We think there’s a big problem with how a lot of organisations approach IT security – and here’s why.
We speak to IT teams on a daily basis about their security measures and hear the same products being referred to and the vast sums of money spent on ensuring their systems are secure. However, the reality is that so many deployments of these security solutions fail due to complexity, or due to a lack of planning for how to manage the fallout and the results once issues are detected.
Here’s what we believe – IT security should start from the inside out – namely, IT teams should start with the most critical questions and systematically work their way outwards. Each question should then be tested and re-tested systematically on a regular basis. It’s interesting that we regularly hold fire drills and test our ability to respond in the event of a physical emergency, yet rarely test what would happen in the event of a virtual or cyber emergency. Arguably the impact of a cyber emergency is much greater and actually represents a more significant risk to the modern business.
It’s our view that IT security strategies should be designed with a series of straightforward, common sense questions that should be tested. Response times should be measured, and all relevant gaps and threats should be checked and updated systematically on a scheduled and regular basis. Ideally, these things should be tested by external tools and organisations without warning for the most accurate picture.
Secondly, and importantly, the other key aspect of IT security that needs to be considered is the human element. We should only be giving levels of privilege that are appropriate for the role and trustworthiness of the individual, rather than taking an all-or-nothing approach. Far too often, we see junior admins, early in their tenure, with free rein and little proactive inspection.
So, let’s start with a few basic premises and work from the inside out. What are the most important parts of the IT infrastructure? Let’s group these into a few categories here:
Category A – Those without which the business simply can’t function. Let’s call these core, high risk areas. Active Directory is a prime example of this.
Category B – Those whose loss or compromise poses a risk to profitability (i.e. those areas that pose a risk in terms of data leakage, sensitive company details and the virtual assets of the company, namely confidential data).
What to Audit in Your Active Directory
At the core of practically all modern networks is Active Directory. If your Active Directory malfunctions and users can’t log on, business processes shut down completely. If your Active Directory is compromised, the implications are undeniably catastrophic. I don’t think such statements are overdramatic. So, let’s start with a few questions that we think all organisations should be able to answer immediately about this aspect of the environment:
- Who logged on, when did they log on and where did they log on from?
- Who changed the password, when and did the password meet security checks?
- Who created a user, when and where from?
- Who granted, changed or modified user permissions for users or groups?
- How many inactive users are there within the Active Directory?
- How do you identify an Active Directory brute force attack?
- Are you providing the right audit data to the right people as to changes? Are you separating and securing auditing and reporting?
- If something was to happen in the Active Directory that was ‘critical’ how quickly would you know?
- How quickly could you identify a performance or service anomaly on a Domain Controller?
- How easily can you keep track of password expiration to ensure passwords aren’t compromised?
- If a change was made that prevented users or groups from logging on, how quickly could you identify the issue?
- If log files were tampered with after a critical Active Directory change, what contingency do you have in place?
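As an added example (not from the original post or from the LepideAuditor product), the script below answers several of the questions above directly from a domain controller's Security log and the ActiveDirectory module. It assumes it is run elevated on a DC where auditing of Logon, User Account Management and Security Group Management is already enabled; the 24-hour window, the 20-failures-per-source threshold and the 90 idle days are constructed starting points, not fixed recommendations.

```powershell
# Added example: answer the AD audit questions from the Security log and AD cmdlets.
# Assumes: elevated session on a DC, ActiveDirectory module, relevant audit policy enabled.
Import-Module ActiveDirectory
$Since = (Get-Date).AddHours(-24)          # constructed window; tune to your review cadence

# Read a named EventData field so the script does not depend on positional indexes.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SecurityEvents([int[]]$Ids) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Since } `
                 -ErrorAction SilentlyContinue   # no matching events is not an error here
}

# 1. Who logged on, when, and from where (4624 = successful logon)
$Logons = Get-SecurityEvents 4624 | ForEach-Object {
    [pscustomobject]@{ Time      = $_.TimeCreated
                       User      = Get-EventField $_ 'TargetUserName'
                       LogonType = Get-EventField $_ 'LogonType'   # 3 = network, 10 = RDP
                       From      = Get-EventField $_ 'IpAddress' }
}
$Logons | Where-Object { $_.LogonType -in '3','10' } | Format-Table -AutoSize

# 2. Brute-force indicator: many failed logons (4625) from a single source address
Get-SecurityEvents 4625 | ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Group-Object | Where-Object { $_.Count -ge 20 } |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 3. Account management: who created a user (4720), reset a password (4724),
#    or added a member to a security group (4728 global, 4732 local, 4756 universal)
Get-SecurityEvents 4720,4724,4728,4732,4756 | ForEach-Object {
    [pscustomobject]@{ Time    = $_.TimeCreated
                       EventId = $_.Id
                       By      = Get-EventField $_ 'SubjectUserName'
                       Target  = Get-EventField $_ 'TargetUserName'   # user, or group for 47x8
                       Member  = Get-EventField $_ 'MemberName' }     # only set for group events
} | Format-Table -AutoSize

# 4. Inactive users: enabled accounts with no logon in the last 90 days
$Inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(90)) -UsersOnly |
    Where-Object { $_.Enabled }
"Enabled users inactive for 90+ days: $(@($Inactive).Count)"
```

Scheduling this as a task and diffing its output against the previous run is a simple way to turn the questions into the regular, repeatable test the post argues for.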
What to Audit in the Rest of Your IT Infrastructure
When we referred to Category B as platforms whose loss or compromise poses a risk to profitability, we meant those within which sensitive data is contained – namely, File Server. Of course, there are many other platforms that are important to audit (including Exchange, SharePoint, SQL, Office 365 etc.) but to list them all would be impractical. So, let’s take a look at some of the questions you need to be asking yourself when it comes to File Server:
- Who currently has access to your sensitive files/folders and has this access changed?
- Who’s making changes to critical data (copying, moving, modifying, deleting etc.), when were they made, what changed and where?
- Have you seen any recent anomalies in the events occurring in File Server?
- Are you able to easily present audit data in the correct format to pass compliance audits (HIPAA, FISMA, SOX, PCI and GDPR to name a few)?
- Are you able to proactively react to unwanted changes (such as being able to run a custom script automatically)?
- Are you able to notice in real time when potentially damaging changes are taking place to your data?
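The following added example (not from the original post or from LepideAuditor) covers the first two file-server questions: it flags broad principals holding write-class rights on sensitive folders, compares the current permissions with a saved baseline to spot changes, and lists write or delete access recorded in the last 24 hours. The folder paths and baseline file are constructed placeholders, and it assumes "Audit File System" and a SACL on the folders are already enabled so that 4663 events exist.

```powershell
# Added example: who has access to sensitive folders, has it changed, and who wrote to them.
# Assumes: placeholders below replaced, object-access auditing and folder SACLs already enabled.
$SensitiveFolders = @('\\FILESRV01\Finance', '\\FILESRV01\HR')      # constructed placeholders
$BaselinePath     = 'C:\AuditBaseline\acl-baseline.json'           # constructed placeholder
$BroadPrincipals  = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
# Write-class rights only; plain read access on a sensitive share is reported separately if needed.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# 1. Who has access: broad principals (or Domain Users) holding any write-class right
foreach ($path in $SensitiveFolders) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.IdentityReference.Value -in $BroadPrincipals -or
                        $_.IdentityReference.Value -like '*\Domain Users') -and
                       (($_.FileSystemRights -band $WriteRights) -ne 0) } |
        ForEach-Object { "$path : $($_.IdentityReference) has $($_.FileSystemRights)" }
}

# 2. Has access changed: compare each folder's SDDL with the last saved baseline
$Current = @{}
foreach ($path in $SensitiveFolders) { $Current[$path] = (Get-Acl -Path $path).Sddl }
if (Test-Path $BaselinePath) {
    $Baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($path in $SensitiveFolders) {
        if ($Baseline.$path -ne $Current[$path]) { "ACL changed since baseline: $path" }
    }
}
$Current | ConvertTo-Json | Set-Content -Path $BaselinePath   # new baseline for the next run

# 3. Who changed what: 4663 object-access events with write/append/delete bits in the mask
$Since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = ($d | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            Object = ($d | Where-Object { $_.Name -eq 'ObjectName' }).'#text'
            Mask   = [int](($d | Where-Object { $_.Name -eq 'AccessMask' }).'#text')   # e.g. '0x2'
        }
    } |
    Where-Object { ($_.Mask -band 0x10006) -ne 0 } |   # 0x2 WriteData, 0x4 AppendData, 0x10000 Delete
    Format-Table -AutoSize
```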
Questions similar to these should be asked about all the platforms in your IT environment that store or process critical data. Once you can answer these quickly and accurately, you’re in a much better place in terms of both IT security and compliance readiness.
If you need any help getting answers to these critical questions, contact Lepide and request a demo of our award-winning LepideAuditor. We’ll be able to show you exactly how our solution helps you improve the sophistication and proactiveness of your IT audit.