[Security_sig] Re: Departmental questions resolution...

Mary Edie Meredith maryedie at osdl.org
Fri Aug 12 14:14:14 PDT 2005


One final question (I hope).

[snip]

> > ---> Hostile attackers are expected and are usually internal,
> > typically not external attackers.
> 
> Yes.
[snip]
> 
> > >> Is audit important, and what to audit?
> > >
> > > [A] Audit? what's an audit ??
> > > [B] Same as Edge Server.  May contain sensitive documents with
> > > restrictive ACLs whose access should be audited.
> > >
> > > --->Security auditing is important for:
> > > (1) system and application/service login attempts, both successful and
> > > failed,
> > > (2) security changes made by the system administrator or application
> > > administrator,
> > > (3) anything else important to the site policy, in particular,
> > > Departmental Servers may contain sensitive documents with restrictive
> > > ACLs whose access should be audited.
> > > (4) IDS style auditing of things like network traffic analysis, or
> > > binary/configuration file checksum intrusion detection, the focus being
> > > on internal attacks,
> 
> s/internel/external/ I think (we're talking about remote traffic here)

If the hostile attacks are most likely to come from internal users (see
cut from email at the beginning of this one), why wouldn't the emphasis
be on intrusion detection by internal users?  
> 
> > > Note, that although the above items are important to audit, local
> > > policy makers or system administrators may not understand the
> > > need for auditing or may not have an audit administrator.
> > 
> > Yes ... but ... much depends upon the sensitivity of the information
> > present on, or processed by the server. Highly sensitive data-handling
> > servers require much more monitoring/auditing than a server used for
> > general purpose work.
> > 
> > "Departmental server" covers a wide range of uses.
> > Most will not require extraordinary monitoring. An NSA departmental server
> > may, for example.
> > 
> > No simple, short answer to this.
> 
> Again, agreed.
> 
> thanks,
> -chris
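Editor's added example, not part of the thread or of any OSDL project: the audit list quoted above names two items that are easy to show concretely, (1) successful and failed login attempts and (4) checksum-based detection of changes to binary or configuration files. The block below implements a minimal version of both. The log lines are constructed in an sshd-like syslog format, the host name `dept01`, the user names and the addresses are invented, and the configuration files are throwaway temp files, so it runs offline.

```python
"""Minimal departmental-server audit helpers (added example, not project code).

Two of the audit items from the thread:
  (1) count successful/failed logins per user and source address
  (4) baseline and re-verify checksums of configuration/binary files
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# --- item (4): checksum intrusion detection -------------------------------

def checksum_baseline(paths):
    """Return {path: sha256 hexdigest} for each file in paths."""
    baseline = {}
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        baseline[p] = h.hexdigest()
    return baseline


def verify_baseline(baseline):
    """Return the sorted list of paths that are missing or whose checksum
    no longer matches the recorded baseline."""
    changed = []
    for p, digest in baseline.items():
        if not os.path.exists(p) or checksum_baseline([p])[p] != digest:
            changed.append(p)
    return sorted(changed)


def demo_integrity_check():
    """Create two throwaway config files, baseline them, tamper with one and
    return the basenames the verifier flags (expected: only 'service.conf')."""
    d = tempfile.mkdtemp()
    a = os.path.join(d, "app.conf")
    b = os.path.join(d, "service.conf")
    for p in (a, b):
        with open(p, "w") as f:
            f.write("listen = 127.0.0.1\n")
    baseline = checksum_baseline([a, b])
    with open(b, "a") as f:
        f.write("listen = 0.0.0.0\n")  # simulated unauthorized edit
    return [os.path.basename(p) for p in verify_baseline(baseline)]


# --- item (1): login attempt audit ----------------------------------------

# Constructed sample lines (invented host, users and internal addresses).
SAMPLE_AUTH_LOG = """\
Aug 12 14:01:02 dept01 sshd[2101]: Accepted password for alice from 10.1.2.3 port 50122 ssh2
Aug 12 14:01:09 dept01 sshd[2102]: Failed password for bob from 10.1.2.4 port 50123 ssh2
Aug 12 14:01:11 dept01 sshd[2103]: Failed password for bob from 10.1.2.4 port 50124 ssh2
Aug 12 14:01:15 dept01 sshd[2104]: Failed password for invalid user admin from 10.1.2.4 port 50125 ssh2
Aug 12 14:02:30 dept01 sshd[2105]: Accepted publickey for carol from 10.1.2.5 port 50126 ssh2
"""

# Matches both "Accepted <method> for <user> from <addr>" and the
# "Failed ... for invalid user <user> from <addr>" variant.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)"
)


def summarize_logins(log_text):
    """Return {'accepted': Counter, 'failed': Counter} keyed by (user, source)."""
    summary = {"accepted": Counter(), "failed": Counter()}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        key = "accepted" if outcome == "Accepted" else "failed"
        summary[key][(user, src)] += 1
    return summary


if __name__ == "__main__":
    print("changed files:", demo_integrity_check())
    for kind, counts in summarize_logins(SAMPLE_AUTH_LOG).items():
        for (user, src), n in sorted(counts.items()):
            print(f"{kind:8s} {user:8s} {src:10s} {n}")
```

Both outputs are what an audit administrator would review: the per-user, per-source failure counts make repeated internal attempts visible, and the baseline mismatch list surfaces configuration drift that a sensitive departmental server's policy would want flagged. A real deployment would store the baseline off-host and run the check on a schedule.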
