Coders Conquer Security: Share & Learn Series - Insufficient Logging and Monitoring
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.