Lottery's Log Management Business Objectives

advertisement
Lottery Log Management:
Reviewing Gaming System Logs
Why, What, and How
Why You Should Review
• Keep you and your director from
getting fired!
• Consistent with business objectives
©2009 Delehanty Consulting LLC
Every Standard Says You Should!
(Do you want to explain why you weren’t?)
• NIST 800-92 Guide to Computer Security Log
Management
• ISO 27002/17799 Code of practice for
information security management
• COBIT 4 Control Objectives for Information &
Technology
• NIST 800-53 Recommended Security Controls for
Federal Information Systems
©2009 Delehanty Consulting LLC
Lottery’s Log Management
Business Objectives
1. Security Operations: Security policies
and systems are operating as planned
2. IT Operations: Determine whether IT
operations can be improved and whether
they are susceptible to issues
3. Forensics: Capture admissible proof that
could serve as evidence if harm was done
or rules/policies were intentionally broken
©2009 Delehanty Consulting LLC
Analyze What?
• SANS – Top 5 Essential Log Analyses
• NIST SP 800-92 Guide to Computer
Security Log Management (consistent
with ISO 17799/27002)
©2009 Delehanty Consulting LLC
SANS
Essential Log Analyses
1.
2.
3.
4.
Attempts to access through existing accounts
Failed file or resource access attempts
Unauthorized changes to groups, users, etc.
Suspicious/unauthorized network traffic
©2009 Delehanty Consulting LLC
NIST Additions
• Transaction information
• Significant Operational Actions
– Application startup and shutdown
– Task execution
– Application failures.
©2009 Delehanty Consulting LLC
Transaction Information
• All transactions should be written to a
master transaction file that cannot be altered
prior to being received by the Lottery
• Requirement met by:
– Transaction Master File
– ICS system
• Better source for forensic evidence than
Gware
©2009 Delehanty Consulting LLC
How
Activity Analysis Strategies
1.
2.
3.
4.
Review all activities and processes
Focus on high-risk activities
Focus on high-risk processes
Develop baselines and then look for
anomalies
5. Time sampling or all days
6. All systems, select systems, or sampling
©2009 Delehanty Consulting LLC
How – A Process Approach
You’re First Log Review
•
•
•
•
High risk
Daily review
All gaming systems
Handout leads you through process
©2009 Delehanty Consulting LLC
Download