Logs are good for more than just taking up space on your hard drive. Logs are useful records of an event that took place at a particular time and in a particular manner. Since it’s obviously impossible to see everything is happening in your systems all the time, and certain events (like security incidents or application errors) may require forensic or debug data to assess, logging can be a critical piece of a IT infrastructure. Chances are if you are a system administrator, you’ve come across one or two logs in your time.
Logs are typically generated for things like:
Security events
Uptime/downtime
Errors (5xx, etc.)
Traffic/usage
Why Logging is Useful
For some, logs may seem like a nuisance. For others, their purpose is a mystery.
Many organizations use logs to help with things like troubleshooting, monitoring and alerting, analytics, and application debugging. At Port80, we do a considerable amount of logging with our web application firewall, ServerDefender VP. Here we use logs to detail security events such as XSS, SQL injection, input validation, and buffer overflow attacks. They capture detailed information about who, where, and how the event occurred. For us, logs are a way to view events and perform an assessment.
We look to see if legitimate users are being inadvertently blocked by security controls by analyzing the logs of the user moving through the site. If we see lots of bad behavior (attempting to access certain pages, XSS exploits, etc), we’ll know they are likely a malicious user and we might block their IP. If we see some harmless behavior that set off our web application firewall, we might want to adjust our controls for a particular field or page. But without this log data, we would have no way of knowing what type of actions to take because we would have no data to base our decisions on.
For another take on logging, information security video-blogger Javvad Malik produced a quick overview of log management that’s both educational and entertaining:
The volatility in the current environment requires organizations to react very quickly to the changing business landscape. Consequently, this has to be done not only with speed but also under severe cost pressures. More and more IT teams are adopting third party packaged solutions as their answer to the challenge of providing quick solutions to business, as building proprietary solutions often satisfy neither time or budgetary requirements.
This trend is growing fast in all organizations. Business are signing strategic IT sourcing deals whereby they hand over the entire IT support to an external vendor, placing the vendor with the responsibility for infrastructure and personnel. Or, they are moving to outsourcing model where they buy and customize solutions from a third party vendor for their automation needs.
To cash-in on this trend, some IT consulting companies have built products which they customize according to the client’s requirements and implement them onsite. In this process the one piece that gets neglected the most is security.
Most organizations don’t have processes or checks in place to ensure the third party code is implemented securely. In our experience, while testing applications which have been provided by third party vendors experiencing security flaws, we have seen vulnerabilities that could have been easily exploited by the attackers to access highly confidential personal and financial data.
The story is no different in other verticals. In December 2012, an Egyptian hacker breached Yahoo!’s security systems and acquired full access to Yahoo! Database server. The SQLi attack was carried out on a Yahoo! Web application, which was a third party application.
So how can organizations protect against this? We mooted the idea of conducting regular Security Assessment to some of the firms who have many products. But given that there is extensive customization done of these products at the time of implementation, the best practice is to perform a periodic code review of the code deployed at the client end.
The argument against this is that very often clients feel helpless that they will not receive access to the code. Recently, though, there have been cases where clients have been able to get the vendors to agree to access to code for security code review. But no matter what, when deploying or integrating a third party application, ensure that you perform proper security checks and don’t just deploy the quickest and cheapest solution. Remember, you’re only as secure as your weakest link.
As discussed in a previous post on incident response, there really isn’t any form of authority one can call in the event of a hack attack. So, if we live in a world where we are left to fend for ourselves in cases of cyber criminality, what are we to do?
One potential course of action to take, in the absence of authorities or first responders, while under attack is to hack back. However, even in this regard there are not sufficient laws to help people and organizations defend themselves. In fact, if anything, there are laws that could land those who hack back in trouble.
For example, cybercrime laws in the US have extensive provisions for what is constituted as cybercrime. However, none have provisions that define exceptions to the rule for cases of self-defense. If an organization or individual were to attempt to stop such an attack by attaching the machine(s) where the attack originated, they may not be able to plead “self-defense.” In fact, their efforts may be categorized as an attack and they may face legal repercussions.
The issue of hacking back isn’t just one that has beleaguered technical people, it’s even become a debate for lawyers. To hear the legal side of things, the Federalist Society has a recorded discussion on the legality of hacking back between a group of lawyers.
Problems with Hack Back
Legality aside, there are other issues that arise when considering hacking back. For one, attackers often don’t just attack from their own machines, but from botnets or zombie machines (i.e. machines belonging to other unsuspecting individuals and organizations that they have been able to virtually own). In a case like this, hacking back would really mean attacking and shutting down or damaging machines belonging to people who otherwise have nothing to do with the attack. This would really just make life miserable for the person or organization in the middle of it all, and make the person who thinks they are defending themselves somewhat of a bad guy.
But it’s Kind of Like the Real World…
Criminal laws in most countries have express clauses defining what constitutes self defense and upholding the right of an individual to use force in order defend his/her body and property. So let’s take an example.
If some thieves came on a stolen bike to steal money from someone traveling in a car and in defending him or herself, if the individual in the car ends up damaging the bike, the owner of the bike cannot file a complaint against the person in the car. Isn’t this similar to what happens in the online world when the attackers hijack machines and use them to attack others? In the absence of any specific protection in the laws concerning cybercrime, shouldn’t provisions from the criminal laws come to the aid of the beleaguered organizations who when under attack, can attack back to control the damage?
It is strange that while laws don’t protect individuals and organizations, nations have already started using “hack back” as a strategy to strike back. Recently, stories came out about the United States attempting to hack back China after numerous state-sponsored hacks originating from the Chinese. This could be interpreted in two ways: there is a indeed a shadow cyberwar occurring, or it was a defensive technique.
So what can organizations do? In light of the confusion in the law and the fact that the business world is more globally connected, organizations need to focus on strengthening their own assets against attacks. Using a red team approach is a good idea to evaluate the preparedness to respond to any type of attacks. The red team approach is a concept of allowing a team of crack commando style infosec analysts to attack the corporate IT assets to gauge the preparedness of the IT assets to withstand the attacks and effectiveness of the incident response process. Preparedness and knowledge are traits that could better equip you to deal with hack attacks, in lieu of the existence of a dedicated cyber-authority.
Earlier this week, the Associated Press’s Twitter account sent out a tweet announcing a terrifying attack on the White House. The Tweet quickly spread throughout Twitter and sent the stock market spiraling.
However, as we now know, the Tweet was fake, the result of the @AP account being hacked. As web security professionals, what we’re most concerned about is: a) How did the account get hacked, and b) How do we prevent it from happening again?
If there’s somethin’ strange in your neighborhood, Who ya gonna call? If it’s somethin’ weird and it don’t look good, Who ya gonna call? Ghostbusters?
You could ask the same question when it comes to the web today: Who are you going to call when you get hacked? The local police? Well that’s not as easy as placing a call for a crime in the physical world. A recent piece by Eileen Sullivan of the Associated Press details how local police struggle with responding to cybercrimes.
There are numerous reasons local authorities cannot deal with hackers: For one, police have to act within their jurisdictions. Even if police had the technical capabilities to track down and stop a perpetrator, if they were acting from from thousands of miles away there would be little they could do because of jurisdiction. Continue Reading
