Scope

In order to design a security monitoring surveillance system, it is necessary to understand the types of threats and attacks that can be mounted against a computer system, and how these threats may manifest themselves in audit data. It is also important to understand the threats and their sources from the viewpoint of identifying other data sources by which the threat may be recognized.

To assist the reader, the following definitions are used in this paper:

Threat:

The potential possibility of a deliberate unauthorized attempt to: a) access information, b) manipulate information, c) render a system unreliable or unusable.

Risk:

Accidental and unpredictable exposure of information, or violation of operations integrity due to malfunction of hardware or incomplete or incorrect software design.

Vulnerability:

A known or suspected flaw in the hardware or software design or operation of a system that exposes the system to penetration or its information to accidental disclosure.

Attack:

A specific formulation or execution of a plan to carry out a threat.

Penetration:

A successful attack; the ability to obtain unauthorized (undetected) access to files and programs or the control state of a computer system.

In considering the threat problem, the principal breakdown of threats is on the basis of whether or not an attacker is normally authorized to use the computer system, and whether or not a user of the computer system is authorized to use a particular resource in the system. The cases of interest are shown in Figure 1.
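The two-axis breakdown above (authorized to use the system at all; authorized to use a particular resource) is the kind of distinction an audit-data monitor can apply directly. The following Python is an added illustration, not code from the paper: it runs a handful of constructed audit records against constructed authorization tables (`SYSTEM_USERS`, `RESOURCE_ACL` are assumed names) and labels each record by which authorization boundary, if any, it crosses.

```python
from collections import Counter

# Constructed sample audit records (not from the paper): actor, action, object.
AUDIT_LOG = [
    {"user": "alice",   "action": "read",  "object": "/docs/readme.txt"},
    {"user": "alice",   "action": "read",  "object": "/payroll/q3.txt"},
    {"user": "mallory", "action": "login", "object": "system"},
    {"user": "bob",     "action": "write", "object": "/payroll/q3.txt"},
    {"user": "alice",   "action": "write", "object": "/docs/readme.txt"},
]

# Constructed authorization data (assumed, not from the paper): accounts permitted
# to use the system at all, and, per resource, the actions each account may perform.
SYSTEM_USERS = {"alice", "bob"}
RESOURCE_ACL = {
    "/payroll/q3.txt":  {"bob": {"read", "write"}},
    "/docs/readme.txt": {"alice": {"read"}, "bob": {"read", "write"}},
}

# Labels for the two axes of the breakdown described in the text.
UNAUTHORIZED_SYSTEM_USE = "not authorized to use the system"
UNAUTHORIZED_RESOURCE_USE = "authorized user, not authorized for this resource/action"
AUTHORIZED = "authorized"


def classify(record):
    """Place one audit record on the two authorization axes."""
    user, action, obj = record["user"], record["action"], record["object"]
    if user not in SYSTEM_USERS:
        # First axis: the actor is not a recognized user of the system at all.
        return UNAUTHORIZED_SYSTEM_USE
    if obj == "system":
        # Plain session use (e.g. login) by a known account.
        return AUTHORIZED
    # Second axis: a known user acting on a resource; check the action is permitted.
    allowed = RESOURCE_ACL.get(obj, {}).get(user, set())
    if action not in allowed:
        return UNAUTHORIZED_RESOURCE_USE
    return AUTHORIZED


def audit_findings(log):
    """Return (user, action, object, label) for every record that is not plain authorized use."""
    findings = []
    for record in log:
        label = classify(record)
        if label != AUTHORIZED:
            findings.append((record["user"], record["action"], record["object"], label))
    return findings


def summarize(log):
    """Count records per label, giving a quick picture of which threat class dominates."""
    return Counter(classify(record) for record in log)


if __name__ == "__main__":
    for finding in audit_findings(AUDIT_LOG):
        print(finding)
    print(dict(summarize(AUDIT_LOG)))
```

Both checks depend on audit records carrying the actor, the action and the object; a log that records only the action (or only successful operations) cannot distinguish the two cases, which is why the rest of the paper asks where else the evidence of a threat might be found.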

Another view of the representation of threats is shown in Figure 2. This representation shows the protected resources, surrounded by rings of control and rings of "users". In some ways this representation is more useful for purposes of identifying where and what kind of audit data might be of use in detecting the exercise of one of the threats shown.