In this age of increasing cyber threats, the security of web applications has become a paramount concern. Malicious entities are always on a lookout for new opportunities like lack of logging and monitoring. They spend a lot of time examining applications and systems to find errors and vulnerabilities.
It’s not surprising that without proper logging and monitoring, IT and software development teams are unaware of any discrepancies if (and when) cyberattacks or hacking attempts occur. The bad guys rely on the window of opportunity and calmly attack systems without being noticed, overwhelming defenses and potentially causing significant damage.
But…Good news, everyone! This article provides a monster set of great preventive methods to help organizations operate with confidence and assurance in the security of their systems. So let’s jump right into it!
Security Logging and Monitoring Failures Explained
Before diving into the impact of Security Logging and Monitoring vulnerabilities, let’s take a moment to understand the vulnerability itself.
Security Logging and Monitoring Failures initially held the 10th position in the 2017 OWASP edition. However, the vulnerability has since moved up one spot and now occupies the 9th position in the 2021 list. As the title suggests, the vulnerability implies the risk of apps and APIs not having proper logging and monitoring in place to track down and debug errors.
Insufficient Logging and Monitoring stands out from other categories in the OWASP Top 10 because it cannot be directly exploited. Instead, it revolves around having inadequate detection and response measures or a lack of them. Without efficient logging and monitoring, organizations might spend days, weeks, or even months detecting a breach and then conducting digital forensics after the incident has occurred.
OWASP states that nearly all major security incidents originate from the exploitation of insufficient logging and monitoring. Attacks based on insufficient logging and monitoring are usually ranked high in prevalence, medium in opportunity, and low in detectability.
Example of centralized log collection and password attack alerts in the “Checkmk” service
How Can Hackers Leverage Insufficient Security Logging and Monitoring?
When proper logging and monitoring are not in place, it gives enough room for ransomware criminals to perform malicious activities detrimental to your business. What can they possibly do? Get unauthorized access to your system, spy on you, tamper with, extract, or destroy data, penetrate multiple ecosystem components further, and get away with it.
Here are some of the exploits of logging failures:
- Password attacks. Impostors can exploit insufficient logging and monitoring to obtain unauthorized access to user accounts. The methods include brute force attacks, dictionary attacks, and password sniffers.
- Man-in-the-middle-attack (MITM). Here, perpetrators eavesdrop on the communication between two parties and modify messages. Such attacks include email hijacking, Wi-Fi eavesdropping, session hijacking, and DNS spoofing.
- Denial of service (DoS). During this attack, threat actors first attempt to gain access to the system, shut down the network, and then reduce its ability to respond to user requests by overwhelming the target system with enormous bot-generated traffic.
- Advanced persistent threats (APTs). APTs are targeted attacks that enable fraudsters to access a network, deepen their hold on the system, and go undetected for extended periods.
The attack surface is even larger than you can imagine, right? At first glance, insufficient logging and monitoring might not seem like a big deal, but if we look under the hood, there’s a lot more to uncover.
Example of a Password Attack in nginx logs
Attack Examples
To illustrate the attack, let’s take a look at the following scenarios:
- A video-sharing platform suffered a significant credential-stuffing attack. Despite logging failed login attempts, no alerts were triggered during the attack. In response to user complaints, the company analyzed API logs and discovered the breach. Platform executives had to publicly announce the incident, urging users to reset their passwords and create stronger ones instead.
- The hacker starts by scanning for users with a shared password. Once identified, they exploit this vulnerability to take control of all such accounts. For other accounts, a single false login attempt is left behind, possibly to evade detection or cause confusion. After a waiting period, the attacker repeats the process with a different password, aiming to exploit weak or common passwords for unauthorized access.
- Access keys, used for administrative API access, were leaked on a public repository. Someone identified the potential security risk and notified the owner of the repository via email. Despite an email notification, the repository owner took over 48 hours to respond. This exposure could grant unauthorized access to the administrative API. Insufficient logging hinders the company from fully assessing the breach and determining the accessed data by malicious actors.
As you can see, attackers can always find ways to blindside an organization. No system is entirely immune to potential security breaches. Unfortunately, insufficient logging and monitoring are typically addressed only after significant damage has occurred. The repercussions can be severe, extending beyond technical issues to impact a company’s reputation.
How to Detect Security Logging and Monitoring Failures?
The challenges are diverse, but so are the solutions. To stay on top of your API security posture, it’s important to run routine penetration tests.
Use the help of cybersecurity professionals to check for any abnormalities. The process involves simulating network and application attacks to discover weaknesses and identify unusual patterns. The testers’ actions should be well-documented so that you can understand the extent of damage caused by malicious operators.
Without conducting penetration testing, how can you be sure your system is functioning correctly? As hostile attackers step up their game, organizations must do all they can to keep their digital assets intact.
Example of a website vulnerability testing report using Greenbone Security Assistant
Real-Life Examples
What can happen if people remain oblivious to properly implementing logging and monitoring tools? Thousands of data breaches were successful due to inadequate logging and monitoring. The breaches were preventable, but organizations made blunders. This led to significant financial losses and tarnished reputations. Continue reading to discover real-life examples of victims affected by such attacks.
Target
The Target data breach was one of the largest retail data breaches in history, affecting 70 million customers. During the 2013 holiday season, the second-largest discount store chain in the USA was hacked. A vast amount of personal customer data was stolen, including 40 million credit and debit card accounts.
Simply neglecting to properly log failed login attempts was enough to let malicious operators on board. This seemingly small mistake allowed the hackers to attempt different usernames and passwords from the same IP address until they succeeded. The consequences were devastating: Target not only lost over $200 million but also the trust of their customers, who no longer had faith in their security.
Yahoo!
Let’s continue with a data breach involving Yahoo!, an American web services provider. It was a breach of epic proportions — 896 million Yahoo! user accounts were compromised. Over the course of 191 days, ransomware criminals managed to copy private information such as birth dates, phone numbers, password recovery emails, and even password challenge questions and answers.
Despite state-of-the-art security software and hundreds of security professionals, how did Yahoo! fail? The breach appears to have been made possible by a simple spear-phishing email sent in early 2014 to a Yahoo! company worker. Only in late August 2016 did the full scale of the breach begin to become apparent.
There were a multitude of missteps inside the company — they did not implement basic security measures such as encrypting identifying information. It took Yahoo! too long to detect the breach, costing their users’ trust.
Citrix
Similarly, in 2019, the giant firm Citrix suffered a significant data breach, exposing 6TB+ of emails, docs, and secrets. Executives at Citrix learned about the breach from the FBI, and what they discovered was devastating. Quite concerned, Citrix immediately initiated a forensic investigation.
Attackers used password spraying, a method that exploits weak passwords. This incident occurred because Citrix didn’t have sufficient security measures in place, causing tremendous financial damage to the company. Employees, contractors, interns, job candidates, beneficiaries, and dependents affected by a data breach at Citrix have managed to secure a $2.28 million settlement in court.
The Citrix breach highlights the significance of simple security measures like having strong passwords and using two-factor authentication (2FA). Companies must regularly audit user passwords against common password lists and remain vigilant for signs of compromise.
Prevention Strategies and Best Practices
In the complex world of digital advancements, security is a critical pillar. As a basic guideline, the more valuable the data, the more security measures — like logging and monitoring — should be in place to alert potential threats.
Several steps should be followed to protect from security logging and monitoring failures:
- Specify the logging and monitoring requirements. Outline what information to log and monitor, establish the frequency, and identify the responsible parties
- Log application errors, connectivity issues, runtime errors, configuration changes, and file system errors
- Use encryption for central logging
- Configure alerting.
If any malfunctions or errors happen, your security team needs to be alerted - Ensure high-risk functionality is logged. This includes login attempts, high-value transactions, user account changes, password changes, etc
- Keep your software patched. Regularly update your systems with security patches
- Conduct regular security scans. This will help you identify vulnerabilities much sooner, thereby reducing subsequent and consequent damage
- Carry out internal and external penetration testing to confirm the logging side of the risk. Red (whitehat hackers) and blue (in-house threat hunters) teaming are used to confirm the monitoring side of the risk
- Monitor and review. If you don’t do any monitoring, what’s the point of even logging? Regularly monitor and review your logging and monitoring solutions to ensure they’re functioning correctly and capturing all the needed data
- Conduct anti-phishing training. Train your employees in secure coding practices, incident response procedures, and security awareness
At QAwerk, we understand the importance of having a proactive anomaly detection approach that aligns with an organization’s specific needs and context. The steps mentioned above offer a roadmap for organizations looking to safeguard their digital assets effectively.
Insufficient Security Logging and Monitoring Protection with QAwerk
QAwerk helps organizations achieve attack protection in a cloud-first, API-driven world. We specialize in stopping web application and API attacks through holistic penetration testing. Our pentesters will probe and seek to break into your system in a controlled environment. This is done to understand the risks facing your web applications and test their effectiveness in responding to security incidents.
Here are the myriad benefits QAwerk offers:
- Provides a comprehensive view of fraud rings
- Prevents website and server downtime
- Analyzes logs and finds problems within them
- Provides detailed security reports (vulnerability severity, potential impact, and the likelihood of exploitation)
- Saves time and money for your business
Key takeaways
In the fast-paced threat landscape, where malicious actors are evolving their tactics, ramping up defenses becomes a Herculean task. Security Logging and Monitoring Failures present a major challenge in the cyber security field.
Amid these challenges, it’s essential to take a comprehensive approach, which includes establishing a strong application security program. This program should focus on bolstering an organization’s security stance through continuous monitoring, regular penetration testing, and developer education in secure coding practices.
By mirroring the probing techniques cyber adversaries use, our experienced pentesters can detect potential vulnerabilities in your systems before they wreak havoc on your business. Don’t leave your API security to chance – reach out to security professionals to streamline your defensive stack and reduce security complexity!
Increase your web app security now
