Hello and welcome back to IT Security Policy training here on Cybrary. This is the module for the Information Logging Policy, our system activity policy, and this will be taught by myself, Troy Lemaire.
Learning objectives: for this policy, we're gonna go over general requirements, activities to be logged, elements of the log, and formatting and storage.
So if we look at this SANS-provided sample policy: logging from critical systems, applications and services can provide key information and potential indicators of compromise.
If we look at the standard of the policy, going into general requirements, basically what it says here is you're gonna be looking to answer some of these questions. Now, these questions you're gonna need to modify if they don't fit within your organization, but for the most part they should fit just about everybody. Looking at: what activity was performed? Who or what performed the activity? What was the activity performed on? When was the activity performed? What tool was the activity performed with? And what was the status, such as success or failure, outcome or result of the activity?
Now, if we continue on with activities to be logged, basically this is where you would put in what are the activities that you would want to be logged: create, read, update or delete confidential information. Another one is initiate a network connection, accept a network connection, user authentication and authorization for activities, grant, modify or revoke access rights, system, network or service configuration changes, application process startup, shutdown or restart, and the detection of suspicious or malicious activity, such as from an intrusion detection system or prevention system, an antivirus system or an anti-spyware system.
If we look at elements of the logs, we're gonna want to be able to identify these things in the log, and that would be the type of action performed, the subsystem performing the action, identifiers for the subject requesting the action, identifiers for the object the action was performed on, before and after values when the action involves updating a data element, the time the action was performed, whether the action was allowed or denied, and a description or reason code of why the action was denied in the system.
Now, when we move down to formatting and storage, this is an interesting piece that has changed over the last few years. Basically, whenever hackers are going in and hacking, what they're doing is they go and delete all the logs so they can cover their tracks.
So this is why, inside of this formatting and storage, you need to have some type of information that's going to talk about how you're gonna protect those logs from being deleted, so that their trails aren't covered and you can tell what action actually happened. Without any logs, you cannot tell what they did inside the system, and that makes it a lot harder to do any kind of forensic work that you need to do to find out exactly what happened when you had a breach.
So you want to use some of these mechanisms that are here and supported. They are Microsoft Windows event logs, logs in well-documented formats such as syslog, logs stored in an ANSI-SQL database, and other open logging mechanisms, and then you want to make sure that you push all these into a system for storage that cannot be deleted by just a normal user. So you don't want to go and push these into a file directory and then give write access to everyone on the network, and then a breach happens and that intruder goes in and deletes that whole directory or deletes all the files in the directory, and you have lost all of your logging. So that's why this part is very important as part of this policy.
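The log elements and the tamper-resistant storage described above, as an added example that is not part of the lecture or the SANS sample policy: each record carries the elements the policy lists and is chained to the previous record's hash, so a deleted or edited entry is detectable. Field names, the GENESIS anchor and the sample activity are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first record (assumed convention)
def _digest(entry):
    # Hash every field except the stored hash itself, in a canonical key order
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
def make_record(prev_hash, action, subsystem, subject, obj, allowed,
                reason=None, before=None, after=None):
    """One audit entry holding each element the policy lists, chained to the
    previous entry's hash so a deleted or altered entry breaks the chain."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),  # when it was performed
        "action": action,        # type of action performed
        "subsystem": subsystem,  # subsystem performing the action
        "subject": subject,      # identifier of the subject requesting it
        "object": obj,           # identifier of the object acted upon
        "before": before,        # value before an update, if any
        "after": after,          # value after an update, if any
        "allowed": allowed,      # whether the action was allowed or denied
        "reason": reason,        # reason code when denied
        "prev_hash": prev_hash,
    }
    entry["hash"] = _digest(entry)
    return entry
def verify_chain(records):
    """Return the index of the first broken link, or -1 if the chain is intact."""
    expected = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != expected or _digest(rec) != rec["hash"]:
            return i
        expected = rec["hash"]
    return -1
def build_sample_chain():
    """Constructed sample activity: an access grant, a data update, a denied login."""
    r1 = make_record(GENESIS, "grant_access", "iam", "admin:alice", "role:finance-readers", True)
    r2 = make_record(r1["hash"], "update", "hr-db", "user:bob", "employee:1042/salary", True,
                     before=50000, after=52000)
    r3 = make_record(r2["hash"], "authenticate", "vpn", "user:mallory", "gateway:vpn1", False,
                     reason="BAD_PASSWORD")
    return [r1, r2, r3]
def tamper_checks():
    """Intact chain, chain with the middle entry deleted, chain with an edited value."""
    chain = build_sample_chain()
    deleted = [chain[0], chain[2]]            # middle record removed
    edited = [dict(r) for r in chain]
    edited[1]["after"] = 99000                # value changed after the fact
    return verify_chain(chain), verify_chain(deleted), verify_chain(edited)
```

Removing the newest record leaves the chain looking intact, so the latest hash still has to be copied to a store the intruder cannot write to, which is the point of pushing logs to a system a normal user cannot delete from.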
Now, if we look at the summary for this lecture we just had: it was the Information Logging Policy. We went over general requirements, activities to be logged, elements of the log, and formatting and storage.
Information Logging Policy recap question: what questions should be answered by the contents of the log? There are many answers that should be there, but: what activity was performed, who or what performed the activity, what activity was performed on, when the activity was performed, what tool was the activity performed with, and what was the status of that activity.
Next policy recap question: systems shall support the formatting and storage of audit logs in such a way as to ensure the blank of the logs and to support enterprise-level analysis and reporting.
And that would be integrity. This is where we talked about the breach happening and the attackers going in and deleting the logs to cover their tracks.
Looking forward, in the next lecture we're gonna continue on with server policy and look at the server security policy, specific to servers.
As always, for questions or clarification, reach me in Cybrary message; my username is @TroyLemaire, and thank you for attending this Cybrary training.