secuAUDIT: CONTINUOUS COMPUTER SECURITY AUDITING EXPERIENCES - PowerPoint PPT Presentation

1
secu-AUDIT: CONTINUOUS COMPUTER SECURITY AUDITING EXPERIENCES

Urko Zurutuza Ortega. San Sebastian, December 1-3, 2004

2
Overview
  • Introduction
    • Background
    • State-of-the-art
  • Methodology
    • Identification and selection of security metrics
    • Security level formula definition
  • Implementation
    • Identification and selection of security tools
    • System implementation
    • Results
  • Conclusions & Further Work
    • Audits
    • munix
    • Tools
    • Measures & Metrics
    • System improvement
    • Future implementations
    • Questions

secu-AUDIT: Continuous Computer Security Auditing Experiences. IADAT International Conference on Telecommunications and Computer Networks, 2004
3
Background
Introduction
  • Computer security research group at MGEP-MU
  • Continuous audit: a term with a financial meaning
  • In the computer security context: measuring and
    controlling the security level, performing
    continuous monitoring over time and taking
    corrective actions when necessary
  • Security models
  • Audit and evaluation mechanisms
  • Intrusion detection

4
Background
Introduction
  • Traditional security auditing
  • Occasional controls: the security level is unknown
    between them

5
Background
Introduction
  • Continuous security auditing
  • Short intervals: knowledge of the system security
    level at each moment, via security metrics

6
State-of-the-art
Introduction
  • Metrics
    • A uniform monitoring method and an objective way
      to document our organization's security attitude.
  • Measures vs. Metrics
    • Measure
      • View or snapshot
      • Data count
      • Objective set of data
    • Metric
      • Relation between two or more data
      • Human interpretation

7
Identification and selection of security metrics
Methodology
  • Measures
    • Number of high/medium/low risk vulnerabilities
    • Number of intrusions
    • Server downtime
    • Service downtime
    • Physical security level
    • Number of viruses detected on the gateway
    • Number of viruses detected inside the network
    • Number of unsuccessful logins
    • Average number of open ports
    • Time elapsed since the last backup
  • For each measure we need to know
    • Its distribution
    • Its behavior over time
    • What is expected from it
    • How to obtain it

8
Identification and selection of security metrics
Methodology
  • Metric example: number of vulnerabilities
    • Description: number of vulnerabilities or
      security holes detected
    • Featurization (transforming the measure)
      • Total no. of vulnerabilities per host
        (high/medium/low risk)
      • No. of different types of vulnerabilities
        (high/medium/low risk)
    • Distribution
    • Mathematical behavior
    • How to obtain: vulnerability scanner (Nessus)

9
Security level formula definition
Methodology
  • Linking the metrics
  • Impact of each metric on the total security
    level: establish a weighting or ratio scale of
    the impact for each metric
  • Reference: Computer Sciences Corporation, CSC Global
    Information Security Services, "Security value
    metrics"

10
Security level formula definition
Methodology
  • FORMULA
  • Environment interaction: establish the metric
    constants (Ci)

11
System implementation
Implementation
  • Audit system implementation
    • Nagios as host and service monitor
    • Snort as IDS
    • Nessus as vulnerability scanner
    • MySQL database
    • PHP for creating dynamic web pages
    • Apache as HTTP server

12
System implementation
Implementation
  • Experiment
    • University LAN
    • 1 month of network monitoring
    • 180 hosts, mainly W2k and W2k servers

13
Results
Implementation
  • munix
  • On weekends the number of hosts decreases, but the
    security level stays the same: it is independent
    of the organisation's size!
  • 3rd week: security patches installed, security
    level raised!

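An added illustration of the featurization from slide 8, the weighted security level with constants Ci from slides 9-10, and the two observations above; this is not code from the paper or from the munix system. The paper's formula is not in this transcript, so the weighted-sum aggregation, the constants C, the saturation thresholds and the per-host scan counts are all assumptions made for the example.

```python
# Constructed sample data: per-host Nessus-style finding counts as
# (high, medium, low). Hypothetical values, not measurements from the paper.
WEEK1 = {"srv1": (2, 4, 10), "srv2": (2, 4, 8), "ws1": (2, 4, 9), "ws2": (2, 4, 9)}
# Hypothetical weekend scan: workstations are switched off, servers remain.
WEEKEND = {"srv1": (2, 4, 10), "srv2": (2, 4, 8)}
# Hypothetical third-week scan after patching: high-risk findings removed.
WEEK3 = {"srv1": (0, 2, 10), "srv2": (0, 2, 8), "ws1": (0, 1, 9), "ws2": (0, 1, 9)}

RISKS = ("high", "medium", "low")
# Assumed weighting constants C_i (slide 10); the paper calls them subjective.
C = {"high": 0.6, "medium": 0.3, "low": 0.1}
# Assumed saturation: this many findings per host pull a metric's score to 0.
SATURATION = {"high": 5.0, "medium": 10.0, "low": 20.0}


def featurize(scan):
    """Slide 8 featurization: total findings per risk class, divided by the
    number of scanned hosts so the metric does not track organisation size."""
    hosts = max(len(scan), 1)
    totals = {r: 0 for r in RISKS}
    for counts in scan.values():
        for risk, n in zip(RISKS, counts):
            totals[risk] += n
    return {r: totals[r] / hosts for r in RISKS}


def metric_score(per_host, risk):
    """Map a per-host count onto [0, 1]: 1 = clean, 0 = at/above saturation."""
    return max(0.0, 1.0 - per_host / SATURATION[risk])


def security_level(scan):
    """Assumed aggregation (not the paper's formula): sum_i C_i * m_i, 0..100."""
    f = featurize(scan)
    return 100.0 * sum(C[r] * metric_score(f[r], r) for r in RISKS)


if __name__ == "__main__":
    for name, scan in (("week 1", WEEK1), ("weekend", WEEKEND), ("week 3", WEEK3)):
        print(f"{name:8s} hosts={len(scan):2d} level={security_level(scan):5.1f}")
```

Because each metric is normalised per host, the weekend scan with half the hosts yields the same level as the full week, while the patched third week scores higher.
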
14
Conclusions
Conclusions & Further Work
  • Audits
    • Continuous security auditing is possible with
      little effort by combining existing security
      tools
    • The tool does not increase the security level by
      itself
    • Concern for security must be a continuous and
      constant task
  • munix
    • A tool for measuring security improvement rather
      than the security level itself
    • It is an autonomous system: no human interaction
      is needed
    • Some metrics cannot be collected automatically
      (e.g. physical security)

15
Conclusions
Conclusions & Further Work
  • Tools
    • Integrating different tools to measure the
      security level is possible
    • The three GNU/GPL tools have proven to be
      perfectly valid
  • Measures & Metrics
    • They make it possible to establish control points,
      so that a system can be evaluated dynamically and
      acted on proactively
    • Computer security metrics have a very low
      maturity level
    • The environment conditions the measurement of
      the security level and requires a
      parameterization of the system. The weighting
      values in the formula are completely subjective

16
Further Work
Conclusions & Further Work
  • System improvement
    • Try the system in different environments to
      adjust the weightings applied to the metrics
    • Tune the Snort and Nessus rules to avoid
      false positives
  • Metric review/addition
    • Add new measures/metrics
    • Review some metrics (different kinds of
      intrusions, ...)
  • Overall risk assessment
    • How to obtain the cost of improving the security
      level for each metric (technology and resources)

17
Questions
Thank You