QUESTION NUMBER 107-111
107. What are the various types of audit trails?
various types of audit trails are as follow.
- Keystroke Monitoring
- Audit Events
- System-Level Audit Trails
- Application-Level Audit Trails
- User Audit Trails
Keystroke Monitoring
Keystroke monitoring is the process used to view or record both the keystrokes entered by a
computer user and the computer's response during an interactive session. Keystroke monitoring
is usually considered a special case of audit trails. Examples of keystroke monitoring would
include viewing characters as they are typed by users, reading users' electronic mail, and viewing
other recorded information typed by users.
Some forms of routine system maintenance may record user keystrokes. This could constitute keystroke monitoring if the keystrokes are preserved along with the user identification so that an administrator could determine the keystrokes entered by specific users. Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair damage caused by intruders.
Audit Events
System audit records are generally used to monitor and fine-tune system performance. Application audit trails may be used to discern flaws in applications, or violations of security policy committed within an application. User audits records are generally used to hold individuals accountable for their actions. An analysis of user audit records may expose a variety of security violations, which might range from simple browsing to attempts to plant Trojan horses or gain unauthorized privileges.
The system itself enforces certain aspects of policy (particularly system-specific policy) such as access to files and access to the system itself. Monitoring the alteration of systems configuration files that implement the policy is important. If special accesses (e.g., security administrator access) have to be used to alter configuration files, the system should generate audit records whenever these accesses are used. .
Sometimes a finer level of detail than system audit trails is required. Application audit trails can provide this greater level of recorded detail. If an application is critical, it can be desirable to record not only who
invoked the application, but certain details specific to each use. For example, consider an e-mail application. It may be desirable to record who sent mail, as well as to whom they sent mail and the length of messages.
Another example would be that of a database application. It may be useful to record who accessed what database as well as the individual rows or columns of a table that were read (or changed or deleted), instead of just recording the execution of the database program. .
A user audit trail monitors and logs user activity in a system or application by recording events initiated by the user (e.g., access of a file, record or field, use of a modem). .
Flexibility is a critical feature of audit trails. Ideally (from a security point of view), a system administrator would have the ability to monitor all system and user activity, but could choose to log only certain functions at the system level, and within certain applications. The decision of how much to log and how much to review should be a function of application/data sensitivity and should be decided by each functional
manager/application owner with guidance from the system administrator and the computer security manager/officer, weighing the costs and benefits of the logging. Audit logging can have privacy implications; users should be aware of applicable privacy laws, regulations, and policies that may apply in such situations. .
System-Level Audit Trails
If a system-level audit capability exists, the audit trail should capture, at a minimum, any attempt to log on (successful or unsuccessful), the log-on ID, date and time of each log-on attempt, date and time of each
log-off, the devices used, and the function(s) performed once logged on (e.g., the applications that the user tried, successfully or unsuccessfully, to invoke). System-level logging also typically includes information that is not specifically security-related, such as system operations, cost-accounting charges, and network performance. .
Application-Level Audit Trails
System-level audit trails may not be able to track and log events within applications, or may not be able to provide the level of detail needed by application or data owners, the system administrator, or the computer security manager. In general, application-level audit trails monitor and log user activities, including data files opened and closed, specific actions, such as reading, editing, and deleting records or fields, and
printing reports. Some applications may be sensitive enough from a data availability, confidentiality, and/or integrity perspective that a "before" and "after" picture of each modified record (or the data element(s) changed within arecord) should be captured by the audit trail. .
User Audit Trails
User audit trails can usually log: .
- all commands directly initiated by the user;
- all identification and authentication attempts; and
- files and resources accessed. .
It is most useful if options and parameters are also recorded from commands. It is much more useful to know that a user tried to delete a log file (e.g., to hide unauthorized actions) than to know the user merely issued the delete command, possibly for a personal data file.
108. Explain Audit Trails. What are the two types of audit records explain in detail?
Audit trails maintain a record of system
activity both by system and application
processes and by user activity of systems and
applications.
In conjunction with
appropriate tools and procedures, audit trails
can assist in detecting security violations,
performance problems, and flaws in
applications.
Audit trails may be used as either a support
for regular system operations or a kind of
insurance policy or as both of these. As
insurance, audit trails are maintained but are
not used unless needed, such as after a system
outage. As a support for operations, audit trails are used to help system administrators
ensure that the system or resources have not been harmed by hackers, insiders, or technical
problems.
Two types of audit records
There are typically two kinds of audit records, (1)
an event-oriented log and (2)
a record of every keystroke, often called keystroke monitoring.
Keystroke Monitoring
Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails. Examples of keystroke monitoring would include viewing characters as they are typed by users, reading users' electronic mail, and viewing other recorded information typed by users.
Some forms of routine system maintenance may record user keystrokes. This could constitute keystroke monitoring if the keystrokes are preserved along with the user identification so that an administrator could determine the keystrokes entered by specific users. Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair damage caused by intruders.
Audit Events
System audit records are generally used to monitor and fine-tune system performance. Application audit trails may be used to discern flaws in applications, or violations of security policy committed within an application. User audits records are generally used to hold individuals accountable for their actions. An analysis of user audit records may expose a variety of security violations, which might range from simple browsing to attempts to plant Trojan horses or gain unauthorized privileges.
The system itself enforces certain aspects of policy (particularly system-specific policy) such as access to files and access to the system itself. Monitoring the alteration of systems configuration files that implement the policy is important. If special accesses (e.g., security administrator access) have to be used to alter configuration files, the system should generate audit records whenever these accesses are used. .
Sometimes a finer level of detail than system audit trails is required. Application audit trails can provide this greater level of recorded detail. If an application is critical, it can be desirable to record not only who
invoked the application, but certain details specific to each use. For example, consider an e-mail application. It may be desirable to record who sent mail, as well as to whom they sent mail and the length of messages.
Another example would be that of a database application. It may be useful to record who accessed what database as well as the individual rows or columns of a table that were read (or changed or deleted), instead of just recording the execution of the database program. .
A user audit trail monitors and logs user activity in a system or application by recording events initiated by the user (e.g., access of a file, record or field, use of a modem). .
Flexibility is a critical feature of audit trails. Ideally (from a security point of view), a system administrator would have the ability to monitor all system and user activity, but could choose to log only certain functions at the system level, and within certain applications. The decision of how much to log and how much to review should be a function of application/data sensitivity and should be decided by each functional
manager/application owner with guidance from the system administrator and the computer security manager/officer, weighing the costs and benefits of the logging. Audit logging can have privacy implications; users should be aware of applicable privacy laws, regulations, and policies that may apply in such situations. .
109. List the steps to perform information security audit.
The following are 10 steps to conducting your own basic IT security audit. While these steps won't be as extensive as audits provided by professional consultants, this DIY version will get you started on the road to protecting your own company.
1. Defining the Scope of Your Audit: Creating Asset Lists and a Security Perimeter
The first step in conducting an audit is to create a master list of the assets your company has, in order to later decide upon what needs to be protected through the audit. While it is easy to list your tangible assets, things like computers, servers, and files, it becomes more difficult to list intangible assets. To ensure consistency in deciding which intangible company assets are included, it is helpful to draw a "security perimeter" for your audit.
What is the Security Perimeter?
The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore. You ultimately decide for yourself what your security perimeter is, but a general rule of thumb is that the security perimeter should be the smallest boundary that contains the assets that you own and/or need to control for your own company's security.
Assets to Consider
Once you have drawn up your security perimeter, it is time to complete your asset list. That involves considering every potential company asset and deciding whether or not it fits within the "security perimeter" you have drawn. To get you started, here is a list of common sensitive assets:
• Computers and laptops
• Routers and networking equipment
• Printers
• Cameras, digital or analog, with company-sensitive photographs
• Data - sales, customer information, employee information
• Company smartphones/ PDAs
• VoIP phones, IP PBXs (digital version of phone exchange boxes), related servers
• VoIP or regular phone call recordings and records
• Email
• Log of employees daily schedule and activities
• Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database
• Web server computer
• Security cameras
• Employee access cards.
• Access points (i.e., any scanners that control room entry)
This is by no means an exhaustive list, and you should at this point spend some time considering what other sensitive assets your company has. The more detail you use in listing your company's assets (e.g., "25 Dell Laptops Model D420 Version 2006", instead of "25 Computers") the better, because this will help you recognize more clearly the specific threats which face each particular company asset.
2. Creating a 'Threats List'
You can't protect assets simply by knowing what they are, you also have to understand how each individual asset is threatened. So in this stage you will compile an overall list of threats which currently face your assets.
What Threats to Include?
If your threat list is too broad, your security audit will end up getting focused on threats which are extremely small or remote. When deciding whether to include a particular threat on your 'Threat List' keep in mind that your test should follow a sliding scale. For example, if you are considering whether the possibility of a hurricane flooding out your servers you should consider both, how remote the threat is, but also how devastating the harm would be if it occurred. A moderately remote harm can still be reasonably included in your threat list if the potential harm it would bring is large enough to your company.
Common 'Threats' to Get you Started?
Here are some relatively common security threats to help you get started in creating your company's threat list:
Computer and network passwords. Is there a log of all people with passwords (and what type). How secure is this ACL list, and how strong are the passwords currently in use?
Physical assets. Can computers or laptops be picked up and removed from the premises by visitors or even employees?
Records of physical assets. Do they exist? Are they backed up?
Data backups. What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?
Logging of data access. Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
Access to sensitive customer data, e.g., credit card info. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
Access to client lists. Does the website allow backdoor access into the client database? Can it be hacked?
Long-distance calling. Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
Emails. Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?
3. Past Due Diligence & Predicting the Future
At this point, you have compiled a list of current threats, but what about security threats that have not come on to your radar yet, or haven't even been developed? A good security audit should account not just for those security threats that face your company today, but those that will arise in the future.
Examining Your Threat History
The first step towards predicting future threats is to examine your company's records and speak with long-time employees about past security threats that the company has faced. Most threats repeat themselves, so by cataloging your company's past experiences and including the relevant threats on your threat list you'll get a more complete picture of your company's vulnerabilities.
Checking Security Trends
In addition to checking for security threats specific to your particular industry, ITSecurity.com's recent white paper covers trends for 2007 as well as offering a regularly updated blog which will keep you abreast of all new security threat developments. Spend some time looking through these resources and consider how these trends are likely to affect your business in particular. If you're stumped you may want to Ask the IT Security Experts directly.
Checking with your Competition
When it comes to outside security threats, companies that are ordinarily rivals often turn into one another's greatest asset. By developing a relationship with your competition you can develop a clearer picture of the future threats your company will face by sharing information about security threats with one another.
4. Prioritizing Your Assets & Vulnerabilities
You have now developed a complete list of all the assets and security threats that your company faces. But not every asset or threat has the same priority level. In this step, you will prioritize your assets and vulnerabilities in order to know your company's greatest security risks, and so that you can allocate your company's resources accordingly.
Perform a Risk Calculation/ Probability Calculation
The bigger the risk, the higher priority dealing with the underlying threat is. The formula for calculating risk is:
Risk = Probability x Harm
The risk formula just means that you multiply the likelihood of a security threat actually occurring (probability) times the damage that would occur to your company if the threat actually did occur (harm). The number that comes out of that equation, is the risk that threat poses to your company.
Calculating Probability
Probability is simply the chance that a particular threat will actually occur. Unfortunately, there isn't a book that lists the probability that your website will be hacked this year, so you have to come up with those figures yourself.
Your first step in calculating probability should be to do some research into your company's history with this threat, your competitors' history, and any empirical studies on how often most companies face this threat. Any probability figure that you ultimately come up with is an estimate, but the more accurate the estimate, the better your risk calculation will be.
Calculating Harm
How much damage would a particular threat cause if it occurred? Calculating the potential harm of a threat can be done in a number of different ways. You might count up the cost in dollars that replacing the lost revenue or asset would cost the company. Or instead you might calculate the harm as the number of man-hours which would be lost trying to remedy the damage once it has occurred. But whatever method you use, it is important that you stay consistent throughout the audit in order to get an accurate priorities list.
Developing Your Security Threat Response Plan
When working down your newly developed priority list, there will be a number of potential responses you could make to any particular threat. The remaining six points in this article cover the primary responses a company can make to a particular threat. While these security responses are by no means the only appropriate ways to deal with a security threat, they will cover the vast majority of the threats your company faces, and as a result you should go through this list of potential responses before considering any alternatives.
5. Implementing Network Access Controls
Network Access Controls, or NACs, check the security of any user trying to access a network. So, for example, if you are trying to come up with a solution for the security threat of your competition stealing company information from private parts of the company's website, applying network access controls or NACs is an excellent solution.
Part of implementing effective NAC is to have an ACL (Access Control List), which indicates user permissions to various assets and resources. Your NAC might also include steps such as; encryption, digital signatures, ACLs, verifying IP addresses, user names, and checking cookies for web pages.
6. Implementing Intrusion Prevention
While a Network Access Control deals with threats of unauthorized people accessing the network by taking steps like password protecting sensitive data, an Intrustion Prevention System (IPS) prevents more malicious attacks from the likes of hackers.
The most common form of an IPS is a second generation firewall. Unlike first generation firewalls, which were merely content based filters, a second generation firewall adds to the content filter a 'Rate-based filter'.
Content-based. The firewall does a deep pack inspection, which is a thorough look at actual application content, to determine if there are any risks.
Rate-based. Second generation firewalls perform advanced analyses of either web or network traffic patterns or inspection of application content, flagging unusual situations in either case.
7. Implementing Identity & Access Management
Identity and Access Management (IAM) simply means controlling users' access to specific assets. Under an IAM, users have to manually or automatically identify themselves and be authenticated. Once authenticated, they are given access to those assets to which they are authorized.
An IAM is a good solution when trying to keep employees from accessing information they are not authorized to access. So, for instance, if the threat is that employees will steal customers credit card information, an IAM solution is your best bet.
8. Creating Backups
When we think of IT security threats, the first thing that comes to mind is hacking. But a far more common threat to most companies is the accidental loss of information. Although it's not sexy, the most common way to deal with threats of information loss is to develop a plan for regular backups. These are a few of the most common backup options and questions you should consider when developing your own backup plan:
Onsite storage. Onsite storage can come in several forms, including removable hard drives or tape backups stored in a fireproofed, secured-access room. The same data can be stored on hard drives which are networked internally but separated by a DMZ (demilitarized zone) from the outside world.
Offsite storage. Mission-critical data could be stored offsite, as an extra backup to onsite versions. Consider worst-case scenarios: If a fire occurred, would your hard-drives or digital tapes be safe? What about in the event of a hurricane or earthquake? Data can be moved offsite manually on removable media, or through a VPN (Virtual Private Network) over the Internet
.
Secured access to backups. Occasionally, the need to access data backups will arise. Access to such backups, whether to a fireproofed room or vault, or to an offsite data center, physically or through a VPN, must be secure. This could mean issuing keys, RFID-enabled "smart pass cards", VPN passwords, safe combinations, etc.
Scheduling backups. Backups should be automated as much as possible, and scheduled to cause minimum disruption to your company. When deciding on the frequency of backups, be aware that if your backups aren't frequent enough to be relevant when called upon, they are not worth conducting at all.
9. Email Protection & Filtering
Each day, 55 billion spam messages are sent by email throughout the world. To limit the security risk that unwanted emails pose, spam filters and an educated workforce are a necessary part of every company's security efforts. So, if the threat you are confronting is spam emails, the obvious (and correct) response is to implement an email security and filtering system for your company.
While the specific email security threats confronting your company will determine the appropriate email protections you choose, here are a few common features:
Encrypt emails. When sending sensitive emails to other employees at other locations, or to clients, emails should be encrypted. If you have international clients, make sure that you use encryption allowed outside of the United States and Canada.
Try steganography. Steganography is a technique for hiding information discreetly in the open, such as within a digital image. However, unless combined with something like encryption, it is not secure and could be detected.
Don't open unexpected attachments. Even if you know the sender, if you are not expecting an email attachment, don't open it, and teach your employees to do the same.
Don't open unusual email. No spam filter is perfect. But if your employees are educated about common spam techniques, you can help keep your company assets free of viruses.
10. Preventing Physical Intrusions
Despite the rise of new generation threats like hacking and email spam, old threats still imperil company assets. One of the most common threats is physical intrusions. If, for example, you are trying to deal with the threat of a person breaking into the office and stealing company laptops, and along with them valuable company information, then a plan for dealing with physical intrusions is necessary.
Here are some common physical threats along with appropriate solutions for dealing with them:
Breaking into the office: Install a detection system. Companies like ADT have a variety of solutions for intrusion detection and prevention, including video surveillance systems.
Stolen laptop: Encrypt hard drive. Microsoft offers an Encrypt File System, or EFS, which can be used to encrypt sensitive files on a laptop.
Stolen screaming smart phones. A new service from Synchronica protect smartphones and PDAs, should they be stolen. Once protected, a stolen phone cannot be used without an authorization code. If this is not given correctly, all data is wiped from the phone and a high-pitch "scream" is emitted. Once your phone is recovered, the data can be restored from remote servers. Currently, this particular service is limited to the UK, but comparable services are available throughout the world.
Kids + Pets = Destruction: Prevent unauthorized access. For many small-business owners, the opportunity to work from home is an important perk. But having children and/or pets invading office space and assets can often be a greater risk that that posed by hackers. By creating an appropriate-use policy and sticking with it small business owners can quickly deal with one of their most significant threats.
Internal Click Fraud: Education and Blocks. Many web-based businesses run advertising such as Google AdSense or Chitika to add an extra revenue stream. However, inappropriate clicking of the ads by employees or family can cause your account to be suspended. Make employees aware of such things, and prevent the company's live website from being viewed internally.
110. What are the implementations issues regarding Audit Trail?
Audit trail data requires protection, since the data should be available for use when needed and is not useful if it is not accurate. Also, the best planned and implemented audit trail is of limited value without timely review of the logged data. Audit trails may be reviewed periodically, as needed (often triggered by occurrence of a security event), automatically in realtime, or in some combination of these. System managers and administrators, with guidance from computer security personnel, should determine how long audit trail data will be maintained -- either on the system or in archive files.
Following are examples of implementation issues that may have to be addressed when using audit trails. .
1. Protecting Audit Trail Data .
Access to on-line audit logs should be strictly controlled. Computer security managers and system administrators or managers should have access for review purposes; however, security and/or administration personnel who maintain logical access functions may have no need for access to audit logs. .
It is particularly important to ensure the integrity of audit trail data against modification. One way to do this is to use digital signatures. (See Chapter 19.) Another way is to use write-once devices. The audit trail files needs to be protected since, for example, intruders may try to "cover their tracks" by modifying audit trail records. Audit trail records should be protected by strong access controls to help prevent unauthorized access. The integrity of audit trail information may be particularly important when legal issues arise, such as when audit trails are used as legal evidence. (This may, for example, require daily printing and signing of the logs.) Questions of such legal issues should be directed to the cognizant legal counsel. .
The confidentiality of audit trail information may also be protected, for example, if the audit trail is recording information about users that may be disclosure-sensitive such as transaction data containing personal information (e.g., "before" and "after" records of modification to income tax data). Strong access controls and encryption can be particularly effective in preserving confidentiality. .
2. Review of Audit Trails
Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers should know what to look for to be effective in spotting unusual activity. They need to understand what normal activity looks like. Audit trail review can be easier if the audit trail function can be queried by user ID, terminal ID, application name, date and time, or some other set of parameters to run reports of selected information. .
Audit Trail Review After an Event. Following a known system or application software problem, a known violation of existing requirements by a user, or some unexplained system or user problem, the appropriate system-level or application-level administrator should review the audit trails. Review by the application/data owner would normally involve a separate report, based upon audit trail data, to determine if their resources are being misused. .
Periodic Review of Audit Trail Data. Application owners, data owners, system administrators, data processing function managers, and computer security managers should determine how much review of audit trail records is necessary, based on the importance of identifying unauthorized activities. This determination should have a direct correlation to the frequency of periodic reviews of audit trail data. .
Real-Time Audit Analysis. Traditionally, audit trails are analyzed in a batch mode at regular intervals (e.g., daily). Audit records are archived during that interval for later analysis. Audit analysis tools can also be used in a real-time, or near real-time fashion. Such intrusion detection tools are based on audit reduction, attack signature, and variance techniques. Manual review of audit records in real time is almost never feasible on large multiuser systems due to the volume of records generated. However, it might be possible to view all records associated with a particular user or application, and view them in real time. .
3. Tools for Audit Trail Analysis.
Many types of tools have been developed to help to reduce the amount of information contained in audit records, as well as to distill useful information from the raw data. Especially on larger systems, audit trail software can create very large files, which can be extremely difficult to analyze manually. The use of automated tools is likely to be the difference between unused audit trail data and a robust program. Some of the types of tools include: .
Audit reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. (This alone may cut in half the number of records in the audit trail.) These tools generally remove records generated by specified classes of events, such as records generated by nightly backups might be removed. .
Trends/variance-detection tools look for anomalies in user or system behavior. It is possible to construct more sophisticated processors that monitor usage trends and detect major variations. For example, if a user typically logs in at 9 a.m., but appears at 4:30 a.m. one morning, this may indicate a security problem that may need to be investigated. .
Attack signature-detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example would be repeated failed log-in attempts.
111. Write a note on interdependencies in Audit Trial.
The ability to audit supports many of the controls presented in this handbook. The following
paragraphs describe some of the most important interdependencies.
Policy.
The most fundamental interdependency of audit trails is with policy. Policy dictates who
is authorized access to what system resources. Therefore it specifies, directly or indirectly, what
violations of policy should be identified through audit trails.
Assurance.
System auditing is an important aspect of operational assurance. The data recorded
into an audit trail is used to support a system audit. The analysis of audit trail data and the
process of auditing systems are closely linked; in some cases, they may even be the same thing. In
most cases, the analysis of audit trail data is a critical part of maintaining operational assurance.
Identification and Authentication.
Audit trails are tools often used to help hold users accountable
for their actions. To be held accountable, the users must be known to the system (usually
accomplished through the identification and authentication process). However, as mentioned
earlier, audit trails record events and associate them with the perceived user (i.e., the user ID). If
a user is impersonated, the audit trail will establish events but not the identity of the user.
Logical Access Control.
Logical access controls restrict the use of system resources to
authorized users. Audit trails complement this activity in two ways. First, they may be used to
identify breakdowns in logical access controls or to verify that access control restrictions are
behaving as expected, for example, if a particular user is erroneously included in a group
permitted access to a file. Second, audit trails are used to audit use of resources by those who
have legitimate access. Additionally, to protect audit trail files, access controls are used to ensure
that audit trails are not modified.
Contingency Planning.
Audit trails assist in contingency planning by leaving a record of activities
performed on the system or within a specific application. In the event of a technical malfunction,
this log can be used to help reconstruct the state of the system (or specific files).
Incident Response.
If a security incident occurs, such as hacking, audit records and other
intrusion detection methods can be used to help determine the extent of the incident. For
example, was just one file browsed, or was a Trojan horse planted to collect passwords?
Cryptography.
Digital signatures can be used to protect audit trails from undetected
modification. (This does not prevent deletion or modification of the audit trail, but will provide
an alert that the audit trail has been altered.) Digital signatures can also be used in conjunction
with adding secure time stamps to audit records. Encryption can be used if confidentiality of
audit trail information is important.
