The SysAdmin Network

No more hiding in the server room

Tsahy Shapsa

Protecting Company Data From Rogue Insiders

I just came across (yet another) good article by Kevin Beaver called Tests for securing the internal windows network. Kevin is an independent security expert, so he can’t be blamed for being vendor-biased. Interestingly enough, the 1st step out of 3 he lists is “Test for share, directory, and (if needed) file permissions”.

Some might be surprised by this, but almost whenever I do a remote audit of file servers or NAS devices, I always seem to find data that’s exposed. Now, I’m not talking about an environment that’s “just” overly permissive – we all know how things work in large organizations: as people change roles or departments, they somehow always retain their old access rights and assume the new ones needed for the new role. (Why this is taking place probably warrants its own post.) I’m talking about sensitive data being exposed to the “everyone” group (think the ‘Finance’ folder holding your company’s most sensitive data), I’m talking about seeing the “Domain\users” group showing up in unexpected places, because it’s a nested group of a nested group in Active Directory etc… If I had hair on my head, it would stand up every time we do one of these remote audits!

Kevin even goes on to say “..I come across a lot of open shares and unprotected directories on Windows workstations that anyone and everyone on the network has free reign over…”. So, it’s good to know I'm not alone out there… What’s interesting is that it’s not only small shops or small networks that run into this issue. I work with companies that have dozens and hundreds of TBs, hundreds and thousands of users in their Active Directory, the most advanced IT staff – and yet we always find data that’s exposed or an environment that’s overly permissive. Add to this the fact that IT pros are the data custodians but the data owners are the ones that get to set and change many of the access rights. Kevin does list a few free tools in his article that would help the sys admin running a small network, but these tools won’t cut it for the larger environments. It seems, from talking to many IT professionals out there, that this is what they need to be able to do in order to protect their data from rogue users:

* Find Data Exposure Level – Discover and highlight data that is accessible to the ‘Everyone’ group and other unrestricted and unwanted groups
* Discover Who Can Access Specific Data – See which users and groups have access to folders on your shares
* Fix Access Rights Policies – With visibility into who has access to your sensitive data, you can lock those access rights down
* Monitor Changes – Stay on top of the access rights on sensitive folders by tracking changes taking place
* Audit NAS And File Servers – Keep a history of user access rights and generate a point-in-time access rights audit trail

So what do you think is holding many IT environments back from being able to effectively secure their company’s data against rogue insiders? Is it because of the ever-changing data environment? Is it because existing solutions are too complex / expensive or just don’t provide the required functionality?
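The exposure check and change tracking from the list above, as an added example that is not part of the original post or any tool it mentions. The ACL and group data are constructed samples standing in for an export of folder permissions and Active Directory group membership, and the `BROAD` set and all function names are assumptions of this sketch.

```python
# Constructed sample data; a real run would load exported ACLs and AD groups.
GROUP_MEMBERS = {  # group -> direct members (users or nested groups)
    r"CORP\Finance-RW": [r"CORP\alice", r"CORP\Finance-Contractors"],
    r"CORP\Finance-Contractors": [r"CORP\Project-Temp"],
    r"CORP\Project-Temp": [r"CORP\Domain Users"],
    r"CORP\HR-RO": [r"CORP\bob"],
}
FOLDER_ACLS = {  # folder -> allow entries as (principal, rights)
    r"\\nas01\Finance": [(r"CORP\Finance-RW", "Modify")],
    r"\\nas01\Public": [("Everyone", "Read")],
    r"\\nas01\HR": [(r"CORP\HR-RO", "Read")],
}
# Principals treated as "unrestricted" (assumption; adjust per environment).
BROAD = {"everyone", r"corp\domain users"}


def broad_paths(principal, members, broad, _trail=()):
    """Yield nesting chains from an ACL principal down to a broad group."""
    trail = _trail + (principal,)
    if principal.lower() in broad:
        yield trail
        return
    for child in members.get(principal, ()):
        if child not in trail:  # guard against circular group nesting
            yield from broad_paths(child, members, broad, trail)


def find_exposures(acls, members, broad=BROAD):
    """Return (folder, rights, chain) where chain reads 'group -> member'."""
    findings = []
    for folder, entries in sorted(acls.items()):
        for principal, rights in entries:
            for chain in broad_paths(principal, members, broad):
                findings.append((folder, rights, " -> ".join(chain)))
    return findings


def new_exposures(old_acls, new_acls, members):
    """Exposures present in the new snapshot only (change monitoring)."""
    old = set(find_exposures(old_acls, members))
    return sorted(set(find_exposures(new_acls, members)) - old)


if __name__ == "__main__":
    for folder, rights, chain in find_exposures(FOLDER_ACLS, GROUP_MEMBERS):
        print(f"{folder}: {rights} via {chain}")
```

The Finance folder is flagged even though its ACL names only a finance group, because the chain in the finding shows Domain Users nested three levels down.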


Comment by Wesley "Nonapeptide" on January 14, 2010 at 4:55pm
In my own experience, it seems to be the following reasons in roughly the following order:

1) It doesn't even occur to many of us that the problem exists at all, much less on our own networks.
2) It's not perceived to be a threatening problem... until files are mysteriously deleted or moved.
3) Tools to thoroughly evaluate and document the extent of the problem are not well known.

In my current workplace, I usually end up seeing shares on client PCs that the creators made and forgot about (I'm often that forgetful creator). Hmmm... maybe I should shut a few of those down while I'm thinking about it. BRB.

Comment by Jeff Hengesbach on January 14, 2010 at 6:26pm
I think Wesley has excellent points. I'd go on to add:
1) Many of the 'exposures' are pre-existing from before "Breaches" were popular, well publicized, and good prevention processes in practice. The volumes of data and the rate of change can make it very challenging to keep up good housekeeping, not to mention find pre-existing exposures.
2) Point and click mentality has resulted in a user base that does not know what a "path" is and thus makes the topic of folders and their security a confusing and frustrating topic which ends up getting avoided.
3) Even from an IT admin perspective, the flexibility of Windows folder/file permissions and extended ACLs on *Nix platforms can be tricky and non-obvious. There are lots of 'admins' that do not well understand inheritance, set-guid, and file acls.
4) I think it bears repeating Wesley's #3 - good tools to do this stuff are not well known. With modern data volumes it isn't feasible to manually find exposures.
5) Smaller shops that may still have large amounts of data are likely priced out of many options.
