Other Monitoring Tools There is a wide range of available tools to perform monitoring. Many are automated and per- form the monitoring activities in real time. Some monitoring tools are developed in-house and are ad hoc implementations focusing on a single type of observation. Most monitoring tools are passive. This means they cause no effect on the monitored activity, event, or traffic and make no original transmissions of their own. A common example of a tool for monitoring physical access is the use of closed-circuit tele- vision CCTV. CCTV can be configured to automatically record the viewed events onto tape for later review, or personnel who watch for unwanted, unauthorized, and illegal activities in real time can watch it. Failure recognition and response is an important part of monitoring and auditing. Other- wise, what is the point of performing the monitoring and auditing activities? On systems that use manual review, failure recognition is the responsibility of the observer or auditor. In order to recognize a failure, one must understand what is normal and expected. When the monitored or audited events stray from this standard baseline, then a failure, breach, intrusion, error, or problem has occurred and a response must be initiated. Automated monitoring and auditing systems are usually programmed to recognize failures. Failure recognition can be based on signatures or be knowledge based. For a discussion of these two mechanisms, please see the intrusion detection discussion in Chapter 2. In either case of a manual or automated recognition, the first step in a response is to notify the authority responsible for sustaining security and handling the problem or breach. Often this is the local administrator, the local manager, or the local security professional. The notification usually takes the form of an alarm or warning message. Once notification is performed, the responsible personnel i.e., the administrator, manager, or security professional or the automated tool can perform a response. When a person is responsible for the response, they can adapt the response to the specific condition and situation. For this reason, personnel-controlled responses are often the most effective. Automated tool responses are typically predefined response scripts that are usu- ally much broader in scope than necessary. Automated tools are excellent for quick and efficient lockdown, but often the countermeasure or response imposed by a tool will significantly affect the ability of the system to continue to support and perform productive work. Whenever an auto- mated tool response is deployed, personnel should be notified so the response can be fine-tuned and the network can be returned to normal as soon as possible. Penetration Testing Techniques In security terms, a penetration occurs when an attack is successful and an intruder is able to breach the perimeter of your environment. The breach can be as small as reading a few bits of data from your network or as big as logging in as a user with unrestricted privileges. One of the primary goals of security is to prevent penetrations. One common method to test the strength of your security measures is to perform penetration testing. Penetration testing is a vigorous attempt to break into a protected network using any