Justin,

The purpose of auditing is to prove what you say you are doing.

Philosophically, think about a tree falling in a forest. Does the tree falling make a sound if no one is there to hear it? One theory is "esse est percipi" - to be is to be perceived. This suggests that the tree (or sound of it falling) does not exist unperceived. A weaker form acknowledges that the tree may exist unperceived, but how can we claim to have knowledge of it existing unperceived?

Let's apply this theory of perception to intrusion detection (or logging/monitoring of any sort). How can anyone claim to have knowledge of events occurring (such as extended use of privileges) unperceived? Without auditing it will not be possible to prove the state of extended privilege use to determine if there is a problem or not. With this knowledge, management can make informed decisions. If you tell a customer you do 'X', how do you prove 'X' is actually happening?

I consider the field of information security to be about cost effectively mitigating risks to acceptable levels. The common practice is to layer controls that will deter, prevent, detect or react to security incidents. Despite all the preventative controls in place, 100% security is not achievable. 100% security is not the objective. A company should plan to react to security incidents that are not prevented for whatever reason. This is why companies establish business continuity plans, disaster recovery, and incident response teams. Inadequately detecting the incident may delay or prevent any response. Spending on reactive controls will not be effective without corresponding detective controls. Is your manager prepared for security incidents to go undetected? You cannot respond to what you don't know.

Regards,
Brian

> I am trying to explain to a manager (non technical) about audit but unable
> to get through to him the point below. I tried and tried but unsuccessful.
> I am looking for some plain English with examples to show to him.
> Any advice/info is appreciated.
>
> Auditing makes it possible to do the following:
> · Discover extended use of privilege that occurs when a user changes
> identity. How is this done? How does a user outside of Unix change
> identity?

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
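The quoted bullet about discovering extended use of privilege after an identity change is exactly the kind of claim an audit log makes checkable. As an added illustration (not code from the original thread), the Python below pairs pam_unix "session opened" and "session closed" lines from su and sudo by process id and reports identity changes that were held longer than a threshold or never closed; the log lines, host, user names and the 30-minute threshold are constructed for the example.

```python
import re
from datetime import datetime

# Syslog line layout and the two pam_unix session messages (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPEN_RE = re.compile(r"session opened for user (?P<to>\S+) by (?P<frm>[^(\s]+)")
CLOSE_RE = re.compile(r"session closed for user (?P<to>\S+)")

# Constructed sample audit lines (not from the original post).
SAMPLE_LOG = """\
Dec 14 09:00:01 host su[1201]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Dec 14 09:03:12 host su[1201]: pam_unix(su:session): session closed for user root
Dec 14 13:30:05 host su[1588]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Dec 14 17:55:40 host su[1588]: pam_unix(su:session): session closed for user root
Dec 14 18:10:00 host sudo[1702]: pam_unix(sudo:session): session opened for user root by carol(uid=1002)
"""

def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def privilege_sessions(log_text, year=2002, log_end=None):
    """One dict per identity change: who became whom, via which tool, for how
    many minutes, and whether the session was still open when the log ended."""
    open_sessions, results, last_ts = {}, [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = last_ts = parse_ts(m["ts"], year)
        key = (m["proc"], m["pid"])
        o = OPEN_RE.search(m["msg"])
        if o:
            open_sessions[key] = (o["frm"], o["to"], ts)
            continue
        if CLOSE_RE.search(m["msg"]) and key in open_sessions:
            frm, to, start = open_sessions.pop(key)
            results.append({"from": frm, "to": to, "tool": m["proc"],
                            "minutes": (ts - start).total_seconds() / 60, "open": False})
    # A session never closed counts as elevated until the end of the log.
    end = log_end or last_ts
    for (proc, _pid), (frm, to, start) in open_sessions.items():
        results.append({"from": frm, "to": to, "tool": proc,
                        "minutes": (end - start).total_seconds() / 60, "open": True})
    return results

def extended_use(log_text, max_minutes=30, **kw):
    """Identity changes held longer than max_minutes, or never ended."""
    return [s for s in privilege_sessions(log_text, **kw)
            if s["open"] or s["minutes"] > max_minutes]
```

Without the "session opened" lines there is nothing to pair a "session closed" with, which is the practical form of Brian's point: an unlogged identity change cannot be shown to have been short, long, or to have happened at all.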
This archive was generated by hypermail 2b30 : Sun Dec 15 2002 - 11:23:10 PST