SY0-501 Section 3.6- Analyze a scenario and select the appropriate type of mitigation and deterrent techniques.

Monitoring system logs

The general goal of monitoring is to detect suspicious behavior by external users or employees, or malfunctions. An organization can do this directly, such as by monitoring for specific events, or indirectly, such as by watching the state of a server over time and investigating anomalous behavior.

Your security organization will have to determine its specific monitoring policy. Within this policy, you will have to determine your organization’s specific monitoring goals. Some questions you will have to answer are:

– Are you going to baseline your server’s performance? If so, what counters are you going to collect and at what interval? How often are you going to take baselines?

– How are you going to manage your event logs? Are you going to use the tools Microsoft provides, write your own, or purchase a third-party system?

– Which monitoring technologies are you going to use?

– How much are you going to monitor? Monitoring a system has a distinct impact on system performance—the more you query or log a system’s state, the more resources the system must expend on these activities.)

Event logs

Event log data is reported to the Event Log service by other parts of the system or by applications running on the system. The Event Log service stores this data in .evt files in the %systemroot%\system32\config directory. The built-in logs in Windows NT 4.0 and Windows 2000 Professional are the system log, the security log, and the application log. Windows 2000 Server installations may add logs for Domain Name System (DNS) and directory services. Any application that needs to log events should register itself with the Event Log service.

Events stored in the event logs have a description field that displays text data describing the event. Typically, this is the text of an error message. Usually, only information unique to a particular instance of an event is stored with the event in the log; the text strings are stored in an event message file (usually a .dll or .exe file) that is registered with the Event Log service. If, when viewing an event, you see an error in the description field indicating that the event text is not available, you will need to register the event message file with the Event Log service on the computer at which you are trying to view the event. More information on this is available at http://support.microsoft.com/default.aspx?scid=kb;en-us;165959&sd=tech

The Event Log service is automatically started automatically when windows machine starts. All users can view application and system logs. Only administrators can gain access to security logs. Security logging is turned off by default. To ensure that a security log is available the administrator should turn it on.

Windows has several different logs that should be monitored. The most important log being the security log to the security professional as this log tracks the on goings on the network. The different log types are: Application log these are events logged by applications.

1. Security log this log contains records of valid and invalid logon attempts and events related to resources use, such as creating, opening, or deleting files or other objects. This log is also customizable.

2. System log contains system component event. Driver failures and hardware issues.

3. Domain controllers have two extra logs directory service directory service.

4. File Replication service log containing windows File Replication service events. Sysvol changes are recorded in the file replication log.

5. DNS machines also store DNS events in the logs.

Each log contains different types of logs i.e. Errors, warnings, information, success audit and failure audits. It has become apparent that a third party automation tool is necessary, on any busy machine or on any busy network many hours are logged and megabytes of log files are generated, this makes it logically impossible to monitor all of the logs on all of the networked computers with limited resources. Below are a few valuable features that prove useful when monitoring logs.

1. Real time monitoring and notification, if events happen that need to come to the security professional’s attention. Windows is unable to notify the security official of triggered events.

2. Audit trail is unconsolidated in windows. This means that individual machines hold the isolated event logs making the task of viewing event logs extremely difficult. It is much easier to look at one event log to get a current network status than to look at multiple event logs and miss information because of the vast amount of entries that have not been filtered. So it is ideal to have a central log monitoring system that the security professional can use at a glance.

3. Security logs are also able to be monitored remotely, this means that when intruders attempt to use local accounts to log into the machine the audit trail is limited to the local security logs.

4. Less obvious description of critical event. In normal Microsoft tradition “event 12345%$# means your server was rebooted or something like that.” Logs are cryptic and misleading. Consolidation and remote log reading applications have alerts that can be preprogrammed for specific events to make the administrators life much easier deciphering the misleading logs.

5. Archiving. Institutions such as banks are required in most countries to keep audit logs for over 7 years and even longer in some circumstances. Typical windows default setting is set to overwrite over the logs when certain size is reached. The other issue is that the user has to physically archive and clear the logs. Automation of this process is available and making it central, increasing productivity time on a large network environment as it lessens support calls and lets the administrators see what is happening locally on the user’s machine.

6. Log file integrity. Files stored on a user machine have less integrity as the user can clear the logs quickly or an intruder after gaining access can cover the tracks by clearing the event logs. Intruders sometimes produce an excessive Amount of events triggering actions to fill up security logs to cover tracks. Using the consolidation and remote log viewing applications, the security professional can be alerted to this phenomenon and can react to it immediately; further more he logs are stored remotely so the user or intruder can not erase them. Applications exist on the Internet that render local machine logs useless as they can create vast amounts of traffic and fill the logs with garbage or delete them completely.

7. Log filtering. Data overload is a huge issue log monitoring applications have the ability to filter out irrelevant noise events that take up time and space and only display the pertinent logs.

1. The ability to monitor access of important files this can be achieved by auditing failed access to these files enables you to find out if someone is attempting to access the files.

2. An application that can alert the security professional by SMS (mobile phone) e-mail and pager prove valuable as the Administrator may not be in the proximity of a computer at all times this should trigger a response. The administrator can then react or have systems in place the can be remotely activated to stop a potential attack.

3. Monitoring of web server log is important and should be mentioned as an isolated point as this is often overlooked by hasty administrators. By using software that monitors your local or remote web server you can add an extra layer of security to your web server. This is where the alerting functionality of log monitoring software is useful because it sometimes is challenging to monitor servers that are on the DMZ.

4. Logging of data in powerful searchable databases like SQL is an advantage and would be preferred in an enterprise environment the most good centralized logging software available does provide this type of functionality.

5. Reporting using well known tools like Crystal is also need in large organizations as trends are easier to see depicted. Log monitoring software should have the capability to link to crystal reports and other well known reporting software.

6. Categorically sorting log events into prioritized sections. Software should be able to let the security administrator view high profile security events at a glimpse, medium profile or low profile security events have taken place this saves time and makes for good managerial reporting.

7. Clearing of logs should also be monitored as only the administrator should be able to clear security logs. 8. The ability to make logging of certain events on certain machines more critical is also useful as machines that need to remain secure should be monitored at a more granular level.

Application Log 

This log contains various events logged by applications or programs. Many applications will record their errors in this log. It can be useful particularly if the log is on a server that has database server software like SQL Server installed. Examining this log can provide clues that someone has been attempting to compromise the database.

Security Log

The most important things that you will find in the security log are successful and unsuccessful logon attempts. This log also records events related to resource use, such as creating, opening, or deleting files or other objects. Administrators can specify what events are recorded in the security log. Logon auditing can be turned off, but it never should be. In Windows a security log is the access log. Linux provides separate logs for successful and failed login attempts. By default, Windows does not log both successes and failures, but for security reasons this should be changed. Although the Windows operating systems do not create audit logs by name, the logs they create are useful in auditing. If you add Share-point, SQL, or other services, then they will often call the application logs they create audit logs and you will want to carefully monitor them for security-related events.

Hardening

The term hardening is usually applied to operating systems. The idea is to “lock down” the operating system as much as is practical. For example, ensure that all unneeded servicesare turned off, all unneeded software is uninstalled, patches are updated, user accounts are checked for security, and so forth. Hardening is a general process of making certain that the operating system itself is as secure as it can be. In fact, it could be said that if you have not hardened the operating system, then any other security measures are going to be far less effective (and possibly completely ineffective!).

Working with Services Services

are programs that run when the operating system boots, and they are often are running in the background without users interacting directly with them. Many services are quite important—even critical. However, a service can provide an attack vector that someone could exploit against your system, so be sure to enable only those services that are absolutely required. Part of operating system hardening is disabling unnecessary services. To display all the services on your Windows computer (any version—from XP to Windows 8 or Windows Server 2012), you first select the Control Panel and then select Administrative Tools, as shown in Figure 2.2.

In Figure 3.3, the Remote Registry service is shown. This service is used to allow technical support personnel to access that system’s Registry remotely. The service can be quite useful in some situations, but it can also function as a means for an attacker to get into your system. If you don’t need it, turn it off. The issue is not that a given service is “bad”; it is more of an issue of ensuring that you know what services are running on your system and that you make a conscious decision to allow the service to run (or not). Windowsalso provides a brief summary of what the service does and any services that depend on that service. If you don’t know what a service does, then you should probably leave it at its default setting.

It is critical that you have a good understanding of any service you intend to disable. Some services depend on other services. Turning off one service could render others unusable. Fortunately, the Microsoft Services Console gives you information on dependencies. As a security administrator, you should regularly check all servers and make certain that only necessary services are running on them. Here are some tips:

File and Print Servers

These are primarily vulnerable to denial-of-service (DoS) and access attacks. DoS attacks can be targeted at specific protocols and overwhelm a port with activity. Make sure that these servers run only the protocols that are needed to support the network.

Networks with PC-Based Systems

In a network that has PC-based systems, make sure that NetBIOS services are disabled on servers or that an effective firewall is in place between the server and the Internet. Many of the popular attacks that are occurring on systems today take place through the NetBIOS services via ports 135, 137, 138, and 139. On Unix systems, make sure that port 111, the Remote Procedure Call (RPC) port, is closed.

MAC Limiting and Filtering

Limit access to the network to MAC addresses that are known, and filter out those that are not. Even in a home network, you can implement MAC filtering with most routers, and you typically have the option of choosing to allow or deny only those computers with MAC addresses that you list.

If you don’t know a workstation’s MAC address, use ipconfig /all to find it in the Windowsbased world (it is listed as physical address). Use ifconfig or ip a in Unix/Linux. MAC filtering is not foolproof, and a quick look in a search engine will turn up tools that can be used to change the MAC address and help attackers circumvent this control.

802.1X

The IEEE standard 802.1X defines port-based security for wireless network access control. The biggest benefit of using 802.1X is that the access points and the switches do not need to do the authentication but instead rely on the authentication server to do the actual work.

Disable Unused Ports

Remember, a port is a connection, like a channel. For example, SMTP uses port 25. For that reason these are sometimes called application ports. All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter. Essentially, you disable a port by disabling the service and block the port with Windows Firewall (doing one and not the other can result in a single point of failure).

Rogue Machine Detection

On any sizable network it is always possible that someone has added an unauthorized machine. A rogue machine could be an intruder in a neighboring office connecting to your wireless network or an employee adding an unauthorized machine by plugging directly into a network RJ45 jack. Rogue machines pose a serious security risk. Part of your monitoring strategy must be to scan for rogue machines on your network.

Security posture

It is impossible to evaluate your security without having a baseline configuration documented. The baseline must represent a secure state. In other words, it is not simply the state of your network when you decide to start monitoring. It is instead a baseline state you know to be secure. All future security reporting will be relative to this state, so it is rather important.

“Identifies the steps for creation of a baseline configuration, content of the baseline configuration, approval of the initial baseline configuration, maintenance of the baseline configuration (i.e., when it should be updated and by whom), and control of the baseline configuration. If applicable, requirements from higher regulatory bodies are considered and integrated when defining baseline configurations (e.g., requirements from OMB memos, laws such as Health Insurance Portability and Accountability Act (HIPAA), etc.).” In other words, it is not just the current state of your network, but how it addresses specific compliance issues. Is your network in compliance with HIPAA, PCI, or other relevant regulatory standards? What is the configuration of network security devices (intrusion detection systems, antivirus, and so on)?

It is also a good idea to include network utilization statistics. Being aware of normal traffic flow on your network can be useful when identifying DoS attacks.

Continuous Security Monitoring

Once a baseline security configuration is documented, it is critical to monitor it to see that this baseline is maintained or exceeded. A popular phrase among personal trainers is “that which gets measured gets improved.” Well, in network security, “that which gets monitored gets secure.” Continuous monitoring means exactly that: ongoing monitoring. This may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations.

Security Audits

Monitoring should take place on several levels. There should be basic, ongoing monitoring that is not labor intensive. Software solutions are available that will accomplish this for you. However, you should also implement scheduled, in-depth checks of security. These are usually called security audits.

A security audit is an integral part of continuous security monitoring. Security audits can be a check of any aspect of your security, including the following:

– Review of security logs

– Review of policies and compliance with policies
– A check of security device configuration

– Review of incident response reports

The scope of the audit and its frequency are determined by the organization. These parameters are determined by security needs and budget. For example, a high school network administrator does not have the budget or the security needs of a defense contractor. Therefore, you could expect the defense contractor to have more frequent and more comprehensive audits. However, every organization needs to have some type of audit policy as a part of continuous monitoring.

Setting a Remediation Policy

The monitoring of your system is very likely to uncover some gaps between the secure baseline that you established and the current state of the network. Those gaps might be quite significant or very minor. For example, you may have a requirement that all RSA cryptography be implemented with 2048-bit keys but discover one service is using 1024-bit keys. This is not a critical gap. Thisdiscrepancy will not render your system wide open to hackers, but it is a gap nonetheless.

Your policies must include a remediation policy. When a gap in the security posture is detected, it should first be classified, and then a remediation plan must be implemented. The specifics of how you classify and respond to a gap will vary from one organization to another. One possible classification system is given here:

Minor

This is a deviation from the security baseline that does not pose any immediate threat to security.

Serious 

This is a deviation that could pose an immediate threat, but the threat is either so unlikely or so difficult to exploit as to minimize the danger.

Critical

This is a deviation that poses an immediate threat and that must be addressed as soon as possible. This is just one possible classification system. An example of a minor threat would be the RSA issue previously mentioned. A serious threat might be the discovery of an obscure vulnerability in a database server that could be exploited but only by someone on the network. A critical threat might be finding out that your web application is vulnerable to SQL injection.

Reporting

Security incidents will occur no matter how well you design your security system. Some of these incidents will be minor, whereas others will be quite serious. Regardless of the severity of the incident, it must be reported. A system must be in place to report all issues.

Alarms

Alarms are indications of an ongoing current problem currently. Think of a siren sounding when someone kicks in the door to a home. These are conditions to which you must respond right now. Alarm rates can indicate trends that are occurring. Even after you solve the problem, you still need to look for indications that the condition may not be isolated. For example, if your IDS or firewall has an alarm, how is this reported to network security staff? A notification system should be in place that immediately notifies appropriate staff. Once the issue is addressed, those staff members must have a procedure in place to report the specifics of the incident, and how it was addressed, to management. The point is that your organization needs to have a system for reporting alarms. It cannot be an ad hoc process whereby each individual reports such alarms as they see fit. Incident response cannot occur without some reporting of alarms.

Alerts

Slightly below alarms in terms of security issues are alerts. Alerts are issues to which you need to pay attention but are not about to bring the system down at any moment. (Think of them as storm watches instead of storm warnings.) In Event Viewer, for example, system events are identified either as errors, information, or warnings. Although errors are the most critical, the others need attention too in order to keep them from eventually becoming errors. Alerts can also refer to industry alerts. Many antivirus software vendors provide alert services that will email you when a new attack is found or is increasing. Sometimes, other organizations, such as Microsoft, will also send alerts. When a security professional receives such an alert, that information can be communicated both to management and to the staff, as appropriate.

Trends

Trends do not refer to the latest fad in security. Instead they refer to trends in threats. For example, there are more email-based phishing attempts in the last month than in previous months, or waterhole and spear phishing attacks have been increasing recently. Though not often used in this fashion, the term can also refer to trends in your organizational security profile. Are audits finding an increase in compliance with software policies? Conversely, are you seeing an uptick in the violation of software installation policies?

Detection controls vs. prevention controls

Some security controls are implemented simply to detect potential threats. Others are designed to prevent or at least minimize such threats. For the CompTIA Security+ exam, it is important to know the difference. We will look at security controls here. An intrusion detection system (IDS), as the name implies, is focused on detecting intrusion. One step beyond this, an Intrusion Prevention System (IPS), again as the name implies, is focused on preventing an intrusion from occurring. There are various levels of both IDS and IPS as they can be based on a host (H-IDS, for example) or a network (N-IDS).

Not all approaches are so clear-cut as to include the term “detection” or “prevention” in the title, and many tools fall between the two. One such tool is a honeypot. A honeypot is a computer that has been designated as a target for computer attacks. The best way to visualize a honeypot is to think of Winnie the Pooh and the multiple times the character has become stuck while trying to get the honey out of the jugs in which it is stored. By get- ting stuck, he has incapacitated himself and become an easy target for anyone trying to find him. The purpose of a honeypot is to allow itself to succumb to an attack. During the process of “dying,” the system can be used to gain information about how the attack developed and what methods were used to institute the attack. The benefit of a honeypot system is that it draws attackers away from a higher-value system or allows administrators to gain intelligence about an attack strategy. Honeypots aren’t normally secured or locked down. If they come straight out of the box with an operating system and applications software, they may be configured as is. Elaborate honeypot systems can contain information and software that might entice an attacker to probe deeper and take over the system. If not configured properly, a honeypot system can be used to launch attacks against other systems. There are several initiatives in the area of honeypot technology. One of the more interesting involves the Honeynet Project, which created a synthetic network that can be run on a single computer system and is attached to a network using a normal network interface card (NIC). The system looks like an entire corporate network, complete with applications and data, all of which are fake. As part of the Honeynet Project, the network was routinely scanned, worms were inserted, and attempts were made to contact other systems to infest them—all over the course of a three-day period. At the end of day three, no fewer than three worms had infected the system. This infestation happened without any advertising by the Honeynet Project.

Enticement

Enticement is the process of luring someone into your plan or trap. You might accomplish this by advertising that you have free software, or you might brag that no one can break into your machine. If you invite people to try, you’re enticing them to do some- thing that you want them to do.

Entrapment

Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution. Although enticement is legally acceptable in the United States, entrapment is not. Your legal liabilities are probably small in either case, but you should seek legal advice before you implement a honeypot on your network. You may also want to contact law enforcement or the prosecutor’s office if you want to pursue legal action against attackers.

IDS vs. IPS

This type of system is an IDS that reacts to the intrusion that has been detected, most often by blocking communication from the offending IP address. The problem with this approach is the issue of false positives. No system is perfect—at some point you will have a situation where network activity is anomalous and the IDS indicates an intrusion, butin reality it is not an intrusion. For example, if the IDS is set up to react to traffic outside normal bounds, excessive traffic from a given system could indicate an attack. However, it could also indicate an unusually high workload.

Camera vs. guard

The camera versus guard debate is an old one. You must decide what is best for your own environment. The benefit of a camera (also known as closed-circuit television, or CCTV) is that it is always running and can record everything it sees, creating evidence that can be admissible in court if necessary. On the other hand, it is stationary, lacks any sort of intelligence, is possible to avoid, and needs someone to monitor the feed or review the tape to be effective, which many times does not happen until a problem has been discovered. The benefit of a guard is that the person can move about, apply intelligence to situations, and collect evidence. The guard, however, is not always recording, can be avoided, and has more downtime.

img