Page 1267 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Logging and monitoring provide overall accountability when combined with effective identification and authentication practices.

Logging involves recording events in logs and database files. Security logs, system logs, application logs, firewall logs, proxy logs, and change management logs are all common log files. Log files include valuable data and should be protected to ensure that they aren’t modified, deleted, or corrupted. If they are not protected, attackers will often try to modify or delete them, and unprotected logs will not be admissible as evidence to prosecute an attacker.

Monitoring involves reviewing logs in real time and also later as part of an audit. Audit trails are the records created by recording information about events and occurrences into one or more databases or log files, and they can be used to reconstruct events, extract information about incidents, and prove or disprove culpability. Audit trails provide a passive form of detective security control and serve as a deterrent in the same manner as CCTV or security guards do. In addition, they can be essential as evidence in the prosecution of criminals. Logs can be quite large, so different methods are used to analyze them or reduce their size. Sampling is a statistical method used to analyze logs, and using clipping levels is a nonstatistical method involving predefined thresholds for items of interest.
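The two log-reduction methods described above, as an added example that is not from the study guide: a clipping level that reports only accounts whose failed-logon count reaches a predefined threshold, and random sampling that pulls a reproducible subset of lines for manual review. The log lines and their format are constructed for the example.

```python
import random
import re
from collections import Counter

# Constructed sample log lines (not from the study guide); the format is assumed.
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:05 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:01:10 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:11 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:12 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:13 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:14 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:02:00 host1 sshd: Accepted password for carol from 10.0.0.7
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def count_failures(log_text):
    """Tally failed logons per account across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def clipping_level_alerts(log_text, threshold=3):
    """Nonstatistical review: a few failed logons per account are treated
    as normal noise and ignored; only accounts whose count reaches the
    predefined clipping level are reported for follow-up."""
    counts = count_failures(log_text)
    return {user: n for user, n in counts.items() if n >= threshold}


def sample_log(log_text, fraction=0.5, seed=0):
    """Statistical review: draw a reproducible random subset of lines so a
    reviewer can inspect part of a log that is too large to read in full."""
    lines = log_text.splitlines()
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible for an audit
    k = max(1, int(len(lines) * fraction))
    return rng.sample(lines, k)
```

With the default clipping level of 3, only `bob` (five failures) is reported while `alice` (two failures) is treated as normal noise.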

The effectiveness of access controls can be assessed using different types of audits and reviews. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Access review audits ensure that object access and account management practices support an organization’s security policy. User entitlement audits ensure that personnel follow the principle of least privilege.

Audit reports document the results of an audit. These reports should be protected, and distribution should be limited to only specific people in an organization. Senior management and security professionals have a need to access the results of security audits, but if attackers have access to audit reports, they can use the information to identify vulnerabilities they can exploit.