
A10: Insufficient logging and monitoring

Introduction

Insufficient logging and monitoring is in the OWASP Top 10 for many different reasons. Not only is it hard to detect, it is also hard to protect against. There are several ways we can protect ourselves from this vulnerability, but we need to talk about what it entails first.

Threat agents/attack vectors

While performing an attack it is key for the attacker to stay undetected for as long as possible, and we notice that every major hack happens because incident response is not started soon enough. This is why it is so important to have proper logging and monitoring in place, with an alerting system set up.

Security weakness

Often when an attack happens, the logging that is done does not contain all the details that are required to investigate this major event. A strategy that many have taken is to first execute a pentest, or run a vulnerability scanner in aggressive mode (which allows the scanner to execute full-on attacks), and to investigate the logs afterwards.

Impacts

Almost all major attacks start by checking what vulnerabilities are possible. If we do not log and monitor this sufficiently, it has been shown that the likelihood of an attack increases drastically. We need to take action at the first sight of a probe, but we can only do this if we monitor and alert on logs that are already sufficiently detailed.

What is Insufficient Logging & Monitoring?

Besides not logging enough entries when events occur, this issue also concerns the amount of detail that is logged: we should make sure we can trace back anything required in the event of an unwanted occurrence such as a cyberattack. Some common things to think about are login, logout, requests and responses that are important to business users, and anything related to limited resources such as wallets.

Of course it’s not only about what is logged but also how it interacts with the system. If user-controlled input containing the wrong characters (a newline, for example) ends up in a log entry, it might break the integrity of the logs by forging or hiding entries. This is also known as log injection or log poisoning.
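The following is an added example (not code from the original post) showing how a username containing a newline forges a second entry in a naively formatted log, and two defensive variants: neutralizing control characters, and emitting one JSON object per line. The username and the fake admin entry it contains are constructed.

```python
import json

# Constructed attacker-controlled username: it embeds a newline followed by text
# shaped like a second, successful admin login entry (the forged entry is made up).
FORGED_USERNAME = "alice\n2024-01-01T00:00:00Z INFO login success user=admin"


def naive_log_line(username, outcome, ts):
    """Vulnerable: user input is formatted straight into a line-oriented log,
    so CR/LF in the input yields extra, forged lines."""
    return f"{ts} INFO login {outcome} user={username}"


def neutralize(value):
    """Escape CR, LF and every other control character so that one event
    always occupies exactly one physical line."""
    return "".join(
        f"\\x{ord(c):02x}" if ord(c) < 0x20 or ord(c) == 0x7F else c
        for c in value
    )


def safe_log_line(username, outcome, ts):
    """Hardened plain-text variant: same layout, but user fields are neutralized."""
    return f"{ts} INFO login {outcome} user={neutralize(username)}"


def audit_log_line(username, outcome, ts):
    """Hardened structured variant: one JSON object per line. JSON escaping keeps
    the entry on one line AND preserves the original bytes for later forensics."""
    event = {"ts": ts, "event": "login", "outcome": outcome, "user": username}
    return json.dumps(event, ensure_ascii=True)


def parse_audit(entry):
    """Read a structured entry back (what a monitoring pipeline would do)."""
    return json.loads(entry)


def line_count(entry):
    """Number of physical lines a single emitted entry occupies; should be 1."""
    return len(entry.splitlines())
```

The structured variant is preferable to neutralizing: the original input survives the round trip, so investigators still see exactly what the client sent.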

Of course we also need to ensure sufficient monitoring is put in place to safeguard the application. After all, there is no use in logging things that do not get monitored. This goes further than just monitoring the logs: we need to monitor everything, including APIs and connections to third-party applications.
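As an added example of "taking action at the first sight of a probe" from the table above and of actually monitoring what is logged, here is a small detector (not part of the original post) that runs over a constructed web-server access log and raises an alert when one client accumulates many 404 responses within a sliding time window; the addresses, paths and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access log in Common Log Format (addresses from documentation
# ranges, paths made up). The first client requests several non-existent paths
# in quick succession, as a scanner does; the second is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /admin/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /backup/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /old/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /test/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /config/ HTTP/1.1" 404 162
198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2023:13:55:11 +0000] "GET /logo.png HTTP/1.1" 404 162
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def detect_probes(log_text, threshold=5, window_seconds=60):
    """Alert on any client that accumulates `threshold` 404 responses within a
    sliding window of `window_seconds`. Returns [(ip, iso_timestamp)] with one
    alert per client, raised at the request that crossed the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    alerted, alerts = set(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], rec["ts"].isoformat()))
    return alerts
```

In a real deployment the alert would be pushed to whoever runs incident response rather than returned from a function; the single-alert-per-client rule keeps a noisy scanner from flooding that channel.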

Make sure the logging itself is secure and that malicious actors cannot easily access it, by replacing default passwords and placing the logging system in a secure internal location.

How to detect Insufficient Logging and Monitoring

Detecting this vulnerability is definitely not an easy task, as it requires a good inventory system that keeps track not only of what hardware is in the environment but also of what software runs on it, together with the flows that matter to the business stakeholders. Communication is certainly not easy and will continue to be a hurdle for many companies, so expecting so many teams to work together without proper oversight is hard. This inventory needs to be centralized and managed by one owner within the company that regularly updates it.

It is also important to investigate new vulnerabilities and CVEs as they arise, since they might affect the organization. This can be narrowed down to the components that are running within our organization; for example, we can go to Exploit-DB and search for “microsoft” and see that practical vulnerabilities are still being discovered quite often.

https://www.exploit-db.com/

Of course we can perform our monitoring with tools, but with so many on the market, which do you pick?

https://www.nagios.com/

https://www.snort.org/

https://www.splunk.com/

https://www.ossec.net/

https://github.com/Tripwire/tripwire-open-source

https://www.fluentd.org/

Attack Scenarios

One notable attack scenario can be found in a CVE where attackers appear to have the ability to pollute the logs and hide audit information from the system administrators. This is of course not good, but it does not have a very high impact, as we can see on the seclists.org posting:

https://seclists.org/fulldisclosure/2016/Oct/53

Magento, a common e-commerce platform, also released a patch against this vulnerability type on October 8, 2019, which aims to solve the issue covered here. The vulnerability occurs because administrators' actions are not properly logged. More information can be found here:

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

How to Prevent Insufficient Logging and Monitoring

Prevention of this vulnerability type depends in large part on how diligent your organization is in keeping track of what should and should not be logged, and how diligently those logs are monitored. We can use tools to aid us in the process, but we also need to ensure that our software is designed for optimal logging. Besides creating those logs, we need a good way to monitor them. Let’s describe some tips to help you prevent this prevalent security issue before we go into some more tooling.

Log data management tools

https://nlog-project.org/

https://nmap.org/

https://dumpsterventures.com/jason/httpry/

Logging and Monitoring Tips

Conclusion

While this vulnerability type may not seem like a great issue at first, it can be a serious one at the time you need logging most. In the event of an attack or critical bug, you may have no way of properly investigating, or your ability to do so may be severely hindered, so it really pays off to invest in proper logging and monitoring. It will greatly help the passive web application, server infrastructure and API security you have in place.