Fundamentals of Computer Security Tutorials

Basic Security Principles & Terms I / Accountability & Auditing

Subtitles of the Movie

Two more important principles we need to discuss are accountability and auditing. Now, accountability is what we call the ability to trace an action to a specific user and then hold them accountable or responsible for their actions. In other words, if a particular user does something that may be against our company's security policy, for example, we need to be able to track that person down and tie that person to that particular action and say you did this and then hold them accountable and responsible, and we need to be able to do this to a conclusive degree. We need to be able to say that yes, this person is actually the person that did this action.

Now, a lot of times we track accountability through auditing. Auditing is essentially the ability to see what actions have happened on the system and who took those actions. Now, all modern computer systems generally have the ability to perform auditing, but sometimes, depending upon the operating system in use, you have to actually turn it on and configure it. So that's where humans often fail, because sometimes we don't configure auditing on our systems. Now unfortunately, if we don't configure auditing and something does happen, it may be difficult to trace down a malicious user or attacker or a user who has abused the system and then prosecute them or deliver any other kind of administrative action to them, because we don't have our audit trail to go on.

Now again, audit can take the form of audit logs, but there's also other kinds of audit out there. Visitor access logs, for example, to a secure facility. The paper logs are considered audit logs, but a lot of the times when we talk about auditing, we're talking about automated logs within a computer system. Now, audit logs can record many pieces of data within a computer system. But normally we want them to include at least the time and date and the event in question, what happened and when it happened, and also who performed that action. Was it Bob? Was it Sally? Was it Jim? And where did they perform that action from? Which terminal were they logged in at that time? So that's one of the minimum pieces of information we normally want to look for in an audit log. There may be other kinds of information also that your organization may require.

Now, once these logs are generated, if they just go into a file and get archived or deleted, they don't do anyone any good. They must be reviewed by humans, because if a human doesn't review these logs, they're ineffective. It doesn't matter.

Now, a concept I want to throw at you now that really is tied to accountability is non-repudiation. Now, we'll talk a little bit more about non-repudiation when we talk about PKI and so forth, digital signatures, because that ties very closely in non-repudiation as well. But let me tell you what the basic definition of non-repudiation is. It essentially means that a particular action can be traced to a specific user, that they can be held accountable, in other words, and they cannot deny that they performed the action and they can't blame it on someone else.

Hey, what am I talking about? What I'm talking about is, let's say that Jim violated the company security policy and accessed a file he shouldn't have. Well, we need to be able to say that Jim did that. So we go and we accuse Jim of doing it and Jim says, "I didn't do it. I gave Dave my password for something else and he must have used my password to log in and access that data." OK? So now there's some doubt there. We really don't know if it was Jim and maybe he's lying to us, or maybe Dave took Jim's password and performed a malicious act. So what we have there is repudiation. What we want is non-repudiation. And there are ways we can get this. PKI is one way to do it. That's where we can ensure that whoever performed that action is the person that we think.

Now, non-repudiation basically is usually used to ensure the identity and accountability of a user for their actions. So that's an important concept and we'll cover it a little bit more when we talk about PKI as well. But for now you need to know that non-repudiation keeps a person from denying that they took an action and it seeks to eliminate the doubt caused by stealing or forging credentials, and again, digital signatures is one way that we can ensure that we have non-repudiation. We'll cover that a little bit later on in the course.

That's essentially all there is to accountability and auditing as far as the terms go. Now later on we'll also be showing you some examples of the audit logs and what they look like and what we're looking for when we look at an audit log.
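An added example, not part of the transcript or the course material: a small review script that checks each audit record for the minimum fields named above (when, what, who, from where) and flags an account that appears on two terminals within a short window, the situation in which attribution to one person becomes doubtful. The key=value log format, the field names and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Minimum fields named in the lecture: when, what, who, and from where.
REQUIRED = ("time", "event", "user", "terminal")

# Constructed sample records in a hypothetical key=value format.
SAMPLE_LOG = """\
time=2008-05-21T09:00:05 event=login user=jim terminal=tty1
time=2008-05-21T09:02:10 event=file_read user=jim terminal=tty1 object=/hr/payroll.xls
time=2008-05-21T09:03:40 event=login user=jim terminal=tty7
time=2008-05-21T09:04:00 event=file_read terminal=tty7 object=/hr/payroll.xls
time=2008-05-21T11:30:00 event=login user=sally terminal=tty2
"""

def parse(line):
    """Split one key=value record into a dict."""
    return dict(pair.split("=", 1) for pair in line.split())

def review(log_text, window=timedelta(minutes=10)):
    """Return (incomplete, shared): records missing a minimum field, and
    accounts seen on more than one terminal within `window`."""
    incomplete, shared, last_seen = [], [], {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse(line)
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            # Without all four fields the action cannot be tied to a person.
            incomplete.append((lineno, missing))
            continue
        when = datetime.fromisoformat(rec["time"])
        prev = last_seen.get(rec["user"])
        if prev and prev[1] != rec["terminal"] and when - prev[0] <= window:
            shared.append((lineno, rec["user"], prev[1], rec["terminal"]))
        last_seen[rec["user"]] = (when, rec["terminal"])
    return incomplete, shared

if __name__ == "__main__":
    incomplete, shared = review(SAMPLE_LOG)
    for lineno, missing in incomplete:
        print(f"line {lineno}: cannot attribute, missing {missing}")
    for lineno, user, old, new in shared:
        print(f"line {lineno}: {user} on {old} and {new} within window")
```

A flagged account is a prompt for human review, not proof of credential sharing; the script only shows where the audit trail alone cannot settle who acted.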

Tutorial Information

Course: Fundamentals of Computer Security
Author: Bobby Rogers
SKU: 33874
ISBN: 1-934743-69-0
Release Date: 2008-05-21
Duration: 8.5 hrs / 92 lessons
Captions: Available on CD and Online University
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
