Auditing and Monitoring
Operation procedures should also include auditing and monitoring. Auditing and monitoring are tied to accountability. These items are tied together because if you don't have accountability for specific users, you cannot perform an effective audit. True security relies on the ability to verify that individual users perform specific actions. Without the capability to hold individuals accountable, organizations can't enforce security policies. Some of the primary ways accountability is established is by auditing user activity, analyzing traffic patterns, scanning for intrusions, and monitoring the movement of individuals throughout the organization's premises.
|
Make sure you know the difference between audit and accountability for the exam. Audit controls are detective controls, are utilized after the fact, and are usually implemented to detect fraud or other illegal activities. Accountability is the ability to track specific actions, transactions, changes, and resource usage to a specific user within the system. This is accomplished, in part, by having unique identification for each user and strong authentication mechanisms. |
Auditing
Auditing produces audit trails. These trails can be used to re-create events and verify whether security policies were violated. The biggest disadvantage of the audit process is that it is detective in nature and that audit trails are usually examined after an event. Some might think of audit trails only as something that corresponds to logical access, but auditing can also be applied to physical access. Auditing tools can be used to monitor who entered the facility and what time certain areas were accessed.
Auditing Tools
The security professional has plenty of available tools that can help isolate the activities of individual users. Windows Event Viewer, Auditpol, and Elsave are all tools used to view and work with audit logs.
Many organizations monitor network traffic to look for suspicious activity and anomalies. Some monitoring tools enable administrators just to examine packet headers, whereas others can completely re-create network traffic. Snort and TCPdump are two such tools. Regardless of the tools used to capture and analyze this traffic, administrators need to make sure that policies are in place detailing how such activities will be handled. Items such as warning banners and AUPs go a long way in making sure that users are adequately informed of what to expect when using company resources.
|
A warning banner is the verbiage that the user sees at the point of entry into a system. Its purpose is to set the right expectations for users accessing those systems. It also aids in prosecuting those who violate the AUPs. A sample AUP is shown here: WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized use is suspected. |
Clipping Levels
Have you ever tried to log in to your workplace 300 times at 4 a.m.? Most people have not, and that's where clipping levels come in. Clipping levels are a way to allow users to make an occasional mistake. A clipping level is a threshold for normal mistakes a user may commit before investigation or notification begins.
|
An understanding of the term clipping level is essential for mastery of the CISSP exam. A clipping level establishes a baseline violation count to ignore normal user errors. |
The clipping level allows the user to make an occasional mistake, but if the established level is exceeded, violations are recorded or some type of response occurs. Look no further than your domain controller to see a good example of how clipping levels work. As a domain administrator, you might allow users to attempt to log in three times with an incorrect password. If the user can't get it right on the third try, the account is locked and he or she is forced to call an administrator for help. If an administrator or help-desk personnel is contacted to reset a password, some second type of authentication should be used to protect against a social-engineering attack. Social engineering is discussed in more detail in Chapter 3, "Security-Management Practices."
|
To prevent social-engineering attacks, individuals who call to have their password reset should be required to provide additional authentication, such as date of birth, PIN, or passphrase. |
Intrusion Detection
Intrusion-detection systems detect inappropriate, incorrect, or anomalous activity. These devices work by matching the signatures of known attacks or by detecting deviations of normal behavior. Organizations that decide to implement IDS systems must determine not only what type to deploy, but also where to deploy the IDS. IDS systems can be deployed as follows:
- Network These devices attach to the LAN and sniff for traffic that has been flagged to be anomalous.
- Host This form of IDS resides upon the host device and examines only the traffic going to or coming from the host computer.
IDS systems don't prevent attacks, but they give administrators the capability to detect these events, determine their source, and decide how to respond.
Keystroke Monitoring
Keystroke monitoring is the process of recording the keystrokes entered by a computer user. Keystroke-monitoring tools can be software or hardware based. These tools enable the administrator to capture all user activity. Many of these tools even take snapshots of the computer screen and email these screen captures to a predetermined email account.
Facility Access Control
No monitoring plan is complete without implementing controls that monitor physical access. Some common facility access controls include these:
- Watching CCTV to monitor who enters or leaves the facility
- Installing card readers or biometric sensors on server room doors to maintain a log of who accesses this area
- Mounting alarm sensors on doors and windows to detect possible security breaches
- Using mantraps and gates to control traffic and log entry to secured areas