INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

IS0/IEC18028-1:2006(E)Ongoing monitoring should include coverage of the following:— audit logs from firewalls, routers, servers, etc.,— alerts/alarms from such as audit logs pre-configured to notify certain event types, from such as firewalls,routers, servers, etc.,— output from IDS,— results from network security scanning activities,— information on events and incidents reported by users and support personnel,(as well as results from security compliance reviews).Events may turn out to be a security incident but have been prevented, e.g. a 'bad' logon, or have actuallycaused an incident but have now been detected, e.g. recognition of which user has carried out anunauthorized database change.It is emphasized that network monitoring should be conducted in a manner fully compatible with relevantnational and international legislation and regulation. This includes legislation for data protection and forregulation of investigatory powers (where by law all users have to be informed of any monitoring before it isconducted). In general terms monitoring should be conducted responsibly, and not for instance used forreviewing the behavior of employees in countries with very limited privacy laws. Obviously the actions takenshould be consistent with the security and privacy policies of the organization, and appropriate procedureswith related responsibilities put in place. Network audit logging and monitoring should also be conducted in aforensically secure manner if audit log evidence is to be used in criminal or civil prosecution.Most network audit logging and monitoring controls required in relation to network connections and relatedinformation systems can be determined by using ISO/IEC 17799 and with ISO/IEC 13335-2, when published.13.8 Intrusion DetectionAs network connections increase, it becomes easier for intruders to:— find multiple ways to penetrate an organization or community's information systems and networks,— disguise their initial point of access, and— access through networks and target internal information systems.Further, intruders are becoming more sophisticated, and more advanced methods of attack and tools areeasily available on the Internet or in the open literature. Indeed, many of these tools are automated, can bevery effective, and easy to use - including by persons with limited experience.For most organizations it is economically impossible to prevent all potential penetrations. Consequently, someintrusions are likely to occur. The risks associated with most of these penetrations should be addressedthrough the implementation of good identification and authentication, logical access control and accountingand audit controls, and, if justified, together with an intrusion detection capability. Such a capability providesthe means by which to predict intrusions, and identify intrusions in real-time and raise appropriate alarms. Italso enables local collection of information on intrusions, and subsequent consolidation and analysis, as wellas analysis of an organization's normal information system patterns of behavior/usage.In many situations it may be clear that some unauthorized or unwanted event is happening. It could be a slightdegradation in services for apparently unknown reasons, or it could be an unexpected number of accesses atunusual times, or it could be the denial of specific services. In most situations it is important to know thecause, severity and scope of the intrusion as soon as possible.It should be noted that this capability is more sophisticated than the audit log analysis tools and methods thatare implied in Clause 13.7 above and the related clauses of ISO/IEC 17799, and ISO/IEC 13335-2 whenpublished. The more effective intrusion detection capabilities use special post-processors that are designed to52 © ISO/IEC 2006 - All rights reserved
ISO/IEC 18028-1:2006(E)use rules to automatically analyze past activities recorded in audit trails and other logs to predict intrusions,and to analyze audit trails for known patterns of malicious behavior or behavior which is not typical of normalusage.Thus, an IDS is a system for detecting intrusion into a network. There are two types of IDS:— NIDS,— HIDS.NIDS monitor packets on a network and attempts to discover an intruder by matching the attack pattern to adatabase of known attack patterns. A typical example is looking for a large number of TCP connectionrequests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCPport scan. A network intrusion detection system sniffs network traffic, by promiscuously watching all networktraffic.HIDS monitor activity on the hosts (servers). It does this by monitoring security event logs or checking forchanges to the system, such as changes to critical system files, or to the systems registry. There are twotypes of HIDS:— system integrity checkers, which monitor system files and systems registry for changes made byintruders,— log file monitors (that monitor the system log files). Operating systems generate security events aboutcritical security issues, such as a user acquires root/administrator level privileges.In some cases responses to detected intrusions can be automated in IPS>Further detail on intrusion detection is provided in ISO/IEC 18043.13.9 Protection against Malicious CodeUsers should be aware that malicious code, including viruses, may be introduced into their environmentthrough network connections. Malicious code can cause a computer to perform unauthorized functions (e.g.bombard a given target with messages at a given date and time), or indeed destroy essential resources (e.g.delete files) as soon as it has replicated to try to find other vulnerable hosts. Malicious code may not bedetected before damage is done unless suitable controls are implemented. Malicious code may result incompromise of security controls (e.g. capture and disclosure of passwords), unintended disclosure ofinformation, unintended changes to information, destruction of information, and/or unauthorized use of systemresources.Some forms of malicious code should be detected and removed by special scanning software. Scanners areavailable for firewalls, file servers, mail servers, and workstations for some types of malicious code. Further, toenable detection of new malicious code it is very important to ensure that the scanning software is always keptup to date, desirably through daily updates. However, users and administrators should be made aware thatscanners cannot be relied upon to detect all malicious code (or even all malicious code of a particular type)because new forms of malicious code are continually arising. Typically, other forms of control are required toaugment the protection provided by scanners (where they exist).Overall, it is the job of anti-malicious code software to scan data and programs to identify suspicious patternsassociated with viruses, worms and Trojans (which sometimes are collectively termed 'malware'). The libraryof patterns to be scanned for is known as signatures, and should be updated at regular intervals, or whenevernew signatures become available for high-risk malware alerts. In the context of remote access, anti-virussoftware should be run on the remote systems and also on the servers on the central system - especiallyWindows and e-mail servers.Users and administrators of systems with network connections should be made aware that there are greaterthan normal risks associated with malicious software when dealing with external parties over external links.Guidelines for users and administrators should be developed outlining procedures and practices to minimizethe possibility for introducing malicious code.© ISO/IEC 2006 - All rights reserved 53
Page 1 and 2:
INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4:
ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6:
ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39 and 40: ISO/IEC 18028-1:2006(E)— flawed S
Page 41 and 42: ISO/IEC18028-1:2006(E)13.2.5.3 Secu
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[
show all

INTERNATIONAL ISO/IEC STANDARD 18028-1

Create successful ePaper yourself

Delete template?

Save as template?