CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [253]

walking away doesn’t mean it won’t be attacked; it just means you won’t know when it is attacked. And you won’t know an attack was successful until you return and notice damage or loss.

You should apply auditing, monitoring, logging, and watching to all forms of security. These measures deter many attacks from being attempted in the first place, and they detect any attempt that is made to breach security. Most forms of auditing should be announced to all entities trying to gain entry into your secured environment, the computer network as well as the physical building. You should notify anyone trying to enter your environment that only authorized personnel are allowed to enter, that all actions are recorded and monitored, and that any violation of security policy or law will be prosecuted. This type of sign or banner should be clearly visible at every entry point of your building and at every logon or access point on your public and private IT systems.

Auditing prevents casual attacks and detects intentional attacks. But auditing by itself is not enough. Your audit logs need to be protected against tampering and loss. This protection is required while the log is open and active as well as when it is closed and stored on backup media. Your best choice of storage media for auditing is a write once, read many (WORM) device. WORM devices are designed so that once data is written to them, it cannot be altered by any means short of physical destruction of the storage device itself. If you want your audit logs to be 100 percent accurate, to have perfect integrity, and to be supportable in court, WORM devices are your only choice. Other forms of storage devices allow written data to be altered. If alteration is even possible, a good defense attorney can cast doubt on the reliability and integrity of the audit details. Your WORM devices should be of sufficient capacity to collect audit logs for a reasonable amount of time. You must protect your WORM devices from theft and physical damage.

You should review your audit logs regularly both by automated means (such as a security auditor or an IDS tool) and by human means. Look for abnormalities or specific violations of security policy. Each incident should be investigated. As you discover issues or weaknesses, take action to prevent reoccurrence or future exploitation.

Audit logs should be backed up and retained—not just for a few months or years, but indefinitely. You never know how far back malicious events reach until they are discovered and investigated. If your retention policy allows for backups to be destroyed after only six months, you could easily be destroying essential evidence against internal and external attackers. This might require a separate backup system for audit logs so that the physical space required to maintain all audit logs does not become too significant a burden.
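As an added illustration that is not from the study guide: the book's answer to log tampering is WORM media; the software analog is a hash-chained (tamper-evident) audit log, shown here in Python over constructed sample logon events, together with a simple automated review pass that flags repeated failed logons as the kind of policy violation the text says to investigate.

```python
import hashlib
import json

# Constructed sample audit events (not from the book); one record per logon attempt.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T08:00:01", "user": "alice", "action": "logon", "result": "success"},
    {"ts": "2024-01-01T08:02:13", "user": "bob", "action": "logon", "result": "failure"},
    {"ts": "2024-01-01T08:02:20", "user": "bob", "action": "logon", "result": "failure"},
    {"ts": "2024-01-01T08:02:31", "user": "bob", "action": "logon", "result": "failure"},
    {"ts": "2024-01-01T08:05:00", "user": "carol", "action": "logon", "result": "success"},
]
GENESIS = "0" * 64  # seed hash for the first record

def _digest(prev_hash, event):
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes identically.
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def build_log(events):
    """Chain records: each stores the hash of its predecessor plus its own hash."""
    records, prev = [], GENESIS
    for ev in events:
        h = _digest(prev, ev)
        records.append({"event": dict(ev), "prev": prev, "hash": h})
        prev = h
    return records

def verify_log(records):
    """Return the index of the first record whose chain is broken, or None if intact.
    Altering, deleting or reordering a record breaks the link of every record after it."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or _digest(prev, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def failed_logon_users(records, threshold=3):
    """Automated review pass: users with at least `threshold` failed logons."""
    counts = {}
    for rec in records:
        ev = rec["event"]
        if ev["action"] == "logon" and ev["result"] == "failure":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("intact:", verify_log(log) is None, "review hits:", failed_logon_users(log))
    log[1]["event"]["result"] = "success"  # a stored record is altered after the fact
    print("first broken record:", verify_log(log))
```

Note that removing the newest records leaves nothing after them to break, so truncation of the tail is only caught if the latest hash is also anchored somewhere the attacker cannot change, such as the WORM media the text recommends.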

Authentication Schemes

No matter which access control scheme you use (DAC, MAC, and so forth), the basic two-step process to log onto the network is always required. Every authorized user has (or should have) their own user account. To use the IT system, the user must first log on. The two-step logon process is to claim an identity (identification) and then prove that you are responsible for that identity (authentication). There are at least three important aspects to this two-step process that require investigation.

■ Number and type of factors

■ Client, server, or mutual authentication

■ Mechanism of authentication protection

Authentication Factors

The number and type of factors reflect the strength of the authentication process. Remember that there are three basic types of authentication factors:

■ Type 1 (something you know)

■ Type 2 (something you have)

■ Type 3 (something you are)

Only a single factor is needed for identification because you only need to claim a single identity. But when it comes to authentication, more factors, and factors of different types, are always better (and here better means stronger).

All Type 1 (something you know) examples are the same no matter what they
