Audit Logs
Audit logs, also known as audit trails, are the records of events in an information technology system. Beyond the event itself, an audit trail entry typically records the destination, the resource address, user information, and a timestamp (Roratto and Dias, 2014).
Describe what information was contained in the logs and what value they might have in a security investigation.
User ID – identifies the account responsible for an activity, so an investigator can attribute actions to a principal and notice an account being used outside its normal role or hours.
Files and network resources accessed – records which objects were read, written, or connected to, and therefore the extent to which system data was manipulated and what an intruder may have taken.
Event ID – identifies the kind of event (for example a successful logon, a failed logon, or a change to a group), so related records can be selected, counted, and correlated across systems.
Timestamp and source/destination address – place each event in sequence and tie it to the machine it came from, which is what lets separate records be reconstructed into a timeline of an incident.
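The following is an added example, not part of the original assignment answer, showing how those fields are used together in an investigation: the Security event records are constructed for the example (field names are simplified from the Windows 4624, 4625 and 4672 events), and the threshold and time windows are assumptions a real deployment would tune.

```python
"""Added example (not from the original page): correlating constructed Windows
Security events so that user ID, event ID, source address and timestamp
together become an investigative finding rather than isolated records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The field names are simplified from the
# 4624 (successful logon), 4625 (failed logon) and 4672 (special privileges
# assigned) events Windows writes; they are not exported from a real system.
# 203.0.113.7 guesses the 'svc_backup' password five times, then succeeds,
# and the new session is immediately granted administrative privileges.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:05", "event_id": 4624, "user": "alice",      "src": "10.0.0.15"},
    {"time": "2024-03-01T08:10:01", "event_id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2024-03-01T08:10:08", "event_id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2024-03-01T08:10:15", "event_id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2024-03-01T08:10:22", "event_id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2024-03-01T08:10:29", "event_id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2024-03-01T08:10:40", "event_id": 4624, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2024-03-01T08:11:02", "event_id": 4672, "user": "svc_backup", "src": "-"},
    {"time": "2024-03-01T08:30:00", "event_id": 4625, "user": "bob",        "src": "10.0.0.22"},  # one typo
    {"time": "2024-03-01T08:30:10", "event_id": 4624, "user": "bob",        "src": "10.0.0.22"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def find_guess_then_success(events, threshold=5, window=timedelta(minutes=10),
                            priv_window=timedelta(minutes=5)):
    """Flag (user, source) pairs with >= threshold failed logons inside `window`
    that are followed by a successful logon from the same source.

    Returns one finding per such success with the who/where/when an
    investigator needs and whether the account was then granted special
    privileges (4672) within `priv_window`."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        by_pair[(ev["user"], ev["src"])].append(ev)

    # 4672 carries no source address, so privilege grants are matched by user.
    priv_grants = [(ev["user"], parse_time(ev["time"]))
                   for ev in events if ev["event_id"] == 4672]

    findings = []
    for (user, src), evs in by_pair.items():
        recent_failures = []
        for ev in evs:
            now = parse_time(ev["time"])
            # keep only failures still inside the sliding window
            recent_failures = [t for t in recent_failures if now - t <= window]
            if ev["event_id"] == 4625:
                recent_failures.append(now)
            elif ev["event_id"] == 4624 and len(recent_failures) >= threshold:
                privileged = any(u == user and now <= t <= now + priv_window
                                 for u, t in priv_grants)
                findings.append({
                    "user": user,
                    "src": src,
                    "failures": len(recent_failures),
                    "first_failure": recent_failures[0].isoformat(),
                    "success": ev["time"],
                    "privileged": privileged,
                })
                recent_failures = []
    return findings


if __name__ == "__main__":
    for finding in find_guess_then_success(SAMPLE_EVENTS):
        print(finding)
```

Bob's single failed logon followed by a success stays below the threshold and is not reported, while the svc_backup sequence is reported together with the fact that the session received administrative privileges; without the user ID and source address the failures could not be grouped, and without the timestamps the success could not be tied to them.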
Think about the challenges of getting all the Active Directory audit policy settings right. For an infrastructure administrator, how important are these types of settings?
Active Directory audit policy settings determine which events are written to the Security log at all, so they are essential to detecting suspicious activity: an event that is not audited cannot be alerted on or investigated later. If the Active Directory environment is actively audited and monitored, there is a good chance that reconnaissance, failed logons, or privilege changes will be noticed before an attack progresses. Getting the settings right is hard because the legacy audit categories and the advanced audit policy subcategories overlap, the advanced subcategory settings override the legacy category settings once they are configured, and a setting applied through Group Policy must actually reach every domain controller and member server to be effective, so the effective policy has to be verified on the hosts rather than assumed from the GPO. Audit policy also contributes to a picture of system status: monitoring the collected events in real time provides alerting, so an administrator can act before users notice a problem.
What are the risks associated with logging too little data or not auditing the correct events?
Insufficient logging and monitoring occurs when security-critical events are not logged and the system is not watched. Without the right events, an organisation cannot tell that a breach happened, reconstruct how it happened, or establish its scope; if failed logons are not audited, for example, a password-guessing attack leaves no trace. Attackers who are never detected keep their access, so a single intrusion turns into a continuing breach and significant losses.
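The check below is an added example, not from the original answer, addressing both the difficulty of getting the audit policy right and the risk of auditing the wrong events: it compares an exported audit policy with a baseline and reports what is not being audited. The CSV is constructed in the column layout that `auditpol /get /category:* /r` prints (verify against your own export; the GUID column is a placeholder), and the baseline is an illustrative assumption of the example rather than a vendor recommendation.

```python
"""Added example (not from the original page): compare an exported audit
policy against a baseline and report the subcategories that would leave an
investigation blind."""
import csv
import io

# Constructed sample in the column layout of `auditpol /get /category:* /r`
# (verify against your own export; the GUID column is a placeholder here).
# It models a domain controller that audits logons but not lockouts,
# process creation, or failed policy/account changes.
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Security System Extension,{placeholder},Success,
DC01,System,Logon,{placeholder},Success and Failure,
DC01,System,Logoff,{placeholder},Success,
DC01,System,Account Lockout,{placeholder},No Auditing,
DC01,System,Special Logon,{placeholder},Success,
DC01,System,Process Creation,{placeholder},No Auditing,
DC01,System,Audit Policy Change,{placeholder},Success,
DC01,System,User Account Management,{placeholder},Success,
DC01,System,Security Group Management,{placeholder},Success and Failure,
DC01,System,Credential Validation,{placeholder},Success,
"""

# Illustrative baseline (an assumption of this example, not a vendor
# recommendation): subcategories an investigation on a domain controller
# commonly depends on, and whether success, failure or both must be audited.
BASELINE = {
    "Credential Validation": "Success and Failure",
    "Kerberos Authentication Service": "Success and Failure",
    "Logon": "Success and Failure",
    "Account Lockout": "Failure",
    "Special Logon": "Success",
    "Process Creation": "Success",
    "Audit Policy Change": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Security Group Management": "Success and Failure",
}

# auditpol's inclusion-setting text -> the set of outcomes it covers
SETTING_TO_SET = {
    "No Auditing": set(),
    "Success": {"Success"},
    "Failure": {"Failure"},
    "Success and Failure": {"Success", "Failure"},
}


def parse_auditpol_csv(text):
    """Map subcategory name -> inclusion setting from auditpol's CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip() for row in reader}


def audit_gaps(text, baseline=BASELINE):
    """Return the baseline subcategories whose required success/failure
    auditing is not fully enabled in the exported policy."""
    actual = parse_auditpol_csv(text)
    gaps = []
    for subcategory, required in baseline.items():
        present = subcategory in actual
        have = actual.get(subcategory, "No Auditing")
        missing = SETTING_TO_SET[required] - SETTING_TO_SET.get(have, set())
        if missing:
            gaps.append({
                "subcategory": subcategory,
                "required": required,
                "actual": have if present else "not present",
                "missing": sorted(missing),
            })
    return gaps


def remediation_commands(gaps):
    """auditpol commands that enable exactly the missing outcomes."""
    return ['auditpol /set /subcategory:"%s" %s' % (
                g["subcategory"],
                " ".join("/%s:enable" % m.lower() for m in g["missing"]))
            for g in gaps]


if __name__ == "__main__":
    for command in remediation_commands(audit_gaps(SAMPLE_AUDITPOL_CSV)):
        print(command)
```

Run against the real export from each domain controller, the gap list is the evidence that the policy a GPO is supposed to apply has in fact landed; a subcategory that is absent from the export is treated the same as "No Auditing", which is exactly how it behaves during an investigation.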
What are the risks associated with logging too many events?
Logging too many events costs CPU, disk I/O, and storage on the audited system and can degrade its performance. It also buries the few security-relevant records among large volumes of routine entries: noisy subcategories such as object access or filtering platform connections generate far more records than logon or account-management events, the log rolls over sooner and destroys older evidence, storage is consumed by data that is never useful, and analysts need more time to find the events that matter, which makes auditing harder rather than easier.
When the default configuration is to create audit logs, what impact can this have on security incident investigations?
Windows ships with default audit settings chosen by Microsoft as a generic baseline. Those defaults may not suit a specific company's requirements, so events an investigation would need may never have been recorded, and where the default is simply to create audit logs without deliberate choices about what to audit, the logs that exist are often incomplete or not retained long enough. The defaults are also well understood by attackers, who will try to act in the gaps they leave (Desmond et al., 2008).
This was just a single domain with two systems on a local LAN. How much more complicated would auditing and log management be for 100 computers? What about an enterprise with 10,000 computers in several domains on their LAN/WAN?
With 100 computers it is no longer practical to review each machine's Security log by hand. Logs must be collected centrally, and enriching them with threat intelligence such as blocklists of known malicious sources helps identify traffic from those sources; correlating the collected events is also what makes it possible to spot an outbreak spreading between hosts. For an enterprise with 10,000 computers in several domains across a LAN/WAN, centralised collection and correlation become mandatory: the same attack will be reported by multiple detection sources, so a "repeat attack, multiple detection sources" rule is needed to merge those reports, identify hosts that may be infected, and deal with the infection as quickly as possible. Correlation rules of this kind also support near real-time detection, which narrows the scope of what analysts have to review and act on.
Consider a cloud-hosted Infrastructure as a Service (IaaS) environment with many new, Internet-accessible systems regularly being built and brought online. What challenges might there be in managing audit policies and logs in such an environment?
In such an environment new Internet-accessible systems are built and brought online continually, so audit policy cannot be applied by hand: it has to be baked into the machine image or applied automatically at provisioning, and log forwarding has to be configured before a system is exposed, otherwise a newly built host may run for days without sending anything. Instances are also short-lived, and a destroyed instance takes its local logs with it, so logs have to be shipped off the host as they are written. Internet-facing web servers such as Apache receive a constant stream of suspicious requests from untrusted sources, which inflates log volume and makes it hard to separate real attacks from background noise, and the set of log sources to monitor changes every time a system is created or destroyed.
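As an added example (not part of the original answer) covering both the 10,000-computer case above and the IaaS case, the two checks below only work once logs from many hosts are collected in one place: a source address that fails logons on several hosts, which looks like a harmless typo on any single machine, and hosts in the provisioning inventory that have never sent a record or have gone quiet. The events, inventory, host names, and the one-hour silence limit are all constructed assumptions of the example.

```python
"""Added example (not from the original page): two fleet-scale checks that
need centrally collected logs: a source failing logons on many hosts, and
inventory hosts that are sending nothing."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source spraying 'administrator' across three web
# servers, routine activity elsewhere, and a file server whose last record
# is hours old. Field names are simplified from Windows 4624/4625 events.
FLEET_EVENTS = [
    {"host": "web-01", "time": "2024-03-01T09:00:00", "event_id": 4625, "user": "administrator", "src": "198.51.100.9"},
    {"host": "web-02", "time": "2024-03-01T09:00:03", "event_id": 4625, "user": "administrator", "src": "198.51.100.9"},
    {"host": "web-03", "time": "2024-03-01T09:00:07", "event_id": 4625, "user": "admin",         "src": "198.51.100.9"},
    {"host": "web-01", "time": "2024-03-01T09:05:00", "event_id": 4624, "user": "deploy",        "src": "10.0.0.5"},
    {"host": "web-02", "time": "2024-03-01T09:05:30", "event_id": 4625, "user": "carol",         "src": "10.0.0.31"},
    {"host": "fs-02",  "time": "2024-03-01T06:10:00", "event_id": 4624, "user": "dave",          "src": "10.0.0.40"},
]

# Constructed inventory: what the provisioning system says exists.
# 'web-07' was built this morning and has never sent a single event.
INVENTORY = ["web-01", "web-02", "web-03", "web-07", "fs-02"]
NOW = datetime.fromisoformat("2024-03-01T09:10:00")


def sources_hitting_many_hosts(events, min_hosts=3):
    """Repeat attack, multiple detection sources: a source address whose failed
    logons (4625) were reported by at least `min_hosts` different hosts."""
    hosts_by_src = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 4625:
            hosts_by_src[ev["src"]].add(ev["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


def silent_hosts(inventory, events, now, max_silence=timedelta(hours=1)):
    """Inventory hosts that never logged (value None) or went quiet for longer
    than `max_silence` (value = last record time). The first sign that a new
    instance came up without audit policy or forwarding, or that logging on
    an existing host has stopped."""
    last_seen = {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["host"] not in last_seen or t > last_seen[ev["host"]]:
            last_seen[ev["host"]] = t
    silent = {}
    for host in inventory:
        seen = last_seen.get(host)
        if seen is None:
            silent[host] = None
        elif now - seen > max_silence:
            silent[host] = seen.isoformat()
    return silent


if __name__ == "__main__":
    print(sources_hitting_many_hosts(FLEET_EVENTS))
    print(silent_hosts(INVENTORY, FLEET_EVENTS, NOW))
```

The silent-host check is what catches the IaaS failure mode in which a freshly built, Internet-facing instance exists in the inventory but not in the log collector; the source check is the "repeat attack, multiple detection sources" correlation that a single host's Security log can never produce.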
Finally, conclude this week’s assignment with a page explaining how the tools and processes demonstrated in the labs might be used by an infrastructure administrator to help secure an environment.
The PDCA cycle can be used to implement security controls. It is a four-step model that is carried out repeatedly for continuous improvement; PDCA stands for Plan, Do, Check, and Act.
Plan – identify an opportunity and plan a change. For instance, the quality of a finished product might not be high enough, might not fully satisfy the customer's needs, or an aspect of your marketing might be expected to deliver better results. Explore the available information fully, formulate ideas, develop an implementation plan, and state success criteria that are realistic and achievable.
Do – test the change in a small-scale pilot to determine whether the proposed solution achieves the desired outcome. This avoids disrupting the main operation if the change is unsuccessful. Gather data as the pilot runs for later reference and use.
Check – review the test, analyse the results, and compare what you learned with the expected outcome to judge whether the idea succeeded. If it did not, return to the first step; otherwise proceed to the next phase.
Act – take action based on what you have learned. If the change failed, repeat the cycle with a different plan. If it succeeded, implement it and use what you learned to plan further improvements, beginning the cycle again.
Security administration processes are the tasks that support an organisation's security policy in order to maintain a secure Windows environment. Every objective in the security policy should serve the availability, integrity, and confidentiality of data; data becomes vulnerable to attack whenever part of the policy is ignored.
Security administration tasks include password enforcement, backup policies, encryption, and the monitoring of systems and network performance, all intended to keep the IT network and environment secure (Bourgeois, 2016).
References
Bourgeois, D. (2016). Information Systems for Business and Beyond. CreateSpace.
Desmond, B., Richards, J., Allen, R., & Lowe-Norris, A. G. (2008). Active Directory: Designing, Deploying, and Running Active Directory.
Roratto, R., & Dias, E. (2014). Security information in production and operations: a study on audit trails in database systems. Journal of Information Systems and Technology Management, 11(3).
Question
Audit Logs
At the end of the lab, you will be asked to respond to the following in a 2- to 2.5-page response at the end of your Microsoft Word document:
Describe what information was contained in the logs and what value they might have in a security investigation.
Address the following in your response:
- Think about the challenges of getting all the Active Directory audit policy settings right. For an infrastructure administrator, how important are these types of settings?
- What are the risks associated with logging too little data or not auditing the correct events?
- What are the risks associated with logging too many events?
- When the default configuration is to create audit logs, what impact can this have on security incident investigations?
- This was just a single domain with 2 systems on a local LAN. How much more complicated would auditing and log management be for 100 computers? What about an enterprise with 10,000 computers in several domains on their LAN/WAN?
- Consider a cloud-hosted Infrastructure as a Service (IaaS) environment with many new, Internet-accessible systems regularly being built and brought online. What challenges might there be in managing audit policies and logs in such an environment?
- Finally, conclude this week’s assignment with a page explaining how the tools and processes demonstrated in the labs might be used by an infrastructure administrator to help secure an environment.