T 3.114 Incorrect administration during logging
If logging servers are administered incorrectly and security incidents are consequently not recognised or discovered, the security of the entire information system may be adversely affected. Possible causes are configuration and operating errors. Such administrator errors may additionally cause a loss of confidentiality of data requiring protection.
Configuration errors include incorrectly or incompletely set parameters and options: for example an alarm threshold that is set too high, so that the alarm is raised late or not at all, or too low, so that it is raised even in normal operation, or filter settings that are too permissive. Such misconfigurations may suppress genuine alarms or trigger frequent false ones, and in both cases make early warning more difficult.
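The effect of a badly chosen alarm threshold can be made concrete with a small simulation. The following Python block is an added example, not part of the original catalogue entry and not taken from any real early-warning product: the utilisation samples, the threshold values and the "sustained for N samples" rule are all constructed for the illustration. It evaluates the same series of utilisation samples once with a threshold set far too low (the situation of the first example below) and once with a high threshold that must be exceeded for several consecutive samples, and counts genuine and false alarms against the constructed ground truth.

```python
"""Alarm thresholds: a too-low threshold versus a sustained high threshold.

Added illustration for the threshold misconfiguration described above. The
utilisation samples, threshold values and rule are constructed for this
example and are not taken from any real early-warning product.
"""

# Constructed: CPU utilisation in percent, one sample per minute. Normal
# operation hovers around 10-35 %; minutes 20-24 are a genuine overload.
SAMPLES = [
    12, 18, 25, 31, 22, 15, 28, 34, 19, 11,
    27, 33, 24, 16, 29, 35, 21, 13, 30, 26,
    95, 97, 99, 98, 96,
    24, 17, 32, 20, 14,
]
OVERLOAD_MINUTES = set(range(20, 25))  # ground truth for the constructed data


def evaluate(samples, threshold, sustain=1):
    """Return the sample indices at which an alarm is raised.

    An alarm is raised when the utilisation has exceeded `threshold` for
    `sustain` consecutive samples. `sustain=1` is the naive rule that reacts
    to every single sample above the threshold.
    """
    alarms = []
    run = 0
    for i, value in enumerate(samples):
        run = run + 1 if value > threshold else 0
        if run >= sustain:
            alarms.append(i)
    return alarms


def alarm_quality(alarms, true_overload):
    """Split the raised alarms into genuine ones and false alarms."""
    alarms = set(alarms)
    return {
        "raised": len(alarms),
        "genuine": len(alarms & true_overload),
        "false": len(alarms - true_overload),
        "missed": len(true_overload - alarms),
    }


def misconfigured():
    """Threshold set too low (20 %): most normal minutes raise an alarm."""
    return alarm_quality(evaluate(SAMPLES, threshold=20, sustain=1),
                         OVERLOAD_MINUTES)


def corrected():
    """Threshold 90 % sustained over 3 samples: only the real overload alarms."""
    return alarm_quality(evaluate(SAMPLES, threshold=90, sustain=3),
                         OVERLOAD_MINUTES)


if __name__ == "__main__":
    print("too low threshold :", misconfigured())
    print("sustained 90 %    :", corrected())
```

With the constructed data the 20 % rule raises 20 alarms, 15 of them false, which is exactly the alarm fatigue the first example describes. The corrected rule raises no false alarm, but its two "missed" minutes are the detection latency introduced by the sustain window: the overload starts at minute 20 and the first alarm is raised at minute 22. Tuning a threshold is therefore a trade-off between false alarms and reaction time, and either side of that trade-off can be set wrongly.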
Operating errors in centralised logging may occur if training is insufficient or absent. Administrators may then misinterpret the results of the log analysis and overlook a security incident. Improper operation may also result in logged data being deleted or changed accidentally. A further risk to overall security arises from modified security settings and extended access rights for the logging system, which unauthorised persons may exploit to gain access to the IT systems being monitored.
Examples:
- Within an organisation, the utilisation thresholds in the early-warning system were set too low. As a result, a false alarm is triggered even when the server is only slightly utilised. Over time, the alarms are increasingly neglected and ultimately disregarded completely. This creates a high security risk, because genuine alarms indicating that the server really is heavily overloaded are now ignored as well. Due to the overload, a server fails for a prolonged period and causes substantial financial damage.
- An administrator accidentally changes the time of a login event from 07:13 to 77:13 in one of the log files by entering an incorrect command in a keyboard-driven text editor. Later, this log file is needed to demonstrate that a user logged in to his computer under his user name at 07:13 on 14 April 2009. Because of the invalid time, the entry in this log file is of no use. Since the event cannot be found in any other log file, it cannot be demonstrated that the employee was at work on this day at this time.
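The second example turns on a single altered digit that nobody noticed until the entry was needed. The following Python block is an added example, not part of the original catalogue entry and not taken from any real logging product; the line format, the sample log lines and the hash chain are constructed for this illustration. It shows two checks that would have caught the slip much earlier: strict parsing of every entry (which rejects the impossible hour 77 that a purely syntactic check would accept) and a hash chain over the file whose final digest, recorded away from the log, no longer matches once any line has been changed.

```python
"""Detecting an accidentally altered log entry.

Added illustration for the second example above (an editing slip that turns
07:13 into 77:13). The log format, the sample lines and the hash chain are
constructed for this example and are not taken from any real system.
"""
import hashlib
import re
from datetime import datetime

# Constructed sample: a minimal "date time host event fields" line format.
LOG_ORIGINAL = [
    "2009-04-14 07:13:02 pc0815 login user=mmuster result=success",
    "2009-04-14 07:14:10 pc0815 screen-unlock user=mmuster",
    "2009-04-14 12:02:41 pc0815 logout user=mmuster",
]

# The same file after the slip described in the example: the first digit of
# the time in the first line was overwritten while editing.
LOG_MODIFIED = [
    "2009-04-14 77:13:02 pc0815 login user=mmuster result=success",
    "2009-04-14 07:14:10 pc0815 screen-unlock user=mmuster",
    "2009-04-14 12:02:41 pc0815 logout user=mmuster",
]

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Parse one log line strictly; raise ValueError if it is not well-formed.

    The regular expression only checks the shape of the timestamp; it would
    accept "77:13:02". datetime.strptime additionally checks that the values
    are possible and rejects an hour of 77.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("malformed line: %r" % line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"time": ts, "host": m.group(2), "event": m.group(3),
            "fields": m.group(4) or ""}


def find_invalid_entries(lines):
    """Return (line number, reason) for every line that fails strict parsing."""
    bad = []
    for n, line in enumerate(lines, start=1):
        try:
            parse_line(line)
        except ValueError as exc:
            bad.append((n, str(exc)))
    return bad


def chain_digest(lines):
    """Hash-chain the log: each line is hashed together with the previous digest.

    Recording the final digest when the file is closed or rotated, in a place
    the log administrator cannot edit along with the log, makes any later
    change to any line detectable by recomputing and comparing the digest.
    """
    digest = b""
    for line in lines:
        digest = hashlib.sha256(digest + line.encode("utf-8")).digest()
    return digest.hex()


def log_is_intact(lines, recorded_digest):
    """True if the current file still produces the digest recorded earlier."""
    return chain_digest(lines) == recorded_digest


if __name__ == "__main__":
    recorded = chain_digest(LOG_ORIGINAL)      # stored at rotation time
    print("invalid entries :", find_invalid_entries(LOG_MODIFIED))
    print("file intact     :", log_is_intact(LOG_MODIFIED, recorded))
```

The two checks cover different cases. Strict parsing catches the slip in the example because 77 is not a valid hour, and running it at ingest or at rotation reports the problem while the editing session is still fresh in memory; it says nothing about an edit that produces a plausible value such as 08:13. Only the recorded digest catches that, and only if the digest is kept where the same editing mistake (or the same extended access rights) cannot reach it.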