System Log

Suspicious Events on WLANs

Once a sufficient number of network behavior statistics have been gathered, a proper wireless IDS can start looking for suspicious events that indicate a possible attack. These events might be manifested as the presence of certain frame types, the frequency of frame transmission, frame structure and sequence number abnormalities, traffic flow deviations, and unexpected frequency use. Let's categorize the events a quality wireless IDS should be able to detect and issue a warning for.
 

1 RF/Physical Layer Events

  • Additional transmitters in the area.
  • Channels in use that the protected WLAN does not use.
  • Overlapping channels.
  • Sudden operating channel change by one or more monitored wireless devices.
  • Loss of signal quality, high level of noise, or low SNR.

These events can indicate connectivity or networking problems, severe network misconfiguration, rogue device placement, intentional jamming, and Layer 1 and Layer 2 man-in-the-middle attacks.

2 Management/Control Frame Events

  • Increased frequency of normally present network frames.
  • Frames of unusual size.
  • Unknown frame types.
  • Incomplete, corrupted, or malformed frames.
  • Floods of disassociate/deauthenticate frames.
  • Frequent reassociation frames on networks without enabled roaming.
  • Frames out of sequence.
  • Frequent probe requests.
  • Frames with ESSIDs different from the WLAN ESSID.
  • Frames with the broadcast ESSID ("Any").
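As an added illustration, not code from the original page or from any IDS product, the following Python detector applies several of the management-frame rules listed above to a constructed set of 802.11 frame records: disassociate/deauthenticate floods, backward sequence-number jumps, unknown frame types, probe requests with the broadcast ESSID, probe floods, and beacons carrying an ESSID other than the protected WLAN's. The record field names, the MAC addresses, the thresholds and the window length are all assumptions; a real sensor would fill the records from a capture library rather than from the constructed list below.

```python
from collections import defaultdict, deque

PROTECTED_ESSID = "corp-wlan"      # assumed ESSID of the WLAN being protected
KNOWN_SUBTYPES = {"beacon", "probe_req", "probe_resp", "auth", "assoc_req",
                  "assoc_resp", "reassoc_req", "deauth", "disassoc"}
WINDOW_SECONDS = 5.0               # assumed sliding window for rate rules
DEAUTH_FLOOD_THRESHOLD = 10        # deauth/disassoc frames per source per window
PROBE_FLOOD_THRESHOLD = 8          # probe requests per source per window
SEQ_MODULUS = 4096                 # 802.11 sequence numbers are 12-bit

# Constructed addresses used only by the sample capture below.
AP = "00:11:22:33:44:55"           # legitimate access point
ROGUE = "66:77:88:99:aa:bb"        # unknown transmitter
CLIENT = "cc:dd:ee:ff:00:11"       # a station


def _count_in_window(history, ts):
    """Record ts, drop entries older than the window, return the count."""
    history.append(ts)
    while history and ts - history[0] > WINDOW_SECONDS:
        history.popleft()
    return len(history)


def detect(frames):
    """Run the rules over frames (dicts sorted by ts) and return a list of
    (ts, rule, source_address) alerts in the order they fire."""
    alerts = []
    deauth_hist = defaultdict(deque)
    probe_hist = defaultdict(deque)
    last_seq = {}
    broadcast_seen = set()
    for f in frames:
        ts, src, sub, seq = f["ts"], f["src"], f["subtype"], f["seq"]
        essid = f.get("essid")

        if sub not in KNOWN_SUBTYPES:
            alerts.append((ts, "unknown_frame_type", src))
            continue

        # A single transmitter's sequence numbers only move forward (mod 4096);
        # a large backward jump suggests a second radio using the same address.
        if src in last_seq:
            delta = (seq - last_seq[src]) % SEQ_MODULUS
            if delta > SEQ_MODULUS // 2:
                alerts.append((ts, "sequence_anomaly", src))
        last_seq[src] = seq

        if sub in ("deauth", "disassoc"):
            if _count_in_window(deauth_hist[src], ts) >= DEAUTH_FLOOD_THRESHOLD:
                alerts.append((ts, "deauth_flood", src))
                deauth_hist[src].clear()      # alert once per threshold-worth
        elif sub == "probe_req":
            if essid == "" and src not in broadcast_seen:
                broadcast_seen.add(src)       # report each source once
                alerts.append((ts, "broadcast_essid_probe", src))
            if _count_in_window(probe_hist[src], ts) >= PROBE_FLOOD_THRESHOLD:
                alerts.append((ts, "probe_flood", src))
                probe_hist[src].clear()
        elif sub in ("beacon", "probe_resp") and essid != PROTECTED_ESSID:
            alerts.append((ts, "foreign_essid", src))
    return alerts


def sample_frames():
    """Constructed capture: normal beacons, a foreign beacon, a deauth burst
    carrying the AP's address, one unknown frame type, and a probe burst."""
    frames = [{"ts": 0.1 * i, "src": AP, "subtype": "beacon", "seq": 100 + i,
               "essid": PROTECTED_ESSID} for i in range(3)]
    frames.append({"ts": 0.4, "src": ROGUE, "subtype": "beacon", "seq": 7,
                   "essid": "free-wifi"})
    frames += [{"ts": 1.0 + 0.05 * i, "src": AP, "subtype": "deauth",
                "seq": 5 + i, "essid": None} for i in range(12)]
    frames.append({"ts": 2.0, "src": AP, "subtype": "beacon", "seq": 103,
                   "essid": PROTECTED_ESSID})
    frames.append({"ts": 2.1, "src": ROGUE, "subtype": "reserved_0x0f",
                   "seq": 8, "essid": None})
    frames += [{"ts": 3.0 + 0.1 * i, "src": CLIENT, "subtype": "probe_req",
                "seq": 200 + i, "essid": ""} for i in range(9)]
    return frames


if __name__ == "__main__":
    for ts, rule, src in detect(sample_frames()):
        print(f"t={ts:5.2f}s  {rule:22s} src={src}")
```

The sequence rule is what ties the deauth burst to the AP's own address: the real AP was at sequence 102, so the first deauth at sequence 5 shows up as a backward jump before the rate rule has seen enough frames to call it a flood. Tuning the window and thresholds to the site's normal traffic, which is what the statistics-gathering phase above is for, is what keeps these rules from firing on ordinary roaming and scanning.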

Which logs are relevant to your company?

In some circumstances, the answer is “all of them.” Additionally, these requirements apply to all “system components,” defined as “any network component, server, or application included in, or connected to, the financial transactions environment.” Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, Web, database, authentication, Domain Name System (DNS), e-mail, proxy, and Network Time Protocol (NTP) servers. Applications include all off-the-shelf and custom-built applications, including internally facing and externally facing Web applications.

Listed below are a few common uses for log information, taken from Tony Bradley's books on PCI compliance:

  • Threat Detection. Historical Host Intrusion Detection Systems (HIDSes) from the 1990s looked at audit trails and logs in search of patterns and strings, and raised alerts upon seeing them. Today, hunting for signs of hacking attempts (as well as successes, in the form of "compromise detection") in logs is just as useful.
  • Incident Response and Troubleshooting. When a system is hacked, logs are the most informative, accessible, and relatively easy to analyze (compared to full disk images) form of incident evidence.

How to design audit log policy

Enabling audit logging is an issue, as we discussed before. But leave it to management to decide on this feature, because whatever the decision, we still need to write an audit log policy to ensure the logging activities are effective.

Here are some topics that should be made clear in an audit log policy:

1. Event logging

What kind of activity should be logged: all administrator activities, or only sensitive activity for certain users. Another approach is hour-based logging, where the audit log is enabled only during working hours. The auditor should clearly state which events must be logged.

2. Log recording and archiving

Whether logs are archived to write-once disk, to tape storage, or simply kept on hard disk must also be stated in the log policy, along with how long records of any security breach will be archived.

Is it possible to review the audit log?

Enabling audit logging is an issue for application performance; everybody agrees on that, especially the IT department. But ask an IS auditor about audit logging and they will absolutely say that it is mandatory for any regulatory compliance.

Here are the major reasons why audit logging usually becomes a major finding in every audit engagement:

1. Enabling audit logging produces a lot of data files.

An IT engineer in telecommunications managing an MSC or HLR device will find it very difficult to maintain log retention for a long time. An IT officer at a manufacturing company will run into difficulties when enabling every audit log function.

2. Reviewing audit logs needs special skills and even special tools.

Even if we have very large storage for the audit logs, we still need tools to analyze the patterns in them. Large data without good interpretation is nothing.
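The two points above, which events the policy selects for logging and the tooling needed to turn a large audit log into something reviewable, can be shown with a small added example; this is not code from the original page or from any audit product. It reads a constructed audit log in an assumed "timestamp key=value ..." format, reduces it to counts per action, and applies two review rules: repeated failed logins per user and administrative actions outside an assumed working-hours window. The record format, the working hours, the set of administrative actions and the threshold are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, time

# Assumed record format (constructed for this example): ISO-8601 UTC timestamp
# followed by space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
WORK_START, WORK_END = time(8, 0), time(18, 0)       # assumed working hours
ADMIN_ACTIONS = {"config_change", "user_create", "privilege_grant", "log_clear"}
FAILED_LOGIN_THRESHOLD = 3                           # assumed review threshold

# Constructed sample log; the last line is deliberately not a valid record.
SAMPLE_LOG = """\
2024-03-04T09:15:02Z host=db01 user=alice action=login result=success
2024-03-04T09:16:40Z host=db01 user=alice action=config_change result=success
2024-03-04T12:01:05Z host=db01 user=bob action=login result=failure
2024-03-04T12:01:09Z host=db01 user=bob action=login result=failure
2024-03-04T12:01:14Z host=db01 user=bob action=login result=failure
2024-03-04T12:01:20Z host=db01 user=bob action=login result=success
2024-03-04T22:40:11Z host=db01 user=bob action=privilege_grant result=success
2024-03-04T22:41:30Z host=db01 user=bob action=log_clear result=success
this line is not an audit record
"""


def parse_line(line):
    """Return a dict of fields with a datetime under 'ts', or None if the line
    does not follow the assumed record format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = ts
    return fields


def review(lines):
    """Reduce raw audit lines to a summary plus the two review findings."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_action = Counter(e.get("action") for e in events)
    failed = Counter(e.get("user") for e in events
                     if e.get("action") == "login" and e.get("result") == "failure")
    off_hours = [e for e in events
                 if e.get("action") in ADMIN_ACTIONS
                 and not (WORK_START <= e["ts"].time() < WORK_END)]
    return {
        "events": len(events),
        "by_action": dict(by_action),
        "repeated_failures": {u: n for u, n in failed.items()
                              if n >= FAILED_LOGIN_THRESHOLD},
        "off_hours_admin": [(e["ts"].isoformat(), e.get("user"), e.get("action"))
                            for e in off_hours],
    }


if __name__ == "__main__":
    summary = review(SAMPLE_LOG.splitlines())
    print(f"{summary['events']} events; by action: {summary['by_action']}")
    print("repeated failed logins:", summary["repeated_failures"])
    for ts, user, action in summary["off_hours_admin"]:
        print(f"off-hours admin action: {ts} {user} {action}")
```

The off-hours rule only works if the events exist to be reviewed, which is the trade-off behind the hour-based logging approach mentioned under event logging: restricting audit logging to working hours cuts the data volume but also removes exactly the records this rule depends on, so the policy should say explicitly which events are logged around the clock.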
