security | privacy | web dev

OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)

2nd September 2020 ‧ By Simon Bell ‧ Category: Web Application Security

3 min read

Picture of CCTV cameras on a wall (represening monitoring)

Photo by Pawel Czerwinski

This is part of the OWASP Top 10 series covering the top 10 most critical web application security risks. If you've missed any of the previous security risks, check out the intro and overview.

Risk rating

Exploitability: 2
Prevalence: 3
Detectability: 1
Technical: 2
Threat Agents
Exploitability
Weakness Prevalence
Weakness Detectability
Technical Impacts
Business Impacts
Application Specific
Easy: 3
Widespread: 3
Easy: 3
Severe: 3
Business Specific
Average: 2
Common: 2
Average: 2
Moderate: 2
Difficult: 1
Uncommon: 1
Difficult: 1
Minor: 1
OWASP's Risk Rating Methodology

What is insufficient logging & monitoring?

What is an attacker's primary objective? To break into your website. What is an attacker's secondary objective? To not get caught. Attackers rely on a lack of monitoring and slow response to achieve their goals, go undetected, and carry out further attacks.

Many attacks go unnoticed for a long time. Leaving opportunities for attackers to carry out further damage -- or even cover up their tracks. Insufficient logging, monitoring, and incident response plans can all contribute to the amount of damage caused by -- and the time taken to recover from -- an attack.

Examples of insufficient logging & monitoring

Bob runs a health and fitness web application. Mallory probes Bob's application for vulnerabilities. Upon discovering a security misconfiguration, Mallory gains unauthorised access to Bob's server. Mallory extracts all data from Bob's website and sells it on the underground market.

Unfortunately, Bob only becomes aware of the attack and data breach when one of his users reports that their data has been sold on the underground market. Bob still doesn't know how the attack happened because his system didn't implement sufficient logging nor monitoring.

With sufficient monitoring in place, Bob could have detected Mallory's initial probe and investigated the web server's logs to determine what damage had been done. Even better, with automated systems such as security information event management (SIEM) and intrusion detection/prevent systems (IDS/IPS) Bob could have prevented Mallory from carrying out the attacks altogether.

What's the impact of insufficient logging & monitoring?

Many attacks start with a scan or probe to detect vulnerabilities on the application. Allowing these probes to continue can increase the chances of a successfully attack being carried out.

If a data breach has occurred, digital forensic investigation teams will need to determine how severe the breach is. With insufficient data, it can be difficult to understand how the breach occurred and how to prevent it happening again.

Insufficient logging and monitoring can also impact other tools, such as security information event management (SIEM) and intrusion detection/prevent systems (IDS/IPS) from operating effectively.

How to defend against insufficient logging & monitoring

Ensure the application -- including its underlying server and infrastructure -- has a wide coverage of logging and monitoring. This includes all login and access control failures. For example: an attacker conducting a rainbow attack will show up in such logs and could be prevented from completing the attack.

Logs should be formatted to ensure maximum compatibility with a centralised log management system. This includes allowing easy consumption by the log management system so that various sources can be included. Centralised log management should be segregated from the application to minimise impact in case of a compromised system -- e.g. an attacker could cover their tracks from a log.

Implement an effective monitoring and alert system to prevent attacks before they happen. Security information event management (SIEM) and intrusion detection/prevent systems (IDS/IPS) can help to automate this process.

More on OWASP Top 10

Simon Bell

Simon Bell

I'm an award-winning Cyber Security Researcher, Software Engineer, and Web Security Specialist. I have a PhD in Cyber Security and a BSc in Computer Science.

This website is where I enjoy writing about security, privacy, and web development.

Connect with me at: SJBell.com - Follow me on Twitter: @SimonByte

Join the Key Threat Community

Every week I share:

  • A roundup of important cybersecurity news stories
  • Summary of popular cybersecurity content from Twitter
  • The latest security, privacy, and web info from Key Threat
Up arrow Back to top