Lottery Log Management: Reviewing Gaming System Logs Why, What, and How Why You Should Review • Keep you and your director from getting fired! • Consistent with business objectives ©2009 Delehanty Consulting LLC Every Standard Says You Should! (Do you want to explain why you weren’t?) • NIST 800-92 Guide to Computer Security Log Management • ISO 27002/17799 Code of practice for information security management • COBIT 4 Control Objectives for Information & Technology • NIST 800-53 Recommended Security Controls for Federal Information Systems ©2009 Delehanty Consulting LLC Lottery’s Log Management Business Objectives 1. Security Operations: Security policies and systems are operating as planned 2. IT Operations: Determine whether IT operations can be improved and whether they are susceptible to issues 3. Forensics: Capture admissible proof that could serve as evidence if harm was done or rules/policies were intentionally broken ©2009 Delehanty Consulting LLC Analyze What? • SANS – Top 5 Essential Log Analyses • NIST SP 800-92 Guide to Computer Security Log Management (consistent with ISO 17799/27002) ©2009 Delehanty Consulting LLC SANS Essential Log Analyses 1. 2. 3. 4. Attempts to access through existing accounts Failed file or resource access attempts Unauthorized changes to groups, users, etc. Suspicious/unauthorized network traffic ©2009 Delehanty Consulting LLC NIST Additions • Transaction information • Significant Operational Actions – Application startup and shutdown – Task execution – Application failures. ©2009 Delehanty Consulting LLC Transaction Information • All transactions should be written to a master transaction file that cannot be altered prior to being received by the Lottery • Requirement met by: – Transaction Master File – ICS system • Better source for forensic evidence than Gware ©2009 Delehanty Consulting LLC How Activity Analysis Strategies 1. 2. 3. 4. Review all activities and processes Focus on high-risk activities Focus on high-risk processes Develop baselines and then look for anomalies 5. Time sampling or all days 6. All systems, select systems, or sampling ©2009 Delehanty Consulting LLC How – A Process Approach You’re First Log Review • • • • High risk Daily review All gaming systems Handout leads you through process ©2009 Delehanty Consulting LLC