Presentation is loading. Please wait.

Presentation is loading. Please wait.

OARtech Logging, evidence, and network management Brian Moeller, CISSP 10APR2002.

Published byMarsha Briggs Modified over 9 years ago

Similar presentations

Presentation on theme: "OARtech Logging, evidence, and network management Brian Moeller, CISSP 10APR2002."— Presentation transcript:

1 OARtech Logging, evidence, and network management Brian Moeller, CISSP 10APR2002

2 Why are logs important? Performance management Capacity planning Cost justification Management reporting Security both for integrity and for incident response – remember, security is there to *ensure* things go as planned, not to prevent access both for integrity and for incident response – remember, security is there to *ensure* things go as planned, not to prevent access

3 Network Responsibility It’s your job to know what’s going on with the network! Logs are a wonderful troubleshooting tool when things don’t go as planned.

4 The basics The 3 Layers Network Network Operating System Operating System Application Application

5 The basics AuthenticationAuthorizationAccountability

6 Authentication Most common authentication – Passwords Authentication – the process of matching a user to an account

7 Authorization After a user is authenticated, the permissions, connections, access, and quotas assigned to a user.

8 Accountability The process of keeping records of activity The ability to answer the questions: - Who did it? - What happened? - Where they were located? - When it happened? - How it was done and/or How much was used?

9 What should you log? Log enough to answer the questions… Who, What, When, Where, How Who, What, When, Where, How Authentication logs Show who logged on when Show who logged on when Don’t show who accessed what Don’t show who accessed what

10 What should you log? What happened? Application logs Application logs File access/change logs File access/change logs Keystroke logging/activity logging Keystroke logging/activity logging

11 What should you log? Where were they located? An updated network map is important An updated network map is important Naming conventions/Addressing policies Naming conventions/Addressing policies

12 What should you log? When did it happen? Time synchronization between logs is an issue Time synchronization between logs is an issue

13 What should you log? How was it done/How much was used?? Network traffic logs Network traffic logs Transaction logs Transaction logs Access logs Access logs

14 Building a case Use several logs to prove the same point Authentication log shows user logged in Authentication log shows user logged in Access log shows access to files-in-question Access log shows access to files-in-question Network logs shows traffic from workstation to servers where files are located Network logs shows traffic from workstation to servers where files are located Application logs show activity to process files Application logs show activity to process files OS logs show operating system state during activity OS logs show operating system state during activity

15 Building a case Use several logs to prove the same point Other application logs show access to other applications during the same time period (helps during an interview – “Yes, I did check my e-mail at that time, and I did run that application, but no, I certainly didn’t change that file….) Other application logs show access to other applications during the same time period (helps during an interview – “Yes, I did check my e-mail at that time, and I did run that application, but no, I certainly didn’t change that file….)

16 Building a case An example: Workstation cache shows suspected activity Workstation cache shows suspected activity Network traffic logs indicate suspected activity Network traffic logs indicate suspected activity Files not found on workstation, but are found in a recent backup Files not found on workstation, but are found in a recent backup User maintains innocence User maintains innocence But….. But…..

17 Building a case An example: But…..telephone records show phone calls…. But…..telephone records show phone calls….

18 Questions…but few answers What should I log? Log as much as is practical for your needs. Log as much as is practical for your needs. How long should logs be kept? Be practical…a general rule of thumb is 3 months of ‘quick’ access, then another 3 months ‘offline’ Be practical…a general rule of thumb is 3 months of ‘quick’ access, then another 3 months ‘offline’ Research, government, health care, accounting, tax, DoD, and others may have additional requirements Research, government, health care, accounting, tax, DoD, and others may have additional requirements

19 Questions…but few answers How should the logs be kept? As safely as practical – backups, check to make sure what you want to log is really being logged… As safely as practical – backups, check to make sure what you want to log is really being logged… On a system that isn’t likely to be compromised… On a system that isn’t likely to be compromised… Sometimes difficult for some OS and Application logs

20 Questions…but few answers Who should have access to the logs Only a limited number of people – they’re not public logs…(see your legal department, your mileage may vary) Only a limited number of people – they’re not public logs…(see your legal department, your mileage may vary) How much should I log? Be practical. Log more than you think you might need, but not so much that it causes problems with network or system performance. Generally plan on 10% of system Be practical. Log more than you think you might need, but not so much that it causes problems with network or system performance. Generally plan on 10% of system

21 An ounce of Prevention… Effort used to prevent incidents is well worth it! Use the logs to verify that the correct things are happening, and to know what happened when things don’t go well

Download ppt "OARtech Logging, evidence, and network management Brian Moeller, CISSP 10APR2002."

Similar presentations

Cyber Stalking Cyber Stalking Phishing Hacker 1. Never reveal your home address !!! This rule is especially important for women who are business professionals.

Cyber Stalking Cyber Stalking Phishing Hacker 1. Never reveal your home address !!! This rule is especially important for women who are business professionals.
XP Tutorial 9 New Perspectives on Microsoft Windows XP 1 Microsoft Windows XP Exploring Your Network Tutorial 9.

XP Tutorial 9 New Perspectives on Microsoft Windows XP 1 Microsoft Windows XP Exploring Your Network Tutorial 9.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
11 CONFIGURING AND MANAGING SHARED FOLDER SECURITY Chapter 8.

11 CONFIGURING AND MANAGING SHARED FOLDER SECURITY Chapter 8.
SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.

SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Database Administration Chapter 8 12011 FOSTER School of Business Acctg. 420.

Database Administration Chapter FOSTER School of Business Acctg. 420.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Chapter 8 Chapter 8: Managing the Server Through Accounts and Groups.

Chapter 8 Chapter 8: Managing the Server Through Accounts and Groups.
Network security policy: best practices

Network security policy: best practices
Setting up Email in Outlook Express. Select “Tools” from the toolbar menu.

Setting up in Outlook Express. Select “Tools” from the toolbar menu.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.

Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Federal Student Aid Identification username and password – this is how students and parents will sign the FAFSA application. The FSA ID process replaced.

Federal Student Aid Identification username and password – this is how students and parents will sign the FAFSA application. The FSA ID process replaced.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Enforcing Concurrent Logon Policies with UserLock.

Enforcing Concurrent Logon Policies with UserLock.
1. Self Awareness You should only access your accounts and private informations from a safe location (only at home as necessary if at all possible) where.

1. Self Awareness You should only access your accounts and private informations from a safe location (only at home as necessary if at all possible) where.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Similar presentations

Ads by Google