Monitor a network and analyze the results

NSF DEANZA SECURITY COURSE
Task Description: Task 3
Title: Security Procedure Review, Monitoring, and Reporting
1. Original Source:
Tony Nguyen
2. Performance Objectives/skills:
(1) Pre-requisite skills: Successful completion of Tasks 1 & 2;
(2) New skills introduced/learned:
1. Document ongoing procedures to perform periodic audits of the Enterprise
Network, including criteria for evaluating and prioritizing threat levels, and listing
what steps need to be taken for each threat level
2. Prepare templates to document periodic and incident reports
3. Monitor network logs and prepare a periodic report recording and analyzing
monitoring results
3. KEY TOPICS COVERED
This task will cover what to monitor, why to monitor, and useful monitoring tools.
First students will create monitoring templates and a monitoring schedule, then
students will use these resources to monitor the network logs and fill in a periodic
report template analyzing the results.
4. SCENARIO SET UP (Business Problem & Student Task):
Fictional email from the company's president:
Hello,
Between the network audit, our recent growth, and anticipated expansion, we have our
work cut out for us. You probably already know what we need to do next: set up a
comprehensive monitoring system, specifically:
1. Recommend monitoring procedures and schedule (based on diagnosed or expected
problems).
2. Document monitoring procedures and provide report templates to document
monitoring results. These templates should be for both periodic (weekly, monthly, and
NSF DeAnza Security Course
Task Description Document_T3_V1
1
quarterly) and incident reports. In most situations, you’ll be sending these reports to me,
although I may, on occasion, forward them on to management if I deem it necessary.
Please lay out plans for monitoring not only the network’s hardware and software, but
also for monitoring the employees.
3. Research and evaluate the different network monitoring software in the industry and
offer recommendations to improve the effectiveness and efficiency of our security
tasks.
Then, I’d like you to monitor the network and analyze and report on your results using the
templates you’ve created. I also would like you to fill out a weekly template of monitoring
results. Based on what you find, you may need to alter our policy—if that’s the case, let
me know what changes you propose.
Also, as our anticipated expansion involves the possible acquisition of a 50-person
company, I’ll need to know how this potential 100% increase in capacity might affect our
network hardware, software, monitoring procedures, and security policy. Please be as
thorough and specific as possible—we may need to use this information sooner than you
think. And keep in mind that, as in everything we do here, our monitoring plans shouldn’t
just keep us out of hot water; we should monitor with an eye towards improving the
performance of the system and implementation of the policy.
--Minoo
“Paranoia is having all the facts.”
Notes:
• An outline of a model response to the question about the impact of the 100%
increase in capacity would be:
Considering the impact of a possible 100% increase in network capacity, there
would be a need to change some network configurations and procedures to
adapt to the new load. For example, some new security devices such as firewalls
and intrusion detection systems would need to be provisioned at certain strategic
points in the network. Monitoring software would need to be re-evaluated for
scalability in the new environment. Procedures and report templates would need
to be re-examined and possibly broadened in order to ensure they would be
effective with the increased capacity.

Industry feedback suggests that companies often make strategic business
decisions, backed by policy, which dictate how much proactive vs. reactive
defense they should use. I think that a balance for C-Bay would be 20% for
proactive and 80% for reactive defense. The reason is that a small company may
not have a lot of resources to do proactive tasks. Usually small to medium-size
business networks are run on "skeleton" networking resources and staffs, so it
would leave little time, money, or manpower to do much of proactive security
work.
Business Problem:
Enterprise monitoring to assure that the security policy is enforced is a key element
for the growth of an organization. Monitoring systems must change with the changing
business environment and therefore should be continually improved. This monitoring
is not limited to software or data collection; it should also include asking
employees how they are creating passwords, checking email, etc. Students
shouldn’t just diagnose existing problems; they should plan for and try to preempt
expected problems, both malicious and accidental, e.g., someone tripping over a
cord and bringing down a server.
Student Task:
1. Based on diagnosed or expected problems, recommend monitoring
procedures and schedule.
2. Document monitoring procedures and provide report templates to document
monitoring results (for both periodic and incident reports).
3. Monitor network; analyze and report on results using appropriate templates.
5. SCENARIO RESOURCES
a. Input logs
• Server Logs from Task 2
• Network Problem Logs, Device Operation Logs, Security Violation Logs, Audit
Logs, Performance Logs. The logs should include some indicators of
problems or potential security weaknesses. For example, log files could
contain risky use of vulnerable port numbers, numerous consecutive
invalid login attempts, unacceptable password changes, ...
b. Security Policy
c. Information about the enterprise and network from Tasks 1 & 2
• Network topology
• Network configuration settings
• Network operation and maintenance procedures
d. Problem report from Task 2
e. Recommendations for changes to business practices/network/security
policy from Task 2
6. STUDENT SOLUTION DELIVERABLES
a. Document monitoring procedures (5 hrs)
• Students’ responsibilities:
o Interviewing and surveying current procedures
o Understanding current documents and processes
o Reviewing the monitoring tools being used
o Investigating individual network personnel roles and the
interaction between them.

Characteristics of good monitoring procedures:
• Effective implementation:
- step by step approach
- clear dependencies and requirements for each step
- detailed results and errors after each step.
• Well-defined objectives and dependencies
• Traceability of problems
• Responsiveness to real-time events
• Ease of use
• Clear reporting and auditing capacities
• Not focused solely on hardware and software; also including plans
to monitor employees
• Containing contingency plans outlining what to do when 100%
capacity is reached
Examples of some bad monitoring procedures:
• Procedures whose purposes no one seems to understand
• Procedures that do not notify users of critical network problems
• Procedures that are not in sync with the latest software upgrades or patches
• Procedures that are not practical in many situations, e.g., that don’t take
into consideration resource constraints
• Procedures that are too complicated and assigned to marginally-trained personnel
Notes:
Useful links:
• The Center for Internet Security http://www.cisecurity.org/
• The Center for Education and Research in Information
Assurance and Security resources
http://www.cerias.purdue.edu/tools_and_resources/
• CIAC http://www.ciac.org/ciac/
• A good procedure example: Monash University Critical
Incident Procedure
http://its.monash.edu.au/policies/criticalproc.html
• A bad procedure example (lacks specific details):
http://www.ualr.edu/isdept/instructions/policy/incidhand.html
b. Create periodic and incident report templates, e.g., daily, weekly,
summary of trends, incident reports. The audience of the reports is someone above
the learner in the systems admin food chain. Templates must highlight the most important
findings—they should have “at a glance” sections and state what each section should contain
(Potential report template categories: implications—long and short term,
resolution, well-defined rating system to prioritize issues)
• Steps that students take to create these templates:
o Research the on-line real estate industry practices and
requirements for reports
o Determine what network software and tools are being used and
what their outputs are
o Define the type of audience and the most relevant parameters that
need to be included for each audience. The audience could be
divided into categories such as:
- executive / management
- network security personnel
- network administration personnel
- network help-desk
- network planners
o Lay out the format of the reports
o Decide on the delivery time (daily, weekly, monthly, or on-demand)
of each type of report
Characteristics of good monitoring templates:
• Clarity
• Conciseness
• Rich content: the content of templates should include information
enabling the readers to take proper decisions or actions.
• Timeliness: the templates should include detailed timing information
about the incident and a historical perspective on the incident.
• Relevance to audience
• Compatibility with current network tools: the templates should be
reproducible or easily understood in the context of the network tools in
use. For example, if a template calls for certain network statistics,
then the current network tools should be able to provide those
network statistics accurately.
• Conformance to standard industry practices
Examples of bad templates:
• Templates that are hard to understand
• Templates that have inadequate content
• Templates that have insufficient information
• Templates that are not clearly organized
• Templates that are too difficult to produce
Note: Example of a bad template:
c. Completed periodic report documenting monitoring results and analysis
(Students will do this using network logs)
• Steps that learners take to fill in the periodic report:
o Research common industry practices and requirements for
reports
o Determine what network software and tools are being used and
what their outputs are
o Define the type of audience and the most relevant parameters that
need to be included for each audience
o Lay out the format of the reports
o Decide on the delivery time (daily, weekly, monthly, or on-demand)
of each type of report
Characteristics of a good periodic report:
• Clarity
• Conciseness
• Adequate meaning
• Rich content
• Timeliness
• Relevance to audience
• Compatibility with current network tools
• Conformance to standard industry practices
• Traceability
Examples of bad periodic reports:
• Reports that are hard to understand
• Reports that target the wrong audience
• Reports that have insufficient information
• Reports that are cluttered
• Reports that are too difficult to produce
• Reports that do not follow industry standards
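As an added illustration (not part of the course materials or of any student deliverable), the following Python script shows one way to turn the log indicators named under Scenario Resources (consecutive invalid logins, traffic to risky ports, unacceptable password changes) into the kind of periodic report deliverable c asks for: each finding gets a threat level, each level has a required next step, and the report opens with an “at a glance” section so the reader above the learner in the admin chain sees the priorities first. The log lines, hosts, addresses, thresholds, threat levels and actions are all constructed assumptions for the example.

```python
"""Added illustration for the monitoring-and-reporting task (not course code).
It triages constructed log lines into threat levels, maps each level to a
required action, and renders a short periodic report with an "at a glance"
section. Thresholds, levels and actions are assumptions chosen for the example."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a syslog-like layout; hosts, users and
# addresses are documentation/example values, not real systems.
SAMPLE_LOGS = """\
Mar 03 08:01:12 srv1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2
Mar 03 08:01:15 srv1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 52212 ssh2
Mar 03 08:01:19 srv1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 52213 ssh2
Mar 03 08:01:23 srv1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 52214 ssh2
Mar 03 08:01:27 srv1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 52215 ssh2
Mar 03 08:01:31 srv1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 52216 ssh2
Mar 03 09:14:02 srv1 sshd[502]: Accepted password for jdoe from 192.0.2.44 port 40122 ssh2
Mar 03 09:30:45 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 03 10:02:10 srv1 passwd[777]: password changed for jdoe
Mar 03 10:02:15 srv1 passwd[778]: password changed for jdoe
Mar 03 10:02:20 srv1 passwd[779]: password changed for jdoe
Mar 03 11:45:00 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP DPT=443
"""

# Patterns for the three indicator types named in the task's log description.
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
FW_ACCEPT = re.compile(r"ACCEPT .*SRC=(\S+) .*DPT=(\d+)")
PASSWD_CHANGE = re.compile(r"password changed for (\S+)")

# Assumed criteria: cleartext or commonly abused services, and thresholds that
# separate ordinary noise from something worth a finding.
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb"}
FAILED_LOGIN_THRESHOLD = 5      # failed logins from one source per period
PASSWD_CHANGE_THRESHOLD = 3     # password changes for one account per period

# Assumed threat levels and the step required for each (the "what to do" column).
ACTIONS = {
    "HIGH": "Open an incident report within 24 hours and notify network security.",
    "MEDIUM": "Investigate and record in this week's periodic report.",
    "LOW": "Record in the monthly trend summary.",
}
PRIORITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def analyze(log_text):
    """Return (level, description) findings sorted highest priority first."""
    failed_by_source = Counter()
    risky_sources_by_port = defaultdict(set)
    changes_by_user = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failed_by_source[m.group(1)] += 1
            continue
        m = FW_ACCEPT.search(line)
        if m and int(m.group(2)) in RISKY_PORTS:
            risky_sources_by_port[int(m.group(2))].add(m.group(1))
            continue
        m = PASSWD_CHANGE.search(line)
        if m:
            changes_by_user[m.group(1)] += 1

    findings = []
    for src, n in failed_by_source.items():
        level = "HIGH" if n >= FAILED_LOGIN_THRESHOLD else "LOW"
        findings.append((level, f"{n} failed logins from {src}"))
    for port, sources in risky_sources_by_port.items():
        findings.append(("MEDIUM", f"inbound {RISKY_PORTS[port]} (port {port}) "
                                   f"accepted from {', '.join(sorted(sources))}"))
    for user, n in changes_by_user.items():
        if n >= PASSWD_CHANGE_THRESHOLD:
            findings.append(("MEDIUM", f"{n} password changes for {user} in one period"))
    findings.sort(key=lambda f: PRIORITY[f[0]])   # stable sort keeps order within a level
    return findings


def render_report(findings, period="constructed sample week"):
    """Render the periodic report: at-a-glance counts first, then prioritized findings."""
    counts = Counter(level for level, _ in findings)
    lines = [f"Periodic monitoring report: {period}",
             "AT A GLANCE: " + ", ".join(f"{lvl} {counts[lvl]}" for lvl in PRIORITY),
             "FINDINGS (highest priority first):"]
    for level, text in findings:
        lines.append(f"  [{level}] {text} -> {ACTIONS[level]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(analyze(SAMPLE_LOGS)))
```

The thresholds and the level-to-action table are the part a student would tune against the actual security policy; the script's value is that the criteria for prioritizing threat levels and the step required for each level are written down in one place, which is exactly what deliverable a asks the procedure document to contain.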
7. KEY DECISIONS:
• What are the key decisions learners will need to make when determining and
documenting monitoring procedures?
o How to get relevant documents:
- What document is used to report an incident?
- What document is used to show daily network status?
- What document is used to show weekly network status?
- What document is used to show monthly network status?
- What document is used to change an existing monitoring
procedure?
- What document is used to add a new monitoring procedure?
- What document is used to remove an existing monitoring
procedure?
o How to get to the right people
- Who creates/analyzes incident reports?
- Who creates/analyzes daily reports?
- Who creates/analyzes weekly reports?
- Who creates/analyzes monthly reports?
- Who creates new procedures?
- Who creates new templates?
o How to find out about the monitoring software and tools
- Ask the network personnel to list the networking software they
are using
- Ask the network personnel whether the software is licensed or
downloaded for free
- Ask the network personnel whether the software is useful to
the user
- Ask the network personnel what software they wish to have
and why
o How to find out the creation / delivery / analysis processes in use
- What are the steps involved when a hacking incident is
detected?
- What are the steps involved when a new virus is detected?
- What are the steps involved when a daily report is needed?
- What are the steps involved when a weekly report is
needed?
- What are the steps involved when a monthly report is
needed?
- What is the process for delivering incident reports?
- What is the process for delivering periodic reports?
- What is the process for analyzing incident reports?
- What is the process for analyzing periodic reports?
• How should the learners approach this task?
o Read relevant documentation
o Interview network personnel
o Analyze the current process and workflow
o Research and study appropriate software tools as needed
• Is there a set of questions learners can ask themselves to help them
approach this task?
o What are the steps in each procedure?
o What are the inputs and outputs of each procedure?
o Why is a procedure useful or not?
o Who reads or analyzes the procedure outputs?
o When is a procedure performed?
o How long does it take to get a procedure result?
o Where will it go from here?
• What are the key decisions learners will need to make when determining and
documenting templates?
o Find existing templates
o Find out how people are using the templates
o Determine the adequacy, sufficiency, and usefulness of the
templates
o Research the current tools for the purpose of producing and
analyzing templates
o Determine the audience for each existing or new template.
o Determine the resources for each existing or new template.
o Determine the time relevance for each existing or new template.
• What questions will they need to formulate and answer to help them create
these templates?
o What are the currently used templates?
o When is a new template needed?
o What information should be included in a template?
o What are the goals of a template?
o What are the derivatives of a template?
o Is there any existing or similar template in use by the real estate
industry?
• What are the key decisions learners will need to make when writing their
periodic report?
o Find existing reports
o Find out how people are using the reports
o Determine the adequacy, sufficiency, and usefulness of the reports
- What are the goals of the reports?
- Who are the intended readers?
- Why are the reports useful to readers?
- What is the minimal information on the report?
- What is the desirable information on the report?
- Is there any time limitation on the report?
- When should the report be delivered?
o Research the current tools for the purpose of producing and
analyzing reports
o Determine the audience for each existing or new report.
o Determine the resources for each existing or new report.
o Determine the time relevance for each existing or new report.
• What questions will they need to formulate and answer to help them create this
report?
o What are the currently used reports?
o When is a new report needed?
o What information should be included in a report?
o What are the goals of a report?
o What are the resulting actions of a report?
o Is there any existing or similar report in use by the on-line real
estate industry?
8. Common Mistakes:
• What mistakes do people commonly make (or might students make) when
creating and documenting monitoring procedures, creating monitoring
templates, monitoring the network and documenting their results?
o Excluding important procedures:
For example, in the case of a virus attack, it is easy to forget a data
recovery procedure in case a PC disk needs to be reformatted.
o Not distinguishing currently used from obsolete procedures
For example, an obsolete procedure is still documented but not
followed by anyone.
o Not understanding network administration and security roles
In some medium or large companies, network administration and network
security are two distinct functions.
o Not defining the specific purpose of each template and report
For example, a report may not have any specific purpose. Maybe it
was created as a result of a temporary experimental network
change that is no longer applicable.
o Misinterpreting the meaning of some network parameters
For example:
- What does "Replay Count" mean in security monitoring
software?
- What does "IKE Failure" mean in VPN monitoring software?
o Defining the wrong audience for templates and reports
For example, a detailed hacking incident report is intended for
network help desk personnel.
o Including too few or too many details in the reports
For example, detailed VPN IKE failure statistics are included in a
report to a high-level MIS executive who would not normally deal
with detailed VPN technology.
9. Readings & External Resources
• What external resources can we point students to in order to help them create and
document monitoring procedures, create monitoring templates, monitor the
network and document/analyze their results?
o RFC 1244 Site Security Handbook by the Internet Engineering Task
Force
o RFC 1281 Site Guidelines for the Secure Operation of the Internet from
the IETF
o NIST: Internet Security Policy: A Technical Guide
o RFC 2350 Expectations for Computer Security Incident Response
o Network Security Policy: Best Practices White Paper from Cisco
(http://www.cisco.com/warp/public/126/secpol.html)
o RFC 2196 Site Security Handbook
o Best Practices in Network Security, from Network Computing
(http://www.networkcomputing.com/1105/1105f2.html)
o Harvard University's Information Security Handbook
(http://all.net/books/document/harvard.html)
o ISO 17799 (http://www.iso17799software.com/)
10. Mentoring Resources
• What might a model student solution look like for each of the 3
deliverables—procedures, templates, and periodic report? (Or maybe there’s
no “model solution”; instead, a wide variety of possible responses.)
• What preparation and prior knowledge will mentors need to mentor this
task?
• What resources will be helpful for them to refer to in order to prepare for this
task?
• What coaching questions will help the mentors facilitate student learning?
• What should the mentor keep in mind or be aware of when facilitating this
task?