
UNIT 8: IT Security Management, Risk Assessment and Security Auditing
IT 244: Information Security

8.1 IT Security Management

IT security management (ITSM) aims to ensure the availability, integrity and confidentiality of an organization's data, information and IT services. IT Infrastructure Library (ITIL) security management is generally part of an organization-wide approach to security management, whose scope is broader than that of a single IT service provider.

Information security management is an organization's approach to ensuring the confidentiality, availability, and integrity of IT assets and safeguarding them from cyberattacks. A Chief Information Security Officer, IT Operations Manager, or Chief Technical Officer, with a team of Security Analysts and IT Operators, may carry out the tasks involved in information security.

Virtually every organization holds information it would not want exposed or falling into the wrong hands.

Regardless of whether this data is stored physically or digitally, Information Security Management is crucial to protecting it from theft, unauthorized modification, and other access without authorization. Start by taking stock of what your organization owns so you can prioritize its protection.

Pillars of Information Security Management


Today, business organizations produce, amass, and store huge amounts of information from
their customers, such as credit cards and payment data, behavioral analytics, healthcare
information, usage data, and other personal information. All these have increased the threats
of cyberattacks and data theft, which has resulted in important developments in the field of
information security management.

Arjun Lamichhane Page 1



i. Information Security Controls


Information security controls are safeguards or countermeasures implemented to minimize,
detect, avoid, or counteract information security risks, including data theft, information
systems breaches, and unauthorized access. These security controls aim to help protect the
integrity, availability, and confidentiality of data and networks.

Three Forms of Security Controls


 Preventive: controls intended to stop cybersecurity incidents before they occur.
 Detective: controls aimed at detecting unusual cybersecurity activity. They detect both attempted and successful breaches and notify cybersecurity staff of the incidents.
 Corrective: controls applied after a cybersecurity incident to limit data loss or damage to the network or system and to restore critical business processes and systems quickly (resilience).

ii. Governance, Risk, and Compliance (GRC)


Governance, risk, and compliance (GRC) mainly deal with structuring risk management for
organizations.

Governance
Governance is the combination of procedures supported and implemented by the executives to guarantee that all organizational tasks, such as managing IT operations, are managed and aligned to support the organization's business goals. Governance is also a key element in an Identity and Access Management (IAM) solution.

Risk Management
Risk management involves forecasting and dealing with the risks or opportunities linked to your organization's activities that could prevent it from achieving its aims under uncertainty. In the cybersecurity context, risk management means applying a comprehensive IT risk management methodology that is integrated into your organization's enterprise risk management function.

Compliance
Cyber Regulation and Compliance are the yardsticks that ensure you meet the numerous
controls, typically endorsed by the law, a regulatory authority, or industry group, to
safeguard the CIA Triad (confidentiality, integrity, and availability) of data.

iii. Cybersecurity Audit Management


A cybersecurity audit serves as a 'checklist' that verifies that the policies a cybersecurity team says it has are actually in place and that controls exist to enforce them.

Purpose of Cyber Audit

Internal Audit
Internal audits analyze an organization’s internal controls, such as its accounting processes
and corporate governance. They ensure that organizations comply with relevant laws and
regulations and that financial reporting and data collection are executed in an accurate and
timely fashion.




External Audit
This is an independent assessment of the company’s financial statements and is often
executed for statutory reasons since the law mandates it. The external audit is performed by
a registered firm of accountants with established professional qualifications, including ACCA,
ACA, and CPA.

Third-Party Audit
A third-party audit takes place when an organization decides to build a quality management system (QMS) that conforms to a standard set of requirements, such as ISO 9001, and engages an independent auditing firm to verify that it has succeeded in meeting those standards.

Audit Management
This is the process of ensuring that board-approved audit directives are carried out. Audit management simplifies and organizes the collaboration and workflow of collecting audits. It manages internal, external, and third-party audit staff, hires and trains suitable audit professionals, and establishes audit programs.

iv. Security Program Management


This is made up of projects, processes, activities, technologies, and policies, which are
combined to realize a shared objective.

The Objective of a Security Program


A security program aims to provide a documented set of an organization’s cybersecurity
standards, policies, guidelines, and procedures. Your information security program must
guarantee the integrity, confidentiality, availability, and nonrepudiation of your client and
customer data via efficient security management controls and practices.

Components of Security Program


To accomplish all your operational, strategic, and tactical information security objectives, you need to implement the following key components:

 Security policy development

 Risk management

 Incident handling & response

 Security architecture

 Threats & vulnerabilities

v. Vendor Risk Management (VRM) OR Third-Party Risk Management (TPRM)


VRM covers all the processes for evaluating suppliers, partners, and vendors to ensure they meet certain requirements. Although vendor risk management (VRM) and third-party risk management (TPRM) are often used interchangeably, they do not mean the same thing.

TPRM is an assessment of the risk introduced by a firm's third-party relationships along the whole supply chain. It involves identifying, evaluating, and monitoring the risks present throughout the lifecycle of your relationships with third parties. This typically begins during procurement and ends with the offboarding process.

Types of Risks while Onboarding Vendors

 Operational risk: for example, a data breach at the vendor.

 Regulatory risk: you could pay the price if a vendor violates the law or organizational policy.

 Reputational risk: for instance, a rug company outsources production to a factory that violates child labor regulations, resulting in penalties and damaging publicity.

vi. Strategic Planning


An information security strategic plan can place an organization in a position to accept or
avoid, transfer, or mitigate information risk associated with processes, people, and
technologies. A solid strategy can also help the enterprise effectively protect the
confidentiality, integrity, and availability of information.

Aligning Cybersecurity Initiatives with Business Objectives


Aligning your cybersecurity initiatives with your business objectives begins with
understanding, describing, and ultimately aligning the relationship between your critical
business functions, IT assets, and data.

When you take a careful look at how these components are interconnected, you will find it easier to determine which security controls to apply to each of them. Note that business functions depend on IT assets, IT assets produce data, and data in turn supports the business functions.




8.2 Organizational context and security policy

The organizational security policy is the document that defines the scope of a utility’s
cybersecurity efforts. It serves as the repository for decisions and information generated by
other building blocks and a guide for making future cybersecurity decisions. The
organizational security policy should include information on goals, responsibilities,
structure of the security program, compliance, and the approach to risk management that
will be used.

The organizational security policy serves as a reference for employees and managers tasked
with implementing cybersecurity. What has the board of directors decided regarding
funding and priorities for security? What new security regulations have been instituted by
the government, and how do they affect technical controls and record keeping? Which
approach to risk management will the organization use? How will the organization address
situations in which an employee does not comply with mandated security policies?

The organizational security policy serves as the “go-to” document for many such questions.
It expresses leadership’s commitment to security while also defining what the utility will do
to meet its security goals.




Intersections with Other Building Blocks


Because the organizational security policy plays a central role in capturing and
disseminating information about utility-wide security efforts, it touches on many of the other
building blocks. The governance building block produces the high-level decisions affecting
all other building blocks. The compliance building block specifies what the utility must do to
uphold government-mandated standards for security. The organizational security policy
captures both sets of information.

The utility's approach to risk management (the framework it will use) is recorded in the organizational security policy and used in the risk management building block to develop a risk management strategy. Objectives defined in the organizational security policy are passed to the procurement, technical controls, incident response, and cybersecurity awareness training building blocks.

8.3 Security Risk assessment

A security risk assessment is a process that identifies and evaluates vulnerabilities in information assets (i.e., systems, hardware, applications, and data) and then prioritizes the risks those vulnerabilities expose the assets to. The primary purpose of a risk assessment is to inform decision-makers about vulnerabilities in corporate systems, allowing them to take preemptive defensive actions and prepare effective risk responses.

The assessment also provides an executive summary to help executives make informed
decisions about ongoing security efforts. Security risk assessments also indicate to
management areas where employees need training to help minimize attack surfaces.

Risk Assessment Vs Risk Management


While it may seem that these concepts are self-explanatory, it is important for executives and
management to understand their differences.




A risk assessment is primarily proactive. It involves testing your current infrastructure and
identifying weaknesses and vulnerabilities. Risk assessment is an important prerequisite for
effective risk management.

Risk management can be proactive or reactive.

The primary goal of risk management is to reduce risk by continuously applying best
practices. Risk management includes a wide range of activities from managing and updating
infrastructure to applying identity management policies to training employees on proper
password hygiene.

Unfortunately, even with strong risk assessment and proactive risk management, some
attacks are likely to succeed. Reactive risk management focuses on minimizing the damage
of these successful exploits and facilitating rapid recovery.

The 4 steps of a successful security risk assessment model

1. Identification. Determine all critical assets of the technology infrastructure. Next, identify the sensitive data that is created, stored, or transmitted by these assets. Create a risk profile for each.

2. Assessment. Administer an approach to assess the identified security risks for critical
assets. After careful evaluation and assessment, determine how to effectively and
efficiently allocate time and resources towards risk mitigation. The assessment approach
or methodology must analyze the correlation between assets, threats, vulnerabilities, and
mitigating controls.

3. Mitigation. Define a mitigation approach and enforce security controls for each risk.

4. Prevention. Implement tools and processes to minimize threats and vulnerabilities from
occurring in your firm’s resources.

Importance of Security Risk Assessments


Successful attacks can cause substantial financial and reputational damage. 23% of small
businesses suffered at least one cyber attack in 2020, with an average annual financial cost
of over $25,000. And this estimate is lower than many others. But the initial financial costs
of dealing with breaches are just one aspect of the damage. Companies also can suffer lost
clients, loss of reputation, loss of intellectual property, and increased insurance premiums,
among other effects. The costs of proactive risk assessments are minimal when compared to
the damage of a successful attack. And the associated benefits more than offset those upfront
costs.




Identify Security Gaps

Many companies are simply uninformed on even the basics of cybersecurity. More simply put, they don't know what they don't know. Risk assessments help identify security gaps at all levels, from physical security to high-level malware detection and removal. They also prevent unnecessary spending by focusing on the top security controls and prioritizing security risks.

Reduce Long Term Costs

This goes far beyond comparing the cost of the assessment to the cost of a later breach. Risk assessments also show companies how to prioritize their security spend to minimize long-term costs. Many company executives would not think of A/C maintenance as a cyber security risk, but a $3,000 investment in updating the air conditioner could save the company tens of thousands of dollars down the road. And the faster companies take action, the more cost-effective their efforts can be.

Mitigate & Protect Against Breaches

To be effective, risk assessment reports must be actionable: they must contain specific recommendations for remediation activities and tell companies how to harden their systems by closing security gaps. It is equally important that reports identify issues that appear problematic at first glance but are so unlikely that they require no action.

Help Budget Future Security Initiatives

Security risk assessments set the baseline for a company's ongoing cybersecurity efforts. By prioritizing identified gaps, they help companies create detailed plans for corrective actions. With detailed plans in place, companies can set realistic budgets for their IT and cyber security teams. They can also take early steps to address staffing shortages, which take time to fill given the current cyber security talent gap.

Increase Employee Security Awareness

Poor security practices among employees create significant vulnerabilities for businesses. Building a corporate culture focused on cyber security awareness is essential. Risk assessments help identify areas where companies should provide employee training to mitigate future risk. Unless employees know what they are doing wrong and why it is important to correct it, they will remain easy targets.




Types of Security Risk Assessments


Comprehensive risk assessments cover a broad range of potential issues, from location
security to infrastructure security to data security to the risks of employees
misappropriating or damaging data or systems.

 Physical Security Assessment

How easy is it for people to get physical access to your systems?

 Do you have security at the entrances to the building?
 Do you log visitors?
 Are there security cameras in sensitive locations?
 Do you have biometric locks on your server room?

Physical security assessments, including physical penetration testing, evaluate the ease with which a malicious actor can gain physical access to your critical systems.

 IT Security Assessment

 What is the state of your IT infrastructure?
 What network-level security protocols do you have in place?
 How are you ensuring compliance with shared security responsibilities in cloud services?

IT security assessments investigate the overall health of your IT infrastructure and communications pathways. They identify broad system vulnerabilities that are not specific to particular applications or data stores, as well as the misconfiguration issues that frequently leave companies open to attack.

 Data Security Assessment

 Is company data subject to least privilege and/or zero trust access controls?
 Do you use network segmentation to limit data access?
 Do you have strong identity management processes?

Data security assessments consider the ease and breadth of access to corporate data. They identify areas where companies should apply new controls to restrict access to data on an as-needed basis.




 Application Security Assessment


 Do company applications conform to security-by-design and privacy-by-design
principles?
 Have you performed white and black box testing of your applications?
 Is application access subject to least privilege control?

Application security assessments consider application vulnerabilities at every level from the
code itself to who has access to the applications. They allow companies to strengthen their
applications and limit access to that needed for employees to perform their jobs.

 Insider Threat Assessment


Many attacks involve insiders. However, many companies do not realize that insider threats go beyond employees who are intentionally trying to steal information or damage systems.

First, insider threats are not limited to people. They can include unapproved hardware that is not covered by a BYOD policy, and outdated hardware. Insider threats also need not be intentional or malicious: negligence and unintentional threats can cause just as much harm as deliberate ones. A classic example is using "password" as your password.

An increasingly common insider threat that many companies do not recognize is the advanced persistent threat (APT). APTs, typically run by state-sponsored actors or corporate espionage professionals, are long-term, targeted intrusions into a network. Careless or uninformed employees are often the attack vector, with phishing emails one of the most common ways attackers gain access to company networks. In effect, the APT remains undetected in company systems for so long that it becomes an insider.

8.4 Security Risk Analysis

Risk analysis is the review of the risks associated with a particular action or event. It is applied to information technology, projects, security issues and any other area where risks can be analysed on a quantitative or qualitative basis. Risks are part of every IT project and business organization. Risk analysis should be carried out on a regular basis and updated to identify new potential threats.




Steps in the risk analysis process


The basic steps followed by a risk analysis process are:

 Conduct a risk assessment survey:


Getting input from management and department heads is critical to the risk assessment process. The risk assessment survey is the starting point for documenting the specific risks or threats within each department.

 Identify the risks:


This step is used to evaluate an IT system or other aspects of an organization to identify the
risk related to software, hardware, data, and IT employees. It identifies the possible adverse
events that could occur in an organization such as human error, flooding, fire, or
earthquakes.

 Analyse the risks:


Once the risks have been identified, the risk analysis process should analyse how likely each risk is to occur and determine the consequences linked with it. It also determines how each risk might affect the objectives of an IT project.

 Develop a risk management plan:


The analysis shows which assets are valuable and which threats are likely to affect the IT assets negatively. Based on it, a risk management plan is developed that produces control recommendations to mitigate, transfer, accept or avoid each risk.

 Implement the risk management plan:


The primary goal of this step is to implement the measures that remove or reduce the analysed risks. Starting with the highest priority, each risk is resolved or at least mitigated so that it is no longer a threat.

 Monitor the risks:


Risks must be monitored on a regular basis so that new risks are identified, treated and managed; this ongoing monitoring is an essential part of any risk analysis process.
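The following risk register carries both procedures through in code: the four-step assessment model of section 8.3 (identify, assess, mitigate, prevent) and the analysis steps above (identify, analyse, plan, implement, monitor). It is an added example, not code from the course notes; the assets, threats, scores, dollar values and the treatment rule in treatment() are constructed for illustration. The quantitative branch uses the standard single-loss-expectancy and annualized-loss-expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence), which the notes mention only as "quantitative" analysis without spelling out.

```python
"""Risk register: identify -> analyse -> plan -> implement -> monitor, in code.
Added example; the register contents and the treatment rule are constructed."""
from dataclasses import dataclass, field

# Qualitative scale for likelihood and impact (assumption: low=1, medium=3, high=5).
LEVELS = {"low": 1, "medium": 3, "high": 5}


@dataclass
class Control:
    name: str
    effectiveness: float    # fraction of the remaining expected loss it removes, 0..1
    annual_cost: float


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str         # key into LEVELS
    impact: str             # key into LEVELS
    asset_value: float      # currency value of the asset
    exposure_factor: float  # fraction of asset value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (expected events per year)
    controls: list = field(default_factory=list)

    # --- analyse: qualitative and quantitative views of the same risk ---
    def qualitative_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def sle(self) -> float:                 # single loss expectancy
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:                 # annualized loss expectancy
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        remaining = self.ale()
        for c in self.controls:             # each control removes a share of what is left
            remaining *= 1.0 - c.effectiveness
        return remaining

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    # --- plan: mitigate / transfer / accept / avoid ---
    def treatment(self) -> str:
        # Decision rule used by this example (an assumption, not a standard):
        if self.qualitative_score() <= 3:
            return "accept"                 # low likelihood or low impact
        if not self.controls:
            return "avoid"                  # nothing mitigates it: change the activity
        if self.ale() - self.residual_ale() > self.control_cost():
            return "mitigate"               # controls pay for themselves
        return "transfer"                   # e.g. insure it; controls cost more than they save


def prioritize(register):
    """Highest expected annual loss first: the order the implement step works through."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def summarize(register):
    return [(r.asset, r.threat, round(r.ale()), round(r.residual_ale()), r.treatment())
            for r in prioritize(register)]


def reassess(register, asset, **changes):
    """Monitor step: update one entry (e.g. a new threat raises its ARO) and re-rank."""
    for r in register:
        if r.asset == asset:
            for k, v in changes.items():
                setattr(r, k, v)
    return summarize(register)


# Constructed register (identify step): four assets, one threat/vulnerability pair each.
REGISTER = [
    Risk("Customer database", "ransomware", "unpatched application server",
         "high", "high", 500_000, 0.40, 0.5,
         [Control("offline backups", 0.6, 15_000), Control("monthly patching", 0.5, 8_000)]),
    Risk("Server room cooling", "hardware failure from overheating", "aging air conditioner",
         "medium", "high", 80_000, 0.25, 1.0, [Control("A/C maintenance", 0.8, 3_000)]),
    Risk("Payment processing", "card fraud", "third-party gateway outside our control",
         "low", "high", 300_000, 0.10, 0.2, [Control("in-house fraud engine", 0.5, 50_000)]),
    Risk("Public website", "defacement", "outdated CMS plugin",
         "medium", "low", 10_000, 0.20, 2.0),
]

if __name__ == "__main__":
    for row in summarize(REGISTER):
        print(row)
```

On the constructed numbers the ranking by ALE puts the customer database first (ALE 100,000, residual 20,000, mitigate), the cooling failure second (ALE 20,000, the 3,000 maintenance control saves 16,000, mitigate), card fraud third (the 50,000 fraud engine saves only 3,000, so transfer) and the website last (low impact, accept). Re-running reassess() with a raised likelihood and ARO for the website moves it up the list and, with no control on file, flags it as avoid; that re-ranking is the monitor step.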




8.5 Security Auditing

Security auditing is a form of auditing that focuses on the security of an organization's information system (IS) assets. This function is a key element in computer security. Security auditing can:

• Provide a level of assurance concerning the proper operation of the computer with respect
to security.

• Generate data that can be used in after-the-fact analysis of an attack, whether successful or
unsuccessful.

• Provide a means of assessing inadequacies in the security service.

• Provide data that can be used to define anomalous behavior.

• Maintain a record useful in computer forensics.

Security Audit
An independent review and examination of a system’s records and activities to determine
the adequacy of system controls, ensure compliance with established security policy and
procedures, detect breaches in security services, and recommend any changes that are
indicated for countermeasures.

The basic audit objective is to establish accountability for system entities that initiate or
participate in security-relevant events and actions. Thus, means are needed to generate and
record a security audit trail and to review and analyze the audit trail to discover and
investigate attacks and security compromises.

Security Audit Trail


A chronological record of system activities that is sufficient to enable the reconstruction and
examination of the sequence of environments and activities surrounding or leading to an
operation, procedure, or event in a security-relevant transaction from inception to final
results.




Security Auditing Architecture


This architecture was developed by the Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T). The model illustrates the relationship between audit functions and alarm functions. The audit function builds up a record of events that the security administrator has defined as security related. Some of these events may in fact be security violations or suspected security violations; such events feed into an intrusion detection or firewall function by means of alarms.

• Event discriminator: This is logic embedded into the software of the system that monitors
system activity and detects security-related events that it has been configured to detect.

• Audit recorder: For each detected event, the event discriminator transmits the information
to an audit recorder. The model depicts this transmission as being in the form of a message.
The audit could also be done by recording the event in a shared memory area.

• Alarm processor: Some of the events detected by the event discriminator are defined to be alarm events. For such events an alarm is issued to an alarm processor. The alarm processor takes some action based on the alarm. This action is itself an auditable event and so is transmitted to the audit recorder.

• Security audit trail: The audit recorder creates a formatted record of each event and stores
it in the security audit trail.

• Audit analyzer: The security audit trail is available to the audit analyzer, which, based on a
pattern of activity, may define a new auditable event that is sent to the audit recorder and
may generate an alarm.

• Audit archiver: This is a software module that periodically extracts records from the audit
trail to create a permanent archive of auditable events.

• Archives: The audit archives are a permanent store of security-related events on this
system.

• Audit provider: The audit provider is an application and/or user interface to the audit trail.

• Audit trail examiner: The audit trail examiner is an application or user who examines the
audit trail and the audit archives for historical trends, for computer forensic purposes, and
for other analysis.

• Security reports: The audit trail examiner prepares human-readable security reports.
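The following is a small working model of the components just listed (event discriminator, audit recorder, alarm processor, security audit trail, audit analyzer) wired together as the text describes: alarm actions are themselves recorded, and the analyzer defines a new auditable event from a pattern in the trail. It is an added example, not code from the notes or from the ITU-T recommendation; the event types, the three-failures-in-sixty-seconds rule and the sample event stream are constructed.

```python
"""Toy audit/alarm pipeline. Added example; policy sets and events are constructed."""
from collections import deque

# Policy set by the security administrator (assumptions for this example): which raw
# events are audited at all, and which of those also raise an alarm.
AUDITABLE_EVENTS = {"login_ok", "login_fail", "file_read", "priv_escalation"}
ALARM_EVENTS = {"priv_escalation", "brute_force_suspected"}
FAIL_THRESHOLD, FAIL_WINDOW = 3, 60      # analyzer rule: 3 failed logins within 60 s


class AuditRecorder:
    """Turns each event into a numbered, formatted record in the security audit trail."""
    def __init__(self):
        self.trail = []

    def record(self, event):
        rec = {"seq": len(self.trail) + 1, **event}
        self.trail.append(rec)
        return rec


class AlarmProcessor:
    """Acts on alarm events. The action is itself auditable, so it goes back to the recorder."""
    def __init__(self, recorder):
        self.recorder = recorder

    def alarm(self, event):
        if event["type"] == "brute_force_suspected":
            action = f"lock account {event['user']}"
        else:
            action = f"notify administrator: {event['type']} by {event['user']}"
        return self.recorder.record({"ts": event["ts"], "type": "alarm_action",
                                     "user": event["user"], "detail": action})


class AuditAnalyzer:
    """Reads the trail and, from a pattern of activity, defines a new auditable event."""
    def __init__(self, recorder, alarms):
        self.recorder, self.alarms, self.flagged = recorder, alarms, set()

    def analyze(self):
        window = {}                                   # user -> recent failure timestamps
        for rec in list(self.recorder.trail):         # snapshot: we append while scanning
            if rec["type"] != "login_fail":
                continue
            q = window.setdefault(rec["user"], deque())
            q.append(rec["ts"])
            while rec["ts"] - q[0] > FAIL_WINDOW:     # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and rec["user"] not in self.flagged:
                self.flagged.add(rec["user"])
                new = {"ts": rec["ts"], "type": "brute_force_suspected", "user": rec["user"],
                       "detail": f"{len(q)} failed logins within {FAIL_WINDOW}s"}
                self.recorder.record(new)             # new auditable event...
                self.alarms.alarm(new)                # ...which is also an alarm event


class EventDiscriminator:
    """Watches raw system activity and forwards only configured security-relevant events."""
    def __init__(self, recorder, alarms, analyzer):
        self.recorder, self.alarms, self.analyzer = recorder, alarms, analyzer
        self.dropped = 0

    def observe(self, raw):
        if raw["type"] not in AUDITABLE_EVENTS:
            self.dropped += 1
            return
        self.recorder.record(raw)
        if raw["type"] in ALARM_EVENTS:
            self.alarms.alarm(raw)
        self.analyzer.analyze()


# Constructed stream of raw activity (ts = seconds).
SAMPLE_EVENTS = [
    {"ts": 20,  "type": "login_fail", "user": "alice"},    # too old to count later
    {"ts": 100, "type": "login_fail", "user": "alice"},
    {"ts": 110, "type": "login_fail", "user": "alice"},
    {"ts": 115, "type": "file_read", "user": "bob", "detail": "/etc/passwd"},
    {"ts": 120, "type": "login_fail", "user": "alice"},    # third failure inside 60 s
    {"ts": 130, "type": "priv_escalation", "user": "bob"},
    {"ts": 140, "type": "debug_ping", "user": "carol"},    # not configured: discarded
    {"ts": 150, "type": "login_ok", "user": "carol"},
]


def run_demo(events=SAMPLE_EVENTS):
    recorder = AuditRecorder()
    alarms = AlarmProcessor(recorder)
    discriminator = EventDiscriminator(recorder, alarms, AuditAnalyzer(recorder, alarms))
    for e in events:
        discriminator.observe(e)
    return recorder.trail, discriminator.dropped


if __name__ == "__main__":
    trail, dropped = run_demo()
    for rec in trail:
        print(rec)
    print("discarded as not security-relevant:", dropped)
```

Running it on the sample stream yields ten trail records for eight raw events: the debug_ping is discarded by the discriminator, the third failed login for alice within the window causes the analyzer to append a brute_force_suspected event followed by the alarm processor's lock-account action, and bob's privilege escalation is followed by its own alarm action. The audit archiver, provider and examiner of the model are omitted here; they read from the same trail list.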

8.6 Security Audit Trail

Audit trails maintain a record of system activity. The choice of data to collect is determined
by a number of requirements. One issue is the amount of data to collect, which is determined
by the range of areas of interest and by the granularity of data collection. There is a trade-off
here between quantity and efficiency. The more data are collected, the greater is the
performance penalty on the system. Larger amounts of data may also unnecessarily burden
the various algorithms used to examine and analyze the data. Further, the presence of large
amounts of data creates a temptation to generate security reports excessive in number or
length.

With these cautions in mind, the first order of business in security audit trail design is the
selection of data items to capture. These may include:

• Events related to the use of the auditing software

• Events related to the security mechanisms on the system.




• Any events that are collected for use by the various security detection and prevention
mechanisms. These include items relevant to intrusion detection and items related to
firewall operation

• Events related to system management and operation.

• Operating system access (e.g., via system calls).

• Application access for selected applications.

• Remote access.

As the security administrator designs an audit data collection policy, it is useful to organize
the audit trail into categories for purposes of choosing data items to collect.

System-Level Audit Trails


System-level audit trails are generally used to monitor and optimize system performance but
can serve a security audit function as well. The system enforces certain aspects of security
policy, such as access to the system itself. A system-level audit trail should capture data such
as login attempts, both successful and unsuccessful, devices used, and OS functions
performed. Other system-level functions may be of interest for auditing, such as system
operation and network performance indicators.

Application-Level Audit Trails


Application-level audit trails may be used to detect security violations within an application
or to detect flaws in the application’s interaction with the system. For critical applications,
or those that deal with sensitive data, an application-level audit trail can provide the desired
level of detail to assess security threats and impacts. For example, for an e-mail application,
an audit trail can record sender and receiver, message size, and types of attachments. An
audit trail for a database interaction using SQL (Structured Query Language) queries can
record the user, type of transaction, and even individual tables, rows, columns, or data items
accessed.

User-Level Audit Trails


A user-level audit trail traces the activity of individual users over time. It can be used to hold
a user accountable for his or her actions. Such audit trails are also useful as input to an
analysis program that attempts to define normal versus anomalous behavior.




A user-level audit trail can record user interactions with the system, such as commands issued, identification and authentication attempts, and files and resources accessed. The audit trail can also capture the user's use of applications.

Physical Access Audit Trails


Audit trails can be generated by equipment that controls physical access and then
transmitted to a central host for subsequent storage and analysis. Examples are card-key
systems and alarm systems.

Protecting Audit Trail Data


RFC 2196 (Site Security Handbook) lists three alternatives for storing audit records:

• Read/write file on a host

• Write-once/read-many device (e.g., CD-ROM or DVD-ROM)

• Write-only device (e.g., a line printer)

File system logging is relatively easy to configure and is the least resource intensive. Records
can be accessed instantly, which is useful for countering an ongoing attack. However, this
approach is highly vulnerable. If an attacker gains privileged access to a system, then the
audit trail is vulnerable to modification or deletion.

A CD-ROM or similar storage method is far more secure but less convenient. A steady supply
of recordable media is needed. Access may be delayed and not available immediately. Printed
logs do provide a paper trail, but are impractical for capturing detailed audit data on large
systems or networked systems. RFC 2196 suggests that the paper log can be useful when a
permanent, immediately available log is required even with a system crash.

Protection of the audit trail involves both integrity and confidentiality. Integrity is
particularly important because an intruder may attempt to remove evidence of the intrusion
by altering the audit trail. For file system logging, perhaps the best way to ensure integrity is
the digital signature. Write-once devices, such as CD-ROM or paper, automatically provide
integrity. Strong access control is another measure to provide integrity.

Confidentiality is important if the audit trail contains user information that is sensitive and
should not be disclosed to all users, such as information about changes in a salary or pay
grade status. Strong access control helps in this regard. An effective measure is symmetric
encryption (e.g., using AES [Advanced Encryption Standard] or triple DES [Data Encryption
Standard]). The secret key must be protected and only available to the audit trail software
and subsequent audit analysis software.

Note that integrity and confidentiality measures protect audit trail data not only in local
storage but also during transmission to a central repository.
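As an added example (not from the original notes), the following Python shows integrity protection for a file-system audit trail: each record is chained to its predecessor and tagged with an HMAC, which stands in for the digital signature the text recommends because it needs only the standard library. The key, the sample events and the function names are assumptions.

```python
import hashlib
import hmac
import json

# Added example, not from the page: a tamper-evident audit trail for file system
# logging. Each record is chained to its predecessor and tagged with an HMAC; the
# HMAC stands in for the digital signature the text recommends, and the key plays
# the role of the secret held only by the audit and analysis software.
GENESIS = "0" * 64  # chain anchor for the first record

def canonical(body):
    # Deterministic serialisation so a record always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_record(log, key, event):
    """Append one audit event, linking it to the previous record's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    log.append({**body, "tag": tag})
    return tag

def verify_log(log, key):
    """Return (True, None) if the whole chain authenticates, else (False, seq)."""
    prev = GENESIS
    for seq, rec in enumerate(log):
        body = {k: rec[k] for k in ("seq", "prev", "event")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if (rec["seq"] != seq or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["tag"])):
            return False, seq  # first position where tampering is detected
        prev = rec["tag"]
    return True, None

def demo():
    """Show that both editing and deleting a record are detected."""
    key = b"constructed-demo-key"  # assumption: a real key lives in protected storage
    log = []
    for event in ("login alice", "read payroll.db", "logout alice"):
        append_record(log, key, event)
    intact = verify_log(log, key)
    edited = [dict(r) for r in log]
    edited[1]["event"] = "read motd"          # intruder rewrites the evidence
    deleted = [log[0], log[2]]                 # intruder removes the record instead
    return intact, verify_log(edited, key), verify_log(deleted, key)
```

Truncating the tail of the log is not caught by this check alone, so the latest tag should be copied to a write-once medium or the central repository the text describes; the confidentiality layer (AES or triple DES encryption of the records) is not shown here.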

8.7 Implementing the Logging Function

The foundation of a security auditing facility is the initial capture of the audit data. This
requires that the software include hooks, or capture points, that trigger the collection and
storage of data as preselected events occur. Such an audit collection or logging function is
dependent on the nature of the software and will vary depending on the underlying
operating system and the applications involved.

Logging at the System Level


Much of the logging at the system level can be implemented using existing facilities that are
part of the operating system. In this section, we look at the facility in the Windows operating
system and then at the syslog facility found in UNIX operating systems.

Windows Event Log


An event in Windows Event Log is an entity that describes some interesting occurrence in a
computer system. Events contain a numeric identification code, a set of attributes (task,
opcode, level, version, and keywords), and optional user-supplied data. Windows is
equipped with three types of event logs:

• System event log: Used by applications running under system service accounts (installed
system services), drivers, or a component or application that has events that relate to the
health of the computer system.

• Application event log: Events for all user-level applications. This log is not secured and it is
open to any applications. Applications that log extensive information should define an
application-specific log.

• Security event log: The Windows Audit Log. This event log is for exclusive use of the
Windows Local Security Authority. User events may appear as audits if supported by the
underlying application.

For all of the event logs, or audit trails, event information can be stored in an XML format.


Logging at the Application Level


Applications, especially those with a certain level of privilege, present security problems that
may not be captured by system-level or user-level auditing data. Application-level
vulnerabilities constitute a large percentage of reported vulnerabilities on security mailing
lists. One type of vulnerability that can be exploited is the all-too-frequent lack of dynamic
checks on input data, which makes buffer overflows possible.

Other vulnerabilities exploit errors in application logic. For example, a privileged application
may be designed to read and print a specific file. An error in the application might allow an
attacker to exploit an unexpected interaction with the shell environment to force the
application to read and print a different file, which would result in a security compromise.

Auditing at the system level does not provide the level of detail to catch application logic
error behavior. Further, intrusion detection systems look for attack signatures or anomalous
behavior that would fail to appear with attacks based on application logic errors. For both
detection and auditing purposes, it may be necessary to capture in detail the behavior of an
application, beyond its access to system services and file systems. The information needed
to detect application-level attacks may be missing or too difficult to extract from the low-
level information included in system call traces and in the audit records produced by the
operating system.

8.8 Audit Trail Analysis

Programs and procedures for audit trail analysis vary widely, depending on the system
configuration, the areas of most concern, the software available, the security policy of the
organization, and the behavior patterns of legitimate users and intruders.

The main concerns in audit trail analysis are preparation, timing, and audit review, discussed in turn below.

Preparation
To perform useful audit analysis, the analyst or security administrator needs an
understanding of the information available and how it can be used.

Understanding Log Entries


The security administrator (or other individual reviewing and analyzing logs) needs to
understand the context surrounding individual log entries. Relevant information may reside
in other entries in the same log, entries in other logs, and nonlog sources such as
configuration management entries. The administrator should understand the potential for
unreliable entries, such as from a security package that is known to generate frequent false
positives when looking for malicious activity.

Understanding the Context


To perform effective reviews and analysis, administrators should have a solid understanding
of each of the following from training or hands-on experience:

 The organization’s policies regarding acceptable use, so that administrators can
recognize violations of the policies.
 The security software used by their hosts, including the types of security-related events
that each program can detect and the general detection profile of each program (e.g.,
known false positives).
 The operating systems and major applications (e.g., e-mail, Web) used by their hosts,
particularly each OS’s and major application’s security and logging capabilities and
characteristics.
 The characteristics of common attack techniques, especially how the use of these
techniques might be recorded on each system.
 The software needed to perform analysis, such as log viewers, log reduction scripts, and
database query tools.

Timing
Audit trails can be used in multiple ways. The type of analysis depends, at least in part, on
when the analysis is to be done. The possibilities include the following:

• Audit trail review after an event: This type of review is triggered by an observed event, such
as a known system or application software problem, a known violation of existing security
policy by a user, or some unexplained system or user problem. The review can gather
information to elaborate on what is known about the event, to diagnose the cause or the
problem, and to suggest remedial action and future countermeasures. This type of review
focuses on the audit trail entries that are relevant to the specific event.

• Periodic review of audit trail data: This type of review looks at all of the audit trail data or
at defined subsets of the data and has many possible objectives.

Examples of objectives include looking for events or patterns that suggest a security
problem, developing a profile of normal behavior and searching for anomalous behavior, and
developing profiles by individual user to maintain a permanent record by user.

• Real-time audit analysis: Audit analysis tools can also be used in a real-time or near-real-
time fashion. Real-time analysis is part of the intrusion detection function.


Audit Review
Distinct from an analysis of audit trail data using data reduction and analysis tools is the
concept of audit review. An audit review capability enables an administrator to read
information from selected audit records. The Common Criteria specification [CCPS12a] calls
for a capability that allows prestorage or poststorage audit selection and includes the ability
to selectively review the following:

• The actions of one or more users (e.g., identification, authentication, system entry, and
access control actions)

• The actions performed on a specific object or system resource

• All or a specified set of audited exceptions

• Actions associated with a specific system or security attribute

Audit review can be focused on records that match certain attributes, such as user or user
group, time window, type of record, and so forth. One automated tool that can be useful in
audit review is a prioritization of audit records based on input from the administrator.
Records can be prioritized based on a combination of factors. Examples include the following:

• Entry type (e.g., message code 103, message class CRITICAL)

• Newness of the entry type (i.e., has this type of entry appeared in the logs before?)

• Log source

• Source or destination IP address (e.g., source address on a blacklist, destination address of
a critical system, previous events involving a particular IP address)

• Time of day or day of the week (e.g., an entry might be acceptable during certain times but
not permitted during others)

• Frequency of the entry (e.g., x times in y seconds)

There may be a number of possible purposes for this type of audit review. Audit review can
enable an administrator to get a feel for the current operation of the system and the profile
of the users and applications on the system, the level of attack activity, and other usage and
security-related events. Audit review can be used to gain an understanding after the fact of
an attack incident and the system’s response to it, leading to changes in software and
procedures.
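The prioritization factors listed above, worked through as an added example (not code from the notes): each record is scored on entry class, newness of its entry type, a source-address blacklist, a critical destination, time of day or day of week, and an "x times in y seconds" frequency rule. The weights, address lists, record layout and sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Added example, not from the page: rank audit records by the factors listed above.
BLACKLIST = {"198.51.100.7"}          # constructed: source addresses on a blacklist
CRITICAL_HOSTS = {"10.0.0.5"}         # constructed: address of a critical system
CLASS_WEIGHT = {"CRITICAL": 5, "WARNING": 2, "INFO": 0}
WORK_HOURS = range(8, 18)             # Mon-Fri 08:00-17:59 counts as acceptable time
BURST_N, BURST_SECONDS = 3, 60        # frequency rule: x times in y seconds

class Prioritizer:
    def __init__(self):
        self.seen_types = set()           # (log source, code) seen so far -> newness
        self.recent = defaultdict(deque)  # (log source, code) -> recent timestamps

    def score(self, rec):
        """Return (score, reasons) for one record; feed records in time order."""
        ts = datetime.fromisoformat(rec["ts"])
        entry_type = (rec["source"], rec["code"])
        window = self.recent[entry_type]                 # sliding window for frequency
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_SECONDS:
            window.popleft()
        hits = [  # (points, reason) pairs; 0 points means the factor did not apply
            (CLASS_WEIGHT.get(rec["class"], 0), "class " + rec["class"]),
            (2 * (entry_type not in self.seen_types), "new entry type"),
            (4 * (rec["src_ip"] in BLACKLIST), "blacklisted source"),
            (3 * (rec["dst_ip"] in CRITICAL_HOSTS), "critical destination"),
            (2 * (ts.weekday() >= 5 or ts.hour not in WORK_HOURS), "outside working hours"),
            (3 * (len(window) >= BURST_N), f"{len(window)} in {BURST_SECONDS}s"),
        ]
        self.seen_types.add(entry_type)
        return sum(p for p, _ in hits), [why for p, why in hits if p]

def prioritize(records):
    """Rank records highest priority first as (score, reasons, record) tuples."""
    p = Prioritizer()
    scored = [(*p.score(r), r) for r in sorted(records, key=lambda r: r["ts"])]
    return sorted(scored, key=lambda t: t[0], reverse=True)

def rec(ts, code, cls, src, dst):  # builds one constructed audit record
    return {"ts": ts, "source": "sshd", "code": code, "class": cls, "src_ip": src, "dst_ip": dst}

SAMPLE = [  # constructed sample records, not real log data
    rec("2024-03-11T02:30:00", 101, "WARNING", "198.51.100.7", "10.0.0.5"),
    rec("2024-03-11T02:30:10", 101, "WARNING", "198.51.100.7", "10.0.0.5"),
    rec("2024-03-11T02:30:20", 101, "WARNING", "198.51.100.7", "10.0.0.5"),
    rec("2024-03-11T09:15:00", 103, "INFO", "10.0.0.20", "10.0.0.8"),
    rec("2024-03-11T09:16:00", 103, "INFO", "10.0.0.21", "10.0.0.8"),
]
```

Running `prioritize(SAMPLE)` puts the third night-time entry first, because it is the one that completes the burst, while the routine daytime logins sink to the bottom with the "new entry type" reason alone.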
