Operational security requires ongoing review of an operational system to verify that its security controls are operating correctly and effectively. Consistent auditing and monitoring achieve this, and both rely on accountability.
Auditing and Audit Trails: Effective auditing relies on accountability, which is established by logging the activities of users and of the system services that maintain the operating environment and its security mechanisms. If a user’s actions cannot be verified, that individual cannot be held accountable for a specific action, which renders auditing ineffective because security policies cannot be enforced. Logging helps retrace actions and events, provides evidence for prosecution, and supports problem reporting and analysis.
The process of analyzing logs is called auditing and is an inherent function of an operating system. An audit trail is created by logging security-relevant events; it is a running file of records that provides documentary evidence of user actions. A trail may isolate specific events or capture all of the activity on a system, and it can be used as a tool to identify whether a user has violated security policy. It allows a security administrator to monitor user activity over time and can include information about additions, omissions, or alterations to the data within a system. Audit trails are not protective controls, as they are usually examined after the event.
Monitoring: System monitoring is critical to all of the domains of information security. The main purpose of monitoring is the discovery of violations such as unauthorized or abnormal computer usage. Network utilities such as Snort and TCPdump are commonly used by organizations to monitor network traffic for suspicious activity and anomalies. Failure recognition and response, which includes reporting methods, is a critical part of monitoring.
An intrusion-detection system (IDS) is another monitoring mechanism. It is a technical detective access control designed to constantly monitor network activity and to trace scanning and probing activities, or patterns that appear to be attempts at unauthorized access to the information system, in real time. An IDS can also be programmed to scan for attacks, track an attacker’s movements, alert an administrator to an ongoing attack, run system diagnostics for possible weaknesses, and put defensive measures in place to block further unauthorized access. IDSs can also be used to identify system failures and to track system performance. Attacks discovered by an IDS can originate from external connections, viruses, malicious code, trusted internal users attempting unauthorized activities, and unauthorized access attempts from trusted locations.
Clipping levels play a significant role in system monitoring. A clipping level allows a user to make an occasional error before an investigation is triggered: it functions as a violation threshold that must be exceeded before violations are logged or a follow-up response occurs. Once that threshold is surpassed, investigation or notification begins.
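As an added example (not part of the original text), the following Python applies a clipping level to a constructed audit trail: failed logins are tolerated up to a threshold per user within a sliding time window, and an alert is raised only once that threshold is exceeded. The log format, user names and addresses are invented for the illustration.

```python
"""Clipping-level monitor over a constructed audit trail (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-trail lines, not taken from any real system.
# Format assumed here: "<ISO timestamp> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09 LOGIN_OK   user=alice src=10.0.0.5
2024-03-01T09:01:00 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:01:02 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:01:04 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:01:06 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:30:00 LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T09:45:00 LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T10:00:00 LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T10:15:00 LOGIN_FAIL user=carol src=10.0.0.7
"""


def parse_line(line):
    """Split one audit record into (timestamp, event, user, source)."""
    ts, event, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def apply_clipping_level(log_text, threshold=3, window_minutes=5):
    """Return alerts raised when a user's LOGIN_FAIL count inside the
    sliding window exceeds `threshold`.  Failures at or below the
    threshold are treated as ordinary user error and produce no alert;
    every record still remains in the audit trail for later review."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> failure timestamps still in window
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) > threshold:            # clipping level surpassed: notify
            alerts.append((ts, user, src, len(q)))
    return alerts


if __name__ == "__main__":
    for ts, user, src, count in apply_clipping_level(SAMPLE_LOG):
        print(f"{ts} ALERT user={user} src={src} failures_in_window={count}")
```

With the defaults, only bob (four failures within six seconds) trips the clipping level; alice's single mistake and carol's slow, spaced-out failures stay below it, which is exactly what widening the window or lowering the threshold would change.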