Exploiting Insufficient Logging and Monitoring
Insufficient logging and monitoring is a common flaw behind many security
incidents. It results from negligence and carelessness about monitoring
system activity.
Attackers usually treat this as a golden opportunity to compromise the target
without being exposed.
For example, an attacker tries the default password against every user
account on a system. Once he has the list of users who still use the default
password, he also knows which users do not. If the organization ignores this
activity, the attacker can come back with other passwords and compromise the
remaining users' access as well.
It is very hard for an outsider to monitor the activities inside an
organization, so whether or not best practices for logging and monitoring are
implemented is not something an outsider can determine.
Many applications and servers produce a lot of logs, so without proper
routines logging gives little value. It is best practice to review the system
architecture and make sure processes are in place to parse the logs and feed
them into a SIEM.
Remediation
Make sure the logs are backed up and synced to another server. An attacker
who has compromised the server should not be able to clear all the logs and
thereby prevent any forensics.
Go over the system and make sure sensitive actions
are logged. This would include logins, high value transactions, password
changes, and so on. This is valuable when investigating a hack afterwards.
Make it a routine to actually look at the most
important logs and automate the process for the rest. There should be a system
in place that alerts you if a specific warning has been triggered or if a
certain warning threshold has been reached, so that proper action can be taken.
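The default-password scenario above and the alerting threshold just described can be combined into one detection rule. The following is an added example, not code from the original post: it parses constructed sshd-style authentication log lines (host name, user names and addresses are made up) and raises an alert when one source address fails logins for several distinct accounts within a short window, listing any accounts that source nevertheless logged into, since those are the ones to investigate first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in sshd syslog style; host, users and addresses are made up.
SAMPLE_LOG = """\
Mar 10 09:00:01 app01 sshd[4021]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Mar 10 09:00:03 app01 sshd[4022]: Failed password for bob from 203.0.113.7 port 51001 ssh2
Mar 10 09:00:05 app01 sshd[4023]: Accepted password for carol from 203.0.113.7 port 51002 ssh2
Mar 10 09:00:07 app01 sshd[4024]: Failed password for dave from 203.0.113.7 port 51003 ssh2
Mar 10 09:00:09 app01 sshd[4025]: Failed password for erin from 203.0.113.7 port 51004 ssh2
Mar 10 09:00:11 app01 sshd[4026]: Failed password for frank from 203.0.113.7 port 51005 ssh2
Mar 10 09:30:00 app01 sshd[4027]: Failed password for alice from 198.51.100.9 port 52000 ssh2
Mar 10 09:30:02 app01 sshd[4028]: Accepted password for alice from 198.51.100.9 port 52001 ssh2
"""
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (\S+) from (\S+) port"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, source_ip), or None for lines the pattern does not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_password_spray(log_text, min_users=4, window=timedelta(minutes=5)):
    """One alert per source IP that fails logins for >= min_users distinct accounts within window."""
    failures, successes = defaultdict(list), defaultdict(set)
    for event in map(parse_line, log_text.splitlines()):
        if event is None:
            continue
        ts, result, user, src = event
        if result == "Failed":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)  # a success from a spraying source is the first account to check
    alerts = []
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append({"src": src, "start": start, "users": sorted(users),
                               "successes": sorted(successes[src])})
                break
    return alerts
```

The single failed login for alice from the second address stays below the threshold and produces no alert, which is the point of alerting on distinct accounts per source rather than on every failure.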