Welcome to the final article in our blog series on the OWASP Top 10 Security Vulnerabilities. In this article, we’ll take a detailed look at OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring.
Audit Trail Vulnerabilities: Insufficient Logging and Monitoring
Insufficient logging and monitoring of computer systems, applications and networks provide multiple gateways to probes and breaches that can be difficult or impossible to identify and resolve without a viable audit trail.
Typical log architecture generates both security and operational logs, analyzes, stores and monitors those logs. This is not only important for dealing with the threats resulting from insufficient logging and monitoring but for regulatory compliance as well. With today’s varying levels of application, server and network communication, it’s imperative to maintain more than a modicum of best practices pertinent to your industry and to your organization. Vulnerabilities and breaches often take the better part of a year to find — up to 200 days in some cases — and can cost enterprises millions of dollars.
Vulnerabilities: Security and Operational Logs
Security logs are different than operational logs. Operational logs (aka operating system logs) will include routine system events like logins and shutdowns on workstations, servers and networks. They will also derive logs from associated security software. Security logs from security software include logs from firewalls, routers, and host or network security devices and services.
Operational logs are indispensable for honing in on questionable activity that may lead to an attack on your most sensitive and mission-critical data. However, security logs are often deemed supplementary, depending on what a particular company requires for an investigation into a vulnerability or threat. Either way, both types of logs are invaluable for identifying and resolving insufficient logging and monitoring vulnerabilities.
Basic vulnerabilities include:
- unlogged events, such as failed login credentials
- locally stored logs without cloud backup
- misconfigurations in firewalls and routing systems
- alerts and subsequent responses that aren’t handled effectively
- malicious activity alerts not detected in real-time
Penetration testers and auditors should test and validate computer systems, applications, related servers, and networks periodically. Deficiencies are vulnerabilities that need to be addressed as soon as they are identified.
You do not want to stop logging if you find yourself vulnerable. While insufficient logging and monitoring vulnerabilities create a high prevalence of breach potential, abruptly stopping the logging may alert savvy attackers to the fact that your sensitive and mission-critical data may be exposed and easily exploited. Adhere to your company’s best practices if your company has established them.
Prevention is key. Not all logs are clear or readable. They should be monitored and validated at a pace commensurate with your business impact.
Logging and Monitoring Best Practices
If you do not mandate that your company collect, store, maintain and monitor logging activity, then you are opening yourself to costly security breaches that you cannot easily track. Audit trails provide your IT staff with the tools for the identification, prioritization, investigation, and resolution of exploitation.
Most U.S. states and territories have enacted security breach notification laws. Therefore, it is in the best interests of all private and government entities to comply with all national and state regulations. Center to compliance is logging and monitoring all events that involve your company. Here are a few regulations that you may be required to comply with:
- The Federal Information Security Management Act for Federal agency systems
- The Gramm-Leach-Bliley Act for financial institutions
- The Sarbanes-Oxley Act of 2002 for financial and accounting purposes
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) for healthcare
- Requirement 10 of the Payment Card Industry Data Security Standard (PCI-DSS) for organizations storing, processing and transmitting credit card data
The Control Objectives for Information and Related Technology (COBIT) has more information to guide you regarding best practices and increasing regulatory demands.
Find and Implement Viable Policies and Procedures
You can further minimize insufficient logging and monitoring exploitation by establishing feasible policies and procedures that mandate consistency and compliance throughout your company’s infrastructure.
Doing so will:
- reduce breach risk by setting up clear audit trails
- help establish log and compliance goals
- set up internal standardization for procedures, including who manages those procedures
- protect sensitive and mission-critical data
Whether your organizational structure needs to facilitate a single management system for a small business or is based on several types of enterprise structures that demand interoperability for regulatory compliance, it is imperative to train those involved, including developers, and re-train often as new regulations emerge or security breaches mandate change. Something as seemingly innocuous as realigning work stations with a new server merits retraining personnel.
Preventing Insufficient Logging and Monitoring Exploitation and Attacks
You don’t want to engage in damage control. The levels of log management can be overwhelming to sift through. There are many passive commercial and open-source log management frameworks available that can automate the monitoring process. Penetration testers and auditors tend to be resource-intensive and expensive, but sometimes necessary.
There has to be a new mindset. Simply keeping attackers out of company business is passe and dangerous–whether you are a small business or a major corporation. It’s not enough to find the who and eradicate the threat. Today you have to know why your company is vulnerable and how to prevent probing eyes and attacks before they start. Not only will it keep your company viable, but also compliant with ever-changing regulations that mandate an audit trail.
Damage Control to Threat Control to Responsible Control
You can’t resolve a breach if you don’t detect it. By defining (and verifying) the roles and responsibilities of those involved in log management at both the systemic and operational levels, companies can mitigate breaches and have ready audit trails to resolve breaches.
Learn more in our complete OWASP Top 10 2017 series:
- OWASP Top 10 2017 – A1 Injection
- OWASP Top 10 2017 – A2 Broken Authentication and Session Management
- OWASP Top 10 2017 – A3 Sensitive Data Exposure
- OWASP Top 10 2017 – A4 XML External Entities (XXE)
- OWASP Top 10 2017 – A5 Broken Access Control
- OWASP Top 10 2017 – A6 Security Misconfiguration
- OWASP Top 10 2017 – A7 Cross-site Scripting (XSS)
- OWASP Top 10 2017 – A8 Insecure Deserialization
- OWASP Top 10 2017 – A9 Using Components with Known Vulnerabilities
- OWASP Top 10 2017 – A10 Insufficient Logging & Monitoring