This webinar series is designed to help internal auditors equip themselves with the competencies and confidence to audit IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to internal auditors and the processes underlying risk-based IT audits.
Session 6 of 10
This Webinar focuses on Application Security
• Application security logging and monitoring
• Issues in current logging practices
• Resources required by developers for security logging
• Correlating and alerting from log sources
• Logging in multi-tiered architectures and disparate systems
• Application security logging requirements
Application security logging best practices and challenges
1. 6/20/2018
Richard Cascarino CISM, CIA, ACFE, CRMA
Cybersecurity Series – Application Security
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru, Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 2,800 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
TODAY’S AGENDA
• Application Vulnerabilities
• Application security logging and monitoring
• Issues in current logging practices
• Resources required by developers for security logging
• Correlating and alerting from log sources
• Logging in multi-tiered architectures and disparate systems
• Application security logging requirements
APPLICATION SECURITY
• Application vulnerability assessment aims to identify and remediate vulnerabilities and to maintain a resilient web presence. This process involves:
• Web and client-server application security assessments
• Mobile application assessments across most platforms
• Software development lifecycle (SDLC) reviews
• Application architecture assessments
• Custom services as requested
VULNERABLE APPLICATIONS RISKS
• Unauthorized access to sensitive customer or company data
• Theft of sensitive data to conduct identity theft, credit card fraud or other
crimes
• Defacement of websites; strong potential for brand damage
• Manipulation of data impacting data integrity, quality and organization’s
reputation
• Redirection of users to malicious web sites; phishing and malware
distribution
• Denial of service; loss of data availability
• Attackers can assume valid user identities
• Access to hidden web pages using forged URLs
• Attacker’s hostile data tricks an interpreter into executing unintended commands (injection)
ROOT CAUSE?
1. Developers not trained in security
Most computer science curricula have no security courses
2. Under-investment by security teams
Lack of tools, policies, process, etc.
3. Growth in complex, mission critical online applications
Online banking, commerce, Web 2.0, etc
4. Number one focus by hackers
75% of attacks focused on applications - Gartner
Result: Application security incidents and lost data on the rise
AUTOMATED SCANNER CAN’T FIND
ALL THE VULNERABILITIES
• There is no “silver bullet” for identifying application
security vulnerabilities. There are different classes of
tools ranging from static code scanners that assess
the code to dynamic scanners that analyze logic and
data flow. Generally, 30% to 40% of vulnerabilities
can be identified by scanners; the remainder are
uncovered by other means.
• Manual testing allows an informed and experienced
tester to attempt to manipulate the application,
escalate privileges or get the application to operate
in a way it was not designed to do.
APPLICATIONS SECURITY ISSUES
• Few operating systems but many applications
• Because operating systems are hardened, most attacks target the applications installed on servers.
• Many applications run with administrative or super user (root) privileges, so compromising the application compromises the host
• Securing applications is challenging
• Buffer Overflow Attacks
• Among the most widespread vulnerabilities in application programs
• Buffers are RAM areas where data is stored temporarily
• If an attacker sends more data than the programmer allocated to a buffer, the buffer overflows and overwrites the adjacent section of RAM; what is overwritten (other variables, a return address) decides whether the result is a crash or attacker-controlled code execution
EDUCATING DEVELOPERS
AND GETTING “BUY IN”
• Establish security accountability and standards for shipping
• Create a “security architect” role
• Create a security community of practice
• Create a secure development portal or wiki
• Conduct hacking demos to demonstrate risks
• Online & offline courses for secure coding
• Put developers through secure coding exams
• Security reviews of real applications
• Pay premiums for security architects
GENERAL APPLICATION SECURITY
• Minimize number of applications
• Fewer applications on a computer, fewer attack opportunities
• Use security baselines for installation
• Security baselines improve security
• Add application layer authentication
• Important for sensitive applications
• Could be password-based
• Implement cryptographic systems
IBM SOFTWARE SECURITY DEVELOPMENT ECOSYSTEM (diagram)
Pipeline: Coding → Build → Security QA → QA
Roles: Developers, Build System, Quality Assurance Testing, Security Auditor (scanning)
Cross-cutting: Control, Monitor and Report; Web Based Security Training
KEY CHALLENGES FOR
APPLICATION SECURITY
LOGGING
1. Lack of Security Logging Frameworks
2. Lack of guidance on what and how to log
3. Lack of requirements for security logging
4. Lack of correlation and alerting capabilities
BEST PRACTICES FOR
APPLICATION SECURITY
Adopt Secure software development life cycle (SDLC)
Follow secure coding practices and conduct security code reviews
Perform static code analysis and dynamic web scanning tests
Build-in application level logging
Embed security logging capability within applications
Capture security and application transactional information in the logs
Correlate application events with SIEM
More accurately identify business risks closer to application transactions
WHY ARE BEST PRACTICES
NOT FOLLOWED?
Adopt secure software development life cycle (SDLC)
Slow Adoption: It takes years to train developers/testers to build in security
3rd Party Code: Cannot impose SDLC practices on 3rd parties and SaaS providers
Build-in application level logging
Developers accustomed to logging functional use-cases not abuse-cases
Developers collect too little information in logs - not usable to assess business risk
Correlate application events with SIEM
Many sophisticated attacks cannot be detected by monitoring individual
applications
Need to correlate across multiple applications, firewalls, IPS/IDS and other
sources
KEY CHALLENGES FOR
APPLICATION SECURITY
LOGGING
• Many applications have poor security logs
(and sometimes have none at all)
• Without good security event information it
is difficult to:
• detect attacks
• detect compromised user accounts
• detect fraud
• detect abuse of privileges and
• Respond to events
MANY LOGGING FRAMEWORKS
Java (commonly used)
• Commons Logging
• Log4j
• Logback
• SLF4J
Other frameworks
Craftsman Spy, Houston, jLo, Jmyra,
JTraceDump, Just4log, Limpid Log,
Logging Toolkit, Monolog, ObjectGuy
Framework, Protomatter, RP Logging,
Simple Log, SmartInspect,TraceTool
.Net (commonly used)
• Microsoft Enterprise Library
• Log4net
• Logger.NET
• NLog
Other frameworks
C# Logger, CommonData, CSharp Dot
Net Logger, DebugWriter, LogThis,
NetTrace, Nspring, ObjectGuy
Framework, SmartInspect, TcpTrace,
Traceract, TraceRT.NET, Traffic
Monitor
THE LEVEL OF DETAILS FOR
LOGGING
Log Event Data should include the following:
1. Time stamp from a trusted system component
2. Severity rating for each event
3. Tagging of security relevant events, if they are mixed
with other log entries
4. Identity of the account/user that caused the event
5. Source IP address associated with the request
6. Event outcome (success or failure)
7. Description of the event
HIGH LEVEL SECURITY LOGGING
REQUIREMENTS
• Ensure log entries that include un-trusted data will not
execute as code in the intended log viewing interface or
software
• Restrict access to logs to only authorized individuals
• Utilize a master routine for all logging operations
• Do not store sensitive information in logs, including
unnecessary system details, session identifiers or
passwords
• Ensure that a mechanism exists to conduct log analysis
HIGH LEVEL SECURITY
LOGGING EVENTS
• Log all input validation failures
• Log all authentication attempts, especially failures
• Log all access control failures
• Log all apparent tampering events, including unexpected
changes to state data
• Log attempts to connect with invalid or expired session tokens
• Log all system exceptions
• Log all administrative functions, including changes to the
security configuration settings
• Log all backend TLS connection failures
• Log cryptographic module failures
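The three lists above (the fields every entry needs, the handling requirements, and the events to record) can be enforced by routing every security event through one small wrapper. The Python below is an added example written for this page, not code from the presenters or from any product; the `SecurityLogger` class, the `REDACT_KEYS` set, the event names and the sample inputs are assumptions for illustration. It writes one JSON object per line with a server-side timestamp, severity, a SECURITY tag, user, source IP, outcome and description; it strips control characters (including CR/LF) from untrusted values so a log entry cannot be forged or executed by the viewer, and it redacts passwords and session identifiers before they reach the file.

```python
import json
import re
import sys
from datetime import datetime, timezone

# Keys whose values must never be written to a log (passwords, session
# identifiers, bearer tokens). The names are assumptions for this example.
REDACT_KEYS = {"password", "passwd", "secret", "token", "session_id", "authorization"}

# Control characters, including CR and LF: a CR/LF inside an untrusted value
# would let an attacker forge an extra, legitimate-looking log entry.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value):
    """Escape control characters so untrusted data cannot break the
    line-oriented log format or drive a terminal/log viewer."""
    if not isinstance(value, str):
        return value
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def redact(details):
    """Replace sensitive values outright and neutralize everything else."""
    return {k: "[REDACTED]" if k.lower() in REDACT_KEYS else neutralize(v)
            for k, v in details.items()}


class SecurityLogger:
    """Master routine for security logging: every security-relevant event in
    the application goes through event(), so the mandatory fields are always
    present and the sanitization cannot be forgotten by one code path."""

    def __init__(self, app, stream=sys.stdout, clock=None):
        self.app = app
        self.stream = stream
        # Timestamp comes from the server clock, never from the client.
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def event(self, kind, *, severity, user, src_ip, outcome, description, **details):
        record = {
            "ts": self.clock().isoformat(),
            "app": self.app,
            "tag": "SECURITY",          # lets security events be filtered out of functional logs
            "event": kind,              # e.g. AUTHN_FAILURE, INPUT_VALIDATION_FAILURE, ACCESS_DENIED
            "severity": severity,
            "user": neutralize(user),
            "src_ip": neutralize(src_ip),
            "outcome": outcome,         # "success" or "failure"
            "description": neutralize(description),
            "details": redact(details),
        }
        # One JSON object per line; json.dumps never emits a raw newline.
        self.stream.write(json.dumps(record, separators=(",", ":")) + "\n")
        return record


if __name__ == "__main__":
    log = SecurityLogger("payments")
    # Constructed input: a login attempt whose username carries a CRLF
    # injection and whose detail dict accidentally includes the password.
    log.event("AUTHN_FAILURE", severity="WARN",
              user="alice\r\n2018-06-20 INFO login ok admin", src_ip="203.0.113.7",
              outcome="failure", description="bad password",
              password="hunter2", attempts=3)
    log.event("INPUT_VALIDATION_FAILURE", severity="WARN", user="bob",
              src_ip="198.51.100.9", outcome="failure",
              description="rejected parameter", field="q",
              value="<script>alert(1)</script>")
```

Because the output is JSON, a SIEM can parse the fields without regexes, and the `tag` field is what lets a collector pick security events out of a stream that also carries functional logging.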
WHAT TO LOG?
• What level of detail is required to identify a user and
reliably trace back to an unauthorized malicious action?
• Where are they?
• (is it a green screen internal application? An internet facing web
application, a corporate desktop application?)
• What technical details can be identified and logged?
• (e.g. XSS, Change of IP address mid-session, data validation issues
etc.)
• What business level detail must be logged?
• (e.g. viewing sensitive data, who did what for segregation of duties,
etc.)
TYPES OF BUSINESS EVENTS
Logical, Behavioral and Compliance
• Privileged User Access
• Process Violations
• Segregation of Duties bypass
• Bulk Downloads
• Privacy Violations
TYPES OF BUSINESS EVENTS
Influencers:
• Business Owners
• Internal Audit
• Regulatory Bodies
(PCI-DSS, SOX, Government, etc.)
• Operational Risk
• Fraud Teams
• Security Consultants
CORRELATION TECHNOLOGY
Security Information and Event Management (SIEM)
technology provides:
• Security Information Management (SIM) – log management and
compliance reporting
• Security Event Management (SEM) – real-time monitoring and incident management for security-related events from networks, security devices, systems and applications
SIEM Technology is typically deployed to support three
primary use cases:
• Compliance – Log management and compliance reporting
• Threat Management – real-time monitoring of user activity, data
access and application activity and incident management
• A deployment that provides a mix of compliance and threat
management capabilities
SOLVING THE CHALLENGES
Where to start?
Focus on high risks and incidents
What risk or impact are you minimizing:
• Reduced internal fraud
• Compromised user accounts (leading to external fraud)
• Process Violations
• Compliance with regulatory bodies
• External compromise
MULTITIER ARCHITECTURE
• In software engineering, multi-tier architecture (often referred to as n-tier architecture) is a client–server architecture in which presentation, application processing, and data management functions are logically separated. For example, an application that uses middleware to service data requests between a user and a database employs multi-tier architecture. The most widespread use of multi-tier architecture is the three-tier architecture.
• N-tier application architecture provides a model by which developers can create flexible and reusable applications. By segregating an application into tiers, developers acquire the option of modifying or adding a specific layer, instead of reworking the entire application. Three-tier architectures typically comprise a presentation tier, a business or data access [logic] tier, and a data tier.
(Wikipedia: Multitier Architecture)
N-TIER ARCHITECTURE - ADVANTAGES
• Scalable:
• because the tiers are decoupled, each tier can be deployed and scaled on its own.
• For example,
• the data tier can be scaled up by database clustering without involving the other tiers.
• the web client side can be scaled up with a load balancer without affecting other tiers.
• Windows servers can be clustered easily for load balancing and failover.
• In addition, the business tier can also be clustered to scale up the application, such as a WebLogic cluster in J2EE.
N-TIER ARCHITECTURE - ADVANTAGES
• Better and finer security control over the whole system:
• security can be enforced differently for each tier when the tiers have different security requirements.
• For example,
• the business tier and data tier usually need a higher security level than the presentation tier, so these two high-security tiers can be placed behind a firewall for protection.
• a 1- or 2-tier architecture cannot fully achieve this because of the limited number of tiers.
• Also, in an N-tier architecture users cannot access the business layer and data layer directly: all user requests are routed by the presentation layer to the business layer, then to the data layer. The presentation layer therefore serves as a proxy-like layer for the business layer, and the business layer as a proxy-like layer for the data layer. These proxy-like layers provide further protection for the layers below them, provided the lower tiers actually reject connections that do not come from the tier above (network segmentation and separate credentials per tier); an attacker who can reach the database port directly gets none of this protection.
• Better fault tolerance:
• for example,
• the databases in the data layer can be clustered for failover or load balancing without affecting other layers.
THE DISADVANTAGES OF THE N-TIER DEPLOYMENT
• The performance of the whole application
• may be slower if the hardware and network bandwidth are not adequate, because more networks, computers and processes are involved.
• More cost for hardware, network, maintenance and deployment
• because more hardware and more network bandwidth are needed.
WHAT DETAIL NEEDS TO
BE LOGGED?
What security people want
• Time stamp
• Severity rating for each event
• Identity of the account/user that caused the event
• Source IP address associated with the request
• User context across application tiers (internal
webservice, MQ, Database)
• Event outcome (success or failure)
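The correlation slides above make two points: attacks that are invisible to any single application show up when events from several sources are joined, and that join only works when every tier records the same user context for a request. The Python below is an added example written for this page, not code from the presenters or from any SIEM product. It assumes a constructed pipe-delimited log format in which the web, service and database tiers all write the same correlation id and original client IP; the three detections (authentication failures clustered in a sliding window, one session token used from two client addresses, and a database query whose correlation id never appeared at the presentation tier) are illustrations of the kind of rules a SIEM would run, not rules from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not captured traffic. One event per line, "|"-separated:
# ts|tier|event|user|src_ip|session|corr_id|detail
# Every tier writes the same correlation id and the original client IP for a
# request, which is the "user context across application tiers" asked for above.
LOG_LINES = """\
2018-06-20T10:00:01Z|web|AUTHN_FAILURE|bob|198.51.100.9|-|c1|bad password
2018-06-20T10:00:03Z|web|AUTHN_FAILURE|bob|198.51.100.9|-|c2|bad password
2018-06-20T10:00:05Z|web|AUTHN_FAILURE|bob|198.51.100.9|-|c3|bad password
2018-06-20T10:00:07Z|web|AUTHN_FAILURE|bob|198.51.100.9|-|c4|bad password
2018-06-20T10:00:09Z|web|AUTHN_FAILURE|bob|198.51.100.9|-|c5|bad password
2018-06-20T10:00:11Z|web|AUTHN_SUCCESS|bob|198.51.100.9|s-bob|c6|login
2018-06-20T10:01:00Z|web|REQUEST|alice|192.0.2.10|s-alice|c7|GET /accounts
2018-06-20T10:01:00Z|svc|CALL|alice|192.0.2.10|s-alice|c7|AccountService.list
2018-06-20T10:01:01Z|db|QUERY|svc_acct|10.0.3.5|-|c7|SELECT * FROM accounts WHERE owner=?
2018-06-20T10:02:30Z|web|REQUEST|alice|203.0.113.44|s-alice|c8|GET /accounts/export
2018-06-20T10:05:00Z|db|QUERY|svc_acct|10.0.3.5|-|c9|SELECT * FROM accounts
"""

FIELDS = ("ts", "tier", "event", "user", "src_ip", "session", "corr_id", "detail")


def parse(text):
    """Parse the pipe-delimited lines into dicts, ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])  # stable: same-second lines keep file order


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """N authentication failures for one (user, source IP) inside a sliding window."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in events:
        if e["event"] != "AUTHN_FAILURE":
            continue
        key = (e["user"], e["src_ip"])
        q = recent[key]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(("BRUTE_FORCE", e["user"], e["src_ip"], len(q)))
    return alerts


def detect_session_ip_change(events):
    """The same session token used from a second client address (hijack indicator)."""
    alerts, first_ip = [], {}
    for e in events:
        if e["session"] == "-":
            continue
        ip = first_ip.setdefault(e["session"], e["src_ip"])
        if ip != e["src_ip"]:
            alerts.append(("SESSION_IP_CHANGE", e["session"], ip, e["src_ip"]))
    return alerts


def detect_tier_bypass(events):
    """A data-tier query whose correlation id never appeared at the presentation
    tier: something reached the database without passing through the application
    (leaked service credentials, an ad-hoc DBA session, or a compromised host)."""
    seen_at_web = {e["corr_id"] for e in events if e["tier"] == "web"}
    return [("TIER_BYPASS", e["corr_id"], e["user"], e["detail"])
            for e in events if e["tier"] == "db" and e["corr_id"] not in seen_at_web]


def reconstruct(events, corr_id):
    """Join the tiers on the correlation id to see one transaction end to end."""
    return [(e["tier"], e["event"], e["user"], e["detail"])
            for e in events if e["corr_id"] == corr_id]


def run(text=LOG_LINES):
    events = parse(text)
    return (detect_brute_force(events)
            + detect_session_ip_change(events)
            + detect_tier_bypass(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
    for step in reconstruct(parse(LOG_LINES), "c7"):
        print("  ", step)
```

None of the three alerts can be raised from one tier's log on its own: the web tier sees the failures but not the outcome at the database, and the database sees a query but not whether a user ever asked for it. The join key is the correlation id, which is why it has to be generated once at the edge and passed down every call.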
EVENT LOGS MONITORING TOOLS
• Microsoft Log Parser 2.2
https://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx
• Kiwi Syslog Products:
http://www.kiwisyslog.com/Syslogs
• Remstats -
http://remstats.sourceforge.net/release/log-server.html
• Set up a Linux log server
http://www.linuxsecurity.com/content/view/117514/49/
LOG PARSER
• Search for Data - Search for the logons of a specific user among the events in the Windows Event Log:
C:\>LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM Security WHERE EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON
LOG PARSER (2)
• Create Reports - Create custom-formatted HTML
reports.
LOG PARSER (3)
• Calculate Statistics - Calculate the distribution of the HTTP response status codes from your IIS log files:
C:\>LogParser "SELECT sc-status, COUNT(*) AS Times INTO Chart.gif FROM <1> GROUP BY sc-status ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status Codes"
And produce a chart formatted as desired:
LOG PARSER - SYNTAX
Examples:
LogParser "SELECT date, REVERSEDNS(c-ip) AS Client, COUNT(*) FROM file.log WHERE sc-status<>200 GROUP BY date, Client" -e:10
LogParser file:myQuery.sql?myInput=C:\temp\ex*.log+myOutput=results.csv
LogParser -c -i:BIN -o:W3C file1.log file2.log "ComputerName IS NOT NULL"
Help:
-h GRAMMAR : SQL Language Grammar
-h FUNCTIONS [ <function> ] : Functions Syntax
-h EXAMPLES : Example queries and commands
-h -i:<input_format> : Help on <input_format>
-h -o:<output_format> : Help on <output_format>
-h -c : Conversion help
LOG PARSER – SAMPLE
OUTPUT
Server EventID Total
------- ------ -----
HKGKABS1 528 420
HKGKABS1 529 1
HKGKABS1 538 419
HKGKABS1 539 1
HKGKABS1 576 420
HKGKABS1 578 2
HKGUATS1 528 73
HKGUATS1 538 71
HKGUATS1 576 73
HKGUATS1 578 11
………….
Statistics:
-----------
Elements processed: 1130
Elements output: 10
Execution time: 0.19 seconds
FROM LOGS DOWNLOAD TO OUTPUT REPORTS (1B)
DUMPEL Usage:
dumpel -f file [-s server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]
-d <days> Filters for event last days (number larger than zero)
-e nn Filters for event id nn (up to 10 may be specified)
-f <filename> Output filename (default stdout)
-l <name> Dumps the specified log (system, application, security)
-b Dumps a backup file (use -l to specify file name)
-m <name> Filters for events logged by name
-r Filters out events logged by name (must use -m too)
-s <servername> Remote to servername
-t Use tab to separate strings (default is space)
-c Use comma to separate fields
-ns Do not output strings
-format <fmt> Specify output format. Default format is
dtTCISucs
where
t - time
d - date
T - event type
C - event category
I - event ID
S - event source
u - user
c - computer
s - strings
EVENT LOGS REVIEW PROCESS (3)
• Add the header to the beginning of the file:
Date,Time,EventID,SourceName,Dummy,Server,Description
The header names are the column names used in the SQL query.
• SQL Query in EventIDDistrib_with_selected_event_ID.sql (Log Parser syntax: the INTO clause precedes FROM, and the IN list is semicolon-separated):
SELECT StrCat(TO_STRING(EventID), Description) AS EventID_And_Source, COUNT(*) AS Total
INTO %destfile%
FROM %sourcefile%
WHERE EventID IN (529; 530; 531; 532; 535; 537; 539; 608; 609; 612;
613; 614; 615; 616; 617; 620; 624; 625; 626; 627; 628; 629; 630;
631; 632; 633; 634; 635; 636; 637; 638; 639; 640; 641; 642; 643;
644; 645; 646; 647; 648; 649; 650; 651; 652; 653; 654; 655; 656;
657; 658; 659; 660; 661; 662; 663; 664; 665; 666; 667; 675; 676;
677)
GROUP BY EventID_And_Source
FINAL LOG REVIEW REPORT
ELEMENT
• Scope and Content
• Which servers do we monitor?
• Grand Total Figures:
• It shows no. of logs for each event for every server
• Group the events into different categories:
• Appendix with detailed event statistics
• Statistics with no breakdown.
• Detailed statistics breakdown with log description
• Appendix of selected critical events
GROUP THE EVENTS FOR THE MANAGEMENT REPORT
Event Group                                        | Event IDs                   | Suspicious Finding After Following Up (Yes/No/No Occurrence)
Audit Log and Policy Access/Change                 | 517, 612                    | No Occurrence
Account Lockout                                    | 539, 644                    | No
Failed Account Access                              | 529-535, 537                | No
Account Profile Change (Normal User/Administrator) | 608, 609, 624-630, 642-647  | No
User Role/Group Change/Addition                    | 631-639, 641, 648-667       | No
Domain Policy & User Database Change               | 640, 643                    | No
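The review process described above (add a header to the exported log, count entries per event ID and server, then group the event IDs into the categories of the management report and pull out the critical ones for an appendix) is shown end to end in the Python below. It is an added example written for this page, not a script from the presenters; the sample rows are constructed in the Date,Time,EventID,SourceName,Dummy,Server,Description layout from the process slide, the group definitions follow the management-report table, and the `CRITICAL_ON_ANY` set and the "Review"/"Follow up" statuses are assumptions (the page marks only 517 as critical and leaves the Yes/No finding to the reviewer's follow-up).

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout the review process produces
# (Date,Time,EventID,SourceName,Dummy,Server,Description); not a real export.
SAMPLE = """\
Date,Time,EventID,SourceName,Dummy,Server,Description
6/20/2018,09:00:01,528,Security,,HKGKABS1,Successful Logon
6/20/2018,09:00:05,529,Security,,HKGKABS1,Logon Failure: Unknown user name or bad password
6/20/2018,09:00:06,529,Security,,HKGKABS1,Logon Failure: Unknown user name or bad password
6/20/2018,09:00:07,539,Security,,HKGKABS1,Logon Failure: Account locked out
6/20/2018,09:10:00,517,Security,,HKGKABS1,The audit log was cleared
6/20/2018,09:15:00,528,Security,,HKGUATS1,Successful Logon
6/20/2018,09:16:00,624,Security,,HKGUATS1,User Account Created
6/20/2018,09:17:00,632,Security,,HKGUATS1,Security Enabled Global Group Member Added
6/20/2018,09:18:00,538,Security,,HKGUATS1,User Logoff
"""

# Event groups as in the management report table above.
EVENT_GROUPS = {
    "Audit Log and Policy Access/Change": {517, 612},
    "Account Lockout": {539, 644},
    "Failed Account Access": set(range(529, 536)) | {537},
    "Account Profile Change": {608, 609} | set(range(624, 631)) | set(range(642, 648)),
    "User Role/Group Change/Addition": set(range(631, 640)) | {641} | set(range(648, 668)),
    "Domain Policy & User Database Change": {640, 643},
}

# Event IDs that need follow-up on a single occurrence. 517 (audit log cleared)
# is starred on the critical-events slide; 612 and 640 are added as an assumption.
CRITICAL_ON_ANY = {517, 612, 640}


def group_of(event_id):
    for name, ids in EVENT_GROUPS.items():
        if event_id in ids:
            return name
    return None   # e.g. 528/538 routine logon/logoff: counted in totals, not in a group


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def per_server_totals(rows):
    """Grand-total figures: number of entries per event ID for every server."""
    return Counter((r["Server"], int(r["EventID"])) for r in rows)


def group_report(rows):
    """One line per event group: total and a status for the reviewer to follow up."""
    counts, flagged = Counter(), set()
    for r in rows:
        eid = int(r["EventID"])
        name = group_of(eid)
        if name is None:
            continue
        counts[name] += 1
        if eid in CRITICAL_ON_ANY:
            flagged.add(name)
    report = {}
    for name in EVENT_GROUPS:
        if counts[name] == 0:
            status = "No Occurrence"
        elif name in flagged:
            status = "Follow up"
        else:
            status = "Review"
        report[name] = {"total": counts[name], "status": status}
    return report


def critical_events(rows):
    """Appendix of selected critical events, kept with their log description."""
    return [r for r in rows if int(r["EventID"]) in CRITICAL_ON_ANY]


if __name__ == "__main__":
    rows = load(SAMPLE)
    for (server, eid), total in sorted(per_server_totals(rows).items()):
        print(f"{server:10} {eid:5} {total:5}")
    for name, line in group_report(rows).items():
        print(f"{name:40} {line['total']:5} {line['status']}")
    for r in critical_events(rows):
        print(r["Date"], r["Time"], r["Server"], r["EventID"], r["Description"])
```

The per-server totals reproduce the "Server / EventID / Total" layout of the Log Parser sample output; the group report is the table management sees, with "No Occurrence" filled in automatically and the Yes/No finding left for the reviewer. An export from a different Windows generation would need the event IDs in `EVENT_GROUPS` updated before the grouping means anything.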
CRITICAL EVENTS SELECTION
Event ID | Message Type | Description                                                          | Risk (H/M/L)
512      | User         | Windows NT is starting up                                            |
513      | User         | Windows NT is shutting down                                          |
514      | User         | An authentication package loaded by Local Security Authority         |
515      | User         | A trusted logon process registered with Local Security Authority     |
516      | User         | Internal resources allocated for queuing of audit messages exhausted |
517 *    | User         | Audit log cleared                                                    |
518      | User         | A notification package loaded by Security Account Manager            |
528      | User         | Successful Logon                                                     |
Different parties will have different risk rankings for a particular event.
TOOLS AND RESOURCES
• Open Software Assurance Maturity Model
(OpenSAMM) – A freely available open source
framework that organizations can use to build and
assess their software security programs
www.opensamm.org
• The Open Web Application Security Project
(OWASP) – Worldwide not-for-profit organization
focused on improving the security of software.
Source of valuable free resources www.owasp.org
• Open Source or Low Cost Application Security Scanners – OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N-Stalker, SkipFish, Scrawlr, Acunetix, and many more to do basic discovery work
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU! Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino