At the end of the lab, you will be asked to respond to the following in a 2- to 2.5-page response at the end of your Microsoft Word document:
Address the following in your response:
1. Describe what information was contained in the logs and what value they might have in a security investigation.
User ID:
Identifies which account performed the recorded activity.
Date and time of logon and logoff:
Establishes when the account was active, which is needed to correlate the activity with the time the fraud occurred.
Files and networks accessed:
Shows which data was exposed, and therefore the extent to which the system may have been manipulated.
System configuration changes:
Indicates whether system settings were manipulated during the time of the crime, e.g., by disabling specific configurations.
2. Think about the challenges of getting all of the Active Directory audit policy settings right. For an infrastructure administrator, how important are these types of environments?
Active Directory audit policy settings are essential for an infrastructure administrator because they give full control over what is audited: account logon activity, account management, detailed tracking, DS access, object access, policy change, privilege use, system events, and global object access auditing.
3. What are the risks associated with logging too little data or not auditing the actual events?
If too little data is logged, the risks include weak protection of log information, a system that remains vulnerable to hacking, poor response to unusual activity because there is too little evidence to trigger a reaction, and poor diagnosis of software damage or identification of corrupted files.
4. What are the risks associated with logging too many events?
Logging too many events can slow the system down, including the components configured to protect it against hacking. In addition, many of the events are redundant, so the log fills with junk data that has no investigative value and makes auditing more difficult.
5. When the default configuration is to create audit logs, what impact can this have on security incident investigations?
- Once the security log is full, no further security events are recorded.
- The SQL server cannot detect that the system is no longer able to write events to the security log, so audit information is lost.
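To check the "log is full, nothing more is recorded" condition on an actual host, the following PowerShell is an added example (not part of the original assignment). It assumes a Windows machine with an elevated PowerShell session and uses the documented Security-log event IDs 1102 (audit log cleared), 1104 (security log full) and 4719 (audit policy changed).

```powershell
# Added example: inspect Security log retention and look for events that signal audit loss.
# Assumes an elevated PowerShell session on a Windows host (not code from the original assignment).

# Retention settings. LogMode 'Retain' means "do not overwrite events", so once the log is
# full no further security events are recorded, which is the condition described in Q5.
$sec = Get-WinEvent -ListLog Security
[pscustomobject]@{
    MaximumSizeMB = [math]::Round($sec.MaximumSizeInBytes / 1MB, 1)
    LogMode       = $sec.LogMode      # Circular, AutoBackup or Retain
    IsLogFull     = $sec.IsLogFull
    RecordCount   = $sec.RecordCount
} | Format-List

if ($sec.LogMode -eq 'Retain') {
    Write-Warning 'Security log is set to "Do not overwrite events"; new events are dropped once it fills.'
}

# Events that indicate audit data was lost or the audit policy was tampered with:
#   1102 (provider Microsoft-Windows-Eventlog)           - the audit log was cleared
#   1104 (provider Microsoft-Windows-Eventlog)           - the security log is now full
#   4719 (provider Microsoft-Windows-Security-Auditing)  - system audit policy was changed
$filter = @{ LogName = 'Security'; Id = 1102, 1104, 4719; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, MachineName |
    Sort-Object TimeCreated

# Remediation: enlarge the log and archive it when full instead of dropping events.
# Retention (/rt:true) plus auto-backup (/ab:true) gives LogMode 'AutoBackup'.
# wevtutil sl Security /ms:1073741824 /rt:true /ab:true
```

Run it before and after changing the policy so the "Check" step of PDCA has a measurable before/after record.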
6. This was just a single domain with two operations on a local LAN. How much more complicated would auditing and log management be for 100 computers? What about an enterprise with 10,000 computers in several domains on their LAN/WAN?
- With 100 computers, a known-attacker list can be applied during network assessment so that traffic from known blacklisted sources is identified. Detecting a possible outbreak early is also essential to keeping audit and log activities manageable.
- With 10,000 computers, management must correlate repeat attacks across multiple detection sources in order to find hosts that may be infected and deal with the infection as soon as possible. Such a system can also apply real-time fraud detection to narrow the scope of the audit and of the response.
7. Consider a cloud-hosted Infrastructure as a Service (IaaS) environment with many new, internet-accessible systems regularly being built and brought online. What challenges might there be managing audit policies and logs in such a situation?
- It is difficult to deal with suspicious posts from untrusted sources arriving through the Apache web server. Such an environment also makes it hard to keep track of log sources and to determine whether a given log source has stopped sending events.
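For the 100- and 10,000-computer cases above and the IaaS case here, the practical check is whether every expected host is still delivering events to the collector. The function below is an added PowerShell example, not part of the original answer; the host names and events are constructed sample data, and the Get-ADComputer and ForwardedEvents sources mentioned in the comments are assumptions about how a real collector would be queried.

```powershell
# Added example (not from the original assignment): flag expected log sources that have gone
# silent or were never seen. Sample data below is constructed; see the comments for real sources.

function Find-SilentLogSource {
    param(
        [string[]]$Expected,                               # hosts that should report (e.g. from Get-ADComputer)
        [object[]]$Events,                                 # objects with MachineName and TimeCreated
        [timespan]$MaxSilence = (New-TimeSpan -Hours 1),   # longest acceptable gap between events
        [datetime]$Now = (Get-Date)
    )
    # Newest event time per host, keyed case-insensitively.
    $lastSeen = @{}
    foreach ($e in $Events) {
        $name = $e.MachineName.ToLowerInvariant()
        if (-not $lastSeen.ContainsKey($name) -or $e.TimeCreated -gt $lastSeen[$name]) {
            $lastSeen[$name] = $e.TimeCreated
        }
    }
    # Report hosts that never reported, or whose last event is older than the threshold.
    foreach ($h in $Expected) {
        $key = $h.ToLowerInvariant()
        if (-not $lastSeen.ContainsKey($key)) {
            [pscustomobject]@{ Host = $h; Status = 'NeverReported'; LastSeen = $null }
        } elseif (($Now - $lastSeen[$key]) -gt $MaxSilence) {
            [pscustomobject]@{ Host = $h; Status = 'Silent'; LastSeen = $lastSeen[$key] }
        }
    }
}

# Constructed sample: three expected hosts; WS01 is current, WS02 is stale, DC01 never reported.
$now       = Get-Date
$expected  = 'WS01', 'WS02', 'DC01'
$collected = @(
    [pscustomobject]@{ MachineName = 'WS01'; TimeCreated = $now.AddMinutes(-5) }
    [pscustomobject]@{ MachineName = 'WS02'; TimeCreated = $now.AddHours(-3) }
    [pscustomobject]@{ MachineName = 'WS02'; TimeCreated = $now.AddHours(-4) }
)
Find-SilentLogSource -Expected $expected -Events $collected -Now $now | Format-Table

# Against a real collector (assumed setup), replace the sample data with, for example:
#   $expected  = (Get-ADComputer -Filter *).Name
#   $collected = Get-WinEvent -LogName ForwardedEvents -MaxEvents 50000 | Select-Object MachineName, TimeCreated
```

In the IaaS case the $expected list should come from the cloud inventory rather than only from AD, so that newly built internet-facing hosts that never enrolled in log forwarding show up as NeverReported.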
8. Finally, conclude this week's assignment with a page explaining how the tools and processes demonstrated in the labs might be used by an infrastructure administrator to help secure an environment.
PDCA, the security administration process, is the process of implementing security controls within the IT infrastructure. It is not carried out once; it is a cyclic process whose phases are repeated continuously as part of security administration.
Plan – Consider what must be accomplished to meet the security goal, and establish the objectives and processes needed to achieve it. A specification document is created during planning; it details how the results will be measured to determine whether the goal has been met.
Do – Implement the processes established in the Plan phase.
Check – Ensure the plan includes clear definitions of success and failure. The Check phase consists of activities that evaluate the results of the Do phase to confirm that the actions taken meet the defined success criteria.
Act – Take action to respond to any unexpected or undesired behavior found in the Check phase. Analyze the differences between the expected and the actual outcomes, find the cause of any discrepancies, and return to the Plan phase to create a framework for improving performance.
The security administration process includes any tasks that directly support an organization's security policy. These tasks keep a Windows environment secure. Every control put in place should directly address a security policy objective, and every objective in the security policy should support one or more of the A-I-C triad properties: availability, integrity, and confidentiality. As controls are developed and deployed, be sure to protect all three properties for data at multiple layers; any unaddressed security property leaves data vulnerable to attack (Solomon, 65).
Everyday security administration tasks include, but are not limited to: providing input for acceptable use policies, enforcing password controls, enforcing physical security standards, deploying controls to meet encryption requirements, implementing backup policies, keeping software current, ensuring antimalware controls are up to date and in force, and monitoring system and network performance (Solomon, 67). Together these tasks help to secure an IT network and environment.