S 6.67 Use of detection measures for security incidents

Initiation responsibility: IT Security Management

Implementation responsibility: IT Security Management

It is very important to detect when security incidents occur as well as trying to prevent them. There are a number of security-relevant irregularities whose detection can be automated using appropriate technical measures, enabling them to be detected early. These detection measures generally increase the reliability of detection and significantly reduce the time between the occurrence of an irregularity and its detection. However, the gain in the ability to react early comes at the effort that is required to implement and monitor such measures. This effort should be estimated in advance. If the potential damage is very large or even entails personal injury, then there is virtually no choice but to adopt such detection measures.

Examples of this kind of detection measures include:

• alarm annunciation devices (see S 1.18 Intruder and fire detection devices)

• remote indication of malfunctions (see S 1.31 Remote indication of malfunctions)

• virus scanning programs (see S 2.157 Selection of a suitable computer virus scanning program)

• intrusion detection and intrusion response systems (see S 5.71 Intrusion detection and intrusion response systems)

• cryptographic checksums (see S 4.34 Using encryption, checksums or digital signatures)

Not all security incidents can be detected promptly using only technical measures. Often organisational measures must be used as well. The reliability of automatic detection measures generally depends on how up-to-date these are and how well suited they are to the actual circumstances. The effectiveness of organisational detection measures depends heavily on the reliability of the persons tasked with implementing them and also on how easily the measures lend themselves to being implemented in actual ongoing operations.

• obtaining information on security weaknesses of the system (see S 2.35 Obtaining information on security weaknesses of the system)

• regular security checks of selected IT systems (e.g. see S 2.92 Performing security checks in the Windows NT client-server network, S 4.93 Regular integrity checking and S 5.8 Monthly security checks of the network)

• regular analysis of log files (e.g. see S 2.64 Checking the log files, S 4.5 Logging of PBX administration jobs, S 4.25 Use of logging in Unix systems, S 4.47 Logging of firewall activities, S 4.54 Logging under Windows NT, S 5.9 Logging at the server)

Additional controls:

• What detection measures are in use?

• Are steps taken to ensure that anything unusual in the log files gets reported?