Logs, Non-Repudiation, and Accountability

It's not the most exciting topic, but it is a vital one: Logs and Non-Repudiation. When safeguarding an Information System, you need to ensure that the people operating within that environment are accountable for what they do. You probably have a Consent to Monitor statement when users log in. This informs them that they are being monitored and that data is being collected on how they use the Information System. This data is often in the form of event logs which outline what they do on a system. How many times did they access certain files or websites? What files are they downloading? How many times did they fail to log in due to an incorrect password? The Information System can be configured to generate logs for many types of security-relevant events.

One of the simple concepts to understand regarding an information system is the criticality of audit logs. A System Administrator may use logs to watch for warning or error events pertaining to the operation of their systems. A Network Engineer uses logs to check for deny events on their Firewalls and Routers. However, logs also serve a pivotal role for the Cyber Security Professional.

Consider how Event Logs can be effective for an Auditor. If someone is trying to brute force into an account, you'll be generating lots of "incorrect password" events. If your auditors are monitoring for these, it could tip them off on a potential Insider Threat. If someone is downloading a bunch of files or trying to run a bunch of unauthorized software, this could be a problem as well. If users are trying to plug in unauthorized devices such as USB Storage, that activity may also generate logs. If working in a classified environment, you risk potential spillage if these events are not properly monitored.
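As an added illustration of the monitoring described above (this is example code written for this post, not something from the original article), here is a small Python script that reads constructed, syslog-style login lines and flags any account with a burst of "incorrect password" events, noting whether a successful login followed the burst, which is what separates a forgetful user from a likely guessed password. The line layout, field names, threshold and window are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example; the field layout is an
# assumption of the example, not a real product's format.
SAMPLE_LOG = """\
2024-03-01T09:00:01 ws01 auth: user=alice result=FAIL reason=incorrect_password src=10.0.0.5
2024-03-01T09:00:04 ws01 auth: user=alice result=FAIL reason=incorrect_password src=10.0.0.5
2024-03-01T09:00:06 ws01 auth: user=alice result=FAIL reason=incorrect_password src=10.0.0.5
2024-03-01T09:00:09 ws01 auth: user=alice result=FAIL reason=incorrect_password src=10.0.0.5
2024-03-01T09:00:11 ws01 auth: user=alice result=FAIL reason=incorrect_password src=10.0.0.5
2024-03-01T09:00:15 ws01 auth: user=alice result=SUCCESS src=10.0.0.5
2024-03-01T09:02:00 ws02 auth: user=bob result=FAIL reason=incorrect_password src=10.0.0.7
2024-03-01T09:45:00 ws02 auth: user=bob result=SUCCESS src=10.0.0.7
2024-03-01T10:00:00 ws03 auth: user=carol result=FAIL reason=incorrect_password src=10.0.0.9
2024-03-01T10:20:00 ws03 auth: user=carol result=FAIL reason=incorrect_password src=10.0.0.9
2024-03-01T10:40:00 ws03 auth: user=carol result=FAIL reason=incorrect_password src=10.0.0.9
2024-03-01T11:00:00 ws03 auth: user=carol result=FAIL reason=incorrect_password src=10.0.0.9
2024-03-01T11:20:00 ws03 auth: user=carol result=FAIL reason=incorrect_password src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+))? src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts with a parsed timestamp. Lines that do not
    fit the expected layout are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_bursts(events, threshold=5, window_minutes=5):
    """Return {user: details} for every account with at least `threshold`
    FAIL events inside any window of `window_minutes`. `success_after`
    records whether a SUCCESS followed the burst."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    flagged = {}
    for user, evs in by_user.items():
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        j = 0  # sliding right edge of the window over the sorted failures
        for i, start in enumerate(fails):
            while j < len(fails) and fails[j] - start <= window:
                j += 1
            count = j - i
            if count < threshold:
                continue
            end = fails[j - 1]
            hit = {
                "count": count, "start": start, "end": end,
                "sources": sorted({e["src"] for e in evs if start <= e["ts"] <= end}),
                "success_after": any(e["result"] == "SUCCESS" and e["ts"] > end for e in evs),
            }
            # keep the densest burst seen for this account
            if user not in flagged or count > flagged[user]["count"]:
                flagged[user] = hit
    return flagged


if __name__ == "__main__":
    for user, h in find_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {h['count']} failures {h['start']}..{h['end']} from {h['sources']}"
              f"{' then SUCCESS' if h['success_after'] else ''}")
```

On the sample data only alice is flagged with the default 5-in-5-minutes rule: bob's single typo is ignored, and carol's five failures are spread over 80 minutes, so they only surface if the auditor widens the window. The threshold and window are the policy knobs; the "success after burst" flag is the one worth paging someone for.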

With the amount of logs that are generated for these security relevant events, you can often hold the users accountable for the actions that take place on their accounts. However, there are a few scenarios in which this may prove difficult. Below, we will go over a few of these scenarios.

Non-Repudiation Is Critical For Accountability

The definition of Non-Repudiation is worded differently depending on the context, but when it comes to Information Systems, Non-Repudiation gives us an expectation that the individual who performed an action, such as accessing an information system, actually performed that action. It prevents an individual from denying that they did a particular activity. For example, if logs indicate that someone accessed certain websites, downloaded specific files, or ran specific programs, then Non-Repudiation allows us to confidently say that they did that activity.

This means that if logs show that an individual conducted illegal activities on their account, or is an Insider Threat, they can be legally held accountable for their actions. If Non-Repudiation is not properly considered, then we lose accountability. We would no longer be able to determine who performed the actions in question. In order to properly prevent data breaches, unauthorized activities, or fraudulent activities, policies must be created which maintain Non-Repudiation at all cost.

Keeping Honest People Honest

The way we ensure Non-Repudiation is often with strong authentication methods, such as multi-factor authentication. Many organizations require the use of a security token, along with a PIN, to access their account. Multi-factor authentication methods such as this help ensure that only the authorized individual can access an account.

Not only that, but a strong policy regarding "locking your machine" when it is not in use should be employed to ensure that when a user walks away, an unauthorized individual does not gain access to the account. Policy can be created so that removing a token locks the machine when the individual leaves. Policy such as this can ensure that actions conducted on a user's account were indeed done by that user.

Group accounts should be prevented at all costs as well, as Non-Repudiation falls apart with a group account. Any actions conducted on that group account could have been conducted by any individual with access to that account. If an Insider Threat were to use that account to conduct illegal activities, then you would have a more difficult time determining who was accessing that account at the time of the illegal activity.

Logs

You may have strong policy regarding Non-Repudiation, but that doesn't do much without strong logs and separation of duties. Administrators should be prevented from tampering with logs. Designated Auditors who have authorized access to the logs for auditing purposes can ensure that Administrators are unable to tamper with audit logs.
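One concrete way to give auditors that assurance is a tamper-evident log: each record carries an HMAC over its own content and the tag of the record before it, keyed with a secret that only the auditors hold. The Python below is an added example written for this post, not code from the original article; the record format, the constructed events and the idea that the administrator can write to the log file but never sees the audit key are all assumptions of the example.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous tag" used for the very first record


def _tag(key: bytes, prev_tag: str, body: dict) -> str:
    """HMAC over the previous record's tag plus this record's canonical JSON."""
    data = prev_tag.encode() + json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only event log. Because every tag covers the tag before it,
    editing, deleting or reordering any record breaks every tag that follows.
    The key belongs to the auditors; the administrator never holds it
    (assumption of this example, mirroring the separation of duties above)."""

    def __init__(self, audit_key: bytes):
        self._key = audit_key
        self.records: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["tag"] if self.records else GENESIS
        body = {"seq": len(self.records), "event": event}
        rec = dict(body, tag=_tag(self._key, prev, body))
        self.records.append(rec)
        return rec

    def checkpoint(self) -> Tuple[int, str]:
        """(count, last tag) that the auditor stores out of band. A chain alone
        cannot tell that its newest records were removed; the checkpoint can."""
        return len(self.records), (self.records[-1]["tag"] if self.records else GENESIS)


def verify_chain(records: List[dict], audit_key: bytes,
                 checkpoint: Optional[Tuple[int, str]] = None) -> Tuple[bool, str]:
    """Recompute every tag from the start; report the first break found."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i} (record claims seq {rec['seq']})"
        body = {"seq": rec["seq"], "event": rec["event"]}
        if not hmac.compare_digest(_tag(audit_key, prev, body), rec["tag"]):
            return False, f"tag mismatch at seq {i}: record altered or chain broken"
        prev = rec["tag"]
    if checkpoint is not None:
        count, last_tag = checkpoint
        if len(records) < count:
            return False, f"truncated: {len(records)} records, checkpoint says {count}"
        if count and records[count - 1]["tag"] != last_tag:
            return False, "checkpoint tag does not match: history rewritten"
    return True, "ok"


# Helpers modelling what someone with write access to the log file (but not
# the audit key) could do to it, used to show that each change is detected.
def with_edit(records: List[dict], i: int, **changes) -> List[dict]:
    recs = copy.deepcopy(records)
    recs[i]["event"].update(changes)
    return recs


def without(records: List[dict], i: int, renumber: bool = False) -> List[dict]:
    recs = copy.deepcopy(records)
    del recs[i]
    if renumber:  # hide the gap by renumbering; the tags still give it away
        for n, r in enumerate(recs):
            r["seq"] = n
    return recs


def build_sample_log(audit_key: bytes) -> ChainedLog:
    """Four constructed events of the kinds the article says should be logged."""
    log = ChainedLog(audit_key)
    log.append({"ts": "2024-03-01T09:00:01", "user": "alice", "action": "login", "result": "FAIL"})
    log.append({"ts": "2024-03-01T09:00:15", "user": "alice", "action": "login", "result": "SUCCESS"})
    log.append({"ts": "2024-03-01T09:05:00", "user": "alice", "action": "download", "file": "payroll.xlsx"})
    log.append({"ts": "2024-03-01T09:06:30", "user": "alice", "action": "usb_insert", "result": "BLOCKED"})
    return log


if __name__ == "__main__":
    key = b"example-audit-key-held-by-auditors"  # constructed for the demo
    log = build_sample_log(key)
    cp = log.checkpoint()
    print("intact:          ", verify_chain(log.records, key, cp))
    print("edited record:   ", verify_chain(with_edit(log.records, 2, file="readme.txt"), key, cp))
    print("deleted record:  ", verify_chain(without(log.records, 2, renumber=True), key, cp))
    print("dropped newest:  ", verify_chain(log.records[:-1], key))
    print("  + checkpoint:  ", verify_chain(log.records[:-1], key, cp))
```

Two design points matter here. First, the scheme only holds up if the administrator cannot obtain the key; with the key, anyone can recompute a consistent chain, which is exactly why the paragraph above insists on separation between the people who run the system and the people who audit its logs. Second, a plain chain verifies cleanly after its newest records are cut off, so the auditor has to record the latest (count, tag) checkpoint somewhere the administrator cannot reach; in practice that is the job of forwarding logs to a separate, write-once collector.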

Policies should be in place to log your common threat indicator events such as "incorrect password" login attempts, login activities, and usage logs. These logs, if monitored regularly, can ensure that the users and administrators are only using the system in the way it is authorized to be used. Without proper logs, non-repudiation doesn't do much if Security Professionals can't see the who, what, when, where, and why. It's thanks to the combination of Non-Repudiation and strong logs that we can ensure that everyone remains accountable for their actions on an Information System.

Conclusion

Locking in these strong security policies is pivotal in ensuring Non-Repudiation is maintained. Proper Access Control must be maintained. Without strong policies which ensure Non-Repudiation, Security Professionals will be unable to hold individuals accountable for performing malicious, illegal, or unauthorized activities.

If you've set yourself up for success regarding these policies, you empower your auditors and Cyber Security Professionals to hold people accountable for their actions. Without Non-Repudiation, you are unable to properly discourage malicious activities, unauthorized actions, or Insider Threats. Let's keep the honest people honest by ensuring our Security Policies account for strong Non-Repudiation, and that we ensure strong logs are maintained and audited.