Page 1247 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
an NTP server is properly configured, the NIST servers will respond with encrypted and authenticated time messages. The authentication provides assurances that the response came from a NIST server.

Systems should have their time synchronized against a centralized or trusted public time server. This ensures that all audit logs record accurate and consistent times for recorded events.
Monitoring and Problem Identification
Audit trails offer details about recorded events that are useful for administrators. They can record system failures, OS bugs, and software errors in addition to malicious attacks. Some log files can even capture the contents of memory when an application or system crashes. This information can help pinpoint the cause of the event and eliminate it as a possible attack. For example, if a system keeps crashing due to faulty memory, crash dump files can help diagnose the problem.

Using log files for this purpose is often labeled as problem identification. Once a problem is identified, performing problem resolution involves little more than following up on the disclosed information.
Monitoring Techniques
Monitoring is the process of reviewing information logs looking for something specific. Personnel can manually review logs, or use tools to automate the process. Monitoring is necessary to detect malicious actions by subjects as well as attempted intrusions and system failures. It can help reconstruct events, provide evidence for prosecution, and create reports for analysis.
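The two points above, that audit logs are only useful for reconstruction when every host reports consistent time, and that monitoring can be automated to look for something specific, can be shown together in a small script. This is an added example, not code from the study guide: the log lines, host names (web01, auth01) and addresses (from the RFC 5737 documentation ranges) are constructed for illustration. It normalises timestamps from two hosts to UTC, shows how sorting on the raw timestamp text would mis-order the events, and then looks for bursts of failed logins from one source across both hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample syslog-style lines from two hypothetical hosts. Both clocks
# are correct, but web01 stamps entries with a -05:00 offset while auth01 stamps
# them in UTC. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "2024-03-05T05:00:03-05:00 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51022",
    "2024-03-05T10:00:10Z auth01 sshd[871]: Failed password for admin from 203.0.113.7 port 51031",
    "2024-03-05T05:00:41-05:00 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51040",
    "2024-03-05T10:01:15Z auth01 sshd[871]: Failed password for admin from 203.0.113.7 port 51052",
    "2024-03-05T10:01:30Z auth01 sshd[871]: Accepted publickey for deploy from 198.51.100.20 port 40100",
    "2024-03-05T05:09:00-05:00 web01 sshd[2211]: Failed password for root from 198.51.100.9 port 33001",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def parse_timestamp(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and convert it to UTC.

    A trailing 'Z' is rewritten to '+00:00' so fromisoformat() accepts it on
    Python versions older than 3.11. A timestamp with no offset at all is
    assumed to be UTC; in a real review that missing offset is itself a finding.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_logs(lines):
    """Return events as dicts with a UTC 'time', sorted chronologically."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the review
        events.append({
            "time": parse_timestamp(m["ts"]),
            "host": m["host"],
            "proc": m["proc"],
            "msg": m["msg"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def hosts_in_order(events):
    """Host names in true (UTC-normalised) chronological order."""
    return [e["host"] for e in events]


def naive_hosts_in_order(lines):
    """What a reviewer gets by sorting on the raw timestamp text instead."""
    ordered = sorted(lines, key=lambda l: l.split(" ", 1)[0])
    return [l.split()[1] for l in ordered]


def find_failed_login_bursts(events, threshold=3, window=timedelta(minutes=2)):
    """Report sources with at least `threshold` failed logins inside `window`.

    Because every host's events sit on one UTC timeline, a burst spread across
    several hosts is recognised as a single burst from a single source.
    """
    by_source = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            by_source[m["src"]].append(e["time"])

    bursts = []
    for src, times in by_source.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append({"source": src, "count": j - i + 1,
                               "first": times[i], "last": times[j]})
                break  # one report per source is enough here
    return bursts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("naive order     :", naive_hosts_in_order(SAMPLE_LOGS))
    print("normalised order:", hosts_in_order(evs))
    for b in find_failed_login_bursts(evs):
        print(f"{b['source']}: {b['count']} failed logins between "
              f"{b['first'].isoformat()} and {b['last'].isoformat()}")
```

Run as-is, the naive ordering places all three web01 entries before any auth01 entry, while the normalised ordering interleaves them as they actually happened; the burst check then reports 203.0.113.7 with four failures in 72 seconds across both hosts. If the hosts' clocks were not synchronized to a trusted time source, no amount of offset handling would recover that ordering, which is the point the text makes.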
It’s important to understand that monitoring is a continuous process. Continuous monitoring ensures that all events are recorded and can be investigated later if necessary. Many organizations increase logging in response to an incident or a suspected incident to gather additional intelligence on attackers.