Security Logging and Monitoring Failures: Introduction
Imagine a company that remains unaware of a data breach that happened months ago and learns of it only when a security researcher finds the dump for sale on the dark net. That is a real possibility, and what makes it more damaging is that it would result in large fines and at least some loss of the company's reputation. All of this can be avoided by ensuring that the responsible IT team performs proper security logging and monitoring.
Security logging and monitoring failures refer to instances where security logs and monitoring systems fail to capture or alert on malicious activity. This can occur for a variety of reasons, such as misconfigured systems, a lack of proper monitoring or logging, a lack of resources, and software bugs. These failures delay the detection of and response to security incidents, potentially resulting in data breaches or other security incidents. To prevent these failures, organizations should implement robust security logging and monitoring systems, regularly maintain and update them, and ensure that they have adequate resources to operate effectively. Additionally, organizations should conduct regular testing and audits to identify and address potential vulnerabilities. OWASP Top 10 2021 ranked security logging and monitoring third, up from tenth in the OWASP Top 10 2017.
Attack Surface
Insufficient Logging
Not logging enough information or not logging the right information can make it difficult to identify and track security breaches.
Example: Without sufficient logging, a developer cannot find out exactly where in the codebase a problem occurred, so it is better to always include a stack trace for debugging purposes, while ensuring that it does not disclose any sensitive information.
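One way to satisfy both halves of that advice, as an added example that is not part of the original article: a small structured security logger that attaches the exception's stack trace for the developer while redacting sensitive fields (the key list and the card-number pattern are constructed assumptions for this example).

```python
import json
import logging
import re
import traceback

# Keys whose values must never reach the log (constructed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "token", "authorization", "card_number", "ssn"}
# Loose pattern for 13-19 digit card-like numbers embedded in free text.
CARD_RE = re.compile(r"\b\d{13,19}\b")

logger = logging.getLogger("security")


def redact(value):
    """Recursively replace sensitive values with a fixed marker."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return CARD_RE.sub("[REDACTED]", value)
    return value


def build_event(event_type, context, exc=None):
    """Build a JSON-serialisable security event with a redacted context.

    When an exception is supplied, the stack frames are included so the
    developer can locate the failure; local variables are deliberately not
    dumped, so secrets held in variables never reach the log.
    """
    event = {"event": event_type, "context": redact(context)}
    if exc is not None:
        event["error"] = type(exc).__name__
        event["stack"] = "".join(traceback.format_tb(exc.__traceback__)).strip()
    return event


def log_event(event_type, context, exc=None):
    """Write the event as one JSON line and return it for the caller."""
    event = build_event(event_type, context, exc)
    line = json.dumps(event)
    if exc is not None:
        logger.error(line)
    else:
        logger.warning(line)
    return event
```

Calling `log_event("payment_failed", {"user": "alice", "password": "hunter2"}, exc)` inside an `except` block writes the user, the error type and the trace, but never the password.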
Lack of monitoring
Without regular monitoring, it can be difficult to detect security breaches in a timely manner, giving attackers more time to cause damage. SIEM (Security Information and Event Management) systems can be used to monitor activity effectively.
Example: An attacker found a vulnerability in the logging system that allowed them to bypass it by replacing the information sent to the server with generic, static information, camouflaging the attacker's actions.
Outdated software
Using outdated software can make it easy for attackers to exploit known vulnerabilities, making it difficult to detect and prevent breaches.
Example: An attacker finds out that their target is using an outdated version of a web application library, which they then actively exploit to gain a foothold in the application.
Improper configuration
Configuring security systems incorrectly, or leaving them at their default configuration, can make them ineffective, as they may not be able to detect or prevent certain types of attacks.
Example: Due to improper security configuration of the logging system of an application used by an organization, attackers were able to access the application's logs, which also contained sensitive information.
Limited resources
Limited resources can make it difficult to implement and maintain effective security logging and monitoring systems.
Example: A breach occurred in an organization that did not know about it until an external entity informed them, which shows a lack of proper monitoring resources.
Lack of threat intelligence
Without access to threat intelligence, it can be difficult to identify and respond to emerging threats, making it more likely that a security breach will occur.
Example: The IT team, not knowing how to identify patterns in network usage, was fooled by the attackers in a DDoS attack.
Examples of Attacks
Scenario #1:
Due to a lack of monitoring and recording, the website operator for a supplier of children’s health insurance was unable to identify a breach. The health plan provider was alerted by a third party that an attacker had obtained and altered thousands of children’s sensitive health information. A post-incident analysis revealed that the website’s designers had neglected to fix important flaws. Since the system was not being tracked or monitored, the data breach may have been happening since 2013, which is more than seven years ago.
Scenario #2:
A major Indian airline had a data breach involving millions of customers' personal information spanning more than 10 years, including passport and credit card information. A third-party cloud hosting provider suffered the breach and informed the airline only after some time.
Scenario #3:
A major European airline experienced a reportable GDPR violation. According to reports, the breach was caused by attackers who obtained more than 400,000 customer payment records by abusing security flaws in the payment application. As a consequence, the privacy regulator fined the airline 20 million pounds.
Security logging and monitoring failures: Impact
Security logging and monitoring failures can have significant impacts on an organization, including:
- Lack of visibility into security incidents: Without proper logging and monitoring, it can be difficult to detect and respond to security incidents in a timely manner.
- Compliance violations: Many regulations, such as HIPAA and PCI-DSS, require organizations to maintain detailed logs of their security activities. Failure to do so can result in non-compliance and fines.
- Lack of forensic data: In the event of a security incident, logs and monitoring data can be critical for conducting an investigation and determining the root cause of the incident.
- Difficulty in identifying patterns: Logs and monitoring data can help security teams identify patterns and trends in security-related activities, which can aid in identifying potential threats. Without this information, it can be more difficult to identify and mitigate threats.
- Business disruption: Security incidents can cause business disruption and damage to an organization’s reputation. Logging and monitoring failures can make it more difficult to quickly contain and recover from incidents, leading to further business disruption.
Security logging and monitoring failures: Remediation
Everything from security-awareness campaigns to daily stand-ups can help an organization maintain a good security posture. Here are some points which can help in mitigating the risk of such a failure:
- Implement a centralized logging and monitoring system: This system should be able to collect, store, and analyze security logs from all devices and systems within the organization. This will help to identify and track security incidents in real-time.
- Conduct regular security audits: Regular security audits should be conducted to identify any potential vulnerabilities or security risks in the organization. These audits should be used to identify any areas that need improvement and to develop a plan to address those issues.
- Train employees on security best practices: Employees should be trained on best practices for security logging and monitoring, as well as how to identify and report security incidents. This will help to ensure that employees are aware of potential security risks and know how to respond to them.
- Implement security incident response procedures: Organizations should have a well-defined incident response plan in place to address any security incidents that occur. This plan should include procedures for identifying and reporting incidents, as well as steps for containing and mitigating the impact of those incidents.
- Test and validate security controls: Organizations should regularly test and validate their security controls to ensure that they are functioning as intended. This will help to identify any issues that need to be addressed and to ensure that the organization is prepared to respond to security incidents.
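The "analyze security logs to identify incidents" step above, and the monitoring gap described under "Lack of monitoring", both come down to running detection logic over collected events. As an added example that is not part of the original article, here is a sliding-window detector for repeated authentication failures from one source address; the log format and the sample lines are constructed for this example, and unparseable lines are counted rather than silently dropped, since a gap in parsing is itself a monitoring failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z auth sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:04Z auth sshd: Accepted password for alice from 198.51.100.4
2024-03-01T10:00:06Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09Z auth sshd: Failed password for guest from 203.0.113.7
2024-03-01T10:00:12Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:05:00Z auth sshd: Failed password for bob from 198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")


def parse(line):
    """Return a dict for a recognised line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (alerts, unparsed_count) for IPs with >= threshold failures in `window`.

    A per-IP deque holds recent failure timestamps; entries older than the
    window are evicted as it slides, so memory is bounded by the threshold.
    """
    recent = defaultdict(deque)
    alerts, unparsed = [], 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1       # surfaced to the operator, never swallowed
            continue
        if rec["result"] != "Failed":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": rec["ip"], "count": len(q), "last_seen": rec["ts"]})
            q.clear()           # one burst raises one alert, not one per line
    return alerts, unparsed
```

Running `detect_bruteforce(SAMPLE_LOG.splitlines())` raises a single alert for 203.0.113.7 (five failures within twelve seconds) and none for 198.51.100.4, which has one failure outside any burst.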
Security logging and monitoring failures can have serious consequences for the analysis and prevention of future cybersecurity incidents. To learn more about how to manage risk in your organization, contact ASPIA.