When do you know if something went wrong?

Security alert

This is a very important question.

How do you know if something has gone wrong, or if your site has been compromised?

The answer is that, unless you are logging and monitoring events, you don’t know.

If you read about major data breaches, you’ll notice that often the data breach might have been going on for years. The companies only noticed it when someone complained.

According to a 2020 IBM Security study, companies in South Africa took on average 177 days to identify a data breach. That might not be years, but it is still way too late.

Do you log and monitor?

OWASP lists insufficient logging and monitoring as one of the top 10 security risks.

Security logging is the process of logging security and application events when an application is live.

Monitoring is the live review of application and security logs.

Logging and monitoring is essential for every public-facing server. You can use the security logs to identify any potentially malicious activity. Your logs also provide a way to record audit trails and compliance monitoring.

What should you log?

Think carefully about what you log. As the OWASP guideline says: Do not log too much or too little.

You must log enough data to be able to check for malicious activity. Here are some examples of what you should log:

  • The timestamp, source IP and user id.
  • Requests that involve changes to data that should not be modifiable.
  • Authentication successes and failures.
  • Access control failures.
  • Application errors.

But remember that you must never log private or confidential data.

Don’t forget to monitor

It is useless to log all the important information, and then not check the logs.

Don’t assume that anyone is checking the logs. Make sure that important events trigger alerts to the responsible people immediately. And that you have procedures in place to deal with the alerts.

Protect your logs

One last word: protect your log integrity. A clever hacker might try to tamper with the logs. So take the necessary steps to prevent log injection or log forging.

Here are some resources for further reading:

Leave a Comment

Your email address will not be published. Required fields are marked *