T 2.161 Loss of confidentiality and integrity regarding logged data
Some IT systems generate logged information such as user name, IP address, email address, and computer name that can be attributed to specific persons. Such information can be intercepted and manipulated if transmission is insecure and not encrypted. This risk is particularly applicable if centralised logging is used, because the logged data of many systems then travels over the network to one place. Such information widens the attack opportunities. For example, if an attacker knows the user names, he/she can attempt to guess the corresponding passwords or try to crack the passwords using dictionary attacks (see also T 5.18 Systematic trying-out of passwords).
The integrity of the logged information may also be affected adversely by insecure and unencrypted transmission, as well as by misbehaviour of administrators. For example, if an administrator changes or deletes the logged data in order to conceal a configuration error, the information can no longer be relied upon for further processing. Furthermore, transmission errors on the way to a centralised logging server may cause a loss of integrity for logged data. However, data may also be forged deliberately in order to provide incorrect information.
Examples:
- By means of a man-in-the-middle attack, the attacker can read the transmitted and unencrypted logged data in an unauthorised manner. Thus, he/she is provided with specific information about the information system such as the IP addresses of the individual IT systems. The attacker is now able to forge IP addresses and to masquerade as another IT system (IP spoofing). In some information systems, internal systems commonly trust each other so that a user may log in without entering any user name or password. The attacker can now attack the target computer with the help of the forged IP address without having to authenticate.
- During transmission of the log messages from the file server to the centralised logging server, physical faults in the transmission channel cause transmission errors. As a result, the administrators do not notice that the file server has failed repeatedly over the past hours.
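As an added illustration that is not part of the catalogue entry, the following Python sketch shows one way a centralised logging server can detect the integrity losses described above: each record is chained to its predecessor with an HMAC under a key the sending host's administrator does not hold, so a record altered in transit, a record deleted in the middle, and (if the receiver remembers the last tag it accepted) records cut off at the end all show up on verification. The key, the record layout and the file-server log lines are constructed for the example.

```python
import hashlib, hmac, json

# Constructed demo key shared with the central log server; the sending host's admin must not hold it.
SHARED_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32
def _tag(key, prev, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev + body, hashlib.sha256).hexdigest()

def seal_records(records, key=SHARED_KEY):
    # tag_i = HMAC(key, tag_(i-1) || record_i); the first record chains to GENESIS
    prev, sealed = GENESIS, []
    for rec in records:
        tag = _tag(key, prev, rec)
        sealed.append({"record": dict(rec), "tag": tag})
        prev = bytes.fromhex(tag)
    return sealed

def verify_chain(sealed, key=SHARED_KEY, last_tag_seen=None):
    # Index of the first failing record; len(sealed) if the newest records were cut off; else None.
    prev = GENESIS
    for i, entry in enumerate(sealed):
        if not hmac.compare_digest(_tag(key, prev, entry["record"]), entry["tag"]):
            return i
        prev = bytes.fromhex(entry["tag"])
    if last_tag_seen is not None and prev.hex() != last_tag_seen:
        return len(sealed)
    return None

# Constructed sample of what a file server might send to the central log server.
FILESERVER_LOG = [
    {"ts": "2024-01-01T10:00:00Z", "host": "fs01", "msg": "smbd started"},
    {"ts": "2024-01-01T10:05:00Z", "host": "fs01", "msg": "disk I/O error on /dev/sdb"},
    {"ts": "2024-01-01T10:06:00Z", "host": "fs01", "msg": "smbd stopped unexpectedly"},
    {"ts": "2024-01-01T10:07:00Z", "host": "fs01", "msg": "smbd started"},
]

def corrupted_in_transit():           # a transmission error alters record 1
    sealed = seal_records(FILESERVER_LOG)
    sealed[1]["record"]["msg"] = "disk I/O ok on /dev/sdb"
    return verify_chain(sealed)

def record_deleted_by_admin():        # record 2 removed to hide the outage
    sealed = seal_records(FILESERVER_LOG)
    del sealed[2]
    return verify_chain(sealed)

def tail_truncated():                 # newest record dropped: only last_tag_seen catches it
    sealed = seal_records(FILESERVER_LOG)
    last = sealed[-1]["tag"]
    del sealed[-1]
    return verify_chain(sealed), verify_chain(sealed, last_tag_seen=last)
```

The chain alone cannot tell a truncated tail from a log that simply ended, which is why the receiver has to keep the last accepted tag (or a record counter) outside the sender's reach; in practice the transport itself should also be encrypted and authenticated, since the chain protects integrity but not confidentiality.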