Following the new "tradition" of posting a security tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.
So, Anton Security Tip of the Day #7: Don't Log or "They" Will Get Us!
This tip steps away from regexes, log parsing, data mining and those pesky oh-days :-) and touches upon an interesting log management process debacle.
So, imagine you are a hard-working system admin, just as overwhelmed with various system management issues as "the next guy." One day your boss's boss rushes in and asks you: do we log our employee and partner access to application, tools and data stored on our systems? Thinking that he has finally seen the light and understood the value of logging, you cheerfully say "Of Course!" However, his response causes you to drop that wireless hub you are holding: "We need to stop it immediately or THEY will get us!"
They? Who are "they": the aliens, the ATL agency (stands for "Appropriate Three Letter" agency :-)) or the evilicious Illuminati? No, the boss explains, in this case "they" are simply lawyers who, in case of a litigation against our company, might subpoena the log records (together with email, IM, old documents an other stored and transmitted electronic communication), revealing the horrible truth (whatever it might be - everybody is hiding something).
Upon waking up one night with the above hear, the boss remembered that he "heard somewhere" that if you don't log anything in your normal course of business, than nobody can get the records: they simply won't exist. And so he suggested you turn all logging off. Uh-oh.
This tips is about how you might respond!
Well, first, we need our logs! We use them just about every day for all sorts of operational tasks and losing all that will make troubleshooting and system administration impossible. If you would happen to lose whatever system to malfunction or attack, you will have almost no way to learn what went wrong and thus prevent it in the future.
Second, auditors expect to see logs. And thus, claiming that "we don't do it here" won't fly with them since they would not be able to do their jobs. And - do you really want a pissed auditor within a 5 miles radius? One that doesn't report to IT (i.e. to that boss's boss...)?
Third, if you handle credit card transactions and thus subject to PCI requirements, you have to log, period. Nothing to argue with - unless you plan to run a cash-based business for the rest of your life.
Fourth, if you happen to work towards some of the IT "best practices" and strive for operational excellency, lacking logs will totally torpedo these efforts. Most such documents call for logging and monitoring.
Fifth, indeed, the new e-discovery rules (rule 37(f) "Safe Harbor") do indeed state that 'If you can prove that missing data has been deleted during “routine” data expunging [or never existed in the first place], you are probably safe from legal sanctions.' However, most people agree that it is not an unlimited "get out of jail free card" since there are commonly accepted views of what is routine (e.g. doing some logging) vs what is exceptional - or even exceptionally dumb (e.g. not doing any logging)
So, today's tip is: logging is too useful to be destroyed on a whim. If you get in a similar situation (although, likely not that extreme!) use this material to fight for your logs!