Invitation to Cybersecurity

8. The Means of Cybersecurity: Access Control 211

Chapter 2), everything that happens in cyberspace is ephemeral. If actions are not logged, there is no way to know who did what when. Many types of activities can be logged. Some are more obviously relevant for cybersecurity than others. For example, logs recording when a malicious program was installed and by which user would be helpful for investigating how a cyber incident occurred. Other types of activities, like a system log recording when a background process was started by the OS, are less obviously helpful, although they could still be relevant for some types of cybersecurity incidents. As we covered in Chapter 3, cyber forensics is the analysis of cyberspace evidence. In general, the more events that are logged, the more potential clues cyber forensics experts could find to determine what happened. It is also the case that the more information that is logged and the longer it is kept, the more data that could be exposed in a data breach—some logging data might be valued by attackers. This is yet another cybersecurity tradeoff that must be weighed carefully.

Logging is a setting that can be configured by administrative users in an OS. Some events are logged by default, but not every event. Users are able to manage the events they want to track. While it would be nice to track everything all the time “just in case,” there is a cost to logging. Logs occupy space that must be managed. Also, the more logs that are kept, the more “noise” there is to sift through to find events of interest. Log files accumulate and grow over time; they never shrink. Logging systems can be configured to keep only logs going back a set period of time. Older log records are deleted to make space for new logs. Alternatively, logs can be limited by size instead of time. An example would be to keep only the most recent one hundred MBs of log files for tracking certain types of activities.
When the limit is reached, the oldest logs are deleted to make room for newly recorded events. This approach caps the size of the logs but leaves the time period they cover variable. Instead of deleting them, old logs can also be saved on removable media and stored offline. This would allow an organization to retain records of old events, but it may be more trouble than it is worth. The usefulness of logs decreases exponentially with time, and meanwhile, copying logs onto removable media and storing them can be time consuming. Plus, as the data accumulates over time and is not easily accessible, information may be difficult to locate even if it could be useful if found.

Logs are saved as OS system files and are protected. They are meant to be created only by the OS and never to be modified. As we saw in Chapter 4, however, hackers typically want to maintain access to systems and cover their tracks. They have discovered ways to subvert OS authorization protections for log files and are sometimes able to modify or delete them. Deleting logs, though, indicates malicious activity in and of itself. If hundreds of logs exist per minute every minute except for a five-minute period in the middle of the night, this indicates a hacker might be present on the system. Deleting logs is an event that also can be logged, although hackers have devised ways to delete logs without creating a log record. To prevent attacks on logs, it can be helpful to mirror log files to another
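The “silent five minutes” indicator described above can be checked mechanically. The following is an added example, not code from the book: a small Python scanner over constructed log lines (ISO 8601 timestamp first on each line, an assumed format) that flags any period of silence much longer than the typical spacing between events.

```python
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed sample: a cron job logs every 30 s from 02:00 to 02:10,
    except that nothing at all is recorded between 02:03 and 02:08."""
    lines = []
    t = datetime(2024, 1, 15, 2, 0, 0)
    end = datetime(2024, 1, 15, 2, 10, 0)
    silent_from, silent_to = datetime(2024, 1, 15, 2, 3, 0), datetime(2024, 1, 15, 2, 8, 0)
    while t <= end:
        if not (silent_from < t < silent_to):
            lines.append(f"{t.isoformat()} host1 cron[1234]: job ran")
        t += timedelta(seconds=30)
    return lines


def parse_timestamps(lines):
    """Return the sorted leading timestamps; malformed lines are skipped as noise."""
    stamps = []
    for line in lines:
        try:
            stamps.append(datetime.fromisoformat(line.split(" ", 1)[0]))
        except ValueError:
            continue
    return sorted(stamps)


def find_gaps(lines, factor=4.0, min_gap=timedelta(minutes=2)):
    """Return (start, end, gap) for every silent stretch that is both longer than
    min_gap and more than `factor` times the median spacing between events.
    The median baseline keeps a few bursty seconds from hiding a real gap."""
    stamps = parse_timestamps(lines)
    if len(stamps) < 3:
        return []  # too little data to establish a baseline
    deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    threshold = max(min_gap.total_seconds(), factor * median(deltas))
    return [(a, b, b - a) for a, b, d in zip(stamps, stamps[1:], deltas) if d > threshold]


if __name__ == "__main__":
    for start, end, gap in find_gaps(build_sample_log()):
        print(f"no events between {start} and {end} ({gap}); check for log tampering")
```

In practice the baseline would be computed per log source and per hour of day, since a quiet period that is normal at 3 a.m. for one host may be alarming for another.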
