Jan 14 2014

What to Log for Authentication and Access Control

Category: Access Control, Log Management | DISC @ 10:30 am

Authentication and access control play a critical role in web application security. All authentication and access control events should be logged, including but not limited to successes and failures. If only successful events are logged, someone may brute-force passwords without being detected or noticed. Conversely, if only failures are logged, a legitimate, valid user may misuse, corrupt, harm or simply abuse the system without any detection. Beyond those, all other authentication and access control related events (such as account lockout) are important and must be logged. Events to capture include:

  • Failed log in
  • Successful log in
  • Account locked / disabled
  • Account unlocked / enabled
  • Account created
  • Password changed
  • Username changed
  • Logged out

Logs should record the resources involved in the web application (IP address, URL, user name, HTTP method, protocol version, etc.) and document the reason why access was denied for each failed event. Some applications provide much better logs than others; in general, log entries should contain the user ID, timestamp, source IP, description of the event, error code and priority.

All error conditions should be logged, including simple things such as SQL query errors, which can help to detect SQL injection attacks. Some errors related to the availability of the application are important as an early sign that the BCP (business continuity plan) should be triggered. Availability is one of the main pillars of information security, so it should be logged and monitored. Logged error conditions should include, but are not limited to, failed queries, file not found and cannot-open errors, unexpected state, connection failures and timeouts.
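The following is an added example, not code from the original post, covering both the authentication event logging described above and the error-condition logging. It writes every event (success and failure alike) as a JSON line carrying the fields the post lists (user ID, timestamp, source IP, description, error code, priority) plus optional request context, and then runs two review checks over the resulting lines: repeated failed logins from one source, which is exactly the brute-force pattern that cannot be seen if only successes are logged, and repeated SQL query errors from one source. The field names, thresholds, IP addresses and sample events are constructed for illustration.

```python
"""Structured logging of authentication / access-control events and error
conditions, plus two review checks run over the resulting log lines.
Added example, not code from the original post: field names, thresholds
and the sample events below are constructed for illustration."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Every entry carries the fields the post lists: user ID, timestamp,
# source IP, description of the event, error code and priority.
REQUIRED = ("user_id", "timestamp", "source_ip", "event", "error_code", "priority")


def make_event(user_id, source_ip, event, error_code=0, priority="info",
               ts=None, **extra):
    """Build one JSON log line. Successes and failures are written the same
    way, so both are available for later review."""
    entry = {
        "user_id": user_id,
        "timestamp": (ts or datetime.now(timezone.utc)).isoformat(),
        "source_ip": source_ip,
        "event": event,
        "error_code": error_code,
        "priority": priority,
    }
    entry.update(extra)  # e.g. url, http_method, protocol, reason for denial
    return json.dumps(entry, sort_keys=True)


def parse(lines):
    """Parse JSON log lines, rejecting any entry missing a required field."""
    out = []
    for line in lines:
        rec = json.loads(line)
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            raise ValueError(f"log entry missing {missing}: {line}")
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        out.append(rec)
    return out


def failed_logins_by_source(records, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed logins inside any
    sliding window of length `window`. This check is impossible if only
    successful logins are recorded."""
    per_ip = defaultdict(list)
    for r in records:
        if r["event"] == "login_failed":
            per_ip[r["source_ip"]].append(r["timestamp"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def sql_error_sources(records, threshold=3):
    """Flag source IPs producing repeated SQL query errors, the early sign of
    injection attempts that the post says error logging can reveal."""
    counts = Counter(r["source_ip"] for r in records if r["event"] == "sql_query_error")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log (timestamps are relative to a fixed start time).
T0 = datetime(2014, 1, 14, 10, 30, tzinfo=timezone.utc)


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_LOG = (
    # six failures in under a minute, then a success, from one source
    [make_event("alice", "203.0.113.5", "login_failed", error_code=401,
                priority="warning", ts=_at(10 * i), reason="bad password",
                url="/login", http_method="POST") for i in range(6)]
    + [make_event("alice", "203.0.113.5", "login_success", ts=_at(70),
                  url="/login", http_method="POST")]
    # ordinary activity from a second source: one typo, then normal use
    + [make_event("bob", "198.51.100.7", "login_failed", error_code=401,
                  priority="warning", ts=_at(5), reason="bad password"),
       make_event("bob", "198.51.100.7", "login_success", ts=_at(30)),
       make_event("bob", "198.51.100.7", "logout", ts=_at(900)),
       make_event("-", "198.51.100.7", "sql_query_error", error_code=500,
                  priority="error", ts=_at(40), url="/search")]
    # repeated SQL errors from a third, unauthenticated source
    + [make_event("-", "203.0.113.9", "sql_query_error", error_code=500,
                  priority="error", ts=_at(100 + i), url="/search") for i in range(3)]
)


def run_review(lines=SAMPLE_LOG):
    """Run both checks over a list of log lines and return the findings."""
    records = parse(lines)
    return {"brute_force": failed_logins_by_source(records),
            "sql_errors": sql_error_sources(records)}


if __name__ == "__main__":
    print(json.dumps(run_review(), indent=2))
```

Running the block prints the two findings for the constructed log: the first source is flagged for six failed logins within the window, and the third source for three SQL query errors; the second source, with one failed login and one SQL error, is not flagged by either check.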

Besides the inherent benefits of log management, a number of laws and regulations further compel organizations to store and review certain logs. The following is a listing of key regulations, standards, and guidelines that help define organizations’ needs for log management – ISO 27001, ISO 22301, FISMA, GLBA, HIPAA, SOX, and PCI-DSS.

Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology: Special Publication 800-92

Security Log Management


Tags: Access Control, authentication, Log Analysis, logging, Security, Site Management


Dec 05 2008

Telcos and information privacy

Category: Information Privacy | DISC @ 2:26 pm


With the economy in the tank, breach of privacy is not going to be a priority on the Obama administration's to-do list. It will be quite difficult to make it a priority when Obama has signed a bill indemnifying telcos against suits over privacy breaches.

During the presidential election campaign, a Verizon employee gained unauthorized access to President-elect Obama's mobile phone records. If telcos have a hard time protecting the privacy of high-profile individuals, how should that make you feel as a cell phone owner? Don't you wonder why the mainstream media didn't publicize this high-profile privacy breach more widely?

Basically, telcos have been immunized from privacy lawsuits so that big brother can snoop around our private phone records as it pleases. The law applies to people and makes it illegal to snoop on each other, but the telecom entities have been granted an exception by Congress. Legal rulings require law enforcement to meet a high "probable cause" standard before acquiring cell phone records. In a recent report, documents obtained by a civil liberties group under a FOIA request suggest that "triggerfish" technology can be used to pinpoint a cell phone without involving the cell phone provider and without the user knowing about it.

Organizations should implement directive, preventive and detective controls to protect the privacy of information. Directive controls include policies, procedures and training. Preventive controls cover separation of duties, the principle of least privilege, and network, application and data controls. Detective controls involve auditing, logging and monitoring.

The Verizon case shows a lack of detective controls. Organizations should have a clearly defined privacy policy stating that access to private information must be logged, monitored and audited. High-profile individuals should be identified and documented, and audit logs should be reviewed to identify inappropriate access to their private information. The authorized persons who have access to private information should be audited on a regular basis to find out whether they are following the company's privacy policies and procedures. For private information, log who accessed which data, for whom and when. Managers should train and monitor subordinates to help protect private information, which not only educates subordinates but also serves as a major deterrent. Privacy is an essential ingredient of liberty and must be guarded with the utmost due diligence.
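As an added example, not code from the original post, the block below implements the detective control the paragraph calls for: an access log that records who accessed which data, for whom and when, reviewed against a list of high-profile subjects and checked for accesses with no documented reason, plus a per-accessor summary for the regular audit of authorized staff. The record layout, the watch list, the accessor and subject identifiers and the sample records are all constructed for illustration.

```python
"""Periodic review of a privacy access log: who accessed which data, for whom
and when. Added example, not code from the original post: the record layout,
watch list and sample records are constructed for illustration."""
from collections import Counter

# Constructed watch list of subjects whose records get extra review.
HIGH_PROFILE = {"subject-0001"}

# Constructed access-log records: accessor, subject whose data was touched,
# data category, documented reason (case id, empty if none) and timestamp.
SAMPLE_ACCESS_LOG = [
    {"accessor": "agent17", "subject": "subject-0042", "data": "call_records",
     "reason": "CASE-311", "when": "2008-11-20T09:14:00"},
    {"accessor": "agent17", "subject": "subject-0001", "data": "call_records",
     "reason": "", "when": "2008-11-20T09:20:00"},
    {"accessor": "agent23", "subject": "subject-0001", "data": "billing",
     "reason": "CASE-318", "when": "2008-11-21T14:02:00"},
    {"accessor": "agent23", "subject": "subject-0088", "data": "call_records",
     "reason": "", "when": "2008-11-21T14:05:00"},
]


def review_access(records, watch_list=HIGH_PROFILE):
    """Return findings for the audit-log review: every access to a
    watch-listed subject (each one is reviewed, appropriate or not) and every
    access that lacks a documented reason. One record can yield both."""
    findings = []
    for r in records:
        if r["subject"] in watch_list:
            findings.append(("high_profile_access", r["accessor"],
                             r["subject"], r["data"], r["when"]))
        if not r["reason"]:
            findings.append(("no_documented_reason", r["accessor"],
                             r["subject"], r["data"], r["when"]))
    return findings


def accessor_summary(records):
    """Per-accessor counts for the regular audit of authorized staff: total
    accesses and how many of them lacked a documented reason."""
    total = Counter(r["accessor"] for r in records)
    undocumented = Counter(r["accessor"] for r in records if not r["reason"])
    return {a: {"total": total[a], "undocumented": undocumented.get(a, 0)}
            for a in total}


if __name__ == "__main__":
    for finding in review_access(SAMPLE_ACCESS_LOG):
        print(*finding)
    print(accessor_summary(SAMPLE_ACCESS_LOG))
```

On the constructed records the review yields four findings: two accesses to the watch-listed subject (one of them also undocumented) and two accesses with no documented reason. The summary shows each accessor with two accesses, one of them undocumented, which is the kind of per-person figure a manager would review before deciding whether the privacy procedures are being followed.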

“Those who give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety” Benjamin Franklin

Presidential Phone Compromised

Privacy Debate: Shouldn’t Public Demand High Threshold?
httpv://www.youtube.com/watch?v=HR6IEz4T7Yw


Tags: auditing, Barack Obama, breach of privacy, Civil liberties, detective, directive, Lawsuit, logging, mobile phone, monitoring, preventive, privacy, Security, triggerfish, Verizon