Lottery Log Management: Reviewing Gaming System Logs
Why, What, and How
©2009 Delehanty Consulting LLC
Why You Should Review
• Keep you and your director from getting fired!
• Consistent with business objectives
Every Standard Says You Should! (Do you want to explain why you weren’t?)
• NIST 800-92 Guide to Computer Security Log Management
• ISO 27002/17799 Code of practice for information security management
• COBIT 4 Control Objectives for Information & Technology
• NIST 800-53 Recommended Security Controls for Federal Information Systems
Lottery’s Log Management Business Objectives
1. Security Operations: Security policies and systems are operating as planned
2. IT Operations: Determine whether IT operations can be improved and whether they are susceptible to issues
3. Forensics: Capture admissible proof that could serve as evidence if harm was done or rules/policies were intentionally broken
Analyze What?
• SANS – Top 5 Essential Log Analyses
• NIST SP 800-92 Guide to Computer Security Log Management (consistent with ISO 17799/27002)
SANS Essential Log Analyses
1. Attempts to access through existing accounts
2. Failed file or resource access attempts
3. Unauthorized changes to groups, users, etc.
4. Suspicious/unauthorized network traffic
NIST Additions
• Transaction information
• Significant Operational Actions
  – Application startup and shutdown
  – Task execution
  – Application failures
Transaction Information
• All transactions should be written to a master transaction file that cannot be altered prior to being received by the Lottery
• Requirement met by:
  – Transaction Master File
  – ICS system
• Better source for forensic evidence than Gware
How – Activity Analysis Strategies
1. Review all activities and processes
2. Focus on high-risk activities
3. Focus on high-risk processes
4. Develop baselines and then look for anomalies
5. Time sampling or all days
6. All systems, select systems, or sampling
How – A Process Approach: Your First Log Review
• High risk
• Daily review
• All gaming systems
• Handout leads you through process
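The four SANS analyses, the NIST operational additions, and the "develop baselines and then look for anomalies" strategy from the slides above, combined into one daily, high-risk review run over a small log export. This is an added example written for this page, not code from the slides or from Delehanty Consulting; the pipe-delimited export format, the event names, the APPROVED_ADMINS set, the internal address prefixes, and the sample log lines are all assumptions constructed for the demonstration.

```python
"""Daily high-risk log review over constructed gaming-system log lines.
Hypothetical script written for this page (not from the slides or Delehanty
Consulting); assumes an invented export format: timestamp|host|event|user|detail."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample: three baseline days, then the day under review.
SAMPLE_LOGS = """\
2009-03-11T09:11:02|gs-02|LOGIN_FAIL|operator1|bad password
2009-03-12T07:58:19|gs-01|LOGIN_FAIL|operator2|bad password
2009-03-13T08:00:05|gs-01|LOGIN_FAIL|operator1|bad password
2009-03-16T02:14:03|gs-01|LOGIN_FAIL|operator1|bad password
2009-03-16T02:14:09|gs-01|LOGIN_FAIL|operator1|bad password
2009-03-16T02:14:15|gs-01|LOGIN_FAIL|operator1|bad password
2009-03-16T02:14:21|gs-01|LOGIN_FAIL|operator1|bad password
2009-03-16T02:14:27|gs-01|LOGIN_FAIL|operator1|bad password
2009-03-16T02:15:00|gs-01|LOGIN_OK|operator1|console
2009-03-16T02:16:30|gs-01|ACCESS_DENIED|operator1|/ics/master.txn
2009-03-16T02:17:10|gs-01|GROUP_MOD|operator1|added operator1 to admins
2009-03-16T02:18:00|gs-01|NET_CONN|operator1|dst=203.0.113.7:8443
2009-03-16T02:19:00|gs-01|APP_STOP|system|ics-collector
2009-03-16T06:00:00|gs-02|APP_START|system|ics-collector
2009-03-16T09:30:00|gs-02|NET_CONN|operator2|dst=10.1.1.20:1521
"""
APPROVED_ADMINS = {"sysadmin"}           # may change users/groups (assumed)
INTERNAL_PREFIXES = ("10.", "192.168.")  # destinations treated as normal (assumed)
ACCOUNT_CHANGE_EVENTS = {"USER_ADD", "USER_DEL", "GROUP_MOD"}
OPERATIONAL_EVENTS = {"APP_START", "APP_STOP", "APP_FAIL", "TASK_RUN"}

@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    event: str
    user: str
    detail: str

    @property
    def day(self) -> str:
        return self.ts[:10]

def parse(text: str) -> list[Event]:
    """Split the export into Event records; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, event, user, detail = line.split("|", 4)
            events.append(Event(ts, host, event, user, detail))
    return events

def failed_login_baseline(events: list[Event], day: str) -> dict[str, list[int]]:
    """Failed logins per user for each day before `day`, zero-filled so a
    quiet day still counts toward that user's baseline."""
    days = sorted({e.day for e in events if e.day < day})
    per_user = defaultdict(lambda: dict.fromkeys(days, 0))
    for e in events:
        if e.event == "LOGIN_FAIL" and e.day < day:
            per_user[e.user][e.day] += 1
    return {user: list(counts.values()) for user, counts in per_user.items()}

def daily_review(events: list[Event], day: str) -> dict[str, list[str]]:
    """Apply the SANS and NIST review categories to one day's events."""
    findings = defaultdict(list)
    today = [e for e in events if e.day == day]
    baseline = failed_login_baseline(events, day)
    # 1. Access attempts through existing accounts: today's failed logins per
    #    account versus that account's own history (mean + 3 std deviations).
    for user, n in Counter(e.user for e in today if e.event == "LOGIN_FAIL").items():
        history = baseline.get(user) or [0]
        limit = mean(history) + 3 * pstdev(history)
        if n > limit:
            findings["account_access"].append(
                f"{user}: {n} failed logins (baseline limit {limit:.1f})")
    for e in today:
        if e.event == "ACCESS_DENIED":      # 2. failed file/resource access
            findings["resource_access"].append(f"{e.user} denied {e.detail} on {e.host}")
        elif e.event in ACCOUNT_CHANGE_EVENTS and e.user not in APPROVED_ADMINS:
            findings["account_changes"].append(f"{e.user} on {e.host}: {e.detail}")  # 3.
        elif e.event == "NET_CONN":         # 4. traffic outside internal ranges
            dst_ip = e.detail.removeprefix("dst=").split(":")[0]
            if not dst_ip.startswith(INTERNAL_PREFIXES):
                findings["network"].append(f"{e.user} on {e.host} -> {dst_ip}")
        elif e.event in OPERATIONAL_EVENTS:  # NIST: start/stop, tasks, failures
            findings["operational"].append(f"{e.event} {e.detail} on {e.host} at {e.ts}")
    return dict(findings)

if __name__ == "__main__":
    for category, items in daily_review(parse(SAMPLE_LOGS), "2009-03-16").items():
        print(category)
        for item in items:
            print("  ", item)
```

Running the script prints one block per review category for 2009-03-16. Each category maps to a bullet on the slides: account_access is SANS item 1 driven by the per-account baseline, resource_access and account_changes are items 2 and 3, network is item 4, and operational is the NIST addition. The baseline is zero-filled for days with no failures, which matters: without it a user whose only prior failure was a single bad password would have a history of one sample with zero spread, and the threshold would degenerate. The same structure runs unchanged over every gaming system's export, which is what "all gaming systems, daily" on the First Log Review slide asks for.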