Page 1244 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
more depth.
Audit Trails
Audit trails are records created when information about events and
occurrences is stored in one or more databases or log files. They
provide a record of system activity and can reconstruct activity leading
up to and during security events. Security professionals extract
information about an incident from an audit trail to prove or disprove
culpability, and much more. Audit trails allow security professionals to
examine and trace events in forward or reverse order. This flexibility
helps when tracking down problems, performance issues, attacks,
intrusions, security breaches, coding errors, and other potential policy
violations.
Audit trails provide a comprehensive record of system
activity and can help detect a wide variety of security violations,
software flaws, and performance problems.
Using audit trails is a passive form of detective security control. They
serve as a deterrent in the same manner that closed circuit television
(CCTV) or security guards do. If personnel know they are being
watched and their activities are being recorded, they are less likely to
engage in illegal, unauthorized, or malicious activity—at least in
theory. Some criminals are too careless or clueless for this to apply
consistently. However, more and more advanced attackers take the
time to locate and delete logs that might have recorded their activity.
This has become a standard practice with many advanced persistent
threats.
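The paragraph above notes that advanced attackers delete the logs that recorded them, and the page goes on to say that audit trails must be protected because of their evidentiary value. The following Python example is added here and is not from the study guide: it shows one common way to make an audit trail tamper-evident, a hash chain in which every record carries a keyed HMAC over its own content and over the previous record's HMAC, so that altering, deleting or inserting a record breaks the chain at a detectable position. It also walks the trail forward and in reverse, as the text describes. The `AuditTrail` class, the sample events, the key and the `expected_head` anchoring are all constructed for this illustration; the key is assumed to be held off the audited host (for example on the log collector) so that an intruder who can edit the file cannot re-sign it.

```python
import copy
import hashlib
import hmac
import json
from typing import Iterator, Optional

# Constructed sample events for the demonstration; not taken from the study guide.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T08:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-01-01T08:05:12Z", "user": "alice", "action": "read", "object": "/finance/q4.xlsx"},
    {"ts": "2024-01-01T08:07:40Z", "user": "alice", "action": "modify", "object": "/finance/q4.xlsx"},
    {"ts": "2024-01-01T08:09:02Z", "user": "alice", "action": "logout", "result": "success"},
]

GENESIS = "0" * 64  # chain value used by the first record, which has no predecessor


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only audit trail in which every record carries an HMAC over its own
    content plus the HMAC of the previous record (a hash chain).  Altering, deleting
    or inserting a record breaks the chain at that point, which verify() reports."""

    def __init__(self, key: bytes):
        # Assumption: the HMAC key lives off the audited host (e.g. on the log
        # collector), so an intruder who can edit the log file cannot re-sign it.
        self._key = key
        self._records: list[dict] = []

    def _tag(self, body: dict) -> str:
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self._records[-1]["chain"] if self._records else GENESIS
        body = {"seq": len(self._records), "prev": prev, "event": event}
        record = {**body, "chain": self._tag(body)}
        self._records.append(record)
        return record

    def head(self) -> str:
        """Latest chain value; store it off-host so truncation of the tail is detectable."""
        return self._records[-1]["chain"] if self._records else GENESIS

    def records(self) -> list[dict]:
        # Deep copy so callers (or a simulated intruder) cannot mutate the trail in place.
        return copy.deepcopy(self._records)

    def verify(self, records: Optional[list[dict]] = None,
               expected_head: Optional[str] = None) -> tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, seq) where seq is the
        position of the first record that does not fit.  If expected_head is given, a
        chain that ends anywhere else is reported as broken at len(records)."""
        recs = self._records if records is None else records
        prev = GENESIS
        for i, rec in enumerate(recs):
            body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
            if (rec["seq"] != i or rec["prev"] != prev
                    or not hmac.compare_digest(self._tag(body), rec["chain"])):
                return False, i
            prev = rec["chain"]
        if expected_head is not None and prev != expected_head:
            return False, len(recs)
        return True, None

    def walk(self, reverse: bool = False) -> Iterator[dict]:
        """Trace events forward (as they happened) or in reverse (back from the latest)."""
        return reversed(self._records) if reverse else iter(self._records)


def build_demo_trail() -> AuditTrail:
    trail = AuditTrail(b"constructed-demo-key")
    for event in SAMPLE_EVENTS:
        trail.append(event)
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    print("intact:", trail.verify())
    tampered = trail.records()
    del tampered[1]                      # a record in the middle is removed
    print("after deletion:", trail.verify(tampered))
    truncated = trail.records()[:3]      # the most recent record is dropped
    print("truncated, no anchor:", trail.verify(truncated))
    print("truncated, with anchor:", trail.verify(truncated, expected_head=trail.head()))
    for rec in trail.walk(reverse=True):
        print(rec["seq"], rec["event"]["action"])
```

The design point worth noticing is the truncation case: a hash chain alone cannot tell that the newest records were cut off, because the shortened chain is still internally consistent. Detecting that requires anchoring the latest chain value somewhere the intruder cannot reach, which is what `head()` and the `expected_head` parameter stand in for; in practice this is the role of forwarding logs to a separate, write-restricted collector.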
Audit trails are also essential as evidence in the prosecution of
criminals. They provide a before-and-after picture of the state of
resources, systems, and assets. This in turn helps to determine
whether a change or alteration is the result of an action by a user, the
operating system (OS), or the software, or whether it’s caused by some
other source, such as hardware failure. Because data in audit trails can
be so valuable, it is important to ensure that the logs are protected to

