Logging/Alerting Requirements#
Maturity Level 1#
Activate Audit Logging#
Ensure that logging has been enabled on all systems and networking devices.
Components of election technology solutions must utilize available logging capabilities to store system activity.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.3.1
Ensure Adequate Storage for Logs#
The product must provide a mechanism to maintain the storage of logs over a certain period of time.
Election technology components should be designed to store audit logs for multiple significant election events without losing any data. Logs should be retained for a minimum of 180 days with the option to archive logs for longer periods of time.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.3.2
Log All Authentication Activities#
Log all authentication activities, whether successful or not.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.6.4
Log All Privilege Changes#
Log all activities or occasions where the user’s privilege level escalates.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.6.5
Do Not Log Inappropriate Data#
While logging errors and auditing access is important, sensitive data must never be logged in an unencrypted form.
For example, under HIPAA and PCI, it would be a violation to log sensitive data into the log itself unless the log is encrypted on the disk. Additionally, it can create a serious exposure point should the application itself become compromised.
Applies to: Products that handle sensitive data
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.6.8
Store Logs Securely#
Logs must be stored and maintained appropriately to avoid information loss or tampering by an intruder. Log retention should also follow the retention policy set forth by the organization to meet regulatory requirements and provide enough information for forensic and incident response activities.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.6.9
Maturity Level 2#
Alerting#
Provide a mechanism to alert responsible parties to the occurrence of certain logged events.
The method of alerting can vary, but must take the form of a “push” notification.
Applies to: All
Centralize Anti-Malware Logging#
The product must allow all malware detection events to be sent to enterprise anti-malware administration tools and event log servers for analysis and alerting.
This assist in the early detection of an incident and ensures the proper security personnel are alerted to malware on the network.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 2.3.4
Enable DNS Query Logging#
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
This is used to detect attempts to reach known malicious sites from within your network. This will help detect malware and prevent it from communicating with its command and control infrastructure.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 2.3.5
Enable Command-Line Audit Logging#
Enable command-line audit logging for command shells, such as Microsoft Powershell and Bash.
A large percentage of malware uses Powershell and Bash. This logging will assist in the detection of malware and a better understanding of its impact.
Applies to: Appliance-based products, or other standard configurations that include a command shell.
Reference: CIS Security Best Practices for Non-Voting Election Technology 2.3.6
Log and Alert on Changes to Administrative Group Membership#
Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
Changes to election technology administrator accounts must be logged and alerted. Quick notification allows for timely remediation in the event of privilege escalation or other attack.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 2.4.8
Central Log Management#
Logs must be aggregated to a central log management system for analysis and review.
Networked election technology solutions must utilize central event logging. Central event logging is extremely beneficial for detecting events and ensuring event logs are properly protected.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.3.5
Enable Detailed Logging#
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Election technology components particularly servers and those devices in publicly accessible network interfaces should capture detailed enough information to fully understand and reconstruct security incidents.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.3.6
Log User Activity#
Log relevant use activity, at a minimum login times, pages/screens viewed. Take care to not log information that would violate voter or ballot privacy.
This can greatly assist with understanding the impact of security incidents involving user accounts. This is especially important for administrators.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.6.10
Log Administrative Activities#
Log all administrative activities on the application or any of its components.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.6.6
Log Access to Sensitive Data#
Log all access to sensitive data. This is particularly important for corporations that have to meet regulatory requirements like Health Insurance Portability and Accountability Act (HIPAA), PCI, or Sarbanes-Oxley Act (SOX).
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology A1.6.7
Maturity Level 3#
Log and Alert on Unsuccessful Administrative Account Login#
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
This enables election technology administrators to detect attempts to brute force or socially engineer access to administrator accounts.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 2.4.9
Enforce Detail Logging for Access or Changes to Critical or Sensitive Data#
Enforce detailed audit logging for access to sensitive data or changes to sensitive data using tools such as File Integrity Monitoring or Security Information and Event Monitoring.
This can help detect a malicious attempt to alter the integrity of the data. Database level logging can be enabled to track all changes to the database.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 4.2.10
Monitor Attempts to Access Deactivated Accounts#
Monitor attempts to access deactivated accounts through audit logging.
This can alert election system administrators to likely malicious behavior.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.1.12
Alert on Account Login Behavior Deviation#
Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
Major commercial systems have the capability to establish an activity baseline based on time of day, IP address, and other data. Where possible, set up alerts to anomalous behavior for early detection of a possible attack.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.1.13
Deploy SIEM or Log Analytic Tools#
Support the use of Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
Timely and accurate detection of potential security events is critical during peak election periods. A SIEM solution can greatly assist with this.
Applies to: All
Reference: CIS Security Best Practices for Non-Voting Election Technology 5.3.4