Page 1189 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
chapter) send alerts to administrators when an item of interest
occurs.

Anti-malware software will often display a pop-up window to
indicate when it detects malware.

Many automated tools regularly scan audit logs looking for
predefined events, such as the use of special privileges. When they
detect specific events, they typically send an alert to
administrators.

End users sometimes detect irregular activity and contact
technicians or administrators for help. When users report events
such as the inability to access a network resource or update a
system, it alerts IT personnel about a potential incident.
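
The automated audit log scanning described above, as an added example that is not from the study guide: a small Python scanner that checks Linux-style auth log lines for predefined events involving special privileges (sudo use and denied sudo attempts) and groups them into alerts for administrators. The rule names, severity levels, and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a Linux auth log (not real data).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:40 web01 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  3 10:20:12 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:21:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:25:33 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
"""

# Predefined events of interest: (rule name, severity, pattern). Names are hypothetical.
# More specific rules come first; the first match wins for a line.
RULES = [
    ("sudo_denied", "high",
     re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers ;.*COMMAND=(?P<cmd>.+)$")),
    ("sudo_used", "info",
     re.compile(r"sudo:\s+(?P<user>\S+) : TTY=.*USER=root ; COMMAND=(?P<cmd>.+)$")),
]

def scan(log_text):
    """Return one event dict per log line that matches a predefined rule."""
    events = []
    for line in log_text.splitlines():
        for name, severity, pattern in RULES:
            m = pattern.search(line)
            if m:
                events.append({"rule": name, "severity": severity,
                               "user": m["user"], "command": m["cmd"], "raw": line})
                break
    return events

def build_alerts(events, min_severity="high"):
    """Collapse repeated events into one alert per (rule, user) so that
    administrators get a single message with a count, not one per line."""
    order = {"info": 0, "high": 1}
    counts = Counter((e["rule"], e["user"]) for e in events
                     if order[e["severity"]] >= order[min_severity])
    return [f"ALERT {rule}: user={user} occurrences={n}"
            for (rule, user), n in sorted(counts.items())]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in build_alerts(found):
        print(alert)   # a real tool would e-mail or page administrators here
```
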

Cell Phone Cannot Be Updated

Many security incidents aren’t detected until months after they
occur. Users often notice things that aren’t quite right, such as the
inability to update a cell phone, but don’t report it right away. This
allows attackers to maintain a presence on infected devices or
networks for an extended period of time.

As an example, retired United States (U.S.) Marine Corps general
John Kelly turned in his cell phone to White House technical
support personnel during the summer of 2017. He was the White
House chief of staff at the time. Kelly reportedly was unable to do
software updates, and some other functions on his phone weren’t
working. After some investigation, the White House IT department
reportedly determined that his phone was compromised, and the
compromise may have occurred as early as December 2016, while
Kelly was the Secretary of Homeland Security.

Notice that just because an IT professional receives an alert from an
automated tool or a complaint from a user, this doesn’t always mean

