Logging (registration of events) is another mechanism for ensuring the security of an information system (IS). It rests on the accountability principle of the security management system and records all security-relevant events, such as:
- logon and logoff of access subjects;
- start and termination of programs;
- output of printed documents;
- attempts to access protected resources;
- changes to the privileges of access subjects;
- changes to the status of access objects, etc.
The effectiveness of the security system increases substantially when the logging mechanism is supplemented by an audit mechanism. This makes it possible to identify violations promptly, find weaknesses in the protection system, analyze patterns of system use, and evaluate the work of users.
Audit is the analysis of the accumulated log information, carried out either promptly, in real time, or periodically (for example, once a day). An operational audit that responds automatically to detected abnormal situations is called active audit.
Implementing logging and audit mechanisms solves the following information security tasks:
- holding users and administrators accountable;
- making it possible to reconstruct the sequence of events;
- detecting attempted information security violations;
- providing information for identifying and analyzing problems.
The logging and audit mechanisms are also a powerful psychological tool: they remind potential violators of the inevitability of punishment for unauthorized actions, and ordinary users of the possibility of critical errors.
Practical means of registration and auditing
The practical means of logging and auditing are:
- various system utilities and application programs;
- the registration log (system log or audit log).
The first is usually an adjunct to monitoring by the system administrator. A comprehensive approach to logging and auditing is provided by the registration log.
The registration log is a chronologically ordered set of records of the results of the activity of the system's subjects, sufficient for reconstructing, reviewing and analyzing the sequence of actions surrounding or leading to the execution of operations, procedures or events in a transaction, in order to control the final result.
Detecting attempted information security violations is a function of active audit, whose tasks are to identify suspicious activity promptly and to provide tools for automatic response to it.
Suspicious activity is the behaviour of a user or an IS component that is either malicious (according to a predefined security policy) or atypical (according to accepted criteria). For example, the audit subsystem, monitoring the user login (registration) procedure, counts the number of unsuccessful login attempts. If the set threshold of such attempts is exceeded, the audit subsystem generates a signal to lock this user's account.
Organizing the logging of IS security-related events includes at least three stages:
- collection and storage of information about events;
- protection of the contents of the registration log;
- analysis of the contents of the registration log.
At the first stage the following are determined: which data are to be collected and stored, the log rotation and archiving period, the degree of centralization of management, the place and means of storing the log, whether encrypted information can be logged, etc. The logged data must be protected primarily from unauthorized modification and, possibly, from disclosure … The most important stage is the analysis of the logged information. There are several methods of analyzing this information in order to detect unauthorized actions.
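To illustrate the second stage, protecting the log contents from unauthorized modification, the following Python code is an added example and is not part of the original text or of any particular product. It keeps an append-only log in which every record carries an HMAC over the previous record's tag and the record body, so a verification pass detects any later modification, deletion or reordering of earlier records. The key name LOG_KEY, the record layout and the sample events are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumed (hypothetical) signing key. In practice it must not be readable on the
# host whose log it protects, or the intruder simply recomputes the tags.
LOG_KEY = b"example-log-signing-key"


def _tag(prev_tag, event, key):
    """HMAC-SHA256 over (previous tag || canonical JSON of the event)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_record(chain, event, key=LOG_KEY):
    """Append one event to the hash-chained log and return its tag."""
    prev_tag = chain[-1]["tag"] if chain else "0" * 64
    tag = _tag(prev_tag, event, key)
    chain.append({"event": event, "tag": tag})
    return tag


def verify_chain(chain, key=LOG_KEY, last_tag=None):
    """Return (True, None) if every record's tag matches, else (False, index of
    the first bad record). If `last_tag` (the tag of the newest record, kept
    somewhere the intruder cannot write) is supplied, truncation of the tail is
    detected as well and reported at index len(chain)."""
    prev_tag = "0" * 64
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(_tag(prev_tag, rec["event"], key), rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    if last_tag is not None and not hmac.compare_digest(prev_tag, last_tag):
        return False, len(chain)
    return True, None


def build_sample_chain():
    """Constructed sample events; they are not data from any real system."""
    events = [
        {"seq": 1, "user": "alice", "action": "login", "result": "ok"},
        {"seq": 2, "user": "alice", "action": "open", "object": "/secret/payroll.xlsx", "result": "denied"},
        {"seq": 3, "user": "admin", "action": "grant", "subject": "alice", "right": "read:/secret"},
        {"seq": 4, "user": "alice", "action": "open", "object": "/secret/payroll.xlsx", "result": "ok"},
    ]
    chain = []
    for e in events:
        append_record(chain, e)
    return chain


def tamper_demo():
    """An intruder with write access to the log hides the denied access."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)
    chain[1]["event"]["result"] = "ok"      # rewrite history
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(tamper_demo())   # (True, False, 1)
```

The chain alone cannot reveal that the newest records were simply cut off, because nothing after them depends on them; that is what the `last_tag` parameter models, and in practice the value comes from a remote collector or a write-once medium. The scheme addresses modification only; protecting the log from disclosure, which the text lists as a separate possible requirement, would additionally require encrypting the record bodies.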
Statistical methods are based on accumulating average statistical parameters of the subsystems' operation and comparing the current parameters with them. The presence of certain deviations may signal that some threat is being realized.
Heuristic methods use models of scenarios of unauthorized actions, described by logical rules, or models of individual actions which, taken together, lead to an unauthorized action.
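The failed-login threshold given earlier as the active-audit example, and the statistical and heuristic analysis methods just described, can all be run over one constructed log. The following Python code is an added example, not part of the original text or of any audit product: SAMPLE_LOG and BASELINE_OPENS are constructed data, and the thresholds, window sizes and the self-escalation scenario rule are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample registration log (one key=value record per line);
# it is not the output of any real system.
SAMPLE_LOG = """\
2024-05-01T09:00:01 user=bob action=login result=fail
2024-05-01T09:00:09 user=bob action=login result=fail
2024-05-01T09:00:15 user=bob action=login result=fail
2024-05-01T09:00:20 user=bob action=login result=fail
2024-05-01T09:01:00 user=alice action=login result=ok
2024-05-01T09:02:00 user=alice action=open object=/secret/payroll result=denied
2024-05-01T09:03:00 user=alice action=grant subject=alice right=read:/secret result=ok
2024-05-01T09:04:00 user=alice action=open object=/secret/payroll result=ok
2024-05-01T09:05:00 user=carol action=login result=ok
2024-05-01T09:06:00 user=carol action=open object=/public/readme result=ok
"""
# Constructed history: 'open' operations per user on each of the last seven
# days, i.e. the accumulated baseline used by the statistical method.
BASELINE_OPENS = {"alice": [4, 5, 6, 5, 4, 6, 5], "carol": [3, 2, 4, 3, 3, 2, 3]}

def parse_log(text):
    """Parse records of the form '<ISO timestamp> key=value key=value ...'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def active_login_watch(events, threshold=3, window=timedelta(minutes=5)):
    """Active audit: count failed logins per user in a sliding time window and
    trigger the automatic response (account lock) once the threshold is hit.
    Returns {user: time_of_lock}."""
    recent = defaultdict(deque)
    locked = {}
    for e in events:
        if e.get("action") != "login" or e.get("result") != "fail":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # forget attempts older than the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in locked:
            locked[e["user"]] = e["ts"]     # a real system would disable the account here
    return locked

def count_by_user(events, action):
    """Current-period count of one action type per user."""
    counts = defaultdict(int)
    for e in events:
        if e.get("action") == action:
            counts[e["user"]] += 1
    return dict(counts)

def statistical_deviations(baseline, current, k=3.0):
    """Statistical method: flag users whose current count exceeds the accumulated
    mean by more than k standard deviations; users without a baseline are skipped."""
    flagged = {}
    for user, today in current.items():
        hist = baseline.get(user)
        if not hist or len(hist) < 2:
            continue
        mu = mean(hist)
        sigma = max(pstdev(hist), 1.0)  # floor of one event so a flat history does not flag jitter
        if today > mu + k * sigma:
            flagged[user] = round((today - mu) / sigma, 2)
    return flagged

def heuristic_self_escalation(events, window=timedelta(minutes=10)):
    """Heuristic method: a scenario of unauthorized action written as a rule over
    a sequence of records. Rule: a subject is denied access to an object, then
    grants rights to itself, then opens the same object successfully, all within
    `window`. Returns [(user, object, denied_at, opened_at)]."""
    hits = []
    for i, d in enumerate(events):
        if d.get("action") != "open" or d.get("result") != "denied":
            continue
        user, obj = d["user"], d["object"]
        self_granted = False
        for f in events[i + 1:]:
            if f["ts"] - d["ts"] > window:
                break
            if f["user"] == user and f.get("action") == "grant" and f.get("subject") == user:
                self_granted = True
            elif (self_granted and f["user"] == user and f.get("action") == "open"
                  and f.get("object") == obj and f.get("result") == "ok"):
                hits.append((user, obj, d["ts"], f["ts"]))
                break
    return hits

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked:", active_login_watch(evs))
    print("scenario hits:", heuristic_self_escalation(evs))
    print("statistical:", statistical_deviations(BASELINE_OPENS, count_by_user(evs, "open")))
```

On the sample data the active watch locks bob at the third failure, the scenario rule catches alice's grant-to-self between a denied and a successful open of the same object, and the statistical check stays quiet because nobody's daily count leaves the baseline; the same check does fire when a user's count is fed in at several times the historical mean. Note that the two analysis methods complement each other: the self-escalation sequence is invisible to a pure count-based statistic, while a slow, rule-conforming increase in activity is only visible to the statistical baseline.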