March 10, 2019

OWASP Insufficient Logging and Monitoring

Exploiting Insufficient Logging and Monitoring is considered as common flaws in most of the security incidents caused by negligence and carelessness towards monitoring system activities.

The attacker usually take this as the golden opportunity to compromise the target without being exposed.

For example, an attacker is trying to use the default password for a system for all the users to get the access. After he got all the user list those who are using default password. Now there are multiple users still remains which is not using default password. If this activity is ignored by the organization, it is still possible for the hacker that he could get back with other password to compromise other users access as well.

It is very hard for an outsider to monitor the activities inside an organization. So whether or not insufficient Logging and Monitoring best practices are implemented is not something an outsider can determine.

Many applications and servers produce lot of logs so without proper routines, logging gives little value. It is best practice to look over the system architecture and make sure there are process in place to handle the logs with parsing and place it inside a SIEM.

Make sure the logs are backed up and synced to another server. The attacker should not be able to clear all the logs after hacking the server and by doing so preventing any forensics.
Go over the system and make sure sensitive actions are logged. This would include logins, high value transactions, password changes, and so on. This is valuable when investigating a hack afterwards.
Make it a routine to actually look at the most important logs and automate the process for the rest. There should be a system in place that alerts you if a specific warning has been triggered or if a certain warning threshold has been reached, so that proper action can be taken.


Post a Comment