T 4.89 Lack of or insufficient alarm concept during logging
Products that store and analyse logged and monitoring data can often be integrated into an IT early-warning system as optional components. IT early-warning systems are used to issue warnings while a security incident is still in progress, before its possible effects become noticeable. This is particularly effective with central logging, since security incidents can be detected more quickly when the log events are analysed appropriately.
However, monitoring must include an alarm component. Monitoring the entire information system and analysing the logged data without generating any alarms means that incidents are detected late or not at all, which has negative effects on the availability, confidentiality, and integrity of the systems.
False-Positives and False-Negatives
Thresholds set too low or too high are frequent errors in alarm components. These thresholds determine the point at which alarms are generated. Thresholds set too low cause false alarms (False-Positives). Thresholds set too high do not trigger any alarm despite an IT security incident (False-Negatives).
False-Positives may also be caused by administrators failing to include certain systems, which are incorrectly identified as malicious, in the exception lists (white lists). Examples are vulnerability scanners or monitoring stations, which connect very frequently to other systems and services on different ports and therefore often exceed the thresholds. However, white lists may also be misused by attackers so that no alarm is triggered when an IT system is attacked (False-Negative). If the white lists contain too many systems, many False-Negative incidents may occur.
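The following example is added here and is not part of the BSI threat catalogue. It illustrates the threshold and white-list effects described above with a small threshold-based alarm: each source is alarmed when it contacts more distinct destination/port pairs than the threshold allows, unless it is on the white list. The log lines, host addresses and the role assigned to each host are constructed for the example; the alarm on changes to the white list itself is an additional safeguard chosen for the example, not a measure the text prescribes.

```python
"""Threshold-based alarm with a white list: False-Positives, False-Negatives
and the effect of an over-broad or tampered white list (added example)."""
from collections import defaultdict


def make_lines(src, n_ports, start_port=1):
    # Constructed log lines in the form "time source destination port".
    return [f"10:00:{i:02d} {src} 10.0.1.10 {start_port + i}" for i in range(n_ports)]


# Constructed sample data: one noisy but legitimate scanner, one ordinary
# workstation and one unknown host probing several services.
LOG_LINES = (
    make_lines("10.0.0.5", 20)    # vulnerability scanner (legitimately noisy)
    + make_lines("10.0.0.7", 3)   # ordinary workstation
    + make_lines("10.0.0.9", 8)   # unknown host contacting many services
)
SUSPICIOUS_HOSTS = {"10.0.0.9"}   # ground truth for the constructed data
WHITE_LIST = {"10.0.0.5"}         # the scanner is expected to exceed thresholds


def parse(lines):
    """Split each constructed log line into (source, destination, port)."""
    events = []
    for line in lines:
        _time, src, dst, port = line.split()
        events.append((src, dst, int(port)))
    return events


def distinct_targets(events):
    """Count distinct (destination, port) pairs contacted by each source."""
    targets = defaultdict(set)
    for src, dst, port in events:
        targets[src].add((dst, port))
    return {src: len(pairs) for src, pairs in targets.items()}


def evaluate(events, threshold, white_list):
    """Return (alarmed sources, sources that exceeded the threshold but were
    suppressed by the white list)."""
    alarms, suppressed = set(), set()
    for src, count in distinct_targets(events).items():
        if count <= threshold:
            continue
        (suppressed if src in white_list else alarms).add(src)
    return alarms, suppressed


def classify(alarms, suspicious_hosts):
    """Return (False-Positives, False-Negatives) against the known ground truth."""
    return alarms - suspicious_hosts, suspicious_hosts - alarms


def white_list_changes(baseline, current):
    """Entries added to the white list since the approved baseline. Any
    non-empty result should itself raise an alarm, because whoever can edit
    the white list can silence future alarms."""
    return current - baseline


if __name__ == "__main__":
    events = parse(LOG_LINES)
    for threshold in (2, 5, 50):
        alarms, suppressed = evaluate(events, threshold, WHITE_LIST)
        fp, fn = classify(alarms, SUSPICIOUS_HOSTS)
        print(f"threshold={threshold:>2}: alarms={sorted(alarms)} "
              f"suppressed={sorted(suppressed)} FP={sorted(fp)} FN={sorted(fn)}")
    # An over-broad white list turns a real incident into a False-Negative.
    alarms, _ = evaluate(events, 5, WHITE_LIST | {"10.0.0.9"})
    print("over-broad white list, FN:", sorted(classify(alarms, SUSPICIOUS_HOSTS)[1]))
    # Changes to the white list itself are worth an alarm of their own.
    print("white list additions:", sorted(white_list_changes(WHITE_LIST, WHITE_LIST | {"10.0.0.9"})))
```

With a threshold of 2 the workstation is alarmed (False-Positive); with 50 nothing is alarmed at all (False-Negative); with 5 only the unknown host is alarmed while the scanner is correctly suppressed. Adding the unknown host to the white list suppresses the real incident, which is why the example also reports additions to the white list as an event in its own right.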
Incorrect reaction to security incidents
An incorrect reaction to security incidents that do occur is another problem. This may result in huge damage or even catastrophes, for example if attacked services are switched off or if the sprinkler system is triggered in the event of an access alarm. It is also possible that security incidents are misinterpreted by the personnel, who then ignore an alarm triggered by an attack. Such threats are facilitated by poor or incorrect training of the administrators.
Example:
- The administrators responsible for the IT early-warning system discover suspicious entries in the log files of a security gateway. However, they do not follow up on the matter, because the entries were made by a system included on the white list. On the previous day, an attack on the logging server had been detected, but the alarm triggered was interpreted as a false alarm. As a consequence, an attacker was able to access the logging server and add the security gateway to the white list. On further attempts, the attackers were therefore able to overcome the firewall unnoticed with another successful attack and to penetrate the internal network of the organisation.