Computer Security - Exam II

  1. security audit
    an independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures
  2. security audit trail
    a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results
  3. event discriminator
    logic embedded into the software of the system that monitors system activity and detects security-related events that it has been configured to detect
  4. audit recorder
    for each recorded event the event discriminator transmits the information to the audit recorder, often in the form of a message or by recording the event
  5. alarm processor
    receives the alarms raised for events the event discriminator has defined as alarm events and takes some action based on the alarm - the action is itself auditable and is therefore sent on to the audit recorder
  6. security audit trail
    stores a formatted record of each event created by the audit recorder
  7. audit analyzer
    based on a pattern of activity, may define new auditable events which are sent to the audit recorder and may generate an alarm
  8. audit archiver
    a software module that periodically extracts records from the audit trail to create a permanent archive of auditable events
  9. archives
    a permanent store of security-related events on a system
  10. audit provider
    an application and/or user interface to the audit trail
  11. audit trail examiner
    an application or user who examines the audit trail and the audit archives for historical trends, for computer forensic purposes, and for other analysis
  12. security reports
    human-readable reports prepared by the audit trail examiner
  13. audit trail collector
    a module on a centralized system that collects audit trail records from other systems and creates a combined audit trail
  14. audit dispatcher
    a module that transmits the audit trail records from its local system to the centralized audit trail collector
  15. audit trail collector
    audit dispatcher
    two additional logical components needed for a distributed auditing service
  16. event discriminator
    audit recorder
    alarm processor
    security audit trail
    audit analyzer
    audit archiver
    archives
    audit provider
    audit trail examiner
    security reports
    key elements of a Security Audit and Alarms Model
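Worked example of the model the cards above describe, added here and not part of the original card set: a toy Python pipeline wiring together an event discriminator, audit recorder, security audit trail, audit analyzer and alarm processor. The event kinds, the brute-force pattern the analyzer looks for, the "notify SOC" response and the SAMPLE_EVENTS are all constructed for the demonstration; one simplification is that the analyzer is handed each record as it is written instead of re-reading the trail.

```python
"""Toy Security Audit and Alarms Model (added example, not from the card set):
event discriminator -> audit recorder -> security audit trail, with an audit
analyzer deriving new events and an alarm processor whose actions are audited."""
from collections import defaultdict
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Event:
    ts: str       # ISO-8601 timestamp (constructed sample data)
    kind: str     # e.g. "login_failure"; the set of kinds is an assumption
    subject: str  # user the event concerns
    detail: str

class SecurityAuditTrail:
    """Stores one formatted record per event delivered by the audit recorder."""
    def __init__(self):
        self.records = []

class AuditRecorder:
    """Turns events from any component into sequenced records in the trail."""
    def __init__(self, trail):
        self.trail = trail

    def record(self, event, source):
        rec = {"seq": len(self.trail.records) + 1, "source": source, **asdict(event)}
        self.trail.records.append(rec)
        return rec

class AlarmProcessor:
    """Acts on an alarm; the action is itself auditable and goes back to the recorder."""
    def __init__(self, recorder):
        self.recorder, self.actions = recorder, []

    def handle(self, alarm):
        action = f"notify SOC: {alarm.kind} for {alarm.subject}"  # placeholder response
        self.actions.append(action)
        self.recorder.record(Event(alarm.ts, "alarm_action", alarm.subject, action),
                             source="alarm_processor")

class AuditAnalyzer:
    """Watches recorded activity for a pattern (here: repeated login failures),
    defines a new auditable event when it matches, and raises an alarm."""
    def __init__(self, recorder, alarm_processor, threshold=3):
        self.recorder, self.alarms, self.threshold = recorder, alarm_processor, threshold
        self.failures, self.flagged = defaultdict(int), set()

    def analyze(self, event):
        if event.kind != "login_failure":
            return
        self.failures[event.subject] += 1
        if self.failures[event.subject] >= self.threshold and event.subject not in self.flagged:
            self.flagged.add(event.subject)
            derived = Event(event.ts, "brute_force_suspected", event.subject,
                            f"{self.failures[event.subject]} login failures")
            self.recorder.record(derived, source="audit_analyzer")
            self.alarms.handle(derived)

class EventDiscriminator:
    """Monitors activity and forwards only the configured event kinds; a subset of
    those is additionally defined as alarm events."""
    def __init__(self, recorder, analyzer, alarm_processor, auditable, alarm_kinds):
        self.recorder, self.analyzer, self.alarms = recorder, analyzer, alarm_processor
        self.auditable, self.alarm_kinds = set(auditable), set(alarm_kinds)

    def observe(self, event):
        if event.kind not in self.auditable:
            return False  # event selection: keeps the trail from becoming unwieldy
        self.recorder.record(event, source="event_discriminator")
        self.analyzer.analyze(event)  # simplification: analyzer sees each record as written
        if event.kind in self.alarm_kinds:
            self.alarms.handle(event)
        return True

# Constructed sample activity; "file_read" is deliberately outside the auditable set.
SAMPLE_EVENTS = [
    Event("2024-05-01T08:00:01Z", "login_success", "alice", "console"),
    Event("2024-05-01T08:02:10Z", "login_failure", "bob", "bad password"),
    Event("2024-05-01T08:02:11Z", "file_read", "bob", "/etc/hostname"),
    Event("2024-05-01T08:02:14Z", "login_failure", "bob", "bad password"),
    Event("2024-05-01T08:02:17Z", "login_failure", "bob", "bad password"),
    Event("2024-05-01T08:10:00Z", "privilege_change", "carol", "added to wheel"),
]

def run_audit(events):
    """Wire the components together, feed them events, return (trail, alarm processor)."""
    trail = SecurityAuditTrail()
    recorder = AuditRecorder(trail)
    alarms = AlarmProcessor(recorder)
    analyzer = AuditAnalyzer(recorder, alarms, threshold=3)
    discriminator = EventDiscriminator(
        recorder, analyzer, alarms,
        auditable={"login_success", "login_failure", "privilege_change"},
        alarm_kinds={"privilege_change"})
    for ev in events:
        discriminator.observe(ev)
    return trail, alarms

if __name__ == "__main__":
    trail, alarms = run_audit(SAMPLE_EVENTS)
    print(*trail.records, alarms.actions, sep="\n")
```

Running it on the six sample events produces eight trail records: five written by the discriminator (the file_read is selected out), one "brute_force_suspected" event defined by the analyzer after bob's third failure, and two "alarm_action" records because the alarm processor's own responses are auditable.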
  17. data generation
    event selection
    event storage
    automatic response
    audit analysis
    audit review
    six major areas of security auditing functions
  18. data generation
    identifies the level of auditing, enumerates the types of auditable events, and identifies the minimum set of audit-related information provided
  19. event selection
    inclusion or exclusion of events from the auditable set that helps to avoid the creation of an unwieldy audit trail
  20. event storage
    creation and maintenance of the secure audit trail - includes measures to provide availability and to prevent loss of data from the audit trail
  21. automatic response
    defines reactions taken following detection of events that are indicative of a potential security violation
  22. audit analysis
    provided via automated mechanisms to analyze system activity and audit data in search of security violations - uses anomaly detection and attack heuristics
  23. audit review
    review tools available to authorized users to assist in audit data review - may include a selectable review function, and may be restricted to authorized users
  24. system-level audit trails
    application-level audit trails
    user-level audit trails
    physical access audit trails
    categories for audit trail design
  25. system event log
    applications event log
    security event log
    three types of Windows event logs
  26. system event log
    used by applications running under system service accounts (installed system services), drivers, or a component or application that has events that relate to the health of the computer system
  27. application event log
    events for all user-level applications - is not secured, and is open to any applications
  28. security event log
    the Windows Audit Log - for exclusive use of the Windows Local Security Authority
  29. interposable libraries
    dynamic binary rewriting
    two approaches to collecting audit data from applications
  30. after an event
    periodic review
    real-time audit analysis
    timing options for when audit trail analysis is performed
  31. basic alerting - software gives indication that an event has occurred
    baselining - normal vs. unusual events
    windowing - detection of events within a set of parameters
    correlation - seeks relationships among events
    four major approaches to data analysis
  32. thresholding
    a form of baseline analysis - the identification of data that exceed a particular baseline value - used to identify events, such as refused connections
  33. windowing
    detection of events within a given set of parameters, such as within a given time period or outside a given time period
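Added example (not from the card set) running the four data analysis approaches from card 31, with thresholding (card 32) and windowing (card 33) as the concrete forms, over a handful of constructed sshd/sudo log lines: basic alerting on any sudo invocation, a refused-connection count checked against a baseline value, successful logins outside a working-hours window, and correlation of a login success with the failures that preceded it from the same source. The log format, regexes, baseline of 3, 08:00-18:00 window and 10-minute look-back are all assumptions made for the demonstration.

```python
"""Four audit-analysis approaches over constructed sshd/sudo log lines:
basic alerting, baselining/thresholding, windowing and correlation.
Added example; the log format, regexes and thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (syslog-like, ISO timestamps for easy parsing).
LOG_LINES = """\
2024-05-01T02:13:07 web1 sshd[2101]: Failed password for bob from 10.0.0.5 port 50211 ssh2
2024-05-01T02:13:09 web1 sshd[2101]: Failed password for bob from 10.0.0.5 port 50212 ssh2
2024-05-01T02:13:12 web1 sshd[2101]: Failed password for bob from 10.0.0.5 port 50213 ssh2
2024-05-01T02:14:01 web1 sshd[2104]: Accepted password for bob from 10.0.0.5 port 50214 ssh2
2024-05-01T09:30:44 web1 sshd[2310]: Accepted password for alice from 10.0.0.9 port 40100 ssh2
2024-05-01T09:31:02 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-05-01T11:02:13 web1 sshd[2400]: refused connect from 192.0.2.7 (192.0.2.7)
2024-05-01T11:02:14 web1 sshd[2401]: refused connect from 192.0.2.7 (192.0.2.7)
2024-05-01T11:02:15 web1 sshd[2402]: refused connect from 192.0.2.7 (192.0.2.7)
2024-05-01T11:02:16 web1 sshd[2403]: refused connect from 192.0.2.7 (192.0.2.7)
2024-05-01T11:05:00 web1 sshd[2410]: refused connect from 198.51.100.3 (198.51.100.3)
2024-05-01T22:47:30 web1 sshd[2500]: Accepted password for dave from 10.0.0.12 port 41000 ssh2
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
KIND_RES = {  # message patterns that turn a raw line into a typed event
    "login_failure": re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)"),
    "login_success": re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)"),
    "refused": re.compile(r"refused connect from (?P<ip>\S+)"),
}


def parse(lines):
    """Parse raw lines into event dicts; lines matching no pattern keep kind 'other'."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the analyzer
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "prog": m["prog"],
              "msg": m["msg"], "kind": "other", "user": None, "ip": None}
        for kind, rx in KIND_RES.items():
            km = rx.search(m["msg"])
            if km:
                ev.update(kind=kind, **km.groupdict())
                break
        events.append(ev)
    return events


def basic_alerts(events):
    """Basic alerting: every sudo invocation is reported as soon as it is seen."""
    return [e["msg"] for e in events if e["prog"] == "sudo"]


def refused_over_baseline(events, baseline=3):
    """Thresholding (a form of baseline analysis): sources whose refused-connection
    count exceeds the baseline value."""
    counts = Counter(e["ip"] for e in events if e["kind"] == "refused")
    return {ip: n for ip, n in counts.items() if n > baseline}


def logins_outside_window(events, start_hour=8, end_hour=18):
    """Windowing: successful logins that fall outside the expected working-hours window."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["kind"] == "login_success" and not start_hour <= e["ts"].hour < end_hour]


def failures_then_success(events, min_failures=3, within=timedelta(minutes=10)):
    """Correlation: a successful login preceded by >= min_failures failures from the
    same source inside the look-back window (brute force that eventually succeeded)."""
    recent = defaultdict(list)  # ip -> timestamps of failures seen so far
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "login_failure":
            recent[e["ip"]].append(e["ts"])
        elif e["kind"] == "login_success":
            n = sum(1 for t in recent[e["ip"]] if e["ts"] - t <= within)
            if n >= min_failures:
                hits.append((e["ip"], e["user"], n))
    return hits


def run_analysis(lines=LOG_LINES):
    """Run all four approaches over the same parsed trail and return their findings."""
    events = parse(lines)
    return {"alerts": basic_alerts(events),
            "over_baseline": refused_over_baseline(events),
            "off_hours": logins_outside_window(events),
            "correlated": failures_then_success(events)}


if __name__ == "__main__":
    for name, result in run_analysis().items():
        print(f"{name}: {result}")
```

On the sample lines the sudo command is alerted as-is, 192.0.2.7 is the only source over the refused-connection baseline (4 > 3), bob's 02:14 and dave's 22:47 logins fall outside the window, and only bob's success is correlated with three prior failures from 10.0.0.5. Note how the same login shows up under two approaches: windowing alone would flag an off-hours login, but only correlation explains why it matters.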
  34. Security Information and Event Management system
    SIEM
  35. Security Information Management system
    SIM
Author
mjweston
ID
240789
Card Set
Computer Security - Exam II
Description
Security Auditing