Editor’s Note: A GAO report on EPA’s Information Security found multiple serious deficiencies, some related to continuous monitoring. The GAO report is attached here. The section of the report titled “EPA Did Not Effectively Log and Monitor System Activity” is reprinted below.
From: GAO
To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Agencies accomplish this by implementing system or security software that provides an audit trail, or a log of system activity, that can be used to determine the source of a transaction or attempted transaction and to monitor a user’s activities. Audit and monitoring involves the regular collection, review, and analysis of auditable events for indications of inappropriate or unusual activity, and the appropriate investigation and reporting of such activity. Automated mechanisms may be used to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. Audit and monitoring controls can help security professionals routinely assess computer security, perform investigations during and after an attack, and even recognize an ongoing attack. Audit and monitoring technologies include network and host-based intrusion detection systems, audit logging, security event correlation tools, and computer forensics.
NIST guidance states that agencies should retain sufficient audit logs to allow monitoring of key activities, provide support for after-the-fact investigation of security incidents, and meet organizational information retention requirements.
Although EPA has many useful mechanisms at its disposal to help prevent and respond to security breaches, such as firewalls and intrusion detection systems, it has not consistently implemented integrated and responsive audit and monitoring. For example, EPA had not enabled auditing on a server used for receiving confidential data from commercial entities. Furthermore, more than 150 of EPA’s network devices had remote logging set to a severity level that was not sufficient for logging important security information. In addition, the number of error logs on one server database system was set so low that old logs would be overwritten as soon as this number was reached, thus removing the old logs from use. As a result, EPA is limited in its ability to establish accountability, ensure compliance with security policies, and investigate violations.
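Editor’s addition (not part of the GAO report): the two device-side findings above, remote logging set to too low a severity and logging not enabled at all, are easy to check mechanically across a fleet of saved configurations. The script below is an added example written for this page; GAO does not name the device platform, so it assumes Cisco IOS-style `logging host` / `logging trap` syntax and uses constructed sample configs. The threshold it enforces comes from IOS behavior: failed logins are emitted at severity 4 and configuration changes (`%SYS-5-CONFIG_I`) at severity 5, so any `logging trap` level below 5 drops config-change records before they reach the collector.

```python
"""Audit network-device configs for weak remote-logging settings.

Added example for this page, not GAO's or EPA's code. Assumes Cisco
IOS-style 'logging' commands; adapt the regexes for other platforms.
"""
import re

# Standard syslog severities (RFC 5424), also used by IOS 'logging trap'.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# IOS logs failed logins at severity 4 and config changes (%SYS-5-CONFIG_I)
# at severity 5, so a trap level below 5 silently drops config-change records.
REQUIRED_TRAP_LEVEL = 5

# Constructed sample configs for the demo (not real devices).
SAMPLE_CONFIGS = {
    "core-sw-01": """
hostname core-sw-01
logging host 10.1.1.50
logging trap informational
""",
    "edge-rtr-07": """
hostname edge-rtr-07
logging host 10.1.1.50
logging trap errors
""",
    "lab-sw-03": """
hostname lab-sw-03
no logging on
""",
    "dmz-fw-02": """
hostname dmz-fw-02
logging trap notifications
""",
}

TRAP_RE = re.compile(r"^\s*logging trap (\w+)\s*$", re.MULTILINE)
HOST_RE = re.compile(r"^\s*logging host \S+", re.MULTILINE)
OFF_RE = re.compile(r"^\s*no logging on\s*$", re.MULTILINE)


def trap_level(config):
    """Return the numeric 'logging trap' level; IOS defaults to 6 if unset."""
    m = TRAP_RE.search(config)
    if not m:
        return 6
    word = m.group(1)
    return int(word) if word.isdigit() else SEVERITY[word]


def audit_device(config):
    """Return a list of finding strings for one device config."""
    findings = []
    if OFF_RE.search(config):
        # Nothing else matters if logging is switched off entirely.
        findings.append("logging disabled entirely")
        return findings
    if not HOST_RE.search(config):
        findings.append("no remote syslog host configured")
    level = trap_level(config)
    if level < REQUIRED_TRAP_LEVEL:
        findings.append(
            f"logging trap level {level} < {REQUIRED_TRAP_LEVEL}; "
            "config changes (severity 5) will not reach the collector"
        )
    return findings


def audit_fleet(configs):
    """Map device name -> findings, for devices with at least one finding."""
    result = {}
    for name, cfg in configs.items():
        findings = audit_device(cfg)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for dev, issues in audit_fleet(SAMPLE_CONFIGS).items():
        for issue in issues:
            print(f"{dev}: {issue}")
```

Run against a directory of backed-up running-configs, the same loop produces the “more than 150 devices” style count GAO reports, and a nightly run turns the one-time audit finding into a continuous-monitoring check. The report’s third finding, an error-log count set so low that old logs are overwritten, is the retention side of the same problem; the corresponding check is to compare each system’s rotation or retention setting against the organization’s retention requirement rather than against a severity table.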