GIAC Foundational Cybersecurity Technologies Practice Test

What benefit does moving from local logging to using a log server provide organizations?

• A. Enables the use of network intrusion detection systems (NIDS)
• B. Harder for attackers to overwrite logs
• C. Attackers will have to pivot through an extra server to infiltrate the network
• D. Less complex logging infrastructure

The correct answer is: Harder for attackers to overwrite logs

Transitioning from local logging to utilizing a log server significantly enhances the security posture of an organization, particularly in terms of log integrity. Centralizing log data on a dedicated server makes it more challenging for attackers to manipulate or overwrite logs. When logs are stored locally on machines, an attacker who gains access to those machines can easily modify or delete the logs to cover their tracks, obstructing incident response efforts and forensic analysis. By using a log server, the logs are delivered from individual devices over the network to a centralized location, ideally secured in a way that only authorized personnel have access. This separation of storage not only helps in safeguarding the logs against deletion or tampering by attackers but also ensures that logs can be retained even if the local system is compromised. Thus, a log server serves as a critical layer of defense, allowing for more effective monitoring, alerting, and compliance with audit requirements. This centralized approach leads to improved log management capabilities, establishing a robust foundation for security analysis and incident response, while simultaneously deterring attackers from easily erasing evidence of their activities. The ability to maintain log integrity is a vital component of a well-designed cybersecurity strategy, supporting efforts to identify and remediate security incidents effectively.