Page 1242 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

helpful as part of a disaster recovery program. For example, after a disaster administrators and technicians can use change logs to return a system to its last known state, including all applied changes.

Logging is usually a native feature of an operating system and of most applications and services. This makes it relatively easy for administrators and technicians to configure a system to record specific types of events. Events from privileged accounts, such as administrator and root user accounts, should be included in any logging plan. Knowing that privileged activity is recorded deters a malicious insider, lets the organization detect misuse, and documents the activity for prosecution if necessary.


Protecting Log Data

Personnel within the organization can use logs to re-create events leading up to and during an incident, but only if the logs haven't been modified. If attackers can modify the logs, they can erase their activity, effectively nullifying the value of the data. The files may no longer include accurate information and may not be admissible as evidence to prosecute attackers. With this in mind, it's important to protect log files against unauthorized access and unauthorized modification.

It's common to store copies of logs on a central system, such as a SIEM, to protect them. Even if an attack modifies or corrupts the original files, personnel can still use the copies to view the events. The copies only provide this protection if events are forwarded as they occur, before an attacker can act on the source host, and if the central system does not let the source host delete or rewrite what it has already sent. Another way to protect log files is by assigning permissions that limit who can read and write them.
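Permissions and central copies limit who can change a log, but they do not by themselves tell you whether a copy has been changed. The following is an added example, not code from the study guide, showing one common way to make a stored log copy tamper-evident: each record's SHA-256 digest covers the previous digest plus the line, and the final digest (the chain head) is kept on the central system rather than on the host that produced the log. The log lines, the GENESIS value and the record separator are constructed for the example; the point it makes is that a chain alone catches edits and mid-file deletions, while truncation of the tail and a full rewrite are only caught when the head held off-host is checked as well.

```python
import hashlib

# Constructed sample log lines for this example (not taken from the page):
# privileged-account events of the kind the guide says must be logged.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z host1 sudo: alice : COMMAND=/bin/systemctl restart nginx",
    "2024-05-01T10:02:15Z host1 sshd: Accepted publickey for root from 10.0.0.5",
    "2024-05-01T10:03:40Z host1 sudo: bob : COMMAND=/usr/bin/passwd carol",
    "2024-05-01T10:05:02Z host1 sudo: bob : COMMAND=/usr/sbin/useradd -m svc-backup",
]

GENESIS = "0" * 64  # assumed starting value for an empty chain


def link(prev_digest: str, line: str) -> str:
    """Digest of one record: SHA-256 over the previous digest and this line."""
    return hashlib.sha256(f"{prev_digest}\n{line}".encode("utf-8")).hexdigest()


def build_chain(lines):
    """Return [(line, digest), ...] where each digest covers all earlier lines."""
    records, prev = [], GENESIS
    for line in lines:
        prev = link(prev, line)
        records.append((line, prev))
    return records


def head(records):
    """The chain head: the value to store off-host (for example on the SIEM)."""
    return records[-1][1] if records else GENESIS


def verify_chain(records, anchor=None):
    """Recompute the chain and return (ok, detail).

    Without an anchor, only in-place edits and deletions in the middle are
    caught; a truncated tail or a fully recomputed chain looks valid.
    With the anchor (the head saved on the central system) those are caught too.
    """
    prev = GENESIS
    for i, (line, digest) in enumerate(records):
        if link(prev, line) != digest:
            return False, f"record {i} altered, or a record before it was removed"
        prev = digest
    if anchor is not None and prev != anchor:
        return False, "head mismatch: chain truncated or rewritten"
    return True, "chain intact"


def attack_scenarios():
    """Run the usual log-tampering moves against the chain; report what passes."""
    original = build_chain(SAMPLE_LOG)
    anchor = head(original)

    # 1. Edit a line in place, leaving the stored digests alone.
    edited = list(original)
    line, digest = edited[1]
    edited[1] = (line.replace("root", "svc-monitor"), digest)

    # 2. Delete the record showing the root login.
    deleted = original[:1] + original[2:]

    # 3. Drop the most recent events (truncate the tail).
    truncated = original[:-1]

    # 4. Edit a line and recompute every digest after it (attacker with local root).
    changed = [SAMPLE_LOG[0], SAMPLE_LOG[1].replace("root", "svc-monitor")] + SAMPLE_LOG[2:]
    rewritten = build_chain(changed)

    return {
        "intact": verify_chain(original, anchor)[0],
        "edited_local": verify_chain(edited)[0],
        "deleted_local": verify_chain(deleted)[0],
        "truncated_local": verify_chain(truncated)[0],    # passes: not caught without the anchor
        "truncated_anchor": verify_chain(truncated, anchor)[0],
        "rewritten_local": verify_chain(rewritten)[0],    # passes: not caught without the anchor
        "rewritten_anchor": verify_chain(rewritten, anchor)[0],
    }


if __name__ == "__main__":
    for name, ok in attack_scenarios().items():
        print(f"{name:18s} {'passes' if ok else 'DETECTED'}")
```

The chain is only as trustworthy as the place the head is stored: if the anchor sits on the same host as the log, an attacker with root simply rewrites both. Storing the head on the SIEM, or publishing it to a system the log source cannot write to, is what turns the chain from a checksum into a control.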

Organizations often have strict policies mandating backups of log files. Additionally, these policies define retention times. For example, organizations might keep archived log files for a year, three years, or any other length of time. Some government regulations require organizations to keep archived logs indefinitely. Security controls such as setting logs to read-only, assigning permissions, and implementing physical security controls protect archived logs from unauthorized access and modifications. It's important to destroy logs when they are no longer needed.



Keeping unnecessary logs can cause excessive labor costs if