activity directly from system or network logs, or recover such proof through digital forensic examination of the systems or devices involved. We may also be able to establish nonrepudiation through cryptographic means, specifically digital signatures: the communication or file is hashed, and the hash is signed with the sender's private key, so anyone holding the matching public key can verify both that it came from that key holder and that it was not altered. A hash on its own does not provide nonrepudiation, since anyone with the content can compute the same hash.
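The distinction between a bare hash and a digital signature, as an added example in Go that is not part of the original flashcards. It uses only the standard library (Ed25519 from crypto/ed25519, SHA-256 from crypto/sha256); the approval record, the names Alice and Mallory, and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 hash of a record. A hash alone only shows that
// the content is unchanged; anyone holding the text can compute it, so it
// proves nothing about who produced the record.
func Digest(record []byte) string {
	sum := sha256.Sum256(record)
	return hex.EncodeToString(sum[:])
}

// SignRecord binds a record to the holder of priv. Only that private key can
// produce a signature that verifies under the matching public key.
func SignRecord(priv ed25519.PrivateKey, record []byte) []byte {
	return ed25519.Sign(priv, record)
}

// VerifyRecord checks a signature against the claimed signer's public key.
func VerifyRecord(pub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(pub, record, sig)
}

// NewSigner generates a fresh Ed25519 key pair for one party.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func main() {
	// Constructed sample: an approval a user might later try to deny making.
	record := []byte("2024-05-01T10:00:00Z alice approved transfer #4471 for 12,000 USD")

	alicePub, alicePriv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	_, malloryPriv, _ := NewSigner() // a second party with her own key

	// The hash is the same no matter who computes it: integrity, not attribution.
	fmt.Println("sha256 of record:", Digest(record))

	sig := SignRecord(alicePriv, record)
	fmt.Println("Alice's signature verifies:", VerifyRecord(alicePub, record, sig))

	// Altering the record after signing breaks verification.
	altered := []byte("2024-05-01T10:00:00Z alice approved transfer #4471 for 120,000 USD")
	fmt.Println("altered record verifies:", VerifyRecord(alicePub, altered, sig))

	// Mallory cannot produce a signature that verifies under Alice's public key.
	forged := SignRecord(malloryPriv, record)
	fmt.Println("Mallory's forgery verifies as Alice:", VerifyRecord(alicePub, record, forged))
}
```

Nonrepudiation in practice also depends on the private key really being under Alice's sole control and on the public key being reliably tied to her identity; the code shows the cryptographic part only.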
Describe deterrence
Accountability can also prove to be a great deterrent against misbehavior in our environments. If the people we monitor know that they are being monitored, and it has been communicated to them that there will be penalties for acting against the rules, they may think twice before straying outside the lines.
Describe intrusion detection and prevention
One of the motivations behind logging and monitoring in our environments is to detect and prevent intrusions in both the logical and physical sense. If we implement alerts based on unusual activities in our environments and check the information we have logged on a regular basis, we stand a much better chance of detecting attacks that are in progress and preventing those for which we can see the precursors.
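One alert based on unusual activity in logs, as an added example in Go that is not part of the original flashcards: repeated failed logins from one source within a short window. The log lines are constructed for this example and only modelled on the OpenSSH "Failed password" message; the addresses, users, threshold and window are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample log in an OpenSSH-like format. No host or user is real.
const sampleLog = `2024-05-01T10:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:02Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
2024-05-01T10:00:03Z sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-05-01T10:00:04Z sshd[1201]: Failed password for root from 203.0.113.7 port 51237 ssh2
2024-05-01T10:00:05Z sshd[1201]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-05-01T10:00:09Z sshd[1202]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
2024-05-01T10:05:00Z sshd[1203]: Failed password for bob from 198.51.100.5 port 40002 ssh2
2024-05-01T10:45:00Z sshd[1204]: Failed password for bob from 198.51.100.5 port 40003 ssh2
2024-05-01T10:45:06Z sshd[1204]: Accepted password for bob from 198.51.100.5 port 40003 ssh2`

// Captures: timestamp, user name, source address.
var failedRe = regexp.MustCompile(`^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port`)

// Alert records a source that reached the failure threshold inside one window.
type Alert struct {
	Source   string
	Failures int
	From, To time.Time
}

// DetectBruteForce raises one alert per source whose failed logins inside any
// sliding window of length window reach threshold. Results are sorted by source.
func DetectBruteForce(log string, threshold int, window time.Duration) []Alert {
	failures := map[string][]time.Time{}
	for _, line := range strings.Split(log, "\n") {
		m := failedRe.FindStringSubmatch(line)
		if m == nil {
			continue // successful logins and unrelated lines are not counted
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue // skip a malformed timestamp rather than abort the whole run
		}
		failures[m[3]] = append(failures[m[3]], ts)
	}

	var alerts []Alert
	for src, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		// Slide a window over the sorted timestamps; alert once, on the first breach.
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{src, end - start + 1, times[start], times[end]})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

func main() {
	// Five failures within a minute from one source fire; two failures forty
	// minutes apart from another source do not.
	for _, a := range DetectBruteForce(sampleLog, 5, 60*time.Second) {
		fmt.Printf("ALERT %s: %d failed logins between %s and %s\n",
			a.Source, a.Failures, a.From.Format(time.RFC3339), a.To.Format(time.RFC3339))
	}
}
```

The threshold and window decide the trade-off between catching slow, patient guessing and paging on a user who simply mistyped a password a few times; both should be tuned against the normal traffic of the environment being monitored.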
Describe Admissibility of Records
When seeking to submit documents in a legal setting, it is much easier to have them accepted when they are produced from a consistent tracking system.
How do we accomplish accountability?
We can attempt to ensure accountability by laying out the rules and ensuring that they are being followed.
Describe auditing
Auditing is one of the primary ways we can ensure accountability through technical means.
Auditing is keeping track of who did what, and when.
What does auditing provide us with?
The data with which we can implement accountability.
What do we audit?
When we perform an audit there are a number of items we can examine, primarily focused on compliance with relevant laws and policies.
Passwords
Software Licensing
Internet usage
What is logging?
Logging gives us a history of the activities that have taken place in the environment
being logged. We typically generate logs in an automated fashion in
operating systems, and keep track of the activities that take place on most computing,
networking, and telecommunications equipment, as well as most any
device that can be remotely considered to incorporate or be connected to a computer.
Logging is a reactive tool, in that it allows us to view the record of what
happened after it has taken place
What is monitoring? How does it relate to auditing?
Monitoring is a subset of auditing and tends to focus on observing information about the environment being monitored in order to discover undesirable conditions such as failures, resource shortages, security issues, and trends that might signal the arrival of such conditions. Monitoring is largely a reactive activity, with actions taken based on gathered data, typically from logs generated by various devices.
Describe logging
Logging gives us a history of the activities that have taken place in the environment being logged. Logs are generated automatically by operating systems and by most computing, networking, and telecommunications equipment.
Logging is a reactive tool: it shows what happened after the fact.
Logs are generally accessible only to administrators.
Logs can be used to analyze a specific incident or situation.
Describe monitoring
Monitoring is a subset of auditing.
It focuses on observing information about the environment to discover undesirable conditions.
Monitoring is largely a reactive activity, with actions taken based on gathered data, typically from logs generated by various devices.
What are the two main approaches to determining whether everything is as it should be?
Vulnerability Assessments
Penetration Testing
Describe vulnerability assessments
Vulnerability assessments use vulnerability scanning tools.
These tools generally work by scanning the target systems to discover which ports are open on them, and then interrogating each open port to identify the service listening there, so that its version and configuration can be checked against known weaknesses.
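The two steps just described, finding open ports and then interrogating them, as an added example in Go that is not part of the original flashcards. So that it runs offline, it starts its own loopback TCP service that greets clients with a constructed banner; the banner text, the function names, the timeout and the choice of port 1 as a presumably closed port are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// PortResult describes one open port and whatever the service said first.
type PortResult struct {
	Port   int
	Banner string
}

// ScanPorts attempts a TCP connect to each port on host. Ports that refuse or
// time out are treated as closed and omitted. For each open port it reads one
// line of banner, if the service volunteers one within timeout: this is the
// "interrogate each open port" step of a vulnerability scanner.
func ScanPorts(host string, ports []int, timeout time.Duration) []PortResult {
	var results []PortResult
	for _, p := range ports {
		addr := net.JoinHostPort(host, fmt.Sprint(p))
		conn, err := net.DialTimeout("tcp", addr, timeout)
		if err != nil {
			continue // closed or filtered: nothing to interrogate
		}
		conn.SetReadDeadline(time.Now().Add(timeout))
		banner, _ := bufio.NewReader(conn).ReadString('\n') // empty if the service stays silent
		conn.Close()
		results = append(results, PortResult{p, strings.TrimSpace(banner)})
	}
	sort.Slice(results, func(i, j int) bool { return results[i].Port < results[j].Port })
	return results
}

// StartBannerService runs a loopback TCP listener that greets every client with
// banner and hangs up, so the scanner can be exercised offline. It returns the
// port the kernel assigned.
func StartBannerService(banner string) (int, net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			fmt.Fprintf(c, "%s\r\n", banner)
			c.Close()
		}
	}()
	return ln.Addr().(*net.TCPAddr).Port, ln, nil
}

func main() {
	// Constructed banner shaped like an SSH version string; a real scanner would
	// match it against a database of known issues for that version.
	port, ln, err := StartBannerService("SSH-2.0-ExampleService_1.0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()

	// Scan the live port plus port 1, which is assumed closed on loopback.
	for _, r := range ScanPorts("127.0.0.1", []int{port, 1}, 500*time.Millisecond) {
		fmt.Printf("%d/tcp open  banner=%q\n", r.Port, r.Banner)
	}
}
```

Banners can be altered or suppressed by the target, so scanners treat them as a hint to be confirmed by further probes rather than as proof of a particular version.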
Describe penetration testing
A more active method of finding security holes.
Takes the process a few steps further than a vulnerability assessment.
We mimic the techniques of an actual attacker, attempting to gather additional information on the target environment.
What is the main purpose of performing assessments?
To find and fix vulnerabilities before any attackers do.