Page 655 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
points and monitor your audit logs to uncover any activity that may
indicate unauthorized administrator access.
Another common system vulnerability is the practice of executing a
program whose security level is elevated during execution. Such
programs must be carefully written and tested so they do not allow any
exit and/or entry points that would leave a subject with a higher
security rating. Ensure that all programs that operate at a high
security level are accessible only to appropriate users and that they are
hardened against misuse. A good example of this is root-owned
world-writable executable scripts in the Unix/Linux OS environment. This
major security flaw is overlooked all too often. Anyone can modify the
script, and it will execute under root context, allowing users to be
created and resulting in backdoor access.
Incremental Attacks
Some forms of attack occur in slow, gradual increments rather than
through obvious or recognizable attempts to compromise system
security or integrity. Two such forms of attack are data diddling and
the salami attack.
Data diddling occurs when an attacker gains access to a system and
makes small, random, or incremental changes to data during storage,
processing, input, output, or transaction rather than obviously altering
file contents or damaging or deleting entire files. Such changes can be
difficult to detect unless files and data are protected by encryption or
unless some kind of integrity check (such as a checksum or message
digest) is routinely performed and applied each time a file is read or
written. Encrypted file systems, file-level encryption techniques, or
some form of file monitoring (which includes integrity checks like
those performed by applications such as Tripwire and other file
integrity monitoring [FIM] tools) usually offer adequate guarantees
that no data diddling is under way. Data diddling is often considered
an attack performed more often by insiders than by outsiders (in
other words, external intruders). Because data diddling alters data,
it is considered an active attack.
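
The message-digest integrity check described above, as an added Python example that is not part of the study guide: it records a SHA-256 baseline for a directory and then reports what changed. The function names and the sample ledger files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def digest(path, chunk=65536):
    """Return the SHA-256 message digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def baseline(root):
    """Map each file's path (relative to root) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = digest(full)
    return result

def compare(old, new):
    """Report files modified, added, or removed since the baseline."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def demo():
    """Constructed sample: one digit of one ledger record is altered."""
    with tempfile.TemporaryDirectory() as root:
        ledger = os.path.join(root, "ledger.csv")
        with open(ledger, "w") as f:
            f.write("acct,balance\n1001,2500.00\n1002,310.75\n")
        with open(os.path.join(root, "rates.csv"), "w") as f:
            f.write("tier,rate\nA,0.015\n")
        # The trusted baseline must be kept where the files' writers cannot reach it.
        trusted = baseline(root)
        # File size and line count stay the same; only the digest differs.
        with open(ledger, "w") as f:
            f.write("acct,balance\n1001,2500.00\n1002,319.75\n")
        return compare(trusted, baseline(root))

if __name__ == "__main__":
    print(demo())
```
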
The salami attack is more mythical by all published reports. The name

