10. Insufficient logging & monitoring
Insufficient monitoring allows attackers to work unnoticed.
What it is
Organizations aren’t actively looking for attackers or suspicious activities, and hackers go undetected.
How it works
Software and systems provide logging and monitoring capabilities that let organizations see logins, transactions, traffic, and more. By watching for suspicious activity, such as repeated failed logins, organizations can detect and stop an attack while it is still in progress.
Why it’s bad
Attackers rely on the lack of monitoring to exploit vulnerabilities before they are detected. Without monitoring, and without logs to look back through to reconstruct what happened, attackers can cause damage now and keep causing it in the future.
Countermeasures
Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts and held for a sufficient time to allow for delayed forensic analysis.
Examine the logs following penetration testing. The testers' actions should be recorded sufficiently to understand what damages may have been inflicted.
Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.
Do not make systems more vulnerable by exposing logging and alerting events to a user or an attacker (see sensitive information exposure section).
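The first and third countermeasures above can be made concrete with a small amount of code. The following is an added example, not code from the original page: it writes each failed login as a structured JSON record carrying the user context forensics needs (account, source IP, reason, request id, UTC timestamp) while never accepting the submitted credential, then runs a sliding-window detector over constructed sample log lines to flag a source that fails against many accounts in a short time. The logger name, field names, IP addresses (from the TEST-NET documentation ranges), and the five-failures-in-five-minutes threshold are all assumptions chosen for the example.

```python
"""Added example: structured authentication-failure logging plus a simple
failed-login burst detector run over constructed sample events. Not from the
original page; all names, addresses and thresholds are assumptions."""
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

logger = logging.getLogger("auth")
logging.basicConfig(level=logging.INFO, format="%(message)s")


def log_auth_failure(user, source_ip, reason, request_id, when=None):
    """Emit one structured, machine-parseable record for a failed login.

    Only user context is recorded (who, from where, why, which request). The
    submitted credential is deliberately not a parameter, so it cannot leak
    into the log. This record is for the log, not for the HTTP response: the
    user should still see a generic failure message. Returns the record so
    callers (and tests) can inspect it.
    """
    record = {
        "event": "auth_failure",
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "source_ip": source_ip,
        "reason": reason,          # e.g. "bad_password", "unknown_user", "locked"
        "request_id": request_id,  # lets forensics tie this line to web-server logs
    }
    logger.warning(json.dumps(record))
    return record


def parse_records(lines):
    """Turn JSON log lines back into events; skip noise and non-auth records."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event") != "auth_failure":
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect_bursts(events, key="source_ip", threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector: flag any key (source IP or account) that produced
    `threshold` or more failures inside `window`. Returns {key: first_alert_time}."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = ev[key]
        q = recent[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and k not in alerts:
            alerts[k] = ev["ts"]
    return alerts


def build_sample_log():
    """Constructed sample: one source spraying six accounts in 100 seconds
    (should alert) and one user mistyping a password twice (should not)."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        rec = log_auth_failure(user, "203.0.113.7", "bad_password", f"req-{i:03d}",
                               when=base + timedelta(seconds=20 * i))
        lines.append(json.dumps(rec))
    for i in range(2):
        rec = log_auth_failure("alice", "198.51.100.20", "bad_password", f"req-9{i}",
                               when=base + timedelta(minutes=1, seconds=30 * i))
        lines.append(json.dumps(rec))
    lines.append("not json at all")  # the kind of noise a real log file contains
    return lines


if __name__ == "__main__":
    events = parse_records(build_sample_log())
    print(detect_bursts(events, key="source_ip"))  # flags 203.0.113.7
    print(detect_bursts(events, key="user"))       # empty: no single account hit 5 times
```

Keying the detector on both source IP and account matters: a password spray trips the per-IP rule while staying under any per-account lockout, and a distributed attack against one account trips the per-account rule instead. The JSON records are what a SIEM ingests, and the request id is what lets an analyst join them to web-server and application logs during delayed forensic analysis.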
Insufficient logging & monitoring example
Improperly set up logging, monitoring, and alerting across operating system, application, authentication, and security logs unknowingly leaves the door open for hackers to enter.
Ensuring physical, logical, and other security measures are in place is your first line of defense. Just like the lock on your front door: if you leave it unlocked, someone is eventually going to come in.