These days there is a high probability that your web application will be attacked because of the vulnerabilities it has. The question is, can we reduce the damage? The answer is to properly set up logging and to monitor your web application. OWASP has included insufficient logging and monitoring in its vulnerability list, OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks (OWASP Top 10).
A log file is a file that records events that occur in your application. There are many sources (antivirus software, firewalls, the application itself, etc.) that generate log files.
Log files are composed of log entries. Each entry contains information related to a specific event that has occurred within the application. The objective of logging is to provide clues. You need to have answers to these three questions: who, when and what? Log only the important data, not unnecessary information, because logging everything can create massive amounts of logs. The amount is not what matters; high-quality logs are.
Monitoring and Alerting
Monitoring is simply detecting abnormal events by continuously watching the log files or the data in the files. So, for monitoring to work properly, the log files need to contain that suspicious data first; it is fully dependent on what your application is logging in the first place. Monitoring needs to be able to spot the clues. As with logging itself, passive monitoring is a detective control: you can detect whether a security violation has occurred. Therefore, the objective of monitoring is to provide timely detection. Besides security violations, you can also detect, for example, anomalies.
So, let's say an attacker tried 100 different usernames that he found in some database on the internet, and then logged in with the 101st one; your application should detect that. Alerting is actively informing about a non-standard (abnormal) situation. It usually triggers additional responses. The purpose of alerting is to generate a quick response. In the previous example, if you knew that someone tried 100 different credentials and then logged in, you would surely start an investigation.
Correct logging and monitoring will increase the security of not only your application but your whole network. It is also very important that the whole team (developers, system administrators, security professionals) is doing monitoring and logging. For security purposes, knowing what you should log and monitor is essential.
As you know, there are many databases of leaked username and password combinations. With such credentials, an attacker can try to perform a credential stuffing attack on your web application. A credential stuffing attack is the injection of leaked username and password pairs. This technique is based on the fact that users sometimes use the same password on different websites. In other words, when one website gets hacked and credentials are stolen, they might work for other websites as well.
Let's assume that after checking 100 username and password pairs, the attacker finds a correct pair of credentials. Now the attacker can steal that user's personal information (for example, credit card numbers), edit that user's information, or even use that account to damage your website. Moreover, you don't even realize how your website is being damaged, since your application did no logging or did it improperly. If, on the other hand, you set up logging properly, your application will record what is happening (and seeing 50 failed attempts in the logs is something you should consider suspicious).
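The detection described in the monitoring/alerting section and in the credential stuffing scenario above, as an added example that is not part of the original article: it scans structured login log lines (constructed sample data, with field names chosen for this example) and raises an alert when a source reaches a failure threshold, and again when a success follows that many failures.

```python
# Added example (not from the original article): detect the credential
# stuffing pattern described above (many failed logins from one source,
# then a success) by scanning structured authentication log lines.
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line, each answering
# who (user, source IP), when (timestamp) and what (login result).
# 100 failures for 100 different usernames from one IP, then a success;
# the second IP is a legitimate user mistyping once, which is no alert.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": f"2024-01-01T10:{i // 60:02d}:{i % 60:02d}Z",
                 "src": "203.0.113.7", "user": f"user{i}",
                 "event": "login", "result": "failure"}) for i in range(100)]
    + [json.dumps({"ts": "2024-01-01T10:01:40Z", "src": "203.0.113.7",
                   "user": "user100", "event": "login", "result": "success"}),
       json.dumps({"ts": "2024-01-01T10:01:41Z", "src": "198.51.100.2",
                   "user": "alice", "event": "login", "result": "failure"}),
       json.dumps({"ts": "2024-01-01T10:01:42Z", "src": "198.51.100.2",
                   "user": "alice", "event": "login", "result": "success"})]
)

def detect_stuffing(log_text, threshold=50):
    """Return alerts: one when a source reaches `threshold` failures, and
    one when a success follows at least `threshold` failures from it."""
    failures = defaultdict(int)        # source IP -> failed attempts so far
    users_tried = defaultdict(set)     # source IP -> distinct usernames tried
    alerts = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        if entry.get("event") != "login":
            continue
        src = entry["src"]
        if entry["result"] == "failure":
            failures[src] += 1
            users_tried[src].add(entry["user"])
            if failures[src] == threshold:   # fire once, when crossing it
                alerts.append({"type": "brute_force_suspected", "src": src,
                               "failures": threshold, "ts": entry["ts"]})
        elif entry["result"] == "success":
            if failures[src] >= threshold:
                alerts.append({"type": "stuffing_success", "src": src,
                               "user": entry["user"],
                               "failures": failures[src],
                               "distinct_users": len(users_tried[src]),
                               "ts": entry["ts"]})
            failures[src] = 0                # a success resets the counter
            users_tried[src].clear()
    return alerts
```

Running `detect_stuffing(SAMPLE_LOG)` yields two alerts: `brute_force_suspected` at the 50th failure and `stuffing_success` when the 101st attempt logs in; the single mistyped password from the second IP produces none.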
What Is Insufficient Logging and Monitoring
If, during a security-critical event, the application does not record the event or omits important details about it, that is insufficient logging and monitoring. Let's say your application contains a vulnerability. In the previous example, the attacker was able to log in and exploit that vulnerability. More importantly, the attacker stayed undetected. This is what we mean by insufficient logging and monitoring: a lack of visibility, or in other words, not knowing what is happening. We also need to mention that all failed, as well as successful, login attempts should have been logged and monitored. Put simply, insufficient logging and monitoring is a lack of quantity of logged events.
Now let's assume that the application logged some events, but they lack some important information (for example, a timestamp); then we are talking about a lack of quality of the logged files. If your application keeps its log files locally and not on a remote server, that can lead to issues with the availability of the log files. So, if the log files are not accessible whenever you need them, we are talking about an availability issue. And because there was no monitoring, the response did not come in time.
To sum up, when you don't know what's happening in your application, you are talking about insufficient logging and monitoring. In other words, logging and monitoring are important for situational awareness and a timely response. Without logging and monitoring, discovering the source of attacks may become difficult. That is why it is so important to make sure that the important events within the application are logged and monitored.
Defensive Measures Against Insufficient Logging And Monitoring
1) Ensure that all login and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and are held for sufficient time to allow delayed forensic analysis.
2) Logs need to be generated in a format that can be easily consumed by log management solutions.
3) High-value transactions should have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables.
4) Effective monitoring should be established in order to detect suspicious activities and respond to them in time.
5) An incident response and recovery plan should be established.
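Measures 1 to 3 above, as an added example that is not from the original article: login events are written as structured JSON records carrying who/when/what context, and each record is chained to the previous one with a SHA-256 hash so that editing, deleting or reordering entries in the audit trail is detectable. The field names and the in-memory store are this example's own assumptions; a real deployment would ship each record to a remote, append-only store.

```python
# Added example (not from the original article): write login events as
# structured JSON with who/when/what context and chain each record to the
# previous one with SHA-256, so edits, deletions or reordering of the audit
# trail are detectable. Field names are this example's own choice.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous hash" link of the very first record

def _digest(prev_hash, payload):
    # Hash of the previous record's hash plus this record's canonical JSON.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained list of records (kept in memory here; in
    practice each record would also be shipped to a remote log store)."""
    def __init__(self):
        self.records = []

    def log_login(self, user, src_ip, result, reason=None, ts=None):
        payload = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),  # when
            "user": user, "src": src_ip,                           # who
            "event": "login", "result": result, "reason": reason,  # what
        }
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "payload": payload,
                  "prev": prev, "hash": _digest(prev, payload)}
        self.records.append(record)
        return record

    def verify(self):
        """Return (ok, first_bad_seq); every hash depends on all earlier
        records, so any change breaks the chain from that point on."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            bad = (rec["seq"] != i or rec["prev"] != prev
                   or rec["hash"] != _digest(prev, rec["payload"]))
            if bad:
                return False, i
            prev = rec["hash"]
        return True, None
```

`verify()` returns `(True, None)` on an untouched log and `(False, seq)` pointing at the first record whose payload, position or link to its predecessor no longer matches.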