Greetings to all Habr readers!
We are starting a series of posts that discuss, in a fairly literary form, the problems an IT specialist can run into when there are no suitable tools for monitoring and auditing changes across the various platforms of an IT infrastructure.
So, the first story: "Midday Thief, or Who Changed the File Access Settings?"

Martin realized what kind of week it would be when, already on Monday, management was running from office to office discussing something in raised voices. By Wednesday everything became clear: somehow the details of a product not yet released to market had ended up with competitors, who were now hurriedly reworking their own product. The competitive advantage that Martin's company could have had was evaporating. The shareholders demanded that the culprits be found, and management was looking for them by every means available.
First, recordings from all the security cameras were reviewed. After several days of fascinating viewing, the conclusion was that the information had most likely leaked through an insider. Rumors spread quickly around the office, and Martin knew what would come next.
"Martin," came the voice of the boss as he walked into his office. "We need to talk. It's about the leak."
Martin went to the boss's office and, having made sure that nobody could overhear, admitted that it was impossible to establish who had last accessed those files. "The problem," said Martin, "is that the current access control list on the files contains the Domain Users group, which should not be there." This meant that any employee in the company could have reached those files. And there was no way to establish who exactly had changed that list: the company simply did not have the software needed for it.
"Isn't all of that recorded in the logs?" the boss asked, irritated.
"Yes, it is recorded," answered Martin. "But the change to the list happened quite a while ago, and the log has already been overwritten."
He explained that the Windows server they use simply has no long-term storage for security log entries. In practice, events stay in the log for only a few days. Whoever it was had planned this step well in advance: first he changed the permissions, then waited until the record of that change had been overwritten, and only then began to use the new permissions. With the new permissions the files could be safely copied anywhere, even during working hours, and it would be impossible to catch such a person. The company does not currently log every successful file access, because doing so would generate such a volume of events that the log would be overwritten even faster.
Martin left the boss's office with a clear instruction: fix the situation and prevent it from happening again. He needed a solution that would archive security event records, and he hoped to find a program that would notify him as soon as permissions or critical groups changed. A way to search the many entries in each security log for one particular event would not be superfluous either.
What possible solutions exist to prevent such a thing from now on?
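One defensive approach to the two gaps Martin describes (no durable record of permission changes, and no alert when an ACL or a critical group changes) is a scheduled PowerShell script that snapshots the NTFS ACLs under a share, diffs them against the previous snapshot, flags broad grants such as Domain Users, and copies the relevant Security events out of the log before they are overwritten. The script below is an added example, not code from the original post or from NetWrix; the share path, baseline path, archive path and lookback window are assumed values, and event 4670 ("Permissions on an object were changed") only appears if object-access auditing is enabled and the folder carries a SACL.

```powershell
<#
  Added example (not from the post or from NetWrix): detect NTFS permission
  changes on a share and archive the related Security events before the log
  wraps. $ShareRoot, $BaselinePath and $ArchivePath are hypothetical paths.
  Event 4670 is logged only when object-access auditing and a SACL are configured.
#>
param(
    [string]$ShareRoot    = 'D:\Projects\NewProduct',    # hypothetical share
    [string]$BaselinePath = 'C:\AclAudit\baseline.xml',  # previous snapshot
    [string]$ArchivePath  = 'C:\AclAudit\events.csv',    # long-term event archive
    [int]$LookbackHours   = 24
)

# Groups whose presence on a confidential folder is almost always a mistake.
$BroadGroups = @('Domain Users', 'Everyone', 'Authenticated Users', 'BUILTIN\Users')

# One string per ACE: path|identity|rights|allow-or-deny, so snapshots can be compared as sets.
function Get-AclSnapshot {
    param([string]$Root)
    $items = @(Get-Item -Path $Root) +
             @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            '{0}|{1}|{2}|{3}' -f $item.FullName, $ace.IdentityReference.Value,
                                  $ace.FileSystemRights, $ace.AccessControlType
        }
    }
}

New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $ArchivePath)  -Force | Out-Null

$current = @(Get-AclSnapshot -Root $ShareRoot)

# 1. Diff against the previous snapshot: every added or removed ACE is reported.
if (Test-Path $BaselinePath) {
    $baseline = @(Import-Clixml -Path $BaselinePath)
    $added    = $current  | Where-Object { $baseline -notcontains $_ }
    $removed  = $baseline | Where-Object { $current  -notcontains $_ }
    foreach ($a in $added)   { Write-Warning "ACL ADDED   $a" }
    foreach ($r in $removed) { Write-Warning "ACL REMOVED $r" }
} else {
    Write-Output "No baseline at $BaselinePath; the current snapshot becomes the baseline."
}

# 2. Flag broad grants even if they did not change since the last run: a stale
#    baseline must not hide an entry that should never have been there.
foreach ($row in $current) {
    $identity = ($row -split '\|')[1]
    foreach ($g in $BroadGroups) {
        if ($identity -like "*$g") { Write-Warning "Broad grant: $row" }
    }
}

# 3. Copy permission- and group-change events out of the Security log before it wraps.
#    4670 = object permissions changed; 4728/4732/4756 = member added to a
#    global/local/universal security group.
$filter = @{ LogName = 'Security'; Id = 4670, 4728, 4732, 4756;
             StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Export-Csv -Path $ArchivePath -Append -NoTypeInformation
    Write-Output ("Archived {0} event(s) to {1}" -f $events.Count, $ArchivePath)
}

# 4. Persist the current snapshot for the next run.
$current | Export-Clixml -Path $BaselinePath
```

Run it as a scheduled task more often than the Security log wraps (in the story that is a few days, so daily is the minimum), under an account that can read the share's ACLs and the Security log. The snapshot diff catches the change even when the event itself has already been overwritten, which is exactly the window the insider in the story relied on; the event archive is still worth keeping because it names the account that made the change. Raising the Security log's maximum size (for example with `wevtutil sl Security /ms:<bytes>`) or forwarding events to a collector widens that window further.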
Disclaimer: NetWrix has a program for auditing file servers and storage devices. You can get acquainted with it here.