Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 147

Accountability


Accounting, you recall, is one of the “big three” functions of access control (the other two are authentication and authorization). Having strong, effective accountability as part of your information systems architecture supports three main objectives that most (if not all) organizations need to achieve.

 Resource utilization, monitoring, and chargeback: In all but the smallest of SOHO environments, organizations need to plan and budget for IT resource usage by the organization. Budgets can and should allocate resources not only to departments or work units but also to objectives, goals, projects, and initiatives. Once a budget has allocated IT resource use in this way, accounting functions track actual usage so management can control usage and investigate budget variances (usage over or under predicted and budgeted amounts). In this way, resource usage accounting can also identify the need to scale or resize the organization's IT resources in more deliberate ways.

 Individual accountability: By providing detailed records of each individual's accesses to systems resources, management has an informed basis upon which they can hold individuals responsible for their actions and decisions. This type of digital forensic evidence can play a vital role in supporting any corrective actions management needs to take, such as counseling or admonishing an employee; it also can support litigation if required.

 Information security monitoring, analysis, and incident characterization and response: At each step of the access control process, detailed information can and should be generated about: which subjects, under what conditions, attempted what kind of accesses to which objects; what decisions were made as to granting or denying access; and what outcomes if any resulted from these access attempts. Authentication or authorization rejects can send alarms to systems security reporting and monitoring functions, including to the watch-standers in the security operations center (SOC) or network operations center (NOC). Accounting information can provide the diagnostic and forensics data that may be needed in analyzing and characterizing the event, as well as supporting decisions about containment and other required responses. Accounting data as part of access control also can provide important trending data, which may reveal whether the access control system is doing its job effectively enough to provide the required level of security and protection. After a security incident, this data may also help identify changes to sensitivity settings, constraints and conditions, or alarm filtering levels as part of providing better protection before the next incident occurs.

Taken together, this means that the data your accounting functions generate must be reliable and verifiable as to its accuracy and completeness. Data that cannot unambiguously identify the subject or subjects in question and precisely identify the actions they took or attempted to take are of little value to the troubleshooter or the litigator.

You must also take actions to protect the accounting data and related information in various systems or applications log files from inadvertent or deliberate damage, alteration, or loss. This not only protects the chain of custody of such data as forensics evidence but also provides another opportunity for early detection of an intrusion or unauthorized access or usage attempt. For example, by routing all security-related event notifications and supporting data to a separate logging agent, which is protected by separate and distinct administrator credentials, you both protect the log data and gain another source of alarms whenever some other process (a subject), even one with systems administrator, root, or other elevated privileges, attempts to access that data. It's also good to keep in mind that unplanned system restarts can sometimes be part of attempts to obscure an attacker's actions, including their attempts to cover their tracks by altering log files.
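The following is an added example, not code from the book, that ties together the accounting record described above (subject, conditions, action, object, decision, outcome) with the protected-log-store idea: each record is hash-chained so alteration or deletion of log data is detectable, and a simple alarm function flags access rejects and any non-log-admin subject touching the log store. The log-admin identity, the store path, and the sample events are all assumptions constructed for the demonstration.

```python
import hashlib
import json

# Assumptions, not from the book: one distinct log-admin identity and one
# protected log store path, per the "separate logging agent" advice above.
LOG_ADMINS = {"logsvc-admin"}
LOG_STORE = "/var/log/secure-audit"
GENESIS = "0" * 64

def make_record(prev_hash, ts, subject, conditions, action, obj, decision, outcome):
    """One accounting record carrying the fields the text lists, chained to
    the previous record's hash so later alteration or deletion is detectable."""
    body = {"ts": ts, "subject": subject, "conditions": conditions, "action": action,
            "object": obj, "decision": decision, "outcome": outcome, "prev": prev_hash}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "hash": digest}

def append(log, **fields):
    """Append a record chained to the current tail of the log."""
    log.append(make_record(log[-1]["hash"] if log else GENESIS, **fields))
    return log[-1]

def verify_chain(log):
    """Recompute every hash and link; return index of the first bad record, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        expect = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or rec["hash"] != expect:
            return i
        prev = rec["hash"]
    return -1

def alarms(log):
    """Events the text says should alarm the SOC: any access reject, and any
    subject other than the log admin touching the log store, root included."""
    out = []
    for rec in log:
        if rec["decision"] == "deny":
            out.append(("reject", rec["subject"], rec["object"]))
        if rec["object"] == LOG_STORE and rec["subject"] not in LOG_ADMINS:
            out.append(("log-store-access", rec["subject"], rec["action"]))
    return out

SAMPLE = []  # constructed demo events, not real log data
append(SAMPLE, ts="2024-05-01T08:00:00Z", subject="alice", conditions="vpn,mfa", action="read", obj="/finance/q1.xlsx", decision="allow", outcome="ok")
append(SAMPLE, ts="2024-05-01T08:02:10Z", subject="bob", conditions="lan,no-mfa", action="write", obj="/finance/q1.xlsx", decision="deny", outcome="none")
append(SAMPLE, ts="2024-05-01T08:05:33Z", subject="root", conditions="console", action="truncate", obj=LOG_STORE, decision="allow", outcome="ok")
```

Running `verify_chain` on a copy in which one record is edited or removed returns that record's index, which is the tamper signal the text wants from protected log data.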

It is worthwhile to consider all of your security-related information as high-value, high-payoff assets—ones where the losses to the organization if they are compromised, destroyed, or lost is far greater than the modest investments to properly gather, isolate, and protect this data. Don't let your log files overwrite themselves too quickly. Instead, work with your security experts and your legal team to set an effective data retention policy for this data and then implement this in your security information management practices and procedures.

Having said all of that, it's worth remembering that each month seems to bring news of even more sophisticated attack mechanisms being used by the black hats; in many cases, rootkits and other stratagems can alter the reality of your systems while keeping your perceptions of them largely intact. When all else fails, having “golden image” backup copies from which you can reinstall everything, from the bare metal up, may be your only safe and sane path back to normal, trustworthy operations.

