Tuesday, May 06, 2008

Reverse Compliance or "Logs as Proof of Incompetence?"

This post is inspired by the BeastOrBudda musings on compliance here.


Now, I wrote a bunch of things about logs for PCI DSS compliance (including my book chapter) and overall logging for compliance. How about "reverse compliance" against logs?

Whaaaat? WTF is "reverse compliance?"

"Reverse compliance" is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

When this type of thinking in progress, people start going even further towards:

  • If I have no logging, people will not know that I was "0wned" for years and thus have to notify the customers (reverse breach disclosure compliance)
  • If I have not logs, nobody can blame that I knew (or - had a way to know) about the successful attack and data theft?
  • If breach investigation will lead to a dead end due to not having logs, maybe I won't be fined as severely?
  • If I don't have logs to show the auditors, they won't blame me for mismanaging security in my environment (or - they will only blame me for not having logs and not for all the other serious issues I have...)
  • If I have no logging, I cannot be found to be in violation of many PCI DSS requirements since evidence of violation will be in the logs (but, will, obviously be in violation of Requirement 10)

The key question is how widespread "reverse compliance" is? I am sure that many of my enlightened readers would think that no organization is that f*cked up :-) Well...

... some sadly are. Is "worst in class" label appropriate here? Maybe not, since these companies are thinking that they are "being smart about their business" and saving money by avoiding those "useless" (also known as "common sense" ;-)) compliance requirements.

So, will you log if logs will prove your incompetence?

That is, my friend, the whole question here...

On the other hand, I hope that this "approach" is not too common in the age of breach notification laws: logs or no logs, they will have to tell the public and - often! - without logs they will have to announce that ALL is lost. The burden in on them to prove what was NOT stolen IF the server where the data is stored was found to be owned.

For example, a compromised server + critical data stored = every record is assumed 'lost' in the absense of logs.

This is, in fact, one of the stronger motivation for log management today as it shows you clear, obvious savings: notify 200,000 people vs notify 40,000,000 people of the breach at, say, $5 apiece....

Technorati tags: ,

Dr Anton Chuvakin