Is There a Log of That?
Invalid logical access attempts are often an indication of a malicious user attempting to access something they don’t have permission to access. This is why PCI Requirement 10.2.4 requires that organizations implement automated audit trails to reconstruct invalid logical access attempts. Misspell your password? There should be a log of that. Someone tries to view a file that they don’t have permission to view? There should be a log of that. A user tries to execute a permission they do not have? There should be a log of that. Anytime there’s an invalid logical access attempt, there should be a log of that.
PCI Requirement 10.2.4 is often misunderstood. What it calls out is that any invalid logical access attempt gets logged. For example, if somebody logs into an operating system and they happen to fat-finger their password, we get a log of it. What about when there’s a file sitting out on a repository somewhere, and an individual who doesn’t have the rights to view that file tries to view it anyway? That should create a log. What about when you have an application with specific permissions that are not allocated to a user, and that user tries to execute those permissions? In these situations, we look to see that logs are being generated. Once again, when somebody performs this type of activity, or tries to execute or access something that they don’t have permission to, that should create a log.
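The check described above (a log exists for each kind of invalid access attempt) can be sketched as a small coverage test over collected log lines. This is an added example, not part of the original article: the sample lines are constructed, the sshd and auditd lines follow those tools' usual formats, and the `payapp` application log format and the `access-denied` audit key are hypothetical.

```python
import re

# Constructed sample lines (not from any real system). The "payapp" line is a
# hypothetical application log format used only for illustration.
SAMPLE_LOGS = """\
Nov 14 09:12:01 web01 sshd[2211]: Failed password for alice from 198.51.100.7 port 50522 ssh2
Nov 14 09:12:09 web01 sshd[2211]: Accepted password for alice from 198.51.100.7 port 50522 ssh2
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c uid=1001 comm="cat" exe="/usr/bin/cat" key="access-denied"
Nov 14 09:15:40 app01 payapp: user=bob action=refund.issue result=DENIED reason=missing_permission
""".splitlines()

# One pattern per kind of invalid logical access attempt named in the text:
# a mistyped password, a denied file access, a denied application permission.
PATTERNS = {
    "failed_login": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<who>\S+)"),
    # exit=-13 is EACCES and exit=-1 is EPERM on Linux
    "file_access_denied": re.compile(
        r"type=SYSCALL .*success=no exit=-(?:13|1)\b.* uid=(?P<who>\d+)"),
    "permission_denied": re.compile(
        r"payapp: user=(?P<who>\S+) action=\S+ result=DENIED"),
}

def classify(line):
    """Return (category, actor) for an invalid access attempt, else None."""
    for category, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            return category, match.group("who")
    return None

def coverage(lines):
    """Count logged events per category across the supplied log lines."""
    counts = {category: 0 for category in PATTERNS}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return counts

def missing_categories(lines):
    """Categories with no logged event: gaps in the audit trail evidence."""
    return sorted(c for c, n in coverage(lines).items() if n == 0)

if __name__ == "__main__":
    print(coverage(SAMPLE_LOGS))
    print("no evidence for:", missing_categories(SAMPLE_LOGS) or "none")
```

Run it against logs gathered after deliberately triggering each kind of attempt in a test environment; any category it reports as missing is one where no log was generated.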