CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Protecting Log Data
Personnel within the organization can use logs to re-create events leading up to and during an incident, but only if the logs haven't been modified. If attackers can modify the logs, they can erase their activity, effectively nullifying the value of the data. The files may no longer include accurate information and may not be admissible as evidence to prosecute attackers. With this in mind, it's important to protect log files against unauthorized access and unauthorized modification.

It's common to store copies of logs on a central system, such as a SIEM, to protect them. Even if an attack modifies or corrupts the original files, personnel can still use the copy to view the events. One way to protect log files is by assigning permissions to limit their access.

Organizations often have strict policies mandating backups of log files. Additionally, these policies define retention times. For example, organizations might keep archived log files for a year, three years, or any other length of time. Some government regulations require organizations to keep archived logs indefinitely. Security controls such as setting logs to read-only, assigning permissions, and implementing physical security controls protect archived logs from unauthorized access and modifications. It's important to destroy logs when they are no longer needed.
Keeping unnecessary logs can cause excessive labor costs if the organization experiences legal issues. For example, if regulations require an organization to keep logs for one year but the organization has 10 years of logs, a court order can force personnel to retrieve relevant data from these 10 years of logs. In contrast, if the organization keeps only one year of logs, personnel need only search a year's worth of logs, which will take significantly less time and effort.
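The following script is an added example and is not code from the study guide. It shows the three controls described above in working form: a copy of each log is forwarded to a central store (a directory standing in for the SIEM), the original is later compared against that copy to detect modification, archived logs are set read-only, and a retention period is applied so that logs older than the policy allows are destroyed. The SHA-256 comparison is my choice for detecting a changed file; the book only states that a central copy and restrictive permissions should be used. The sample log lines and file names are constructed for the demonstration.

```python
"""Added example (not from the study guide): protect log files by keeping a
central copy, detecting modification of the original, marking archives
read-only, and enforcing a retention period.

Assumptions (mine, not the book's): logs are plain files, the "central system"
is a separate directory, and the retention period is expressed in days.
"""
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def forward_copy(original: Path, central_dir: Path) -> Path:
    """Store a copy on the central system (here: a directory) and return its path."""
    central_dir.mkdir(parents=True, exist_ok=True)
    copy = central_dir / original.name
    copy.write_bytes(original.read_bytes())
    return copy


def make_read_only(path: Path) -> None:
    """Strip the write bits (mode 0440) so ordinary modification fails."""
    path.chmod(stat.S_IRUSR | stat.S_IRGRP)


def verify_against_central(original: Path, central_copy: Path) -> bool:
    """True when the original still matches the central copy (no change detected)."""
    return sha256_of(original) == sha256_of(central_copy)


def apply_retention(archive_dir: Path, retention_days: int,
                    now: Optional[float] = None) -> List[str]:
    """Delete archived *.log files older than the retention period; return their names."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    removed = []
    for p in sorted(archive_dir.glob("*.log")):
        if p.stat().st_mtime < cutoff:
            # restore the owner write bit first so read-only archives can be unlinked
            p.chmod(stat.S_IRUSR | stat.S_IWUSR)
            p.unlink()
            removed.append(p.name)
    return removed


def demo() -> Dict[str, object]:
    """Run the whole flow in a temporary directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log = root / "auth.log"
        # constructed sample log lines
        log.write_text(
            "2024-05-01T10:00:01Z sshd: Accepted publickey for alice from 10.0.0.5\n"
            "2024-05-01T10:02:17Z sudo: alice : COMMAND=/bin/systemctl restart nginx\n"
        )
        central = forward_copy(log, root / "siem")
        intact_before = verify_against_central(log, central)

        # simulate the original being altered after the copy was forwarded
        log.write_text(
            "2024-05-01T10:00:01Z sshd: Accepted publickey for alice from 10.0.0.5\n"
        )
        intact_after = verify_against_central(log, central)

        # archived logs: one older than a one-year policy, one within it
        archive = root / "archive"
        archive.mkdir()
        old, new = archive / "2020-01.log", archive / "2024-04.log"
        old.write_text("archived entries\n")
        new.write_text("archived entries\n")
        now = time.time()
        os.utime(old, (now - 400 * 86400, now - 400 * 86400))
        os.utime(new, (now - 30 * 86400, now - 30 * 86400))
        make_read_only(old)
        make_read_only(new)
        removed = apply_retention(archive, retention_days=365, now=now)
        remaining = sorted(p.name for p in archive.glob("*.log"))
        return {"intact_before": intact_before, "intact_after": intact_after,
                "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

In practice the central copy would be received by a log collector rather than written by the same host, and the comparison would run on the collector, so an attacker who controls the original host cannot adjust both sides; the point the script makes is that a divergence between original and central copy is itself the detection signal.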
The National Institute of Standards and Technology (NIST) publishes a significant amount of information on IT security, including Federal Information Processing Standards (FIPS) publications. The Minimum Security Requirements for Federal Information and Information Systems (FIPS 200) specifies the following as the minimum security requirements for audit data:

Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

(Page 776, Chapter 17, Preventing and Responding to Incidents)
You'll find it useful to review NIST documents when preparing for the CISSP exam to give you a broader idea of different security concepts. They are freely available, and you can access them here: http://csrc.nist.gov. You can download the FIPS 200 document here: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf.
