Monitoring IT resources

Centrally select and install malware detection and repair programs and update them regularly for preventive or regular scanning of computers and media.

Programs should check at least the following:

• files received over the network or storage media are scanned for malware before use
• email attachments and downloaded files are scanned for malware before use
• websites are scanned for malware

Malware protection systems automatically check for and install updates at desired intervals and also run the desired scans at the selected frequency without needed user actions.

The organization regularly conducts a vulnerability scan, which searches for vulnerabilities found on computers, workstations, mobile devices, networks or applications. It is important to scan even after significant changes.

It should be noted that vulnerable source code can be from operating system software, server applications, user applications, as well as from the firmware application as well as from drivers, BIOS and separate management interfaces (e.g. iLo , iDrac). In addition to software errors, vulnerabilities occur from configuration errors and old practices, such as the use of outdated encryption algorithms.

All servers in the organization should be protected by a properly configured software firewall that monitors traffic, accepts compliant traffic, and monitors users.

WAF (web application firewall) should be protecting offered digital services from attacks (e.g. SQL injection).

Organization must describe the baseline of normal behaviour for the use of network and data systems, which is used as a starting point for identifying anomalies.

When defining the baseline, the following must be taken into account:

• monitoring the use of data systems during both normal and peak times
• usual times of use, places of use and frequency of use for each user and user group

Monitoring systems must be configured against the baseline to identify anomalous behavior such as:

• unplanned termination of systems or processes
• traffic related to malware or malicious IP addresses or domains
• known attack characteristics (e.g. denial of service or buffer overflow)
• unusual system use (e.g. keystroke logging)
• bottlenecks and overloads (e.g. network queues, latency levels)
• unauthorized access (actual or attempted) to systems or data
• unauthorized scanning of data systems and networks
• successful and failed attempts to access protected resources (e.g. DNS servers, web portals and file systems)
• unusual user and system behavior

With the help of email monitoring, e.g. identify personal, unstructured but valuable or sensitive personal or other information in e-mail traffic and the system.

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.

Configurations should be monitored with comprehensive system management tools (e.g. maintenance utilities, remote support, enterprise management tools, backup and recovery software) and reviewed regularly to assess settings, password strengths, and operations performed. Actual configurations can be compared to defined target models. Any discrepancies must be dealt with either automatically or by manual processing.

Any unauthorized changes must be corrected and cause investigated and reported.