Operational and Organizational Security: Policies and Disaster Recovery• Chapter 12  713

Usage

Auditing how accounts are used on a network may reveal successful and attempted intrusions. Remember that a common method of hacking a system is to use an existing account and acquire the password for it. By auditing certain events, administrators can determine if an intrusion is being attempted or occurring in this manner.

Auditing logon and logoff failures can provide an indication that someone is attempting to hack their way into a system using a particular account or set of accounts. Upon realizing this, administrators can disable the account to block access through it, or ensure that strong passwords are used to make access even more difficult.

Monitoring successful logons also provides important information, such as when someone is successfully hacking a network. For example, the manager of finance is on vacation, but someone has been logging in using his account. Since this account should be inactive, monitoring the logons indicates that someone is using a stolen or hacked password to access the system. Disabling the account will prevent the hacker from using that account, and will protect the assets.

Auditing can also provide information on systems that are no longer required. Certain services or resources may be used less by users or may no longer be used at all. Since these services or resources could be exploited, they should be removed from the network.

Audits can also be used to identify violations of existing corporate policy. Firewall logs not only show which files and services are being accessed from the Internet, but can also be used to monitor which Web sites are being accessed by internal users. This can provide information on violations of acceptable use policies, such as employees who are visiting improper sites during work hours, or using company equipment for illicit purposes.

Escalation

Monitoring the escalating use of accounts or the irregular hours that accounts are being used can also indicate intrusions. For example, if a user works days but their account is being used at night or used more frequently than usual, it is possible that someone else is using the account to gain access.

Systems should also be monitored for increased use, to determine if additional servers, services, or resources are required on a network. For example, the number of users visiting a corporate Web site has increased dramatically over the last year. If this trend continues, it could result in performance issues or system crashes. Adding
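The checks described in the Usage and Escalation passages above (repeated logon failures, logons on an account that should be inactive, logons outside working hours, and a day's usage that escalates beyond an account's normal level) can be run mechanically over audit records. The following is an added example, not code from the book; the log format, the account names, the thresholds and the baseline figures are all constructed assumptions, and a real deployment would read the operating system's security log instead of the embedded sample.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit records (not from the book), one per line:
# "<ISO timestamp> <account> <event> <result>"
SAMPLE_LOG = """\
2024-03-04T02:13:00 finance_mgr logon success
2024-03-04T09:05:00 jsmith logon success
2024-03-04T09:06:00 jsmith logoff success
2024-03-04T22:40:00 jsmith logon success
2024-03-04T23:01:00 svc_backup logon failure
2024-03-04T23:01:05 svc_backup logon failure
2024-03-04T23:01:10 svc_backup logon failure
2024-03-04T23:01:15 svc_backup logon failure
2024-03-05T10:00:00 jsmith logon success
"""

# Assumed policy settings; tune these to the environment being audited.
FAILURE_THRESHOLD = 3                  # repeated failed logons on one account
WORK_HOURS = (8, 18)                   # day-shift window as hours [start, end)
INACTIVE_ACCOUNTS = {"finance_mgr"}    # accounts expected to be idle (e.g. staff on leave)
BASELINE_DAILY_LOGONS = {"jsmith": 1}  # typical successful logons per account per day
ESCALATION_FACTOR = 1.5                # flag a day that exceeds the baseline by this factor


def parse_log(text):
    """Turn the whitespace-separated records into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, result = line.split()
        records.append({"time": datetime.fromisoformat(ts),
                        "account": account, "event": event, "result": result})
    return records


def successful_logons(records):
    return [r for r in records if r["event"] == "logon" and r["result"] == "success"]


def find_failed_logon_bursts(records, threshold=FAILURE_THRESHOLD):
    """Accounts with at least `threshold` failed logons: a sign of password guessing."""
    counts = Counter(r["account"] for r in records
                     if r["event"] == "logon" and r["result"] == "failure")
    return {account: n for account, n in counts.items() if n >= threshold}


def find_inactive_account_use(records, inactive=INACTIVE_ACCOUNTS):
    """Successful logons on accounts that should not be in use at all."""
    return sorted({r["account"] for r in successful_logons(records)
                   if r["account"] in inactive})


def find_off_hours_logons(records, work_hours=WORK_HOURS):
    """Successful logons whose hour falls outside the day-shift window."""
    start, end = work_hours
    hits = defaultdict(list)
    for r in successful_logons(records):
        if not (start <= r["time"].hour < end):
            hits[r["account"]].append(r["time"].isoformat())
    return dict(hits)


def find_usage_escalation(records, baseline=BASELINE_DAILY_LOGONS,
                          factor=ESCALATION_FACTOR):
    """(account, day) pairs whose successful-logon count exceeds factor * baseline."""
    per_day = Counter()
    for r in successful_logons(records):
        per_day[(r["account"], r["time"].date().isoformat())] += 1
    flagged = {}
    for (account, day), count in per_day.items():
        expected = baseline.get(account)
        if expected is not None and count > factor * expected:
            flagged[(account, day)] = count
    return flagged


def audit(text):
    """Run all four checks over a log and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "failed_logon_bursts": find_failed_logon_bursts(records),
        "inactive_accounts_used": find_inactive_account_use(records),
        "off_hours_logons": find_off_hours_logons(records),
        "usage_escalation": find_usage_escalation(records),
    }


if __name__ == "__main__":
    for check, finding in audit(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

On the sample, the burst of failures on svc_backup, the vacationing finance manager's account logging on at 02:13, the day-shift user jsmith logging on at 22:40, and jsmith's doubled logon count on 4 March are each surfaced by a separate check. The thresholds are deliberately simple; the point is that every finding maps back to one of the audit questions the text raises, so an administrator can act on it (disable the account, reset the password) rather than read raw logs.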



                                                                              www.syngress.com