
30     Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing

                      then sell them to interested parties. There have been instances reported of
                      operators actually using the employer’s computer to run a service bureau.

                  ■   The same person cannot both originate and approve transactions.
                      When someone is able to enter and authorize their own expenses, it
                      introduces the possibility that they might fraudulently enter invalid
                      expenses for their own gain.

                 These principles, whether manual or electronic, form the basis for why audit
             logs are retained. They also identify why people other than those performing the
             activities reported in the log should be the ones who analyze the data in the log file.
                 In keeping with the idea of segmentation, as you deploy your audit trails, be
             sure to have your log files sent to a secure, trusted location that is separate and
             non-accessible from the devices you are monitoring. This will help ensure that if any
             inappropriate activity occurs, the person who performs it cannot falsify the log file
             to state the actions did not take place.


           Head of the Class…
                How Much is Too Much?
                When auditing is enabled for a system, it is very important to strictly
                define exactly what it is that you are auditing. Do you need to see all
                successful and failed authentication attempts? How about successful file
                access attempts? Do you need to know about every file or only confidential
                ones? If you audit too much, you will receive a huge amount of data that
                may be unusable. Finding actual events in this data could be like looking
                for a needle in a haystack. On the other hand, not auditing enough could
                cause you to miss capturing important information that you need. Strike
                a very careful balance when defining your auditing policies to ensure
                that you capture all of the relevant data without overloading yourself
                with useless information.
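
One way to scope auditing along the lines of the sidebar, added here as an example and not taken from the book: record successful and failed logons system-wide, but generate file-access events only for one confidential folder. It assumes a current Windows release where `auditpol` supports subcategories, an elevated PowerShell session, and a hypothetical folder `D:\Confidential`.

```powershell
# Hypothetical path: the only folder whose file access is worth auditing.
$ConfidentialPath = 'D:\Confidential'

# 1. Authentication: log both successful and failed logon attempts.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 2. File access: turn on the File System subcategory. On its own this
#    produces no events; Windows only logs access to objects that carry
#    an audit entry (SACL), which is what keeps the volume manageable.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. Add an audit entry to the confidential folder only. Every other
#    file on the system stays silent.
$acl  = Get-Acl -Path $ConfidentialPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                                                            # audit all principals
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ConfidentialPath -AclObject $acl

# 4. Confirm what is actually being audited before relying on the logs.
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"File System"
(Get-Acl -Path $ConfidentialPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags
```

If the resulting volume is still too high, narrow the rights in the audit entry (for example, drop `ReadData`) before widening the set of audited folders.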



              EXERCISE 1.03


              CONFIGURING AUDITING IN MICROSOFT WINDOWS
                  During the discussion of using auditing as a method to track access
                  attempts within systems, it was mentioned that you must define an
                  audit policy that reflects the needs of your organization and the need
                  to track access in your system. This process is used to configure the types
                  of activity or access you wish to monitor. For this exercise on auditing,




          www.syngress.com