We don't want a security breach! That's why we rely heavily on logging and monitoring our applications; without them, breaches cannot be detected. Though logging is challenging to test, it is beneficial for accountability, visibility, incident alerting, and forensics. That's why this is in the OWASP Top 10 of vulnerabilities: it helps you detect, escalate, and respond to active breaches!
A security logging/monitoring failure is a vulnerability that occurs when a system or application fails to monitor or log security events properly. This makes it really difficult to detect (and respond to) incidents and leaves us open to more attacks! It leaves the door open for attackers to gain unauthorized access to our systems and data without detection. Ooooh, sneaky.
What are some of the most common failures?
- Not logging critical events, such as logins, failed login attempts, high-value transactions, unauthorized access to sensitive data, or system configuration changes. Warnings and errors that generate no log message, or an inadequate or unclear one, count here too.
- Not monitoring logs for suspicious activity such as repeated failed login attempts, system configuration changes, or even unusual traffic patterns. Application and API logs need to be monitored.
- Having a weak monitoring system that can't detect suspicious activity or that generates too many false positives. A lack of log integrity can also allow anyone to corrupt the data and generate a false alarm.
- Not storing logs for long enough makes it challenging to investigate past security incidents. They should also be stored locally and backed up.
- Not having a process for reviewing/responding to security logs can allow security incidents to go undetected or unaddressed, impacting the company! A company should have alerting thresholds and response escalation processes.
- Insecure logging and monitoring systems can allow attackers to access/modify logs, making it more difficult for the good guys to track their activities.
- The application is unable to detect, escalate, or alert for active attacks in real or near real time.
How can you prevent security logging and monitoring failures? Log all critical security events and monitor them for suspicious activity.
- Ensure all user authentication, access control, data manipulation, and server-side input validation failures are logged to help identify suspicious or malicious behavior.
- Ensure logs are retained long enough to support forensics and that they cannot be tampered with or accessed by anyone other than authorized users.
- Ensure log data is properly encoded to prevent injection or attacks on the logging/monitoring system.
- Don't allow attackers/users to tamper with log data.
- Use encryption for data-at-rest and data-in-transit.
- Use a log format compatible with other systems.
- Ensure effective monitoring and alerting for suspicious activities, enabling quick detection and response. Monitoring and alerting should happen in real time, ideally as an automated process supplemented by manual inspection.
- Establish/adopt an incident response and recovery plan. The plan would outline roles, responsibilities, and procedures.
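To make a couple of these points concrete, here's an added example (my own illustration, not code from the OWASP page): a tiny security-event logger that writes one JSON record per line and strips control characters from user-supplied fields (so a crafted username can't forge a fake "login_ok" line), plus a detector that flags a source IP with repeated failed logins inside a short window. The event names, threshold, window and sample IPs are all constructed for the demo.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def sanitize(value: str, max_len: int = 200) -> str:
    """Replace non-printable characters (CR, LF, ESC, ...) so user input
    cannot inject extra log lines or terminal escapes, and cap the length."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in value)
    return cleaned[:max_len]


def security_event(event: str, user: str, source_ip: str, ts: datetime, **extra) -> str:
    """Emit one structured (JSON) log line; separate fields mean a crafted
    username cannot masquerade as another field or as a whole record."""
    record = {"ts": ts.isoformat(), "event": event,
              "user": sanitize(user), "source_ip": source_ip}
    record.update({k: sanitize(str(v)) for k, v in extra.items()})
    return json.dumps(record)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, count) once an IP reaches `threshold` failed
    logins within `window`; one alert per burst, not one per failure."""
    recent = defaultdict(deque)          # source_ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec["event"] != "login_failed":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        q = recent[rec["source_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((rec["source_ip"], len(q)))
    return alerts


def sample_lines():
    """Constructed sample data: six failures from one IP 10 s apart (the
    username carries a newline injection attempt), plus a normal user."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = [security_event("login_failed", "alice\nlogin_ok user=admin", "203.0.113.7",
                            base + timedelta(seconds=10 * i)) for i in range(6)]
    lines.append(security_event("login_failed", "bob", "198.51.100.4", base))
    lines.append(security_event("login_ok", "bob", "198.51.100.4", base + timedelta(seconds=5)))
    return lines


if __name__ == "__main__":
    for line in sample_lines():
        print(line)
    print("alerts:", detect_bruteforce(sample_lines()))
```

In a real deployment the JSON lines would go to an append-only sink (syslog, a SIEM) rather than stdout, and the detector would run over the stream continuously.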
So yeah, breach puh-lease! Stay on top of your logging and monitoring and work to protect your customers and your organization from security incidents.
You can read more here: https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/