OWASP top 10 A09:Security Logging and Monitoring failures

Security Logging and Monitoring failures have no direct vulnerabilities that can be exploited but this doesn’t mean that logging and monitoring is any less critical.

Insufficient logging and monitoring of systems can impact visibility, incident alerting, login failures, system failures and breaches. This makes it essential to have a fully operational logging and monitoring system to collect logs and give out alerts to Security Operation Center (SOC) staff and administrators. It is also important to perform checks on a regular basis to ensure all the correct systems are logging as expected — you don’t want valuable logs to be missing from your firewall.
Security logging and monitoring is intended to be an early indicator of cyber threats and data breaches.

Without proper systems in place, your business can be at risk of the following:

Lack of log generation for critical security events:
When key events like authentication failures or unauthorized access are not logged, it becomes nearly impossible to detect or investigate security breaches. This lack of visibility allows attackers to exploit vulnerabilities without raising alarms.Login and failed attempts not being logged:
All login attempts should be recorded to track who logged in, when, and where. Logging failed login attempts helps identify potential breaches, especially when there’s an excessive number of login failures.Logs not backed up or being stored locally:
Logs should be stored remotely from the original host machine to prevent loss in the event of system failure, hardware damage, or natural disasters. Backing them up in a separate location ensures their availability for analysis.Lack of monitoring systems in real time:
Real-time monitoring, such as using SIEM (Security Information Event Management), adds an extra layer of protection. It allows for the immediate detection and analysis of suspicious events as they occur, enabling a faster response.Missing monitoring and alerting systems:
Ensure that all critical systems are properly configured to log events and alert administrators. Without proper monitoring, suspicious activities may go unnoticed.Logs not protected against tampering or deletion:
If attackers can delete or modify logs, they can cover their tracks, making it difficult to trace malicious activities or understand the full scope of an attack.Improper logs that do not provide any valuable information:
Ensure that logs are meaningful and capture all relevant information. Failing to log critical data reduces the effectiveness of audits, investigations, and incident responses.Failure to monitor or analyze logs regularly:
Logs are useless if not reviewed proactively. Without regular analysis, security incidents may remain undetected, giving attackers free rein for extended periods.Insufficient log storage or log retention policies:
Logs that are not stored long enough or lack detail hinder forensic investigations. Without adequate retention, crucial historical data could be lost, impeding the detection of attack patterns.Missing or ineffective alerting mechanisms for suspicious activities:
If suspicious activities don’t trigger alerts, administrators won’t be notified of ongoing threats. This delay in detection allows attackers more time to exploit vulnerabilities.Failure to centralize logs from various systems and applications:
Logs from different systems should be centralized for a holistic view of network security. Without this, key signs of compromise may be missed, resulting in delayed incident detection.Inconsistent logging across environments, such as production and staging:
When logging practices differ across environments, critical events may go unnoticed in less-secure areas like staging. Attackers could exploit this inconsistency as a gateway to production systems.Delayed log review and response, causing slow detection of incidents:
Reviewing logs too late gives attackers more time to carry out their activities undetected. A delayed response increases the overall damage and complexity of the breach.Logs not accessible during a security incident or investigation:
If logs are unavailable during a breach, it severely limits the ability of incident responders to assess the damage and trace the source of the attack, prolonging the resolution process.

T-Mobile Data Breach: In January 2023, T-Mobile disclosed a data breach affecting millions of customers due to a flaw in its security logging and monitoring system, which allowed attackers to access customer data without triggering alerts for abnormal activity.

Uber Data Breach (2022): In September 2022, Uber experienced a data breach when a hacker gained access to sensitive company information, including source code and employee data. The breach was attributed to weak logging practices that failed to alert security teams in a timely manner.

Security breaches may go undetected for extended periods.Attackers can move laterally within systems or escalate privileges without detection.Investigating incidents or tracing the source of a breach becomes difficult due to insufficient logs.Compliance with security regulations and standards may be compromised, leading to penalties.Delays in identifying and responding to threats can increase the severity of an attack.Missing or tampered logs hinder the ability to collect forensic evidence during investigations.Real-time suspicious activity alerts may fail, allowing attackers more time to exploit vulnerabilities.Ensure comprehensive logging of all critical security events, such as login attempts, system access, and configuration changes.Implement real-time monitoring systems (like SIEM) to detect suspicious activities and generate alerts for immediate response.Regularly review and analyze logs to identify patterns, anomalies, and potential threats proactively.Secure logs by implementing access controls and encryption to prevent tampering or unauthorized deletion.Centralize logging from all systems and applications to create a unified view of network activity.Establish log retention policies that meet both business and compliance requirements, ensuring logs are stored for an appropriate duration.Automate alerting mechanisms to notify administrators of suspicious activities or potential breaches in real-time.Educative: What Are Security Logging and Monitoring FailuresSoftware Secured: Risk of Security and Monitoring Logging FailuresForesite: OWASP Top Ten — 9 Security Logging and Monitoring Failures