Auditing and Accountability


Accountability

Accountability means making sure a person can be held responsible for their actions. It rests on identification and authentication: you can only hold someone responsible if you can tie the action to them.

Accountability helps keep environments secure in several ways:

  • nonrepudiation
  • deterrence
  • detecting and preventing intrusions
  • admissibility of records

Nonrepudiation

Nonrepudiation refers to a party being unable to successfully deny that an action took place, because we hold sufficient evidence that they performed it.

Can establish nonrepudiation by:

  • digital signatures: hash the message or file, then sign the hash with a private key that only the signer holds; anyone with the matching public key can verify it
    • a hash function on its own does not do this (anyone can recompute a hash), and neither does a shared-key MAC (the receiver holds the same key and could have produced the tag)
    • E.g., can’t deny sending an email because the system digitally signs every email with the sender’s own key
  • logs, provided they are protected from modification by the people whose actions they record (e.g., shipped to a separate log host)
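The sign-then-verify structure behind the digital-signature bullet, placed next to an HMAC to show why a shared key cannot give nonrepudiation. This is an added example, not part of the original notes. The RSA key is a toy built from two publicly known Mersenne primes so the script runs with the Python standard library only, the email text and the shared key are constructed, and unpadded RSA with known primes must never be used for real signing; it is here only to make the private-key/public-key split visible.

```python
import hashlib
import hmac

# Toy RSA key for illustration only. The primes are the publicly known
# Mersenne primes 2^127 - 1 and 2^521 - 1, so anyone can recompute the private
# exponent; a real signing key comes from a vetted library and is generated
# and kept by the signer alone.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: the signer's secret


def digest_as_int(message: bytes) -> int:
    # Hash first, then sign the hash: the signature covers every byte of the
    # message while the value being signed stays below N (256 bits vs ~648).
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exponent: int = D) -> int:
    # Only whoever holds the private exponent can compute this.
    return pow(digest_as_int(message), private_exponent, N)


def verify(message: bytes, signature: int) -> bool:
    # Anyone holding the public key (N, E) can check the signature, and a
    # signature that checks out can only have come from the private-key holder.
    return pow(signature, E, N) == digest_as_int(message)


def mac_tag(message: bytes, shared_key: bytes) -> str:
    # Contrast: HMAC proves the message came from someone holding the key.
    # Sender and receiver both hold it, so the tag cannot show which of them
    # wrote the message: integrity and authentication, but not nonrepudiation.
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def mac_verify(message: bytes, tag: str, shared_key: bytes) -> bool:
    return hmac.compare_digest(mac_tag(message, shared_key), tag)


def signature_demo() -> dict:
    # Constructed sample message and shared key; not taken from any real system.
    email = b"From: alice@example.test\nTo: bob@example.test\n\nApprove wire transfer #4471."
    tampered = email.replace(b"#4471", b"#4472")
    shared_key = b"constructed key shared by alice and bob"

    signature = sign(email)              # Alice signs with her private exponent

    # Bob, holding only the shared MAC key, writes a message Alice never sent
    # and tags it himself; the tag verifies, so the MAC cannot pin it on Alice.
    forged = b"From: alice@example.test\nTo: bob@example.test\n\nApprove wire transfer #9999."
    forged_tag = mac_tag(forged, shared_key)

    return {
        "genuine_signature_verifies": verify(email, signature),
        "tampered_message_verifies": verify(tampered, signature),
        "receiver_forged_mac_accepted": mac_verify(forged, forged_tag, shared_key),
    }


if __name__ == "__main__":
    for check, result in signature_demo().items():
        print(f"{check}: {result}")
```

The three results are the whole argument: the genuine signature verifies, the altered message does not, and the receiver can mint a valid MAC for a message the sender never wrote. Nonrepudiation needs a key only one party ever had.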

Deterrence

Accountability can be a great deterrent against misbehavior.

  • the key is to let people know they will be held accountable for their actions, which means the records needed to do so must actually exist and be reviewed

Intrusion Detection and Prevention

Auditing information in your environment can help detect and prevent intrusions both logically and physically.

2 types of tools:

  • intrusion detection systems (IDS)
    • strictly a monitoring and alerting tool: sees a copy of the traffic or the logs and raises alerts for a person to act on
  • intrusion prevention systems (IPS)
    • sits inline and can take action on events, e.g., drop the traffic or block the source
    • the cost of a false positive is therefore higher: a mis-tuned IPS blocks legitimate users, while a mis-tuned IDS only generates noise

Admissibility of Records

In legal settings, records are more likely to be accepted as evidence when they are produced by a regulated and consistently applied tracking system.

  • makes it more likely the records will be admissible, and harder to challenge them as altered or incomplete

Chain of custody is the tracking of evidence over time: where it was, who possessed it, and how it was protected while stored.

  • evidence collection should create an unbroken chain of custody: every handoff is recorded, and a gap lets the other side argue the evidence could have been altered
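One way to make a chain of custody checkable, as an added example that is not part of the original notes: hash the evidence at acquisition, link each handoff record to the previous one by hash, and verify both the evidence bytes and the chain before the evidence is relied on. The disk-image bytes, names, locations and timestamps are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    # Hash of the evidence taken at acquisition; every later check compares
    # against this value, so it must be recorded before anything else happens.
    evidence_id: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def append(self, who: str, action: str, location: str, when: str) -> None:
        # Each handoff links to the previous entry's hash (or to the
        # acquisition hash for the first one), so removing or editing an
        # entry breaks the link that follows it.
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry = {"who": who, "action": action, "location": location,
                 "when": when, "prev_hash": prev_hash}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)


def verify_custody(record: CustodyRecord, evidence: bytes) -> list:
    # Returns a list of problems; an empty list means the evidence still
    # matches its acquisition hash and the handoff chain is unbroken.
    problems = []
    if sha256_hex(evidence) != record.acquisition_hash:
        problems.append("evidence bytes differ from acquisition hash")
    prev_hash = record.acquisition_hash
    for i, entry in enumerate(record.entries):
        if entry["prev_hash"] != prev_hash:
            problems.append(f"entry {i} does not link to previous entry")
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"entry {i} has been altered")
        prev_hash = entry["entry_hash"]
    return problems


def custody_demo() -> dict:
    # Constructed stand-in for an acquired disk image; not real evidence.
    image = b"\x00" * 512 + b"EXAMPLE PARTITION TABLE" + b"\xff" * 512
    record = CustodyRecord(evidence_id="EV-0001", acquisition_hash=sha256_hex(image))
    record.append("analyst A", "acquired image from laptop", "incident room", "2024-05-01T09:00Z")
    record.append("analyst A", "sealed in evidence bag 17", "evidence locker", "2024-05-01T09:30Z")
    record.append("analyst B", "checked out for analysis", "forensics lab", "2024-05-02T10:00Z")

    # Scenario 1: someone changed the image after acquisition.
    altered_image = image.replace(b"EXAMPLE", b"ALTERED")
    # Scenario 2: the middle handoff was dropped from the record.
    gapped = CustodyRecord(record.evidence_id, record.acquisition_hash,
                           record.entries[:1] + record.entries[2:])

    return {
        "intact": verify_custody(record, image),
        "altered_evidence": verify_custody(record, altered_image),
        "missing_handoff": verify_custody(gapped, image),
    }


if __name__ == "__main__":
    for scenario, problems in custody_demo().items():
        print(scenario, "->", problems or "no problems")
```

The chain only proves the record is internally consistent. Anyone with write access to it could recompute every hash, so the final entry hash has to be anchored somewhere the custodian cannot change: signed, timestamped, or copied into a log they do not control.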

Auditing

Auditing is a methodical examination and review of an organization’s records.

  • performed to ensure people comply with laws, policies, and administrative controls
  • ensure accountability by keeping accurate records of who did what and when they did it, then reviewing those records

What do you audit?

  • the factors that determine access to systems (e.g., passwords and account permissions), plus resources whose use you must account for (software licensing, internet usage)
  • Log files
  • User activities
  • Network traffic
  • File modifications

Logging gives you a history of the activities that have taken place in an environment.

  • a reactive tool: logs record what already happened, so their value depends on someone reviewing them and on the logs being protected from tampering

Monitoring is observing information about an environment to discover undesirable conditions such as failures, resource shortages, and security issues, as well as trends that might signal the arrival of such conditions.

  • subset of auditing
  • largely a reactive activity: it tells you about conditions as or after they occur
  • typically watching for:
    • increased resource usage
    • unusual network latency
    • attacks
    • traffic at unusual times
  • Clipping level: a threshold for an activity above which it is treated as unusual and flagged or logged (e.g., more than a handful of failed logins from one source within a minute); set too low, it buries real problems in noise, set too high, it misses them
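A detector that ties the two ideas above together, as an added example that is not from the original notes: failed logins are replayed through a sliding window, the clipping level is the number of failures from one source within the window that turns activity into an event, and the same logic runs either as an IDS (alert only) or as an IPS (block the source and drop what follows). The log lines are constructed in sshd-style syslog format, the year is assumed because classic syslog omits it, and the threshold and window are arbitrary choices for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines for the example; not captured from a real host.
SAMPLE_LOG = """\
May  3 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 50122 ssh2
May  3 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 50123 ssh2
May  3 10:00:04 host sshd[2003]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
May  3 10:00:06 host sshd[2004]: Failed password for admin from 203.0.113.5 port 50124 ssh2
May  3 10:00:09 host sshd[2005]: Failed password for invalid user test from 203.0.113.5 port 50125 ssh2
May  3 10:00:11 host sshd[2006]: Failed password for root from 203.0.113.5 port 50126 ssh2
May  3 10:00:30 host sshd[2007]: Failed password for bob from 198.51.100.7 port 40002 ssh2
May  3 10:03:00 host sshd[2008]: Failed password for root from 203.0.113.5 port 50127 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)

CLIPPING_LEVEL = 5              # failures from one source before we treat it as unusual
WINDOW = timedelta(seconds=60)  # how far back those failures may reach


def parse_syslog_time(stamp: str, year: int = 2024) -> datetime:
    # Classic syslog timestamps carry no year; the example assumes one.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def detect(log_text: str, clipping_level: int = CLIPPING_LEVEL,
           window: timedelta = WINDOW, mode: str = "ids") -> list:
    """Replay log lines through a sliding-window failed-login detector.

    mode="ids": emit an ("alert", source, time) event when a source crosses
                the clipping level; nothing else changes.
    mode="ips": emit ("block", source, time) and then ("dropped", ...) for
                every later attempt from that source, as an inline device would.
    """
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    blocked = set()
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # successes and unrelated lines are ignored
        stamp, _user, source = m.groups()
        when = parse_syslog_time(stamp)
        clock = when.strftime("%H:%M:%S")
        if source in blocked:
            events.append(("dropped", source, clock))
            continue
        window_hits = recent[source]
        window_hits.append(when)
        while window_hits and when - window_hits[0] > window:
            window_hits.popleft()         # forget failures outside the window
        if len(window_hits) >= clipping_level:
            if mode == "ips":
                blocked.add(source)
                events.append(("block", source, clock))
            else:
                events.append(("alert", source, clock))
            window_hits.clear()           # one event per crossing, not per extra failure
    return events


if __name__ == "__main__":
    for event in detect(SAMPLE_LOG):
        print("IDS", event)
    for event in detect(SAMPLE_LOG, mode="ips"):
        print("IPS", event)
```

With the default clipping level, 203.0.113.5 crosses it on its fifth failure at 10:00:11 and bob's single typo from 198.51.100.7 is ignored. Lower the clipping level to 1 and bob's typo becomes an event too, which in IPS mode means a legitimate user gets blocked: that is the false-positive cost that makes IPS tuning stricter than IDS tuning.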

Assessments are tests that find vulnerabilities so they can be fixed before any attackers find them.