More on not logging - “Reverse Compliance”

May 8th, 2008 Drazen Drazic Posted in Disclosure Laws, Forensics, PCI, PCI DSS, Risk Management, cyber crime, governance |

Declan’s recent post on logging being a double-edged sword started some interesting discussion. Anton Chuvakin follows up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

3 Responses to “More on not logging - “Reverse Compliance””

  1. Big Galoot Says:

    “Reverse Compliance”, “Logging double-edged sword”, etc. It’s all ‘ORM’ by a different name. It’s all good stuff.

    A while back on b or b we wrote a standard covering these shonky, head-in-the-sand principles, known as Ostrich Risk Management 101, or simply ‘ORM’.

    http://beastorbuddha.com/2008/02/13/big-galoot-diatribe-bgs-ostrich-risk-management-101/

    DD - how’s that ORM flow chart coming along? Now might be a good time to post it up!

    :-)

    BG.

  2. Funniest stuff ever over on the loganalysis mailing list, worth a peek; this BorB post reminded me of it. It’s a thread called ‘Star Trek and log integrity’…

    http://www.loganalysis.org/pipermail/loganalysis/2008-May/subject.html#start

    SNIP

    http://www.cbs.com/video/?showname=classics/star_trek

    “There’s no obvious way to link directly to an episode, but if you click to page 5, you’ll see episode 20, “Court Martial,” in which Captain Kirk is proved innocent of a crew member’s death after Spock is able to prove that the computer logs have been tampered with. I am *so* going to incorporate this into my logging tutorial :-)” tbird

    “What do you expect from a starship that runs on Windows-24k? Microsoft added support for syslog in 2348 - citing customer demand - but still has no Enterprise-class log architecture.” ranum

    “Captain Picard: ‘Data, review for format string vulnerabilities in syslog-ng.’

    Commander Data, as Picard exhales: ‘Done. However, we must wait for the Change Advisory Board to approve the update. They are currently backlogged by 391 years 3 months 6 days 46 minutes and 23 seconds.’” wynn

    D2

  3. @D2, sensational mate! LOL.

    @BG, post Auscert, we’ll formally launch the Ostrich Risk Management certification program and official website. To begin with, it will be a self-assessment examination and those who successfully pass will be able to proudly display the “ORM Certified Organisation” logo on their website. At this stage, we are still to finalise the pricing per year.

    In 2009, we will introduce the “ORMCA” (Ostrich Risk Management Certified Auditor) certification program. From then on, organisations must engage only approved ORMCAs to perform ORM audits. Pricing on the ORMCA certification is also yet to be determined, but we’re thinking around USD10K per year plus training costs. While the costs may seem high, we will require no pre-requisite knowledge or experience. How good is that? You can’t put a price on the value that will add to a career. Forget your MBAs!

    Stay tuned!

    Early bird expressions of interest in both the company certification and ORMCA program can be left here as responses or emailed to me through the “Contact Me” section on this website.

    DD
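The loganalysis “Star Trek and log integrity” thread quoted in response 2 turns on Spock being able to prove the logs were altered. The usual way to get that property outside of fiction is a tamper-evident log: each record is authenticated with a key that is ratcheted forward after every write and chained to the previous record’s tag, so a later compromise of the host cannot rewrite, reorder or drop earlier entries without the verifier noticing. The block below is an added example (not code from this post, the loganalysis thread, or any product mentioned here); the log lines, the initial key and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample log lines; not taken from the page or from any real system.
SAMPLE_LINES = [
    "2008-05-08T09:00:01Z sshd[4123]: Accepted publickey for kirk from 10.0.0.7",
    "2008-05-08T09:00:15Z sudo: kirk : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "2008-05-08T09:01:02Z sshd[4123]: session closed for user kirk",
]

# Hypothetical initial secret; in practice it is generated on the logging host,
# escrowed with the verifier (e.g. the central log server), then ratcheted away.
INITIAL_KEY = b"constructed-initial-key"

GENESIS_TAG = "0" * 64  # placeholder "previous tag" for the first record


def ratchet(key: bytes) -> bytes:
    """Derive the key for the next record. The writer discards the old key,
    so an attacker who takes the host later only learns the *current* key
    and cannot recompute tags for records already written."""
    return hashlib.sha256(b"ratchet" + key).digest()


def append_entry(log: list, key: bytes, message: str) -> bytes:
    """Append one record and return the key to use for the next one.
    The tag covers the sequence number, the previous tag and the message,
    which chains every record to all of its predecessors."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log)
    payload = f"{seq}|{prev_tag}|{message}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    log.append({"seq": seq, "msg": message, "tag": tag})
    return ratchet(key)


def build_log(initial_key: bytes, lines: list) -> list:
    """Write all lines into a fresh chained log."""
    log = []
    key = initial_key
    for line in lines:
        key = append_entry(log, key, line)
    return log


def verify(log: list, initial_key: bytes):
    """Replay the key ratchet from the escrowed initial key and re-derive
    every tag. Returns the index of the first bad record, or None if the
    whole chain checks out. Tail truncation is NOT detected here: a verifier
    also has to anchor the latest tag (or record count) somewhere the writer
    cannot change, otherwise an attacker can simply drop the last records."""
    key = initial_key
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        payload = f"{i}|{prev_tag}|{entry['msg']}".encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if entry.get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"]
        key = ratchet(key)
    return None


def demo() -> dict:
    """Run the three tampering scenarios and report what verify() finds."""
    results = {}
    intact = build_log(INITIAL_KEY, SAMPLE_LINES)
    results["intact"] = verify(intact, INITIAL_KEY)

    edited = build_log(INITIAL_KEY, SAMPLE_LINES)
    edited[1]["msg"] = edited[1]["msg"].replace("/etc/shadow", "/etc/motd")
    results["edited"] = verify(edited, INITIAL_KEY)

    deleted = build_log(INITIAL_KEY, SAMPLE_LINES)
    del deleted[1]
    results["deleted"] = verify(deleted, INITIAL_KEY)

    truncated = build_log(INITIAL_KEY, SAMPLE_LINES)[:2]
    results["truncated"] = verify(truncated, INITIAL_KEY)
    return results


if __name__ == "__main__":
    for scenario, first_bad in demo().items():
        print(f"{scenario:10s} -> first bad record: {first_bad}")
```

Rewriting the sudo line or deleting a record breaks the chain at index 1; cutting the log off after two records passes, which is exactly why the current tag has to be shipped off-host (to a log collector, a remote notary, or even a printer) as part of the design rather than left to the verifier alone.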
