T 2.22 Lack of or insufficient evaluation of auditing data

Functionalities designed to log certain events regarding their chronology are integrated into many IT systems and applications. This way, large amounts of auditing data are often generated in an information system the evaluation of which is complex and very time-consuming. However, reasonably evaluating this auditing data is necessary in order to be able to perform error analyses and to identify attempted attacks.

A variety of logging concepts will be used during the life cycle of an IT system. For example, comprehensive logs are created during the development phase in order to facilitate problem analysis in the event of errors.

In the implementation phase, logs are used to optimise the performance of the IT system in the production environment or to examine the effectiveness of the security concept in actual practice for the first time, amongst other things.

In the production phase, logs are mainly used in order to ensure proper operation. Auditing data is then used to subsequently identify security violations within the IT system or attempted attacks, amongst other things. Logging can also be used to determine who the perpetrator was and can serve as a deterrent to potential attackers as a consequence. Regular evaluation of the auditing data allows for use of the data for preventive measures such as an early warning system, whereby deliberate attacks to an IT system may be detected or defeated prematurely.

Central logging

If auditing data is evaluated at a central location, it is possible that important information is overlooked and attacks are not detected due to the large amount of data, for example. For this reason, there are systems supporting the administrator in evaluating the auditing data or even automatically evaluating the data. Depending on the product, the information of the different data sources can be combined and processed to become one log report. However, there is the risk that the auditing data possibly can no longer be traced back to their original data source so that it cannot be instantly seen where the event initially occurred.

Improperly configured filter functions of the evaluation tools may cause further evaluation issues. This may result in auditing data required for failure detection, troubleshooting, or early warning not being evaluated.

Examples:

• An attacker tries to crash the database server by means of a DoS attack. This attack is logged on the affected IT system. However, due to a lack of evaluation of the auditing data the attack is not detected and the attacker can repeat the DoS attack until it is successful.
• Within the framework of a web server attack, an RPC security gap was used in order to gain access to the system. The web server generated corresponding auditing data, but this data was discarded due to improper filter settings at the central logging server. Therefore, no automatic alarm was triggered and the attack was not detected.