2.8. Introducing Auditing Processes and Files
Most systems generate security logs and audit files of activity. These files do absolutely no good if they aren't periodically reviewed for unusual events. Many web servers provide message auditing, as do logon, system, and application servers.
The amount and volume of information these files contain can be overwhelming. You should establish a procedure to review them on a regular basis.
|
Audit files and security logs may also be susceptible to access or modification attacks. The files often contain critical system information, including resource sharing, security status, and so on. An attacker may be able to use this information to gather more detailed data about your network.
In an access attack, these files can be deleted, modified, and scrambled to prevent system administrators from knowing what happened in the system. A logic bomb could, for example, delete these files when it completes. Administrators might know that something happened, but they would get no clues or assistance from the log and audit files.
You should consider periodically inspecting systems to see what software is installed and whether passwords are posted on sticky notes on monitors or keyboards. A good way to do this without attracting attention is to clean all the monitor faces. While you're cleaning the monitors, you can also verify that physical security is being upheld. If you notice a password on a sticky note, you can "accidentally" forget to put it back. You should also notify that user that this is an unsafe practice and not to continue it.
You should also consider obtaining a vulnerability scanner and running it across your network. A vulnerability scanner is a software application that checks your network for any known security holes; it's better to run one on your own network before someone outside the organization runs it against you. One of the best-known vulnerability scanners is Nessus.