OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)
This is part of the OWASP Top 10 series covering the top 10 most critical web application security risks. If you've missed any of the previous security risks, check out the intro and overview.
Risk rating
| Threat Agents | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts |
|---|---|---|---|---|---|
| Application Specific | Easy: 3 | Widespread: 3 | Easy: 3 | Severe: 3 | Business Specific |
| | Average: 2 | Common: 2 | Average: 2 | Moderate: 2 | |
| | Difficult: 1 | Uncommon: 1 | Difficult: 1 | Minor: 1 | |
What is insufficient logging & monitoring?
What is an attacker's primary objective? To break into your website. What is an attacker's secondary objective? To not get caught. Attackers rely on a lack of monitoring and slow response to achieve their goals, go undetected, and carry out further attacks.
Many attacks go unnoticed for a long time, leaving opportunities for attackers to cause further damage or even cover their tracks. Insufficient logging, insufficient monitoring, and the absence of an incident response plan all add to the damage an attack causes and to the time it takes to recover from it.
Examples of insufficient logging & monitoring
Bob runs a health and fitness web application. Mallory probes Bob's application for vulnerabilities. Upon discovering a security misconfiguration, Mallory gains unauthorised access to Bob's server. Mallory extracts all data from Bob's website and sells it on the underground market.
Unfortunately, Bob only becomes aware of the attack and data breach when one of his users reports that their data has been sold on the underground market. Bob still doesn't know how the attack happened, because his system didn't implement sufficient logging or monitoring.
With sufficient monitoring in place, Bob could have detected Mallory's initial probe and investigated the web server's logs to determine what damage had been done. Even better, with automated systems such as security information and event management (SIEM) and intrusion detection/prevention systems (IDS/IPS), Bob could have prevented Mallory from carrying out the attacks altogether.
What's the impact of insufficient logging & monitoring?
Many attacks start with a scan or probe to detect vulnerabilities in the application. Allowing these probes to continue unnoticed increases the chances of a successful attack being carried out.
If a data breach has occurred, digital forensic investigators will need to determine how severe the breach is. With insufficient log data, it can be difficult to understand how the breach occurred and how to prevent it from happening again.
Insufficient logging and monitoring also prevents other tools, such as security information and event management (SIEM) and intrusion detection/prevention systems (IDS/IPS), from operating effectively, because they have no events to work with.
How to defend against insufficient logging & monitoring
Ensure the application, including its underlying server and infrastructure, has wide coverage of logging and monitoring. This includes all login and access-control failures. For example, an attacker conducting a rainbow attack will show up in such logs and could be stopped before completing the attack.
Logs should be written in a format that a centralised log management system can consume easily, so that events from many different sources can be collected and correlated together. Centralised log management should be segregated from the application to minimise the impact of a compromised system; otherwise an attacker who controls the application host could delete or alter the local logs to cover their tracks.
Implement an effective monitoring and alerting system so that attacks are detected early and stopped before they succeed. Security information and event management (SIEM) and intrusion detection/prevention systems (IDS/IPS) can help to automate this process.
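As an added example, not code from the original post, here is a Python sketch of both halves of this advice: a structured JSON logger for login failures that a central log pipeline can parse, and a detector that reads those lines back and raises one alert per source address that exceeds a failure threshold inside a sliding time window. The IP addresses, user names and timestamps are constructed sample data, and the threshold and window are assumed values you would tune for your own traffic.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def log_auth_failure(user, src_ip, reason, ts):
    """Emit one failed-login event as a JSON line: every field is a
    named key so a central log pipeline can parse it without regexes."""
    return json.dumps({"ts": ts.isoformat(), "event": "auth_failure",
                       "user": user, "src_ip": src_ip, "reason": reason},
                      sort_keys=True)


def detect_bursts(lines, threshold=5, window_s=60):
    """Alert once per source IP that produces `threshold` or more
    auth_failure events inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue              # unparseable line: skip it, never crash the detector
        if ev.get("event") != "auth_failure":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({"src_ip": ev["src_ip"], "failures": len(q), "at": ev["ts"]})
    return alerts


def build_sample_log():
    """Constructed sample: 8 rapid failures from one address (password guessing),
    2 slow failures from another (a user mistyping), and one corrupt line."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = [log_auth_failure("admin", "203.0.113.7", "bad_password",
                              base + timedelta(seconds=3 * i)) for i in range(8)]
    lines.append(log_auth_failure("alice", "198.51.100.4", "bad_password", base + timedelta(seconds=10)))
    lines.append(log_auth_failure("alice", "198.51.100.4", "bad_password", base + timedelta(seconds=200)))
    lines.append("not json at all")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print("ALERT", alert)
```

In a real deployment the logger's output would be shipped to the segregated central store and the detector (or a SIEM rule doing the same thing) would run there, so that an attacker on the application host cannot silence the alert by editing local files.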
More on OWASP Top 10
- OWASP Top 10: Intro
- OWASP Top 10: Injection (A1:2017)
- OWASP Top 10: Broken Authentication (A2:2017)
- OWASP Top 10: Sensitive Data Exposure (A3:2017)
- OWASP Top 10: XML External Entities (XXE) (A4:2017)
- OWASP Top 10: Broken Access Control (A5:2017)
- OWASP Top 10: Security Misconfiguration (A6:2017)
- OWASP Top 10: Cross-Site Scripting (XSS) (A7:2017)
- OWASP Top 10: Insecure Deserialisation (A8:2017)
- OWASP Top 10: Using Components with Known Vulnerabilities (A9:2017)
- OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)