Insufficient Logging and Monitoring is one of the categories on OWASP‘s Top 10 list and covers the lack of best practices that should be in place to prevent or damage control security breaches. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series.
Rather than being a vulnerability in itself, Insufficient logging and Monitoring is an OWASP category that covers the lack of various best practices that could in turn prevent or damage control security breaches.
The category includes everything from unlogged events, logs that are not stored properly and warnings where no action is taken within reasonable time.
When OWASP made this a top 10 vulnerability, the category became part of the list based on a industry survey rather than quantifiable data, so it is unclear how many systems are affected. However, there are always improvements to be made, and logging and monitoring is something that everyone should always have in mind.
In 2016, the average detection rate for an attack was 191 days. Had the breaches been detected earlier the impact could be drastically minimised.
When a security breach is not discovered in time, the attackers have time to escalate the attack further into the system. It also means they can use the stolen data for malicious purposes for a longer time.
When a data breach is made public, it is impossible to say whether the company has been aware of it for a while or just recently discovered it.
With that said, Yahoo would be a good example of what happens when a breach is not made public in time. In September 2016, the company reported a breach from 2014 affecting 500 million users. A few months later, in December, Yahoo reported another breach, this time from august 2013, affecting over a billion users. Information about the latter breach was later corrected, with the number of affected users being updated to three billion users.
How to discover Insufficient Logging and Monitoring
From an outsider perspective, Insufficient Logging and Monitoring is really hard to detect. The logs should only be exposed internally, so whether or not logging and monitoring best practices are implemented is not something an outsider can determine.
Look over the system architecture and make sure there are routines in place on how to handle the logs from every application and system. Many applications and systems already produce a lot of logs, but without proper routines, logging gives little value.
How Detectify can help
Neither insufficient logging nor monitoring can be discovered by an outside attacker. As such, Detectify cannot directly detect those issues. However, to validate that the logging routines actually work and that the right system sends alerts in certain situations, it is a good idea to try to see what is logged during a Detectify scan.
Is it possible to follow what has been done, how it affected the performance of the system and in what way? Would this information be available if a attacker hacked the system to delete the logs, or are they only stored locally on the server?
As mentioned above, Detectify cannot directly look for those issues, but can act as a simulated attack to help you validate your logging and monitoring.
Make sure the logs are backed up and synced to another server. The attacker should not be able to clear all the logs after hacking the server and by doing so preventing any forensics.
Go over the system and make sure sensitive actions are logged. This would include logins, high value transactions, password changes, and so on. This is valuable when investigating a hack afterwards.
Make it a routine to actually look at the most important logs and automate the process for the rest. There should be a system in place that alerts you if a specific warning has been triggered or if a certain warning threshold has been reached, so that proper action can be taken.