Detect intrusions

Revision as of 06:27, 4 December 2006 by Jeff Williams (Talk | contribs)

Jump to: navigation, search

This is a principle or a set of principles. To view all principles, please see the Principle Category page.

Detecting intrusions is important because otherwise you give the attacker unlimited time to perfect an attack. If you detect intrusions perfectly, then an attacker will only get one attempt before he is detected and prevented from launching more attacks. Remember, if you receive a request that a legitimate user could not have generated - it is an attack and you should respond appropriately.

Don't rely on other technologies to detect intrusions. Your code is the only component of the system that has enough information to truly detect attacks. Nothing else will know what parameters are valid, what actions the user is allowed to select, etc... You must build this into your application.

Logging is an important part of detecting intrusions, although there are many other pieces as well. You should log all security relevant information. Perhaps you can detect a problem by reviewing the logs that you couldn't detect at runtime. But you must log enough information. In particular, all use of security mechanisms should be logged, with enough information to help track down the offender.

If you do this, then someday when your application/site is down/hacked you can trace the culprit and check what went wrong. If the user uses an anonymizing proxy, having good logs will still help as "what happened" is logged and the exploit can be fixed more easily.

There are many other responses to intrusions that you should consider. One of the best is to log out the offending user and disable their account. This will make your application many times more difficult to attack.