Introduction

Conceptually, auditing is the process by which one can ensure that a specific system, process, mechanism, or function meets a defined list of criteria. These criteria can range from whether documentation exists to the detailed security capabilities of whatever is being audited.

In the technological sense, the term auditing is most often used to describe methods for tracking and logging activities on information systems and networks. These activities can then be linked to specific user accounts or sources of activity. In the case of human error or software failure, audit trails can be extremely useful in determining the source of the problem, which is often the first step in the restoration of data integrity.

In the case of trusted systems, the assurance of a continuous audit process is an absolute requirement. This ensures that the system is continuously being monitored for a set of criteria, often including all user activity, process activity, and connectivity to and from the system itself. The information gathered by the audit mechanisms can be used to ensure that the activity of individuals on the trusted system can be traced to specific actions, and that those actions comply with defined security (and other) policies. This information can also be used to formulate evidence that can support any investigation into improper, illegal, or other activities that violate policy.

Most database applications support transaction logs detailing the activities that occur within the database. This log can then be used either to rebuild the database in the case of errors or to create a duplicate database at another location. To provide this detailed level of transactional logging, a great deal of drive space is required for the log file. This can make extensive logging impractical, and because such intense logging is not needed for most applications, logging of informational messages (such as system resource events and predefined log criteria) is the more common setting for database logging.

The logging features provided on most networks and systems involve the logging of known or partially known resource event activities. While these logs are sometimes used for analyzing system problems, they are also useful for those whose duty it is to process the log files and check for both valid and invalid system activities.

To assist in catching mistakes and reduce the likelihood of fraudulent activities, the activities of a process should be split among several people. This separation of duties allows the next person in line to possibly correct problems simply because they are being viewed with fresh eyes.

From a security point of view, separation of duties requires the collusion of at least two people to perform any unauthorized activities. The following guidelines assist in ensuring that the duties are split so as to offer no way other than collusion to perform invalid activities.

  • No Access to Sensitive Combinations of Capabilities   A classic example of this is control of inventory data and physical inventory. By separating the physical inventory control from the inventory data control, the temptation is removed for an employee to steal from inventory and then alter the data so that the theft is hidden.

  • Prohibit Conversion and Concealment   Another violation that can be prevented by separation of duties is the lack of supervision for people who have access to assets. An example of an activity that can be prevented when duties are properly segmented involves the lone operator on a night shift. This operator, without supervision, can copy (or "convert") customer lists and then sell them to interested parties. There have been instances reported of operators actually using the employer's computer to run a service bureau at night.

  • The Same Person Cannot Both Originate and Approve Transactions   When someone is able to enter and authorize their own expenses, it introduces the possibility that they might fraudulently enter invalid expenses for their own gain.

These principles, whether manual or electronic, form the basis for why audit logs are retained. They also identify why people other than those performing the activities reported in the log should be the ones who analyze the data in the log file.
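The three guidelines above are the kind of rule an access-control or workflow system enforces mechanically. The following is an added example, not code from the study guide: the capability names and the user directory are hypothetical, and the sensitive-combination set encodes the inventory and expense cases the text describes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical capability names for this example; a real system maps these to its own roles.
INVENTORY_PHYSICAL = "inventory.physical"
INVENTORY_DATA = "inventory.data"
EXPENSE_ENTER = "expense.enter"
EXPENSE_APPROVE = "expense.approve"

# Pairs that no single person may hold at once (the "sensitive combinations" guideline).
SENSITIVE_COMBINATIONS = {
    frozenset({INVENTORY_PHYSICAL, INVENTORY_DATA}),
    frozenset({EXPENSE_ENTER, EXPENSE_APPROVE}),
}


def sensitive_conflicts(capabilities):
    """Return the prohibited pairs fully contained in one person's capability set.
    Run this at provisioning time, before the rights are granted."""
    caps = set(capabilities)
    return [pair for pair in SENSITIVE_COMBINATIONS if pair <= caps]


@dataclass
class Transaction:
    originator: str
    amount: int
    approver: Optional[str] = None
    audit: list = field(default_factory=list)  # who decided what, for the log


def approve(tx, approver, directory):
    """Approve only if the approver is a different person who holds the approve
    capability (the "cannot both originate and approve" guideline). Every
    decision, including rejections, is recorded in the transaction's audit trail."""
    if approver == tx.originator:
        tx.audit.append(f"REJECT self-approval attempt by {approver}")
        return False
    if EXPENSE_APPROVE not in directory.get(approver, ()):
        tx.audit.append(f"REJECT {approver} lacks {EXPENSE_APPROVE}")
        return False
    tx.approver = approver
    tx.audit.append(f"APPROVE by {approver}")
    return True
```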

In keeping with the idea of separation of duties, as audit trails are deployed, it is important to have the logs sent to a secure, trusted location that is separate and non-accessible from the devices that are being monitored. This helps ensure that if any inappropriate activity occurs, the person cannot falsify the log. Inappropriate activity includes fraud, collusion, waste, abuse, and/or theft. A central logging facility (CLF) accomplishes this objective and provides the additional benefit of integrating disparate data for event correlation. If multiple sites experience the same exploit in the same timeframe, a CLF can collect information from each site to help determine the pattern of attack. A CLF can also reveal discrepancies between remote logs and the logs kept on the protected server. If an intruder or a network administrator changes a log that has already been sent to the CLF, the difference will be evident when the two are compared. This discourages network administrators from changing log file data to hide a breach involving collusion or other unauthorized use of system resources. It is possible, however, to alter the log files before they are sent to the CLF. Therefore, it is important to create preventative controls that maintain the integrity of the logs throughout the audit process.

When a syslog server acts as a CLF in a UNIX environment, separate from any other information system, it is the control that provides reasonable assurance that logs are not modified after they are submitted to the CLF. This control must be complemented with an administrative control, such as an internal audit review, to be effective. This increases the likelihood of an error or fraud being discovered, because technical controls (for example, programs) and administrative controls (for example, people) combined provide discovery information that must be interpreted and acted upon. The difference between technical controls and administrative controls can be better understood by examining the function of the internal audit department. Larger organizations have an internal audit department that reviews the logs on a regularly scheduled basis to check for inconsistencies and to respond to alerts. In smaller organizations, this function is addressed by the network administrator. It should not be left to a single network administrator, where log tampering could potentially go unchecked.
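The two CLF checks described above, the comparison of the CLF's copy against the log kept on the protected server, and a preventative integrity control over the forwarded stream, as an added example that is not part of the study guide. The log lines are constructed, the host name and key are hypothetical, and the hash chain is keyed with a secret held only by the CLF so that the monitored host cannot recompute the recorded digests.

```python
import hashlib
import hmac

# Constructed sample: the lines exactly as the CLF received them from the host.
CLF_COPY = [
    "Mar 10 02:14:01 dbhost sshd[4211]: Accepted publickey for admin from 10.0.5.7",
    "Mar 10 02:15:33 dbhost sudo: admin : COMMAND=/bin/cp /var/backups/customers.csv /tmp/x",
    "Mar 10 02:16:02 dbhost sudo: admin : COMMAND=/usr/bin/vi /var/log/auth.log",
    "Mar 10 02:20:45 dbhost sshd[4211]: Disconnected from 10.0.5.7",
]
# Constructed sample: the same log read later from the host itself, after one
# line was rewritten and one deleted locally (the originals were already forwarded).
LOCAL_COPY = [
    "Mar 10 02:14:01 dbhost sshd[4211]: Accepted publickey for admin from 10.0.5.7",
    "Mar 10 02:15:33 dbhost sudo: admin : COMMAND=/bin/ls /var/backups",
    "Mar 10 02:20:45 dbhost sshd[4211]: Disconnected from 10.0.5.7",
]
# Hypothetical key held only by the CLF, never by the monitored host.
CLF_KEY = b"constructed-example-key"


def chain_digests(lines, key):
    """Hash-chain the stream: digest i binds line i to every earlier line,
    so editing or dropping a line changes every digest after it."""
    prev = b"\x00" * 32
    digests = []
    for line in lines:
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        digests.append(prev)
    return digests


def first_break(lines, recorded, key):
    """Recompute the chain over the host's log and return the index of the
    first line that no longer matches the CLF's record (None if fully intact)."""
    fresh = chain_digests(lines, key)
    for i, (a, b) in enumerate(zip(fresh, recorded)):
        if not hmac.compare_digest(a, b):
            return i
    return None if len(fresh) == len(recorded) else min(len(fresh), len(recorded))


def compare_logs(clf_lines, local_lines):
    """Line-level discrepancies between the CLF copy and the host's own log."""
    clf, local = set(clf_lines), set(local_lines)
    return {
        "missing_on_host": [l for l in clf_lines if l not in local],
        "unknown_to_clf": [l for l in local_lines if l not in clf],
    }
```

The chain check tells the reviewer where the host's log first diverges; the set comparison tells them which lines were removed or rewritten, which is what the internal audit review then has to explain.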

The major control types are as follows:

  • Preventative   Preventative controls are intended to inhibit persons or processes from being able to initiate actions or activities that could potentially violate the policy for which the control was devised.

  • Detective   Detective controls are intended to identify actions or activities from any source that violate the policy for which the control was devised. Detective controls often act as a trigger for a corrective control.

  • Corrective   Corrective controls are intended to act upon a situation where a policy has been violated. Often called countermeasures, corrective controls can act in an automated fashion to inhibit the particular action or activity that violated a policy from becoming more serious than it already is.

  • Directive   Directive controls are intended to initiate or ensure that particular actions or activities take place. These are often set by administrators or management personnel to ensure that the requisite actions or activities for maintaining a policy or system integrity take place.

  • Recovery   Like corrective controls, recovery controls are intended to act upon a situation where a policy has been violated. As opposed to acting upon factors in the situation that has arisen due to the violation in policy, recovery controls attempt to restore the system or processes relating to the violation in policy to their original state.

Applying these controls in practice can be critical to achieving security objectives. By performing simple searches or reading through books and papers, one can find a plethora of information on security exploits, countermeasures, and best practices. The key to information security, however, is the ability to understand each of these items in a risk-based context, and the ability to utilize that information to improve the security of the system in question. The previous chapter describes risk, response, and recovery and should be kept in mind when approaching audit and monitoring topics. A risk-based approach to security design ensures that resources are allocated efficiently to mitigate the most significant threats to an organization. The security exploits and countermeasures change frequently, so organizations tend to ask, "How can I protect myself from threats that change on a daily basis?" Industry best practice statements are useful from a guidance standpoint, but fall short of what is really required to create a robust, secure organization. The primary requirement is a security framework that is capable of continually auditing and monitoring the compliance to security policy across an organization, and is then capable of acting on any findings to improve the security posture of the organization. This is called the continuous audit process, and is often assisted by a Computer Assisted Audit Tool (CAAT).

A CAAT is any software or hardware used to perform audit processes. CAATs can help find errors, detect fraud, identify areas where processes can be improved, and analyze data to detect deviations from the norm. Examples of mainframe tools that perform this function are EZTrieve, CA-PanAudit, FocAudit, and SAS. On personal computers, spreadsheet or database programs can be used for auditing, or a Generalized Audit Software (GAS) tool that performs these functions, such as Integrated Development Environment Application (IDEA).

Exam Warning 

IDEAs perform data extraction and analysis, and should not be confused with the International Data Encryption Algorithm whose acronym is also IDEA.

The advantage with almost any automated security audit tool is automation of manual tasks for data analysis to help the audit process. The downside or danger in any of these tools is reliance on automated tools to replace human observation and intuition. Instead, auditors should use these tools to exhaustively test data in different ways, test data integrity, identify trends, anomalies, and exceptions, and to promote creative approaches to audit while leveraging these tools.

Organizational security policy must be made readily available to all personnel who will be expected to make use of and adhere to it. It is common practice in an organization with a mature security practice to make the security policy readily available on the company intranet for reference. It is also helpful to provide e-mail pointers when the security policy changes to keep people up to date. If an organization provides a questionnaire that requires end-user identification and authentication to actually take the test, then there is further assurance that employees understand the security policy and are better equipped to uphold it. If, for instance, a questionnaire indicates that everyone in Information Technology (IT) scores a 90 percent or better but the marketing department scored 60 percent or less on average, the company should consider training programs directed towards the marketing department to improve their scores. An improved score would ideally correlate to better understanding of information security policy and awareness of security issues. This is crucial, because the human element is often considered the weakest link in the information security chain. (Please refer to the section on social engineering later in this chapter.) The end goal for a mature security organization is to create a culture of information protection awareness and individual responsibility. If everyone in an organization makes an effort to comply with the security policy, the security posture is significantly improved. So, where do you start? Auditing and monitoring are the tools that actually measure that compliance. Confidentiality, integrity, and availability are high-level goals that should be considered a starting point.

The security triad comprises three elements: confidentiality, integrity, and availability (CIA).

  • Confidentiality   Ensures that something that is secret remains so. Confidentiality ensures that protected data is not being disclosed to the public.

  • Integrity   Ensures that information is correct, can be relied upon, and has not been subject to unauthorized alteration. Three principles apply to establishing integrity controls:

    1. Access is Provided on a Need-to-Know Basis   Controls that ensure the need to know prevent the granting of excessive rights beyond a user's business requirements or clearance level.

    2. Separation of Duties   Controls that enforce separation of duties require the collusion of two or more people to bypass the control in question, and ensure that no one person has both authorization and oversight responsibilities.

    3. Rotation of Duties   Controls that enforce the rotation of duties ensure that there is a capability for irregularities to be detected by a "fresh set of eyes," that might otherwise have gone unnoticed if the same person remained in the same position.

  • Availability   Ensures that services and information are ready for use when needed by an organization. This also includes steps to ensure that data can be recovered and restored.

These three elements are interdependent and not mutually exclusive. If an organization has great confidentiality and integrity controls but the information is not available, the first two are rendered useless from a security point of view. These three security elements make up the foundation upon which detailed controls, practices, and processes can be used to ensure compliance with organizational security policy. (More information can be found on the information security triad in Chapter 2.)

Exam Warning 

Be sure that you understand the difference between the usages of the word audit. The first, when used as a noun, is defined as an inspection of the accounting procedures and records by a trained accountant. This is also known as a methodical examination and review of a situation. However, when used as a transitive verb, audit is defined as "to perform an audit on."



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
