5.6.2 Anomalous Behavior Recognition
Anomalous behavior recognition is the process of identifying actions or patterns that deviate from established norms, policies, and expected user conduct to mitigate security risks.
Behavioral Authentication and Biometrics Biometric systems analyze physical or behavioral traits to verify identity, providing a baseline for "normal" access patterns. - Facial Recognition: High-growth authentication method (e.g., Windows Hello). To prevent spoofing via photographs, systems often require infrared cameras for liveness detection. - Voice Recognition: Primarily used for speech-to-text (Siri, Alexa). While functional for dictation, it is rarely used as a primary authentication factor due to low accuracy and susceptibility to environmental noise compared to other biometrics. - Multifactor Authentication (MFA): Because human behavior regarding passwords (sharing, reusing, or writing them down) is often flawed, MFA is the primary technical defense against compromised credentials.
Personnel Risk Management Managing anomalous behavior begins with screening and setting cultural expectations during the hiring process. - Background Checks: Pre-employment screening for felony convictions and verification of résumé accuracy to identify potential internal threats. - Social Media Analysis: Reviewing public profiles (Facebook, Instagram) to ensure candidate behavior aligns with organizational values and to flag red flags. - Non-Disclosure Agreements (NDA): Legal tools used to prevent the unauthorized sharing of intellectual property or company secrets. - Onboarding: The phase where specific rules of behavior and security expectations are established, ensuring new hires understand the limits of acceptable system use.
Policy and Compliance Monitoring Organizations define "normal" through formal documentation and enforce it via technical and physical audits. - Acceptable Use Policy (AUP): Also known as a Rules of Behavior policy, this detailed document defines exactly what a user may or may not do on company equipment. - Password Behaviors: Security teams monitor for deviations from policy, such as using dictionary words or sharing accounts. Admins should perform authorized password cracking tests to find weak credentials. - Physical Audits: Periodic walkthroughs of workspace areas to identify "post-it note" passwords or hardware tampering that indicates a deviation from security training.
Exam Tips - Trigger words: Infrared (for facial recognition liveness), Dictionary words (password behavior), NDA (legal protection of secrets). - AUP: This is the primary document used to hold employees accountable for inappropriate behavior on corporate networks. - Liveness Detection: Essential for facial recognition to distinguish a real person from a high-resolution photo. - Policy Enforcement: Effective security combines technical controls (account lockouts, complexity requirements) with administrative controls (AUP, training).