Many critics of the Open Web Application Security Project (OWASP) Top Ten list view insufficient logging and monitoring, new on the list in 2017, as more of a best-practice guide for defending a web application than an actual vulnerability. The argument goes that logging and monitoring are basic pillars of any modern secure system; in other words, you should already be running stringent logging and monitoring procedures. For others, because attacks so often take months to be identified, the real surprise is that insufficient logging and monitoring hadn’t made the list before.
In terms of risk, OWASP rates the exploitability of this vulnerability “medium,” its prevalence “high” and its detectability “low.” Impact is listed as somewhat difficult to define, mainly because of how attacks are initiated. Most successful attacks start with vulnerability probing. Allowing such probes to continue undetected (because logging and monitoring never catch them) can raise the likelihood of a successful exploit by nearly 100%.
Insufficient logging and monitoring replaces 2013’s A10 entry, unvalidated redirects and forwards.
Why Was Insufficient Logging & Monitoring Added to the 2017 OWASP List?
A recent Ponemon Institute survey found that identifying a security breach in 2017 took an average of 191 days, lower than the 2016 figure of approximately 201 days. The faster a data breach can be identified and contained, the lower the costs. Consequently, the average cost of a data breach decreased 10% and the per-capita cost decreased 2.9%.
The study suggests that, besides faster identification times this year, a strong U.S. dollar significantly influenced the global cost analysis and contributed to the overall decline in the cost of breaches. Ponemon also attributed these improvements to investments in security technologies such as security analytics, SIEM, enterprise-wide encryption and threat intelligence sharing platforms.
What Is Insufficient Logging & Monitoring?
A loose metaphor for this vulnerability is ignoring an orange warning light on the dashboard of your vehicle. While an orange light, unlike a red one, is likely to signal something relatively unimportant, it would be unwise not to investigate the source of the warning. In addition, most people have their vehicles serviced regularly in case the monitoring system itself is insufficient or has broken down. The same proactive approach should be mandatory for monitoring web application security.
Logging and monitoring provide the raw data you need to identify unusual patterns in an application, whether reported by log files or observed by security monitors. The main problem with the logging process is that if your application doesn’t log an event, audit reports won’t show it and you won’t be able to monitor for those unusual patterns.
Some causes of logging and monitoring failures include:
- Unlogged events, e.g., failed logins or high-value transactions
- Logs that are not backed up (intruders that access a system will often delete logs to obscure their movements so you won’t be able to backtrack to the source of the intrusion)
- Software misconfigurations that fail to alert on apparently unimportant events, e.g., a failed login or a seemingly innocuous read-only event
- Obscure error logging without enough details for forensics to follow up on or for administrators to understand the problem
- Lack of a formal escalation plan following a breach
- Absence of automated auditing and monitoring security frameworks and/or lack of skilled security personnel to analyze log data
- Poor authentication management
- Insufficient logging and monitoring training
How Do You Detect Insufficient Logging & Monitoring?
When attackers try to exploit a vulnerability, they spend a lot of time probing an application or system to find such vulnerabilities. If a system doesn’t have sufficient logging and monitoring in place, the attacker is free to explore at leisure for flaws and weaknesses, increasing the chance of successfully finding and exploiting an existing vulnerability. Ideally, you will have monitoring software in place to alert you to this pernicious probing; if not, at the very least you need an intrusion detection mechanism to let you know you have been targeted.
If applications aren’t patched with the latest fixes, vulnerabilities remain open to exploitation. The National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST), is a searchable repository of known security vulnerabilities. We did a search on “Microsoft Word” for vulnerabilities reported in the last three months and came up with seven matches, including: Microsoft Office 2010, Microsoft Office 2013 and Microsoft Office 2016 allow a remote code execution vulnerability due to the way RTF content is handled (aka the Microsoft Word Memory Corruption Vulnerability). It would be a good idea to keep an eye on this resource and keep software updated.
There are a number of open source intrusion detection tools and frameworks that can help you automate the monitoring of your system:
- Nagios: Provides complete management and monitoring of application logs, log files, event logs, service logs and system logs on Windows, Linux and Unix servers. Nagios can manage and monitor these logs and alert you when log patterns are detected.
- Snort: Intrusion detection and prevention tool that can perform real-time traffic analysis and packet logging on networks.
- Splunk: Consolidates log and machine data, including structured, unstructured and complex, multi-line application logs. You can collect, store, index, search, correlate, visualize, analyze and report on any machine-generated data to identify and resolve operational and security issues in a faster, repeatable and more affordable way.
- OSSEC: An open source, host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active responses.
- Tripwire: Lightweight security and data integrity tool useful for monitoring and alerting on specific file changes on Linux servers.
- Fluentd: Decouples data sources from backend systems by providing a logging layer between these and the application’s frontend. It boasts 500+ plugins that connect it to various data sources and outputs — from application frameworks and network protocols to IoT devices to social media applications.
How Do You Prevent Insufficient Logging & Monitoring?
- Ensure all login, access control failures and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and are held for sufficient time to allow delayed forensic analysis.
- Ensure logs are generated in a format that can be easily consumed by a centralized log management solution.
- Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables.
- Establish effective monitoring and alerting so suspicious activities are detected and responded to in a timely fashion.
- Establish or adopt an incident response and recovery plan, such as NIST 800-61 rev 2.
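The first three items above ask for two things that are easy to state and easy to get wrong: every security-relevant failure carries enough user context to tie it to an account and a request, and high-value events land in an append-only trail whose integrity can be verified later. The following is an added example written for this article, not code from OWASP or from any tool named on this page. It emits structured JSON events and chains them with SHA-256 so that edits, deletions and truncation of the trail can be detected. The event fields (actor, source_ip, request_id), the event-type names and the hash-chaining scheme are assumptions chosen for the illustration.

```python
"""Added example: structured security events plus a tamper-evident audit trail.

Written for this article as illustration; not code from OWASP or from any tool
the page names. The event fields (actor, source_ip, request_id), the event-type
names and the SHA-256 hash chain are assumptions chosen to show two controls in
the prevention list: enough user context to tie an event to an account, and an
append-only trail whose integrity can be checked later.
"""
import hashlib
import json
import logging
from datetime import datetime, timezone

log = logging.getLogger("security")
logging.basicConfig(level=logging.INFO, format="%(message)s")

GENESIS = "0" * 64  # "previous hash" of the first entry in a trail


def security_event(event_type, outcome, actor, source_ip, request_id, ts=None, **details):
    """Build one structured security event.

    Core fields are identical for every event so a central log pipeline can index
    and correlate them; event-specific data goes under "details". A caller may pass
    ts so the event is reproducible (used by the demo below).
    """
    return {
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event_type,       # e.g. "auth.login", "authz.check", "input.validation"
        "outcome": outcome,        # "success" or "failure"
        "actor": actor,            # account the request was made as, or None before login
        "source_ip": source_ip,
        "request_id": request_id,  # correlates with the application's request logs
        "details": details,
    }


def emit(event):
    """Write the event as one JSON line; failures go out at WARNING so alerting can key on level."""
    line = json.dumps(event, sort_keys=True)
    log.log(logging.WARNING if event["outcome"] == "failure" else logging.INFO, line)


class AuditTrail:
    """Append-only trail in which every entry commits to the hash of the previous one.

    Editing or deleting an earlier entry breaks every later hash, so verify() finds
    it. Cutting entries off the tail is only detectable if the latest hash (the head)
    is also kept somewhere the attacker cannot reach, e.g. sent to the monitoring
    system on every append; verify() accepts that expected head. In a real deployment
    the entries would be written to a separate hardened log host; here they stay in
    memory so the example runs stand-alone.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, event):
        payload = prev_hash + json.dumps(event, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, event):
        prev = self.head()
        self.entries.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})
        emit(event)
        return self.head()

    def verify(self, expected_head=None):
        """Return None if the chain is intact, otherwise the index of the first bad entry.

        With expected_head given, a trail whose tail was removed also fails and is
        reported as index len(self.entries).
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


def demo_trail():
    """Record the three failure classes the prevention list names (constructed data)."""
    trail = AuditTrail()
    trail.append(security_event("auth.login", "failure", "jsmith", "203.0.113.7", "req-0001",
                                ts="2017-11-20T09:12:01+00:00", reason="bad_password"))
    trail.append(security_event("authz.check", "failure", "jsmith", "203.0.113.7", "req-0002",
                                ts="2017-11-20T09:12:05+00:00", resource="/admin/export"))
    trail.append(security_event("input.validation", "failure", "jsmith", "203.0.113.7", "req-0003",
                                ts="2017-11-20T09:12:09+00:00", field="account_id", rule="integer"))
    return trail


if __name__ == "__main__":
    t = demo_trail()
    print("chain intact:", t.verify(t.head()) is None)
```

The hash chain is what turns a plain log into an audit trail with integrity controls: anyone holding the current head can prove that nothing before it was altered or removed. The head itself has to live outside the attacker’s reach, which is exactly why the protection advice further down insists on a separate, hardened log server.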
User-friendly tools that can help you gather and manage log data:
- NLog: A free logging platform for .NET, .NET Standard, Xamarin, Silverlight and Windows Phone. It can process diagnostic messages emitted from any .NET language (C#, VB.NET etc.), and augment them with contextual information (date and time, severity, thread, process or environment).
- Nmap: Powerful, free and open source utility for network discovery and security auditing.
- httpry: A specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse and log the traffic for later analysis.
- Open-AudIT: An application to tell you exactly what is on your network, how it is configured and when it changes.
How Do You Protect Your System From Insufficient Logging & Monitoring?
Some suggestions from Dave Whitelegg at IBM:
- Use a separate and dedicated security-hardened server platform to capture and store audit log events.
- Use network time synchronization technology to synchronize system clocks. Consistent timestamps also allow automated monitoring tools to analyze patterns of events across systems as they occur in real time.
- Have strong access control to logs.
- Create a formal incident response plan.
- Ensure 24/7 monitoring by implementing an alert system for monitoring staff.
Chris Bihary from Tap Into Technology believes human insight is a cool tool to help protect your system. Some tips:
- Know your baseline traffic to determine what is not normal.
- Identify the presence of unknown/unauthorized IP addresses on wireless networks.
- Be wary of multiple failed login attempts in system authentication and event logs.
- Follow up on suspicious activity on the network after-hours.
- Investigate unexplained system reboots or shutdowns.
- Keep an eye on services and applications configured to launch automatically without authorization.
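The detection section above and the human-insight tips just listed describe the same three checks in prose: spot the probing an attacker does before an exploit, watch for bursts of failed logins, and follow up on activity outside normal hours. What follows is an added example written for this article, not part of Nagios, OSSEC, Splunk or any other tool the page names, that runs those checks over a handful of constructed log lines. The log format (an ISO-8601 UTC timestamp, an event kind, then key=value fields), the thresholds, the business-hours window and the sample addresses are all assumptions; a real deployment would derive the thresholds from the baseline traffic the first tip tells you to know.

```python
"""Added example: three detections over constructed authentication and web access events.

Illustrative code written for this article, not part of any tool the page lists.
The log format (ISO-8601 UTC timestamp, event kind, key=value fields), the
thresholds, the business-hours window and the sample lines are constructed
assumptions chosen to show the checks the text describes.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timezone

# Constructed sample log (documentation and private address ranges), in time order.
SAMPLE_LOG = """
2017-11-20T09:00:02Z auth outcome=failure user=jsmith ip=203.0.113.7
2017-11-20T09:00:03Z auth outcome=failure user=jsmith ip=203.0.113.7
2017-11-20T09:00:03Z auth outcome=failure user=jsmith ip=203.0.113.7
2017-11-20T09:00:04Z auth outcome=failure user=jsmith ip=203.0.113.7
2017-11-20T09:00:05Z auth outcome=failure user=jsmith ip=203.0.113.7
2017-11-20T09:00:06Z auth outcome=success user=jsmith ip=203.0.113.7
2017-11-20T09:05:00Z auth outcome=failure user=alee ip=198.51.100.4
2017-11-20T09:05:09Z auth outcome=success user=alee ip=198.51.100.4
2017-11-20T10:00:00Z http status=404 ip=192.0.2.9 path=/admin
2017-11-20T10:00:01Z http status=404 ip=192.0.2.9 path=/backup
2017-11-20T10:00:01Z http status=403 ip=192.0.2.9 path=/config
2017-11-20T10:00:02Z http status=404 ip=192.0.2.9 path=/test
2017-11-20T10:00:02Z http status=404 ip=192.0.2.9 path=/old
2017-11-20T10:00:04Z http status=200 ip=198.51.100.4 path=/index.html
2017-11-20T10:00:05Z http status=404 ip=198.51.100.4 path=/favicon.ico
2017-11-21T02:14:03Z auth outcome=success user=svc_backup ip=10.0.0.12
"""


def parse_line(line):
    """Turn '<ts> <kind> k=v k=v ...' into a dict with a timezone-aware datetime."""
    ts_text, kind, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
           "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])  # the sliding window below assumes chronological input
    return events


def burst_alerts(events, key_fn, window_s, threshold, rule):
    """Alert once per key when `threshold` matching events fall within `window_s` seconds.

    key_fn returns the grouping key for an event (account, source IP, ...) or None
    when the event is not relevant to this rule.
    """
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for ev in events:
        key = key_fn(ev)
        if key is None or key in fired:
            continue
        window = recent[key]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            alerts.append({"rule": rule, "key": key, "ts": ev["ts"].isoformat(), "count": len(window)})
            fired.add(key)  # one alert per key keeps the output readable for responders
    return alerts


def after_hours_alerts(events, start=time(8, 0), end=time(18, 0)):
    """Flag successful logins outside the business-hours window.

    The window is applied in UTC here; a real deployment converts to the site's
    local time zone first and keeps a per-account schedule for shift workers.
    """
    alerts = []
    for ev in events:
        if ev["kind"] != "auth" or ev.get("outcome") != "success":
            continue
        if not (start <= ev["ts"].time() < end):
            alerts.append({"rule": "after_hours_login", "key": ev["user"],
                           "ts": ev["ts"].isoformat(), "count": 1})
    return alerts


def analyze(log_text, window_s=60, threshold=5):
    """Run all three detections and return their alerts grouped by name."""
    events = parse_log(log_text)
    return {
        # Many failed logins against one account in a short window (Scenario 1 below).
        "brute_force": burst_alerts(
            events, lambda e: e["user"] if e["kind"] == "auth" and e.get("outcome") == "failure" else None,
            window_s, threshold, "failed_login_burst"),
        # Many 4xx responses to one source: the probing phase the detection section describes.
        "probing": burst_alerts(
            events, lambda e: e["ip"] if e["kind"] == "http" and e.get("status", "").startswith("4") else None,
            window_s, threshold, "client_error_burst"),
        "after_hours": after_hours_alerts(events),
    }


if __name__ == "__main__":
    for rule, alerts in analyze(SAMPLE_LOG).items():
        for alert in alerts:
            print(rule, alert)
```

Note what the sample deliberately contains: a user (alee) who mistypes a password once and a browser fetching a missing favicon both stay below the thresholds, while the five failures against jsmith and the five client errors from 192.0.2.9 each fire exactly once. None of these rules can run at all if the application never writes the failed-login or 4xx events in the first place, which is the whole point of the vulnerability.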
Before you get started, research the standards, methodologies and frameworks you need to proactively defend yourself:
- AppSensor project: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response.
- OWASP ModSecurity Core Rule Set (CRS): Set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top 10.
- The open source Elastic Stack: A centralized log management solution that ingests logs generated in an easily consumed format, so you can search, analyze and visualize the data in real time.
- PCI Security Standards Council: Learn about effective daily log monitoring within the context of PCI DSS.
- Familiarize yourself with the OWASP Logging Cheat Sheet.
How Can Insufficient Logging & Monitoring Be Leveraged In an Attack?
If critical security information is not logged, there will be no trail for forensic analysis and discovering the source of attacks may be impossible. Just as importantly, when logs are not written, alerts are not issued, and risks turn into real-time breaches.
- Scenario 1: A small startup falls victim to a brute-force attack on an employee’s password. Unfortunately, the victim system does not create alerts for failed login attempts, so the attacker has plenty of time to keep trying. Finally gaining entry, the hacker, as a delaying tactic, wipes out the internal source code and then downloads personal data relating to employees, suppliers and customers while the organization scrambles to plug security holes.
- Scenario 2: In 2013, the German division of Vodafone was hacked and the names, addresses, bank account numbers and birth dates of more than 2 million German Vodafone customers were stolen. The attacker was a third-party subcontractor. User action monitoring software could have alerted the company to the fact an insider attack had been launched.
- Scenario 3: A user loads some movies from his home USB stick onto his work computer to share with colleagues. Unfortunately, the stick was previously infected by the friend who gave it to him. Fortunately, basic anti-virus software should pick up the malware, provided the user’s anti-virus program is up to date. Alerting the security department about such failed security breaches can help them implement more stringent controls in the future.
How Can I Learn More About OWASP Top 10 Vulnerabilities?
Infosec Institute offers secure-coding training modules for developers through its security awareness training platform, SecurityIQ, including a module on insufficient logging and monitoring.
The platform includes training for every vulnerability included in OWASP’s 2017 list, as well as over 300 additional security awareness training modules for all employee levels and roles. Sign up for a free SecurityIQ account to get started today.
You can also learn more about secure logging and monitoring practices and earn your CISSP (Certified Information Systems Security Professional) certificate in PentestingExperts Institute’s seven-day CISSP Boot Camp.