T 2.160 Lack of or insufficient logging

Logged data can be used, for example, in order to determine whether security specifications were violated or whether attacks were attempted. Additionally, the logged information can be used for error analysis in the event of damage and for determining the causes or for integrity tests.

Within an information system, there are often IT systems and applications for which the logging of the basic settings has not been enabled. Such systems and applications must be configured accordingly in advance. Logging may not be possible for systems and applications. An insufficient planning concept may also cause a lack of logging.

Even if logging is used for individual systems, information and findings resulting from this may be lost, because they are not collected at a central location. In information systems without centralised logging, it is difficult to ensure that the relevant logged information of all IT systems is maintained and analysed.

If the users of the IT systems and applications are allowed to disable the logging function themselves, this may also cause problems. For example, a user may violate policies without this having any consequences for him/her. If the users are allowed to change or delete existing log files, there is the risk that security violations are not detected.

Example:

• An unauthorised user tries to guess passwords for the web email account of other users. Since the password can often be used for other services (single sign-on), this is particularly interesting for the attacker. This attack is not detected due to a lack of logging on the email server. The attacker can guess the passwords of the users unobtrusively by using the brute-force methods.