Dealing with file security breaches

I can't get my head round a sensible way to deal with security breaches of NTFS folders. Here is the scenario:

Auditing is turned on and checking for security failures on files or folders; the event log captures these security failures. Let's assume for the moment that they are genuine attempts to access something the user shouldn't.

How do you act on that information? Do you ask the user why they tried to access folder x? Surely the response will be that it was an accident, or they will just lie about the situation?

Now if it goes a step further and somehow they manage to access data they shouldn't, how will you ever know about it, because you cannot spend all day looking at success audits?

To add to the problem, I find that the auditing is pretty bad at being accurate; especially if the user has read-only access to an Office file, a security failure is often generated. I guess this is Windows working out what it can and cannot do?

I'm sure other people on here must have to audit this sort of stuff. I need to come up with a way of auditing and identifying security breaches so they can be acted on, but I keep going round in circles.
 
I think you're looking at the problem the wrong way around: you are trying to use the IT to locate personnel issues, whereas I would see this sort of thing as the IT being used to support existing personnel issues.

If you are confident that your security/permissions etc. are robust and effective, then you should be letting the business approach you to say they think they have a problem with a member of staff trying to gain access to secured files, and you then provide the logs to support them.

Obviously you have a duty of due diligence to ensure the mechanisms in place are working effectively, but as you've already discovered it's a difficult/impossible process to spot the issues from the logs alone.

It obviously also depends on the type of business and therefore the type of data. If a higher level of monitoring is required so you can establish not just what they are trying to access but how, I would be inclined to look at something like screen recording. Alternatively, something like GFI EventsManager will let you record all logs in a central location, query them and set up customisable alerts.
 
The issue is that if the user has got at the data and a breach has been identified it really is too late.

Prevention is better than cure and all that; obviously ACLs should take care of it, and I can provide historic event logs where required.

But, if we went down the route of something like GFI EventsManager, how do you approach staff about these breaches? Do you just secretly build up the information for use at a later date?

Even with a tool like that, surely you still aren't likely to know if a user has managed to get somewhere they 'shouldn't' have permission to?
 
I'm very much of the mindset that the business (e.g. the managers) should be empowered with things like this; it helps remove the "big brother" image a lot of IT departments have.

Presumably you have something along the lines of departmental folders; you could configure something like EventsManager to email the department manager in the event of any attempted breach.

Even with a manual approach to monitoring the logs, I'd still want to discuss the issue with the person's boss/supervisor/team leader/whatever rather than approaching them directly.
 
That makes sense and saves me a great deal of hassle.

The next thing is, how does the manager tell false positives from genuine malicious attempts?

I know from previous experience that the Windows auditing generates a lot of false positives.
 
Well, they are paid (often a lot of money) to manage the staff; they should be capable of dealing with them proactively. If a certain name keeps popping up, they can take them to one side and ask them what's going on.

Your responsibility should just be to ensure the system is working effectively and not generating many false positives. I think this is just going to be a trial and error process. There may be third party products which can monitor these things more effectively, but I haven't personally investigated them, so use your Google-fu there.

You could also look at how the file system is structured to reduce accidental attempts, keeping things out of harm's way so to speak.
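As an added example (not code posted in this thread, and not a feature of GFI EventsManager), the following PowerShell script does the filtering the two posts above describe: it pulls NTFS audit-failure events (Security log, event 4656, "A handle to an object was requested"), keeps only objects under the folders you have deliberately enabled auditing on, and reports repeat names per user and per departmental folder so the summary can be handed to that department's manager. The folder paths, the time window and the minimum count are assumptions to adjust for your own environment.

```powershell
# Added example: summarise NTFS audit failures per user and audited folder.
# Assumptions (not from the thread): the share paths below, a 24 hour window,
# and that fewer than 3 failures from one user on one folder is an "accident".
param(
    [string[]]$AuditedFolders = @('D:\Shares\Finance', 'D:\Shares\HR'),  # assumed paths
    [int]$Hours = 24,
    [int]$MinCount = 3
)

$since  = (Get-Date).AddHours(-$Hours)
# 4656 with the Audit Failure keyword is what a denied handle request on a file logs
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }

$rows = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only keep objects under folders that are deliberately audited; everything else is noise
    $folder = $AuditedFolders | Where-Object { $data['ObjectName'] -like "$_*" } | Select-Object -First 1
    if (-not $folder) { continue }

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Folder  = $folder
        Object  = $data['ObjectName']
        Process = $data['ProcessName']
        # AccessMask shows what was asked for; write rights requested on a read-only
        # Office file is the kind of false positive the thread mentions
        Access  = $data['AccessMask']
    }
}

# One line per user/folder pair, repeat offenders first; one-offs drop below MinCount
$rows | Group-Object User, Folder |
    Where-Object Count -ge $MinCount |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].User
            Folder    = $_.Group[0].Folder
            Failures  = $_.Count
            Last      = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Processes = ($_.Group.Process | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt on the file server (reading the Security log needs administrator or "Manage auditing and security log" rights); the Processes column helps separate an Office application probing for write access from a user browsing with Explorer.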
 
OK, that gives me something to work with. I think I will be very selective about the folders I audit so that the logs aren't full of spam!

Thanks for your comments, Iain.
 