assembled as part of Critical Control 1, to ensure that each managed item that is actively connected to the network is periodically generating logs.
“Analytical programs” for reviewing logs can be useful, but the capabilities employed to analyze audit logs are quite wide-ranging, from full correlation engines down to a cursory examination by a human. Actual correlation tools, which tie together events from many systems by time, source, or account, can make the logs far more useful for subsequent manual inspection by people. The measurements above do not require that correlation tools be deployed, given their cost and complexity, but such tools can be quite helpful in identifying subtle attacks that are invisible in any single system's log. Such tools are not a panacea, however, and are not a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are required to identify and understand attacks.
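The following is an added example, not part of the Critical Security Controls text, showing the kind of cross-system correlation the paragraph above refers to. It parses constructed SSH authentication lines from several hosts: each host alone sees only one or two failed logins (below any per-host threshold), but grouping the failures by source address across hosts exposes a password-spraying attempt and the one login from that source that eventually succeeded. The log format, host names, addresses and thresholds are all assumptions made for the example.

```python
"""Added example (not from the Critical Security Controls document):
minimal cross-host correlation of SSH authentication log lines.
The sample lines, host names, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format: "<timestamp> <host> sshd[pid]: ..."
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web1 sshd[101]: Failed password for admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:05 web2 sshd[202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:09 db1 sshd[303]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:14 web1 sshd[104]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:20 web3 sshd[404]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:31 db1 sshd[305]: Accepted password for backup from 203.0.113.7 port 51005 ssh2
2024-03-01T10:02:00 web2 sshd[210]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:02:30 web2 sshd[211]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text):
    """Return (timestamp, host, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"],
                           m["result"], m["user"], m["src"]))
    return events


def per_host_alerts(events, threshold=3):
    """What a single-host view produces: (host, src) pairs whose own failure
    count reaches the threshold.  For the sample data this is empty."""
    counts = defaultdict(int)
    for _, host, result, _, src in events:
        if result == "Failed":
            counts[(host, src)] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlate by source address across hosts: flag a source with at least
    `threshold` failures spread over two or more hosts inside `window`, and
    record the first later successful login from that source, if any."""
    by_src = defaultdict(list)
    for ev in sorted(events):          # tuples sort by timestamp first
        by_src[ev[4]].append(ev)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[2] == "Failed"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - first[0] <= window]
            hosts = {e[1] for e in in_window}
            if len(in_window) >= threshold and len(hosts) >= 2:
                later = [e for e in evs if e[2] == "Accepted" and e[0] >= first[0]]
                findings.append({
                    "src": src,
                    "failures": len(in_window),
                    "hosts": sorted(hosts),
                    # (host, user) of the first success after the spray, else None
                    "success": (later[0][1], later[0][3]) if later else None,
                })
                break                  # one finding per source is enough
    return findings


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("per-host alerts:", per_host_alerts(events))
    for f in correlate(events):
        print("correlated:", f)
```

The per-host view stays silent because no host receives three failures from the same source, while the correlated view reports five failures from 203.0.113.7 across four hosts followed by a successful login to db1 as "backup", which is exactly the sort of event a person should then inspect by hand.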
Critical Control 7: Application Software Security
How do attackers exploit the lack of this control?
Attacks against vulnerabilities in applications have been a top priority for criminal organizations since 2005. In that year the attackers focused on exploiting vulnerabilities in ubiquitous products such as anti-virus tools and back-up systems. These attacks continue, with new vulnerabilities in security products and in back-up tools being discovered and exploited each week. A second, massive wave of application attacks began surging in late 2006 when the criminals went after custom-developed web, server, and workstation applications. They found fertile territory. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites. Compromised sites belonging to trusted organizations, including state governments, the United Nations, and similarly respected bodies, infected hundreds or thousands of visiting PCs, turning them into zombies. Many more web and non-web application attacks are emerging. On average more than 70 new vulnerabilities are found every week in commercial applications, and many more are waiting to be found (or have already been exploited without public recognition) in custom applications written by programmers for individual sites in government, commercial, and private enterprises.
How can this control be implemented, automated, and its effectiveness measured?