399 – Security controls absence - Monitoring

Description

The application lacks of alert or notification mechanisms in the presence of critical changes in the system, such as: access and modification of resources, roles creation, among others.

Impact

Perform potentially harmful operations in the system without raising an alert.

Recommendation

Set notification mechanisms in critical changes in the system resources or services.

Threat

Authenticated attacker from the Internet who succeeded to compromise a resource.

Expected Remediation Time

90 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): H
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 301 - Notify configuration changes
• 318 - Notify third parties of changes

Fixes

• Aws
• Php

Last updated

2024/02/20