access can all be helpful, but in addition to preventative measures, an overall
solution must include detective techniques to audit and monitor the system.
An ESM can be used to monitor access to information and to monitor
modification of that information. It can also identify when removable
media devices have been attached to systems, and what information has been
moved onto those devices. Many people don't know that connecting a removable
media device to a computer leaves a record: the operating system logs the
device as it is recognized, and, where file-access auditing is enabled, moving
files from the computer to the device generates log entries as well.
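The correlation an ESM performs on those records, as an added example that is not code from the original text or from any ESM product: device-attach events are matched to subsequent file writes on the same host and mount point, so that each transfer to removable media is attributed to a user, a device serial and a volume of data. The event lines and their key=value format are constructed for illustration; real Windows or Linux logs look different and would need their own parser, but the correlation logic is the same.

```python
"""Correlate removable-media attach events with file writes to that media.

Added example (not from the original text). Sample events below are
constructed; their key=value format is an assumption made for brevity.
"""
from datetime import datetime

# Constructed sample events: one ISO timestamp, then key=value fields.
# Raw string so that Windows paths such as C:\temp are not mangled.
SAMPLE_LOG = r"""
2006-07-27T09:02:11 host=ws-17 user=jdoe type=device_attach serial=ABC123 mount=E:
2006-07-27T09:03:45 host=ws-17 user=jdoe type=file_write path=E:\payroll_q2.xls bytes=482000
2006-07-27T09:04:02 host=ws-17 user=jdoe type=file_write path=E:\customers.mdb bytes=2100000
2006-07-27T09:05:00 host=ws-17 user=jdoe type=file_write path=C:\temp\notes.txt bytes=120
2006-07-27T09:06:30 host=ws-17 user=jdoe type=device_detach serial=ABC123
2006-07-27T10:15:00 host=ws-22 user=asmith type=device_attach serial=XYZ789 mount=F:
2006-07-27T10:16:10 host=ws-22 user=asmith type=file_write path=F:\photo.jpg bytes=90000
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a datetime 'ts'.

    Splits on whitespace, so paths containing spaces would need quoting
    in a real format; that is out of scope for this illustration.
    """
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def correlate(lines):
    """Attribute each file write to the removable device mounted at that path.

    Returns one session per attach event: who attached which device to
    which host, which files were written to it, and how many bytes.
    """
    attached = {}   # (host, mount letter) -> currently open session
    sessions = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev["host"]
        if ev["type"] == "device_attach":
            session = {
                "host": host, "user": ev["user"], "serial": ev["serial"],
                "mount": ev["mount"], "attached": ev["ts"], "detached": None,
                "files": [], "bytes": 0,
            }
            attached[(host, ev["mount"].upper())] = session
            sessions.append(session)
        elif ev["type"] == "file_write":
            # Windows-style paths: the first two characters are the drive.
            drive = ev["path"][:2].upper()
            session = attached.get((host, drive))
            if session is not None:          # write went to removable media
                session["files"].append(ev["path"])
                session["bytes"] += int(ev["bytes"])
        elif ev["type"] == "device_detach":
            for key, session in list(attached.items()):
                if key[0] == host and session["serial"] == ev["serial"]:
                    session["detached"] = ev["ts"]
                    del attached[key]
    return sessions


def flag_bulk_transfers(sessions, threshold_bytes=1_000_000):
    """Sessions that moved at least threshold_bytes onto a device."""
    return [s for s in sessions if s["bytes"] >= threshold_bytes]


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG.splitlines()):
        state = "still attached" if s["detached"] is None else "detached"
        print(f"{s['host']} {s['user']} device {s['serial']} ({s['mount']}): "
              f"{len(s['files'])} files, {s['bytes']} bytes, {state}")
    for s in flag_bulk_transfers(correlate(SAMPLE_LOG.splitlines())):
        print(f"ALERT bulk transfer by {s['user']} on {s['host']} to {s['serial']}")
```

The write to C:\temp on ws-17 is deliberately ignored because no removable device is mounted at C:, which is the check that separates ordinary file activity from data leaving the machine; the byte threshold is a tuning knob, and in practice the alert would also carry the file names so an analyst can judge sensitivity.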
Even with ESM and other technical solutions, this is yet another example
of the necessity of including people in the equation. With the right level of
preventative and detective measures supported by policies, removable media of
any type becomes a less critical issue, and employees can still take advantage
of products like iPods while maintaining the security integrity of the
organization. And that is exactly what this next organization did.
Auctioning State Property
A state government agency noticed that asset trending reports in its
ESM were revealing anomalies: several non-critical servers were simply
disappearing from the asset inventory. ESMs have the ability to track various
assets in an environment, including key information such as IP address,
operating system, vulnerabilities, patch levels, asset use, asset criticality,
relationships to compliance, and physical location. Running these reports on a
recurring basis helps reveal changes within the environment, such as patches
being added to servers, devices conforming to regulatory compliance standards,
additional assets coming online, or, in this case, assets disappearing without
any type of change management request.
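The recurring report described above, reduced to its essentials as an added example that is not the agency's or any ESM vendor's code: two inventory snapshots are compared, every difference is classified, and each removed asset is checked against the change-management tickets that should explain it. The snapshots, asset names, addresses and ticket numbers are all constructed for illustration.

```python
"""Diff two asset-inventory snapshots and flag removals with no change ticket.

Added example (not from the original text). All asset names, addresses,
patch levels and ticket identifiers below are constructed.
"""

# Constructed snapshot taken at the previous report run.
PREVIOUS = {
    "srv-web-01":  {"ip": "10.1.1.10", "os": "Windows 2003", "patch": "2006-06", "criticality": "high"},
    "srv-test-04": {"ip": "10.1.5.40", "os": "Windows 2000", "patch": "2006-03", "criticality": "low"},
    "srv-test-05": {"ip": "10.1.5.41", "os": "Windows 2000", "patch": "2006-03", "criticality": "low"},
    "srv-app-09":  {"ip": "10.1.2.90", "os": "RHEL 3",       "patch": "2006-05", "criticality": "medium"},
}

# Constructed snapshot taken at the current report run.
CURRENT = {
    "srv-web-01":  {"ip": "10.1.1.10", "os": "Windows 2003", "patch": "2006-07", "criticality": "high"},
    "srv-db-02":   {"ip": "10.1.3.20", "os": "RHEL 4",       "patch": "2006-07", "criticality": "high"},
}

# Constructed change-management tickets covering the same period.
CHANGE_TICKETS = [
    {"id": "CHG-1042", "asset": "srv-app-09", "action": "decommission"},
    {"id": "CHG-1051", "asset": "srv-web-01", "action": "patch"},
]


def diff_inventory(prev, cur):
    """Classify every asset as added, removed, or changed between snapshots.

    'changed' maps asset name -> {field: (old, new)} for attributes whose
    value differs, so a patch level moving forward shows up as a change.
    """
    added = sorted(set(cur) - set(prev))
    removed = sorted(set(prev) - set(cur))
    changed = {}
    for name in sorted(set(prev) & set(cur)):
        delta = {f: (prev[name][f], cur[name][f])
                 for f in prev[name] if prev[name][f] != cur[name].get(f)}
        if delta:
            changed[name] = delta
    return {"added": added, "removed": removed, "changed": changed}


def unexplained_removals(removed, tickets):
    """Removed assets with no decommission ticket: the anomaly worth chasing."""
    decommissioned = {t["asset"] for t in tickets if t["action"] == "decommission"}
    return [name for name in removed if name not in decommissioned]


def report(prev, cur, tickets):
    """Human-readable lines for the recurring report."""
    d = diff_inventory(prev, cur)
    lines = []
    for name in d["added"]:
        lines.append(f"NEW      {name} ({cur[name]['ip']}, {cur[name]['os']})")
    for name, delta in d["changed"].items():
        fields = ", ".join(f"{f}: {old} -> {new}" for f, (old, new) in delta.items())
        lines.append(f"CHANGED  {name}: {fields}")
    for name in d["removed"]:
        lines.append(f"REMOVED  {name} (was {prev[name]['ip']}, criticality {prev[name]['criticality']})")
    for name in unexplained_removals(d["removed"], tickets):
        lines.append(f"ANOMALY  {name} disappeared with no decommission ticket")
    return lines


if __name__ == "__main__":
    print("\n".join(report(PREVIOUS, CURRENT, CHANGE_TICKETS)))
```

Only srv-app-09's disappearance is matched by a decommission ticket; the two low-criticality test servers drop out with no paperwork, which is exactly the pattern the agency's reports surfaced. Low criticality is what makes such assets easy to overlook in day-to-day operations and, as the story shows, easy to remove unnoticed.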
It appeared that five servers had disappeared. Application, server and network
teams were unaware of what could have happened. Change control
reports were reviewed; individuals were interviewed; but there were still no
answers. It was becoming obvious that this wasn’t an internal process issue; the
servers had been stolen. Since these were non-critical servers, the organization
was still able to operate. Even so, the security team wanted to understand
what might have happened.
Insiders Abridged • Chapter 12 165