Operation procedures should also include auditing and monitoring. Auditing and monitoring are tied to accountability. These items are tied together because if you don't have accountability for specific users, you cannot perform an effective audit. True security relies on the ability to verify that individual users perform specific actions. Without the capability to hold individuals accountable, organizations can't enforce security policies. Some of the primary ways accountability is established is by auditing user activity, analyzing traffic patterns, scanning for intrusions, and monitoring the movement of individuals throughout the organization's premises.
Make sure you know the difference between audit and accountability for the exam. Audit controls are detective controls, are utilized after the fact, and are usually implemented to detect fraud or other illegal activities. Accountability is the ability to track specific actions, transactions, changes, and resource usage to a specific user within the system. This is accomplished, in part, by having unique identification for each user and strong authentication mechanisms.
Auditing produces audit trails. These trails can be used to re-create events and verify whether security policies were violated. The biggest disadvantage of the audit process is that it is detective in nature and that audit trails are usually examined after an event. Some might think of audit trails only as something that corresponds to logical access, but auditing can also be applied to physical access. Auditing tools can be used to monitor who entered the facility and what time certain areas were accessed.
The security professional has plenty of available tools that can help isolate the activities of individual users. Windows Event Viewer, Auditpol, and Elsave are all tools used to view and work with audit logs.
Many organizations monitor network traffic to look for suspicious activity and anomalies. Some monitoring tools enable administrators just to examine packet headers, whereas others can completely re-create network traffic. Snort and TCPdump are two such tools. Regardless of the tools used to capture and analyze this traffic, administrators need to make sure that policies are in place detailing how such activities will be handled. Items such as warning banners and AUPs go a long way in making sure that users are adequately informed of what to expect when using company resources.
A warning banner is the verbiage that the user sees at the point of entry into a system. Its purpose is to set the right expectations for users accessing those systems. It also aids in prosecuting those who violate the AUPs. A sample AUP is shown here:
WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized use is suspected.
Have you ever tried to log in to your workplace 300 times at 4 a.m.? Most people have not, and that's where clipping levels come in. Clipping levels are a way to allow users to make an occasional mistake. A clipping level is a threshold for normal mistakes a user may commit before investigation or notification begins.
An understanding of the term clipping level is essential for mastery of the CISSP exam. A clipping level establishes a baseline violation count to ignore normal user errors.
The clipping level allows the user to make an occasional mistake, but if the established level is exceeded, violations are recorded or some type of response occurs. Look no further than your domain controller to see a good example of how clipping levels work. As a domain administrator, you might allow users to attempt to log in three times with an incorrect password. If the user can't get it right on the third try, the account is locked and he or she is forced to call an administrator for help. If an administrator or help-desk personnel is contacted to reset a password, some second type of authentication should be used to protect against a social-engineering attack. Social engineering is discussed in more detail in Chapter 3, "Security-Management Practices."
To prevent social-engineering attacks, individuals who call to have their password reset should be required to provide additional authentication, such as date of birth, PIN, or passphrase.
Intrusion-detection systems detect inappropriate, incorrect, or anomalous activity. These devices work by matching the signatures of known attacks or by detecting deviations of normal behavior. Organizations that decide to implement IDS systems must determine not only what type to deploy, but also where to deploy the IDS. IDS systems can be deployed as follows:
IDS systems don't prevent attacks, but they give administrators the capability to detect these events, determine their source, and decide how to respond.
Keystroke monitoring is the process of recording the keystrokes entered by a computer user. Keystroke-monitoring tools can be software or hardware based. These tools enable the administrator to capture all user activity. Many of these tools even take snapshots of the computer screen and email these screen captures to a predetermined email account.
Keystroke Logging and the Law
For the administrator, it's important to note that the U.S. Department of Justice has noted that administrators should protect themselves by giving notice to users if keystroke monitoring has been implemented. This notification can be by means of company policy or warning banner. Administrators who fail to implement these operational policies that specify how keystroke monitoring is to be used could be subject to criminal and civil liabilities.
Facility Access Control
No monitoring plan is complete without implementing controls that monitor physical access. Some common facility access controls include these: