Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 166

More often than not, software and devices are acting in their own name (so to speak) as subjects in your systems and have user IDs created for them. Database systems, systems belonging to partners in your federated access environment, storage subsystems, and even individual endpoint devices are just some examples of devices and their installed software and firmware that might have user IDs; if they do, then their accounts should be subject to review. Underneath all of that “user-level” devices-as-users activity, though, you'll find an ever-increasing number of operating systems and support functions, each with its own user ID and privileged account, which are automatically invoked as part of routine systems operation and use. In effect, invoking such a function causes a login-like event to happen for that function's user ID; or, if it's a continuously logged-in user ID, the function “wakes up” the process thread related to that user ID, and it starts requesting other systems functions to take action as needed to get its job done. Often used for housekeeping purposes such as backups, disk management, or the general gathering and analysis of monitoring and log data, these accounts usually have elevated privileges that grant access to special devices or system files.

It's therefore a very good practice to check the access accounting information for these system-level user IDs as well. Ideally, you would check system by system for every computer, every security device on your network, and every database—in fact, every technical entity—to see which software and systems can do any of these things:

 Connect

 Read

 Write

 Move

 Delete

 Verify the presence and state of health of the device on the system

 Start or stop

 Read or change access settings

 Read or change any other configuration settings

 Perform privileged actions, or act as a system administrator

Such checks are time-consuming and even in a modest-sized network must be automated in order for a comprehensive scan to be practical. As with so many security measures, you may find it necessary to prioritize which systems (and which system accounts) are reviewed.