Time
2 hours 23 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hello and welcome back to I t. Security Policy training here on Cyber Harry. This is model for the information logging policy, our system activity policy,
00:09
and this will be taught by myself. Troy Lemaire
00:14
learning objective For this policy, we're gonna go over general requirements, activities to be logged, elements of the log and formatting and storage.
00:24
So if we look at this Sand's provided sample policy
00:28
logging from critical systems application, the service's can provide key information and potential indicators of compromise.
00:36
We look at the standard of the policy going into general requirements. Basically,
00:41
what it says here is you're gonna be looking to answer some of these questions now, these questions you're gonna need to modify if it doesn't fit within your organization. But for the most part, they should fit just about everybody. But looking at what activity are you gonna perform or what was performed, Who are what performing activity,
00:59
what activity was performed on When was the activity perform? What tool was activity
01:03
formed with and what was the status, such as success or failure? Outcome are the result of the activity.
01:11
Now, if we continue on with activities to be logged
01:15
basically This is where you would put in. What are the activities that you would want to be logged,
01:19
create, read, update or delete confidential information. Another one is initiated. Network connecting network connection except a network connection, user authentication and authorization for activities.
01:30
Rant, Modify, revoke Access Rights
01:34
System network. Our service configuration Changes Application process startup Shut down our restored and the detection of suspicious malicious activity, such as from a intrusion detection system or prevention system, an entire system or an anti spyware system.
01:52
We look at elements of the logs
01:55
we're gonna be want to be able to identify these things in the log,
01:59
and that would be the type of action performed
02:00
subsequent performing the action subsystem, performing the action identifiers for the subject requesting the action
02:08
identifies for the object the actual was performed on
02:14
or after values when actually involves updating a data element.
02:17
The time the actually perform whether the action was allowed or denied and description are reason codes of wide action was denied
02:25
in the system.
02:27
Now when we moved down to formatting and stories, this is ah,
02:30
interesting piece that has changed over the last few years. Basically, whenever hackers are going in and hacking. What they're doing is they're going delete all the logs so they can to cover their tracks.
02:43
So this is why inside of this formatting and storage, you need to have some type of information that's going to talk about how you're gonna protect those logs from being deleted so that their trails aren't covered. And you can tell what action actually happened without any logs. You cannot tell what they did inside the system,
03:00
and that makes it a lot harder to do any kind of forensic work that you need to do to find out exactly what happened when you had a breach.
03:08
So you want to use some of these mechanisms that air here and supported. They are Microsoft Windows event logs, logs and well documented formats. Such a cyst log log stored in anti SQL database,
03:22
other open logging mechanisms, and then you want to make sure that you push all these into a system for storage
03:28
that cannot be deleted by just a normal user. So you don't want to go and push these into a file directory and then give it writes to everyone on the network and then a breach happens and that intruder goes in, deletes that whole directory or delete all the files and directory, and you have lost all of your logging. So that's why this
03:46
part is very important
03:49
as part of this policy.
03:55
Now, if we look at the summary for this lecture we just had,
03:59
it was information logging policy. We went over general requirements,
04:02
activities to be long
04:04
elements of the log and formatting and storage
04:10
operation. Logging Recap question
04:13
What questions should be answered by the contents of the law,
04:15
and there's many answers that should be there. But what activity was to perform who or what performed activity, what activity was performed on
04:24
when the activity was performed? What tool was activity performed with and what was the status
04:29
of that activity?
04:31
Next policy Recap Question.
04:34
Some shells support the formatting and storage of audit logs in such a way as to ensure the blank of the logs and to support enterprise level analysis and reporting.
04:45
And that would be integrity. And this is where we talked about the uh,
04:47
breach is happening and the Attackers going in and deleting the logs to cover their tracks.
04:56
Looking forward in the next lecture. We're gonna continue on with server policy and look at server security policy specific to servers.
05:02
As always, questions for clarification. Reach mints. Ivory Message. My user name is at Troy Lemaire, and thank you for attending this cyber ery training.

Up Next

Introduction to IT Security Policy

Introduction to IT Security Policy, available from Cybrary, can equip you with the knowledge and expertise to be able to create and implement IT Security Policies in your organization.

Instructed By

Instructor Profile Image
Troy LeMaire
IT Security Officer at Acadian Ambulance
Instructor