Authentication logs are records of the attempts and results of logging into an IT system, network, or application, such as the user name, password, date, time, location, or device [1]. Authentication logs can help to verify and audit the identity and access of the users, and to detect and investigate any unauthorized or suspicious login activities, such as failed or repeated attempts, or unusual patterns or locations [2].
Among the four options given, the discovery that authentication logs have been disabled should be of greatest concern to the organization. This is because disabling authentication logs can:
Prevent or hinder the organization from monitoring and controlling the access and activity of the users, especially the disgruntled, terminated IT administrator who may have malicious intentions or insider knowledge
Enable or facilitate the disgruntled, terminated IT administrator or other attackers to bypass or compromise the authentication mechanisms or policies, and gain unauthorized or elevated access to the IT systems, networks, or applications
Conceal or erase the evidence or traces of the login attempts or actions of the disgruntled, terminated IT administrator or other attackers, and make it difficult or impossible to identify, investigate, or prosecute them
Indicate or imply that the disgruntled, terminated IT administrator or other attackers have already breached or compromised the IT systems, networks, or applications, and have disabled the authentication logs to cover their tracks or avoid detection [3]
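The review described above can be sketched as code. This is an added example, not part of the original explanation: it scans authentication log lines for activity by a terminated account and for stretches where logging went silent. The log format, the `TERMINATED` set, the `old_admin` account and the 30-minute silence threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not from a real system): timestamp, result, user, source.
SAMPLE_LOG = """\
2024-03-01T08:00:05 SUCCESS alice 10.0.0.12
2024-03-01T08:04:41 FAILURE bob 10.0.0.15
2024-03-01T08:09:13 SUCCESS bob 10.0.0.15
2024-03-01T08:15:30 SUCCESS old_admin 203.0.113.7
2024-03-01T11:47:02 SUCCESS alice 10.0.0.12
2024-03-01T11:52:19 SUCCESS carol 10.0.0.20
"""

# Assumption: accounts that HR/IT has marked as terminated.
TERMINATED = {"old_admin"}
# Assumption: on this system, auth events normally arrive at least every 30 minutes.
MAX_SILENCE = timedelta(minutes=30)


def parse(text):
    """Yield (timestamp, result, user, source) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def review(text, terminated=TERMINATED, max_silence=MAX_SILENCE):
    """Return findings: terminated-account activity and gaps where logging went silent."""
    findings = []
    prev = None
    for ts, result, user, source in sorted(parse(text)):
        if user in terminated:
            findings.append(("terminated_account", ts, f"{result} login for {user} from {source}"))
        if prev is not None and ts - prev > max_silence:
            findings.append(("logging_gap", prev, f"no auth events for {ts - prev}"))
        prev = ts
    return findings


if __name__ == "__main__":
    for kind, ts, detail in review(SAMPLE_LOG):
        print(kind, ts.isoformat(), detail)
```

A silence gap is only a lead: it can also be a quiet period or a collector outage, so it should be confirmed against the system's logging configuration and change records.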
References:
[1] What is Authentication Logging?
[2] Authentication Logging - Wikipedia
[3] Fired admin cripples former employer’s network using old credentials