To determine whether their computer systems are secure, businesses, government agencies, and medical and educational institutions often retain computer security professionals to conduct a security audit: a validation of an enterprise’s security profile, with details on “alarm classifications.” Such a security audit is not much different from an accounting audit that reviews a company’s financial profile and books.
Most of what a security audit turns up relates to incidents caused by the relatively harmless curiosity of novice crackers, or by honest mistakes on the part of organizational insiders. Nevertheless, as security experts advise, every incident, harmless or not, should be logged and reported in a statistical summary. Computer security professionals can then analyze that summary to find suspicious activity and to classify the severity of incidents. Common incidents blocked by routine security measures, such as an unsuccessful attempt by a cracker to telnet to the enterprise’s firewall, should be recorded but would not usually be noted as “a severe incident.” In contrast, activity indicating that a successful attack is in progress, such as the unexpected alteration of an executable file, should be reported immediately and logged as “an incident of concern.”
Alarm classification requires a combination of on-the-job experience and common sense. When a security expert is in doubt about how to classify an incident, the advice from senior practitioners in the field is to overclassify rather than underclassify it. Note also that the classification is relative to the enterprise: an unsuccessful telnet attempt from an unknown host to the firewall may be unimportant in one enterprise, whereas in another, such as a bank, the same incident may be considered critical and require the system administrator’s immediate attention.
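The classification workflow described in the two paragraphs above (log every event, summarize it statistically, escalate anything at or above “incident of concern,” overclassify when in doubt, and let each enterprise override the default severities) is shown here as an added example; it is not code from the original text or from the sources it cites. The syslog-like line format, the detection patterns, the three severity names, the sample log lines and the “bank” policy are all constructed for illustration and do not correspond to any real firewall or file-integrity product.

```python
"""Alarm classification over a constructed log sample (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Severity buckets, lowest to highest. The text's "severe incident" and
# "incident of concern" wording is mapped onto these names (an assumption).
SEVERITIES = ("routine", "incident_of_concern", "critical")


@dataclass(frozen=True)
class Incident:
    timestamp: str
    host: str
    category: str
    severity: str
    message: str


# Detection rules: (pattern, category, default severity). First match wins.
# Message formats are invented for this example.
RULES = (
    (re.compile(r"telnet .* from (?P<src>[\d.]+) (denied|refused)"), "telnet_probe", "routine"),
    (re.compile(r"Failed password for (?P<user>\w+) from (?P<src>[\d.]+)"), "ssh_auth_failure", "routine"),
    (re.compile(r"integrity: executable (?P<path>\S+) changed"), "binary_modified", "incident_of_concern"),
)

# Per-enterprise overrides. The same firewall telnet probe that is routine for
# a generic enterprise is treated as critical under the (hypothetical) bank policy.
DEFAULT_POLICY: Dict[str, str] = {}
BANK_POLICY: Dict[str, str] = {"telnet_probe": "critical"}

# "<timestamp> <host> <process>[pid]: <message>" -- a simplified syslog shape.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w\-/]+)(\[\d+\])?: (?P<msg>.*)$")


def classify_line(line: str, policy: Dict[str, str] = DEFAULT_POLICY) -> Optional[Incident]:
    """Turn one log line into an Incident, or None if the line is not parseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, msg = m["ts"], m["host"], m["msg"]
    for pattern, category, severity in RULES:
        if pattern.search(msg):
            return Incident(ts, host, category, policy.get(category, severity), msg)
    # Unrecognised event: overclassify rather than underclassify, so it is
    # recorded as an incident of concern instead of being silently dropped.
    return Incident(ts, host, "unclassified", policy.get("unclassified", "incident_of_concern"), msg)


def classify_log(lines: Iterable[str], policy: Dict[str, str] = DEFAULT_POLICY) -> List[Incident]:
    return [inc for inc in (classify_line(line, policy) for line in lines) if inc is not None]


def summarize(incidents: Iterable[Incident]) -> Counter:
    """Statistical summary: every incident counted by (category, severity)."""
    return Counter((i.category, i.severity) for i in incidents)


def needs_immediate_report(incidents: Iterable[Incident], threshold: str = "incident_of_concern") -> List[Incident]:
    """Incidents at or above the threshold are reported at once rather than batched."""
    min_rank = SEVERITIES.index(threshold)
    return [i for i in incidents if SEVERITIES.index(i.severity) >= min_rank]


# Constructed sample log: two blocked telnet probes, one SSH failure, one
# modified executable, one event no rule knows about, and one junk line.
SAMPLE_LOG = [
    "2005-05-19T09:12:01 fw1 fwd: telnet attempt to fw1 from 203.0.113.7 denied",
    "2005-05-19T09:12:05 fw1 fwd: telnet attempt to fw1 from 203.0.113.7 denied",
    "2005-05-19T09:15:44 app2 sshd[812]: Failed password for alice from 198.51.100.9",
    "2005-05-19T09:20:13 app2 fim: integrity: executable /usr/sbin/sshd changed (sha256 mismatch)",
    "2005-05-19T09:21:00 app2 kernel: promiscuous mode enabled on eth0",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for name, policy in (("generic enterprise", DEFAULT_POLICY), ("bank", BANK_POLICY)):
        incidents = classify_log(SAMPLE_LOG, policy)
        print(f"== {name}: {len(incidents)} incidents logged")
        for (category, severity), n in sorted(summarize(incidents).items()):
            print(f"   {category:<18} {severity:<20} {n}")
        for inc in needs_immediate_report(incidents):
            print(f"   REPORT NOW [{inc.severity}] {inc.host}: {inc.message}")
```

Two design points matter more than the patterns themselves: the fall-through case is an incident of concern, not a discard, which is the “overclassify when in doubt” advice in code; and the severity policy is separate from the detection rules, so the bank and the generic enterprise run the same detections and differ only in what they escalate.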
A revealing news story that surfaced in the U.K. on May 19, 2005, claimed that some U.K. financial institutions ignore the findings of security audits and treat them merely as a legal step to satisfy corporate governance regulations. A managing consultant at Integralis maintained that financial institutions are told they must carry out a penetration test to comply with audits, but in about 5% of the cases reviewed, the security team kept finding the same system faults audit after audit. Although some financial institutions claim they lack the resources to correct the discovered flaws, the cause is often misplaced priorities: getting new applications up and running is too often the top priority, leaving the discovered security flaws lower on the list.
Leyden, J. (2005, May 19). U.K. Banks Ignore Security Audit Findings. The Register. http://www.theregister.co.uk/2005/05/19/audit_ignoramuses/
Pipkin, D.L. (2003). Halting the Hacker: A Practical Guide to Computer Security. Upper Saddle River, NJ: Prentice Hall.