Most of the information uncovered in security audits relates to breaches caused by the relatively harmless curiosity of neophyte crackers, or by honest mistakes made by organizational insiders. Nevertheless, security experts advise that every incident, harmless or not, should be logged and reported in a statistical summary. Computer security professionals can then analyze that summary to find suspicious activity and to classify the severity of incidents. Common incidents that are terminated by regular security measures, such as an unsuccessful attempt by a cracker to telnet to the enterprise's firewall system, should be recorded but not normally noted as "a severe incident." In contrast, activity indicating that a successful attack is in progress, such as the unexpected alteration of an executable file, should be reported immediately and logged as "an incident of concern."
Alarm classification requires a combination of on-the-job experience and common sense on the part of the security expert. In general, when a security expert is in doubt about how to classify an incident, the advice of senior experts in the field is to overclassify rather than underclassify it. Note, however, that the same event can merit different classifications in different enterprises: an unsuccessful telnet attempt from an unknown host to the firewall may be unimportant in one enterprise, whereas in another, such as a bank, the same incident may be considered critical and require immediate attention from the system administrator.
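The following script is an added example and not part of the original text; it shows one way to put the classification rules above into code. It parses constructed firewall log lines, compares a set of constructed "executables" against a hash baseline, assigns each event one of the text's two labels (recorded versus incident of concern), and builds the statistical summary. A per-enterprise policy object (its field names are assumptions for this example) lets a bank escalate a failed telnet probe of the firewall, and any event no rule recognises is put in an "unclassified" bucket that is reported alongside incidents of concern, so that doubt errs toward overclassification.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# Severity labels for the statistical summary. The first two follow the text;
# the third is an added bucket for events no rule recognised (overclassify).
RECORDED = "recorded"                      # stopped by regular controls; log only
CONCERN = "incident of concern"            # attack may be in progress; report now
UNCLASSIFIED = "unclassified (treat as concern)"


@dataclass(frozen=True)
class Policy:
    # Per-enterprise classification policy; field names are assumptions here.
    firewall_hosts: frozenset = frozenset({"192.0.2.1"})
    admin_ports: frozenset = frozenset({22, 23})
    # A bank would set this True: a failed telnet probe of the firewall then
    # becomes an incident of concern instead of merely being recorded.
    escalate_firewall_probes: bool = False


# Constructed firewall log lines (not captured from a real device).
FW_LOG = """\
2005-05-19T10:02:11 fw1 deny tcp 203.0.113.45:51234 -> 192.0.2.1:23
2005-05-19T10:02:12 fw1 deny tcp 203.0.113.45:51235 -> 192.0.2.1:23
2005-05-19T10:05:40 fw1 allow tcp 198.51.100.7:44321 -> 192.0.2.10:443
2005-05-19T10:07:01 fw1 weird icmp 203.0.113.9 -> 192.0.2.1
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fw_log(text):
    """Parse each line into a dict. Lines the regex rejects are kept as
    'unparsed' rather than dropped: an unreadable line is itself reportable."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m is None:
            events.append({"kind": "unparsed", "raw": line})
            continue
        ev = m.groupdict()
        ev["kind"] = "firewall"
        ev["dport"] = int(ev["dport"]) if ev["dport"] else None
        events.append(ev)
    return events


def classify_firewall(ev, policy):
    """Return a severity label, or None when the event is not an incident."""
    if ev["kind"] == "unparsed":
        return UNCLASSIFIED
    if ev["action"] == "allow":
        return None                        # permitted traffic; not an incident
    if ev["action"] == "deny":
        probe_of_firewall = (ev["dst"] in policy.firewall_hosts
                             and ev["dport"] in policy.admin_ports)
        if probe_of_firewall and policy.escalate_firewall_probes:
            return CONCERN
        return RECORDED                    # terminated by the firewall itself
    return UNCLASSIFIED                    # unknown action: overclassify


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed integrity baseline: the "executables" are short byte strings.
BASELINE = {
    "/usr/sbin/sshd": sha256(b"sshd binary v1"),
    "/usr/bin/ls": sha256(b"ls binary v1"),
}
# Constructed current state: sshd has been altered since the baseline was taken.
CURRENT_FILES = {
    "/usr/sbin/sshd": b"sshd binary v1 with backdoor",
    "/usr/bin/ls": b"ls binary v1",
}


def integrity_events(baseline, current_files):
    """Any executable whose hash no longer matches the baseline, or that has
    vanished, is an incident of concern and must be reported immediately."""
    events = []
    for path, expected in baseline.items():
        data = current_files.get(path)
        if data is None:
            change = "missing"
        elif sha256(data) != expected:
            change = "modified"
        else:
            continue
        events.append({"kind": "integrity", "path": path, "change": change})
    return events


def run_audit(fw_text, current_files, policy):
    """Classify every event and build the statistical summary."""
    incidents = []
    for ev in parse_fw_log(fw_text):
        sev = classify_firewall(ev, policy)
        if sev is not None:
            incidents.append((sev, ev))
    for ev in integrity_events(BASELINE, current_files):
        incidents.append((CONCERN, ev))
    return incidents, Counter(sev for sev, _ in incidents)


if __name__ == "__main__":
    for name, pol in (("generic", Policy()), ("bank", Policy(escalate_firewall_probes=True))):
        incidents, summary = run_audit(FW_LOG, CURRENT_FILES, pol)
        print(name, dict(summary))
        for sev, ev in incidents:
            if sev != RECORDED:
                print("  REPORT", sev, ev)
```

Running it with the default policy yields two recorded events (the denied telnet probes), one unclassified event (the unrecognised "weird" action) and one incident of concern (the altered sshd); with the bank policy the two probes move into the incident-of-concern bucket, which is exactly the enterprise-dependent difference the text describes.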
A revealing news story that surfaced in the U.K. on May 19, 2005, claimed that some U.K. financial institutions ignore the findings of security audits and treat audits merely as a necessary legal step to satisfy corporate governance regulations. A managing consultant at Integralis maintained that financial institutions are told they must carry out a penetration test to comply with audits, but that in about 5% of the cases reviewed the security team keeps finding the same system faults audit after audit. Although in some cases the financial institutions cite a lack of resources to correct the discovered flaws, it is often a matter of misplaced priorities: getting new applications up and running is too often the top priority, leaving known security flaws lower on the list.