OWASP Top 10 : Insufficient Logging & Monitoring

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.

What is Insufficient Logging & Monitoring?

Logs give visibility into an organization's activities. The logs and audit trails a system generates enable an organization to troubleshoot, track events, detect incidents and meet regulatory requirements. Insufficient logging and monitoring means that security-critical events are not logged at all, or that the logs lack proper format, context, storage and protection, or that nobody reviews them in time to detect an incident or breach.

According to IBM's 2020 Cost of a Data Breach report, the average time to identify and contain a data breach is 280 days. Logs are an essential input to incident response: without them an organization can be blindsided by a breach that goes undetected for months, with irreparable regulatory, financial and legal consequences. Proper log management shortens detection and mitigation time and saves the business time, money and reputation.

How does insufficient logging & monitoring impact business?

Confidentiality: logs often contain sensitive information (credentials, session tokens, PII) that an attacker who gains access to them can read

Integrity: if unsanitized user input is written to log files, attackers can tamper with them, corrupting entries, injecting unexpected or forged entries and changing the apparent record of events (CWE-117, Improper Output Neutralization for Logs)

Availability: logging everything without limits can overload the system and cause a self-inflicted denial of service, while an incident that goes undetected for lack of logs can disrupt the business

Non-repudiation: without logs the source of an attack may not be traceable and the attacker's actions cannot be proven, leaving the system open to further compromise and future attacks

Accountability: missing audit trails mean actions cannot be tied to the user or process that performed them
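The integrity point above (CWE-117) is easiest to see with code. The following is an added example, not code from the original post: it shows how an attacker-controlled username containing a newline forges a second log entry when it is pasted into a plain-text line, and two fixes, escaping control characters and writing structured JSON records. The function names, the `user`/`src` field names and the attacker string are assumptions made for this example.

```python
import json

# Added example, not code from the original post: a CWE-117 log injection
# demonstration. Names such as `vulnerable_log_line`, `safe_log_line` and
# the attacker string below are assumptions made for this example.

# Constructed attacker input: a username that ends with a newline followed
# by a forged "successful login" record for the admin account.
FORGED_USERNAME = "mallory\nINFO login succeeded user=admin src=10.0.0.1"


def vulnerable_log_line(username: str, src_ip: str) -> str:
    """Naive formatting: the raw username is pasted into a plain-text line.

    A CR/LF inside `username` therefore starts a second, attacker-authored
    entry that a log viewer or SIEM parser cannot tell from a real one.
    """
    return f"WARN login failed user={username} src={src_ip}"


def neutralise(value: str) -> str:
    """Replace control characters (CR, LF, ESC, ...) with an escaped form.

    This is the minimal CWE-117 mitigation for plain-text logs: the payload
    is still recorded, but it can no longer break out of its field.
    """
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in value)


def safe_log_line(username: str, src_ip: str) -> str:
    """Structured JSON record: json.dumps escapes CR/LF inside the string,
    so the payload stays inside the `user` field of ONE record and the
    forged text is never interpreted as a separate event."""
    record = {"level": "WARN", "event": "login_failed",
              "user": username, "src": src_ip}
    return json.dumps(record)


def record_count(log_text: str) -> int:
    """Number of entries a line-oriented log consumer would see."""
    return len(log_text.splitlines())


def user_field(json_line: str) -> str:
    """Parse a structured record back and return the user it names."""
    return json.loads(json_line)["user"]


if __name__ == "__main__":
    for fn in (vulnerable_log_line, safe_log_line):
        line = fn(FORGED_USERNAME, "203.0.113.5")
        print(f"{fn.__name__}: {record_count(line)} record(s)")
        print(line)
```

The vulnerable line yields two records, the second of which claims a successful admin login from an address the attacker chose; the JSON record yields one, and the original payload survives intact in the `user` field for the analyst to see. Structured logging is preferable to escaping alone because the SIEM parser also gets unambiguous field boundaries.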

Security incidents can be contained with proper log collection and monitoring. Sufficient logging enables earlier detection of APTs, ransomware, malware, insider threats, DoS and DNS attacks, and similar threats.

Past Victims

  • In April 2019, Dominion National, a Virginia-based vision and dental insurer, discovered unauthorized access to its servers that had begun roughly nine years earlier. The servers contained PII of plan producers and healthcare providers. The breach went unnoticed for so long because of poor log review and audit policies.

  • The CIA's Vault 7 breach in 2016, in which between 180 GB and 34 TB of information was stolen, happened because the data sat on a system where user activity was neither monitored nor audited. The breach went undetected for about a year, until the stolen data was published.

  • Investigators found that Anthem was hit by an APT attack beginning in February 2014 and that data was exfiltrated from December 2014 until January 2015. Among many failures of the controls meant to protect PHI, regular review of system activity and identification of suspicious activity were missed. Anthem paid $115 million to settle the resulting class action and $16 million to OCR for HIPAA Privacy and Security Rule violations.

  • In the Target breach of 2013, attackers stole 40 million payment card numbers from around 2,000 Target stores by compromising the POS systems. Target had sufficient logging and its monitoring tools did raise alerts, but it failed to respond to them in time. Target paid $18.5 million as part of a multistate breach settlement.

How to prevent insufficient logging & monitoring?

  • Establish a baseline of the logs the business needs: access logs, failed logins, suspicious or anomalous activity, and network, endpoint and cloud logs

  • Format logs consistently, and make sure the context of each entry (who, what, when, where, outcome) is clearly understood

  • Have a centralized log management system, such as a SIEM, where all logs are collected in one place, integrated with real-time reporting, heuristics and visualization tools

  • Synchronize clocks (NTP) and record timestamps in UTC so events from different systems can be correlated

  • Secure the logs: restrict access to them and protect them in transit and at rest

  • Retain logs in accordance with compliance and business requirements

  • Monitor user activity and anomalous behavior with automation and alerting

  • Review logs regularly, and track that reviews actually happen

  • Logs must not be deleted or modified; use append-only or tamper-evident storage where possible

  • Integrate SIEM with SOC to improve threat detection and visibility

  • Monitor everything continuously, from legacy systems to cloud environments

  • Report anomalous activity or any incident promptly, and act on it

  • Have an incident response plan following NIST SP 800-61 Rev. 2 or later

  • Follow standards such as NIST SP 800-92 (log management), CIS Control 6 (audit log management; Control 8 in CIS Controls v8) and ISO/IEC 27001

  • Use penetration testing and DAST tools to check whether attacks (failed logins, injection attempts, scans) are actually logged and alerted on, and where logging and monitoring are insufficient
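Several of the steps above (structured logs with UTC timestamps, centralized collection, automated anomaly detection and alerting) come together in a small detection routine. The following is an added example, not code from the original post or from any SIEM product: it reads structured auth log records, requires UTC timestamps, and raises an alert when one source IP accumulates a threshold of failed logins inside a sliding window (brute force or password spraying) and another when a source that has just been failing then logs in successfully, which is the event a responder most wants to see quickly. The field names (`ts`, `event`, `user`, `src`), the threshold and window, and the sample log lines are all constructed for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example, not code from the original post. Field names, thresholds
# and the sample log below are constructed for illustration.

THRESHOLD = 5                  # failed logins from one source ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window

# Constructed sample: one address sprays five accounts, then gets in as "erin";
# a second address has a legitimate success and one stray failure later.
SAMPLE_LOG = """\
{"ts": "2024-05-01T12:00:01Z", "event": "login_failed", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-05-01T12:00:09Z", "event": "login_failed", "user": "bob", "src": "203.0.113.5"}
{"ts": "2024-05-01T12:00:15Z", "event": "login_failed", "user": "carol", "src": "203.0.113.5"}
{"ts": "2024-05-01T12:00:20Z", "event": "login_ok", "user": "dave", "src": "198.51.100.7"}
{"ts": "2024-05-01T12:00:31Z", "event": "login_failed", "user": "dave", "src": "203.0.113.5"}
{"ts": "2024-05-01T12:00:44Z", "event": "login_failed", "user": "erin", "src": "203.0.113.5"}
{"ts": "2024-05-01T12:01:02Z", "event": "login_ok", "user": "erin", "src": "203.0.113.5"}
{"ts": "2024-05-01T12:30:00Z", "event": "login_failed", "user": "alice", "src": "198.51.100.7"}
"""


def parse_record(line: str) -> dict:
    """Parse one JSON log line; reject non-UTC timestamps (the 'Z' suffix),
    because correlation across hosts only works on a common clock."""
    rec = json.loads(line)
    ts = rec["ts"]
    if not ts.endswith("Z"):
        raise ValueError(f"timestamp must be UTC: {ts!r}")
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list:
    """Return alerts for brute force and for success-after-failures per source."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute force
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        src, ts = rec["src"], rec["ts"]
        recent = failures[src]
        # Slide the window: drop failures older than `window` before this event.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if rec["event"] == "login_failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "brute_force", "src": src,
                               "failures": len(recent), "ts": ts.isoformat()})
        elif rec["event"] == "login_ok" and recent:
            # A success from a source with failures still inside the window is
            # the likely moment of compromise; alert even below the threshold.
            alerts.append({"rule": "success_after_failures", "src": src,
                           "user": rec["user"], "prior_failures": len(recent),
                           "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample, the first alert fires on the fifth failure from 203.0.113.5 and the second on the successful "erin" login eighteen seconds later; 198.51.100.7 produces nothing because its one failure is alone in its window. In a real deployment the same logic would run inside the SIEM against the centralized feed and the alerts would be routed to the SOC.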

Interested in learning how to know if your organization is vulnerable to Insufficient Logging & Monitoring attacks? Drop us a note now at sales@siemba.io