So you are running a popular application server, and then it turns out to have been vulnerable for some time. Even though you believe you installed every patch on time, you still wonder: “Was I on time, or were they ahead of me?”
Far too many of the information systems that have been hacked turn out to have been targeted much earlier than anyone thought. Today it can take more than nine (9!) months before an organisation discovers that its systems have been exposed to unauthorised access and to the theft and misuse of critical data.
Now that the buzz around the AVG (the Dutch name for the GDPR) has died down a little, one important fact remains: to actually be compliant with the applicable regulations, precautions must be taken at a much deeper level than was previously thought. The proverbial proof of the pudding is in detailed log files: somewhere in all that gathered data must lie the evidence that shows whether a vulnerability has been used for malicious purposes.
Joomla! and Drupal – we’ve all heard of them
A good and telling example is the discovery of a vulnerability in Joomla!, a popular CMS in widespread use around the world. Because of its popularity, flexibility and ease of use there are many Joomla! websites, and also many modular extensions (plugins) that add extra functionality. It was recently revealed that one of those frequently used plugins contained a previously unknown vulnerability, even though the plugin had been deployed unchanged everywhere for more than a year.
Within ten days of the discovery a CVE describing the problem was published. Software developers and administrators learned of it within a day or two, and most of them had a patch in place that protected their systems within a day of that. But then the question arises: had the system, and thus the underlying data, already been accessed by attackers before the vulnerability was discovered? And how do you find out?
On 28 March 2018, the Drupal Security Team released a bugfix for Drupal CMS, another popular CMS in widespread use around the world. More details were announced on 12 April, after which the number of attacks on Drupal sites rose to 26,000 per hour, all probing for the vulnerability that had been patched less than two weeks earlier. But was every site patched, and patched on time? Sometimes a published vulnerability is turned into a working attack on information systems in as little as five hours. Drupalgeddon2 was a good (and bad) example of this.
Deep-sea diving in the logs
Recognising unauthorised access that exploited a vulnerability requires knowledge and experience, large amounts of system data and tooling, a great deal of patience and an eye for detail, because sometimes the breach is visible in only a few characters of a request. Many tools are available that correlate one log file with another and derive logic from them, providing visibility into cross-links and guidance for system administrators, developers and information security specialists. Not everyone is equally experienced (…) in ‘reading’ raw HTTP requests, tracing SQL queries or working with JSON queries. Are you? For more details and code examples, see https://bitsensor.io/blog/audit-log-introduction/#three-moments-of-vulnerability
BitSensor is a solution that does not wait until a vulnerability is finally discovered, until it reveals itself or until it is seized upon by attackers. BitSensor builds tools that transform log files into manageable sources of powerful information, so that immediate and adequate action can be taken to protect the systems and their valuable data.
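As an added example (not code from the original page and not BitSensor's own tooling), here is the kind of check that the question “were they ahead of me?” calls for: a Python script that scans web server access-log lines for the Drupalgeddon2 (CVE-2018-7600) request pattern and splits the hits by whether they arrived before or after the moment you applied the patch. The log lines, IP addresses and the patch timestamp are constructed for the example. The indicator it looks for, a Drupal Form API property name (a key beginning with `#`) arriving inside a user-supplied parameter, is the one described in public analyses of that vulnerability; the list of property names is an illustration, not a complete signature.

```python
"""Triage access-log lines for Drupalgeddon2-style requests.

Added example for this article (not BitSensor code). Log lines, addresses
and the patch timestamp are constructed; the indicator is the publicly
documented one for CVE-2018-7600: a Drupal Form API property name (a key
beginning with '#') smuggled into user-supplied request parameters.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Render-array properties that legitimate clients never send. Illustrative,
# not a complete signature.
FORM_API_PROPERTIES = ("#post_render", "#pre_render", "#lazy_builder",
                       "#access_callback", "#value")

# Constructed sample: two probes (one double-encoded) and two normal requests.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2018:02:14:07 +0000] "GET /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1532 "-" "python-requests/2.18.4"
198.51.100.23 - - [29/Mar/2018:09:41:55 +0000] "GET /node/12 HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Mar/2018:09:42:10 +0000] "GET /user/register HTTP/1.1" 200 6110 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2018:17:03:22 +0000] "POST /user/register?element_parents=account%2Fmail%2F%2523value&ajax_form=1 HTTP/1.1" 403 211 "-" "curl/7.58.0"
"""

# Hypothetical moment the fix was rolled out on this host.
PATCH_APPLIED = datetime(2018, 3, 30, 10, 0, tzinfo=timezone.utc)


def find_indicators(target, body=""):
    """Return the reasons a request looks like render-property injection.

    Query string and (if available) form body are both inspected. parse_qs
    performs one URL-decoding pass; the extra unquote_plus catches the
    double-encoded variant (%2523 -> %23 -> #)."""
    reasons = []
    sources = (("query", urlsplit(target).query), ("body", body))
    for source, qs in sources:
        for key, values in parse_qs(qs, keep_blank_values=True).items():
            key = unquote_plus(key)
            if "#" in key:  # e.g. mail[#post_render][] in a POST body
                reasons.append(f"{source}: '#' in parameter name {key!r}")
            for value in values:
                value = unquote_plus(value)
                if key == "element_parents" and "#" in value:
                    reasons.append(f"{source}: '#' in element_parents {value!r}")
                elif any(p in value.lower() for p in FORM_API_PROPERTIES):
                    reasons.append(f"{source}: render property in {key}={value!r}")
    return reasons


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, patch_applied):
    """Split suspicious requests into those before and after the patch.

    Hits before patch_applied landed on a vulnerable host and need a real
    investigation (what did that client do next?). Hits after it are usually
    scanner noise, unless the response code says the request succeeded."""
    before, after = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = find_indicators(rec["target"])
        if not reasons:
            continue
        rec["reasons"] = reasons
        (before if rec["ts"] < patch_applied else after).append(rec)
    return before, after


if __name__ == "__main__":
    before, after = triage(SAMPLE_LOG.splitlines(), PATCH_APPLIED)
    for label, hits in (("BEFORE patch (investigate)", before),
                        ("after patch", after)):
        print(f"{label}: {len(hits)} hit(s)")
        for h in hits:
            print(f"  {h['ts'].isoformat()} {h['ip']} {h['method']} "
                  f"{h['status']} -> {'; '.join(h['reasons'])}")
```

Two caveats a practitioner will recognise. First, a standard access log records the request line but not the POST body, and in this vulnerability the decisive key travels in the body; `find_indicators` accepts a `body` argument for exactly that reason, but filling it requires an application-level or WAF audit log, which is the gap the article is pointing at. Second, the before/after split is only the start: a pre-patch hit that was answered with a 200 means every later request from that client, and every database or file change in that window, has to be traced.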
Want to know more?
Hello, I am Henk-Jan Angerman. In an accessible way I will tell you everything about the possibilities that a solution such as BitSensor can offer. Contact me for a first, no-obligation intake to see how our services and solutions could fit your organisation.