Log Management + Multi-Factor Authentication

Protecting your data.

Posted by Dennis on June 26, 2019

Introduction

With billions of users all around the world being globally connected today, data has become one of the most valuable resources in the world. From social media platforms to e-commerce businesses, account security and log record management for your business are crucial in today's era. As technology continues to progress and advance, many of the largest companies in the world are moving to cloud computing. Cloud vendors including Amazon Web Services, Google Cloud Platform, IBM Cloud, Microsoft Azure, etc. allow us to develop and deploy web applications almost instantaneously, from virtually any region available in the world.

Being connected to the internet is an amazing thing but being aware and safe online is also very important, regardless of how "unimportant" you think your privacy or data may be. Today, I will share a personal experience of why you should use Multi-Factor Authentication and keep a record of logs if you run a personal website or business.

Unauthorized Access...

Before we begin, for those reading this who are unclear on what multi-factor authentication is, I will briefly explain. Multi-factor authentication is essentially an additional layer of security and protection created to verify a user's identity. It proves that I am who I say I am by requiring two or more factors of authentication, which may include something you know (password), something you have (smart card, access token, etc.), and something you are (fingerprint or other biometric). Because a stolen password alone is no longer enough, this makes it much harder for cybercriminals to take over an account.

The following incident I decided to share is to help spread awareness to end users and demonstrate that anyone can fall victim to cybercriminals or attacks.

The Breach

On April 10, 2019 an unauthorized login attempt was made on one of my personal accounts from a location within Russia. Now, I don't live in Russia or recall using a VPN or proxy recently, so I found this very strange and decided to investigate. By default, some websites today keep login access information for general security protection. This information can include the location and IP address from which the login attempt was made and the number of attempts that were made. Below is a screenshot of the incident occurrence.

In the screenshot above you can see the details of the occurrence. Had the login attempt been successful, this is where multi-factor authentication would have come into play: the user would have been required to provide additional security verification before proceeding. Gaining access to any user's account information can enable malicious activity including theft (credit card numbers), exposure of personally identifiable information (address, phone numbers, etc.), destruction of data and more!

As best practice, I always recommend keeping a record of logs in the event that a scenario such as this one occurs. Below is a screenshot of my log file which was used for further investigation.

As you can see, my log timestamp shows activity at the exact same time that the incident occurred. I won't be going into details about what was in the log, but keeping a record of logs can provide additional information about what an attacker/intruder is attempting to do.

Being Aware

Many cloud providers today offer the ability to view statistics on web traffic to understand which geographic location visitors are coming from, how often (requests being made), browser and device type, etc. More importantly, if bots/crawlers are targeting your website.

Here are some statistics I generated around the same time the login attempt was made. During that time, a large percentage of traffic was bots/crawlers. What exactly does this mean? Well, this essentially means that there are potentially attempts being made to find vulnerabilities within my website so that it can be exploited. Common web-based attacks include SQL injection, cross-site scripting (XSS), and HTTP floods (DDoS).
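To show what "correlating the log with the incident time" and "checking how much of the traffic is bots" look like in practice, here is an added example (my own illustration, not code or data from the original post). It assumes a web server access log in the common Apache/Nginx "combined" format; the log lines, IP addresses, paths and the incident timestamp are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in "combined" access-log format (not the post's real log).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2019:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Apr/2019:14:02:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.22 - - [10/Apr/2019:14:03:40 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.23 - - [10/Apr/2019:14:05:02 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "python-requests/2.21.0"
192.0.2.9 - - [10/Apr/2019:16:30:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# One regex for the combined format: client IP, timestamp, request line, status, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Crude user-agent markers for automated clients (assumption: good enough for a first pass).
BOT_MARKERS = ("bot", "crawl", "spider", "python-requests", "curl")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "status": int(m["status"]), "ua": m["ua"]}

def entries_near(log_text, incident_ts, window_minutes=5):
    """Return the entries whose timestamp lies within +/- window of the incident time."""
    window = timedelta(minutes=window_minutes)
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and abs(entry["ts"] - incident_ts) <= window:
            found.append(entry)
    return found

def summarize(entries):
    """Count requests per source IP, bot-like user agents, and POSTs to a login page."""
    ips = Counter(e["ip"] for e in entries)
    bots = sum(1 for e in entries if any(k in e["ua"].lower() for k in BOT_MARKERS))
    login_posts = sum(1 for e in entries if e["req"].startswith("POST") and "login" in e["req"])
    return {"ips": ips, "bot_requests": bots, "login_posts": login_posts}

if __name__ == "__main__":
    # Constructed incident time: the moment the provider's "new login" alert was raised.
    incident = datetime(2019, 4, 10, 14, 2, 30, tzinfo=timezone.utc)
    print(summarize(entries_near(SAMPLE_LOG, incident)))
```

Running it on the sample lines keeps the four entries within five minutes of the alert, attributes two of them to the same source IP (one a login POST) and flags two requests as bot-like, which is the kind of picture a log record gives you when an alert comes in.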

Final Thoughts

With the world becoming more connected each day, it's important that not only security and industry experts be aware of cybercriminals and malicious activity, but also that you as the end user be educated, informed, and aware of the threats that are present today. Learn about the security settings on your favourite websites so that you are aware of what is occurring with your accounts, and use multi-factor authentication whenever given the opportunity to do so.