Protecting Audit Results
Audit reports include sensitive information. They should be assigned a classification label
and only those people with sufficient privilege should have access to audit reports. This
includes high-level executives and security personnel involved in the creation of the reports
or responsible for the correction of items mentioned in the reports.
Auditors sometimes create a separate audit report with limited data for other personnel. This modified report provides only the details relevant to the target audience. For example, senior management does not need to know all the minute details of an audit report. Therefore, the audit report for senior management is much more concise and offers more of an overview or summary of findings. An audit report for a security administrator responsible for correction of the problems should be very detailed and include all available information on the events it covers.
On the other hand, the fact that an auditor is performing an audit is often very public. This lets personnel know that senior management is actively taking steps to maintain security.
Distributing Audit Reports
Once an audit report is completed, auditors submit it to its assigned recipients, as defined in security policy documentation. It’s common to file a signed confirmation of receipt. When an audit report contains information about serious security violations or performance issues, personnel escalate it to higher levels of management for review, notification, and assignment of a response to resolve the issues.
Using External Auditors
Many organizations choose to conduct independent audits by hiring external security
auditors. Additionally, some laws and regulations require external audits. External audits
provide a level of objectivity that an internal audit cannot provide, and they bring a fresh,
outside perspective to internal policies, practices, and procedures.
Many organizations hire external security experts to perform penetration
testing against their system as a form of testing. These penetration tests
help an organization identify vulnerabilities and the ability of attackers to
exploit these vulnerabilities.
An external auditor is given access to the company’s security policy and the authorization to inspect appropriate aspects of the IT and physical environment. Thus, the auditor must be a trusted entity. The goal of the audit activity is to obtain a final report that details findings and suggests countermeasures when appropriate.
An external audit can take a considerable amount of time to complete—weeks or months, in some cases. During the course of the audit, the auditor may issue interim reports. An interim report is a written or verbal report given to the organization about any observed security weaknesses or policy/procedure mismatches that demand immediate attention. Auditors issue interim reports whenever a problem or issue is too important to wait until the final audit report.
Once the auditors complete their investigations, they typically hold an exit conference. During this conference, the auditors present and discuss their findings and discuss resolution issues with the affected parties. However, only after the exit conference is over and the auditors have left the premises do they write and submit their final audit report to the organization. This allows the final audit report to remain unaffected by office politics and coercion.
After the organization receives the final audit report, internal auditors review it and make recommendations to senior management based on the report. Senior management is responsible for selecting which recommendations to implement and for delegating implementation requirements to internal personnel.
Summary
The CISSP Security Operations domain lists six specific incident response steps. Detection is the first step and can come from automated tools or from employee observations. Personnel investigate alerts to determine if an actual incident has occurred, and if so, the next step is response. Containment of the incident is important during the mitigation stage. It’s also important to protect any evidence during all stages of incident response. Reporting may be required based on governing laws or an organization’s security policy. In the recovery stage, the system is restored to full operation, and it’s important to ensure that it is restored to at least as secure a state as it was in before the attack. The remediation stage includes a root cause analysis and will often include recommendations to prevent a reoccurrence. Last, the lessons learned stage examines the incident and the response to determine if there are any lessons to be learned.
Several basic steps can prevent many common attacks. They include keeping systems and
applications up-to-date with current patches, removing or disabling unneeded services and
protocols, using intrusion detection and prevention systems, using anti-malware software
with up-to-date signatures, and enabling both host-based and network-based firewalls.
Denial-of-service (DoS) attacks prevent a system from processing or responding to legitimate requests for service and commonly attack systems accessible via the internet. The SYN flood attack disrupts the TCP three-way handshake, sometimes consuming resources and bandwidth. While the SYN flood attack is still common today, other attacks are often variations on older attack methods. Botnets are often used to launch distributed DoS (DDoS) attacks. Zero-day exploits are previously unknown vulnerabilities. Following basic preventive measures helps to prevent successful zero-day exploit attacks.
Automated tools such as intrusion detection systems use logs to monitor the environment and detect attacks as they are occurring. Some can automatically block attacks. There are two types of detection methods employed by IDSs: knowledge-based and behavior-based. A knowledge-based IDS uses a database of attack signatures to detect intrusion attempts but cannot recognize new attack methods. A behavior-based system starts with a baseline of normal activity and then measures activity against the baseline to detect abnormal activity. A passive response will log the activity and possibly send an alert on items of interest. An active response will change the environment to block an attack in action. Host-based systems are installed on and monitor individual hosts, whereas network-based systems are installed on network devices and monitor overall network activity. Intrusion prevention systems are placed in line with the traffic and can block malicious traffic before it reaches the target system.
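The two IDS detection methods described above, as an added illustration that is not part of the original chapter: a knowledge-based check matches requests against a small signature database (hypothetical, illustrative signatures), while a behavior-based check builds a per-host request-rate baseline from a training window and flags hosts that deviate from it. Both produce passive-response alerts; the event data is constructed.

```python
import re
import statistics
from collections import Counter

# Constructed sample events: (source_host, request line). Not from the page.
TRAINING = [("10.0.0.5", "GET /index.html")] * 20 + [("10.0.0.6", "GET /about.html")] * 18
LIVE = (
    [("10.0.0.5", "GET /index.html")] * 19
    + [("10.0.0.9", "GET /login")] * 400          # burst far above the baseline rate
    + [("10.0.0.6", "GET /../../config")]        # matches a known signature
)

# Knowledge-based detection: a database of signatures for known attack patterns
# (hypothetical signatures chosen only to illustrate the mechanism).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select"),
}

def knowledge_based(events):
    """Alert on events matching a stored signature; unknown attack methods are missed."""
    alerts = []
    for host, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((host, name))
    return alerts

def build_baseline(events):
    """Baseline of normal activity: mean and spread of per-host request counts."""
    counts = Counter(host for host, _ in events)
    return statistics.mean(counts.values()), statistics.pstdev(counts.values())

def behavior_based(events, baseline, k=3.0):
    """Alert on hosts whose request count exceeds baseline mean + k standard deviations."""
    mean, stdev = baseline
    counts = Counter(host for host, _ in events)
    return [(host, "abnormal request rate") for host, n in counts.items() if n > mean + k * stdev]

if __name__ == "__main__":
    # Passive response: report items of interest rather than changing the environment.
    print("signature alerts:", knowledge_based(LIVE))
    print("baseline alerts: ", behavior_based(LIVE, build_baseline(TRAINING)))
```

The flood from 10.0.0.9 matches no signature and is caught only by the baseline comparison, while the traversal request is a single event that never exceeds the rate threshold and is caught only by the signature check.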
Honeypots, honeynets, and padded cells can be useful tools to prevent malicious activity from occurring on a production network while enticing intruders to stick around. They often include pseudo flaws and fake data used to tempt attackers. Administrators and security personnel also use these to gather evidence against attackers for possible prosecution.
Up-to-date anti-malware software prevents many malicious code attacks. Anti-malware software is commonly installed at the boundary between the internet and the internal network, on email servers, and on each system. Limiting user privileges for software installations helps prevent accidental malware installation by users. Additionally, educating users about different types of malware, and how criminals try to trick users, helps them avoid risky behaviors.
Penetration testing is a useful tool to check the strength and effectiveness of deployed security measures and an organization’s security policies. It starts with vulnerability assessments or scans and then attempts to exploit vulnerabilities. Penetration testing should only be done with management approval and should be done on test systems instead of production systems whenever possible. Organizations often hire external consultants to perform penetration testing and can control the amount of knowledge these consultants have. Zero-knowledge testing is often called black-box testing, full-knowledge testing is often called white-box or crystal-box testing, and partial-knowledge testing is often called gray-box testing.
Logging and monitoring provide overall accountability when combined with effective identification and authentication practices. Logging involves recording events in logs and database files. Security logs, system logs, application logs, firewall logs, proxy logs, and change management logs are all common log files. Log files include valuable data and should be protected to ensure that they aren’t modified, deleted, or corrupted. If they are not protected, attackers will often try to modify or delete them, and they will not be admissible as evidence to prosecute an attacker.
Monitoring involves reviewing logs in real time and also later as part of an audit. Audit trails are the records created by recording information about events and occurrences into one or more databases or log files, and they can be used to reconstruct events, extract information about incidents, and prove or disprove culpability. Audit trails provide a passive form of detective security control and serve as a deterrent in the same manner as CCTV or security guards do. In addition, they can be essential as evidence in the prosecution of criminals. Logs can be quite large, so different methods are used to analyze them or reduce their size. Sampling is a statistical method used to analyze logs, and using clipping levels is a nonstatistical method involving predefined thresholds for items of interest.
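An added example (not from the chapter) tying together the two preceding points: protecting an audit trail against undetected modification or deletion, and reviewing it with a clipping level. Each record's SHA-256 hash covers the previous record's hash, so changing or removing any entry breaks the chain at a detectable position; the records, the threshold of 3 failed logins, and the field names are constructed for the illustration.

```python
import hashlib
import json

# Constructed sample audit records (not from the page).
EVENTS = [
    {"user": "alice", "action": "login", "result": "failure"},
    {"user": "alice", "action": "login", "result": "failure"},
    {"user": "alice", "action": "login", "result": "failure"},
    {"user": "alice", "action": "login", "result": "failure"},
    {"user": "bob", "action": "login", "result": "failure"},
    {"user": "bob", "action": "login", "result": "success"},
    {"user": "alice", "action": "read", "result": "success"},
]
GENESIS = "0" * 64  # hash value the first record chains to

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_record(trail, record):
    """Append a record whose hash covers both its content and the previous hash."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "hash": _digest(prev_hash, record)})
    return trail

def verify_trail(trail):
    """Return the index of the first modified or missing link, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return -1

def clipping_level_report(trail, action="login", result="failure", threshold=3):
    """Nonstatistical review: users whose failed logins meet or exceed a predefined threshold."""
    counts = {}
    for entry in trail:
        r = entry["record"]
        if r["action"] == action and r["result"] == result:
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def build_trail(events=EVENTS):
    """Build a fresh chained trail from the sample events (copies, so tests may mutate)."""
    trail = []
    for e in events:
        append_record(trail, dict(e))
    return trail
```

Deleting an entry is detected at the position where the next entry's stored hash no longer matches the recomputed chain, so even silent truncation in the middle of a file is caught.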
The effectiveness of access controls can be assessed using different types of audits and reviews. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Access review audits ensure that object access and account management practices support an organization’s security policy. User entitlement audits ensure that personnel follow the principle of least privilege.
Audit reports document the results of an audit. These reports should be protected and distribution should be limited to only specific people in an organization. Senior management and security professionals have a need to access the results of security audits, but if attackers have access to audit reports, they can use the information to identify vulnerabilities they can exploit.
Security audits and reviews are commonly done to guarantee that controls are implemented as directed and working as desired. It’s common to include audits and reviews to check patch management, vulnerability management, change management, and configuration management programs.
Exam Essentials