Skip to main content

Security Breach Spotlight: OWASP Top 10's #9 Security Vulnerability - Equifax Data Breach 2017

· 5 min read

Today we dive into Logging and Monitoring Failures, OWASP Top Ten's #9 and explore the Equifax Data Breach in 2017.

Security Breach Spotlight: OWASP Top 10's #9 Security Vulnerability - Equifax Data Breach 2017

monitoring

OWASP #9 - Logging and Monitoring Failures

Continuing our series on the Top 10 Security Vulnerabilities by OWASP, we'll take a look at the Logging and Monitor Failures

Security Logging and Monitoring Failures

Security logging and monitoring failures occur when an application does not properly log security-related events or lacks effective monitoring. This makes it difficult to detect, investigate, and respond to attacks, increasing the time an attacker can operate undetected.

Why is it a problem?

  1. Delayed Incident Response – If logs are missing or improperly configured, security teams may not notice a breach until it’s too late.

  2. Compliance Violations – Many regulations (e.g., GDPR, HIPAA, PCI-DSS) require proper logging and monitoring.

  3. Lack of Forensic Evidence – If an attack occurs, insufficient logs make it hard to investigate and determine the extent of the breach.

  4. Failure to Detect Anomalous Activity – Without proper monitoring, automated security tools cannot flag suspicious behavior in real-time.

Common Examples of these vulnerabilities include:

  1. No logging for critical events such as failed login attempts or admin actions.

  2. Logs that are not centralized (locally stored) or protected (encrypted or signed) can be erased or tampered.

  3. Lack of real-time monitoring and alerts can cause events to be missed as they occur in real-time. Alerts can be setup in unusual login locations, repeated logins or even when excessive data accesses are granted.

  4. Insufficient or Excessive Logging can also be an issue. Logging too little can cause the users to miss important information, and inversely logging too much can cause sensitive data to be stored violating compliance

How do we mitigate these vulnerabilities?

  1. Implement Centralized Logging - Use a Security information and Event Management System (SIEM) and store logs in a secure, and centralized location with access controls.

  2. Log Security Related Events - Events like authentications (both successful and failed), role changes, API Access, data modifications, and security related changes all need to be tracked and stored.

  3. Enable Real-Time Monitoring and Tools - Use automated tools to detect anomalies and trigger alerts. Setup these alerts to trigger in unusual login locations, repeated failed logins, or when excessive data access is granted.

  4. Ensure Log Integrity and Compliance - Use cryptographic hashing or signing to prevent log tampering. Follow compliance requirements (GDPR, PCI-DSS, etc.) on log retention and protection.

  5. Regularly Review and Test Logging Mechanisms - Conduct log analysis to identify suspicious patterns, and perform scheduled and random security audits to ensure logs are properly stored and configured.

Example of what an attack scenario can look like

The attacker can brute-force into the admin account. The repeated failed logins are not logged therefore no security alerts are triggered.

This allows the attacker to eventually gain access to the system where he modifies system configurations and data.

Since none of his privileged admin actions were logged the security team will not be able to trace the changes of what happened. This can cause the attack go go unnoticed for months.

A perfect example of this is the Equifax breach in 2017

Equifax Data Breach 2017

The Equifax data breach of 2017 was one of the largest cybersecurity incidents in history, exposing the personal information of 147 million people. The breach was caused by an unpatched vulnerability in Apache Struts, a widely used web application framework.

Attackers exploited this flaw in March 2017, gaining unauthorized access to Equifax’s systems. Despite multiple warnings about the vulnerability, Equifax failed to apply the necessary security patch in time, leaving their system exposed for months.

A major issue that contributed to the breach was Equifax’s failure to properly log and monitor security events. Although their Intrusion Detection System (IDS) was supposed to alert administrators to suspicious activity, it was misconfigured and did not generate real-time alerts. As a result, attackers were able to move laterally within the network, repeatedly accessing sensitive data—including names, Social Security numbers, birthdates, addresses, and credit card information—without being detected.

This lack of proper monitoring meant that Equifax did not discover the breach until July 29, 2017, nearly four months after the initial attack.

The consequences of the breach were severe. Equifax faced a $700 million settlement for failing to protect consumer data, one of the largest fines for a data breach at the time. The company also suffered significant reputational damage, losing consumer trust and experiencing a drop in stock value. Millions of Americans were affected, with many at risk of identity theft due to the exposure of their personal data. The breach highlighted the critical importance of timely software updates, proper security logging, and real-time threat monitoring.

In response to the breach, Equifax took steps to improve its cybersecurity measures, including hiring a new Chief Security Officer (CSO) and strengthening its security policies. However, the incident remains a cautionary tale about the dangers of failing to patch known vulnerabilities and the risks of inadequate security monitoring. It underscored the need for organizations to proactively secure their systems, enforce strong logging and monitoring practices, and respond swiftly to potential threats to prevent such catastrophic data breaches in the future.