Security Assessments
Security assessments are a holistic approach to assessing the effectiveness of access control. Instead of looking narrowly at penetration tests or vulnerability assessments, security assessments have a broader scope.
Security assessments view many controls across multiple domains, and may include the following:
- Policies, procedures, and other administrative controls
- Assessing the real-world effectiveness of administrative controls
- Change management
- Architectural review
- Penetration tests
- Vulnerability assessments
- Security audits
As the above list shows, a security assessment may include other distinct tests, such as a penetration test. The goal is to broadly cover many other specific tests, to ensure that all aspects of access control are considered.
Log Reviews
As a security control, logs can and should play a vital role in detecting security issues, informing incident response, and supporting forensic review. From an assessment and testing standpoint, the goal is to review logs to ensure they can support information security as effectively as possible.
Reviewing security audit logs within an IT system is one of the easiest ways to verify that access control mechanisms are performing adequately. Reviewing audit logs is primarily a detective control.
According to NIST Special Publication 800-92 (https://csrc.nist.gov/publications/detail/sp/800-92/final), the following log types should be collected:
- Network Security Software/Hardware:
  - Antivirus logs
  - IDS/IPS logs
  - Remote Access Software (such as VPN logs)
  - Web proxy
  - Vulnerability management
  - Authentication servers
  - Routers and firewalls
- Operating System:
  - System events
  - Audit records
- Applications:
  - Client requests and server responses
  - Usage information
  - Significant operational actions [3]
The intelligence gained from proactive audit log management and monitoring can be very beneficial: the collected antivirus logs of thousands of systems can give a very accurate picture of the current state of malware. Antivirus alerts combined with a spike in failed authentication alerts from authentication servers or a spike in outbound firewall denials may indicate that a password-guessing worm is attempting to spread on a network.
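The correlation described above, as an added example that is not part of the original text: antivirus quarantines, authentication-server failures and outbound firewall denials are normalized into five-minute windows, and a window is flagged when detections coincide with a spike in either of the other two sources. The log formats and sample lines are constructed, and the thresholds are illustrative.

```python
"""Correlate antivirus, authentication and firewall logs to flag the
password-guessing-worm pattern (added example; sample lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (source, line). The key=value format is hypothetical.
SAMPLE_LOGS = [
    ("av",   "2024-03-01T10:01:12 host=ws-17 action=quarantine threat=Worm.Generic"),
    ("av",   "2024-03-01T10:02:40 host=ws-22 action=quarantine threat=Worm.Generic"),
    ("auth", "2024-03-01T10:01:30 host=dc-01 result=FAIL user=admin src=10.0.5.17"),
    ("auth", "2024-03-01T10:01:31 host=dc-01 result=FAIL user=backup src=10.0.5.17"),
    ("auth", "2024-03-01T10:01:33 host=dc-01 result=FAIL user=svc_sql src=10.0.5.17"),
    ("auth", "2024-03-01T10:01:34 host=dc-01 result=FAIL user=root src=10.0.5.22"),
    ("auth", "2024-03-01T10:03:02 host=dc-01 result=OK user=jsmith src=10.0.8.4"),
    ("fw",   "2024-03-01T10:02:05 host=fw-edge action=DENY dir=out src=10.0.5.17 dport=445"),
    ("fw",   "2024-03-01T10:02:06 host=fw-edge action=DENY dir=out src=10.0.5.22 dport=445"),
    ("fw",   "2024-03-01T10:02:07 host=fw-edge action=DENY dir=out src=10.0.5.22 dport=445"),
    ("fw",   "2024-03-01T11:40:00 host=fw-edge action=DENY dir=in src=203.0.113.9 dport=22"),
    ("av",   "2024-03-01T11:41:00 host=ws-03 action=quarantine threat=Adware.Foo"),
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(source, line):
    """Normalize one line into (five-minute window start, source, fields)."""
    ts_str, _, rest = line.partition(" ")
    ts = datetime.fromisoformat(ts_str)
    window = ts.replace(minute=ts.minute - ts.minute % 5, second=0)
    return window, source, dict(KV.findall(rest))

def correlate(logs, av_min=2, auth_fail_min=3, fw_deny_min=2):
    """Return window starts (ISO strings) where antivirus detections coincide
    with a spike in failed logons or in outbound firewall denials."""
    counts = defaultdict(lambda: {"av": 0, "auth_fail": 0, "fw_out_deny": 0})
    for source, line in logs:
        window, src, f = parse(source, line)
        if src == "av" and f.get("action") == "quarantine":
            counts[window]["av"] += 1
        elif src == "auth" and f.get("result") == "FAIL":
            counts[window]["auth_fail"] += 1
        elif src == "fw" and f.get("action") == "DENY" and f.get("dir") == "out":
            counts[window]["fw_out_deny"] += 1
    return sorted(
        w.isoformat() for w, c in counts.items()
        if c["av"] >= av_min
        and (c["auth_fail"] >= auth_fail_min or c["fw_out_deny"] >= fw_deny_min)
    )

if __name__ == "__main__":
    for window in correlate(SAMPLE_LOGS):
        print("possible worm activity in window starting", window)
```

The 11:40 window is not flagged: it holds a single unrelated quarantine and an inbound denial, which is exactly the noise a per-source review would not distinguish from the earlier burst.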
According to "Five mistakes of Log Analysis" by Anton Chuvakin (see https://www.computerworld.com/article/2567666/five-mistakes-of-log-analysis.html), audit record management typically faces five distinct problems:
- Logs are not reviewed on a regular and timely basis.
- Audit logs and audit trails are not stored for a long enough time period.
- Logs are not standardized or viewable by correlation toolsets—they are only viewable from the system being audited.
- Log entries and alerts are not prioritized.
- Audit records are only reviewed for the “bad stuff” [4].
Many organizations collect audit logs, and then commit one or more of these types of mistakes. The useful intelligence referenced in the previous paragraph (identifying worms via antivirus alerts, combined with authentication failures or firewall denials) is only possible if these mistakes are avoided.