


by Robin Bloor

Audit Trails? What Audit Trails?

Nov 02, 2005

Data and Information Security, Government

A look at the use of audits and computer forensics to combat insider fraud.

If your employer accuses you of hacking into the company's computing system and perpetrating a fraud, and you happen to be guilty, what is your safest tactic if you want to escape criminal charges? The answer is: ask them to prove it.

One out of three times, even if computer forensics experts are brought in and given unfettered access to all systems, it will be impossible to prove who is guilty of what. The reason is that few computer networks maintain comprehensive audit trails of who did what and when.

To put this in perspective, it isn't that there are no audit trails. Nearly all computer operating systems keep logs, which record some of the activities of computer users, such as user logins and launching programs – and although it is possible to turn such logs off, usually they are set on. Databases also have transaction logging capability, and database logs are usually set on. Some network devices and IT security devices, such as Intrusion Detection Systems (IDS), keep logs of network activity. But even so, if you are trying to prove how something happened within a computer network and who was responsible, these traces might not be enough to prove anything indisputably.

The fact that computer forensics experts exist gives some indication of the nature of this problem. It's easy to imagine a well-organized computer environment where it is only necessary to search the user logs to find out who changed what information when – but such computer environments don't exist. Computer forensics experts have to build up a picture of what happened from diverse sets of data records, and they also have to be sure that such data has not been interfered with in some way. The burden of proof is heavy.

And even if you can tie a given activity back to a specific login, can you prove absolutely who logged in? Passwords can be stolen in many ways, using hacking techniques or, more commonly nowadays, social engineering: simply persuading someone to give you their login credentials. Only strong authentication using tokens or biometrics (fingerprints, retina scans, etc.) can prove with reasonable certainty who used a specific set of computer capabilities.

So what can be done to make it more difficult for digital thieves and fraudsters? Many of the products that are strongly marketed nowadays as compliance solutions will raise the bar for the bad guys. Consul InSight, which co-ordinates and analyzes log files across a network, and data audit products like Lumigent's Audit DB are examples. Coherent identity management systems coupled with strong authentication will improve the picture too.

However, these are not solutions to the whole problem; they are just possible components of a solution. The only way to reduce the risk significantly is to invent and test possible fraud scenarios within your organization – and then do the forensics work to see if you can trace the activities you tested for. You will probably need to hire a computer forensics consultant to help you with this.

There are also a few simple but effective precautions that will reduce the risk of fraud. They are based on known facts about fraudsters.

Fact: Most fraudulent attacks are made by people that are trusted with high levels of authorization, such as systems administrators or database administrators.

Precaution: As a matter of policy, closely monitor and log all activities of all such super users.

Fact: Social engineering is the most effective way for fraudsters to gain unauthorized access to a system.

Precaution: Regularly send users with high levels of authorization logs of their access activities so they can detect any anomalies, and make them sign off on their network usage.

Fact: Most fraudulent attacks are made by insiders but carried out outside office hours, in the evening. (Fraudsters fear being discovered by people looking over their shoulders.)

Precaution: Don't allow normal system access in the evenings without special authorization. Monitor such access closely.
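The three precautions above, turned into detection logic run over a handful of constructed audit-log lines. This is an added example, not code from the article; the log format, the account names, the office-hours window and the evening-authorization list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article): timestamp, user, action, target.
SAMPLE_LOG = """\
2005-11-02T09:14:03 alice login workstation-12
2005-11-02T09:20:41 dba_bob UPDATE payroll.salaries
2005-11-02T21:05:17 dba_bob UPDATE payroll.salaries
2005-11-02T21:07:55 dba_bob DELETE audit.db_log
2005-11-02T22:30:00 carol login vpn
2005-11-02T10:02:11 alice SELECT hr.employees
"""

# Assumed policy inputs: which accounts are super users (precaution 1),
# who holds a special evening-access authorization (precaution 3), and
# what counts as office hours (08:00 inclusive to 18:00 exclusive).
SUPER_USERS = {"dba_bob", "root"}
EVENING_AUTHORIZED = {"carol"}
OFFICE_HOURS = (8, 18)


def parse_log(text):
    """Parse one event per line into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target})
    return events


def review(events):
    """Apply the three precautions.

    Returns (findings, summary): findings flags every super-user action and
    every out-of-hours action by an account without evening authorization;
    summary is the per-user activity list to send out for sign-off (precaution 2).
    """
    findings = []
    summary = defaultdict(list)
    for e in events:
        summary[e["user"]].append(f"{e['ts'].isoformat()} {e['action']} {e['target']}")
        out_of_hours = not (OFFICE_HOURS[0] <= e["ts"].hour < OFFICE_HOURS[1])
        if e["user"] in SUPER_USERS:
            findings.append(("SUPERUSER", e["user"], e["action"], e["target"]))
        if out_of_hours and e["user"] not in EVENING_AUTHORIZED:
            findings.append(("OUT_OF_HOURS", e["user"], e["action"], e["target"]))
    return findings, dict(summary)
```

On the sample log the DBA's evening edit and deletion are flagged twice (super user and out of hours), while carol's authorized evening VPN login only appears in her sign-off summary.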

In the end it isn't just a matter of deploying good IT security products; it's also a matter of implementing effective security policy.