11.4.5 AUDIT LOGGING IN MONITORING SYSTEM ACCESS
Most access control software has security features that enable a security administrator to automatically log and report all levels of access attempts — successes and failures. :robot_face: :bookmark_tabs:
Access Rights to System Logs
Computer security managers and system administrators/managers have access to the logs for review purposes.
Security and/or administration personnel who MAINTAIN logical access functions may NOT NEED TO ACCESS audit logs (those who can change access rules should not also control the record of those changes). :information_desk_person: :forbidden: :bookmark_tabs:
It is important to ensure the integrity of audit trail data. This can be done using digital signatures, write-once devices or a SIEM system.
In many cases, especially in legal cases, the confidentiality of audit trail information may also need to be protected: the audit trail records information about users that may be sensitive, such as transaction data containing personal information. Strong access controls and encryption can be particularly effective in preserving confidentiality.
Media logging is used to support accountability. Keystroke logging can be turned on for users who have sensitive access privileges.
Logs can include control numbers (or other tracking data), the times and dates of transfers, and the names and signatures of the individuals involved.
A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or system access during unusual hours.
Tools for Audit Trail (Logs) Analysis
• Audit reduction tools: preprocessors designed to reduce the volume of audit records to facilitate manual review. They generally remove records generated by specified classes of events — for example, records generated by nightly backups might be removed.
• Trend/variance detection tools: look for anomalies in user or system behavior. It is possible to construct more sophisticated processors that monitor usage trends and detect major variations. For example, if a user typically logs in at 09:00 but appears at 04:30 one morning, this may indicate a security problem that may need to be investigated.
• Attack signature detection tools: look for an attack signature, which is a specific SEQUENCE OF EVENTS that INDICATES an UNAUTHORIZED ATTEMPT OF ACCESS. An example would be repeated failed logon attempts. These tools can also be configured to perform automated tasks based upon the alerts.
• SIEM tools: capture audit trails or logs, perform real-time analysis on them, and aggregate audit trails and logs from many different sources. These data can then be correlated, and alerts provided if required.
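As an added illustration (not from the manual or these notes), the following Python runs the three kinds of analysis just listed over a few constructed audit records: audit reduction that drops the nightly-backup event class, trend/variance detection of the 09:00 user who appears at 04:30, and a signature match on repeated failed logons. The record layout, event names and thresholds are assumptions, not any product's format.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit records (not taken from any real system).
SAMPLE_LOG = """\
2024-03-04 09:02:11 LOGIN_OK user=alice
2024-03-04 23:00:00 BACKUP_START user=backup
2024-03-05 09:01:40 LOGIN_OK user=alice
2024-03-07 04:30:12 LOGIN_OK user=alice
2024-03-07 04:31:00 LOGIN_FAIL user=bob
2024-03-07 04:31:05 LOGIN_FAIL user=bob
2024-03-07 04:31:09 LOGIN_FAIL user=bob
"""

def parse(text):
    """Turn one record per line into dicts with a datetime, event name and user."""
    out = []
    for line in text.splitlines():
        date, time, event, user = line.split()
        out.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                    "event": event, "user": user.split("=", 1)[1]})
    return out

def reduce_audit(records, drop_events=("BACKUP_START",)):
    """Audit reduction: remove whole classes of routine events (e.g. nightly backups)."""
    return [r for r in records if r["event"] not in drop_events]

def login_hour_variances(records, max_hours=3.0):
    """Trend/variance detection: compare each login hour with the user's running average."""
    history, alerts = defaultdict(list), []
    for r in records:
        if r["event"] == "LOGIN_OK":
            hour = r["ts"].hour + r["ts"].minute / 60
            seen = history[r["user"]]
            if len(seen) >= 2 and abs(hour - sum(seen) / len(seen)) > max_hours:
                alerts.append((r["user"], r["ts"].isoformat()))
            seen.append(hour)
    return alerts

def failed_logon_signature(records, threshold=3):
    """Attack-signature detection: N consecutive failed logons for one user."""
    streak, alerts = defaultdict(int), []
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            streak[r["user"]] += 1
            if streak[r["user"]] == threshold:
                alerts.append((r["user"], r["ts"].isoformat()))
        elif r["event"] == "LOGIN_OK":
            streak[r["user"]] = 0  # a successful logon ends the streak
    return alerts
```

Running the reduction first and the detectors over its output mirrors the order in which the tools are used in practice: cut volume, then look for variances and signatures.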
WHY not simply log everything? Because of the costs of audit trails:
• System overhead is incurred while recording the audit trail, and further system overhead will be incurred to store and process the records. Logging every event can cause the system to lock up or slow to the point at which response time would be measured in minutes.
• Another cost involves the human and machine time required when performing the analysis.
• The final cost of audit trails is the cost of investigating unexpected and anomalous events. If the system identifies too many events as suspicious, administrators may spend undue time reconstructing events and questioning personnel. :footprints: :feet: :information_desk_person: :clock1: :clock2: :clock3: :question: :boy::skin-tone-3:
When reviewing or performing security access follow-up, the IS auditor should look for:
• Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application. :chart_with_upwards_trend: :chart_with_downwards_trend: :bar_chart:
• Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords. :warning: :forbidden:
When a violation is identified:
• The person who identified the violator should refer the problem to the security administrator for investigation.
• The security administrator and responsible management should work together to investigate and determine the severity of the violation. Generally, most violations are accidental.
• If a violation attempt is serious, executive management should be notified, not law enforcement officials. Executive management normally is responsible for notifying law enforcement officials; the decision to involve external agencies should be left to executive management because that may result in adverse publicity.
• Procedures should be in place to manage public relations and the press.
• To facilitate proper handling of access violations, written guidelines should exist that identify the various types and levels of violations and how they will be addressed. This effectively provides direction for judging the seriousness of a violation. There should be a formal process that is applied consistently; it may involve a reprimand, probation or immediate termination. The procedures should be legally and ethically sound to reduce the risk of legal action against the company.
• Corrective measures should include a review of the computer access rules, not only for the perpetrator but for interested parties. Excessive or inappropriate access rules should be eliminated.