Computer Security Threat Monitoring and Surveillance
In most systems such data is not collected. This is because the<br />
systems are generally large, with a large number of users, and<br />
recording the presumed attempted logons would consume too many<br />
system resources to warrant their acquisition.<br />
In addition, there is a potential problem created by recording<br />
unsuccessful logons in the audit data if those logons contain the password<br />
or other user authenticator. The danger is that the audit trail<br />
will contain partial or complete user authenticators or passwords<br />
from legitimate errors made by authorized users as well as from<br />
unsuccessful external penetration attempts (a user who types a password<br />
into the identity field, or who is off by one character, has just placed<br />
a working or near-working secret in the log). This is not to say that such<br />
data should not be collected; it is only to point out that in the<br />
collection it is possible that a greater danger is created. The usual<br />
remedy is to record the claimed identity and the outcome of the attempt<br />
but never the authenticator string itself.<br />
Auditing of attempted logons can include identification of the<br />
terminal, the port through which the terminal is connected to the<br />
system, the claimed identity of the user, and the like. If the<br />
assets required it, it would be possible to trigger an immediate<br />
exception report to the security officer or other operations personnel<br />
if the number of unsuccessful logons from a given port number<br />
exceeded some threshold over time. The cost of this idea is the<br />
additional complication of maintaining logon records, or even extracts<br />
from logon records, on a per-port basis when the number of ports or the<br />
number of potential users of the system is extremely large. Note that<br />
the external penetrator threat translates into an internal threat<br />
as soon as the installation access controls have been penetrated.<br />
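The two points above, stripping the authenticator before a failed logon reaches the audit trail and raising an exception report when failures from one port exceed a threshold within a time window, are shown together in the following example. It is added here and is not code from the report; the record layout (ts, terminal, port, user, outcome, authenticator), the sample records, the threshold of 3 failures and the 60-second window are all constructed assumptions. Per-port state is kept only for failures inside the window and is discarded when a report is raised, which is one way to keep the per-port bookkeeping cost the report worries about proportional to ports currently under attack rather than to the total number of ports.<br />

```python
from collections import defaultdict, deque

# Constructed sample audit records (not from the report). This is what a logon
# routine might hand to the audit module before any filtering: the raw
# authenticator is still present, which is the hazard the text describes.
SAMPLE_RECORDS = [
    {"ts": 0,   "terminal": "T-07", "port": 3,  "user": "smith",    "outcome": "FAIL", "authenticator": "passw0rd!"},
    {"ts": 10,  "terminal": "T-07", "port": 3,  "user": "smith",    "outcome": "OK",   "authenticator": "passw0rd"},
    {"ts": 20,  "terminal": "T-22", "port": 11, "user": "root",     "outcome": "FAIL", "authenticator": "root"},
    {"ts": 30,  "terminal": "T-22", "port": 11, "user": "root",     "outcome": "FAIL", "authenticator": "toor"},
    {"ts": 100, "terminal": "T-22", "port": 11, "user": "operator", "outcome": "FAIL", "authenticator": "operator"},
    {"ts": 110, "terminal": "T-22", "port": 11, "user": "root",     "outcome": "FAIL", "authenticator": "admin"},
    {"ts": 120, "terminal": "T-22", "port": 11, "user": "sys",      "outcome": "FAIL", "authenticator": "sys"},
]

# The only fields the audit trail is permitted to hold (assumed layout).
AUDIT_FIELDS = ("ts", "terminal", "port", "user", "outcome")


def sanitize(record):
    """Return a copy of the record containing only the allowed audit fields.

    The authenticator is dropped before the record is written anywhere, so a
    mistyped password from a legitimate user never lands in the trail.
    """
    return {k: record[k] for k in AUDIT_FIELDS}


class PortFailureMonitor:
    """Sliding-window count of unsuccessful logons per port.

    For each port only the (timestamp, claimed identity) pairs of failures
    inside the window are retained; stale entries are expired lazily on the
    next failure from that port, and the port's entry is deleted once a
    report is raised.
    """

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.failures = defaultdict(deque)   # port -> deque of (ts, user)

    def observe(self, record):
        """Feed one sanitized record; return an exception report dict or None."""
        if record["outcome"] != "FAIL":
            return None
        port, now = record["port"], record["ts"]
        q = self.failures[port]
        q.append((now, record["user"]))
        while q and q[0][0] <= now - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        report = {
            "port": port,
            "terminal": record["terminal"],
            "failures": len(q),
            "window_seconds": self.window,
            "first_ts": q[0][0],
            "last_ts": now,
            "claimed_identities": sorted({u for _, u in q}),
        }
        del self.failures[port]   # one burst yields one report, and frees the state
        return report


def audit(records, threshold=3, window_seconds=60):
    """Sanitize each raw record, feed it to the monitor, return (trail, reports)."""
    monitor = PortFailureMonitor(threshold, window_seconds)
    trail, reports = [], []
    for raw in records:
        rec = sanitize(raw)
        trail.append(rec)
        report = monitor.observe(rec)
        if report is not None:
            reports.append(report)
    return trail, reports


if __name__ == "__main__":
    trail, reports = audit(SAMPLE_RECORDS)
    for r in reports:
        print("EXCEPTION REPORT:", r)
```

On the sample data the two early failures on port 11 fall outside the 60-second window by the time the burst at 100 to 120 seconds arrives, so only that burst produces a report; widening the window to 200 seconds makes the earlier pair count as well and moves the report to the failure at 100 seconds. Threshold and window are the tuning knobs the report leaves to the installation, and the right values depend on how noisy legitimate users are on that port.<br />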