According to a survey conducted by Lepide - a leading security auditing solutions provider - 60 per cent of companies are still not able to determine who has access to their critical data. The survey was conducted at a variety of trade shows, including Infosec Europe, RSA Singapore and DataConnectors Pittsburgh, and involved 250 face-to-face interviews.
A common misconception amongst organisations is that all cyber threats originate from outside the organisation, yet according to a report published by mcafee.com, 43 per cent of data breaches were the result of malicious or incompetent insiders. This problem is emphasised by the continuous surge in healthcare-related breaches. For example, according to a report published by Protenus, of the 31 health data breaches disclosed in January 2016, "59.2 per cent of breached patient records were the result of insiders".
Data breaches can be caused by many things. Some examples include:
- Unauthorised application use
- Unauthorised physical and logical access to sensitive data
- Misuse of corporate computers, such as unauthorised sharing of work devices
- Remote worker security - transferring files between work and personal computers
- Misuse of passwords - sharing passwords/weak passwords
- Malware and ransomware
- Back-doors and application vulnerabilities
- Privilege escalation
- Configuration errors
- Lost or stolen devices, including inadequately disposed-of paperwork etc.
There are a number of steps a company can take to help mitigate data breaches. These include educating staff members, encrypting sensitive data, using access control lists, and developing a clear policy on how to react and respond to a breach. However, the most important step is to ensure that you know exactly who, what, where and when: who was involved in the breach, what was accessed, where it happened and when it occurred.
Active Directory records every audited event in the Windows Security event log of the domain controller on which it occurred, which enables administrators to track changes within AD. However, native AD auditing has many limitations:
- Native auditing provides very sparse details about who, what, where and when changes are made to Active Directory (and Group Policy). The logs are very cryptic and it would take time to decipher them.
- The native logs do not provide daily reports and alerts about changes made to AD. Instead the sysadmin must scrutinise the logs on each domain controller. Likewise, compliance reports would need to be created manually.
- The native logs are unable to consolidate the audit data from different domain controllers.
- If the event log size and retention settings are not configured correctly, older entries are overwritten by new audit data.
- Native logs typically generate large volumes of data, and provide no functionality for long-term archiving of data.
While it is possible to use the native AD logs to determine who has access to your critical data, we wouldn't recommend it. They are simply not able to provide the information you need, when you need it.
You must be able to maintain least privilege by displaying current AD permissions, how permissions are granted, when they are changed, and when users are added to privileged security groups. You will also need to be able to detect user account modification and deletion, and manage inactive user accounts.
Privileged mailbox access should also be tracked. You ideally want a way of automating password resets, including password expiration reminders. Additionally, it helps if you can track suspicious logon attempts, and account lockouts.
Since the native Active Directory logs are not capable of providing such information in a fast, efficient and intuitive manner, what is the alternative?
There are a number of commercial vendors who offer advanced AD auditing solutions. These solutions allow you to track current permissions and permission changes, and to audit, monitor and alert on changes made to your Active Directory. You can detect account modification and deletion, roll back and restore changes, and perform health checks that monitor memory and CPU usage. Some solutions provide threshold alerting, which can help identify anomalous user logon attempts and track suspicious file/folder activity. Given the recent wave of ransomware attacks, this feature is invaluable: threshold alerting enables you to find out quickly whether X number of Y events have occurred within Z period of time, so should a device within your organisation become infected with ransomware, the burst of file changes produced by the encryption process will be noticed very quickly. Some vendors allow you to trigger a custom script should such an event occur. For example, in the event of a suspected ransomware attack, you can trigger a script to terminate a specific process, lock down a user account, adjust the firewall settings, or shut down the system entirely. These scripts can be written in all common scripting languages.
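The two checks described above, detecting additions to privileged groups (the least-privilege requirement in the earlier paragraph) and the "X events of type Y within Z seconds" threshold rule, are straightforward to express over consolidated audit events. The following is an added example written for this article; it is not Lepide's code nor the output of any vendor product. It assumes a constructed line-oriented log format (timestamp, domain controller, event ID, key=value fields) and uses the real Windows Security event IDs 4728/4732/4756 (member added to a security-enabled global/local/universal group) and 4663 (an attempt was made to access an object). The sample lines, account names and file paths are all constructed.

```python
"""Added example (not Lepide's code): privileged-group and threshold alerting over
constructed Windows-Security-style audit lines consolidated from two domain controllers."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real Windows Security event IDs for "member added to a security-enabled group"
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Real event ID for "an attempt was made to access an object" (file/folder auditing)
OBJECT_ACCESS_EVENT = 4663
# Groups treated as privileged for this example (assumption; tune to your environment)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed line format: "<ISO timestamp> <DC> <EventID> key=value key="quoted value" ..."
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def build_sample_log():
    """Constructed sample data, not real audit output."""
    lines = [
        "2016-03-01T09:00:01 DC01 4624 user=alice logon_type=2",
        '2016-03-01T09:05:12 DC01 4728 user=bob group="Domain Admins" actor=admin1',
        '2016-03-01T09:06:40 DC02 4732 user=eve group="Remote Desktop Users" actor=admin1',
    ]
    base = datetime(2016, 3, 1, 9, 10, 0)
    # dave: five writes a minute apart, logged on DC01 (ordinary editing)
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} DC01 4663 user=dave object=\\\\fs1\\hr\\doc{i}.docx access=WriteData")
    # carol: 25 writes within ten seconds, logged on DC02 (encryption-like burst)
    for i in range(25):
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()} DC02 4663 user=carol object=\\\\fs1\\finance\\f{i}.xlsx access=WriteData")
    return "\n".join(lines)


def parse_line(line):
    ts, dc, event_id, rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"ts": datetime.fromisoformat(ts), "dc": dc, "event_id": int(event_id), "fields": fields}


def parse_log(text):
    """Consolidate events from all domain controllers into one timeline."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e["ts"])


def privileged_group_additions(events):
    """Every event that adds an account to a group in PRIVILEGED_GROUPS."""
    return [e for e in events
            if e["event_id"] in GROUP_ADD_EVENTS and e["fields"].get("group") in PRIVILEGED_GROUPS]


def threshold_alerts(events, event_id, threshold, window_seconds):
    """Sliding-window rule: alert once per user when at least `threshold` events of
    `event_id` fall within `window_seconds`. Returns (user, window_start, window_end)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-user timestamps inside the current window
    alerted, alerts = set(), []
    for e in events:
        if e["event_id"] != event_id:
            continue
        user = e["fields"]["user"]
        q = recent[user]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, q[0], e["ts"]))
    return alerts


def plan_response(alert):
    """Describe the containment action a custom script would carry out (hypothetical hook)."""
    user, start, end = alert
    return {"action": "disable-account-and-notify", "user": user,
            "reason": f"{end - start} burst of file writes"}


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    for e in privileged_group_additions(events):
        print("privileged group change:", e["fields"]["user"], "->", e["fields"]["group"], "by", e["fields"]["actor"])
    for a in threshold_alerts(events, OBJECT_ACCESS_EVENT, threshold=20, window_seconds=60):
        print("threshold alert:", a, plan_response(a))
```

With the thresholds used in the `__main__` block (20 writes in 60 seconds) only carol's burst fires; dave's five writes a minute apart stay below the line, which is the distinction between legitimate editing and an encryption run that the rule is meant to draw. The response hook only returns a description of the action so that the decision logic can be tested separately from whatever script a vendor product would actually run.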
We audit human behaviour in a variety of different ways. For example, Britain is the CCTV capital of the world. Our spending habits are audited using store loyalty cards and credit card transactions. TiVo and Sky+ audit our viewing habits, and HTTP cookies are used to audit our browsing habits. Many retail outlets use radio-frequency ID tags to monitor their stock and prevent theft. However, when it comes to auditing sensitive data, most companies are not so interested. When you mention cyber-security, most people think about viruses or hackers trying to penetrate a firewall in an attempt to steal classified information. However, as noted above, 43 per cent of data breaches are caused by insiders. Education and incentives are required to remedy this situation.
And here comes the GDPR...
The General Data Protection Regulation (GDPR) is an EU regulation that will come into effect from 25 May 2018. The GDPR was designed to replace the current Data Protection Directive (DPD) with a more up-to-date alternative. The GDPR has increased territorial scope, stricter consent laws, improved rights for data subjects, and much harsher penalties for those who don't comply. Some may consider it to be an intrusive approach, but it will, if nothing else, persuade companies to treat data protection with the respect it deserves.
Any organisation that processes personal data belonging to EU citizens will be required to comply with the GDPR. If an organisation is not able to determine quickly and accurately who is accessing its critical data, what they are accessing, and where and when, it is unlikely to be able to comply.
Aidan Simister, CEO, Lepide
Image source: Shutterstock/Wright Studio