SECURITY BEST PRACTICES
Managing Audit Data
Getting a firm grip on audit trails is an enormous challenge. With so many systems generating so much information, it can seem impossible to manage. Once generated, using that trove of information to detect and react to security issues can be equally challenging. Here are some guidelines to help make the most of audit data resources:
Consider what information is valuable to log, and set policies for what is logged. Audit systems can log only the minimum or absolutely everything.
Find the middle ground that ensures important events are captured. Suggested events include logons/logoffs, file activities (renames, overwrites, copies, deletions), privileged command use, application faults, and any other events deemed important based on a system's role.
Implement a log collection capability that enables administrators to gather audit data from all systems to point(s) of aggregation. Collecting information in a centralized way makes it much easier to assure proper backups and reviews are performed.
Back up log data often, and keep it secure. Some attacks can go unnoticed for years, and it's important for both detecting and repairing intrusions to be able to review the attacker's footprints. It can also help prevent future attacks and provide valuable evidence for legal proceedings. Backups of audit data should be made separately from general backups and stored for at least a year, preferably at an off-site location.
Establish policy for review of audit data and provide resources to enforce it. Professional intrusion analysts, armed with the right tools for sifting through audit data, are critical to situational awareness and adaptive network defense. Today's sophisticated attacks may bypass detection by automated means like Intrusion Prevention Systems and Antivirus; a trained analyst's review of audit data may be the only way to detect these attacks.
Source Code Information Leaks
Application developers often use comment lines in source code to jot down notes for other programmers (or themselves) to ensure that the code is reusable. These notes, and even the code itself, may contain sensitive information including names, private server addresses, or account numbers. Without proper policy, source code can be a source of information leaks which can benefit hackers or disclose private data. To protect private information in source code:
Control access to source code using repositories which have access control capabilities. Ensure that only users with legitimate access to source code can check out data from the repository.
Ensure access control lists are up to date. Source code access lists should be re-evaluated every three months or whenever anyone with access has a change of employment status.
Set policy for kinds of information which may not be included in source code or comments. This list may be similar to the list of prohibited content in a content publishing guide or other existing policy, but should always include account numbers or private operations information.
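A first-pass check that enforces the prohibited-content policy just described, added here as an example and not part of the original guide. The three categories (private server addresses, account-number-like digit runs, credential assignments), their regular expressions, and the sample source file are assumptions constructed for the example; tune them to your own policy.

```python
import re
from typing import List, Tuple

# Assumed patterns for the three categories the policy above names.
# Private (RFC 1918) IPv4 ranges stand in for "private server addresses".
PRIVATE_IPV4 = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
# Runs of 9+ digits with optional separators resemble account numbers.
# This will also flag phone numbers or timestamps; review hits manually.
ACCOUNT_NUMBER = re.compile(r"\b(?:\d[ -]?){8,}\d\b")
# Credentials assigned directly in code or written into notes.
CREDENTIAL = re.compile(
    r"(?i)\b(?:password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+"
)

CHECKS = [("private-server-address", PRIVATE_IPV4),
          ("account-number", ACCOUNT_NUMBER),
          ("credential", CREDENTIAL)]

# Whole-line comment starts for a few common languages (assumption: good
# enough for a first pass; trailing comments after code are not detected).
COMMENT = re.compile(r"^\s*(?:#|//|/\*|\*|--|<!--)")

def scan_source(text: str, comments_only: bool = False) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, matched_text) for every policy hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if comments_only and not COMMENT.match(line):
            continue
        for category, pattern in CHECKS:
            for match in pattern.finditer(line):
                findings.append((lineno, category, match.group(0)))
    return findings

# Constructed sample file: two policy violations in comments, one in code.
SAMPLE = """\
# TODO(jdoe): staging DB lives at 10.20.30.40, ask ops for creds
def charge(customer):
    # test account 4111 2222 3333 4444 works in sandbox
    api_key = "REDACTED"
    return post("https://pay.example.com", customer)
"""

if __name__ == "__main__":
    for lineno, category, hit in scan_source(SAMPLE):
        print(f"line {lineno}: {category}: {hit}")
```

Running the scanner over the repository before check-in (or as a repository hook) turns the written policy into a check that fails the commit rather than relying on reviewers to spot the leak.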