Evidence of the occurrence of major theft, vandalism, fire, earthquake, and similar causes of loss is usually obvious. Evidence of attempts at unauthorized entry and unauthorized usage is much less so.
The best way to find evidence of attempts at unauthorized entry and unauthorized usage is continuous monitoring of system log files. For example, a Type 115 (Console) Log Record that shows numerous unsuccessful connection attempts can be considered reasonable evidence of attempts at unauthorized entry.
Monitoring the Type 144 (File Open) Log Record can disclose a pattern of unsuccessful attempts to open files. This may mean that an unauthorized person has gained access to the system, or an authorized user is trying to access files to which he or she has no authorization.
Close scrutiny and analysis of log files on a regular basis reveals the frequency of attempts to violate system security, how successful your security measures are in thwarting such attempts, and the location of weaknesses in your defenses.
