Which security tool is used to guide the security implementation of an organization?

External Auditors

It is often necessary to test or verify the security mechanisms deployed in an environment. The test process is designed to ensure that the requirements dictated by the security policy are followed and that no significant holes or weaknesses exist in the deployed security solution. Many organizations conduct independent audits by hiring outside or external security auditors to check the security of their environment. External audits provide a level of objectivity that an internal audit cannot. An external auditor is given access to the company’s security policy and the authorization to inspect every aspect of the IT and physical environment. Thus the auditor must be a trusted entity.

The goal of the audit activity is to obtain a final report that details any findings and suggests countermeasures when appropriate. However, an audit of this type can take a considerable amount of time to complete—weeks or months, in fact. During the course of the audit, the auditor may issue interim reports. An interim report is a written or verbal report given to the organization about a discovered security weakness that needs immediate attention. Interim reports are issued whenever a problem or issue is too severe to wait until the final audit report is issued.

Once the auditor completes their investigations, an exit conference is held. During the exit conference, the auditor presents and discusses their findings and discusses resolution issues with the affected parties. However, only after the exit conference is over and the auditor has left the premises does the auditor write and submit the final audit report to the organization. This allows the final audit report to be as unaffected as possible by office politics and coercion. After the final audit report is received, the internal auditors should verify whether or not the recommendations in the report are carried out.
However, it is the responsibility of senior management to select which recommendations to follow and to delegate the implementation to the security team.

Monitoring

Monitoring is a form of auditing that focuses on the active review of the audited information or the audited asset. For example, you would audit the activity of failed logons, but you would monitor CPU performance. Monitoring is most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment.

A common implementation of monitoring is known as illegal software monitoring. This type of monitoring is used to watch for attempted or successful installation of unapproved software, use of unauthorized software, or unauthorized use of approved software (i.e., attempts to bypass the restrictions of the security classification hierarchy). Monitoring in this fashion reduces the likelihood of a virus or Trojan horse being installed or of software circumventing the security controls imposed.

Monitoring Tools and Techniques

The actual tools and techniques used to perform monitoring vary greatly between environments and system platforms. However, there are several common forms found in most environments. These include warning banners, keystroke monitoring, traffic analysis, trend analysis, and other monitoring tools.

Warning Banners

Warning banners are used to inform would-be intruders or those who attempt to violate security policy that their intended activities are restricted and that any further activities will be audited and monitored. A warning banner is basically an electronic equivalent of a no trespassing sign. In most situations, the wording of the banners is important from a legal standpoint. Be sure to consult with your attorneys about the proper wording for your banners.
Only through valid warnings (i.e., clear explanations that unauthorized access is prohibited and that any such activity will be monitored and recorded) can most intrusions and attacks be prosecuted. Both authorized and unauthorized users should be informed when their activities are being logged. Most authorized users should assume such, and often their employment agreements will include specific statements indicating that any and all activity on the IT infrastructure may be recorded.

Keystroke Monitoring

Keystroke monitoring is the act of recording the key presses a user performs on a physical keyboard. The act of recording can be visual (such as with a video recorder) or logical/technical (such as with a capturing hardware device or a software program). In most cases, keystroke monitoring is used for malicious purposes. Only in extreme circumstances and highly secured environments is keystroke monitoring actually employed as a means to audit and analyze the activity of users at the keyboard. Keystroke monitoring can be extremely useful to track the keystroke-by-keystroke activities of physical intruders in order to learn the kinds of attacks and methods used to infiltrate a system.

Keystroke monitoring is often compared to wiretapping. There is some debate about whether keystroke monitoring should be restricted and controlled in the same manner as telephone wiretaps. Because there is no legal precedent set yet, many organizations that employ keystroke monitoring notify authorized and unauthorized users of such monitoring through employment agreements, security policies, and warning banners.

Traffic Analysis and Trend Analysis

Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual content of packets.
Traffic and trend analysis can be used to infer a large amount of information, such as primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.
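As an added example (not part of the text above), the following Python script shows how much a monitor can infer from flow metadata alone, with no packet content: likely primary servers, sources of encrypted traffic, direction of traffic, and the frequency of the busiest communication pair. The flow records and the internal address prefix 10.0.0. are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

INTERNAL = "10.0.0."  # assumed address prefix of the monitored network

# Constructed flow records (timestamp, src, dst, dst_port, bytes): metadata only,
# no packet content. Illustrative values, not captured from any real network.
FLOWS = [
    ("2024-05-01T09:00:05", "10.0.0.12", "10.0.0.5", 443, 1200),
    ("2024-05-01T09:00:09", "10.0.0.13", "10.0.0.5", 443, 900),
    ("2024-05-01T09:01:00", "10.0.0.14", "10.0.0.5", 443, 1500),
    ("2024-05-01T09:02:00", "10.0.0.12", "203.0.113.7", 443, 4000),
    ("2024-05-01T09:03:30", "10.0.0.12", "10.0.0.9", 53, 80),
    ("2024-05-01T09:03:31", "10.0.0.13", "10.0.0.9", 53, 80),
    ("2024-05-01T09:05:00", "198.51.100.4", "10.0.0.5", 443, 700),
    ("2024-05-01T09:10:00", "10.0.0.12", "10.0.0.5", 443, 1100),
    ("2024-05-01T09:11:00", "10.0.0.14", "10.0.0.9", 53, 80),
    ("2024-05-01T09:12:00", "10.0.0.15", "203.0.113.7", 443, 2500),
]

def direction(src, dst):
    """Classify a flow relative to the monitored network."""
    s, d = src.startswith(INTERNAL), dst.startswith(INTERNAL)
    return "internal" if s and d else "outbound" if s else "inbound"

def analyze(flows=FLOWS):
    """Infer network structure from flow metadata alone (no payload inspection)."""
    dst_sources, encrypted_sources = defaultdict(set), set()
    bytes_by_dir, pair_times = Counter(), defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        dst_sources[dst].add(src)
        if port == 443:  # TLS port: this source originates encrypted traffic
            encrypted_sources.add(src)
        bytes_by_dir[direction(src, dst)] += nbytes
        pair_times[(src, dst)].append(datetime.fromisoformat(ts))
    # Hosts contacted by the most distinct sources are the likely primary servers.
    servers = sorted(dst_sources, key=lambda h: len(dst_sources[h]), reverse=True)
    # Most frequently repeated (src, dst) pair and its mean gap between flows, in seconds.
    pair = max(pair_times, key=lambda p: len(pair_times[p]))
    times = sorted(pair_times[pair])
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "primary_servers": servers,
        "encrypted_sources": sorted(encrypted_sources),
        "bytes_by_direction": dict(bytes_by_dir),
        "busiest_pair": pair,
        "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
    }
```

On the sample data, 10.0.0.5 emerges as the primary server and 10.0.0.12 to 10.0.0.5 as the busiest pair, without a single payload byte being read; the same reasoning is why flow metadata deserves the same protection as content.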