The Importance Of Remote Logging

Many people will recall the downfall of the Dutch Certificate Authority DigiNotar last year after it was discovered that attackers had compromised the CA’s servers and generated illicit certificates for some major internet sites. Fox-IT was contracted to investigate the breach and has issued its final report. A notable element in the report was that DigiNotar stored its log files on the servers themselves.

The news article on Threatpost includes an excerpt from the report:

“The investigation by Fox-IT showed that all eight servers that managed Certificate Authorities had been compromised by the intruder. The log files were generally stored on the same servers that had been compromised and evidence was found that they had been tampered with. Consequently, while these log files could be used to make inconclusive observations regarding unauthorized actions that took place, the absence of suspicious entries could not be used to conclude that no unauthorized actions took place.”

This really highlights the importance of moving logs to a different server for storage and analysis: once an attacker controls the host, they control whatever is logged there, so a clean local log proves nothing. If you aren’t pushing your logs to a logging server, please consider doing so.
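As an added illustration (not from the original post or the Fox-IT report), here is what that recommendation looks like as an rsyslog client configuration: the default local-only rule is shown alongside an action that forwards every message to a separate collector over mutually authenticated TLS, with a disk-assisted queue so that events are not lost if the collector is briefly unreachable. The hostname, port and certificate paths are placeholders; rsyslog itself is an assumed choice of log daemon.

```conf
# /etc/rsyslog.d/10-remote.conf  (example configuration, hypothetical paths/hosts)

# Weak: logs stay on the same host that may be compromised.
# An intruder with root can edit or truncate this file at will.
#   *.*  /var/log/syslog

# Stronger: ship a copy of every message off-host as it is written.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/client-key.pem"
)

*.* action(
  type="omfwd"
  target="logs.example.internal"        # placeholder collector hostname
  port="6514"                           # syslog over TLS
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"                  # 1 = TLS required
  StreamDriverAuthMode="x509/name"      # verify the collector's certificate name
  StreamDriverPermittedPeers="logs.example.internal"
  # Buffer to disk if the collector is unreachable, then keep retrying
  # forever rather than silently dropping events.
  queue.type="LinkedList"
  queue.filename="fwd_remote"
  queue.saveOnShutdown="on"
  queue.maxDiskSpace="1g"
  action.resumeRetryCount="-1"
)
```

The collector should be a separately administered host that accepts appends only; an attacker who later gains root on the sending machine can stop future forwarding, but cannot rewrite what has already been shipped.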