Cybersecurity: Audit and AccountabilitySam Musa | Cyber Security Adjunct Professor, University of Maryland University College
System and performance monitoring is one way universities can identify security issues. System and performance monitoring examines the computer memory, disk inputs and even the bandwidth being consumed. For example, if an application server is infected with malware, it may make the application response time very slow. Recognizing this kind of performance behaviors may assist security officers in finding problems. Performance baseline is another method that can be used to recognize irregular behaviors that affect a computer’s performance. For example, a network monitoring application may indicate a bandwidth usage level at certain hours of the day. If a system administrator notices a spike in network usage at 2:00 AM, it would indicate an abnormal behavior.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can be used to monitor the network and prevent malicious activities. Systems logs can be used to record security notifications and critical messages about the systems applications. Performance logs can also be used to monitor CPU, memory and bandwidth consumption. In addition, access logs, IDS logs, firewall logs, applications logs and anti-virus logs must be analyzed to gather information about a network that has been attacked. College and university leaders must ensure that systems are capable of auditing failed logon, successful logon, and collecting time stamps, source and destination IP addresses, filenames, and access control rules invoked.
If a system doesn’t permit external access and an audit reports that an external IP address gained access to the system, that event must be recorded, and a notification message must be sent to the system administrator immediately for appropriate actions.
Reviewing large amounts of audit information can be an overwhelming task. But there are many log analysis and correlation tools that can be used to assist universities in seeing their true security postures. Splunk, LogRhythm and ArcSight are just a few log analysis tools that can be used to maximize the efficiency of the collected logs.
Ultimately, postsecondary leaders should compare monitoring methodologies, conduct system audits often, and execute proper logging procedures. System baselines may be used to reduce the time needed to analyze security events. While information systems must be audited for suspicious activities, audited events should be also stored for auditing and investigation purposes.
To see the other articles in the Cybersecurity series, please click here.
Author Perspective: Educator