Importance of Accountability and Logging
13/06/2012 Article
Accountability is something that I have been banging on about for years. If you think about it, it's pretty important. If an incident should occur, you need to be able to state with certainty the whos, whats, wheres and whens of the situation in order to respond. That's not limited to disciplining staff after the fact; it covers everyone and everything that interacts with an organisation's systems, and how you can detect and remove weaknesses. Logging, also known as an audit trail, is the key to accountability.
Logs vary hugely between systems, and it's not unusual for a single system to produce more than one log. For instance, an authorisation log and an events log: one would hold information about attempted logins, detailing.
For example:
It's worth thinking outside the box about logs too.
They can contain significant information when analysing the performance of a system under a given load. Knowing that a system was handling X queries, and that it was able to do so at 30% of its expected capacity, allows you to scale up the scenario to account for DoS attacks and the like. This falls under the Availability part of "CIA".
If we intend to use the logs in a forensic or legal capacity, the logs themselves must remain secure and be kept in their original form, and only authorised individuals may access them. An attacker may want to edit the logs to hide their presence or, worse still, the logs could afford them information that allows them to alter their attack to be more successful. Logs must not be analysed by individuals or departments with a vested interest, for example the system administrator who looks after the system.
Keeping on top of logs very quickly becomes unmanageable if attempted manually. Automation allows the systems administrator to stay on top of many systems and to correlate their logs with relative ease.
Take the Apache Web Server as an example: it produces a log entry for every single access request it receives. To load a single web page, the user's browser may effectively request hundreds of objects, including images, JavaScript files and CSS files, as well as the main HTML file. This can quickly add up to millions of entries per day (or, on a fairly busy server, per minute). Storing all this data can be quite a task in itself.
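As an added example (my own code, not from the article), the script below parses Apache combined-format access log entries and summarises them per client and per minute, so that unusually noisy sources and repeated login failures surface without anyone reading the raw file. The regex, function names and threshold are assumptions for this example, and the log entries are constructed.

```python
import re
from collections import Counter

# Apache "combined" access log format (the stock default); regex written for
# this example, not taken from the article.
COMBINED_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2012:10:15:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2012:10:15:01 +0100] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2012:10:15:02 +0100] "GET /js/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2012:10:15:02 +0100] "GET /img/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jun/2012:10:15:02 +0100] "POST /login HTTP/1.1" 401 231 "-" "curl/7.21"
198.51.100.9 - - [13/Jun/2012:10:16:40 +0100] "POST /login HTTP/1.1" 401 231 "-" "curl/7.21"
this line is not an access log entry
"""

def parse_line(line):
    """Return the fields of one combined-format entry, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["minute"] = f["time"][:17]   # "13/Jun/2012:10:15" -> per-minute bucket
    f["status"] = int(f["status"])
    return f

def summarise(log_text):
    """Requests per (client, minute), 401/403 counts per client, and unparsed line count."""
    per_minute, auth_failures, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            skipped += 1               # an entry that does not parse is itself worth noticing
            continue
        per_minute[(f["host"], f["minute"])] += 1
        if f["status"] in (401, 403):
            auth_failures[f["host"]] += 1
    return per_minute, auth_failures, skipped

def noisy_clients(per_minute, threshold):
    """Clients that exceed `threshold` requests in any single minute."""
    return sorted({host for (host, _), n in per_minute.items() if n > threshold})
```

On a real server the threshold would be set from the baseline the logs themselves establish, as the article's capacity discussion suggests.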
It is very common for system administrators to employ log rotation schemes on their systems. This is perfectly acceptable from a systems administration point of view, as it prevents the system from unnecessarily using up all the available storage space. From an information systems security point of view, however, it is quite the opposite, since rotation discards the very entries an investigation may later need.
Not all logs are useful to security, and according to ISC2 there are five types of security auditing:
Taken together, the first four of these roughly represent user (or attacker) activity: over what medium, against what system, using what application, and on what data.
Keystroke logging, however, is a bit different. It captures such a high level of detail that it allows you to reconstruct even partial commands: not just the commands attempted, but the complete content of typed documents, chat windows and, critically, passwords. It is because of this invasive nature that users tend to complain when keystroke logging is employed.