The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today’s regulations. Which of the following does not explain why audit logs should be protected?
A.
If not properly protected, these logs may not be admissible during a prosecution.
B.
Audit logs contain sensitive data and should only be accessible to a certain subset of people.
C.
Intruders may attempt to scrub the logs to hide their activities.
D.
The format of the logs should be unknown and unavailable to the intruder.
Explanation:
D: Auditing tools are technical controls that track activity within a network, on a network device, or on a specific computer. Even though auditing is not an activity that will deny an
entity access to a network or computer, it will track activities so that a security administrator can understand the types of access that took place, identify a security breach, or warn the
administrator of suspicious activity. This information can be used to point out weaknesses of other technical controls and help the administrator understand where changes must be
made to preserve the necessary security level within the environment. Intruders can also use this information to exploit those weaknesses, so audit logs should be protected through
permissions, rights, and integrity controls, as in hashing algorithms. However, the format of systems logs is commonly standardized with all like systems. Hiding log formats is not a
usual countermeasure and is not a reason to protect audit log files.
A is incorrect because due care must be taken to protect audit logs in order for them to be admissible in court. Audit trails can be used to provide alerts about any suspicious
activities that can be investigated at a later time. In addition, they can be valuable in determining exactly how far an attack has gone and the extent of the damage that may have been
caused. It is important to make sure a proper chain of custody is maintained to ensure any data collected can later be properly and accurately represented in case it needs to be used
for later events such as criminal proceedings or investigations.
B is incorrect because only the administrator and security personnel should be able to view, modify, and delete audit trail information. No other individuals should be able to view this
data, much less modify or delete it. The integrity of the data can be ensured with the use of digital signatures, message digest tools, and strong access controls. Its confidentiality can
be protected with encryption and access controls, if necessary, and it can be stored on write-once media to prevent loss or modification of the data. Unauthorized access attempts to
audit logs should be captured and reported.
C is incorrect because the statement is true. If an intruder breaks into your house, he will do his best to cover his tracks by not leaving fingerprints or any other clues that can be
used to tie him to the criminal activity. The same is true in computer fraud and illegal activity. The intruder will work to cover his tracks. Attackers often delete audit logs that hold this
discriminating information. (Deleting specific incriminating data within audit logs is called scrubbing.) Deleting this information can cause the administrator to not be alerted or aware of
the security breach, and can destroy valuable data. Therefore, audit logs should be protected by strict access control.