Page 1252 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Companies can and do use keystroke monitoring in some situations. However, in almost all cases, they are required to inform employees of the monitoring.
Traffic Analysis and Trend Analysis
Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than actual packet contents. This is sometimes referred to as network flow monitoring. It can infer a lot of information, such as primary and backup communication routes, the location of primary servers, sources of encrypted traffic and the amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.
These techniques can sometimes reveal questionable traffic patterns, such as when an employee’s account sends a massive amount of email to others. This might indicate the employee’s system is part of a botnet controlled by an attacker at a remote location. Similarly, traffic analysis might detect if an unscrupulous insider forwards internal information to unauthorized parties via email. These types of events often leave detectable signatures.
Egress Monitoring
Egress monitoring refers to monitoring outgoing traffic to prevent data exfiltration, which is the unauthorized transfer of data outside the organization. Some common methods used to prevent data exfiltration are using data loss prevention techniques, looking for steganography attempts, and using watermarking to detect unauthorized data going out.
Advanced attackers, such as advanced persistent threats sponsored by nation-states, commonly encrypt data before sending it out of the network. This can thwart some common tools that attempt to detect data exfiltration. However, it’s also possible to include tools that monitor the amount of encrypted data sent out of the network.
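As an added illustration (not from the study guide), the following Python runs both flow-based checks over constructed flow records: the mass-mailing pattern from the traffic-analysis section and the encrypted-egress volume check from this section. The record layout, port-to-protocol mapping, thresholds and baseline figures are assumptions; only flow metadata is examined, never payload contents.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (assumed layout, NetFlow-like): only metadata, no payload."""
    src: str        # internal host or account that originated the flow
    dst: str        # external destination
    dst_port: int   # 25 = SMTP; 443 = TLS, treated here as encrypted
    bytes_out: int  # bytes sent from src to dst


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    Flow("alice", "mail.example.net", 25, 4_000),
    Flow("alice", "mail.example.net", 25, 3_500),
    Flow("bob", "mail.example.net", 25, 5_000),
    # carol suddenly emails 60 distinct external hosts
    *[Flow("carol", f"peer{i}.example.org", 25, 2_000) for i in range(60)],
    Flow("alice", "cdn.example.com", 443, 120_000),
    # bob pushes 2.5 GB over TLS to a single external host
    Flow("bob", "drop.example.org", 443, 2_500_000_000),
]

# Assumed per-source "normal" daily outbound SMTP flow counts (baseline).
BASELINE_SMTP = {"alice": 10, "bob": 10, "carol": 10}
ENCRYPTED_PORTS = {443}


def smtp_fanout(flows, baseline, factor=5):
    """Flag sources whose outbound SMTP flow count exceeds factor x their
    baseline; a source with no baseline is held to a baseline of 1."""
    counts = defaultdict(int)
    for f in flows:
        if f.dst_port == 25:
            counts[f.src] += 1
    return {s: n for s, n in counts.items() if n > factor * baseline.get(s, 1)}


def encrypted_egress(flows, max_bytes=1_000_000_000):
    """Flag sources whose total bytes sent to encrypted ports exceed max_bytes."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst_port in ENCRYPTED_PORTS:
            totals[f.src] += f.bytes_out
    return {s: b for s, b in totals.items() if b > max_bytes}


if __name__ == "__main__":
    print("Mass mailers:", smtp_fanout(SAMPLE_FLOWS, BASELINE_SMTP))
    print("Large encrypted egress:", encrypted_egress(SAMPLE_FLOWS))
```

The thresholds are deliberately simple; in practice the baseline would be learned per source and per time window, and hits would be correlated with DLP and watermark alerts before anyone acts on them.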
Data Loss Prevention

