10.1 Insufficient Monitoring & Logging Overview

Video Transcription
Hi, everyone. Welcome back to the course. So in the last module we talked about using components with known vulnerabilities.
We've reached our final module of the course, so I know you can breathe a good sigh of relief there. So we're gonna talk about insufficient logging and monitoring.
So a quick pre-assessment question here: ways to prevent against the exploitation of insufficient logging and monitoring include all of the following, except which one?
All right, so if you guessed answer C, ensuring logs are only stored locally, that was pretty easy, but it may have tripped you up a little bit. That is the correct answer there. That's not a way that we can prevent against the exploitation of insufficient logging and monitoring.
All right, so our learning objectives again. We're gonna talk about the risk rating for this particular item on the OWASP Top 10. This is number 10 on the list, insufficient logging and monitoring. We're gonna be talking about organizations not doing it. We'll talk about how to check for it and also ways to prevent or mitigate against it.
And again, the whole goal here is to try to prevent or try to catch malicious activity quickly, so that way we can hopefully curb whatever the attacker is doing.
You'll see here that it's pretty prevalent. Now, this is another one that's based off an OWASP survey of the industry. However, anyone experienced in the industry can tell you that they've seen issues at some organization they've worked at, normally that they're not sufficiently logging stuff, or they're not monitoring stuff, or they're not using tools to take a look at the traffic that's coming into the network to see if there's any suspicious activity.
So one of the key things here is about failed login attempts. So we want to monitor these specifically. So, for example, somebody brute forcing a password: we want some kind of alert that says, hey, wait a minute, John Smith's account has had 24 password failures in the last four seconds.
Most people don't type that fast, so that's pretty abnormal, right? That's suspicious. So we want to log that information, and then, as I mentioned, we want to make sure we alert on it, because we could have the greatest logs in the world, but if nobody's looking at them, then they're pointless.
So prevalence, as I mentioned, was based on a survey, and that's a commonality of it.
And how we check for it: logs stored only locally, that's gonna be a red flag; there's gonna be an issue there.
No monitoring, that's obviously, as the name implies, no monitoring of the applications or the application programming interfaces. No alerting, right? So if there's some event that should trigger an alert, we don't actually have an alert set up.
And then the aspect of having no real-time monitoring, right? So we're just monitoring stuff in the past, or every 24 hours or something, but we're not actually doing real-time monitoring.
So we want to make sure that our applications have that ability to do real-time monitoring for us.
So the impact, well, this can vary quite a bit, from minimal all the way up to data loss, data corruption, et cetera.
In most cases, attackers are gonna be starting with looking for vulnerabilities, right? So they're gonna do research on our company. They'll somewhat follow the steps of the pen testing methodology, where we're gathering information. So we're doing the footprinting, reconnaissance; we're scanning different systems to try to gain more information about our target and kind of map out their network.
We're enumerating that, so we're finding operating systems on those particular systems and trying to figure out vulnerabilities for those, and then from there we're exploiting those, we're maintaining access, and then we're getting away and covering our tracks. So if you think about it in that context, attackers are going to start with vulnerability probing, and then if they start scanning systems and then moving into exploitation, and we're not logging anything and we're not monitoring anything, we'll have no clue that they're even there. That's why you see that it takes sometimes hundreds of days or even a few years for a data breach to be noticed by an organization,
and in many cases that's somebody external saying, hey, by the way, I found your data on the web, and it looks pretty critical. You should probably patch that, right? You should probably reconfigure that system.
So that's why we see that, right? We see all these potential vulnerabilities out there, and so then an attacker finds those and exploits them. If we're not monitoring and logging information and we're not getting alerted about it, then they can exploit it, and that can lead to things like data loss. They can corrupt the data, they could destroy it all, which we have seen recently in the media.
They could do theft of IP. So there was an email service provider that lost all their data from, like, I think, the inception of their company, if I recall correctly.
And then the attacker can also do things like pivoting throughout the network and then maintaining persistence.
So how do we prevent it? Well, we want to monitor and log every single failed login attempt, or any type of authentication failure. Anything like that needs to be logged and then sent to some kind of alert. So, like, after X number of times or whatever, we need an alert sent to us so we know what's going on, so we can take a little closer look.
Any type of high value transaction, that's gonna need an audit trail, right? So if we're, for example, transferring large sums of money, we need to make sure we have an audit trail in place so an attacker can't get in and just do that.
As I mentioned, effective monitoring, along with that is gonna be your alerts, and then having some kind of effective incident response plan. So if we don't catch everything, which we never will, if we find it later, we have an effective incident response plan in place.
We also want to make sure that we're generating logs in a digestible format. So we want to be able to actually understand what the log is telling us, or have the log fed into some kind of third party application that will take logs from and aggregate the logs from all these different sources, and then basically produce some kind of good dashboard for us to look at, where we can make sense of all the data that's coming in.
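As an added example (not part of the course material), here is the failed-login alert described above: a sliding window over constructed auth log lines that fires once an account reaches a threshold of failures inside the window, emitted as JSON so a dashboard or log aggregator can ingest it. The log format, the threshold and the window length are assumptions.

```python
"""Added example: sliding-window alert on failed logins over constructed log lines.
Threshold/window values and the log line format are assumptions, not the course's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json
import re

# Constructed sample lines in a syslog-like shape; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:00 app auth: FAILED login user=jsmith src=203.0.113.5
2024-03-01T10:00:01 app auth: FAILED login user=jsmith src=203.0.113.5
2024-03-01T10:00:02 app auth: FAILED login user=jsmith src=203.0.113.5
2024-03-01T10:00:02 app auth: FAILED login user=agreen src=198.51.100.7
2024-03-01T10:00:03 app auth: FAILED login user=jsmith src=203.0.113.5
2024-03-01T10:00:04 app auth: FAILED login user=jsmith src=203.0.113.5
2024-03-01T10:00:05 app auth: FAILED login user=jsmith src=203.0.113.5
2024-03-01T10:01:30 app auth: FAILED login user=agreen src=198.51.100.7
2024-03-01T10:01:41 app auth: ACCEPTED login user=agreen src=198.51.100.7
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: (?P<outcome>FAILED|ACCEPTED) login "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def detect_failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Return one structured alert per account the first time its failure count
    inside the sliding window reaches `threshold` (humans rarely fail that fast)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> timestamps of failures still in window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["outcome"] != "FAILED":
            continue              # successes and unparseable lines do not count here
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"alert": "failed_login_burst", "user": user, "src": m["src"],
                           "count": len(q), "window_seconds": window_seconds,
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    # JSON is the "digestible format" a dashboard or aggregator can ingest
    print(json.dumps(detect_failed_login_bursts(SAMPLE_LOG), indent=2))
```

With the defaults, jsmith's six failures in five seconds raise one alert at the fifth failure, while agreen's two failures almost ninety seconds apart followed by a success stay below the threshold.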
So just one quick post-assessment question here.
Rebecca's working as a network engineer in a very small company. She's tasked with maintaining security for the network. She's already implemented a patching process to keep software and firmware up to date on the systems.
Her focus has now changed to preventing exploitation of insufficient logging and monitoring.
So with all that background information there, from the following, which choice should Rebecca not do?
All right, so if you guessed answer C, you are correct. So we don't want to fail to track auditable events. We actually want to make sure we track those because they're very important, right?
And then the other ones, of course, are things that we want to do to try to prevent against insufficient logging and monitoring. We want to ensure that we're logging any type of access control failure, so again, login failures, authentication failures.
We also want to make sure that we're generating digestible or easy to read logs so we can make sense of the information. And then, of course, use timely monitoring and alerting.
All right, so in this last module of the course, we talked about insufficient logging and monitoring. Before we wrap up the course, the next video's gonna actually be me showing you the capstone lab. Now, again, there's no step by step guide for that particular lab, and I'm also not going to show you how to go through it. I want you to do that one on your own, to practice your skills in depth. Now, we've walked through all the other labs in the course, so you should have a good amount of hands-on experience, and you should understand all the concepts that we're learning.
Also, don't forget, if you haven't done it already, and hopefully you've done it by now since we're near the end of the course, but if you haven't done it already, download all the supplemental resources. You're gonna have a lot of good stuff in there, as far as, like, step by step guides, quiz questions to practice with and some other helpful information that I've included for you in this course. Now, I've got a couple of teaching assistants that have helped me on the course, and I've mentioned them a few times. So one is Carrie LeBlanc. He's a legend in cybersecurity, and then Martin Cove, Ill. He's also another legend, and he's actually an executive for his particular organization.
So both are phenomenal individuals. They've helped me quite a bit with this course, and I'm definitely appreciative. So I want to give them a quick shout out here in the last module before we move into wrapping up the course.