
CSOL500 Module 6 Discussion 2: Continuous Monitoring Marc Leeka

Continuous monitoring of assets (as opposed to interval-based monitoring) lets you respond
quickly to detected problems because information is analyzed in near real time, which gives you a
far better chance of affecting the outcome of an intrusion. It is the difference between reviewing
yesterday's security videotapes to figure out who shoplifted the six-pack of beer and watching the
customers and the beer cooler closely enough to spot and react to suspicious behavior while the
person who may or may not be a shoplifter is still in the store.

Continuous monitoring does not necessarily mean that every asset is checked every second or
every minute; it does imply monitoring at a predetermined interval that is based on the risk of the
asset. The objective of a continuous monitoring program is to determine whether the complete set of
planned, required, and deployed security controls within an information system, or inherited by
the system, continues to be effective over time in light of the inevitable changes that occur.[1]
Lastly, this kind of program brings two main benefits that standard point-in-time security
assessments do not: increased visibility (staff at all levels see what is happening as it is
happening) and increased control.[2]

Had the NSA practiced continuous monitoring, Edward Snowden might not have been able to
obtain so many restricted documents, and he probably wouldn't have made it to the airport.
Snowden used his valid access (such as a CAC with keys and certificates, and SSH keys for system
administration) to determine what information was available and where it was stored, even when he
didn't immediately have full access to that information. It strikes me, given that Snowden was able
to inventory so much information, that the NSA was neither following nor monitoring a least-privilege model.

Snowden gained unauthorized access to other administrators' SSH keys and inserted his own to
gain full, trusted status to information he was not authorized to access. Usernames and
passwords borrowed from colleagues afforded him further opportunities to take keys or to insert his own as
trusted. Having root or an equivalent administrative status gave Snowden total access to all data.
The NSA was not monitoring for unusual, first-of-their-kind accesses: administrator-equivalent
accounts reaching information they had never previously touched.
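The two signals in the paragraph above, an unapproved key landing in a privileged account's authorized_keys and a privileged account reading something it has never read before, are exactly what a continuous-monitoring pipeline can watch for. The script below is an added example, not code from the original post or from the Venafi write-up it draws on; every account name, key fingerprint, resource path and audit event in it is constructed, and the JSON event format is an assumption standing in for whatever the real audit source emits.

```python
"""Added example, not code from the original post or its sources: two checks a
continuous-monitoring pipeline can run over administrative audit events.

  1. An SSH public key added to a privileged account's authorized_keys that is
     not in the approved key inventory (the "insert his own key" step).
  2. A privileged account reading a resource it never touched during a
     baseline window, i.e. the first-seen access that was not being watched for.

Every account name, fingerprint, resource path and event below is constructed
for this example.
"""
import json
from collections import defaultdict

# Constructed inventory of approved SSH key fingerprints per privileged account.
APPROVED_KEYS = {
    "root@fileserver01": {"SHA256:aaaa1111", "SHA256:bbbb2222"},
    "root@repo02": {"SHA256:cccc3333"},
}

# Events with ts below this value form the baseline of normal behaviour.
BASELINE_END = 100

# Constructed audit log, one JSON event per line.
EVENT_LOG = """\
{"ts": 10, "type": "access", "user": "admin_a", "resource": "/shares/hr"}
{"ts": 11, "type": "access", "user": "admin_a", "resource": "/shares/hr"}
{"ts": 12, "type": "access", "user": "admin_b", "resource": "/shares/ops"}
{"ts": 13, "type": "access", "user": "admin_b", "resource": "/shares/ops"}
{"ts": 14, "type": "authorized_keys", "account": "root@fileserver01", "added": ["SHA256:bbbb2222"]}
{"ts": 120, "type": "access", "user": "admin_a", "resource": "/shares/hr"}
{"ts": 121, "type": "authorized_keys", "account": "root@fileserver01", "added": ["SHA256:dddd4444"]}
{"ts": 122, "type": "access", "user": "admin_b", "resource": "/shares/classified/program_x"}
{"ts": 123, "type": "access", "user": "admin_b", "resource": "/shares/classified/program_y"}
{"ts": 124, "type": "access", "user": "admin_b", "resource": "/shares/ops"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, baseline_end):
    """Map each user to the set of resources they accessed before baseline_end."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "access" and ev["ts"] < baseline_end:
            seen[ev["user"]].add(ev["resource"])
    return seen


def detect_privileged_access(events, approved_keys, baseline_end):
    """Return alerts in event order.

    Key additions are checked against the inventory at any time; access events
    are only judged after the baseline window, and each new (user, resource)
    pair alerts once so a repeat read does not flood the queue.
    """
    baseline = build_baseline(events, baseline_end)
    alerts = []
    for ev in events:
        if ev["type"] == "authorized_keys":
            approved = approved_keys.get(ev["account"], set())
            unknown = [fp for fp in ev["added"] if fp not in approved]
            if unknown:
                alerts.append({"ts": ev["ts"], "rule": "unapproved_ssh_key",
                               "account": ev["account"], "keys": unknown})
        elif ev["type"] == "access" and ev["ts"] >= baseline_end:
            if ev["resource"] not in baseline[ev["user"]]:
                alerts.append({"ts": ev["ts"], "rule": "first_seen_access",
                               "user": ev["user"], "resource": ev["resource"]})
                baseline[ev["user"]].add(ev["resource"])
    return alerts


def new_resources_per_user(alerts):
    """Count first-seen resources per user: a spike here is the 'inventory' pattern."""
    counts = defaultdict(int)
    for a in alerts:
        if a["rule"] == "first_seen_access":
            counts[a["user"]] += 1
    return dict(counts)


def run_access_example():
    return detect_privileged_access(parse_events(EVENT_LOG), APPROVED_KEYS, BASELINE_END)


if __name__ == "__main__":
    for alert in run_access_example():
        print(alert)
    print(new_resources_per_user(run_access_example()))
```

On the constructed log this raises one alert for the unapproved key SHA256:dddd4444 and two first-seen alerts for admin_b reaching the classified shares, while admin_b's routine read of /shares/ops stays quiet. The per-user count of new resources is the cheap proxy for the "inventory everything" behaviour described above: one new share is a Tuesday, dozens in a shift is a finding.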

To get data off NSAnet, Snowden used command-and-control servers to receive encrypted
data sessions. Those sessions were authenticated with self-signed certificates. The NSA was not
monitoring outbound data streams to unknown servers.
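What "monitoring outbound data streams to unknown servers" looks like in practice is below: each outbound TLS session is scored on whether its destination is on the approved egress list, whether the server certificate is self-signed (issuer equal to subject), and whether the byte count looks like bulk transfer. This is an added example, not code from the post or its sources; the pipe-separated log format, hostnames, IP addresses, certificate DNs and byte counts are all constructed, and the thresholds are assumptions.

```python
"""Added example, not code from the original post or its sources: the outbound
check the post says was not being done. Each TLS session leaving the enclave
is judged on three signals:

  - the destination is not on the approved egress list,
  - the server certificate is self-signed (issuer DN equals subject DN),
  - the outbound byte count is large enough to look like bulk transfer.

The log format, hostnames, addresses, DNs and byte counts are constructed for
this example; a real deployment would take these fields from a TLS-aware
network sensor.
"""
from dataclasses import dataclass

# Constructed allowlist of external names internal hosts may reach over TLS.
APPROVED_DESTINATIONS = {"updates.example.mil", "mail.example.mil"}

# Assumed outbound volume (bytes) above which a suspicious session is escalated.
BULK_TRANSFER_BYTES = 50_000_000

# Constructed connection log, pipe-separated:
# ts|src_ip|dst_ip|dst_port|server_name|cert_subject|cert_issuer|bytes_out
TLS_LOG = """\
1700000001|10.1.4.22|203.0.113.10|443|updates.example.mil|CN=updates.example.mil|CN=Example Root CA|1200
1700000050|10.1.4.22|198.51.100.7|443|mail.example.mil|CN=mail.example.mil|CN=Example Root CA|84000
1700000300|10.1.4.22|192.0.2.55|443|-|CN=srv1.internal|cn=srv1.internal|73400000
1700000400|10.1.4.22|192.0.2.56|8443|-|CN=srv2|CN=srv2|512
"""


@dataclass
class TlsSession:
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int
    server_name: str   # SNI as sent by the client, "-" when absent
    cert_subject: str
    cert_issuer: str
    bytes_out: int


def parse_tls_log(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        sessions.append(TlsSession(int(f[0]), f[1], f[2], int(f[3]),
                                   f[4], f[5], f[6], int(f[7])))
    return sessions


def normalise_dn(dn):
    """Canonical form so 'CN=a, O=b' and 'cn=a,o=b' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_self_signed(subject, issuer):
    """A self-signed certificate names itself as its own issuer.

    This is the cheap check. A full monitor would also walk the chain to a
    trust store, which is what separates a self-signed cert from a stolen but
    CA-issued one.
    """
    return normalise_dn(subject) == normalise_dn(issuer)


def classify(session, approved):
    reasons = []
    if session.server_name not in approved:
        reasons.append("destination_not_approved")
    if is_self_signed(session.cert_subject, session.cert_issuer):
        reasons.append("self_signed_cert")
    # Volume alone is not a finding; volume on top of another signal is.
    if reasons and session.bytes_out >= BULK_TRANSFER_BYTES:
        reasons.append("bulk_outbound_transfer")
    return reasons


def detect_tls_egress(sessions, approved=APPROVED_DESTINATIONS):
    alerts = []
    for s in sessions:
        reasons = classify(s, approved)
        if reasons:
            severity = "high" if "bulk_outbound_transfer" in reasons else "medium"
            alerts.append({"ts": s.ts, "src": s.src_ip,
                           "dst": f"{s.dst_ip}:{s.dst_port}",
                           "severity": severity, "reasons": reasons})
    return alerts


def run_egress_example():
    return detect_tls_egress(parse_tls_log(TLS_LOG))


if __name__ == "__main__":
    for alert in run_egress_example():
        print(alert)
```

The two sessions to approved hosts with CA-issued certificates pass silently; the 73 MB session to an unlisted host presenting a self-signed certificate comes out as a high-severity alert, and the small session to the second unlisted host as medium. The point is the combination: a self-signed certificate on its own is common on internal test boxes, and an unlisted destination on its own is often a new vendor, but both together on a multi-gigabyte outbound stream is the pattern described above.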

The NSA was no stranger to certificate abuse. The Stuxnet attack, attributed to the NSA, used
code-signing certificates stolen from unwitting Taiwanese companies; those were CA-issued rather
than self-signed, which is precisely why the signed drivers loaded with trusted status.
[1] NIST Special Publication 800-137 (September 2011), Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, at http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

[2] White paper (2012), Continuous Monitoring of Information Security, CDW-G. Retrieved from https://statetechmagazine.com/sites/default/files/continuous_monitoring_of_information_security.pdf

Ross, R. (2012, Summer). What Continuous Monitoring Really Means. FedTech Magazine. Retrieved February 23, 2016, from http://www.fedtechmagazine.com/article/2012/07/what-continuous-monitoring-really-means

Snowden activity taken almost verbatim from Hudson, J. (2013, November 12). Deciphering How Edward Snowden Breached the NSA. Retrieved February 23, 2016, from https://www.venafi.com/blog/post/deciphering-how-edward-snowden-breached-the-nsa/
