NIST on Security Logs

The National Institute of Standards and Technology has released a document detailing how federal agencies should manage security logs: NIST Special Publication 800-92: Guide to Computer Security Log Management.

Posted on May 18, 2006 at 8:34 AM • 13 Comments

Comments

Jon • May 18, 2006 10:48 AM

After years of pagination advancements, we're still printing the statement, This Page Left Intentionally Blank, on documents. First of all, the printing of the statement invalidates the statement. Secondly, if you can't paginate it properly, then sell it for adspace :)

Clive Robinson • May 18, 2006 10:57 AM

Bruce,

You have forgotten to mention that Germany, unlike most other countries, has quite good laws for protecting its citizens from unwarranted search. This also carries over to the electronic realm, so they end up with some of the best privacy laws around.

This is due in the main to the problems caused by a certain little Austrian corporal who thought he could rule the world by any means he and his cronies deemed necessary...

Interestingly, their security services make a lot, lot less noise about "super criminals" using "hard crypto" etc...

Clive Robinson • May 18, 2006 11:00 AM

Oops, don't know what happened there; my above post should have been on the Bundesamt für Sicherheit in der Informationstechnik page.

Reduce-Reuse-Recycle • May 18, 2006 12:24 PM

> if you can't paginate it properly, then
> sell it for adspace :)

Terrible idea. That would be the end of virtual scratch paper. To save my kids' digital artwork, I would have to waste a whole new file.

Scott • May 18, 2006 12:55 PM

Interesting that there's not much mention of any non-syslog-capable systems and their incompatible format (e.g., how to handle that issue)...

antibozo • May 18, 2006 7:21 PM

Intentionally blank pages are useful to keep following page numbers identical in multiple revisions of a document, and for aligning odd pages on chapter starts. It's also disconcerting to view a document in an electronic reader and find truly blank pages; one is left wondering whether the page is really blank or the engine is having a rendering problem.

fred • May 18, 2006 8:43 PM

I've seen the non-blank page on the other face of the sheet contain a note in the footer that the other side was meant to be blank, something like

Page 37 (and 38)

or

Page 37 (38 blank).

Maybe there's some manufacturing process that would make this useful.

Davi Ottenheimer • May 18, 2006 11:22 PM

NIST special publications often have some useful information, although extremely specific (vendor lists?) and not far afield of other standard sources already available.

Speaking of which, have you heard one of these conversations lately?

A: "Hi, have you read the latest NIST SP?"

B: "No, sorry, I speak ISO."

A: "Oh, right, you have offices outside the US. I also know a little COBIT and some SANS. Can you speak in those?"

B: "Actually, I do speak a little SANS, but it's just basic stuff and hardly a standard. These days we're mostly talking COSO and some PCI DSS around here."

A: "Hmmm, well let me try and teach you our internal security standards, since they are a blend and much better than all that open stuff."

As far as the pagination and editorial comments, I'm surprised no one has pointed out that this is a giant 2MB PDF. Aside from one (questionable*) image, there does not appear to be much reason for such a bloated text doc even at 65 pages.

I was also a little surprised at how little Windows logging was discussed. Here's a typical phrase: "Section 3.3 discusses syslog in detail and provides examples of syslog log entries. Other OS logs, such as those on Windows systems, are stored in proprietary formats."

Um, ok, so we should just ignore those, right?

Maybe it's just me but I noted over 100 syslog specific comments (many interesting and helpful) and less than a couple related to Windows.

* Illustration of the word consolidation is nice, but hardly seems necessary. I think just about anyone can imagine what it looks like, even if you're trying to show that data from many systems should be consolidated to few, with a monitoring system attached. Maybe they could have illustrated what it looks like when a sysadmin is told they will have to now figure out how to consolidate hundreds or thousands of log files, and then be able to parse them, all the while doing their regular duties (insert image of smoke-from-ears here).
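Scott's and Davi's comments both point at the same gap: syslog lines and Windows event logs do not share a format, so consolidating them means normalizing them first. The Python below is an added example, not code from the NIST document, the post, or any commenter. It decodes the RFC 3164 <PRI> field into facility and severity, parses a BSD-style syslog line, parses a constructed key=value stand-in for a Windows event export (that key=value layout is an assumption for illustration, not a real Windows export format), and maps both into one record so a single severity filter can run across sources. All sample lines are constructed.

```python
import re
from datetime import datetime

# RFC 3164 numbering: PRI = facility * 8 + severity; list index equals the code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (no year, no time zone)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Constructed key=value layout for a Windows event (assumption, not a real export format).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WINDOWS_LEVELS = {
    "Critical": "crit", "Error": "err", "Warning": "warning",
    "Information": "info", "Verbose": "debug",
}


def parse_syslog(line, year):
    """Parse one BSD syslog line into the common record, or return None if it does not fit."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        return None
    # RFC 3164 timestamps carry no year, so the caller must supply one.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {
        "source": "syslog",
        "timestamp": ts.isoformat(),
        "host": m["host"],
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "program": m["tag"],
        "event_id": None,
        "message": m["msg"],
    }


def parse_windows_kv(line):
    """Parse the constructed key=value Windows event line into the same common record."""
    fields = {k: (q or v) for k, q, v in KV_RE.findall(line)}
    required = ("Time", "Computer", "EventID", "Level", "Message")
    if any(k not in fields for k in required) or fields["Level"] not in WINDOWS_LEVELS:
        return None
    ts = datetime.strptime(fields["Time"], "%Y-%m-%dT%H:%M:%S")
    return {
        "source": "windows",
        "timestamp": ts.isoformat(),
        "host": fields["Computer"],
        "facility": None,
        "severity": WINDOWS_LEVELS[fields["Level"]],
        "program": fields.get("Provider"),
        "event_id": fields["EventID"],
        "message": fields["Message"],
    }


def normalize(lines, year):
    """Normalize mixed lines. Returns (records, rejected); unparsable lines are kept for review."""
    records, rejected = [], []
    for line in lines:
        line = line.rstrip("\n")
        rec = parse_syslog(line, year) if line.startswith("<") else parse_windows_kv(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def at_or_above(records, severity):
    """Records at least as severe as `severity` (lower index in SEVERITIES = more severe)."""
    cutoff = SEVERITIES.index(severity)
    return [r for r in records if SEVERITIES.index(r["severity"]) <= cutoff]


# Constructed sample input: two syslog lines, one Windows-style line, one line that fits neither.
SAMPLE = [
    "<34>May 18 08:34:00 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2",
    "<13>May  5 08:35:01 host2 CRON[55]: (root) CMD (run-parts /etc/cron.hourly)",
    'EventID=4625 Computer=WS01 Level=Warning Time=2006-05-18T08:36:00 Message="An account failed to log on"',
    "garbage line that no parser accepts",
]

if __name__ == "__main__":
    recs, bad = normalize(SAMPLE, year=2006)
    for r in at_or_above(recs, "warning"):
        print(r["timestamp"], r["host"], r["severity"], r["event_id"] or r["program"], r["message"])
    print(f"{len(bad)} line(s) not understood")
```

Two caveats a practitioner would want: the syslog timestamp has no year or time zone, so the caller supplies the year and the records remain naive until the collector's zone is applied, and lines that fit neither parser are returned rather than silently dropped, since a log that vanishes during normalization is worse than one that is merely ugly.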

antibozo • May 19, 2006 5:03 PM

fred> I've seen the non-blank page on the other face of the sheet contain a note in the footer that the other side was meant to be blank

In press shops, blank pages are suspect, as they might have missed a pass through the printer. On the other hand, running every blank page through the printer merely to print "intentionally blank" on it costs a little more. People can save a little by printing the direction on the other side of the page, since that had to go through the printer anyway. This way, when a suspect blank page is found, one can easily check if it's intentionally blank by checking for the note on the other side.

In electronic documents, having an "intentionally blank" notice on each such page costs nothing, so should always be done.

Call me old fashioned • May 19, 2006 10:44 PM

Re: This Page Left Intentionally Blank

If you print it out, which some of us are wont to do from time to time, it is nice to know that the printer or some Reader weirdness didn't screw it up. Or, doesn't your tech ever misfire?

Anonymous • May 22, 2006 11:33 AM

@Davi: "As far as the pagination and editorial comments, I'm surprised no one has pointed out that this is a giant 2MB PDF. Aside from one (questionable*) image, there does not appear to be much reason for such a bloated text doc even at 65 pages."

Well there is a deceptively simple answer for that: the document was produced from a Word Document into pdf 1.2 (old) format using the Acrobat Distiller 5.0.5 "driver" (think "glorified print driver") component of PDFMaker 5.0 for Word. Also, things like the NIST text logo appear to have been encoded as images. This seems to apply for much of the body text as well (unless only parts of the text in the document have been compressed for some odd reason). I'm not impressed.

RvnPhnx • May 22, 2006 11:33 AM

oops.......
the May 22, 2006 11:33 AM one should have my nametag on it.......
