Evidence of the occurrence of major theft, vandalism, fire, earthquake, and
similar causes of loss is usually obvious. Evidence of attempts at
unauthorized entry and unauthorized usage is much less so.
The best way to find evidence of attempts at unauthorized entry and
unauthorized usage is continuous monitoring of system log files. For example,
a Type 115 (Console) Log Record that shows numerous unsuccessful connection
attempts can be considered reasonable evidence of attempts at unauthorized
entry.
Monitoring the Type 144 (File Open) Log Record can disclose a pattern of
unsuccessful attempts to open files. This may mean that an unauthorized
person has gained access to the system, or an authorized user is trying to
access files to which he or she has no authorization.
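A small detector for the two patterns just described, added here as an illustration and not part of the original manual: it scans a constructed, simplified text rendering of Type 115 (Console) and Type 144 (File Open) log records and reports users with repeated failed connections or repeated failed file opens. The comma-separated record layout, the user names and the thresholds are assumptions for the example, not the real log record format.

```python
from collections import Counter

# Constructed sample records (assumed layout): "<type>,<user>,<status>,<detail>"
# Type 115 = console/connection record, Type 144 = file-open record.
SAMPLE_LOG = """\
115,MGR.PAYROLL,FAIL,connect
115,MGR.PAYROLL,FAIL,connect
115,MGR.PAYROLL,FAIL,connect
115,MGR.PAYROLL,FAIL,connect
115,OPERATOR.SYS,OK,connect
144,CLERK.ACCT,FAIL,SALARY.DATA.PAYROLL
144,CLERK.ACCT,FAIL,BONUS.DATA.PAYROLL
144,CLERK.ACCT,FAIL,MASTER.DATA.PAYROLL
144,CLERK.ACCT,OK,LEDGER.DATA.ACCT
144,MGR.PAYROLL,OK,SALARY.DATA.PAYROLL
"""


def parse_records(text):
    """Turn the text dump into (type, user, succeeded, detail) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, user, status, detail = line.split(",", 3)
        records.append((int(rtype), user, status == "OK", detail))
    return records


def failed_connections(records, threshold=3):
    """Users with at least `threshold` failed connections (Type 115):
    the 'numerous unsuccessful connection attempts' pattern."""
    counts = Counter(u for t, u, ok, _ in records if t == 115 and not ok)
    return {u: n for u, n in counts.items() if n >= threshold}


def failed_file_opens(records, threshold=2):
    """Users with at least `threshold` failed file opens (Type 144),
    with the files they tried: the pattern suggesting an unauthorized
    user or an authorized user probing files outside their authorization."""
    tried = {}
    for t, u, ok, f in records:
        if t == 144 and not ok:
            tried.setdefault(u, []).append(f)
    return {u: fs for u, fs in tried.items() if len(fs) >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("Suspected unauthorized entry:", failed_connections(recs))
    print("Suspected unauthorized file access:", failed_file_opens(recs))
```

On a real system the same two counts would be taken over the log files the system produces, and reviewed on the regular schedule the text recommends.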
Close scrutiny and analysis of log files on a regular basis reveals the
frequency of attempts to violate system security, how successful your
security measures are in thwarting such attempts, and the location of
weaknesses in your defenses.