Teri Radichel



The attackers are in your network — now what?

How will you know and what will you do about it?


My previous posts in this series on Cybersecurity for Executives covered many precautions you can take to defend systems. No matter how much defense you employ, at some point you will have a security incident. That brings us to two questions: how will you know when an attacker has breached your defenses, and what will you do about it?

This post covers two topics at a very high level:
Security monitoring: Ensuring all systems have logging enabled, alerts set up for suspicious behavior, and someone is assigned to watch the logs and alerts.
Incident handling: When something in the logs indicates a security breach, a team of professionals trained to investigate the breach takes action to resolve the breach in the appropriate way.

Incident handling and monitoring teams

The most critical point for executives is to ensure you have an incident handling team that is separate from other teams building, testing, and monitoring systems, if at all possible. That team may be monitoring the logs, or you may have a separate team monitoring logs. At some companies, the team that monitors logs for security incidents is called a Security Operations Center, which is more commonly called a SOC (pronounced “Sock”).

If you would like a full copy of the book click here to purchase on Amazon: Cybersecurity for Executives in the Age of Cloud

Multiple reasons exist for having a separate team or teams for this security function. The first is that those monitoring logs have training specifically for incident handling, so they know what to look for in the logs and how to create alerts. This training includes how to use security tools such as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS), tools to perform disk and memory capture, memory analysis, and reverse-engineering of malware. This team should be aware of the top threats and know how to correctly determine whether suspicious activity in the logs is an event or an incident.

What’s the difference between a security event and a security incident?
Security Event: Something suspicious occurs in the logs.
Security Incident: The suspicious event is an actual security problem.

Although I highly recommend training developers, QA, IT professionals, and DevOps engineers to learn how to spot security problems in logs, these teams are not focused on this task. They generally focus on building things, and that is a different mindset. Hire people specifically focused on finding security threats and resolving security incidents for the best results.

If you are an executive or business owner, you can probably relate to the fact that context-switching is distracting and can waste time. One minute you are negotiating a contract. Then you are scheduling meetings. Next, you are looking over financials. Then you are preparing a presentation for an upcoming speaking engagement. Someone calls and asks if you can participate in their podcast. You are already overwhelmed. If you also had to watch all your logs for security problems, that would be hard, right? Larger organizations can afford to have people focused on monitoring security logs, and they usually have a separate team for this purpose. Smaller companies can outsource this activity to another company.

The SOC

I don’t know what type of security operations center all large companies have, but at one I worked for, it looked like something out of the movies. You walked into a big room with rows of desks pointed towards some large TV screens. The screens were full of news reports, Twitter feeds such as what the hacker group Anonymous was up to, and lots of logs. There was a separate room with no windows, and no cameras were allowed in it. The people who worked in this room performed need-to-know investigations and employee monitoring.

This team would try to identify threats in the environment and contact the appropriate group to resolve the problem. For example, if a particular IP address appeared to be infiltrating the network or a new strain of malware was taking advantage of a particular open port, the people in the SOC could contact the firewall team to create a new rule and block the attack.

Some organizations do not have money for such an extensive facility, so they make do with people at ordinary desks doing what they can to stay on top of the logs and alerts. Others outsource the SOC function to another company. If monitoring security is not the company’s expertise, this can be a viable option. Another reason companies may outsource the SOC function is to get 24x7 monitoring by hiring a company in a different time zone. Be aware that opening your network and sending logs to third parties brings with it the additional risks I mentioned in other posts, so make this vendor selection with care.

It is still a good idea to get security training for your internal team. When the outsourced SOC contacts your organization to tell you an incident has occurred or is occurring, make sure you have people prepared to deal with it appropriately.

Before the Target breach, the company outsourced some of their security monitoring functions to a company in India. The company in India reported the incident to Target in Minnesota, but whoever received that notification did not respond to it. Several possible explanations exist. For example, perhaps the message was not clear, or the person who got the message was distracted by another pressing matter.

Logs — All of them

To determine if your organization is under attack or an attacker has breached any systems, the company needs to collect logs — the more logs, the better. If a security incident occurs and no logs exist, it is impossible to tell what happened. This scenario is problematic for several reasons.

The organization may have been breached but doesn’t know it. As I already explained in prior posts, some companies had attackers inside their network for months or years. If no logs exist, there is nothing that shows what the attackers are doing.

Some breaches incur fines if a breach of certain types of data occurs. If no logs exist, the people investigating the breach may not be able to tell how many records the attackers accessed. In that case, the organization must provide the worst-case scenario number of records. That amount may be much higher than the actual number of records obtained, and as a result, the company has to pay more than it should have.

If the company wants to take legal action related to a breach, they need proof. The logs provide that proof, showing what actions took place and who did it. If no logs exist, there is almost always no way to know what happened.

There are many types of logs. Different logs exist depending on what type of systems you are running and in what environment. All the different infrastructure in an on-premises office, data center, or cloud environment has system logs. Hopefully, every Internet-connected device has traffic, network, or access logs of some kind.

Overview of common types of logs:

Operating system logs: your laptops, servers, and desktops produce different types of logs for different system functionality.

Application logs: Your developers and vendors build logging into the applications they build. Make sure systems have logging enabled at the appropriate level. Usually, organizations turn off debug logs, which contain detailed error information and possibly sensitive data, in production.

Server software logs: Turn on logs for web servers, mail servers, DNS servers, NTP servers, and any other type of server software running on your network.

IoT device logs: You may have logs for cameras, printers, automated coffee makers, and even fish tanks. If these devices have access over the network to other systems, make sure their logs are enabled, or at least log network traffic to and from these devices.

Network logs: As data flows through your network and to and from the Internet, it flows through devices that route the packets to the correct destination. These network logs are vital because even if an attacker gets into an individual device and turns off the logs on that device, he or she will generally not have access to turn off network logs. I explained previously how network logs helped me identify my first breach, even though I knew little about cybersecurity.

Cloud logs: Every cloud service you use should produce logs that tell you who logged in when, what they did, and what data they accessed. Ensuring cloud services can provide the logs you need should be part of your vendor assessment.

All the other logs: Any other device, application, or system connected to your network should have logs, including load balancers, firewalls, security appliances, HVAC systems, voice-enabled devices, alarm systems, mobile devices, and thermostats.

Collecting Logs

To get logs from all these devices, you need to make sure the logging functionality is on. The logs need to be secure, so someone cannot change them or delete them. You can replicate live logs to an alternate location. You may want to encrypt them.

You need to understand how the logs work. Is it a daily log file that overwrites itself each day? Is there a file for each day? Does the log file overwrite itself after a certain amount of time? Even if an attacker cannot delete or write into the files directly, he or she can generate lots of log entries so that the rotation mechanism itself overwrites the entries that show the actions taken during the attack. Make sure you structure and back up your logs so this doesn’t happen. Just as I explained in my post on security disaster recovery, make sure your backups are sound.

Logs can take up a great deal of space. Organizations need to determine how long they keep the logs. Use different tiers of storage with faster or slower access; this reduces long-term archival costs when compliance requires keeping logs for up to a year, as it does in some industries. Organizations need to make sure they have enough physical hardware to store the logs. Alternatively, use a scalable cloud service.

Make sure all the systems have timestamps in sync. Often an attacker pivots through an environment, and the people investigating the logs need to compare logs from different sources to piece together what happened. If the timestamps are in sync, it is easier to correlate the data in the logs.

Monitoring Logs

Now that you have all the logs, someone needs to monitor the logs. They can also create alerts for suspicious activities and use security tools that help analyze and alert people to suspicious events. I wrote about some of these types of security products in my last post.

Another type of security product companies use to help them monitor logs is called a SIEM (Security Incident and Event Monitor), into which companies capture as many logs as possible from different sources. This tool helps track events and helps security teams find threats and respond to them. A SOC may use a SIEM for monitoring, and it can help companies meet logging requirements for compliance.

Looking for threats in logs is sometimes called threat hunting. Ideally, your security products and services find every attack in your environment, but I already explained why that is not always the case. At this point, training people to look for suspicious activity in your logs helps. You may have a SOC or an incident response team, but training all your IT and operations team members to be aware of threats helps your organization find a breach faster and shut it down.

Logs can contain any number of suspicious patterns, such as numerous failed logins, excessively large data transfers, unexpectedly long connections, and memory dumps in logs indicative of malware attempting buffer overflows or other types of attacks. Some malware embeds itself so deeply into an operating system that you won’t see it in any of the management tools in the operating system itself, but you can see it on the network as it communicates with other devices, provided you know what traffic is expected and unexpected and your logs are clear.
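As an added example (not code from the original post), here is a small Python scan over constructed auth and flow log lines that flags two of the patterns just listed, bursts of failed logins from one source and oversized outbound transfers, normalising the timestamps to UTC first as the section on collecting logs recommends. The log formats, thresholds, hostnames and addresses are assumptions.

```python
# Added example, not the post's own code: flag two of the patterns named above
# (failed-login bursts, oversized outbound transfers) in constructed log lines.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
AUTH_LOG = [  # constructed sample auth entries; note the differing UTC offsets
    "2019-10-03T09:00:01-07:00 sshd Failed password for admin from 203.0.113.7",
    "2019-10-03T09:00:02-07:00 sshd Failed password for admin from 203.0.113.7",
    "2019-10-03T09:00:03-07:00 sshd Failed password for root from 203.0.113.7",
    "2019-10-03T09:00:04-07:00 sshd Failed password for admin from 203.0.113.7",
    "2019-10-03T09:00:05-07:00 sshd Failed password for admin from 203.0.113.7",
    "2019-10-03T16:10:00+00:00 sshd Failed password for bob from 198.51.100.4",
]
FLOW_LOG = [  # constructed sample flow records: time src dst port bytes_out
    "2019-10-03T16:00:00Z 10.0.0.5 203.0.113.7 443 bytes_out=1200",
    "2019-10-03T16:05:00Z 10.0.0.9 198.51.100.4 22 bytes_out=5368709120",
]
FAILED_LOGIN_THRESHOLD = 5        # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)
LARGE_TRANSFER_BYTES = 1024 ** 3  # 1 GiB out in a single flow

def to_utc(stamp):
    """Normalise an ISO 8601 timestamp with any offset to UTC for correlation."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def failed_login_bursts(lines):
    """Return {source: count} for sources with >= threshold failures inside WINDOW."""
    failures = defaultdict(list)
    for line in lines:
        if "Failed password" in line:
            stamp, *_, src = line.split()
            failures[src].append(to_utc(stamp))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window from each failure
            count = sum(1 for t in times[i:] if t - start <= WINDOW)
            if count >= FAILED_LOGIN_THRESHOLD:
                flagged[src] = count
                break
    return flagged

def large_transfers(lines):
    """Return [(src, dst, bytes)] for flows whose outbound bytes exceed the threshold."""
    hits = []
    for line in lines:
        _stamp, src, dst, _port, kv = line.split()
        size = int(kv.split("=", 1)[1])
        if size >= LARGE_TRANSFER_BYTES:
            hits.append((src, dst, size))
    return hits
```

In a real deployment the thresholds would be tuned per environment and the sources fed from the SIEM rather than inline lists.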

There are so many things in logs that can indicate a problem. Those are just a few to consider. Sometimes, you don’t or can’t see anything in the logs, but you know something went wrong for some other reason. Perhaps the FBI (if you are in the United States) came knocking on your door to tell you that someone is selling your data on the Dark Web, the place where criminals and people who want to hide transactions do business. Perhaps money is missing from your bank account. Maybe a user is telling you that their machine is “acting funny,” or someone suspects that their emails are being read based on some external events.

Incident Response

Once an organization determines that a security incident has occurred, the process of incident response kicks in. There are different versions of an incident response process, and you want people who have received proper incident response training to handle the incident. Some people train employees to handle incidents, and others hire companies that specialize in this area of security.

I’ve already explained why logs are essential in a security incident. The other important factor is that all logs and data must be accessed, stored, and transferred appropriately, following what is known as chain of custody, to be admissible in a court case. If the security incident involves a physical server, an exact copy of the disk is required, along with a hash to prove no one altered it at any point after capture.
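As an added example (not the post’s own code), the following Python hashes a captured image in chunks, appends chain-of-custody entries recording who handled it and when, and verifies that the image still matches the hash recorded at capture, so any alteration after capture is detected. The file names, handler names and JSON-lines record layout are assumptions, and the “image” is a constructed byte string.

```python
# Added example, not the post's own code: hash a captured disk image and keep a
# chain-of-custody record so later handlers can prove the copy is unchanged.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images never sit in memory

def hash_image(path):
    """SHA-256 of the file at path, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_custody(log_path, image_path, handler, action):
    """Append one custody entry (who, when, what, hash) as a JSON line."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "image": image_path, "sha256": hash_image(image_path)}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(log_path, image_path):
    """True only if every custody entry recorded the capture-time hash and the
    image on disk still produces that hash (no gap where it could have changed)."""
    with open(log_path) as f:
        entries = [json.loads(line) for line in f if line.strip()]
    if not entries:
        return False
    captured = entries[0]["sha256"]
    return all(e["sha256"] == captured for e in entries) and hash_image(image_path) == captured

def demo():
    """Constructed walk-through: capture, hand over, verify, then detect a change."""
    with tempfile.TemporaryDirectory() as d:
        image, log = os.path.join(d, "evidence.img"), os.path.join(d, "custody.jsonl")
        with open(image, "wb") as f:  # constructed stand-in for a real disk image
            f.write(b"\x00" * 4096 + b"constructed disk image bytes")
        record_custody(log, image, "analyst-a", "captured from server")
        record_custody(log, image, "analyst-b", "received for analysis")
        intact = verify_custody(log, image)
        with open(image, "r+b") as f:  # simulate alteration after capture
            f.write(b"X")
        return intact, verify_custody(log, image)
```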

Unfortunately, some malware hides its traffic inside expected traffic or encrypts it, in which case an incident handler needs to look at the memory on the system. Some incident responders receive training to capture and analyze system memory to determine whether malware exists on the system and what it is doing. That memory is lost as soon as someone shuts down or reboots the system. If the people handling the incident don’t know better, they may unplug, reboot, or shut down the system before the incident responders can complete their analysis.

Depending on the size and type of security incident, an organization may need to disclose the breach or call in law enforcement. Organizations need to determine how they communicate the breach and who needs to be involved. One of the reasons for having a separate team handle the incident is in case you have an insider threat. Additionally, incident handlers might not use the organization’s standard means of communication in case the attackers compromised those channels.

Preparation

Incident response involves a lot more than what I have covered here, but as you have probably figured out, you should prepare in advance. Avoid having someone destroy evidence or hinder an investigation by training them upfront.

Ensure that people know what to do and whom to contact when they suspect a security incident. A policy should state the actions people should take if they find or suspect a security problem. Communicate the policy to the entire organization, and don’t expect them to remember it just because they watched a video or signed a document. Display the information in places where people will see it. If you travel in the U.S., you may have heard the announcement at the airport: “If you see something, say something.” This is a campaign by the Department of Homeland Security. If you remember this phrase, you likely travel a lot as I do (I’m sitting in an airport as I write this), and the announcements reinforce the message over time. Do this with your security policies, and especially this one.

I worked on a cloud audit at one company where many different departments managed the cloud systems they use. I prepared a list of questions for them regarding their security controls. I also went through the policies the company had created with the help of the auditors. One of the policies was whom to contact in the case of a security incident. When I asked five different teams, none of them gave the correct answer. Additionally, most of them were not looking at logs, or if they were, they didn’t know what to monitor to see if a security problem existed. The security team did not have access to any of the logs.

Most security professionals suggest establishing law enforcement connections in advance. Additionally, if you think you may need outside assistance, establish a relationship with that company and have them on call for the point when an incident occurs.

When a significant incident occurs, the organization may need to disclose information. Someone needs to talk to the press when they call. The organization may need to notify customers through emails, letters, and a statement on the website. Who is responsible for this in your organization, and are they prepared?

You may not want your employees speaking to the press. When I contacted people I knew from Capital One, some of them inside the company (not all) said they couldn’t speak to me because they were “being monitored.” It is probably a good policy to inform people that they should not speak to third parties about an ongoing incident or investigation. Though some people did talk to me who may not have received those directives, along with some people who had already left the company, I did not publish everything they told me, as I’m not a dirt-digging reporter. Some news outlets may jump to conclusions and write malicious articles that hurt the organization. Communicate to employees what can and cannot be discussed with external sources.

Practice in advance. Gather teams to do tabletop exercises. Practice capturing evidence such as disk or memory capture. Make sure you have the proper skills and tools to do this effectively without destroying or losing evidence. Executives should participate in incident response preparation. Executives should be involved in decisions and communication throughout the process.

Teri Radichel | © 2nd Sight Lab 2019
