Author: Neftaly Malatjie

  • 114046 LG 1.19 Reconstruction of Events

    Audit trails can also be used to reconstruct events after a problem has occurred.  Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased.

    Audit trail analysis can often distinguish between operator-induced errors (during which the system may have performed exactly as instructed) and system-created errors (e.g., arising from a poorly tested piece of replacement code).  If, for example, a system fails or the integrity of a file (either program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps taken by the system, the users, and the application.  Knowledge of the conditions that existed at the time of, for example, a system crash, can be useful in avoiding future outages.  Additionally, if a technical problem occurs (e.g., the corruption of a data file) audit trails can aid in the recovery process (e.g., by using the record of changes made to reconstruct the file).

    Intrusion Detection

    Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized access.  If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection.  Although normally thought of as a real-time effort, intrusions can be detected in real time, by examining audit records as they are created (or through the use of other kinds of warning flags/notices), or after the fact (e.g., by examining audit records in a batch process). 

    Real-time intrusion detection is primarily aimed at outsiders attempting to gain unauthorized access to the system.  It may also be used to detect changes in the system’s performance indicative of, for example, a virus or worm attack (forms of malicious code).  There may be difficulties in implementing real-time auditing, including unacceptable system performance.

    After-the-fact identification may indicate that unauthorized access was attempted (or was successful).  Attention can then be given to damage assessment or reviewing controls that were attacked. 
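    The two modes of intrusion detection described above, real-time examination of audit records as they are created and after-the-fact examination of a batch, can share one detection rule. The following is an added example written for this guide, not code from the original text: the record format, the thresholds (five failures from one source within sixty seconds; a success following three or more recent failures) and every log line are constructed for illustration.

```python
"""
Added example: one failed-login rule applied in real time (record by record) and
after the fact (whole trail loaded, sorted, then examined).  All data constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail: one login event per line (not real log data).
SAMPLE_AUDIT = """\
2024-03-01T08:00:01 LOGIN user=alice src=10.0.0.5 result=SUCCESS
2024-03-01T08:00:05 LOGIN user=bob src=10.0.0.9 result=FAILURE
2024-03-01T08:00:09 LOGIN user=bob src=10.0.0.9 result=SUCCESS
2024-03-01T08:01:00 LOGIN user=admin src=203.0.113.7 result=FAILURE
2024-03-01T08:01:02 LOGIN user=admin src=203.0.113.7 result=FAILURE
2024-03-01T08:01:04 LOGIN user=root src=203.0.113.7 result=FAILURE
2024-03-01T08:01:06 LOGIN user=admin src=203.0.113.7 result=FAILURE
2024-03-01T08:01:08 LOGIN user=admin src=203.0.113.7 result=FAILURE
2024-03-01T08:01:10 LOGIN user=admin src=203.0.113.7 result=SUCCESS
2024-03-01T08:30:00 LOGIN user=carol src=10.0.0.12 result=FAILURE
"""

FAILURE_THRESHOLD = 5        # failures from one source inside WINDOW -> alert
SUCCESS_AFTER_FAILURES = 3   # a success preceded by this many recent failures -> alert
WINDOW = timedelta(seconds=60)


def parse_record(line):
    """Turn 'TIMESTAMP EVENT k=v k=v ...' into a dict with a datetime."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(f.split("=", 1) for f in fields)
    return rec


class FailedLoginDetector:
    """Keeps, per source address, the timestamps of failures inside WINDOW."""

    def __init__(self):
        self.failures = defaultdict(deque)
        self.alerts = []

    def observe(self, rec):
        """Examine one record; return an alert tuple or None."""
        if rec["event"] != "LOGIN":
            return None
        src, now = rec["src"], rec["ts"]
        q = self.failures[src]
        while q and now - q[0] > WINDOW:      # forget failures outside the window
            q.popleft()
        alert = None
        if rec["result"] == "FAILURE":
            q.append(now)
            if len(q) >= FAILURE_THRESHOLD:
                alert = ("BRUTE_FORCE", src, now.isoformat())
        elif len(q) >= SUCCESS_AFTER_FAILURES:
            # A success right after a burst of failures deserves a second look.
            alert = ("SUCCESS_AFTER_FAILURES", src, rec["user"], now.isoformat())
        if alert:
            self.alerts.append(alert)
        return alert


def detect_realtime(lines):
    """Real-time mode: examine each record as it is created, yield alerts at once."""
    det = FailedLoginDetector()
    for line in lines:
        alert = det.observe(parse_record(line))
        if alert:
            yield alert


def detect_batch(text):
    """After-the-fact mode: load the whole trail, order it by time, apply the rule."""
    records = sorted((parse_record(ln) for ln in text.splitlines() if ln.strip()),
                     key=lambda r: r["ts"])
    det = FailedLoginDetector()
    for rec in records:
        det.observe(rec)
    return det.alerts


if __name__ == "__main__":
    for a in detect_realtime(SAMPLE_AUDIT.splitlines()):
        print("real-time alert:", a)
    print("batch alerts:", detect_batch(SAMPLE_AUDIT))
```

    The batch function sorts by timestamp before applying the rule, because records collected after the fact (for example from several hosts) need not arrive in order; the real-time path assumes the order in which records are created. The cost the text mentions for real-time auditing is visible here too: the detector must keep per-source state in memory for every active source.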

  • 114046 LG 1.18 BENEFITS AND OBJECTIVES

    Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happen on a computer system), intrusion detection, and problem analysis.

    Individual Accountability

    Audit trails are a technical mechanism that help managers maintain individual accountability.  By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behaviour. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log.

    For example, audit trails can be used in concert with access controls to identify and provide information about users suspected of improper modification of data (e.g., introducing errors into a database).  An audit trail may record “before” and “after” versions of records. (Depending upon the size of the file and the capabilities of the audit logging tools, this may be very resource-intensive.)  Comparisons can then be made between the actual changes made to records and what was expected.  This can help management determine if errors were made by the user, by the system or application software, or by some other source.
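    The "before" and "after" record versions described in the previous paragraph are also what makes the reconstruction described under Reconstruction of Events possible: replaying the recorded changes rebuilds the file as it stood at any moment, and comparing each actual change with the change that was expected shows whether a user or an application introduced an error. The following is an added example written for this guide (not code from the original text); the change records, the transaction identifiers and the table of expected changes are all constructed.

```python
"""
Added example: an audit trail of record changes with "before" and "after"
versions, used to (a) reconstruct the file at a chosen time and (b) compare
actual changes with expected ones.  All data is constructed.
"""
import copy
from datetime import datetime

# Constructed change records.  actor is "user:<name>" for an operator action
# or "app:<name>" for an action taken by a program.
CHANGE_LOG = [
    {"ts": "2024-03-01T09:00:00", "actor": "user:alice", "txn": "T1",
     "key": "emp-100", "before": None, "after": {"name": "Ann", "salary": 5000}},
    {"ts": "2024-03-01T09:05:00", "actor": "user:bob", "txn": "T2",
     "key": "emp-101", "before": None, "after": {"name": "Ben", "salary": 5200}},
    {"ts": "2024-03-01T10:00:00", "actor": "user:alice", "txn": "T3",
     "key": "emp-100", "before": {"name": "Ann", "salary": 5000},
     "after": {"name": "Ann", "salary": 5500}},
    # A batch program was meant to update salary only, but also altered the name.
    {"ts": "2024-03-01T11:00:00", "actor": "app:payroll-batch", "txn": "T4",
     "key": "emp-101", "before": {"name": "Ben", "salary": 5200},
     "after": {"name": "Bne", "salary": 5300}},
]

# Constructed "expected" view: the fields each transaction was authorised to change.
EXPECTED_FIELDS = {"T1": {"name", "salary"}, "T2": {"name", "salary"},
                   "T3": {"salary"}, "T4": {"salary"}}


def reconstruct(change_log, as_of):
    """Replay changes up to and including `as_of`; return the file's state then."""
    cutoff = datetime.fromisoformat(as_of)
    state = {}
    for entry in sorted(change_log, key=lambda e: e["ts"]):
        if datetime.fromisoformat(entry["ts"]) > cutoff:
            break
        # The recorded "before" must equal the replayed state; otherwise the
        # trail has a gap or has been altered, and the reconstruction is unsafe.
        if state.get(entry["key"]) != entry["before"]:
            raise ValueError(f"audit trail inconsistent at {entry['txn']}")
        if entry["after"] is None:
            state.pop(entry["key"], None)          # a deletion
        else:
            state[entry["key"]] = copy.deepcopy(entry["after"])
    return state


def trail_is_consistent(change_log):
    """True if every 'before' matches the state produced by the earlier changes."""
    try:
        reconstruct(change_log, max(e["ts"] for e in change_log))
        return True
    except ValueError:
        return False


def changed_fields(before, after):
    """Set of field names whose value differs between the two versions."""
    before, after = before or {}, after or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def audit_changes(change_log, expected):
    """Compare actual changes with expected ones; attribute anything unexpected."""
    findings = []
    for entry in change_log:
        actual = changed_fields(entry["before"], entry["after"])
        unexpected = actual - expected.get(entry["txn"], set())
        if unexpected:
            source = "operator" if entry["actor"].startswith("user:") else "system/application"
            findings.append({"txn": entry["txn"], "actor": entry["actor"],
                             "unexpected_fields": sorted(unexpected), "source": source})
    return findings


if __name__ == "__main__":
    print(reconstruct(CHANGE_LOG, "2024-03-01T10:30:00"))
    print(audit_changes(CHANGE_LOG, EXPECTED_FIELDS))
```

    Keeping both versions of each record is what allows the consistency check in `reconstruct`: if the "before" image of a change does not match the state rebuilt from earlier changes, the trail is missing an entry or has been modified, which is worth knowing before trusting it for recovery. This is the resource cost the paragraph mentions; storing only the "after" image halves the storage but removes that check.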

    Audit trails work in concert with logical access controls, which restrict use of system resources.  Granting users access to particular resources usually means that they need that access to accomplish their job.

    Authorized access, of course, can be misused, which is where audit trail analysis is useful.  While users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis is used to examine their actions.  For example, consider a personnel office in which users have access to those personnel records for which they are responsible.  Audit trails can reveal that an individual is printing far more records than the average user, which could indicate the selling of personal data.  Another example may be an engineer who is using a computer for the design of a new product.  Audit trail analysis could reveal that an outgoing modem was used extensively by the engineer the week before quitting.  This could be used to investigate whether proprietary data files were sent to an unauthorized party. 
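    The personnel-office example above is a comparison of one authorised user's volume of activity against that of comparable users. The following is an added example written for this guide, not code from the original text: it counts an audited action per user from constructed records and flags anyone whose count is far above the average of the other users. The action name is a parameter, so the same counting applies to the engineer example (outbound modem use) or any other audited action; the user names, record volumes and the ratio used as a threshold are constructed.

```python
"""
Added example: per-user volume of an authorised action, compared with peers.
Records, names and thresholds are constructed for illustration.
"""
from collections import Counter
from statistics import mean

# Constructed audit records: (date, user, action, object).  Everyone here is
# authorised to print personnel records; only the volume is in question.
_VOLUMES = [("dana", 8), ("eli", 6), ("fay", 7), ("gus", 60)]
PRINT_LOG = [("2024-03-04", user, "PRINT", f"rec-{i:04d}")
             for user, n in _VOLUMES for i in range(n)]
# Some viewing activity as well, to show that only the requested action is counted.
PRINT_LOG += [("2024-03-04", "gus", "VIEW", f"rec-{i:04d}") for i in range(40)]

RATIO = 5.0      # flag a user whose count exceeds RATIO x the peers' average
MIN_PEERS = 2    # need at least this many other users to form a baseline


def counts_per_user(records, action="PRINT"):
    """Number of audited actions of the given kind per user."""
    return Counter(user for _, user, act, _ in records if act == action)


def outliers(counts, ratio=RATIO, min_peers=MIN_PEERS):
    """Return {user: (count, peer_average)} for users far above their peers.

    The baseline for each user is the average of the *other* users
    (leave-one-out), so one heavy user does not inflate the average that is
    used to judge that same user.
    """
    flagged = {}
    for user, n in counts.items():
        peers = [c for u, c in counts.items() if u != user]
        if len(peers) < min_peers:       # too few peers for a meaningful baseline
            continue
        baseline = mean(peers)
        if baseline > 0 and n > ratio * baseline:
            flagged[user] = (n, round(baseline, 1))
    return flagged


if __name__ == "__main__":
    counts = counts_per_user(PRINT_LOG)
    print(dict(counts))
    print(outliers(counts))
```

    A flagged user is a lead for review, not a finding on its own: the next step is to look at which records were printed and when, which is exactly the detail the audit trail holds.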

  • 114046 LG 1.17 PURPOSE OF AN ACCESS AUDIT TRAIL

    Audit trails maintain a record of system activity both by LAN system and application processes and by user activity of systems and applications.  In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications.  This bulletin focuses on audit trails as a technical control and discusses the benefits and objectives of audit trails, the types of audit trails, and some common implementation issues.

    An audit trail is a series of records of computer events, about an operating system, an application, or user activities.  A computer system may have several audit trails, each devoted to a particular type of activity.  Auditing is a review and analysis of management, operational, and technical controls.  The auditor can obtain valuable information about activity on a computer system from the audit trail.  Audit trails improve the auditability of the computer system.

    Audit trails may be used as either a support for regular system operations or a kind of insurance policy or as both of these.  As insurance, audit trails are maintained but are not used unless needed, such as after a system outage.  As a support for operations, audit trails are used to help system administrators ensure that the system or resources have not been harmed by hackers, insiders, or technical problems.

  • 114046 LG 1.16 Location control

    Geographical access control may be enforced by personnel. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through technological means such as access control systems like the mantrap. Within these environments, physical key management may also be employed as a means of further managing and monitoring access to mechanically keyed areas or access to certain networks.

    Physical access control is a matter of who, where, and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit. Historically, this was partially accomplished through keys and locks. When a door is locked, only someone with a key can enter through the door, depending on how the lock is configured. Mechanical locks and keys do not allow restriction of the key holder to specific times or dates. Mechanical locks and keys do not provide records of the key used on any specific door, and the keys can be easily copied or transferred to an unauthorized person. When a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks must be re-keyed.
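    The who, where and when of the paragraph above can be written down as an access-control rule set, and the points made about mechanical keys (no time restriction, no record of use, re-keying after a loss) become concrete when an electronic system evaluates that rule set. The following is an added example written for this guide, not code from the original text or from any real access-control product: the badge identifiers, door names, schedules and the revoked-badge list are all constructed.

```python
"""
Added example: an electronic who / where / when access rule set, a decision
function, and the audit record it writes for every attempt.  All data constructed.
"""
from datetime import datetime, time

# Constructed policy: for each credential, the doors it may open and the weekday
# time window in which it may open them (weekday: Monday = 0 ... Sunday = 6).
POLICY = {
    "badge-0101": {"name": "Ann", "doors": {"lobby", "server-room"},
                   "days": {0, 1, 2, 3, 4}, "window": (time(7, 0), time(19, 0))},
    "badge-0202": {"name": "Ben", "doors": {"lobby"},
                   "days": {0, 1, 2, 3, 4, 5, 6},
                   "window": (time(0, 0), time(23, 59, 59))},
}
# A lost badge is disabled here; no lock has to be re-keyed.
REVOKED = {"badge-0303"}

AUDIT = []   # every attempt, allowed or refused, is recorded


def decide(badge, door, when, policy=POLICY, revoked=REVOKED, audit=AUDIT):
    """Return (allowed, reason) for one access attempt and append an audit record."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    holder = policy.get(badge)
    if badge in revoked:
        allowed, reason = False, "credential revoked"
    elif holder is None:
        allowed, reason = False, "unknown credential"            # who
    elif door not in holder["doors"]:
        allowed, reason = False, "not authorised for this door"  # where
    elif when.weekday() not in holder["days"]:
        allowed, reason = False, "outside permitted days"        # when
    else:
        start, end = holder["window"]
        if start <= when.time() <= end:
            allowed, reason = True, "ok"
        else:
            allowed, reason = False, "outside permitted hours"   # when
    audit.append({"ts": when.isoformat(), "badge": badge,
                  "who": holder["name"] if holder else None,
                  "door": door, "allowed": allowed, "reason": reason})
    return allowed, reason


def door_history(door, audit=AUDIT):
    """Every recorded attempt on one door; a mechanical lock keeps no such record."""
    return [r for r in audit if r["door"] == door]


if __name__ == "__main__":
    print(decide("badge-0101", "server-room", "2024-03-05T09:30:00"))   # Tuesday, 09:30
    print(decide("badge-0101", "server-room", "2024-03-05T22:00:00"))   # after hours
    print(decide("badge-0303", "lobby", "2024-03-05T09:30:00"))         # lost badge
    for record in door_history("server-room"):
        print(record)
```

    Refused attempts are recorded as deliberately as granted ones; a run of refusals on one door, or on one revoked badge, is often the first sign that a lost credential is being tried.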


  • 114046 LG 1.15 File and data ownership

    Files and data may contain important and valuable information. This important information should be the focus of your security efforts. But who is responsible for ensuring the security of your organization’s information? This question is answered by assigning different layers of responsibility to each piece of important information. Each file, or data element, should have at least three different responsible parties assigned. The three layers of responsibility represent different requirements and actions for each group. The most common layers are data owner, data custodian, and data user. Each layer has specific expectations to support the organization’s security policy.

    • Data Owner: The data owner accepts the ultimate responsibility for the protection of the data. The data owner is generally a member of upper management and acts as the representative of the organization in this duty. It is the owner who sets the classification level of the data and delegates the day-to-day responsibility of maintenance to the data custodian. If a security violation occurs, it is the data owner who bears the brunt of any negligence issues.
    • Data Custodian: The data owner assigns the data custodian to enforce security policies according to the data classification set by the data owner. The custodian is often a member of the IT department and follows specific procedures to secure and protect assigned data. This includes implementing and maintaining appropriate controls, taking backups, and validating the integrity of the data.
    • Data User: Finally, the users of data are the ones who access the data on a day-to-day basis. They are charged with the responsibility of following the security policy as they access data. You would expect to see more formal procedures that address important data, and users are held accountable for their use of data and adherence to these procedures.