Cyber Security in Schools: Event Log Monitoring

In this seventh blog in the series which builds upon every stage of the NCSC's 10 Steps to Cyber Security, we look at Event Log Monitoring. In our previous blog, User Privileges, Passwords and the Human Firewall, we outlined how good user management and the appropriate allocation of rights, permissions and privileges can help reduce the likelihood and impact of a cyber-attack.

In this blog we outline how you can potentially reduce or stop a cyber-attack by spotting signs of malicious activity and unauthorised access to systems, services and assets. This includes actively monitoring the environment for signs of reconnaissance, preventing further reconnaissance when identified, and preparing your team to respond effectively in the event of a subsequent attack.

Protecting your school’s assets

Identifying and understanding the value of your school’s assets is essential in order to have an effective defence in place. An asset can have a tangible or intangible value to a school. Assets such as end-user equipment, printers, servers and infrastructure devices all have a relatively easy quantifiable value. Whereas the loss or destruction of data, the theft of intellectual property or the effort required to recover from the effects of a ransomware attack are harder to quantify.

Before we go any further, ask yourself the following questions...

• Have you identified all your data assets? 
• Have you categorised and prioritised your data assets? 
• Do you know which assets an attacker might prioritise?
• How would an attacker gain access to these data assets?
• Do these systems and services support event logging, auditing and alerting?
• Do these logs, events or alerts provide you with the relevant information?
• Do you know what "normal" looks like in your environment?
• Can you rule out the white noise to correctly identify anomalies?
• Do you have the capability and capacity to assess monitoring outputs accurately?

The following steps focus on digital assets only, although some of the principles could be applied to hard copy data and non-technical systems.

1. Identify where your critical data assets are held.

This could be on-premise servers, network storage devices (NAS/SAN), end-user devices, cloud services, systems and services or on removable media such as backup tapes, portable devices or USB drives. This information should be available from your school’s Records of Processing Activity (RoP) or data maps. If not, these activities should be combined.

2. Categorise the data held in these systems.

Categorising your data is vital in determining the appropriate security and logging required to protect each asset. Security should be applied appropriately and proportionally. Generally, the classification falls into the below high-level categories:

• Confidential (only senior management have access)
• Restricted (most employees have access)
• Internal (all employees have access)
• Public (everyone has access)

Learn more about cyber crime in schools in 9ine's latest on-demand webinar presented by Ian Hickling, UK Cyber Protect Officer of the UK Cyber Crime Special Operations Unit.

3. Assess each system or solution in turn.

Check the application or software solution, operating systems, appliance interface and productivity platforms for their ability to monitor, log, audit, and where possible, alert. In general, the main types of logs available are security logs, system logs, application logs and firewall logs. Each log type has a primary function; however, they can contain very similar information. If one system does not provide the logs or events you need you may need to look at a third party tool or put in place compensating security controls.

4. Decide how you will retain and store your logs. 

As log files can contain valuable evidence, an adept attacker will try and sanitise these logs. Taking steps to protect the integrity of these log files is crucial when preserving evidence and allowing you to create a complete timeline of events. One way of doing this is to push/pull all logs into a central repository that is locked down and does not allow modification of events. You will need to determine how far back you want to go as logs build up exponentially and defining a time period will stop excessive build up of logs.

5. Implement a log storage and analysis tool that suits your requirements 

Whether implementing a mechanism for collating and analysing logs or sourcing an appropriate third party solution such as a Log Management System (LMS) or Security information and event management (SIEM), you should consider the following:

• Where are the logs coming from (logging source)?
• What is the log format? SNMP Traps, Syslog, Windows Event Forwarding, (log transport)?
• How are the logs processed and stored?
• Can they be manipulated, searched, queried and analysed?
• Can they be tailored?

There are many solutions to choose from and the NCSC provides a list of publicly available, open-source tools. The NCSC has not formally tested these products, and neither 9ine nor the NCSC recommend a particular one, however the solution needs to meet your functional requirements, technical skill knowledge and be within your allocated budget.

6. Validate that your logging capability is working as intended.

You must get what you need from your system logs and alerts, and to do that you first need to baseline the outputs. There is often a high percentage of informational events captured in monitoring logs and events. Some isolated errors and events will be systems or users going about their day-to-day routines with occasional failures (false positives). It is this white-noise that you need to understand (baseline) and then filter from your analysis to find anomalies that might indicate there is an issue or a malicious user. Some of the key items you want to look at are:

• User authentication/rejection
• Multiple failed logins
• Account lockout
• File and Folder Access/Denial (excessive)
• System/Service Startup
• System/Service Modification
• Modification of ports and firewall rules
• Escalation of privileges
• Creation of Privileged/Administrative accounts
• All of the above e.g. looking for anomalies, out-of-hours events, excessive events.

Once you are confident that you have set up and configured the logging to meet your needs, the next step is to proactively review the captured information for signs of malicious activity or threats. Following the above will help your teams become more proactive in the identification of malicious attack or suspicious behaviour and provide invaluable information in any post-incident investigations.

Examples of what active monitoring of events and logs can highlight.

• Multiple failed logins and lockouts can indicate a brute force attack on a known account e.g. a username being tried with successive passwords until access is gained. Attackers can use dictionary tables or rainbow tables (precomputed table of password hashes).
• Traffic leaving the network with IP addresses, not within your range(s) can indicate a bot or a DDoS attack being executed against an external target using your devices.
• Increased or abnormal requests against files can indicate trial and error by an attacker when trying to access files within your network.
• Privilege escalation events can indicate a malicious user has compromised an account and is trying to escalate their privileges within your systems.

Using the above steps as a guideline you will be on your way to building solid foundations when effectively determining the monitoring and logging your school requires. By ensuring that the IT department monitors and reviews new and historical event logs, you are providing another layer of security in your defence-in-depth strategy. Ultimately strengthening the school's defences and better protecting the confidentiality, availability and integrity of the school's assets. 

ABOUT THE AUTHOR:

Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.