by launching vulnerability-scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.
Additionally, packet sniffers should be deployed on DMZs to look for HTTP traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a 3-hour period once per week, information security personnel search for HTTP traffic that is neither sourced by or destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.
To identify back-channel connections that bypass approved DMZs, effective network security personnel establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel connect a sending test system to various points on the organization’s internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path packets take from the sender to the receiver system.
Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs
How do attackers exploit the lack of this control?
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems were compromised, without protected and complete logging records, the victim is blind to the details of the attack and to the subsequent actions taken by the attackers after they gained the initial foothold. Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit