If you’re planning to take the Security+ exam, you should have a good understanding of the tools used by security professionals and attackers alike, such as event logs.
For example, can you answer this question?
Q. Your organization’s security policy requires that personnel notify security administrators if an incident occurs. However, this is not occurring consistently. Which of the following could the organization implement to ensure security administrators are notified in a timely manner?
A. Routine auditing
B. User rights and permissions reviews
C. Design review
D. Incident response team
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Logs have the capability to record what happened, when it happened, where it happened, and who did it. One of the primary purposes of logging is to allow someone, such as an administrator or security professional, to identify exactly what happened and when.
With this in mind, it’s tempting to set up logging to record every event and provide as much detail as possible—most logs support a verbose mode that will log additional details. However, a limiting factor is the amount of disk space available. Additionally, when logging is enabled, there is an implied responsibility to review the logs. The more you choose to log, the more you may have to review.
Operating System Event Logs
Operating systems have basic logs that record events. For example, Windows systems have several common logs that record what happened on a Windows computer system. All of these logs are viewable using the Windows Event Viewer. One of the primary logs on a Windows system is the Security log, which functions as a security log, an audit log, and an access log.
The Security log records auditable events, such as when a user logs on or off, or when a user accesses a resource. Some auditing is enabled by default in some systems, but administrators can add additional auditing. The Security log records audited events as successes or failures. Success indicates an audited event completed successfully, such as a user successfully logging on or successfully deleting a file. Failure indicates that a user tried to perform an action but failed, such as failing to log on or trying to delete a file but receiving a permission error instead. Some additional logs in a Windows system include:
- Application. The Application log records events recorded by applications or programs running on the system. Any application has the capability of recording errors in the Application log.
- System. The operating system uses the System log to record events related to the functioning of the operating system. This can include when it starts, when it shuts down, information on services starting and stopping, drivers loading or failing, or any other system component event deemed important by the system developers.
If a system is attacked, you may be able to learn details of the attack by reviewing the operating system logs. Depending on the type of attack, any of the operating system logs may be useful.
Firewall and Router Access Logs
You can typically manipulate firewalls and routers to log specific information, such as logging all traffic that the device passes, all traffic that the device blocks, or both. These logs are useful when troubleshooting connectivity issues and when identifying potential intrusions or attacks.
Firewall and router logs include information on where the packet came from (the source) and where it is going (the destination). This includes IP addresses, MAC addresses, and ports.
Other Logs
In addition to the basic operating system logs and firewall and router access logs, administrators use other logs when maintaining systems and networks. These include:
- Antivirus logs. Antivirus logs record all antivirus activity, including when scans were run and whether any malware was detected. These logs also identify whether malware was removed or quarantined.
- Application logs. Many server applications include logging capabilities within the application. For example, database applications such as Microsoft SQL Server or Oracle Database include logs to record performance and user activity.
- Performance logs. Performance logs can monitor system performance and give an alert when preset performance thresholds are exceeded.
Reviewing Logs
Logs provide the ability to review activity, but ironically, this is often the most overlooked step in the auditing process. Often, administrators only dig into the logs when a symptom appears. Unfortunately, symptoms often don’t appear until a problem has snowballed out of control.
Many third-party programs are available that can automate the review of logs for large organizations. For example, NetIQ has a full suite of applications that monitor multiple computers and servers in a network. When an event occurs, NetIQ examines the event to determine if it is an event of interest. If so, it triggers a programmed response, such as sending an email to a group of administrators.
Another benefit of a third-party program like this is that it provides centralized log management. If a system is attacked and compromised, the logs stored on the log server are retained. As a reminder, attackers often try to erase or modify logs after the attack. Centralized log management reduces the success of these attempts.
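The firewall log fields described above (source and destination addresses and ports, allowed or blocked) and the automated review described here (examine each event, decide whether it is an event of interest, trigger a response) can be combined in a small script. This is an added example, not code from the original post or from NetIQ; the log layout and the sample lines are constructed, and the "response" is simply a returned alert rather than an email.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified firewall access-log layout
# (timestamp, action, source IP:port, destination IP:port). Not from a real device.
SAMPLE_FIREWALL_LOG = """\
2024-03-01T08:00:01 BLOCK src=203.0.113.7:51544 dst=192.0.2.10:22
2024-03-01T08:00:02 BLOCK src=203.0.113.7:51545 dst=192.0.2.10:23
2024-03-01T08:00:02 ALLOW src=192.0.2.55:49211 dst=198.51.100.20:443
2024-03-01T08:00:03 BLOCK src=203.0.113.7:51546 dst=192.0.2.10:3389
2024-03-01T08:00:04 BLOCK src=203.0.113.7:51547 dst=192.0.2.10:445
2024-03-01T08:00:05 ALLOW src=192.0.2.56:49300 dst=198.51.100.21:80
2024-03-01T08:00:06 BLOCK src=198.51.100.99:40000 dst=192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

def parse_log(text):
    """Parse each line into a dict; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            events.append(d)
    return events

def summarize(events):
    """Count allowed and blocked packets, the first thing a reviewer looks at."""
    return Counter(e["action"] for e in events)

def events_of_interest(events, threshold=3):
    """Flag a source blocked on 'threshold' or more distinct ports of one host
    (a probing pattern). Returns {(src_ip, dst_ip): sorted blocked ports}."""
    blocked = defaultdict(set)
    for e in events:
        if e["action"] == "BLOCK":
            blocked[(e["src_ip"], e["dst_ip"])].add(e["dst_port"])
    return {k: sorted(v) for k, v in blocked.items() if len(v) >= threshold}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_FIREWALL_LOG)
    print(summarize(evts))
    for (src, dst), ports in events_of_interest(evts).items():
        print(f"ALERT: {src} blocked on {len(ports)} ports of {dst}: {ports}")
```

In a real deployment the alert would be the trigger for the programmed response, and the script would read from the central log server rather than from the possibly tampered host.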
Q. Your organization’s security policy requires that personnel notify security administrators if an incident occurs. However, this is not occurring consistently. Which of the following could the organization implement to ensure security administrators are notified in a timely manner?
A. Routine auditing
B. User rights and permissions reviews
C. Design review
D. Incident response team
The answer is A. Routine auditing of the help desk or administrator logs can discover incidents and then match them with reported incidents.
A review of user rights and permissions helps ensure they are assigned and maintained appropriately, but does not help with ensuring incidents are reported correctly.
A design review ensures that systems and software are developed properly.
An incident response team responds to incidents, but they wouldn’t necessarily ensure administrators are informed of incidents.