About

Security logging and monitoring failures are not an explicit vulnerability like the other OWASP Top 10 risks. Rather, the category is a best-practice guide for protecting the application.

Description

Security logging and monitoring failures were previously known as insufficient logging and monitoring, which described a lack of logged events. The failure occurs when, during a security-critical event, the application does not record the event or omits influential details about it. As a result, compromises are sometimes not detected at all or are noticed much too late.

Logging and monitoring are essential for situational awareness and timely response. Without them, discovering the source of attacks may become difficult. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected. On average, it takes up to seven months for an attack to be noticed.* Detectors built into the application can provide a remedy: they can identify attackers on their first attempt and initiate protective measures themselves.

The exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Coupled with missing or ineffective integration with incident response, it allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.

*Statistics show that identifying attacks is often difficult. The delay before identification of Advanced Persistent Threats (APT) is 98 days in the financial sector and 197 days in online trading. That’s almost seven months. 58 % of the financial service providers surveyed and 71 % of online merchants estimate the probability of being able to contribute to a significant improvement in this situation in the coming year to be somewhat low. Given that more than 50 network attacks per month occur at 83 % of financial service providers and 44 % of online merchants, this situation is alarming.

Source

Overview

Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to nearly 100%.

OWASP rates the exploitability of this weakness as “medium”, its prevalence as “high” and its detectability as “low”. The outcomes are documented as somewhat challenging to define, mainly because of the way attacks are initiated.

Detection

One approach for determining whether you have sufficient monitoring is to review the logs following a penetration test. The testers’ actions should be recorded in enough detail to comprehend what damage they may have inflicted. From an outsider’s perspective, this risk is hard to detect, since the logs should only be exposed internally.

According to OWASP, insufficient logging, detection, and monitoring occur in the following cases:

  • Auditable events, such as logins, failed logins, and high-value transactions, are not logged.

  • Warnings and errors generate no, inadequate, or unclear log messages.

  • Logs of applications and APIs are not monitored for suspicious activity.

  • Logs are only stored locally.

  • Appropriate alerting thresholds and response escalation processes are not in place or effective.

  • Penetration testing and scans by DAST tools (such as OWASP ZAP) do not trigger alerts.

  • The application is unable to detect, escalate, or alert for active attacks in real-time or near real-time.

Potential impact

Prevention of cyber attacks is the best way for organizations to prevent costly security incidents. If an attack should occur despite precautions, a quick reaction is required to reduce the cost. Immediate identification of the breach costs large enterprises 456,000 US dollars. If the incident remains undetected for one week, the costs even double to 1.2 million US dollars. Furthermore, when a security breach is not detected in time, the attackers have time to escalate the attack further into the system.

Prevention

OWASP recommends the following measures according to the risk of the data stored or processed by the application:

  • Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts and held for adequate time to allow delayed forensic analysis.

  • Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

  • Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.

  • Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.

  • Establish or adopt an incident response and recovery plan, such as NIST SP 800-61 rev. 2 or later.
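The first three OWASP measures above (sufficient user context, a machine-readable format for central collection, and a tamper-evident audit trail for high-value events) can be illustrated in a few dozen lines. The following is an added example written for this page, not code from OWASP or from any referenced project: it emits structured JSON records for auditable events and stores them in a hash-chained, append-only log whose head hash is meant to be kept off-host. The field names and event type names are this example's own assumptions.

```python
import hashlib
import json
import time
from typing import List, Optional

# Event types the prevention list singles out as auditable (names are this example's own).
AUDITABLE = {"login_success", "login_failure", "access_denied",
             "input_validation_failure", "high_value_transaction"}


def security_event(event_type, user, source_ip, outcome, request_id, ts=None, **details):
    """Build one structured, JSON-serialisable record with enough user context
    (who, from where, which request) to attribute the event during later forensics."""
    if event_type not in AUDITABLE:
        raise ValueError("not an auditable event type: %s" % event_type)
    return {
        "ts": ts if ts is not None else time.time(),  # hosts should be NTP-synchronised
        "event": event_type,
        "user": user,
        "src_ip": source_ip,
        "outcome": outcome,          # "success" or "failure"
        "request_id": request_id,    # correlates with ordinary application/API logs
        "details": details,
    }


class HashChainedAuditLog:
    """Append-only audit trail. Every line stores the SHA-256 of the previous line, so
    editing or deleting a record breaks verification from that record onwards. The
    current head hash must be kept somewhere the application host cannot rewrite."""
    GENESIS = "0" * 64

    def __init__(self):
        self.lines: List[str] = []

    @staticmethod
    def _line_hash(line: str) -> str:
        return hashlib.sha256(line.encode("utf-8")).hexdigest()

    def head(self) -> str:
        return self._line_hash(self.lines[-1]) if self.lines else self.GENESIS

    def append(self, record: dict) -> str:
        entry = {"prev": self.head(), "record": record}
        # Canonical serialisation so the hash of a line is reproducible on any host.
        line = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        self.lines.append(line)
        return line

    @classmethod
    def verify(cls, lines: List[str], expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first line
        that fails. A mismatch against the externally stored head reports len(lines)."""
        expected = cls.GENESIS
        for i, line in enumerate(lines):
            try:
                entry = json.loads(line)
            except json.JSONDecodeError:
                return i
            if entry.get("prev") != expected:
                return i
            expected = cls._line_hash(line)
        if expected_head is not None and expected != expected_head:
            return len(lines)  # tail was edited or truncated
        return None


def demo():
    """Constructed sample session: one failed login, one success, one large transfer."""
    log = HashChainedAuditLog()
    log.append(security_event("login_failure", "alice", "198.51.100.7", "failure",
                              "req-1", ts=1700000000, reason="bad_password"))
    log.append(security_event("login_success", "alice", "198.51.100.7", "success",
                              "req-2", ts=1700000005))
    log.append(security_event("high_value_transaction", "alice", "198.51.100.7", "success",
                              "req-3", ts=1700000020, amount=25000, currency="EUR"))
    head = log.head()
    intact = log.verify(log.lines, head)

    edited_middle = list(log.lines)           # rewrite the first record in place
    edited_middle[0] = edited_middle[0].replace("bad_password", "ok")
    edited_tail = list(log.lines)             # shrink the transaction amount
    edited_tail[2] = edited_tail[2].replace("25000", "25")
    truncated = log.lines[:2]                 # drop the transaction entirely

    return (intact,
            log.verify(edited_middle, head),
            log.verify(edited_tail, head),
            log.verify(truncated, head))
```

Editing a record in the middle of the chain is caught by the next line's `prev` field; editing or deleting the last record is only caught because the head hash was stored outside the log, which is why the separate, hardened log server recommended below matters.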

In addition to the measures defined by OWASP, further security steps are recommended:

  • Use a separate, dedicated, security-hardened server platform to capture and store events in the audit log.

  • Use network time synchronization technology to synchronize system clocks, which also enables automated monitoring tools to analyze event patterns that occur in real-time.

  • Enforce robust access control on logs.

  • Create a proper incident response plan.

  • Ensure 24/7 monitoring by implementing a warning system.

Also, consider the following:

  • Know your base traffic to determine what is not usual.

  • Determine the presence of unknown/unauthorized IP addresses in wireless networks.

  • Be cautious with multiple failed login attempts for system authentication and event logs.

  • Track suspicious network activity after hours.

  • Investigate the inexplicable system reboots or shutdowns.

  • Check for services and applications configured to start automatically without authorization.
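Several of the points in the last two lists (alerting thresholds, a known traffic baseline, unknown source addresses, repeated failed logins, after-hours activity) come down to rules evaluated over the structured log stream. The following is an added example for this page, not code from OWASP or any referenced source: it reads constructed JSON log lines and applies three such rules. The log field names, the baseline networks, the five-failures-per-minute threshold and the 08:00 to 18:00 UTC business window are all assumptions of the example.

```python
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timezone


def _ts(y, mo, d, h, mi=0, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()


# Constructed sample log lines: six rapid failures against "bob" from one address,
# an after-hours admin action, a normal login, and a login from an unknown network.
SAMPLE_LINES = [json.dumps(r) for r in (
    [{"ts": _ts(2024, 1, 15, 10, 0, i * 5), "event": "login_failure", "user": "bob",
      "src_ip": "203.0.113.5", "outcome": "failure"} for i in range(6)]
    + [{"ts": _ts(2024, 1, 15, 10, 1, 0), "event": "login_success", "user": "alice",
        "src_ip": "198.51.100.7", "outcome": "success"},
       {"ts": _ts(2024, 1, 15, 3, 12, 0), "event": "admin_action", "user": "carol",
        "src_ip": "10.0.0.5", "outcome": "success", "action": "service_autostart_enabled"},
       {"ts": _ts(2024, 1, 15, 10, 5, 0), "event": "login_success", "user": "dave",
        "src_ip": "192.0.2.44", "outcome": "success"}]
)]

# Assumed baseline: the networks from which this application normally sees traffic.
BASELINE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def analyze(lines, baseline_nets=BASELINE_NETS, fail_threshold=5, window_s=60,
            business_hours=(8, 18)):
    """Return a list of alert dicts produced by three threshold/baseline rules."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # in production, malformed lines deserve their own counter
    events.sort(key=lambda e: e["ts"])

    alerts = []
    recent_failures = defaultdict(deque)   # src_ip -> timestamps inside the window
    flagged_bruteforce, flagged_unknown = set(), set()

    for e in events:
        ip, kind = e.get("src_ip"), e.get("event")
        when = datetime.fromtimestamp(e["ts"], tz=timezone.utc)

        # Rule 1: repeated failed logins from one source within a sliding window.
        if kind == "login_failure":
            q = recent_failures[ip]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window_s:
                q.popleft()
            if len(q) >= fail_threshold and ip not in flagged_bruteforce:
                flagged_bruteforce.add(ip)
                alerts.append({"rule": "brute_force", "src_ip": ip, "count": len(q),
                               "user": e.get("user")})

        # Rule 2: successful activity from an address outside the known baseline.
        if e.get("outcome") == "success" and ip not in flagged_unknown:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                addr = None
            if addr is not None and not any(addr in net for net in baseline_nets):
                flagged_unknown.add(ip)
                alerts.append({"rule": "unknown_ip", "src_ip": ip, "user": e.get("user")})

        # Rule 3: administrative changes outside business hours.
        if kind == "admin_action" and not (business_hours[0] <= when.hour < business_hours[1]):
            alerts.append({"rule": "after_hours", "src_ip": ip, "user": e.get("user"),
                           "action": e.get("action"), "hour_utc": when.hour})

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(json.dumps(alert))
```

The rules fire once per offending address rather than once per event, which is the difference between a usable alert queue and one that analysts learn to ignore; the thresholds themselves should be derived from the organisation's own baseline traffic.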

Cases

In 2016, Yahoo reported two breaches: one from 2014 affecting 500 million users and, a few months later, another from August 2013 impacting over a billion users. The latter figure was afterwards corrected to three billion affected users.

____________________________________________________________________________________________

References and more information:

[1] OWASP

[2] Medium

[3] ContrastSecurity

[4] Detectify

[5] Kratoslab
