What type of trusted recovery process requires the intervention of an administrator?

Monitoring Tools and Techniques

The actual tools and techniques used to perform monitoring vary greatly between environments and system platforms. However, several common forms are found in most environments. These include warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools.

Warning Banners

Warning banners are used to inform would-be intruders, or those who attempt to violate security policy, that their intended activities are restricted and that any further activities will be audited and monitored. A warning banner is basically the electronic equivalent of a no trespassing sign. In most situations, the wording of the banners is important from a legal standpoint. Be sure to consult with your attorneys about the proper wording for your banners. Only through valid warnings (i.e., clear explanations that unauthorized access is prohibited and that any such activity will be monitored and recorded) can most intrusions and attacks be prosecuted. Both authorized and unauthorized users should be informed when their activities are being logged. Most authorized users should assume as much, and often their employment agreements will include specific statements indicating that any and all activity on the IT infrastructure may be recorded.

Keystroke Monitoring

Keystroke monitoring is the act of recording the key presses a user performs on a physical keyboard. The act of recording can be visual (such as with a video recorder) or logical/technical (such as with a capturing hardware device or a software program). In most cases, keystroke monitoring is used for malicious purposes. Only in extreme circumstances and highly secured environments is keystroke monitoring actually employed as a means to audit and analyze the activity of users at the keyboard.
Keystroke monitoring can be extremely useful to track the keystroke-by-keystroke activities of physical intruders in order to learn the kinds of attacks and methods used to infiltrate a system. Keystroke monitoring is often compared to wiretapping. There is some debate about whether keystroke monitoring should be restricted and controlled in the same manner as telephone wiretaps. Because there is no legal precedent set yet, many organizations that employ keystroke monitoring notify authorized and unauthorized users of such monitoring through employment agreements, security policies, and warning banners.

Traffic Analysis and Trend Analysis

Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual content of packets. Traffic and trend analysis can be used to infer a large amount of information, such as primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.

Other Monitoring Tools

There is a wide range of available tools to perform monitoring. Many are automated and perform the monitoring activities in real time. Some monitoring tools are developed in-house and are ad hoc implementations focusing on a single type of observation. Most monitoring tools are passive. This means they cause no effect on the monitored activity, event, or traffic and make no original transmissions of their own. A common example of a tool for monitoring physical access is closed-circuit television (CCTV). CCTV can be configured to automatically record the viewed events onto tape for later review, or it can be watched in real time by personnel who look for unwanted, unauthorized, and illegal activities.

Failure recognition and response is an important part of monitoring and auditing.
Otherwise, what is the point of performing the monitoring and auditing activities? On systems that use manual review, failure recognition is the responsibility of the observer or auditor. In order to recognize a failure, one must understand what is normal and expected. When the monitored or audited events stray from this standard baseline, a failure, breach, intrusion, error, or problem has occurred and a response must be initiated. Automated monitoring and auditing systems are usually programmed to recognize failures. Failure recognition can be signature based or knowledge based. For a discussion of these two mechanisms, please see the intrusion detection discussion in Chapter 2.

In either case, manual or automated recognition, the first step in a response is to notify the authority responsible for sustaining security and handling the problem or breach. Often this is the local administrator, the local manager, or the local security professional. The notification usually takes the form of an alarm or warning message. Once notification is performed, the responsible personnel (i.e., the administrator, manager, or security professional) or the automated tool can perform a response. When a person is responsible for the response, they can adapt the response to the specific condition and situation. For this reason, personnel-controlled responses are often the most effective. Automated tool responses are typically predefined response scripts that are usually much broader in scope than necessary. Automated tools are excellent for quick and efficient lockdown, but often the countermeasure or response imposed by a tool will significantly affect the ability of the system to continue to support and perform productive work. Whenever an automated tool response is deployed, personnel should be notified so the response can be fine-tuned and the network can be returned to normal as soon as possible.
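As an added example (not from the book), the following Python script shows what the traffic and trend analysis described above can infer from flow metadata alone, and how the baseline-deviation form of failure recognition described here produces the notification that starts a response; the flow records, the baseline, and the deviation factor are all constructed.

```python
from collections import defaultdict

# Constructed flow records (added example, not from the book):
# (timestamp_sec, src_ip, dst_ip, dst_port, bytes). Only metadata is
# used; no packet content is examined, as in traffic analysis.
FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 443, 1200),
    (5, "10.0.0.6", "10.0.0.20", 443, 900),
    (9, "10.0.0.7", "10.0.0.20", 443, 1500),
    (12, "10.0.0.5", "10.0.0.21", 53, 80),
    (30, "10.0.0.6", "10.0.0.21", 53, 75),
    (61, "10.0.0.5", "10.0.0.20", 443, 1100),
    (65, "10.0.0.9", "10.0.0.30", 22, 400),
    (70, "10.0.0.9", "10.0.0.30", 22, 52000),
]
# Constructed baseline: typical bytes per 60 s window for each known server.
BASELINE = {"10.0.0.20": 4000, "10.0.0.21": 200, "10.0.0.30": 500}

def primary_servers(flows, top=2):
    """Traffic analysis: the destinations contacted by the most distinct
    sources are the primary servers, inferred without reading any payload."""
    clients = defaultdict(set)
    for _, src, dst, port, _ in flows:
        clients[(dst, port)].add(src)
    ranked = sorted(clients.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(dst, port, len(srcs)) for (dst, port), srcs in ranked[:top]]

def bytes_per_window(flows, window_sec=60):
    """Trend analysis: total bytes per destination in each time window."""
    totals = defaultdict(int)
    for ts, _, dst, _, nbytes in flows:
        totals[(ts // window_sec, dst)] += nbytes
    return dict(totals)

def deviations(flows, baseline, factor=5, window_sec=60):
    """Failure recognition: flag each (window, dst) whose volume exceeds
    factor x the known-normal baseline. A destination absent from the
    baseline has no 'normal' (0), so any traffic to it is flagged."""
    alerts = []
    for (win, dst), total in sorted(bytes_per_window(flows, window_sec).items()):
        normal = baseline.get(dst, 0)
        if total > factor * normal:
            alerts.append((win, dst, total, normal))
    return alerts

if __name__ == "__main__":
    print("primary servers:", primary_servers(FLOWS))
    for win, dst, total, normal in deviations(FLOWS, BASELINE):
        print(f"ALERT window={win} dst={dst} bytes={total} baseline={normal}")
```

The alert list is the notification step from the text; what follows it (lockdown or a tuned manual response) is deliberately left to the responsible personnel.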
Penetration Testing Techniques

In security terms, a penetration occurs when an attack is successful and an intruder is able to breach the perimeter of your environment. The breach can be as small as reading a few bits of data from your network or as big as logging in as a user with unrestricted privileges. One of the primary goals of security is to prevent penetrations. One common method to test the strength of your security measures is to perform penetration testing. Penetration testing is a vigorous attempt to break into a protected network using any