코더들이 보안을 정복하다: Share & Learn 시리즈 - 불충분한 로깅 및 모니터링
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
불충분한 로깅 및 모니터링은 애플리케이션의 방어 구조 내에 존재할 수 있는 가장 위험한 상태 중 하나입니다.이러한 취약점이나 상태가 존재하면 이를 대상으로 한 거의 모든 고급 공격이 결국 성공할 것입니다.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
데모 예약
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
아래 링크를 클릭하고 이 리소스의 PDF를 다운로드하십시오.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
보고서 보기데모 예약
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
While we have been exploring topics in these blogs, we've uncovered quite a few dangerous vulnerabilities and malicious exploits that hackers employ to assault networks and bypass defenses. They run quite the gamut from exploiting weaknesses in programming languages, to injecting code using various formats, to hijacking data in transit. It's quite a range of threats, but whenever any of them are successful, there is often one common component shared among their victim's applications.
Insufficient logging and monitoring is one of the most dangerous conditions that can exist within an application's defensive structure. If this vulnerability or condition exists, then almost any advanced attack made against it will eventually be successful. Having insufficient logging and monitoring means that attacks or attempted attacks are not discovered for a very long time, if at all. It basically gives attackers the time they need to find a useful vulnerability and exploit it.
In this episode we will learn:
- How attackers can use insufficient logging and monitoring
- Why insufficient logging and monitoring is dangerous
- Techniques that can fix this vulnerability.
How do Attackers Exploit Insufficient Logging and Monitoring?
At first, attackers don't know if a system is being properly monitored, or if log files are being examined for suspicious activity. But it's easy enough for them to find out. What they will sometimes do is launch some form of inelegant, brute force type of attack, perhaps querying a user database for commonly used passwords. Then they wait a few days and try the same kind of attack again. If they are not blocked from doing it the second time, then it's a good indication that nobody is carefully monitoring the log files for suspicious activity.
Even though it's relatively simple to test an application's defenses and gauge the level of active monitoring happening, it's not a requirement of successful attacks. They can simply launch their attacks in such a way as to make as little noise as possible. More often than not, the combination of too many alerts, alert fatigue, poor security configurations or simply a plethora of exploitable vulnerabilities means that they will have plenty of time to complete their goals before defenders even realize that they are there.
Why is Insufficient Logging and Monitoring Dangerous?
Insufficient logging and monitoring is dangerous because it gives attackers time to not only launch their attacks, but to complete their goals long before defenders can launch a response. How much time depends on the attacked network, but different groups like the Open Web Application Security Project (OWASP) puts the average response time for breached networks at 191 days or longer.
Think about that for a moment. What would happen if robbers held up a bank, people called the police, and it took them half a year to respond?
The robbers would be long gone by the time police arrived. In fact, that same bank can be robbed many more times before the police even respond to the first incident.
It's like that in cybersecurity too. Most of the high profile breaches that you hear about on the news were not smash and grab type of operations. Often times the targeted organization only learns about a breach after the attackers have had more or less full control over data for months or even years. This makes insufficient logging and monitoring one of the most dangerous situations that can happen when trying to practice good cybersecurity.
Eliminating Insufficient Logging and Monitoring
Preventing insufficient logging and monitoring requires two main things. First, all applications must be created with the ability to monitor and log server-side input validation failures with enough user context for security teams to identify the tools and techniques, if not the user accounts, that attackers are using. Or, such input should be formatted into a language like STIX (Structured Threat Information eXpression) which can be quickly processed by security tools to generate appropriate alerts.
Secondly, it's not enough to simply generate good alerts, though that is a start. Organizations also need to establish roles and responsibilities so that those alerts are investigated in a timely fashion. Many successful breaches actually triggered alerts on the attacked networks, but those warning were not heeded because of questions of responsibility. Nobody knew whose job it was to respond, or assumed that someone else was looking into the problem.
A good place to start when assigning responsibilities is adopting an incident response and recovery plan like the one recommended by the National Institute of Standards and Technology (NIST) in special publication 800-61. There are other reference documents, including ones specific to various industries, and they don't have to be followed to the letter. But forming a plan defining who within an organization responds to alerts, and how they go about doing that in a timely fashion, is critical.
More Information about Insufficient Logging and Monitoring
For further reading, you can take a look at what OWASP says about insufficient logging and monitoring. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Ready to find, fix and eliminate insufficient logging and monitoring right now? Head to our training arena: [Start Here]
목차
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
데모 예약다운로드시작하는 데 도움이 되는 리소스
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
