Monitoring is a vast subject and it is often difficult to think about everything you can monitor; even worse is deciding what is worth the cost of being monitored and what can safely be ignored. To top it all off there are so many media that a company can monitor that it’s a huge task to even tackle the subject.
The first medium that likely comes to mind when one thinks of monitoring is the internet. The internet is a like a huge lawless expanse with a direct path to your company. Anyone can launch attacks from it and a successful attack can be as damaging as, if not more than, a physical break-in. So what can one monitor and which of these should in fact be monitored?
- Suspicious requests to your firewall
It’s amazing how many requests your firewall will receive every day. Most of these requests are in fact automated scanners searching for a specific vulnerability and scanners looking for interesting servers such as open relays. It is impossible to manually check each request; however, it is important to find out if an attack was successful. Ideally you should set up a log processing tool that is able to ignore the noise and alert the administrator of an actual break in or unusual event that warrants investigation.
- Monitoring files coming in and out of your internet pipe
Just as with the above probing attempts, a lot of files get transfered in and out of your company. These can include downloaded files off the web, pictures from loading web sites as well as files submitted by your user to an online web form. It is generally important to monitor these in some form or other, the most basic being a virus scanner off each desktop. A better solution would be virus scanning each file as it is coming in as well as having an IDS solution that might be able to detect attacks embedded in files such as the recent JPG exploit.
- Monitor Web Activity
Monitoring the web activity of your employees is an important security step that I would recommend. The target here primarily is to ensure that your employees do not surf dangerous sites or consume excessive bandwidth. Certain sites can include malicious software that exploits browser vulnerabilities and installs viruses on the host without user interaction. Some websites are used for phishing attacks and other activities that might put the user or the company in jeopardy.
- Connection Attempts
It is to be expected that people try to connect to your services; however, in some cases you may want to monitor where such requests are coming from and block access to that IP if necessary. This is especially true for services such as Remote Desktops and file sharing requests.
- Monitor your servers’ usage
Servers such as mail servers and web server use bandwidth which can be expensive. It is important that the bandwidth usage of these services is constantly monitored. Sometimes due to programming errors or even the malicious intent of an attacker bandwidth usage might spike and when that happens, it is essential to catch it as early as possible to reduce costs and ensure proper service to the legitimate clients.
- Monitor Servers’ Health
An often neglected monitoring task is actually monitoring whether the services you’re running are running as expected. If such a service were to break it is essential that corrective action is taken as quickly as possible. If clients use these services your company’s image might be on the line.
- Employees’ activity online
The final monitoring option related to the internet is a bit controversial; I’m talking about monitoring employee’s activity online. This can vary from work related to personal. In some cases personal internet usage can be innocent such as checking the news to spending a little time check their social networking sites. In other cases it can be damaging to the company if an employee is visiting illegal sites such as gambling (online gambling might be illegal in some areas) to participating in forums/social networking and posting comments that could be damaging in various ways to a company (from image to legal liability). This level of monitoring is controversial for obvious reasons and might also be illegal in some countries; yet, neglecting it could put a company in harm’s way although pursuing it might result in an unpleasant working environment for your employees.